August 30, 2021

It’s not too late for Europe to lead the post-quantum cryptography race

Europe has the talent to pave a third way, but policymakers must take note and act fast.

Markus Spiske via Unsplash

The world may be focused on the race to vaccinate — but some necessary sprints should not make us forget about long-term marathons, including post-quantum cryptography (PQC). 

A functioning quantum computer will make all current tools for confidential, secure data and communications — also known as cryptography — obsolete. We need new encryption methods that can stand against these new powerful computers. The stakes are high: we also need to master these technologies to avoid having anti-democratic or terrorist groups abuse encryption to act against our open societies. 

While the US has taken the lead so far in defining post-quantum cryptography (PQC), Europe also has a chance to become a global leader.


Europe versus the US

So far, the US has taken the lead in defining PQC. The US’s National Institute of Standards and Technology (NIST) started a post-quantum cryptography competition in 2016 to identify cryptographic algorithms able to withstand quantum computer attacks by 2022 — and make them available by 2024. A bit ironic given that five years ago, US entities like the National Security Agency (NSA) were spying on the world.

So how can Europe 'crack the code' and take a leadership position in PQC? It’s actually easier than we might think. 

Firstly, we already have the talent here: among the seven NIST finalists, all cryptosystems except one have a majority of European scientists participating in their development. We need to keep those talented individuals in Europe, through less bureaucratic and more purpose-driven funding mechanisms, and through an effective Digital Single Market to build a market on the same scale as the US and China. Otherwise, European policymakers will keep subsidising tech leaders that will then fly over the Atlantic to deploy their solutions.

There's a clear window of opportunity for Europe to be the ‘third way’ between other tech superpowers.

Secondly, there's a clear window of opportunity for Europe to be the ‘third way’ between other tech superpowers, provided they're much more proactive and technologically savvy. In the case of PQC, there are rising concerns over the monopoly that the NIST and the US administration has on the normalization of PQC technology worldwide. The EU can act as the ‘kingmaker’ not only in cryptography but also in AI, greentech or healthcare — provided we are bold, fast and agile.

Defining the code of tomorrow

European policymakers should take note. As the NIST example shows beyond soft and hard power, regulatory power can also pave the way for tech dominancy. The NIST (a federal agency of the US Department of Commerce) doesn’t have any international legal authority. Yet, since the US hosts by far the biggest postquantum ecosystem, the NIST is in the position to declare standards that will become industry requirements — this already happened in the early 2000s for the standardisation of cryptosystems such as the AES (now the most widely used encryption method in the world) and SHA-3 (now used for some bitcoins).

It's said that 'code is read more than it is written'. In the case of the NIST competition, it highlights on the contrary that policymakers can still define the code of tomorrow — if they act and craft the future now, develop much stronger foresight capabilities and find the missing boldness and agility, by working much more closely with the European technology ecosystem and the civil society. 

André Loesekrug-Pietri is chairman of the Joint European Disruptive Initiative (JEDI). He tweets at @andrepietri.