📌 European Union Agency for Cybersecurity (ENISA)'s European Cybersecurity Certification Group Sub-group on Cryptography published their "Agreed Cryptographic Mechanisms". The document covers cryptographic primitives (algorithms), constructions (encryption, signatures, etc.), TLS, RNGs and key management. Its purpose is to "specify which cryptographic mechanisms are recognised agreed, i.e., ready to be accepted by all national cybersecurity certification authorities (NCCAs)".
Some highlights from a quantum-safety perspective:
👉 Recommends hybridization to "provide assurance against the quantum threat as well as assurance against security issues that might affect the newer standardized post-quantum mechanisms"
👉 Symmetric
🏷️ Supports Triple-DES until 2027, despite it being disallowed by NIST already
🏷️ Recommends >192-bit parameters when quantum resistance is desired
👉 Hashes & MAC
🏷️ Recommends >384-bit output sizes when quantum resistance is desired
👉 Asymmetric
🏷️ Classical / Quantum-vulnerable
🤔 Parameters approx. under 128-bit security (RSA-2048, DH-2048, DSA-2048) are accepted until end of 2025!
💣 For RSA, it specifies: "A later acceptability deadline for user/data authentication with this particular algorithm may be set on a national level." Minimum ECC key size is 256 bits, so it doesn't include that end-of-life deadline.
🏷️ Post-quantum #PQC
🔖 Lattice cryptography (ML-DSA, ML-KEM) should not be used in standalone mode. Always in hybrid mode with a strong classical algorithm.
🔖 ML-DSA and ML-KEM are recommended on level 3 and 5 parameters. Level 1 is not recommended.
🔖 Hybridization of hash-based signature schemes is optional. SLH-DSA is supported under Level 3 and 5 parameters.
🔖 Frodo-KEM is supported under Level 3 and 5 parameters and in hybrid mode.
👉 Deterministic RNGs
🏷️ Recommended that the min-entropy of the seed is at least 188 bits
This document is interesting and clarifying, but I see two issues:
1. I haven't seen a timeline to deprecation of quantum-vulnerable cryptography in general. I think that's needed, and National Institute of Standards and Technology (NIST) has done well in announcing it (in draft form for now) under NIST IR 8547.
2. A deadline of 2025 for 112-bit classical crypto, like RSA-2048, seems too strict to me. New norms should avoid being challenged by reality. No other organisation has gone that close and I don't think the world will stop using RSA-2048 in 2026.
https://lnkd.in/dUi46V3s #cryptography #quantum #postquantum
Data Encryption Methods
-
Last week #NIST released three post-#quantum #encryption standards. Why is this significant? Put simply, from a practical standpoint: risk management and compliance.
First, on risk management: experts now say that quantum computing is less than a decade away. Quantum computers are expected to have the power to search large keyspaces very quickly, which means they will be able to decrypt current encryption. Moreover, it is entirely plausible that encrypted information recorded today is being stored for decryption when quantum computing becomes available. If you speculatively apply quantum-resistant encryption to your data now, you will reduce the risk of an adversary being able to successfully exploit your data when they have access to quantum computing.
Second, on compliance: NIST is the governing body for standards in the USA, and many other nations take their encryption standards from NIST, as they do not have resources at the same scale as NIST. You can be certain that NIST-approved post-quantum algorithms will start being mentioned in various compliance checklists, as is the case currently with algorithms such as AES-256 and SHA-256. Note well that these algorithms have #FIPS numbers associated with them - meaning "Federal Information Processing Standard".
Briefly, the approved algorithms are:
🔒 ML-KEM, for encrypted key exchange, as FIPS 203
🔒 ML-DSA, for digital signatures, as FIPS 204
🔒 SLH-DSA, for stateless hash-based digital signatures, as FIPS 205
There is a fourth algorithm, FN-DSA, also used for digital signatures, that is expected to be released in the next year.
-
🚨 Quantum computing is no longer a theoretical debate for blockchain. It is becoming a strategic infrastructure risk. After reading the latest Coinbase Independent Advisory Board report on Quantum Computing & Blockchain, I believe there are 3 critical points every executive in digital assets, banking and blockchain infrastructure should understand:
1️⃣ The real quantum threat is NOT today… but waiting is dangerous
One of the strongest conclusions of the report is surprisingly balanced:
👉 the cryptographic collapse is not imminent
👉 but preparing late would be a massive mistake
Breaking current blockchain cryptography requires a fault-tolerant quantum computer (FTQC), something enormously more complex than today’s machines. But here is the critical insight: Migration to post-quantum security may take a decade or more across:
• blockchains, wallets
• exchanges, custodians
• validators, institutions
NIST is already recommending PQ migration strategies before 2035. This means the strategic problem is no longer “if”. It becomes: “How do we migrate global blockchain infrastructure without breaking scalability, performance and trust?”
2️⃣ The biggest blockchain challenge is NOT encryption. It is consensus.
Most people think the problem is simply replacing wallet signatures. The report explains the real issue is much deeper. Modern blockchains depend heavily on:
• BLS aggregation
• threshold signatures
• validator synchronization
• consensus-level cryptography
And today… There is NO clean post-quantum replacement for many of these systems. This is critical because:
• Ethereum
• Sui
• Aptos
• many PoS chains
depend on aggregation mechanisms that quantum-safe cryptography still struggles to replicate efficiently. Meaning: Post-quantum migration may require redesigning parts of blockchain consensus itself. Not just changing wallets.
3️⃣ Quantum simulation may become the hidden accelerator of the threat
This is probably the most important strategic takeaway in the entire paper. The report explains that the main commercial driver for quantum computing is NOT breaking crypto. It is: financial, liquidity and reserve business. Why does this matter? Because if quantum simulation becomes economically valuable, investment and hardware progress could accelerate dramatically. And cryptographic capabilities would emerge as a byproduct. In other words: The future quantum risk to blockchain may not come from “hackers”. It may come from successful industrial adoption of quantum computing itself.
My conclusion? The blockchain industry needs to stop treating post-quantum security as a theoretical research topic. This is becoming:
• a governance problem
• an infrastructure problem
• a migration problem
• a consensus architecture problem
And the organizations that begin preparing now will likely become the trusted infrastructure providers of the next era of digital finance. Alfredo Joaquim John David
-
As we rush to adopt AI-driven architectures, one truth remains unchanged: data is still the crown jewel and encryption is its shield. But in the age of vector databases, retrieval-augmented generation (RAG), and embedding pipelines, the meaning of “encryption” has evolved. It’s no longer just about encrypting rows, tables, or files. It’s about securing semantic meaning (the vectors that represent knowledge, identity, and behavior).
Traditional encryption strategies were built for structured data:
-- Encrypt columns with AES-256
-- Manage keys in KMS or HSM
-- Secure data in motion with TLS
But vector databases store embeddings - high-dimensional representations of text, images, and audio. These vectors don’t look like sensitive data, but they are. They can leak identities, infer topics, or even reconstruct private information. In short: Encryption isn’t optional; it’s the new baseline for trust in AI systems.
Here are four practical strategies to secure data across both traditional and vector data stores:
1️⃣ Encrypt Everywhere - At Rest, In Transit, and In Use
2️⃣ Vector-Aware Encryption - Apply field-level or feature-level encryption for embeddings stored in vector databases (like Pinecone, Weaviate, Milvus, or Vertex AI Vector Search).
3️⃣ Key Management and Rotation - Centralize key management in a secure vault and implement automated key rotation and least-privilege access.
4️⃣ This list is not exhaustive -- but I am working on a book about the rest!
Encryption Alone Is NOT Enough
Encryption is your first line of defense - not your last. In addition to traditional methods, AI systems must layer encryption with:
-- Prompt injection prevention
-- Audit trails for vector queries - Because in modern RAG systems, data exposure can happen through inference, not intrusion.
-- And more
As AI architectures become more distributed and agentic, we need a “defense-in-depth” mindset for embeddings.
-
Energy Consumption of Post Quantum Cryptography: Dilithium and Kyber Beat Our Existing TLS 1.3 Performance
Like it or not, our existing public key methods will be easily cracked by quantum computers. We must thus look to new quantum robust methods to provide our key exchange, digital signing and public key encryption methods. Thus, TLS 1.3 and above will have to migrate away from anything that uses RSA and ECC, and towards quantum robust methods, such as with lattice techniques. For this, NIST recently started the standardization of Kyber for key exchange and public key encryption and of Dilithium for digital signatures. There will be others coming along behind them, though, possibly with Bike, FrodoKEM and Falcon for key exchange and Sphincs+ for digital signatures. But there’s a feeling that Post Quantum Cryptography (PQC) will not be as fast and will be more costly in energy consumption than our existing public key methods. Now, a relatively new paper puts this fear aside and shows that the best PQC methods can beat our elliptic curve and RSA methods for a TLS 1.3 handshake. https://lnkd.in/e3RUG7_u
-
🚨 NEW PEER-REVIEWED RESEARCH: PQC Migration Timelines
Excited to share my latest paper published in MDPI Computers: "Enterprise Migration to Post-Quantum Cryptography: Timeline Analysis and Strategic Frameworks." The transition to Post-Quantum Cryptography (PQC) represents a watershed moment in the history of our digital civilization. Organizations planning for a 3-5 year "upgrade" will fail. The reality is a 10-15-year systemic transformation.
Key Contributions:
📊 Realistic Timeline Estimates by Enterprise Size: Small (≤500 employees): 5-7 years; Medium (500-5K): 8-12 years; Large (>5K): 12-15+ years
⚠️ Critical Finding: With FTQC expected 2028-2033, large enterprises face a 3-5 year vulnerability window—migration may not complete before quantum computers break RSA/ECC.
🔬 Novel Framework Analysis: Causal dependency mapping (HSM certification, partner coordination as critical paths); "Zombie algorithm" maintenance overhead quantified (20-40%); Zero Trust Architecture implications for PQC
💡 Practical Guidance: Crypto-agility frameworks and phased migration strategies for immediate action.
Strategic Recommendations for Leadership:
1. Prioritize by Data Value, Not System Criticality: Invert the traditional triage model. Systems protecting long-lived data (IP, PII, Secrets) must migrate first, regardless of their operational uptime criticality, to mitigate SNDL.
2. Fund the "Invisible" Infrastructure: Budget immediately for the expansion of PKI repositories, bandwidth upgrades, and HSM replacements. These are long-lead items that cannot be rushed.
3. Establish a Crypto-Competency Center: Do not rely solely on generalist security staff. Invest in specialized training or retain dedicated PQC counsel to navigate the mathematical and implementation nuances. The talent shortage will only worsen.
4. Demand Vendor Roadmaps: Contractual language must shift. Procurement should require vendors to provide binding roadmaps for PQC support. "We are working on it" is no longer an acceptable answer for critical supply chain partners.
5. Embrace Hybridity: Accept that the future is hybrid. Design architectures that can support dual-stack cryptography indefinitely, viewing it not as a temporary bridge but as a long-term operational state.
6. Implement Automated Discovery: You cannot migrate what you cannot see. Deploy automated cryptographic discovery tools to continuously map the cryptographic posture of the estate, identifying shadow IT and legacy instances that manual surveys miss.
The quantum clock is ticking. Start planning NOW. https://lnkd.in/eHZBD-5Y
📄 DOI: https://lnkd.in/ejA9YpsG
#PostQuantumCryptography #Cybersecurity #QuantumComputing #PQC #InfoSec #NIST #CryptoAgility
-
We just hit 10,000 downloads of my free PQC (post-quantum cryptography) Migration Framework. The most common feedback surprised me. It wasn't "thanks for the resource" or "interesting…" From the people in my network who reached out, the most common response was some version of: "we have to redo our entire quantum security strategy."
I've now gotten enough direct feedback to say this is the best empirical data I have for something I suspected - most organizations started thinking about PQC migration this year, but they're working from incomplete mental models of what migration actually requires. A checklist that says "swap RSA for ML-KEM" does not capture the complexity of an enterprise-wide quantum readiness program.
The PQC Migration Framework (https://pqcframework.com) is free, open-source (CC BY 4.0), and built from what I've learned working across critical infrastructure, financial services, and defense - environments where getting this wrong has consequences that go beyond compliance findings.
What it covers that most internal efforts miss:
- Cryptographic discovery that goes beyond certificate inventories - hardcoded keys, embedded protocols, third-party dependencies. And a Minimum Viable CBOM model - you don't need 100% inventory to start migrating (you can’t even achieve it).
- Immediate classical security value - the same inventory that finds quantum-vulnerable RSA also surfaces deprecated TLS 1.0/1.1, weak keys, expired certs, and hardcoded secrets.
- Vendor dependency as the real critical path - most PQC timelines are most constrained by vendor GA dates. The framework includes procurement clauses, bridging patterns, and escalation playbooks for when vendors miss commitments.
- Hybrid deployment strategies that don't break existing interoperability (but can still introduce new, different vulnerabilities and operational overhead if you're not careful)
- Governance structures that treat PQC migration as a multi-year program, not a one-off project
- and many other points...
If your organization has started its quantum readiness journey, or thinks it has, stress-test your approach against the framework. The teams that had to restart weren't behind. They were just working from assumptions that didn't hold up.
The framework is completely free. No registration, no email gate, no "request a demo" - just a direct download. https://pqcframework.com
#pqc #postquantum #quantumsecurity #quantumreadiness
-
📌 The financial sector has now moved from quantum awareness to quantum execution. Europol, FS-ISAC, and the Quantum Safe Financial Forum (QSFF), together with major financial institutions, published: “Prioritising Post-Quantum Cryptography Migration Activities in Financial Services”; a practical migration framework designed specifically for financial institutions.
What makes this report particularly relevant for #boards, #regulators, and #CISOs? It introduces a structured prioritisation methodology based on two measurable dimensions:
1️⃣ Quantum Risk Score. Derived from:
• Shelf life of protected data
• Exposure
• Severity of compromise
2️⃣ Migration Time Score. Derived from:
• Solution availability
• Execution cost and time
• External dependencies
Migration Priority is determined by combining both scores into a risk–time matrix (see pages 8–10 of the report below ⬇️).
♨️ This shifts the conversation from “When will Q-Day happen?” to “Which business use cases require action now, and which require long-term orchestration?”
Two examples in the report illustrate this distinction:
🔹 Points of Sale (#PoS): medium quantum risk but high migration complexity due to hardware lifecycles, ecosystem coordination, and standardisation uncertainty (pages 12–15). ⛔️ Early planning is essential to avoid costly out-of-cycle replacements.
🔹 Public Websites (#TLS_confidentiality): medium quantum risk but low migration time due to hybrid schemes such as X25519MLKEM768 already supported by major browsers and CDNs (pages 16–19). ⛔️ This is one of the earliest practical deployment opportunities for quantum-safe protection in production environments.
Another important contribution of the report is its focus on cryptographic antipatterns (pages 21–24). Before large-scale PQC migration, institutions can implement no-regret actions:
• Automate TLS certificate lifecycle management
• Standardise TLS configurations (TLS 1.3 baseline)
• Eliminate legacy cipher dependencies
• Remove hard-coded credentials
• Strengthen key management governance
This approach aligns closely with supervisory expectations: #quantum_readiness must integrate into existing risk frameworks, asset lifecycle planning, and vendor coordination.
For financial institutions, the message is clear:
❌ Quantum safety is not a single migration event.
❌ It is a prioritised, staged governance programme that integrates cryptography, procurement, architecture, and regulatory alignment.
Full publication: Europol (2026), Prioritising Post-Quantum Cryptography Migration Activities in Financial Services. Available via Europol Publications Office: https://lnkd.in/d2bgsVKm
#PostQuantumCryptography #PQC #QuantumRisk #FinancialServices #CybersecurityGovernance #DigitalResilience #CryptoAgility #QuantumTransition #FinancialStability
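Two of the posts above turn on the same mechanism: the ENISA document's requirement that ML-KEM only be used in hybrid mode alongside a strong classical algorithm, and the Europol report's observation that the X25519MLKEM768 hybrid is already deployable for public websites. The following is an added example, not code from either report or from any browser or TLS library. It performs a two-message hybrid key exchange in the X25519MLKEM768 shape (the client sends an ML-KEM-768 encapsulation key and an X25519 public key; the server answers with an ML-KEM ciphertext and its own X25519 public key) using only the Go standard library, and assumes Go 1.24 or later, where crypto/mlkem is available. The domain-separation label in combine and the SHA-256 combiner itself are constructed for this example; real TLS feeds the concatenated secrets into its own key schedule instead. The tamper flag shows the defender-relevant property of a KEM with implicit rejection: a corrupted ciphertext produces no error, only a key that the peer does not share, so the mismatch must be caught by the protocol's key confirmation rather than by the decapsulation call.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// clientState keeps the client's ephemeral secrets between the two handshake steps.
type clientState struct {
	ecKey *ecdh.PrivateKey
	dk    *mlkem.DecapsulationKey768
}

// must panics on an unexpected error; acceptable for a stand-alone demonstration.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// clientKeyShare generates fresh X25519 and ML-KEM-768 key pairs and returns the
// public halves on the wire as: ML-KEM encapsulation key || X25519 public key.
func clientKeyShare() (*clientState, []byte) {
	ecKey, err := ecdh.X25519().GenerateKey(rand.Reader)
	must(err)
	dk, err := mlkem.GenerateKey768()
	must(err)
	share := append(dk.EncapsulationKey().Bytes(), ecKey.PublicKey().Bytes()...)
	return &clientState{ecKey: ecKey, dk: dk}, share
}

// serverRespond encapsulates to the client's ML-KEM key, runs X25519 with a fresh
// ephemeral key, and answers with: ML-KEM ciphertext || server X25519 public key.
func serverRespond(share []byte) (secret, response []byte) {
	if len(share) != mlkem.EncapsulationKeySize768+32 {
		panic(fmt.Sprintf("key share has unexpected length %d", len(share)))
	}
	ek, err := mlkem.NewEncapsulationKey768(share[:mlkem.EncapsulationKeySize768])
	must(err)
	pqSecret, ct := ek.Encapsulate()
	ecKey, err := ecdh.X25519().GenerateKey(rand.Reader)
	must(err)
	ecSecret := x25519Shared(ecKey, share[mlkem.EncapsulationKeySize768:])
	return combine(pqSecret, ecSecret), append(ct, ecKey.PublicKey().Bytes()...)
}

// clientFinish decapsulates the ciphertext, completes X25519 and derives the secret.
// ML-KEM uses implicit rejection: a tampered ciphertext yields a random-looking key,
// not an error, so a mismatch only shows when the two sides compare derived keys.
func clientFinish(st *clientState, response []byte) []byte {
	if len(response) != mlkem.CiphertextSize768+32 {
		panic(fmt.Sprintf("response has unexpected length %d", len(response)))
	}
	pqSecret, err := st.dk.Decapsulate(response[:mlkem.CiphertextSize768])
	must(err)
	ecSecret := x25519Shared(st.ecKey, response[mlkem.CiphertextSize768:])
	return combine(pqSecret, ecSecret)
}

// x25519Shared parses the peer's 32-byte public key and computes the X25519 secret.
func x25519Shared(priv *ecdh.PrivateKey, peerBytes []byte) []byte {
	peer, err := ecdh.X25519().NewPublicKey(peerBytes)
	must(err)
	shared, err := priv.ECDH(peer)
	must(err)
	return shared
}

// combine derives one key from both secrets, so an attacker must break both X25519
// and ML-KEM-768 to learn it. The label is a constructed example value; TLS feeds
// the plain concatenation into its own key schedule rather than hashing here.
func combine(pqSecret, ecSecret []byte) []byte {
	h := sha256.New()
	h.Write([]byte("example-hybrid-x25519-mlkem768")) // hypothetical domain-separation label
	h.Write(pqSecret)
	h.Write(ecSecret)
	return h.Sum(nil)
}

// runHandshake performs a full exchange and reports whether both sides derived the
// same key. With tamper set, one byte of the ML-KEM ciphertext is flipped in transit.
func runHandshake(tamper bool) bool {
	st, share := clientKeyShare()
	serverSecret, response := serverRespond(share)
	if tamper {
		response[0] ^= 0x01 // corrupt the ML-KEM ciphertext on the wire
	}
	return bytes.Equal(clientFinish(st, response), serverSecret)
}

func main() {
	fmt.Println("honest exchange, keys agree:", runHandshake(false))
	fmt.Println("tampered ciphertext, keys agree:", runHandshake(true))
}
```

Run it with `go run` on Go 1.24 or later; the honest exchange reports agreement and the tampered one does not, without any error surfacing from Decapsulate. That silent divergence is why hybrid deployments still need the protocol's own key-confirmation step (the Finished message in TLS) and why monitoring handshake-failure rates remains useful after switching a public endpoint to X25519MLKEM768.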
-
Apple Deepens Its Post-Quantum Security Strategy With Open-Source Release
Apple has taken another significant step toward quantum-resistant cybersecurity by publishing portions of its post-quantum cryptography implementation on GitHub. The move expands the company’s ongoing effort to protect iPhone, Mac, and other Apple platforms against future quantum computing threats that could eventually break many of today’s encryption methods.
Apple’s post-quantum journey began publicly with the introduction of the PQ3 protocol for iMessage in iOS 17.4. PQ3 added quantum-resistant protections not only when conversations begin but also throughout ongoing communications as encryption keys are refreshed. The goal is to defend against “harvest now, decrypt later” attacks, where adversaries collect encrypted data today in hopes of decrypting it once sufficiently powerful quantum computers become available.
The newly released GitHub repository includes source code from corecrypto, Apple’s foundational cryptographic library used throughout its security ecosystem. Corecrypto supports encryption, digital signatures, hashing, secure random number generation, and numerous security functions across Apple devices and services. By releasing the code, Apple enables researchers and security experts to review, test, and validate its implementations.
The repository contains implementations of the NIST-standardized post-quantum algorithms ML-KEM and ML-DSA, which Apple selected as part of its quantum-resistance strategy. It also includes testing frameworks, performance evaluation tools, build targets, and formal verification resources designed to help validate the correctness and security of the cryptographic implementations.
The decision to open-source these components reflects a long-standing principle in cryptography: security is strengthened through public scrutiny. Allowing independent experts to examine the code helps identify weaknesses, improve confidence, and accelerate broader industry adoption of quantum-resistant technologies.
Key Takeaways:
Apple has released portions of its post-quantum cryptography code through GitHub, including implementations of ML-KEM and ML-DSA.
The effort builds upon the PQ3 protocol introduced for iMessage and demonstrates Apple’s continued investment in preparing for future quantum computing threats.
The open-source release enables independent review, testing, and validation by the global security community.
The broader implication is that the transition to post-quantum cryptography is moving from theory to deployment. As quantum computing advances, organizations worldwide are beginning to replace traditional cryptographic systems with quantum-resistant alternatives. Apple’s actions highlight how major technology providers are actively preparing for a future in which information security must withstand both classical and quantum attacks.
Keith King https://lnkd.in/gHPvUttw