Post-Quantum Computing Security Challenge

It’s the year 2030, and post-quantum computing has moved from theoretical to practical implementation. Large organizations, including government agencies and corporations, are under pressure to protect their digital infrastructure against potential threats posed by quantum computers. Traditional encryption methods like RSA and ECC (Elliptic Curve Cryptography) are no longer considered secure due to quantum algorithms like Shor's algorithm, which can break them in a matter of seconds.

QSecure, Inc., a financial services company, is preparing to make the transition to post-quantum cryptography. The company handles large volumes of sensitive customer data and proprietary financial information, requiring it to stay at the forefront of security protocols.

Recently, QSecure has begun migrating its encryption standards to quantum-safe algorithms, but this process has proven complex and costly.

The Chief Information Security Officer (CISO), Taylor Brooks, has called for a meeting with the technical team to evaluate the best post-quantum cryptographic algorithms and to assess their integration into QSecure’s existing infrastructure. Taylor emphasizes the importance of balancing security, performance, and costs.

Taylor poses the following challenge:

  • “We need to identify which post-quantum algorithms we should implement for various functions such as key exchange, digital signatures, and encryption. But our systems are extensive, and our budget is limited. We can’t afford massive downtime or a complete overhaul. You must create a comprehensive transition plan that:
    • Recommends the most suitable quantum-safe algorithms based on security and performance.
    • Outlines a phased migration strategy, minimizing disruption to business operations.
    • Ensures compliance with relevant regulations and standards for the financial industry.
    • Provides cost estimates for the transition, including hardware upgrades, software integration, and staff training.”

Background

QSecure operates a global payment processing network and manages personal and financial data for millions of users. Its infrastructure is currently protected by RSA-2048 and ECC-based encryption for secure communications and data storage. However, with the impending threats from quantum computers, these protocols are considered vulnerable.

Additionally, the company operates under strict regulatory guidelines, including the Payment Card Industry Data Security Standard (PCI-DSS) and General Data Protection Regulation (GDPR). Failure to meet these guidelines or protect customer data could lead to heavy fines and loss of consumer trust.

Your Task

Your team is tasked with:

  • Researching and recommending quantum-safe encryption algorithms (such as lattice-based, hash-based, multivariate-quadratic, and code-based cryptography).
  • Proposing a step-by-step migration plan that outlines the order of transitioning different systems (e.g., data storage, network communications, user authentication).
  • Estimating the costs and resources required for full integration, including changes to existing hardware and software systems, employee training, and compliance updates.
  • Anticipating potential risks and challenges during the migration, including interoperability issues with legacy systems and maintaining data availability during the process.

In preparing your plan, consider the following:

  • What are the security risks QSecure faces with quantum computers, and how will the recommended cryptography methods mitigate those risks?
  • How can QSecure ensure compliance with regulatory standards while adopting post-quantum cryptographic algorithms?
  • What performance trade-offs might occur with the introduction of quantum-safe cryptography, and how can they be minimized?

TIMELINE
  • November 2024 – Competition details announced
  • February 20, 2025 (11:59 PM Eastern) – Preliminary submissions due
  • February 28, 2025 – Finalists notified
  • March 28-29, 2025 – Final presentations (during SCLC) and winners announced
PRIZES
  • First place: $2,000 USD
  • Second place: $1,000 USD
  • Third place: $500 USD
ELIGIBILITY REQUIREMENT
Only teams from current AIS Student Chapters are eligible to compete.

Rules

  • The project submissions should be the work of the project team. If faculty and/or other individuals have significantly contributed to the submission, please be sure to note their contributions.
  • Alpha / Early development system solutions are completely acceptable.
  • Submissions that are based on pre-beta solutions and/or from pre-existing on-going coursework projects are acceptable as well.
  • The contest materials must be submitted by the due dates.
  • Teams must be members of an AIS Student Chapter.
  • If the number of submissions allows, graduate and undergraduate groups may be judged separately. In this case, a team with a 50% or more graduate student composition will be classified as a graduate student team.
  • No deliverable can identify the university or school to which the team belongs. The team must refrain from using school colors in the submitted documents. The video should not indicate to which school the team belongs. If school identification is included in any of the submitted documents or video, the team will be eliminated from the competition. 

Final Round

The top submissions, as scored by the judges, will move on to the final round, to be held in person during the 2025 Student Chapter Leadership Conference at the University of Alabama. 

In this round, the teams will be required to make a 15-minute presentation of their report to a panel of judges. After the presentation, there will be a 10-minute Q&A with the panel of judges. Each slide deck must contain a title slide including the names of the team members (no email addresses or other contact information). The team should not identify its school affiliation on the title slide or anywhere else in the slide deck, nor should it mention that affiliation (directly or indirectly) during its presentation. Team members should refrain from wearing school colors.

Judging Criteria

1. Technical Understanding (30 points)

  • Clear explanation of quantum computing and its threat to traditional cryptography.
  • Selection and explanation of quantum-resistant cryptographic methods.

2. Feasibility and Execution (30 points)

  • Realistic transition plan for migrating to post-quantum cryptography.
  • Consideration of the bank’s current infrastructure, systems, and processes.

3. Risk Analysis and Contingency Planning (20 points)

  • Identification of potential risks and mitigation strategies.
  • Development of backup plans for failures or new vulnerabilities.

4. Presentation and Clarity (10 points)

  • Well-structured, clear presentation of technical concepts to both technical and non-technical audiences.

5. Research and Innovation (10 points)

  • Evidence of thorough research, creativity in approach, and use of emerging technologies.

Questions? Contact ais2025@ua.edu