Commvault has added the HQC algorithm to its platform to complement the potential security vulnerabilities of ML-KEM, aiming to provide customers with comprehensive protection that allows for “data collection before decryption.”
Commvault has expanded its support for post-quantum cryptography on its platform, as current encryption algorithms will inevitably be compromised—whether the time has come is irrelevant.
The New Jersey-based data protection and management company integrated post-quantum algorithms recognized by the U.S. NIST standards agency into its Commvault Cloud platform last year, while implementing a cryptographic agility framework.
Now, the company has introduced the Hamming Quasi-Cyclic algorithm, which was designated by NIST earlier this year as an alternative to ML-KEM (FIPS 203), the primary algorithm for key encapsulation.
The organization refers to HQC as a “backup line of defense when quantum computers can one day break ML-KEM. Both algorithms are designed to protect stored information as well as data transmitted over public networks.”
However, NIST explains that they want an alternative based on different mathematical principles in case ML-KEM shows vulnerabilities. While the ML-KEM algorithm is built on a mathematical concept known as structured lattices, the HQC algorithm is developed based on another concept called error-correcting codes.
Data collection will be halted immediately.
Commvault will launch HQC through its platform, meaning that Commvault Cloud customers running CPR 2024 (11.36) or higher will immediately have support for this algorithm.
This move seems premature, as most quantum experts believe that a quantum computer capable of breaking existing encryption algorithms would need to have 10,000 qubits, and currently, no system possesses this capability. Reports indicate that IBM announced plans this week to build a 10,000-qubit system by 2029, leveraging advancements in fault-tolerant technology, but this effectively equates to 200 logical qubits.
However, the truly concerning threat lies in the “data collection before decryption”—attackers steal data, including long-term intellectual property and national secrets, and decrypt it once they have the appropriate system. Even more frightening is that the world may not know who developed such a system or when it will actually be realized.
Commvault’s Chief Security Officer Bill O’Connell stated in a statement: “By integrating new algorithms like HQC and advancing our cryptographic agility framework, we are providing customers with the tools to confidently navigate this complex situation. Our goal is simple and clear: when the threat of quantum computing arises, we will help customers protect their data security.”