NIST Post Quantum Crypto timelines: avoiding the dangerous misconception

In response to the threat that quantum computers pose to the RSA and ECC public-key algorithms, the National Institute of Standards and Technology (NIST) has been leading an effort to define replacement cryptographic algorithms.

The goal is to create standards for new asymmetric encryption algorithms capable of withstanding attacks from Quantum Computers.

NIST started this process in 2015 and has stated that fully published standards will be available in 2024.

The new Post Quantum Crypto algorithms will replace RSA and ECC for a wide variety of applications and use cases. Conversion to new algorithms is a major undertaking, impacting PKI systems, TLS and VPN protocols, crypto libraries, HSMs, TPMs and a host of other systems. Rolling out these new algorithms across the entire ecosystem and supply chain will take years. If companies don’t already have a roadmap for migration to PQC, they need to start now.

NIST timeline misconception

With NIST standards expected in 2024, some assume that we must wait until 2024 to begin implementing post quantum crypto solutions. This is a misconception. NIST has stated that they plan to announce the algorithms to be standardized in December of 2021 or January of 2022. In just a few months, we will know what algorithms will be standardized. In fact, NIST has already announced XMSS and LMS as standards for hash-based signature algorithms.

By early 2022 companies can begin implementing the Post Quantum Crypto solutions based on standardised algorithms. Implementations of these algorithms are available, so companies don’t have to wait until 2024 to begin migration from classical crypto solutions to the new Post Quantum Crypto (PQC) algorithms.

Although implementation details may change to some degree between now and 2024, we should begin using these algorithms as soon as they are announced. Software updates allow libraries to support modifications to the algorithms. Hardware implementations can also handle changes to algorithm parameters and details by taking advantage of HW-SW codesign principles.

Given the magnitude of the effort required for migration to post quantum crypto algorithms, this is very good news.

Migration to Post Quantum Crypto

Enterprises should begin developing a plan to migrate their systems to Post Quantum Crypto algorithms. This process begins with education. Many companies are even forming their own crypto centres of excellence with dedicated staff to lead this effort.

Next, companies need to create an inventory of crypto solutions. This means conducting a comprehensive audit of the company’s cyber infrastructure and gathering a broad set of information including:

· What devices, systems, programs, and servers are using cryptography?

· What algorithms are used?

· What is the purpose of each implementation?

· What type of cryptography is used by each?

· Is this cryptography implemented in a software library? Or in hardware?
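The inventory questions above map naturally onto a small classifier. The following is an added example, not code from the article or from PQShield: it takes constructed inventory lines (asset, software or hardware, purpose, and the algorithm strings observed in a config or scan), labels each algorithm with its family, and flags the ones a large quantum computer would break (RSA, ECC, finite-field DH/DSA), leaving AES, SHA-2, XMSS/LMS and Kyber unflagged. The assets, the regex rules and the "hardware first" ordering in `migration_order` are this example's own assumptions.

```python
"""Crypto-inventory classifier (added example, not from the article or PQShield).

Input lines answer the inventory questions: which asset, software or hardware,
what purpose, and which algorithm strings were observed. Output is one Finding
per (asset, algorithm) with a quantum-vulnerability flag.
"""
import re
from dataclasses import dataclass

# Constructed sample input: "<asset> | <software|hardware> | <purpose> | <config or scan snippet>"
SAMPLE_LINES = [
    "vpn-gw-01 | hardware | IPsec IKEv2 | ike=aes256-sha256-modp2048 esp=aes256gcm",
    "web-01 | software | TLS server cert | Signature Algorithm: sha256WithRSAEncryption, RSA 2048 bit",
    "api-01 | software | TLS 1.3 handshake | Cipher: TLS_AES_128_GCM_SHA256, Key exchange: X25519",
    "fw-signer | hardware | firmware signing | HSM key type: ECDSA P-256",
    "build-01 | software | artifact signing | scheme: XMSS-SHA2_10_256",
    "lab-01 | software | experimental KEM | scheme: Kyber768",
]

# (regex, canonical name, family, broken by a large quantum computer?)
# Shor's algorithm breaks the public-key schemes; AES and SHA-2 only lose
# margin to Grover, and hash-based signatures and Kyber are designed to resist.
ALGORITHM_RULES = [
    (r"(?<![A-Za-z])RSA(?![A-Za-z])|WithRSAEncryption", "RSA", "asymmetric", True),
    (r"\bECDSA\b|\bECDH\b|\bP-(256|384|521)\b|\bX25519\b|\bEd25519\b", "ECC", "asymmetric", True),
    (r"\bmodp\d+\b|\bDH\b|\bDSA\b", "finite-field DH/DSA", "asymmetric", True),
    (r"(?<![A-Za-z])AES[-_]?\d+", "AES", "symmetric", False),
    (r"(?<![A-Za-z])SHA-?\d+", "SHA-2", "hash", False),
    (r"\bXMSS\b|\bLMS\b", "XMSS/LMS", "hash-based signature", False),
    (r"\bKyber\d*\b", "Kyber", "PQC KEM", False),
]


@dataclass(frozen=True)
class Finding:
    asset: str
    implementation: str  # "software" or "hardware": the last inventory question
    purpose: str
    algorithm: str
    family: str
    quantum_vulnerable: bool


def classify_snippet(snippet):
    """Return (name, family, vulnerable) for every rule that matches the snippet."""
    return [(name, family, vuln)
            for pattern, name, family, vuln in ALGORITHM_RULES
            if re.search(pattern, snippet, re.IGNORECASE)]


def build_inventory(lines):
    """Turn raw inventory lines into one Finding per (asset, algorithm)."""
    findings = []
    for line in lines:
        asset, impl, purpose, snippet = (part.strip() for part in line.split("|", 3))
        for name, family, vuln in classify_snippet(snippet):
            findings.append(Finding(asset, impl.lower(), purpose, name, family, vuln))
    return findings


def quantum_vulnerable_assets(findings):
    """Map each asset to the sorted list of quantum-vulnerable algorithms it uses."""
    result = {}
    for f in findings:
        if f.quantum_vulnerable:
            result.setdefault(f.asset, set()).add(f.algorithm)
    return {asset: sorted(algs) for asset, algs in result.items()}


def migration_order(findings):
    """Vulnerable assets to migrate, hardware implementations first (assumption:
    HSMs, TPMs and similar have the longest replacement lead time), then by name."""
    vulnerable = quantum_vulnerable_assets(findings)
    impl_of = {f.asset: f.implementation for f in findings}
    return sorted(vulnerable, key=lambda a: (impl_of[a] != "hardware", a))


if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_LINES)
    for f in inventory:
        flag = "QUANTUM-VULNERABLE" if f.quantum_vulnerable else "ok"
        print(f"{f.asset:10} {f.implementation:8} {f.algorithm:20} {f.family:22} {flag}")
    print("Migration order:", migration_order(inventory))
```

In a real audit the snippets would come from certificate dumps, TLS scans, VPN and HSM configuration exports and library version manifests rather than hand-written lines; the classification table is the part worth maintaining centrally, since it encodes which algorithm families the migration roadmap must replace.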

Once this information has been gathered, companies can begin working on a roadmap for migrating their systems. There are six key steps that should be taken for the migration to Post Quantum Cryptography algorithms, the first four of which can take place today. These include:

1. Education of the quantum threat

2. Inventory of internal cryptography implementations

3. Inventory of partner and supplier cryptography solutions

4. Develop a roadmap for migration to PQC

5. Implementation of PQC (multi-phased project)

6. Testing and integration

Moving towards quantum security

We are much closer to having standards for PQC than some people realise. This is critical as many of the systems being designed and developed today will still be in use after quantum computers are able to break RSA and ECC encryption.

Companies can, and should, act now and begin planning to migrate their systems to Post Quantum Cryptography. If we can take any lessons from the decade of work rolling out existing encryption standards, the first must be that failure to take action is simply delaying the inevitable.

About the Author

Alan Grau is Vice President of Business Development for PQShield, the leading provider of post quantum crypto solutions with both hardware and software implementations.

Featured image: ©Spainter_vfx