Government Closes in on Quantum-Resistant Encryption Standards – Plan for Failure with Quantum-in-Depth Approach

In a few short months, the National Institute for Standards and Technology (NIST) will finalize its list of quantum-safe encryption algorithms and standards designed to resist the threat of quantum computers. The final selection process is only the beginning of this multi-year cryptographic transition that is certain to be fraught with challenges, uncertainties, and unforeseen risks.

Uncertainty permeates the Post Quantum Cryptography (PQC) Project itself, which is why the agency is selecting multiple algorithms and embracing “crypto agility” as a key feature in the forthcoming standard and crypto-transition guidance. Read more about crypto agility here.

A recent SC Magazine article highlights other “uncertainties” with the NIST PQC Project and how best to prepare for the looming quantum threat or Q-Day, when a quantum computer breaks today’s encryption standards.

Visibility and logistics are one area discussed, testing and awareness another. These issues have been raised and address by NIST previously in their paper, Getting Ready for Post-Quantum Cryptography: Exploring Challenges Associated with Adopting and Using Post-Quantum Cryptographic Algorithms.  It’s likely this white paper will serve as the foundation for the migration playbook the National Cybersecurity Center of Excellence (a research center within NIST) to help organizations identify vulnerable systems and answer questions around transition and implementation. Quantum Xchange also addresses these PQC adoption challenges and planning requirements here.

Visibility and Logistics

The PQC transition will be a major undertaking and require the largest, global cryptographic transition in the history of computing. History shows past cryptographic transitions can take years, even decades to complete. Look no further than the 20 years it took for the Advanced Encryption Standard (AES) to completely replace Data Encryption Standard (DES) and 3DES. We must get it right this time. There’s just too much at stake not to — 4.5 billion internet users, 200 million websites, $3 trillion of retail e-commerce annually are protected by public key encryption (PKE) methods and vulnerable to quantum attack.

Quantum Risk Assessment or knowing which parts of your IT environment are reliant on PKE methods most susceptible to quantum attack, is not well recognized, understood, or deployed by most organizations. (See CIO’s Guide for Implementing Quantum-Safe Key Delivery)

Bill Newhouse, a NIST engineer echoes this sentiment in a recent presentation to the Information Security and Privacy Advisory Board sharing, “A lot of people don’t have any real sense of where {their public key encryption} are deployed in their systems. The non-technical folks that rely on them probably just don’t really recognize that it’s all going to be rather complicated.”

Quantum Xchange has built a robust quantum literacy program to help IT security professionals, especially those responsible for protecting long-duration data, become agents of change within their organizations – conveying to leadership and non-technical stakeholders the severity and immediacy of the post-quantum crypto migration. Faced with competing priorities, they may otherwise fail to understand why this issue deserves immediate attention and investment.

Testing and Awareness

Beyond these logistical hurdles, the SC Magazine article cautions that until a quantum computer comes along powerful enough to break classic encryption, NIST can only evaluate candidate algorithms based on mathematical estimations of what these computers might do. Meaning, an algorithm selected as standard could fail. It’s worth pointing out that all math-based encryption standards have eventually failed or have been cracked by adversaries.

Once the standard selection process is finalized, NIST plans to work with academia, members of the industry, and other vested agencies like the NSA to build, test, and troubleshoot migrations in a lab setting – then promote these findings as part of their ongoing awareness campaign.

NIST Researcher William Baker shared with SC Magazine, “there are a bundle of outstanding questions about the effect these new algorithms will have on the broader IT ecosystems they operate in, questions that must be worked out in advance because if the agency doesn’t have the answers, it’s almost certain that other organizations are similarly in the dark.”

Plan to Fail – Quantum-in-Depth

As we enter 2022, organizations should heed the advice of NIST Computer Security Division Chief Matthew Scholl, “It’s no time to panic, it’s time to plan wisely.”

As the SC Magazine points out, “the quantum computing landscape is still murky enough to create substantial pockets of uncertainty that can make it impractical or dangerous for organizations to put all their eggs in one basket.”

We agree whole heartedly, which is why Phio TX was designed to be vendor agnostic, platform independent, and work with all forms of quantum-resistant security, i.e., PQC, QKD, ORNG or a combination for a defense-in-depth approach to post-quantum security preparation. The simple architecture overlay can be dropped into your existing encryption environment to make legacy encryption keys immediately quantum safe (see how here).

The next-generation key distribution system features all PQC key encapsulation candidate algorithms for crypto agility and is impervious to potential PQC implementation errors or unforeseen weaknesses in the algorithms selected due to its out-of-band key delivery technology – where key generation and delivery are decoupled from data transmissions.

Enterprise ready as a FIPS 140-2 validated implementation, Phio TX can be deployed today with very little lift or outlay. Replacement of existing algorithms, equipment, or network infrastructure is not required; network performance or reliability is not degraded in any way; and it works over any TCP/IP connection or network media type to delivery quantum-safe keys anywhere in the world. If desired, customers can even begin with PQC then eventually add QKD with no changes needed to the underlying infrastructure, no fiber required, and no limitations on key delivery.

The quantum-in-depth solution gives users the peace-of-mind knowing their network communications infrastructure and data links are stronger today and future-proof from quantum attack. Contact Quantum Xchange today.

Sign Up for Updates from Quantum Xchange

Quantum Xchange does not share or rent your information to any third parties.