What is the quantum computing urgency, what is the latest post-quantum cryptography (PQC) timeline, and why should organizations prioritize this? The shift to quantum computing is going to be a massive one in terms of migration, transition planning, and deployment, and companies need to start readying their systems, infrastructures, and applications now to manage security risks and maintain high performance throughout the transition. I recently presented at the Sectigo Summit 2022 to share insights on what’s needed during this process and why crypto agility and the management of the cryptography that enterprises use are important. My presentation, PQC Timeline and Deployment Example, is available on demand here.
Post-Quantum Computing Needs and Urgency
The White House has issued a National Security Memorandum with the goal to improve the Cybersecurity of National Security, U.S. Department of Defense, and Intelligence Community Systems. The memo states that agencies need to “identify any instances of encryption not in compliance with NSA-approved Quantum Resistant Algorithms or CNSA, where appropriate.” We believe that organizations in all industries should follow suit.
If organizations don't have a post-quantum computing roadmap yet, they need to develop one. A good place to start is Preparing for Post Quantum Cryptography, created by the National Institute of Standards and Technology (NIST) with the U.S. Department of Homeland Security (DHS). For background about the risks quantum computers pose to current cryptography, organizations can look to Managing Cryptographic and Quantum Risk. For the latest on post-quantum cryptography standards, check out our recent blog post, Quantum-Safe Cryptography Standards Are Taking Off.
NIST’s PQC Timeline
We expect NIST to soon announce the PQC algorithms it has selected to standardize. Once the specifications of these cryptographic algorithms are published, organizations will need to start planning for their actual deployment in 2023. Publicly reviewable draft standards for these Generation 1 algorithms are expected sometime in 2023.
If you are working on anything related to cryptography, using a draft specification is a good idea. Collectively, we’ll also want to keep an eye on future algorithm standardization candidates that focus on digital signature algorithms.
In 2024, NIST will publish a Federal Information Processing Standard (FIPS) for the PQC algorithms. At this point, FIPS 140-3 Cryptographic Modules can deploy the FIPS PQC algorithms as “FIPS Allowed.” FIPS 140-3 is one of the most important FIPS standards, providing needed security for computer systems. “The standard provides four increasing, qualitative levels of security intended to cover a wide range of potential applications and environments. The security requirements cover areas related to the secure design, implementation, and operation of a cryptographic module,” writes NIST.
In the 2025-2026 timeframe, FIPS certification for the PQC algorithms will become available. This will allow cryptography vendors to certify their PQC implementations. At that point, FIPS 140-3 Cryptographic Modules can deploy certified PQC implementations as “FIPS Approved.”
Post 2026, NIST will continue investigating other PQC algorithms for potential standardization (which I refer to as Generation 2 algorithms in my presentation), with a particular focus on digital signature algorithms. This means that organizations will still need to monitor the progress and consider the possibility of changing to a different digital signature algorithm in the future — this is especially important for public key infrastructures (PKIs) and highlights why crypto agility is such an important feature to integrate into PKIs today.
Quantum-Safe Technology Implementation is Critical
To establish long-term security, organizations need to mitigate the risk of quantum attacks, for example by using redundant databases secured with quantum-safe technologies. In my presentation, I outline an example of PQC deployment with the National Institute of Information and Communications Technology (NICT), Japan’s national research institute. NICT is currently working on a system to protect healthcare records countrywide, referred to as the Healthcare Long-term INtegrity and COnfidentiality protection System (H-LINCOS). Learn more about what is being done and how.
As organizations are transitioning to new cryptographic standards, ISARA can help make the transition smoother with crypto-agile technologies and quantum-safe cryptography to protect organizations’ mission-critical assets now, in the quantum age, and beyond. Learn more about how to manage your cryptography with the ISARA® Advance Crypto Agility Suite, an enterprise platform to enable the discovery, management, and remediation of organizations’ cryptographic infrastructure.