With cryptography essential to every organization’s operation and continuity, progress on post-quantum cryptography standards is good news all around. By the end of March 2022, the National Institute of Standards and Technology (NIST) plans to announce the results of the third round of its Post-Quantum Cryptography (PQC) Standardization Process. NIST will summarize the results — which include the algorithms NIST has selected for standardization as well as the rational for their decisions — in a NIST Internal Report that will be publicly available. At that time, NIST will also announce any algorithm candidates that have not been selected for standardization but that will advance to a fourth round for further study, according to Dustin Moody, a leader of NIST’s PQC Standardization Process.
“If you're an organization, don't wait for the standard to be done,” emphasizes Matt Scholl, chief of the computer security division at NIST, in a recent interview. He outlines these steps for organizations to start taking now:
1. Start inventorying your most important information
2. Determine whether encryption is vulnerable
3. Develop priorities for using quantum-resistant encryption as you upgrade your infrastructures over the next couple of years
4. Prioritize and plan so that you’re ready to implement the new standards when they are available
If organizations don't have a roadmap, they need to develop one. A good place to start is Preparing for Post Quantum Cryptography, developed by NIST with the U.S. Department of Homeland Security (DHS). For background about the risks quantum computers pose to current cryptography, organizations can look to the guide, Managing Cryptographic and Quantum Risk.
Snapshot of Post-Quantum Cryptography Activity and Resources
For an update of what’s going on with quantum-safe standardization and what new standards (or updated versions of previous standards) might affect organizations, here are highlights and resources that outline the latest:
NIST: Expected to announce post-quantum algorithm selections in March 2022. NIST regularly updates its Post-Quantum Cryptography Standardization page. They will also be advancing certain algorithms to a fourth round of study, as well as announcing an “on-ramping” process to solicit proposals for new quantum-safe signature schemes not based on structured lattices.
ETSI: Published two technical reports on the NIST PQC algorithms, KEMs and Signatures — and a technical report State management for stateful authentication mechanisms, investigating issues for managing hash-based signature schemes in different deployment environments. It also previously published a report on quantum-safe migrations: Migration Strategies and Recommendations to Quantum Safe Schemes.
Next Steps: Where is Your Cryptography Lurking?
For organizations who already have a baseline understanding of the quantum threat, they next need to learn more about how they use cryptography internally and understand the security dependencies along their supply chains and between internal systems. Questions to ask themselves: Where is cryptography used? Where is it quantum-vulnerable? How sensitive are the applications it is used for? Read more in the Forbes article, The Unknown Unknowns: Tales From The Crypto Crypt.
Looking into standards-based solutions to replace cryptography that will be outdated or to augment current deployments with quantum-safe protections is smart. Developers will want to think carefully about how quantum-safe security can be included in the early stages of product development — especially for products with long design cycles and in-field lives.
As the countdown continues, let us know if you have questions or need help implementing crypto-agile technologies and quantum-safe cryptography for a seamless, practical transition to the forthcoming cryptographic standards. Request a meeting today.