By Paul Lucier, VP of Sales and Business Development, ISARA Corporation
Published on July 2, 2019
Awareness is spreading about the threat that large-scale quantum computing poses to current public key cryptography, and both nation-states and security professionals are taking note.
Over the last six months, we have seen a significant increase in discussion and investment in quantum-safe security development and testing.
This has resulted in several significant milestones in the space, including the signing of the US National Quantum Initiative Act, the release of DISA’s Quantum-Resistance Cryptography Prototype OTA document and the development of the first commercial quantum-safe HSM from Utimaco.
- December 21, 2018 - the United States passed the National Quantum Initiative Act which calls to:
- The Act calls for an investment $1.2 B in quantum technology and security to “accelerate quantum research and development for the economic and national security of the United States”
- The Act was passed to “ensure the continued leadership of the United States in quantum information science and its technology applications by promoting the development of international standards for quantum information science and technology security”
- It also calls for collaboration with international governments, as well as academic and industry leaders to prepare to the quantum threat
- In regards to cybersecurity, the Act specifically states that “IN GENERAL.—Not later than 1 year after the date of enactment of this Act, the Director of the National Institute of Standards and Technology shall convene a consortium of stakeholders to identify the future measurement, standards, cybersecurity, and other appropriate needs for supporting the development of a robust quantum information science and technology industry in the United States”
- May 6, 2019 - DISA posts the Quantum-Resistance Cryptography Prototype OTA
- The purpose of the Quantum-Resistance Cryptography Prototype OTA is to “research, evaluate, test, and deliver a prototype utilizing cryptographic algorithms and solutions that would secure DoD (Department of Defense) IT systems against both quantum and classical computers”
- What is an OTA? An “Other Transaction Authority” is a government document that authorizes the research & development of emerging technologies in the form of prototypes and other projects.
- The document states that:
- The "DoD must begin now to prepare its information security systems to be able to resist attacks from large-scale quantum computers”
- “One of the immediate concerns facing DoD has to do with public key cryptography data encryption”
- “DISA has begun to investigate quantum-resistant or quantum-safe cryptography algorithms and solutions.”
- What is DISA? The Defense Information Systems Agency is “a combat support agency of the Department of Defense (DoD)” (via DISA)
- Provides IT support to major branches of the DoD
- Has over 4.5 million users on current Public Key Infrastructure, all of which will be at risk when large-scale quantum computing becomes a reality
These two documents, the National Quantum Initiative Act and the DISA OTA, are very significant, as they mark the first time that we have seen the US government both acknowledge the urgency and actively invest in quantum-safe security solutions.
Also, we’re thrilled to announce the most recent quantum-safe milestone: the first quantum-safe HSM from Utimaco hit the market utilizing the ISARA Radiate™ Quantum-safe Toolkit.
- June 24, 2019 – Utimaco launches the first commercial quantum-safe HSM
- The Q-safe Firmware extension to the Utimaco CryptoServer utilizes the ISARA Radiate™ Quantum-safe Toolkit allowing developers to begin testing Kyber and Dilithium (both lattice-based cryptography) within their existing environments using the Utimaco HSM Simulator.
- Utimaco’s CEO Stefan Auerbach stated “The work we’re doing today is a fundamental building block for the implementation of quantum-safe algorithms. By using these algorithms, we enable cybersecurity solution providers, IoT manufacturers, and other large organizations relying on cryptography to innovate and develop products that are well prepared against the quantum threat.”
- Read the full press release and check out the Utimaco blog post to learn more.
What’s next?
In August, NIST will hold their Second Post-Quantum Cryptography Conference in Santa Barbara, California. Leading cryptographers from around the world will gather to discuss the merits and limitations of the remaining 26 quantum-safe algorithms up for standardization. The goal is to obtain valuable feedback to determine which candidates will proceed to the next round of evaluation.
Within the commercial space, you’ll continue to see more foundational security products that integrate both crypto-agility and quantum-safe algorithms coming to market. Licensing the ISARA Radiate™ Quantum-safe Toolkit and ISARA Catalyst™ agile technologies allows companies such as Utimaco to embed quantum-safe solutions into their existing products.
Also, ISARA is collaborating on proof of concept projects with large car makers such as Volkswagen Group, as well as government agencies to determine how quantum-safe solutions will integrate into their existing infrastructure.
Getting started with quantum-safe security
We know that cryptographic migrations are complex and unique to each organization. This is why they oftentimes take several years to over a decade to complete.
However, we believe they can be seamless and cost-effective, but the reality is that if you haven’t started preparing yet, you’re potentially falling behind.
This is particularly true for the organization’s responsible for securing long-lived IoT devices, confidential information for extended periods of time or if you use PKI for identity & access management.
We recommend reaching out to our team at ISARA to answer questions unique to your organization. Some common ones include:
- Why do I have to worry about large-scale quantum computers if they don’t exist yet?
- Which critical assets should I begin with first?
- How are these quantum-safe algorithms going integrate with my system? Do I need to replace my existing equipment and infrastructure entirely?
If you have similar questions, and want to learn more about ISARA’s agile quantum-safe security solutions, or are interested in starting a proof of concept, contact us here