US National Security Agency Releases Cybersecurity Advisory on Quantum-Resistant Encryption Algorithms
In early September, the US National Security Agency (NSA) released a cybersecurity advisory notifying all National Security Systems (NSS) owners and operators of their future obligations in respect of quantum-resistant encryption algorithms.
The notice was issued following a recent NIST publication, announcing the first set of quantum-resistant algorithms that will form part of the standardization process for post-quantum cryptography. It also comes in response to the Biden Administration’s cybersecurity memorandum earlier in the year, which set out a series of deadlines for government institutions to toughen their security stance and begin the process of transitioning to quantum-resistant cryptography.
Cybersecurity has been a core White House talking point since the current administration came to power, with a series of memoranda and executive orders aimed at shoring up the national cybersecurity infrastructure. The rise of state-sponsored cybercrime, and the use of cyberattacks as a prelude to other forms of conflict, have seen cyber-resilience become a global priority.
The cybersecurity landscape is already complicated, but the impending arrival of a commercially viable, or cryptographically relevant, quantum computer arguably represents the biggest threat to the status quo. The security of Public Key Infrastructure relies on mathematical complexity, i.e. the calculations required to crack today’s cryptography are so difficult that they would take classical computers hundreds, if not thousands, of years to solve.
Quantum computers are complete game changers. Not only is the computational potential of a qubit many, many times that of a classical bit, but quantum computers also “think” differently to classical computers. Because they can calculate faster, and take fewer steps to reach a conclusion, the same cryptographic problems can be solved in a matter of hours.
A cryptographically relevant quantum computer is still a few years away, though optimistic estimates predict it will be a reality by the end of the decade. Even so, quantum computers pose a very real threat to data security today. Specifically, they could be used in a “harvest now, decrypt later” attack. Much of the sensitive data travelling across NSS networks has a useful lifespan of 20 years or more. In some instances, it has a ‘whole of life’ value.
With the final standardized algorithms announced by NIST likely to take anywhere up to 10 years to implement, there is a significant period of uncertainty, during which data can be harvested for future decryption without the protection of quantum-resistant algorithms.
The time to act on quantum-resistant algorithms is now
Naturally, the transition from classical to post-quantum cryptography will take some time to implement. However, growing awareness of the potential future threat is driving adoption today. Security-conscious organisations are already implementing roadmaps for their migration to a quantum-resilient stance.
Quantum Key Generation and Distribution are already embedded into some of today’s information and communications technology infrastructure, providing guaranteed forward secrecy of sensitive data. Quantum random number generators are being used to provide a source of genuine entropy (randomness), not just for cryptographic applications, but to help secure mobile applications, communications networks, IoT devices and more.
Crypto-agile hardware manufacturers are already incorporating the NIST finalist algorithms into their solutions, providing a hybrid option that comprises the best of today’s classical standards-based encryption and tomorrow’s quantum-resistant cryptography.