NIST on why and how to get started with Post-Quantum Cryptography (PQC)

At Palo Alto Networks' Quantum-Safe Summit, Dr. Dustin Moody, Lead of the PQC Standardization Project at NIST, discussed NIST's research and offered guidance on how organizations can safely implement PQC.

Deyana Goh - Editor
Dr. Dustin Moody, Lead of the PQC Standardization Project at NIST. Image courtesy of Palo Alto Networks.

Since 2016, the US National Institute of Standards and Technology (NIST) – the agency responsible for developing technical standards and guidelines across industries – has been conducting research on Post-Quantum Cryptography (PQC), a set of standards and algorithms meant to protect current data and assets from being broken by quantum computing. So far, it has recommended five PQC algorithms, which have since become global standards.

At Palo Alto Networks' Quantum-Safe Summit held in January this year, Dr. Dustin Moody, Lead of the PQC Standardization Project at NIST, discussed NIST's PQC research and offered guidance on how organizations can safely transition from existing cryptographic protocols to these new PQC algorithms.

What is the quantum threat?

As quantum computing emerges from labs and into the real world, organizations in every industry are forced to confront the possibility of Q-Day – the day when quantum computers are powerful enough to break today's most ubiquitous encryption methods, such as RSA (Rivest-Shamir-Adleman) and ECC (Elliptic Curve Cryptography).

Describing the quantum threat and NIST’s research, Dr. Moody said, “The project that I’ve been involved with for the past several years deals with post quantum cryptography, and that is based on the fact that there are many companies trying to build what’s called a quantum computer. If they build a large enough one, it would be able to break many of the crypto systems which we use today, and so we want to be sure to have a secure replacement for those crypto systems for the future.”

'Harvest Now, Decrypt Later' (HNDL) threats are already in play: encrypted data is collected today so that it can be decrypted once quantum computers are powerful enough.

Dr. Moody explained HNDL, saying, “The threat of a quantum computer is that adversaries could be copying down your encrypted data today and just holding on to it until a quantum computer comes out. And then, if they’re able to leverage that, then they can get access to your information. Now, some of that information won’t matter, because this is in the future. But if you have information that is long lived, they’ll be getting access to it before you would like them to, especially because it takes time to migrate to new solutions. So you have to factor in that timeline as well.”

NIST’s research process and the security of the new algorithms 

According to Dr. Moody, NIST’s PQC research, which began in 2016, was a massive undertaking that involved researchers from all over the world.

“Our team at NIST is very strong, but we couldn’t do it alone. So we basically had a large international cryptographic competition with the world’s leading researchers and academics in cryptography. They helped develop these new crypto systems, and evaluated and tested them, as did we internally.”

Some skeptics, pointing to the uncertainty of the quantum threat, have questioned whether NIST's algorithms will be enough to secure current systems.

To that, Dr. Moody commented that the NIST team has a tremendous amount of confidence in the algorithms, emphasizing that they were studied by 300-400 of the best researchers for eight years, before being standardized. He added that it would be unrealistic to guarantee 100% security, but that the algorithms should be effective for at least the next decade.

He said, "The world's top minds have looked at this. Is that a 100% guarantee? No, we can't ever give that. Somebody could come along with a new idea, or something like a quantum computer or AI could come up with some new approach that we've never considered. That's always possible in the future, but we are confident that for at least the next decade or more, we can use these algorithms at their current security levels. And as a safeguard further against that, we have not just one algorithm, we have a few different algorithms based on different mathematical assumptions. So even if there's an advancement in one area, we have other algorithms ready that we can switch to."

The need for ongoing research

Although NIST has already come up with several PQC standards, algorithms and protocols, the research has not stopped.

“Now that we have the standards, that’s a huge milestone that we’re very proud of, so that people can begin to migrate to them. There’s still a lot of follow up work that we’re doing. There are new papers and research coming out that we have to keep track of. We’re trying to help provide guidance on the migration and the transition to these PQC solutions. We’re also looking ahead at the next generation of algorithms. It’s possible someone could come up with a new attack, and we have to have other algorithms ready. So we are currently evaluating other solutions as well, to provide some backups to these PQC standards,” Dr. Moody said.

How organizations should prepare for PQC

Dr. Moody said that organizations, led by their CISOs and IT leaders, should begin migrating to PQC as soon as possible, saying that it will be a “long, complex transition”. He pointed out that the US Federal Government has targeted a full migration to new PQC standards by 2035, and recommends that organizations adhere to this timeline.

He suggested taking the following steps to apply PQC.

  1. Get educated

Read the guides that many organizations, including NIST, have published about what PQC and the quantum threat are.

  2. Start a dedicated project

Following that, organizations should start a dedicated PQC project and assign someone to be in charge of it. At this stage, they should also make sure they have enough resources, and that their staff is properly trained.

  3. Do a cryptographic inventory

Dr. Moody stressed the need to start the project by doing a cryptographic inventory.

He said, "Find out where you're using cryptography in your systems, as well as in all the different products and software that you're using. And that sounds easy, but it's actually a really complicated task to find out where all that cryptography is."

  4. Plan to swap current protocols, while discussing with vendors

Once the cryptographic inventory is complete, organizations can start planning how to implement PQC algorithms and standards. He recommended having ongoing conversations with vendors, in order to ensure that vendors are also working towards PQC.

While making the transition, organizations should build with flexibility in mind, so that they can easily adapt to new standards if necessary – an approach known as crypto-agility.

He said, “Crypto-agility is the idea that you can easily switch out your cryptographic algorithms that you’re using today. We are going to need to transition to PQC. Is this going to be the last transition? No, we’re going to need to switch to something else at some point. So it makes a lot of sense to build in flexibility, to have crypto-agility while you’re doing this. And have that future idea in mind, because we won’t be using these forever. We’re going to need to do another switch. Anything that you can do along the way, to make that easier for the future, would certainly pay off.”
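As an added illustration (not code from the talk, NIST or Palo Alto Networks), the following Python pass takes a constructed cryptographic-inventory export, labels each endpoint's key exchange and signature algorithm as quantum-vulnerable or PQC, and orders the migration by HNDL exposure, so that long-lived data behind a vulnerable key exchange comes first. The record format, host names and the ten-year planning horizon are assumptions.

```python
import re

# Constructed sample export from a cryptographic inventory (hosts and values are made up).
# Fields: host, protocol, key exchange, signature algorithm, years the protected data must stay secret.
INVENTORY = """\
vpn-gw.example.internal,IKEv2,ECDH-P256,RSA-2048,10
web-portal.example.internal,TLS1.3,X25519,ECDSA-P256,1
archive-xfer.example.internal,TLS1.2,RSA-3072,RSA-3072,25
pilot-api.example.internal,TLS1.3,X25519MLKEM768,ECDSA-P256,3
code-signing.example.internal,CMS,none,ML-DSA-65,7
"""

# Public-key families a large quantum computer breaks: RSA, finite-field and elliptic-curve DH/DSA.
QUANTUM_VULNERABLE = re.compile(r"^(RSA|DH|DSA|ECDH|ECDSA|X25519|X448|Ed25519|Ed448)(-|$)")
# NIST PQC families (FIPS 203/204/205); a hybrid such as X25519MLKEM768 contains one of them.
PQC = re.compile(r"ML-?KEM|ML-?DSA|SLH-?DSA")

def classify(alg: str) -> str:
    """pqc, vulnerable, n/a (algorithm not used) or unknown (needs manual review, never silence)."""
    if alg == "none":
        return "n/a"
    if PQC.search(alg):
        return "pqc"
    if QUANTUM_VULNERABLE.match(alg):
        return "vulnerable"
    return "unknown"

def parse_inventory(text: str) -> list[dict]:
    keys = ("host", "proto", "kex", "sig", "years")
    return [dict(zip(keys, ln.split(","))) for ln in text.splitlines() if ln.strip()]

def priority(entry: dict, horizon_years: int = 10) -> str:
    """Only the key exchange matters for harvest-now-decrypt-later: traffic recorded today under a
    vulnerable KEX becomes readable once a quantum computer exists, so data that must stay secret for
    `horizon_years` or longer (an assumed planning horizon) goes first. A vulnerable signature is a
    future forgery risk, not a retroactive one, so it ranks below that."""
    kex, sig = classify(entry["kex"]), classify(entry["sig"])
    if "unknown" in (kex, sig):
        return "review"
    if kex == "vulnerable":
        return "high" if int(entry["years"]) >= horizon_years else "medium"
    return "medium" if sig == "vulnerable" else "low"

def migration_plan(text: str, horizon_years: int = 10) -> dict[str, list[str]]:
    """Group hosts by priority so the planning step and vendor conversations start with the worst."""
    plan: dict[str, list[str]] = {"high": [], "medium": [], "low": [], "review": []}
    for entry in parse_inventory(text):
        plan[priority(entry, horizon_years)].append(entry["host"])
    return plan
```

Calling `migration_plan(INVENTORY)` on the sample puts the VPN gateway and the archive transfer host in the high group, the two hosts with short-lived data or a PQC hybrid key exchange in the medium group, and the ML-DSA code-signing service in the low group.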

Resources and how to approach the learning process

To get started, Dr. Moody commented that there are numerous resources available to organizations wishing to educate themselves before and during the migration process. These include:

  • Government and industry websites, especially industry-specific resources
  • NIST’s website, PQC forum, and mailing list
  • US National Cybersecurity Center of Excellence (currently running a migration to PQC project, with 50 different industry partners and government agencies), which provides documents, guidance, and a FAQ section on PQC

He also highlighted the importance of experimenting with the algorithms and seeing what works, saying, "Experiment with the algorithms. The code is out there, the standards are out there, so you can actually test the algorithms. You could get it validated in your products. They are a little bit bigger than we're used to – that's an important thing that we want people to know. When you put it into a product, there might be some performance drawbacks because of that, so you really do want to test it out and know how that will affect things for future products."

NIST’s algorithms on the global stage

NIST, whose role is primarily to provide guidance for US government agencies, is not the only agency working on PQC standards and protocols. Other governments, as well as international standards organizations, are also adopting NIST’s algorithms and publishing PQC standards and guidelines.

“Ostensibly, our standards are just for the federal government. But the cryptographic algorithms inspire a lot of confidence, so many organizations use these globally, internationally around the world. There are many other layers and other standards organizations as well. So you’ve got the IETF [Internet Engineering Task Force] that deals with internet protocols. They’re taking the algorithms that we’ve standardized and putting them into some of the internet protocols, like TLS and IKE. There’s ISO, the international standards organization, and they’re putting our NIST algorithms in,” Dr. Moody said.

He concluded by saying that other governments, especially those who have partnered with the US, will also be adopting NIST's algorithms.

He said, “A lot of our partners, especially in Europe, Canada, and Australia, are going to be using the same algorithms that we’ve standardized. Their researchers were involved in the process to design and evaluate these algorithms, and so they have confidence in them.”

Deyana Goh is the Editor for Quantum Spectator. She is fascinated by well-identified as well as unidentified flying objects, is a Star Trek fan, and graduated with a Bachelor's Degree in Political Science from the National University of Singapore.