The NSA just released an FAQ addressing Quantum Computing and Post-Quantum Cryptography. This FAQ advises organizations that use public key cryptography as a business enabler and critical security component of their infrastructures. We think about these topics a lot around here and so we thought we would decrypt this FAQ into 5 keys insights for you.
The NSA devotes significant resources investigating the security of information systems – domestic and foreign. Zero-day exploits and whether to fix an exploit to improve defensive posture versus leaving it untouched to allow better offensive access is resolved through a process known as the Vulnerabilities Equities Process (VEP).
VEP is also reflected in NSA’s public communications. An FAQ about Quantum Computing (QC) and Post-Quantum Cryptography (PQC) is not simply a communication about QC and PQC, but is the outcome of a debate on whether a topic is worth public attention, and if it is, what to say and what not to say about it. And who should be the target audience: domestic and/or foreign.
Insight #1 – Quantum Computing is Coming
The mere existence of this FAQ means the NSA believes that quantum computing is coming – and that it’s now time to prepare systems to safeguard against it. It took the industry almost 20 years from the early 2000’s to switch to today’s cryptography – and today’s environments are way more extensive, integrated, connected, distributed, and innovative. I will go on record now as saying with certainty that we will have quantum computers or processing environments that break today’s cryptography within the next 20 years! Given that it will take at least 10 years to elevate to PQC, organizations should implement a crypto agile foundation.
Insight #2- NIST Will Lead, NSA Will Follow
A trend in the FAQ is that NSA will follow the NIST’s process and adoption of the upcoming new PQC algorithms, and so should you. Whether discussing cryptographic requirements, acceptable algorithms, or potential timelines, NSA defers to NIST and their post-quantum efforts. In particular, NSA is trusting NIST to select the algorithms that will be used to secure National Security Systems (NSS). We anticipate finalization of initial PQC standards in the 2023 timeframe.
Insight #3- Hash-based Signatures Provide Post-Quantum Readiness Now
NIST has stated that certain Hash-Based Signatures (HBS) are post-quantum ready. These signatures are based on very well understood algorithms and have been blessed by the cryptographic community as being quantum-resistant. Deploying these techniques to secure firmware now is one way to embark on the quantum safe path. NSA agrees and supports the use of these algorithms in use cases such as signing firmware. Read more about what it means to be “Quantum safe now” here.
Insight #4 – Not Everything Needs to be Quantum
There are lots of things to do to prepare for a quantum safe state, but you do not necessarily have to adopt or deploy every “quantum” technology presented to you. For example, NSA thinks Quantum Key Distribution (QKD) is not there yet- and may never be realistically implemented at scale.
While some countries are assessing the QKD route for encrypting certain digital events, the NSA aligns with NIST in advising organizations to implement the use of PQC (post-quantum cryptography) to secure digital events instead. From a theoretical point of view, quantum mechanics should confer QKD an absolute security. But from a practical point of view, QKD is currently very far from having attained its theoretical security potential.
Insight #5 – Start with Where You Stand
We think a very practical first step is to first take stock of where your current cryptography is and how it is managed and used in your organization and supply chains.
In my next blog, I will talk about why this is an excellent first step, what information and control outcomes you will want to achieve, and how this provides a new foundation to elevate your digital trust for quantum preparedness.
The bottom line from NSA’s FAQ is that Quantum Computing is coming, and it’s time to start preparing for it.
Check back on this blog regularly as we will be talking about what work needs to be undertaken to be prepared for new advantages and new risks.