NIST Post-Quantum Crypto timelines: avoiding the dangerous misconception
(TechShield) Alan Grau, the Vice President of Business Development for PQShield, writes here to warn about the dangerous misconception that businesses do not have to begin integrating Post Quantum Encryption solutions until after the NIST standards expected in 2024. IQT-News here summarizes Grau’s article.
NIST started this standardization process in 2015 and has stated that fully published standards will be available in 2024.
The new Post Quantum Crypto algorithms will replace RSA and ECC for a wide variety of applications and use cases. Conversion to new algorithms is a major undertaking. Rolling out these new algorithms across the entire ecosystem and supply chain will take years. If companies don’t already have a roadmap for migration to PQC, they need to start now.
NIST has stated that they plan to announce the algorithms to be standardized in December of 2021 or January of 2022. In just a few months, we will know what algorithms will be standardized. In fact, NIST has already announced XMSS and LMS as standards for hash-based signature algorithms.
By early 2022 companies can begin implementing the Post Quantum Crypto solutions based on standardised algorithms. Implementations of these algorithms are available, so companies don’t have to wait until 2024 to begin migration from classical crypto solutions to the new Post Quantum Crypto (PQC) algorithms.
Although implementation details may change to some degree between now and 2024, we should begin using these algorithms as soon as they are announced.
Migration to Post Quantum Crypto
Enterprises should begin developing a plan to migrate their systems to Post Quantum Crypto algorithms.
Next, companies need to create an inventory of crypto solutions. This means conducting a comprehensive audit of the company’s cyber infrastructure and gathering a broad set of information including:
· What devices, systems, programs, and servers are using cryptography?
· What algorithms are used?
· What is the purpose of each implementation?
· What type of cryptography is used by each?
· Is this cryptography implemented in a software library? Or in hardware?
Once this information has been gathered, companies can begin working on a roadmap to migrate systems. There are six key steps that should be taken for the migration to Post Quantum Cryptography Algorithms, the first four of which can take place today. These include:
1. Education on the quantum threat
2. Inventory of internal cryptography implementations
3. Inventory of partner and supplier cryptography solutions
4. Develop a roadmap for migration to PQC
5. Implementation of PQC (multi-phased project)
6. Testing and integration
Moving towards quantum security
We are much closer to having standards for PQC than some people realise. This is critical as many of the systems being designed and developed today will still be in use after quantum computers are able to break RSA and ECC encryption.
Companies can, and should, act now and begin planning to migrate their systems to Post Quantum Cryptography. If we can take any lessons from the decade of work rolling out existing encryption standards, the first must be that failure to take action is simply delaying the inevitable.