Plan for failure with quantum in-depth approach to PQC
(QuantumXchangeBlog) The National Institute of Standards and Technology (NIST) will finalize its list of quantum-safe encryption algorithms and standards designed to resist the threat of quantum computers in a few short months. The final selection process is only the beginning of a multi-year cryptographic transition that is certain to be fraught with challenges, uncertainties, and unforeseen risks.
Uncertainty permeates the Post Quantum Cryptography (PQC) Project itself, which is why the agency is selecting multiple algorithms and embracing “crypto agility” as a key feature in the forthcoming standard and crypto-transition guidance. Read more about crypto agility here.
NOTE: IQT-News summarizes the QuantumXchange blog on Quantum discussing the PQC adoption challenges and planning requirements.
Visibility and Logistics
The PQC transition will be a major undertaking, requiring the largest global cryptographic transition in the history of computing. Quantum Risk Assessment, or knowing which parts of your IT environment rely on the public key encryption (PKE) methods most susceptible to quantum attack, is not well recognized, understood, or deployed by most organizations. (See CIO’s Guide for Implementing Quantum-Safe Key Delivery)
Testing and Awareness
Beyond these logistical hurdles, the SC Magazine article cautions that until a quantum computer comes along that is powerful enough to break classic encryption, NIST can only evaluate candidate algorithms based on mathematical estimations of what these computers might do. This means an algorithm selected as a standard could fail. It’s worth pointing out that all math-based encryption standards have eventually failed or have been cracked by adversaries.
Plan to Fail – Quantum-in-Depth
As we enter 2022, organizations should heed the advice of NIST Computer Security Division Chief Matthew Scholl, “It’s no time to panic, it’s time to plan wisely.”
As SC Magazine points out, “the quantum computing landscape is still murky enough to create substantial pockets of uncertainty that can make it impractical or dangerous for organizations to put all their eggs in one basket.”
We agree wholeheartedly, which is why Phio TX was designed to be vendor agnostic and platform independent, and to work with all forms of quantum-resistant security, i.e., PQC, QKD, QRNG, or a combination, for a defense-in-depth approach to post-quantum security preparation. The simple architecture overlay can be dropped into your existing encryption environment to make legacy encryption keys immediately quantum safe (see how here).