Preparing for the Future: A Guide to Transitioning to Post-Quantum Cryptography
Understanding Quantum Threats to Cryptography
As quantum computing technology advances, it poses significant risks to current cryptographic systems. The NCSC’s 2020 white paper, “Preparing for Quantum Safe Cryptography,” detailed the potential threats posed by quantum computers and outlined the efforts of organizations such as the US National Institute of Standards and Technology (NIST) and the European Telecommunications Standards Institute (ETSI) to address these threats.
Quantum computers exploit quantum mechanics to perform calculations in ways that classical computers cannot. Although today’s quantum computers are still limited and error-prone, the potential for more powerful quantum systems in the future is a serious concern. Such systems could potentially break traditional public key cryptography (PKC) algorithms, which include those based on integer factorization (RSA) and discrete logarithms (e.g., Diffie-Hellman, ECDH, DSA, ECDSA, EdDSA).
Risks of Quantum Computing to Current Cryptographic Systems
- Key Establishment and Encryption: Encrypted data intercepted and stored today could be decrypted in the future once a cryptographically relevant quantum computer (CRQC) exists, so data that must stay confidential for many years is already exposed to this risk. It is particularly significant for organizations that need long-term protection for high-value data.
- Digital Signatures: A CRQC could forge digital signatures or alter information protected by these signatures, impacting systems where keys are intended to have long operational lifetimes.
In contrast, symmetric cryptography (for example, AES with 128-bit keys) and hash functions such as SHA-256 are less affected by quantum advances and remain secure.
Transitioning to Post-Quantum Cryptography (PQC)
To mitigate quantum threats, post-quantum cryptography (PQC), also known as quantum-safe or quantum-resistant cryptography, offers a viable solution. PQC algorithms are designed to be secure against both classical and quantum computers. Transitioning to PQC involves:
- Planning the Migration: PQC algorithms are not drop-in replacements for current PKC algorithms. System owners must plan the transition carefully, ensuring compatibility with existing protocols and systems.
- For Commodity IT Users: PQC adoption will likely occur through software updates. Users of standard browsers and operating systems can expect a seamless transition as PQC algorithms are integrated alongside traditional PKC algorithms. Keeping devices and software updated according to NCSC guidance is essential.
- For Enterprise IT Owners: Organizations should ask their IT suppliers about their support for PQC and budget for the system updates needed to accommodate it. New IT systems should either support PQC or be upgradeable to PQC.
- For Bespoke Systems: Owners of proprietary or specialized systems need to select appropriate PQC algorithms and protocols and plan for updates as systems are refreshed or replaced.
Progress in PQC Standardization
NIST has been working since 2016 to standardize PQC algorithms, with significant contributions from the international cryptography community. Recent updates include:
- ML-KEM (CRYSTALS-Kyber) for key establishment.
- ML-DSA (CRYSTALS-Dilithium) and SLH-DSA (SPHINCS+) for digital signatures.
These standards mark a critical step in migrating to PQC. However, robust implementations of these standards are still in development. The NCSC recommends using PQC based on final, robust standards rather than draft versions.
Moving Forward
The IETF is updating protocols to integrate PQC, including key exchange and signature mechanisms in widely used protocols such as TLS and IPsec. Implementations of these drafts will be subject to change until the drafts are finalized as RFCs. For operational systems, the NCSC strongly advises using protocols based on finalized RFCs rather than draft versions.
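As an added example (not code from the NCSC guidance or from any project the page describes) of the "alongside" integration mentioned for commodity software and for the IETF TLS work: a hybrid key establishment that combines classical X25519 with ML-KEM-768, so an attacker has to break both to recover the session key. It assumes Go 1.24 or later, whose standard library includes crypto/mlkem; the HMAC label and the simulated client and server are constructed for the example.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/mlkem" // standard library since Go 1.24 (assumption for this example)
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // key generation or agreement failing is fatal in this example
	}
	return v
}

// combineSecrets derives the session key from both shared secrets with HMAC-SHA256
// (the HKDF-extract shape; the label is constructed for this example).
func combineSecrets(ecdhSecret, kemSecret []byte) []byte {
	mac := hmac.New(sha256.New, []byte("hybrid-kex-example-v1"))
	mac.Write(ecdhSecret)
	mac.Write(kemSecret)
	return mac.Sum(nil)
}

// HybridHandshake runs one X25519 + ML-KEM-768 exchange between a simulated server and
// client. It returns the key each side derived, plus the key the server derives if the KEM
// ciphertext is altered in transit: ML-KEM implicit rejection yields a different secret.
func HybridHandshake() (clientKey, serverKey, tamperedServerKey []byte) {
	// Server: one classical and one post-quantum key; both public halves go to the client.
	srvECDH := must(ecdh.X25519().GenerateKey(rand.Reader))
	srvKEM := must(mlkem.GenerateKey768())
	// Client: ephemeral X25519 agreement plus an encapsulation to the server's KEM key.
	cliECDH := must(ecdh.X25519().GenerateKey(rand.Reader))
	kemSecret, ciphertext := srvKEM.EncapsulationKey().Encapsulate()
	clientKey = combineSecrets(must(cliECDH.ECDH(srvECDH.PublicKey())), kemSecret)
	srvSecret := must(srvECDH.ECDH(cliECDH.PublicKey())) // server: recompute ECDH
	serverKey = combineSecrets(srvSecret, must(srvKEM.Decapsulate(ciphertext)))
	tampered := append([]byte(nil), ciphertext...)
	tampered[0] ^= 0x01 // one flipped bit: decapsulation returns a different key, not an error
	tamperedServerKey = combineSecrets(srvSecret, must(srvKEM.Decapsulate(tampered)))
	return clientKey, serverKey, tamperedServerKey
}

func main() {
	c, s, t := HybridHandshake()
	fmt.Printf("agree=%v tampered_agree=%v key=%x\n", hmac.Equal(c, s), hmac.Equal(c, t), c)
}
```

Because a tampered ciphertext silently produces a different key, a real protocol must confirm key agreement (as TLS does with its Finished messages) rather than rely on decapsulation errors.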
Preparing for the quantum future involves proactive planning and updates. By staying informed and adapting to new standards, organizations can secure their systems against the evolving quantum threat.