In the realm of cryptography, the advent of quantum computing has raised significant concerns about the security of classical encryption algorithms. As quantum computers continue to advance, the need for quantum-resistant encryption methods becomes increasingly evident. The National Institute of Standards and Technology (NIST) has taken on the monumental task of identifying and standardizing post-quantum cryptography (PQC) algorithms to ensure the security of digital communications in the quantum era.
We recently spoke with Dr. Torsten Staab, Chief Innovation Officer and principal technical fellow at Raytheon, about the cybersecurity challenges organizations might face during the transition period from classical to post-quantum cryptography, and why organizations could benefit from having a PQC strategy and phased implementation plan. What are the key motivations behind NIST's proposal to standardize several post-quantum cryptography (PQC) candidate algorithms?
The draft release of the first three NIST-sanctioned post-quantum cryptography (PQC) algorithms represents a major milestone in NIST’s seven-year-long journey to identify and standardize the next generation of quantum-resistant encryption and digital signature algorithms. These draft standards will enable organizations around the world to start evaluating what it will take to implement and operationalize these new PQC algorithms under real-world conditions.
The first round of PQC candidate algorithms that were announced by NIST on August 24th include one general purpose encryption algorithm (ML-KEM) and two digital signature algorithms (ML-DSA and SLH-DSA). There are other alternative encryption and digital signature algorithms under evaluation for potential future release as well.
There are a few reasons NIST is not just focusing on ratifying just one algorithm. One is implementation complexity and performance: some of their PQC candidate algorithms require a considerable amount of compute and/or storage resources, thus making them less suitable for deployment in resource-constrained environments (i.e., embedded systems, low-cost IoT devices). Another reason is risk mitigation. Should one of the newly released PQC algorithms get compromised in the future, organizations then have the ability to quickly transition to an alternative crypto algorithm.
Can you explain the concept of "crypto-agility" and why it is considered important in the context of PQC strategies? Crypto-agility refers to a hardware or software solution’s ability to replace its underlying encryption algorithms or protocols. Many of today’s IT or OT solutions, in particular embedded systems, have their encryption functions so deeply integrated or hardwired that they cannot be easily replaced or upgraded.
Crypto-agility sometimes also refers to a system’s ability to support and switch between multiple crypto algorithms and protocols (e.g., classical and PQC algorithms) on demand. The ability to support both classical and PQC is going to be especially important during the expected multi-year transition from today’s classical crypto to the emerging PQC algorithms and systems. At a global scale, this PQC migration period is expected to take well over a decade. The ability to replace crypto algorithms and protocols on the fly is also important, because it’s always possible that someone might still find a vulnerability in one of NIST’s upcoming PQC algorithms after they have been officially released. The compromise of the SIKE PQC algorithm in 2022, which was one of NIST’s PQC finalists, is a good reminder for why we need to be able to replace a system’s crypto algorithms or security protocols without much effort and cost.
How might organizations benefit from having a PQC strategy and phased implementation plan in place, especially concerning legacy IT/OT solutions?
At this point, nobody knows when Quantum Day or “Q-Day” might arrive. Q-Day is the day when quantum computers will have matured to a point they could break widely used asymmetric encryption algorithms such as RSA. Expert opinions on when Q-Day might arrive vary widely. Some estimates range from 5-15 years. With a steady increase in government and venture capital investments in Quantum Computing and significant Quantum Science-related breakthroughs now being reported every few months, Q-Day might arrive sooner than expected.
It is estimated that it will take more than a decade to transition the world’s IT/OT infrastructure from today’s classical crypto technology to tomorrow’s Post Quantum Crypto (PQC). Unfortunately, many of today’s IT/OT solutions cannot be easily upgraded to PQC. Consequently, some systems will have to be replaced, which is time-consuming and costly. To ensure continuity of operations, especially for critical IT/OT infrastructure and services, migrating to a PQC world requires careful planning and coordination. This is the primary reason why NSA, CISA, and NIST recently issued public guidance, urging all organizations to start developing their Quantum Security migration strategy now.
What challenges might organizations face during the transition period from classical to post-quantum cryptography, and how can these challenges be addressed effectively?
For many organizations, migrating from today’s classical encryption to NIST’s new PQC algorithms will take many years. This is because today’s crypto solutions are widely distributed and deeply embedded, and many implementations cannot be easily software-upgraded. Hardware-based implementations may have to be replaced entirely—all while ensuring continuity of operations. To be successful, this requires organizations to carefully plan and allocate resources well in advance. It also requires a lot of coordination across organizational boundaries (e.g., suppliers, partners, customers, end users, etc.). Developing a strategy and a phased implementation and migration plan will be key.
Could you elaborate on the potential risks associated with not having crypto agility and the inability to switch cryptographic algorithms in legacy systems as needed?
As witnessed by the recent compromise of SIKE, a finalist algorithm in NIST’s PQC competition, there are no security guarantees for any encryption algorithms or protocols, including PQC. Therefore, all future IT/OT solutions should be designed so that their underlying encryption algorithms and security protocols can be easily replaced if needed. Systems that are not crypto-agile and do not support PQC algorithms are likely to become prime targets for hackers. Depending on the type and sensitivity of the data handled by these systems; the privacy, safety, and security of anyone could be at stake.
###