NIST standards, PQC certification, crypto-agility…And where to begin
The loudest narratives paint Q-Day as an impending event akin to a cybersecurity apocalypse, but Keys&More post-quantum cryptography (PQC) expert Gaëtan Pradel likens it to the gradual arrival of climate change, reminding us that the Q-era has already begun.
“We can talk about being ready for Q-day, but that’s not really what matters today,” Pradel asserts. “We need to be ready now, especially companies encrypting sensitive data that they are supposed to host for years. They should already be prepared, because of ‘store now, decrypt later.’”
Aptly named, ‘store now, decrypt later’ refers to a cyberattack in which criminals gather as much encrypted data as possible with the hopes of one day deciphering it using quantum computers.
Post-quantum-ready organizations face less exposure to these developing cybersecurity threats. For organizations yet to adopt a plan for the shifting cryptographic tides, however, time is of the essence.
Instead of Q-day, prepare for PQC certification day
Q-day refers to the moment when quantum computers successfully crack the algorithms that underly society’s encrypted communications. While, yes, this day will eventually come, manufacturers face a more pressing and predictable day in the near future. Let’s call it, PQC certification day—the day when international bodies certify post-quantum cryptography and the world’s major players begin to migrate.
The international community took a step closer to that reality this past month with the National Institute of Standards and Technology’s publication of its post-quantum cryptographic algorithms, meaning that post-quantum migration could reasonably begin within the next year. Those unprepared for the crypto-migration will not only lose their spots as industry frontrunners, but they will find themselves on a road to obsoletion.
A rising tide may indeed lift all boats, but only if those boats can float. As Europe and the world transition to post-quantum cryptography and embrace this monumental evolution, new prerequisites for interoperability will emerge.
“If Q-day happens, classical algorithms won’t be able to be used for establishing an encrypted communication, only PQC will be allowed,” Pradel reminds. “Without that encrypted connection, or encrypted tunnel, data will not be transmitted, and operational issues may occur. This interoperability issue means that developers and manufacturers will either make the shift or become obsolete.”
Major manufacturers that change with the first wave, ready to offer post-quantum-based technologies or, at least, support them, position themselves to gain market share and maximize opportunity.
“There’s also a so-called hybrid transition that’s worth noting and is being suggested by Germany’s Federal Office for Information Security,” he adds. “In this case, you would use both classical and post-quantum algorithms at the same time. However, this creates more implementation issues.”
NIST post-quantum cryptography standardization has arrived
In its defense of the need for PQC standardization, the US-based NIST asserts that, while it might take quantum computers another 20 years to crack today’s public key algorithms, it has taken that same amount of time to deploy the current cryptography infrastructure. Hence, the time is now to build quantum resilience.
On August 13, 2024, the NIST published the following:
- FIPS 203: Specifies the Module-Lattice-Based Key-Encapsulation Mechanism Standard (ML-KEM), derived from the CRYSTALS-KYBER submission. This standard enables two parties to securely establish a ‘shared secret key’ via a public channel
- FIPS 204: Defines the Module-Lattice-Based Digital Signature Standard (ML-DSA), based on the CRYSTALS-DILITHIUM submission, a digital signature scheme
- FIPS 205: Introduces the Stateless Hash-Based Digital Signature Standard (SLH-DSA), derived from SPHINCS+, also a digital signature scheme
With this significant standardization of algorithms, the NIST solidifies the potential next steps for organizations and the international community.
Crypto-agility & post-quantum readiness: where to start
Post-quantum migration, crypto-agility, quantum resilience…many terms that point to one underlying question: Is your organization ready for a post-quantum world, or more specifically, for the algorithmic shift that the international community will undergo?
Post-quantum readiness begins with an organization’s current cryptography. Without a clear picture of its current encryption processes and assets, it is impossible to adapt and evolve. Early steps include:
- Taking inventory of cryptographic materials & practices
- Designing, setting up & adopting a unified, compliant key management system (KMS)
- Testing migration readiness (specifically cryptographic module manufacturers)
For most manufacturers, these steps require guidance from cryptographic experts. Even highly skilled cybersecurity teams often possess limited experience with cryptography and related strategies.
“I went to a conference last year and Google did a presentation on their crypto-agility and the difficulty of managing cryptographic keys, particularly in a distributed system as large-scale as their own,” Pradel recalls. “While discussing their current work on moving to post-quantum, especially on their internal communication protocol, they mentioned the need to first figure out which cryptography to prioritize for migration in their systems. They ended up doing it step by step, and successfully integrated post-quantum cryptography after a few years of intense work and many challenges.”
For organizations without a unified KMS, encryption practices and assets can get easily lost.
As an INCERT company, Keys&More leverages its highly skilled government experts, the same ones who support Luxembourg national cybersecurity efforts, e.g. electronic signatures of national travel documents. These cryptographers participate within standardization and regulatory bodies, following events and shaping conversations, ensuring that Keys&More clients have access to real-time developments.
While there is still much to define on the road to a global post-quantum transition, momentum is building, market leaders are adapting, post-quantum attacks are brewing and the post-quantum era is unfolding, with or without you. The right KMS and expert strategic guidance, helps ensure that it’s the former.