Post-quantum preparations: NIST has chosen, what should CISOs do now?

Image: I'm here for your keys

With the post-quantum cryptography landscape becoming clearer, every infrastructure decision should include considerations of quantum risk, says Post-Quantum's Andersen Cheng

Last week, the US National Institute of Standards and Technology (NIST) unveiled the four post-quantum cryptography (PQC) algorithms that it will take forward to standardisation, the winners of its six-year competition to find suitable replacements for the public-key algorithms (key establishment and digital signatures) that protect data and communications today, but which a sufficiently large quantum computer could break.

This should provide some welcome clarity for CISOs, who can now plan to replace the elliptic curve and RSA algorithms in their systems with reasonable certainty that the rug will not be pulled out from beneath them. But it will not be an easy task: the NIST choices are not drop-in replacements for RSA or elliptic curves, bringing larger keys, signatures and ciphertexts and different performance characteristics, and depending on the complexity of the organisation the migration could represent months or years of work.

But the biggest blocker may not be having to wait for approved algorithms at all, but rather a lack of urgency brought about by the uncertain timeline. No-one can be sure when the first crypto-cracking quantum computer will arrive (worryingly, we probably won't know when it does), which inevitably knocks PQC down the priority list when set against protecting home-working, anti-ransomware measures or rolling out zero trust infrastructure. Yet traffic encrypted today can be recorded now and decrypted whenever such a machine arrives, so for long-lived secrets the risk begins well before the machine does.

In fact, a recent survey by EY found that only one third of UK organisations are making any sort of preparations for the quantum computing future at all, be that defensive or opportunistic, despite half of them believing the new paradigm is set to ‘disrupt industry’ by as soon as 2025.

The study "reveals a disconnect between the pace at which industry leaders expect quantum to start significantly transforming businesses and their general preparedness for its impact," according to Piers Clinton-Tarestad, quantum computing leader at EY UKI.

Andersen Cheng, CEO of UK security consultancy Post-Quantum, is frustrated by the pace of change, and bemoans the fact that public funds haven't been ringfenced specifically for post-quantum security.

However, Cheng does see opportunities for CISOs to start on the PQ journey by adding a quantum audit to something that's already on their priority list, for example, upgrading their identity and access management (IAM) system: just as the asymmetric key exchange that protects a communication link is quantum-vulnerable, so are the asymmetric signatures and certificates behind authentication, and now would be a good time to find out where they are used.

"On a call, the link might be protected by a VPN, but what about the identity platform before we even get through? If there's a quantum risk there, then the bad guy will be able to impersonate me."

In fact, any time organisations are considering their public key infrastructure and related systems, they should be thinking about crypto-agility: how quickly could we swap out the algorithms in our systems, should the ones protecting us today be broken? Answering that starts with an inventory of where each asymmetric algorithm is actually used.
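
The first step of the quantum audit described above is an inventory of which asymmetric algorithms an estate depends on and for how long. The following Go program is an added example, not code from the article or from Post-Quantum: it parses X.509 certificates, names the public-key algorithm and the issuer's signature algorithm on each, and flags every classical key type (RSA, ECDSA, Ed25519 all rest on factoring or discrete logarithms, which Shor's algorithm breaks). The three certificates it audits are constructed in the program itself as stand-ins for a scan result; the hostnames and the `Finding`/`Audit` names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Finding is one row of the audit: what the certificate's key is, what the
// issuer signed it with, when it expires (long-lived certificates are the
// ones to migrate first), and whether a large quantum computer would break it.
type Finding struct {
	Subject    string
	KeyAlgo    string // public-key algorithm and size, e.g. "RSA-2048"
	SigAlgo    string // algorithm the issuer used to sign this certificate
	NotAfter   time.Time
	Vulnerable bool
}

// Classify names the asymmetric algorithms one certificate depends on. Every
// classical key type is quantum-vulnerable; an unrecognised type is flagged
// too, because a migration plan cannot ignore something it cannot name.
func Classify(cert *x509.Certificate) Finding {
	f := Finding{Subject: cert.Subject.CommonName, SigAlgo: cert.SignatureAlgorithm.String(),
		NotAfter: cert.NotAfter, Vulnerable: true}
	switch k := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		f.KeyAlgo = fmt.Sprintf("RSA-%d", k.N.BitLen())
	case *ecdsa.PublicKey:
		f.KeyAlgo = "ECDSA-" + k.Curve.Params().Name
	case ed25519.PublicKey:
		f.KeyAlgo = "Ed25519"
	default:
		f.KeyAlgo = fmt.Sprintf("unknown(%T)", cert.PublicKey)
	}
	return f
}

// Audit parses DER-encoded certificates and returns one finding each, plus a
// count per key algorithm for the summary that actually reaches a CISO.
func Audit(ders [][]byte) ([]Finding, map[string]int, error) {
	var findings []Finding
	counts := map[string]int{}
	for _, der := range ders {
		cert, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, nil, err
		}
		f := Classify(cert)
		findings = append(findings, f)
		counts[f.KeyAlgo]++
	}
	return findings, counts, nil
}

// SelfSigned builds a throwaway self-signed certificate for the sample data.
// A real audit would instead read certificates from a TLS scan, key stores
// or the CA database.
func SelfSigned(cn string, pub, priv any) ([]byte, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(365 * 24 * time.Hour)}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
}

// SampleInventory constructs three certificates (constructed sample data,
// hypothetical hostnames) of the kinds a scan of a typical estate returns.
func SampleInventory() ([][]byte, error) {
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	edPub, edPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	var ders [][]byte
	for _, c := range []struct {
		cn        string
		pub, priv any
	}{{"vpn.example.test", &rsaKey.PublicKey, rsaKey}, {"idp.example.test", &ecKey.PublicKey, ecKey},
		{"ssh-ca.example.test", edPub, edPriv}} {
		der, err := SelfSigned(c.cn, c.pub, c.priv)
		if err != nil {
			return nil, err
		}
		ders = append(ders, der)
	}
	return ders, nil
}

func main() {
	ders, err := SampleInventory()
	if err != nil {
		panic(err)
	}
	findings, counts, err := Audit(ders)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-22s key=%-12s sig=%-14s expires=%s vulnerable=%v\n",
			f.Subject, f.KeyAlgo, f.SigAlgo, f.NotAfter.Format("2006-01-02"), f.Vulnerable)
	}
	fmt.Println("by key algorithm:", counts)
}
```

The same classification applies beyond certificates: SSH host keys, JWT signing keys, code-signing keys and the key agreement inside VPN and TLS configurations all need a row in the same inventory, and the expiry column is what turns the list into a migration order.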

The US: from laggards to leaders

In this respect the US, once a quantum laggard, has an advantage. President Biden's $2.3 trillion, 30-year plan to upgrade the country's creaking infrastructure, and subsequent memoranda and initiatives have "changed the entire landscape", according to Cheng.

"They're replacing all the power grids, all the water works, all the highways, all the traffic lights, all the city infrastructure and quantum will have come in by then. So in all their RFPs nowadays, or soon, they'll have a question asking the supplier ‘what are you doing about quantum?'. They've really started doing it now."

By contrast, the UK is in danger of losing its advantage, failing to make the most of the country's skills in cybersecurity. Cheng would like to see this country emulate the US model, giving businesses a positive framework in order to kickstart the process of upgrading encryption, but there's not much sign of that.

"The UK government doesn't have that sort of strategy at this point, which is worrying," he opined.

What now for Classic McEliece?

Cheng has long been an advocate of what he calls a hybrid approach to quantum-proofing: wrapping the current algorithm with one that's quantum-safe, so that the session is protected as long as either survives, and when the time comes the legacy system can simply be switched off. This is a practical route to crypto-agility, the ability to switch quickly to new algorithms once the old ones become vulnerable, and it can be started at any time. It depends on replacements being available, of course, and NIST's winners include one algorithm, the hash-based SPHINCS+ signature scheme, that could replace the faster, lattice-based CRYSTALS-Dilithium should the latter at some point be found to be flawed.
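
The hybrid construction above, and the crypto-agility question raised earlier, can be shown concretely. The program below is an added example and is not Post-Quantum's code nor a description of its NATO VPN: it pairs X25519 with ML-KEM-768, the standardised form of CRYSTALS-Kyber, one of NIST's four selections, and derives one session key from both shared secrets in the spirit of the IETF's hybrid key-exchange design for TLS (concatenate the secrets, bind the public values, run a KDF). It assumes Go 1.24 or later for the standard-library `crypto/mlkem` package; the message layout, the label string and the `Responder`/`InitiatorHandshake` names are this example's own choices.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// hybridLabel is a domain-separation string of this example's own choosing;
// it keeps keys derived here distinct from those of a pure-X25519 or
// pure-ML-KEM deployment of the same code.
const hybridLabel = "example-hybrid-x25519-mlkem768-v1"

// ResponderBundle is what the responder publishes: an X25519 public key
// (32 bytes) and an ML-KEM-768 encapsulation key (1184 bytes).
type ResponderBundle struct{ X25519Pub, MLKEMEK []byte }

// InitiatorMsg is the reply: an ephemeral X25519 public key (32 bytes) and
// the ML-KEM-768 ciphertext (1088 bytes) encapsulated to the responder.
type InitiatorMsg struct{ X25519Pub, MLKEMCT []byte }

// Responder holds the private halves of the bundle.
type Responder struct {
	xPriv *ecdh.PrivateKey
	mDK   *mlkem.DecapsulationKey768
}

func NewResponder() (*Responder, error) {
	xPriv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	dk, err := mlkem.GenerateKey768()
	if err != nil { return nil, err }
	return &Responder{xPriv: xPriv, mDK: dk}, nil
}

func (r *Responder) Bundle() ResponderBundle {
	return ResponderBundle{X25519Pub: r.xPriv.PublicKey().Bytes(), MLKEMEK: r.mDK.EncapsulationKey().Bytes()}
}

// combine is the KEM combiner: HKDF-SHA256 (extract with an empty salt, then
// one expand block) over the concatenated shared secrets, with every public
// value of the exchange fed into the info field so that components from
// different sessions cannot be spliced together. All inputs are fixed-length,
// so plain concatenation is unambiguous. "Switching off" the legacy algorithm
// later means no longer passing its secret; the key stays secure as long as
// at least one remaining component is unbroken.
func combine(secrets [][]byte, transcript ...[]byte) []byte {
	extract := hmac.New(sha256.New, nil) // empty salt, as RFC 5869 allows
	for _, s := range secrets { extract.Write(s) }
	prk := extract.Sum(nil)
	expand := hmac.New(sha256.New, prk)
	expand.Write([]byte(hybridLabel))
	for _, t := range transcript { expand.Write(t) }
	expand.Write([]byte{0x01}) // HKDF-Expand block counter for the single block
	return expand.Sum(nil)     // 32-byte session key
}

// InitiatorHandshake runs the initiator's side against a published bundle and
// returns the session key together with the message to send back.
func InitiatorHandshake(b ResponderBundle) ([]byte, InitiatorMsg, error) {
	curve := ecdh.X25519()
	rPub, err := curve.NewPublicKey(b.X25519Pub)
	if err != nil { return nil, InitiatorMsg{}, err }
	ePriv, err := curve.GenerateKey(rand.Reader)
	if err != nil { return nil, InitiatorMsg{}, err }
	ssX, err := ePriv.ECDH(rPub) // rejects a low-order point (all-zero secret)
	if err != nil { return nil, InitiatorMsg{}, err }
	ek, err := mlkem.NewEncapsulationKey768(b.MLKEMEK) // validates the key encoding
	if err != nil { return nil, InitiatorMsg{}, err }
	ssM, ct := ek.Encapsulate()
	msg := InitiatorMsg{X25519Pub: ePriv.PublicKey().Bytes(), MLKEMCT: ct}
	key := combine([][]byte{ssM, ssX}, b.MLKEMEK, ct, b.X25519Pub, msg.X25519Pub)
	return key, msg, nil
}

// Finish runs the responder's side. A tampered ML-KEM ciphertext of the right
// length does not raise an error: implicit rejection yields a different secret,
// and the mismatch surfaces when the first authenticated record fails to verify.
func (r *Responder) Finish(msg InitiatorMsg) ([]byte, error) {
	iPub, err := ecdh.X25519().NewPublicKey(msg.X25519Pub)
	if err != nil { return nil, err }
	ssX, err := r.xPriv.ECDH(iPub)
	if err != nil { return nil, err }
	ssM, err := r.mDK.Decapsulate(msg.MLKEMCT) // errors on a malformed ciphertext
	if err != nil { return nil, err }
	b := r.Bundle()
	return combine([][]byte{ssM, ssX}, b.MLKEMEK, msg.MLKEMCT, b.X25519Pub, msg.X25519Pub), nil
}

func main() {
	r, err := NewResponder()
	if err != nil { panic(err) }
	k1, msg, err := InitiatorHandshake(r.Bundle())
	if err != nil { panic(err) }
	k2, err := r.Finish(msg)
	if err != nil { panic(err) }
	fmt.Printf("hybrid session keys agree: %v (%d bytes)\n", bytes.Equal(k1, k2), len(k1))
}
```

The responder's keys here are static for brevity; a real protocol would also want forward secrecy on the ML-KEM side, either by encapsulating to a fresh key per session or by authenticating the bundle with a signature, which is where the SPHINCS+ or Dilithium choice comes in.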

NIST is not the only standards body looking at post-quantum encryption. Indeed, its decisions have occasionally been highly controversial, most notably the Dual_EC_DRBG random number generator, withdrawn in 2014 after a suspected NSA backdoor came to light, and for this and other reasons organisations and nations may look elsewhere. Nevertheless, it is the leading such standards body, and it is likely that the EU and maybe other blocs and nations will standardise on its recommendations, provided their own audits don't turn up any serious glitches.

The four selected are not the only viable PQC algorithms either. Just as now, there's nothing to stop organisations looking beyond the officially sanctioned options, although that may carry more risk. Meanwhile, other finalists, including Classic McEliece, of which Post-Quantum was a co-creator, along with Dan Bernstein's team at the University of Illinois, will continue to be evaluated, with a fourth NIST PQC Standardisation Conference scheduled for the end of this year.

Classic McEliece's large public keys (hundreds of kilobytes to around a megabyte, although its ciphertexts are tiny) make it harder to deploy, particularly on smaller devices and in protocols that send the key on every connection, and it carries a performance overhead, but Cheng asserts it is provably secure in a way that the winning algorithms are not, and could well find a place in high security messaging applications or where there's a need to double up on encryption. While he insists he's "algo-agnostic", he's not prepared to give up on his baby yet.

Post-Quantum recently undertook a secure VPN project for NATO and did not even include the company's own algorithm, he said, adding they are working on a follow-up that will: "We didn't have time to do it, but my co-founder CJ [Tjhai] knows it can be done so is going to spend a bit of time to put Classic McEliece into that hybrid VPN to prove you can actually use it. That will be a world first, I believe."