The National Cybersecurity Center of Excellence (NCCoE), a branch of the National Institute of Standards and Technology (NIST), will work with a group of leading organizations in both the public and private sectors to increase awareness of the transition to post-quantum cryptographic era.
According to a statement from NCCoE, quantum technologies will usher in a wave of benefits for science and society, but quantum’s ability to render current cyber protection schemes useless will be a challenge for nearly organizations. The center has enlisted the help of a group of experts on migrating from this current set of public-key cryptographic algorithms to quantum-resistant algorithms.
These organizations include:
- Amazon Web Services, Inc. (AWS)
- Cisco Systems, Inc.
- Crypto4A Technologies, Inc.
- Cryptosense SA
- InfoSec Global
- ISARA Corporation
- Samsung SDS Co., Ltd.
- Thales DIS CPL USA, Inc.
- Thales Trusted Cyber Technologies
- VMware, Inc.
These organizations have signed a cooperative research and development agreement to collaborate with NIST in a consortium to build this example solution.
Initially, the group will work with industry to demonstrate the use of automated discovery tools to identify instances of quantum-vulnerable public-key algorithm use, where they are used in dependent systems, and for what purposes. Once the public-key cryptography components and associated assets in the enterprise are identified, the next step would be to is prioritize those applications for migration planning.
Finally, the project will describe systematic approaches for migrating from vulnerable algorithms to quantum-resistant algorithms across different types of organizations, assets, and supporting technologies.
NCCoE offered both challenges and benefits of confronting post-quantum cryptographic technology.
Organizations face numerous challenges in entering this post-quantum cryptographic era: First, they are often unaware of the breadth and scope of application and function dependencies on public-key cryptography. Many, or most, of the cryptographic products, protocols, and services on which we depend will need to be replaced or significantly altered when post-quantum replacements become available.
Also, Information systems are not typically designed to encourage supporting rapid adaptations of new cryptographic primitives and algorithms without making significant changes to the system’s infrastructure—requiring intense manual effort.
Finally, the migration to post-quantum cryptography will likely create many operational challenges for organizations. The new algorithms may not have the same performance or reliability characteristics as legacy algorithms due to differences in key size, signature size, error handling properties, number of execution steps required to perform the algorithm, key establishment process complexity, etc. A truly significant challenge will be to maintain connectivity and interoperability among organizations and organizational elements during the transition from quantum-vulnerable algorithms to quantum-resistant algorithms.
The potential business benefits of the solution explored by this project include: helping organizations identify where, and how, public-key algorithms are being used on their information systems. Another benefit is that mitigating enterprise risk by providing tools, guidelines, and practices that can be used by organizations in planning for replacement/updating hardware, software, and services that use PQC-vulnerable public-key algorithms.
Business benefits also include protecting the confidentiality and integrity of sensitive enterprise data, as well as supporting developers of products that use PQC-vulnerable public-key cryptographic algorithms to help them understand protocols and constraints that may affect use of their products.
You can request to join a community of interest by emailing here.