by Amara Graps
In January 2024, NATO presented ( Press Announcement | Text of Strategy Details) its first-ever Quantum Strategy.
A Jewel Buried Deeply
Buried inside of nineteen policy statements that describe the organization’s goals for quantum technology in general terms, are five surprisingly, specific, references to Post-Quantum Cryptography.
And buried inside of one set of bullet points, for the general item #4, is the most surprising bullet point of all:
- NATO has identified, understood and capitalised on evolving quantum technologies advancements, including with enabling technologies and in convergence with other EDTs;
- NATO has a Transatlantic Quantum Community to strategically engage with government, industry and academia from across our innovation ecosystems;
- Relevant quantum strategies, policies and action plans are dynamically updated and executed; and
- Allies have become aware of, and act to prevent, on a voluntary basis, adversarial investments and interference into our quantum ecosystems, which can include, on a national basis, the examination of relevant supply chains.
After sorting out the tenses (Did they already transition? No, it is in progress.), we suggest to watch NATO closely. It will be the first multinational government organization to undertake this task. You can see their desired goal from their press from only two years ago in the following video.
Here they have trialed one element in 2022, of a secure VPN, one baby step towards the full solution. Since NIST released on August 13, 2024, their final, approved specifications for the first three PQC algorithms, NATO has now a set of PQC protocols to work quickly. There is a ‘Q-day’ worst case scenario, coming up.
To understand how massive this feat is, NATO consists of 32 member countries, 5 million active + reserve military personnel from all member states, 30+ major military bases and command centers, with many smaller facilities across each NATO member state.
In our observation of this feat in progress: who in NATO, and which NATO division to undertake the task? The process could be a model for PQC adoption in other large, multinational organizations, for example: the U.N.. I’ll leave this as an open question to be answered in the future.
GQI’s Perspective for a Quantum Safe Future
For the most resilient strategy against ‘Q-day’, the day that current cryptographic protocols are broken (worst case scenario says 2027), GQI advises a multi-layered approach, the easiest might be first with PQC, which is math-based, and joining with Quantum Key Distribution (QKD), which is physics-based. From GQI’s 77 page, Quantum Safe Outlook Report:
GQI believes that crypto-agility will be a long term requirement for the new cryptographic stack. For the most sensitive applications, particularly those where a long security shelf-life is an ongoing requirement, a layered defense-in-depth should be considered.
As the world sets-out on the transition to quantum-safe cyber security, the obvious first port of call are new quantum-resistant math-based cryptographic algorithms. NIST has been leading international efforts to establish standards for such post-quantum cryptography (PQC).
These techniques are being joined by other physical security options. These include new techniques for out-of-band key delivery, and an array of techniques from quantum cryptography (notably QRNG, and QKD). These are best viewed not as an alternative to math-based security, but as new complementary tools. When correctly designed and implemented, these can offer additional unique properties and a further strengthened security promise. Whether these tools bring additional complexity or welcome flexibility is hotly debated. So too is in what situations they represent a good investment of the security budget.
The next Figure illustrates this principle in graphic form:
(*) If you are interested to learn more of GQI’s highly tuned Outlook Focus Reports or Playbooks, please don’t hesitate to contact info@global-qi.com.
October 13, 2024