The National Cybersecurity Center of Excellence (NCCoE), part of the National Institute of Standards and Technology (NIST), is a collaborative hub of industry organizations, government agencies, and academic institutions that work together to address cybersecurity challenges. They have created a project called Migration to Post-Quantum Cryptography to develop white papers, playbooks, demonstrations, tools that can help other organizations implement their conversions to Post-Quantum-Cryptography (PQC) .
Although NIST has announced their first selections of recommended algorithms to use for PQC, there is still a great amount of work to do. It is not a simple matter of unplugging the module that uses legacy RSA encryption and plugging in the new algorithms. Some of the activities that still need to be completed include first finding all the places where an upgrade is needed, determining which of the algorithms to use, deciding on whether to implement a hybrid classical/quantum encryption for extra safety, integrating the new algorithms with the rest of the system, and running tests to make sure it all works properly. The new post-quantum algorithms will also have different key sizes, cyphertext lengths, and different latencies than were previously used in the classical cryptography. Sometimes these differences could cause a secondary problems in system operation and sometimes they won’t.
One recommendation that most experts have made is to make sure the implementation is “crypto agile” so that it will allow future upgrades or replacements of an algorithm to be made easily if a new weakness is found or a better algorithm is standardized in the future. This will require a modular architecture in the software stack which may not have been used when the legacy cryptography implementations were first installed.
To get started, the NCCoE Migration to Post-Quantum Cryptography project will demonstrate discovery tools that can provide automated assistance on identifying where public-key cryptography is being used in the hardware, software, on-premise or in the cloud. It will then help identify which areas need to be upgraded first based upon a risk management methodology, It will then provide systematic approaches for migrating from vulnerable algorithms to quantum-resistant algorithms.
To create a consortium of partners who would help with this project, NCCoE issued a call for partners and selected 12 partners to work with them under the terms of a Cooperative Research and Development Agreement (CRADA). The twelve companies selected are the following:
- Amazon Web Services, Inc. (AWS)
- Cisco Systems, Inc.
- Crypto4A Technologies, Inc.
- Cryptosense SA
- InfoSec Global
- ISARA Corporation
- Samsung SDS Co., Ltd.
- Thales DIS CPL USA, Inc.
- Thales Trusted Cyber Technologies
- VMware, Inc.
There are a number of ways that others can participate in this project. NCCoE is creating a Community of Interest (COI) of other individuals who can share their expertise and help guide NCCoE projects. To learn more about this project, you can view a web page on the NIST website that describes it in more detail here and also see a one-page project description which is available here.
July 16, 2022