The U.S. National Security Agency (NSA) publishes a Commercial National Security Algorithm (CNSA) document that specifies which encryption algorithms owners, operators and vendors should use when working with classified information critical to military and intelligence activities. Up until now, their original document, which they now call CNSA 1.0, used classical encryption algorithms which were not necessarily quantum resistant. Now that NIST has made their initial Round 3 PQC selections, the NSA has updated this document to what they call CNSA 2.0, along with guidance on what algorithms to use and an expected timetable for conversion.

The algorithms currently included in CNSA 2.0 are the following:

  • AES: Symmetric block cipher for information protection
  • CRYSTALS-Kyber: Asymmetric algorithm for key establishment
  • CRYSTALS-Dilithium: Asymmetric algorithm for digital signatures
  • Secure Hash Algorithm (SHA): Algorithm for computing a condensed representation of information
  • Leighton-Micali Signature (LMS): Asymmetric algorithm for digitally signing firmware and software
  • eXtended Merkle Signature Scheme (XMSS): Asymmetric algorithm for digitally signing firmware and software

Although NIST has made their initial selections, there is still work required to complete the standardization process and publish the standards. So, it is important to note that the NSA still regards the asymmetric post-quantum algorithms as experimental and is not recommending that anyone put them in production yet. But they are encouraging groups to get familiar with these algorithms and start preparations for production implementation.

NSA Expected Timeline for Implementation of CNSA 2.0 Algorithms

NSA is recommending a phased implementation with full transitions to be completed in the 2030-2035 timeframe, depending upon the use case. In the chart above they show three milestones for each use case. The beginning of the dashed line indicates when the quantum resistant asymmetrical algorithms can start being used as an Option. The beginning of the solid line represents when the quantum resistant algorithms are Preferred. And the end of the solid line represents when they would like to see Exclusive Use of the quantum resistant algorithms. Organizations can start using this information for their initial planning efforts. The timelines and perhaps even the selected algorithms are always subject to change. NSA will be releasing additional guidance with more information as the standardization process progresses.

For more information on this transition, you can view a press release posted on the NSA web page here, a CNSA 2.0 announcement sheet located here, and an FAQ document which can be seen here.

September 10, 2022