NCCoE addresses preparing for the adoption of new PQC algorithms
In April, the US National Cybersecurity Council of Excellence (NCCoE), a collaboration of cybersecurity experts from the public and private sectors, released a draft publication addressing preparation for adopting new PQC algorithms. The publication, Migration to Post-Quantum Cryptography, extended to members of the private sector the message of urgency to plan for migration typically seen in federal mandates.
NCCoE said it would be engaging with industry collaborators, regulated industry sectors, and the US government to bring awareness to the issues involved in migrating to post-quantum algorithms and to prepare the crypto community for migration.
PQShield supports PQC migration, advanced side-channel secured implementations
In May, PQC standards company PQShield signed a Memorandum of Understanding (MoU) with Tata Consultancy Services (TCS), a leading IT services, consulting, and business solutions organization, to help clients transition to quantum-secure solutions. It also announced a collaboration with eShard, a side-channel analysis and testing tools provider, to further accelerate advanced side-channel secured implementations of PQC that are critical for high-security standards across industries.
“Quantum computers pose a particular threat to large organizations given the sprawling nature of their cryptographic infrastructure and their reliance on secure communications,” said Ali El Kaafarani, CEO and founder of PQShield. “We’re seeing a significant shift in the commercial landscape as more of these businesses wake up to the urgency of the problem and seek out a solution.”
X9 announces initiative to create PQC assessment guidelines
In June, the Accredited Standards Committee X9 Inc. (X9) announced a new initiative to create PQC assessment guidelines to act as a roadmap for PQC transitions. It invited participants to take part in the effort. When completed, the X9 guidelines might be used by an organization as a self-assessment tool, as an informal assessment of a third-party service provider, or as an independent assessment by a qualified information security professional, X9 said. An auditor or regulator might also refer to the assessment guidelines, which could form a foundation for crypto agility standardization, it added.
“It will be important to have PQC assessment guidelines available before transitions are underway, for consistency to make the process as smooth as possible and the outcomes optimal,” said Michael Talley, chair of the X9F1 Cryptographic Tools working group.
Google readies Chrome for future attacks with quantum-resistant encryption
In August, Google announced it was taking a major step in making web browsing safe from future quantum computers by adding Chrome support for quantum-resistant encryption. Dubbed X25519Kyber768, the new quantum-resistant cryptography will be a hybrid mechanism that combines the output of two cryptographic algorithms to encrypt Transport Layer Security (TLS) sessions.
These are X25519, an elliptic curve algorithm widely used for key agreement in TLS today, and Kyber-768, a quantum-resistant key encapsulation mechanism (KEM). The new hybrid encryption has been made available in Chrome 116, and behind a flag in Chrome 115.
“Google’s announcement of shielding encryption keys in Chrome from quantum computers is very forward-looking,” said Pareekh Jain, chief analyst at Pareekh Consulting. “Quantum computers’ serious adoption is a few years away, but messages have a risk of getting stored now and decrypting later.”
NIST publishes draft PQC standards for global framework
In August, the US National Institute of Standards and Technology (NIST) published draft PQC standards designed to form a future global framework to help organizations protect themselves from quantum-enabled cyberattacks.
The standards were selected by NIST following a seven-year process which began when the agency issued a public call for submissions to the PQC Standardization Process. NIST called for public feedback on three draft Federal Information Processing Standards (FIPS), which are based upon previously selected encryption algorithms.
The public-key encapsulation mechanism selected was CRYSTALS-KYBER, along with three digital signature schemes: CRYSTALS-Dilithium, FALCON, and SPHINCS+. NIST said these algorithms, incorporated into three FIPS (FIPS 203, FIPS 204, and FIPS 205), are intended to be capable of protecting sensitive US government information well into the foreseeable future, including after the advent of quantum computers.
CISA, NSA, NIST issue PQC migration resource
In August, the US Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and NIST published a factsheet on the impacts of quantum capabilities. It urged all organizations, especially those that support critical infrastructure, to begin early planning for migration to PQC standards by developing their own quantum-readiness roadmap.
The factsheet, Quantum-Readiness: Migration to Post-Quantum Cryptography, outlines how organizations can prepare a cryptographic inventory, engage with technology vendors, and assess their supply chain reliance on quantum-vulnerable cryptography in systems and assets. It also provides recommendations for technology vendors whose products support the use of quantum-vulnerable cryptography.
“PQC is about proactively developing and building capabilities to secure critical information and systems from being compromised through the use of quantum computers,” said Rob Joyce, director of NSA cybersecurity. “The transition to a secured quantum computing era is a long-term intensive community effort that will require extensive collaboration between government and industry. The key is to be on this journey today and not wait until the last minute.”
Tech community launches PQC Coalition to drive understanding, adoption
In September, a community of technologists, researchers, and expert practitioners launched the PQC Coalition to drive progress toward broader understanding and public adoption of PQC algorithms. Founding coalition members include IBM Quantum, Microsoft, MITRE, PQShield, SandboxAQ, and the University of Waterloo.
The PQC Coalition will apply its collective technical expertise and influence to facilitate global adoption of PQC in commercial and open-source technologies. Coalition members will contribute their expertise to motivate and advance interoperable standards and technical approaches and step forward as knowledgeable experts in providing critical outreach and education.
The coalition will initially focus on four workstreams:
- Advancing standards relevant to PQC migration.
- Creating technical materials to support education and workforce development.
- Producing and verifying open-source, production-quality code, and implementing side-channel resistant code for industry verticals.
- Ensuring cryptographic agility.