NIST will fire the ‘starting gun’ in the race to quantum encryption

As the National Institute of Standards and Technology is slated to soon debut the first round of encryption algorithms it has deemed suited for the potential arrival of a viable quantum computer, experts have advice for organizations: know your code.

The need for strong cryptographic governance ahead of migrating digital networks to a post-quantum standard will be a major component to updated cybersecurity best practices, as both public and private sectors begin to reconcile their network security with new algorithmic needs. 

Matthew Scholl, the chief of the computer security division in the National Institute of Standards and Technology’s Information Technology Laboratory, said that understanding what a given organization’s security capabilities are will offer insight into what aspects of a network should transition first. 

Deep understanding of what current encryption methods do and precisely where they are will be a fundamental aspect of correctly implementing the three forthcoming quantum-resistant algorithms. 

“With that information, you should then be able to prioritize what to change and when, and you should plan for the long term changes and updates going forward,” Scholl told Nextgov/FCW. 

Scott Crowder, vice president for IBM Quantum Adoption and Business Development, echoed Scholl’s points on creating a cryptographic inventory to ensure the algorithms are properly configured. Crowder said that while overhauling encryption code is a comprehensive transition, understanding what needs to change can be difficult based on who wrote the code in the first place.

“It's a pain…because it's actually at two levels,” Crowder told Nextgov/FCW. “First you get all the code that you've written, but then you've got all the rest of your IT supply chain that vendors provide.”

Based on client conversations, Crowder estimates that 20% of the transformation problem hinges on an entity’s internal code, while the remaining 80% is ensuring the vendors in their supply chains have correctly implemented NIST’s new algorithms.

“From our experience, and doing some work with clients, typically for one application area, it's like three to six months to discover the environment and do some of the basic remediation,” he said. “But, you know, that's like a small part of the elephant.”

In addition to creating a comprehensive cryptographic inventory that can determine which code should be updated, Scholl said that cybersecurity in a quantum-ready era needs to be versatile.

“You need to build your systems with flexibility so that it can change,” he said. “Don't put something that's [going] to be the next generation's legacy. Build something that is agile and flexible.”

The debut of the three standardized post-quantum algorithms — ML-KEM, CRYSTALS-Dilithium, and Sphinx Plus — will enable classical computers to keep data encrypted against a future fault-tolerant, quantum-powered computer. During their implementation processes, Scholl said that organizations need to both continue monitoring the configuration of the newly implemented algorithms as well as consistently test for vulnerabilities. 

Scholl said that the fourth algorithm, Falcon, which was selected as a winning algorithm in 2022 along with the other three, will be released for implementation later this year. 

Despite the milestone in quantum cryptography readiness, Crowder notes that this is just the beginning for a new era of cybersecurity hygiene.

“You can think of the NIST standardization as basically the starting gun,” he said. “But there's a lot of work to be done on taking those standards, making sure that all the open source implementations, all the proprietary implementations get done, and then rippling through and doing all the hard work in terms of doing the transformation upgrade.”