As the deadline for public input on the National Institute of Standards and Technology’s (NIST) quantum standardization efforts approaches on Nov. 22, a NIST official said during the Nov. 15 Red Hat Government Symposium 2023 event in Washington, D.C. that the public can expect to see the finalized version of the guidelines in the first part of 2024.
Earlier this summer, NIST announced new draft standards for three quantum-resistant algorithms that will be ready for use in 2024.
“Back in 2016, we basically kicked off a big crypto competition to find and select new algorithms that would provide this protection against these future quantum attacks,” Dustin Moody, a NIST mathematician and leader of the project, said. “Over the past seven years, we’ve evaluated a lot of algorithms. A year ago or so we selected the ones that are going to be used in the future.”
“The first draft standards for these algorithms came out just a few months ago. There’s still a week left of public comment period if you have any public comment to give us, and we expect to finalize and publish the first standards here in the first part of 2024,” Moody said. “After that, industry, government, everyone will be able to use these algorithms to provide protection for attacks from quantum computers.”
The push to move to post-quantum cryptography follows President Biden’s 2022 National Security Memorandum calling for the Federal government to leverage its resources to help all U.S. digital systems migrate to quantum-resilient cybersecurity standards by 2035.
The first step in this is for agencies to inventory their cryptographic systems as they prepare to transition to the era of quantum-resistant cryptography – an effort that the Office of the National Cyber Director (ONCD) began spearheading with the release of guidelines in February. Agencies were instructed to finish these inventories by May 4, 2023, but a top ONCD official said during the Red Hat event that the Federal government is “not up to speed.”
“We’ve known since the 1990s, since the mid-1990s, that a sufficiently large quantum computer will be able to break all known forms of encryption used to protect unclassified systems,” Dylan Presman, ONCD’s director of budget and assessment said. “Your iPhone, your emails, your medical records, these are all going to be wide open once a … sufficiently mature quantum computer has been developed.”
Presman explained that while it’s not clear exactly when a sufficiently large quantum computer will be available, most experts think it is 10 or 20 years away. That means the government needs to start preparing now, he said.
“We know that transitions in the Federal government take a long time,” Presman said. “If it takes a long time at the Federal government, it takes even longer in areas like critical infrastructure [and] operational technologies that may only be refreshed every 20 or 30 years. So, these transitions are very, very long [and] will take a really long time to implement.”
“We know that our adversaries are gathering up large troves of encrypted data with the understanding that eventually they’re going to have a sufficiently mature quantum computer that will be able to decrypt that data – so harvest now, decrypt later,” Presman said. “That means that we need to protect our data on the front end of that lifespan. It won’t be good enough to wait till the end. Once there’s a cryptographically relevant quantum computer, we’ll already be too late.”
If the Federal government wants to reach its 2035 deadline for a post-quantum future, it must act now, according to one official at the National Security Agency (NSA).
“You need to think about how you’re going to be able to adapt in order to transition to post-quantum cryptography,” Alyssa Thompson, a mathematician at NSA said during the Red Hat Government Symposium. “The deployment is not going to be trivial and it’s simply going to take time as we work out how these things are going to fit into our current algorithms.”
Anna Levine, the senior director of defense and national security programs at Red Hat, who moderated the conversation, closed out the panel saying, “The threat is real. It’s going to be incredibly complex to resolve this threat. And most importantly, it is going to take a long time to basically protect our environment, so the time to act is now.”
