Over the next few months, the National Institute for Standards and Technology will finalize a short list of new encryption algorithms and standards that are designed to withstand the threat of quantum computers, which are expected to one day mature to the point where they are capable of breaking many classical forms of encryption.
This will necessitate a widespread effort over the next decade to transition computers and systems that rely on classical encryption — especially public key encryption — to newer algorithms and protocols that are explicitly designed to withstand quantum-based hacks.
But simply knowing that the world will need to move to new forms of encryption not the same thing as knowing when or how to do it. It also doesn't tell you what to do if and when a new algorithm later turns out not to be a viable candidate.
That kind of uncertainty is why NIST wants multiple algorithms and a number of backup options to be part of any new standards. It’s also one of the reasons it is working to build what is known as “crypto agility” into any forthcoming standards and migration guidance. The term essentially means designing encryption protocols in a way that can facilitate the swift replacement of the underlying algorithm with minimal disruption in the event that it proves not up to the task.
The National Cybersecurity Center of Excellence, a research center within NIST, is working on a migration playbook to help organizations identify vulnerable systems and game out questions around implementation. Officials expect the process of switching out encryption protocols at most large organizations to be a years-long slog, one fraught with uncertainty.
One of the biggest challenges is expected to be visibility — many organizations lack the process and expertise to identify which parts of their IT environment are reliant on the form of encryption that is most at risk from future quantum codebreaking.
“A lot of people don’t have any real sense of where [their public key encryption] are deployed in their systems. The non-technical folks that rely on them probably just don’t really recognize that it's all going to be rather complicated,” said Bill Newhouse, a cybersecurity engineer at NIST during a presentation to the Information Security and Privacy Advisory Board this week.
However, beyond the logistical hurdles, the future of the quantum computing landscape is still murky enough to create substantial pockets of uncertainty that can make it impractical or dangerous for organizations to put all their eggs in one basket.
For instance: until a working quantum computer advanced enough to break classical encryption comes along, officials at NIST are basing their algorithmic choices in part on mathematical estimations of what those computers might do. That means that the algorithms we think will protect us may actually fall short — and in fact NIST official Dustin Moody told SC Media earlier this year that each round of the post-quantum cryptography selection process has revealed a previously unknown or unforeseen weakness in one of the algorithms.
Another variable: a prominent French research organization is claiming that two of the lattice-based algorithms selected as finalists by NIST violate technology patents they own and are demanding the right to receive royalties and issue licenses for their use. That dispute has yet to be resolved, though at least one research paper has argued the claims may have little merit.
Over the next six months, the agency’s cyber center will meet with members of industry and academia to begin building, testing and troubleshooting migrations in a lab setting. They’ll also continue to work with agencies like NSA and the Cybersecurity and Infrastructure Security Agency, which both have defensive cybersecurity missions and in-house expertise on the challenges around encryption.
That work will feed into follow-up awareness campaigns. Newhouse said the agency needs to conduct outreach “to convince people that this is a challenge to be taken on and there are reasonable steps that we can show… because we’ve done it in our laboratory.”