NSA and Post Quantum Cryptography

The National Security Agency (NSA, USA) has announced the “Commercial National Security Algorithm Suite 2.0” (CNSA 2.0; you can find the announcement here and an FAQ here).

There are a few points of interest related to this announcement:

  • first of all, NIST has not yet completed the selection and standardization of all the Post Quantum Cryptography algorithms (this should be completed by 2024), but the NSA has nonetheless decided to require the implementation of the algorithms already standardized by NIST (see NIST SP 800-208) and to suggest getting ready to implement the others that will be standardized in the coming years; this can be read as a sign that the NSA feels some urgency in introducing the new algorithms and foresees that Quantum Computers able to break current cryptographic algorithms such as RSA will arrive in a not too distant future;
  • the already standardized new PQC algorithms are to be used only for software and firmware signing, and the transition to them must begin immediately;
  • the timelines are quite short considering the time it takes to implement all the new algorithms, including in hardware; in summary: the already standardized new PQC algorithms must be implemented by 2025 and used exclusively by 2030; all other new PQC algorithms should be supported or implemented by 2025 and used exclusively by 2033;
  • the above timelines suggest that the NSA believes a Quantum Computer able to break current cryptographic algorithms such as RSA could be available around 2035.

Post Quantum Cryptography is not doing so Well

Post Quantum Cryptography (PQC) is the name given to new cryptographic algorithms that should remain secure even when a real Quantum Computer arrives. The NIST competition to select these algorithms started in 2016, is now in its 4th round and is expected to end by 2024.

This year NIST, for round 4, selected 4 final candidates and 4 potential replacements in case any of the 4 front runners drops out. But already this year two candidates have been invalidated due to the discovery of serious security weaknesses: in February, at the end of round 3, it was Rainbow, and in these days (see here), in round 4, it is SIKE, one of the potential replacement candidates.

The weaknesses discovered apply only to the algorithms that have been invalidated, but the fact that they were found so late in the NIST selection process should make us wonder whether the timeline will hold or whether more time will be needed to completely test and evaluate these new algorithms.