On July 5, NIST unveiled the first suite of four post-quantum cryptography (PQC) algorithms designed to strengthen the world’s cybersecurity defenses in the quantum era. After more than six years of work by hundreds of scientists and engineers from 25 countries, the highly anticipated news marked a major milestone in the history of cryptography and cybersecurity.
For all intents and purposes, July 5 officially kicked-off the world’s migration from classical public-key cryptography (PKC) – which has admirably protected the world’s data and communications for nearly 50 years but is vulnerable to quantum computer-aided attacks – to the new PQC standard algorithms. Businesses, government agencies and academics finally had the long-awaited algorithms upon which the next encryption and digital signature schemes would be based.
On July 16, NIST announced the 12 technology collaborators for the National Cybersecurity Center of Excellence’s “Migration to Post-Quantum Cryptography” project. SandboxAQ was among the 12 selected, along with Amazon Web Services, Cisco, Microsoft, Samsung SDS, VMWare, Crypto4A Technologies, Cryptosense, InfoSec Global, ISARA Corporation and two divisions of The Thales Group.
Together, the consortium will pursue the project’s mission of “initiating the development of practices to ease migration from the current set of public-key cryptography algorithms to replacement algorithms that are resistant to quantum computer-based attacks.” In simple terms, this means writing white papers, creating migration playbooks, and developing “demonstrable implementations for organizations” – i.e., quantum-resistant solutions leveraging PQC.
The focus of phase one is to build automated discovery tools that can identify where and how PKC is being used throughout an enterprise’s IT architecture: in hardware, firmware, operating systems, communication protocols, cryptographic libraries, and applications – whether they’re in data centers, on-prem, in the cloud, or across distributed computer, storage, and network infrastructures. The tools will identify instances of quantum-vulnerable public-key algorithms, where they are used, and the function they support-- delivering actionable insights to CIOs, CISOs and others. Even with state-of-the-art technologies, the discovery process can take a substantial time period, based on the size and complexity of the systems.
Once these vulnerabilities have been identified, phase two of the project is to help organizations prioritize those components that need to be migrated first – e.g., the most at-risk systems, the most valuable or private data, etc. – using a variety of risk management practices. Since a full migration to PQC could take years, and requires extensive and costly hardware and software upgrades, organizations will likely tackle their critical systems first and then systematically transition other systems and assets on a rolling basis – which is the culmination of phase three.
We are incredibly proud to have been chosen by NIST to join the NCCoE consortium, all of whom underwent a rigorous review and selection process. We will contribute our discovery software, AQ Analyzer, which identifies and tags every instance of public-key cryptography in TLS traffic. The insights provided by this application will enable CIOs and CISOs to develop their PQC migration strategies.
We look forward to collaborating with the NCCoE consortium to accelerate the development and deployment of PQC solutions, and we’re happy to speak with your organization about your specific needs right now.