NIST wants agencies to move off current encryption by 2035, but analysts say that enterprises cannot wait nearly that long; state actors are expected to achieve quantum at scale by 2028.

The US National Institute of Standards and Technology (NIST) on Tuesday published its timetables for moving government agencies off current types of encryption onto what they hope will be quantum-resistant encryption by 2035. But analysts urge enterprises to move much more quickly, given that state actors are expected to achieve quantum at scale by 2028.
Mark Horvath, a Gartner VP analyst who tracks both quantum and cryptography, said the urgency for enterprises to move away from current encryption techniques is real. IBM has said it expects to have a 200-qubit quantum computer by 2030 and, Horvath said, “We assume that state actors are two years ahead of where the commercial vendors are.”
In October, a research team in China was reported to have already broken RSA encryption via quantum, albeit not at scale.
In the newly published document, NIST distinguished between agencies getting rid of existing encryption entirely and just starting to scale it back. It used the term “deprecated” to mean that “the algorithm and key length/strength may be used, but there is some security risk. The data owner must examine this risk potential and decide whether to continue to use a deprecated algorithm or key length.” It used the more stringent “disallowed” to describe the outright ban of the use of “the algorithm, key length/strength, parameter set, or scheme.”
NIST also used “legacy” to refer to a middle ground where, it said, “the algorithm, scheme, or parameter set may only be used to process already protected information” such as “to decrypt ciphertext data or to verify a digital signature.”
The document said that all of today’s public-key algorithms (ECDSA, RSA and EdDSA) must be disallowed after 2035. After 2030, ECDSA and RSA at the 112-bit security strength are to be deprecated.
“That is a little bit long, because they want to give people time to change. It’s good advice, but I would take it a little bit further” because “governments have mitigating controls [such as isolation and virtualization] and enterprises don’t typically have those controls,” Horvath said. He added that enterprises that use air-gapped systems are close. “I would encourage anybody who is not in the government to take this seriously and begin planning today.”
The NIST report said that even though quantum computing is not yet here at scale, there is still reason to act quickly. The term “post-quantum cryptography (PQC)” can mislead: the “post” does not mean the work starts after quantum arrives; it refers to cryptography that must already be in place by the time quantum does arrive at scale.
“Even though the transition to post-quantum cryptography is starting before a cryptographically relevant quantum computer has been built, there is a pressing threat. Encrypted data remains at risk because of the ‘harvest now, decrypt later’ threat in which adversaries collect encrypted data now with the goal of decrypting it once quantum technology matures,” the report said. “Since sensitive data often retains its value for many years, starting the transition to post-quantum cryptography now is critical to preventing these future breaches. This threat model is one of the main reasons why the transition to post-quantum cryptography is urgent.”
NIST also conceded that even some government systems may have to transition more quickly. “Some systems, particularly those with long term confidentiality needs or more complex cryptographic infrastructures, may require earlier transitions, while others may adopt PQC at a slower pace due to legacy constraints or lower risk profiles,” NIST said. “Flexibility in migration planning is essential to balance the urgency of securing critical systems with the practical challenges that different sectors face during this transition.”
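As an added illustration, not code from the article or from NIST, the following Python assesses a constructed cryptographic inventory against the deprecated/disallowed/legacy categories and dates quoted above, and applies the “harvest now, decrypt later” reasoning as Mosca’s inequality: an asset is exposed when the years its data must stay confidential plus the time needed to migrate it exceed the years left before quantum at scale (2028, the analysts’ estimate cited earlier). The key-size-to-security-strength table is assumed from NIST SP 800-57 rather than taken from the article, and treating verify/decrypt operations as “legacy” use after 2035 is one reading of NIST’s definition, marked as an assumption in the code.

```python
from dataclasses import dataclass

# Security strength in bits of classical public-key parameters; assumed from
# NIST SP 800-57 Part 1, since the article gives no key-size table.
SECURITY_STRENGTH = {("RSA", 2048): 112, ("RSA", 3072): 128, ("ECDSA", 224): 112,
                     ("ECDSA", 256): 128, ("ECDSA", 384): 192, ("EdDSA", 255): 128}
DEPRECATE_AFTER, DISALLOW_AFTER = 2030, 2035  # years from the NIST timetable
CRQC_YEAR = 2028                              # analysts' state-actor estimate
LEGACY_OPS = {"verify", "decrypt"}            # only process already-protected data

@dataclass
class Asset:
    name: str
    algorithm: str
    key_bits: int
    operation: str        # sign, verify, encrypt, decrypt or key-exchange
    data_lifetime: int    # years the protected data must stay confidential
    migration_years: int  # estimated years needed to move this asset to PQC

def nist_status(asset: Asset, year: int) -> str:
    """Classify an asset against the NIST timetable for a calendar year."""
    strength = SECURITY_STRENGTH.get((asset.algorithm, asset.key_bits))
    if strength is None:
        return "unknown"  # not in the table: inventory it, then decide
    if year > DISALLOW_AFTER:
        # Assumption: after the cut-off, verify/decrypt of existing data is
        # "legacy" use, while creating new protection is "disallowed".
        return "legacy" if asset.operation in LEGACY_OPS else "disallowed"
    if year > DEPRECATE_AFTER and strength <= 112:
        return "deprecated"
    return "acceptable"

def hndl_exposed(asset: Asset, year: int) -> bool:
    """Harvest-now-decrypt-later check (Mosca's inequality): exposed when data
    lifetime plus migration time exceeds the years left before a CRQC."""
    if asset.operation not in {"encrypt", "key-exchange"}:
        return False  # signatures are not harvested for later decryption
    return asset.data_lifetime + asset.migration_years > CRQC_YEAR - year

def assess(assets, year):
    return [(a.name, nist_status(a, year), hndl_exposed(a, year)) for a in assets]

# Constructed sample inventory, not taken from the article.
INVENTORY = [
    Asset("vpn-gateway", "RSA", 2048, "key-exchange", 10, 2),
    Asset("code-signing", "ECDSA", 256, "sign", 0, 3),
    Asset("archive-verify", "RSA", 2048, "verify", 0, 1),
    Asset("hr-records", "RSA", 3072, "encrypt", 1, 1),
]
```

Running `assess(INVENTORY, 2025)` shows the VPN gateway already exposed to harvest-now-decrypt-later even though its RSA-2048 key is still “acceptable” on the NIST timetable, which is the gap the article’s analysts are pointing at.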
NIST released three approaches to beginning the journey to quantum-resistant cryptography: the Module-Lattice-Based Key-Encapsulation Mechanism [FIPS203], the Module-Lattice-Based Digital Signature Algorithm [FIPS204], and the Stateless Hash-Based Signature Algorithm [FIPS205].
Horvath said that even if NIST and others have made incorrect guesses about what quantum will eventually look like, moving to the new encryption approaches is a no-brainer. “In the worst possible case, we switch over and we have much more safety than we had before. By upgrading to the lattice algorithm, we get much stronger cryptography,” Horvath said.
Horvath also stressed that there are various advantages to moving to the new encryption approaches that have nothing to do with traditional security issues. For example, he said the new versions can support encrypted searches, which are not practical today.
“It has to do with the math that it is based on, which is fundamentally different, and it therefore allows these extra properties [such as secure multi-party computation] that the current math just doesn’t,” Horvath said.
That would, for example, allow better mechanisms for executing anti-money laundering efforts where you “have high-net-worth clients and we don’t want to share their names with other banks. It can be asked ‘Does he have a SAR (suspicious activity report) at any other bank?’” without identifying the customer by name, Horvath said. “It’s both stronger and more flexible.”
Frank Dickson, an IDC group VP for security and trust, argued that because encryption is the base for almost every aspect of cybersecurity today, he believes that “the delivery of this document is the single most impactful [cybersecurity] development of the year.”
The particular specs in the document are less important than the fact that this reflects the beginnings of broad industry alignment on how this encryption migration should happen, Dickson said.
“The information is less important than the idea that we got cryptographers to agree on something,” Dickson said. “It’s not the technology that is the [benefit]. It’s the agreement.”
Dickson agreed in general that enterprises must move as quickly as they can to this improved encryption, but said that a business needs to consider many factors, such as cost, when deciding on a timeline. “There’s a cost factor determining how fast you can go. It costs money to replace [technology],” he said. “[Enterprise CISOs and CIOs] may decide that some things aren’t updated until you have to replace it.”
Urs Würgler, a senior management consultant with Swisscom CISSP, a security vendor in Zurich, Switzerland, wrote in a LinkedIn comment about the NIST report, “in a technical context, the expression ‘disallowed’ is interesting. There are US agencies that are subject to some NIST adherence if they must obey DFARS or FISMA. In this case, NIST SP 800-171 compliance is required and is not yet making reference to PQC.”
“It goes without saying that PQC is not yet referenced in the sense of implementation requirements mandated by nation states,” Würgler wrote. “The concept of ‘cryptographic agility’ has been discussed for at least 20 years, but its practical implementation remains niche. Given the impending need for PQC, this situation is far from ideal.”