How the NSA is getting ready for the (coming) quantum codebreaking revolution

Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger  and Homeland Security Advisor and Deputy National Security Advisor Dr. Elizabeth Sherwood-Randall speak about the Colonial Pipeline cyber attack during the daily press briefing at the White House on May 10, 2021 in Washington, DC. The NSA, like everyone else, is figu...

Whether you’re a small business or a massive government bureaucracy, it’s important to know how to keep your sensitive data safe and encrypted over the long term.

The evolution of quantum computing — and its malicious cousin, quantum codebreaking — will pose significant data security question to virtually every organization and individual that uses a computer today. Governing and standards bodies are racing to develop and vet new forms of encryption that they believe can withstand the (still largely theoretical) threat posed by quantum code breaking, while vendors have already moved quickly — perhaps too quickly — to offer and sell new, largely unvetted “quantum resistant” encryption products to industry.

The National Security Agency has to protect some of the world’s most sensitive national security data on the planet. While the intelligence agency has a spotty history around promoting encryption practices that could make some parties skeptical of taking their advice, they’re also largely in the same boat as everyone else in trying to figure out the best way to keep their data safe in a post-quantum environment.

To that end, a document released by the agency this week provides new insight into how national security organizations responsible for keeping sensitive classified or unclassified data safe from hackers and foreign intelligence services should approach the replacement of their classical encryption protocols with new quantum-resistant ones.

The National Institute for Standards and Technology is currently in the later stages of vetting and selecting a handful of new algorithms that will not only underpin the encryption of federal and contractor systems, but also likely have a broad influence on the international and industrial standards that develop around quantum-resistant encryption.

According to the document, the NSA expects to select a lattice-based algorithm from the list of NIST finalists when the process is complete. It also reveals how officials are approaching the uncertainties on the ground, including how fast organizations should be moving to plan for or implement newer, quantum-resistant encryption algorithms.

However, just what can be done to prepare today without jumping ahead of the science is an ongoing question. For example, NSA’s Commercial National Security Algorithm Suit, first stood up in 2015, still recommends commercial partners use a number of public-key encryption options that have been vetted for use in national security systems, but are considered open to potential quantum attacks.

It also offers a number of classical symmetrical key algorithms in use today that mathematicians believe are far less vulnerable to the kind of code-breaking capabilities introduced by cryptographically relevant quantum computers. In fact, they’re good enough that the agency specifically recommends vendors and commercial partners use them over newer, untested algorithms that could wind up being out of compliance.

“NSA considers the use of pre-shared symmetric keys in a standards compliant fashion to be a better near-term post-quantum solution than implementation of experimental post-quantum asymmetric algorithms that may or may not be proven secure and which will not be compatible with NIST standards,” the agency warns.

Some of these algorithms are still used by NSA’s Cybersecurity Directorate to protect classified and unclassified data. Two of them — AES-256 and SHA-384 — are considered safe against attacks on large quantum computers, but the agency is upfront that these options represent an interim solution until newer standards are approved by NIST. Those with other or less advanced encryption protocols in place are probably better off waiting for the oncoming wave of new algorithms to be approved by NIST and NSA.

“The cryptographic systems that NSA produces, certifies, and supports often have very long lifecycles,” the agency noted. “NSA has to produce requirements today for systems that will be used for many decades in the future, and data protected by these systems will still require cryptographic protection for decades after these solutions are replaced.”

So why start worrying now? Because the agency expects it will take “20 years or more” to fully deploy the new algorithms in different national security systems. Once in place, the officials expect them to stay for quite some time.

It’s a familiar problem for those trying to get an early jump on the next generation of encryption. Because we don’t know exactly how the coming quantum hacking revolution will play out, there’s a chance some of the algorithms we deem as “safe” today will turn out to have unforeseen weaknesses.

In fact, this is why NIST ultimately wants to have seven or eight primary algorithms and a number of backup options available. Even some of the algorithms that have made it to the third round have later been found to be more vulnerable to theoretical quantum hacking than originally thought.

Dustin Moody, a mathematician at NIST who manages the Post-Quantum Cryptography project, told SC Media in July that the agency expects to wrap the third round by the end of this year and it will likely take another one- to two years for them to go through the public comment process and be finalized. While government and commercial entities should know by 2024 which algorithms NIST will endorse, the research won’t stop there.

“At the same time we announce the [round 3] algorithms, we will also announce any algorithms we wish to consider evaluating in a fourth round. This fourth round will be again one to 1 1/2 years… and some of the alternates might be selected for this,” Moody told SC Media.  

"We also announced that at the end of the 3rd round, we would issue a new call for signatures. This is a smaller-scoped call, which will be looking for non-lattice based general-purpose digital signature schemes to complement the lattice-based one we will choose at the end of the third round.”

Many cryptographic experts stress that the best way for organizations to prepare now is through “crypto agility” — or building flexible encryption protocols capable of supporting multiple kinds of newer quantum resistant algorithms. This can allow them to switch out a less effective algorithm and prevent an organization from boxing themselves into betting on one particular solution that may or may not turn out to be fully safe from quantum hacks.

“Regardless of when NIST finalizes any quantum-resistant encryption, or when [they] become capable of breaking today's encryption, crypto-agility is a capability that is needed today," Sounil Yu, chief information security officer for JupiterOne, told SC Media last month.

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.