As many people are now aware, the disruptive promise of scaled quantum computing comes with a threat to the security of many of our most widely used cryptographic algorithms. Fortunately, since 2016, the National Institute of Standards and Technology (NIST) has been evaluating safe alternatives, now widely referred to as “post-quantum cryptography” (PQC).
In this blog, we briefly explain the recent PQC standards announced by NIST, the recent U.S. federal government memorandum on migration efforts, and VMware’s initiatives, which will be showcased at the upcoming VMware Explore 2022 event.
The new crypto standards
After a lengthy proposal and vetting process, NIST announced in July 2022 its selections and intent to standardize the first four quantum-safe (PQC) algorithms. These algorithms address two key use cases in public key cryptography: key establishment and digital signatures. For key establishment, CRYSTALS-Kyber was selected as the go-to algorithm due to its relatively small public keys and fast cryptographic operations. This should keep the performance impact minimal, for example by reducing overhead in secure communication protocols like Transport Layer Security (TLS).
For digital signatures, CRYSTALS-Dilithium was selected as a primary algorithm, with FALCON for use when smaller signatures are required and SPHINCS+ to increase the diversity of quantum-safe alternatives. In general, all quantum-safe digital signature schemes have larger signature and key sizes and will impact existing security protocols that utilize them.
[Figure: Quantum-safe authentication schemes have larger authentication data sizes]
TLS, for example, will need to be modified to support larger keys and certificates. This modification will have implications for connection establishment time and the probability of packet loss within congested networks. Note that NIST is also planning to issue a new Call for Proposals for additional authentication schemes to diversify its digital signature alternatives.
The challenge of cryptographic transition
NIST’s announcement marks the beginning of a vast industry transition effort that you will, without a doubt, be reading more about in the future.
In the United States, for instance, the federal government recently released a national memorandum on quantum information science (QIS) and PQC. This memo creates a coordination office directly under the President and issues a list of executive orders mandating that federal agencies begin PQC migration activities. As a result, agencies will have the obligation to formulate detailed transition plans and update them annually.
Transitioning billions of devices and their associated systems, software, and applications to PQC will be a vast undertaking. Security and privacy solutions across the board make extensive use of cryptography standards and will be impacted by the change.
Technology providers will need to account for compliance, backward compatibility, secure implementations, and protocol compatibility. Enterprises making use of hundreds (or even thousands) of software and service providers will need to plan for an orchestrated migration. The impact of new key and signature sizes, computational requirements, and other requirements on network latencies and device resource utilization will need exploration.
Building the path forward
VMware is exploring solutions to help our customers transition to PQC. The key to this and future migrations is cryptographic agility, the ability to reconfigure an application or system with a different cryptographic algorithm or implementation. Innovative crypto agility frameworks can do more than just streamline new patches and the transition to new algorithms; they can enable enterprise customers to make orchestrated transitions in a policy- and compliance-governed manner.
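An added illustration of the policy-governed agility described above (not VMware's code or framework): the application calls `protect` and `check` and never names an algorithm, while a JSON policy decides what is produced and what is accepted. HMAC-SHA-256 and HMAC-SHA3-256 from the Python standard library stand in for the old and new algorithms; the policy fields, phase names, key and message are constructed for the example.

```python
import hashlib
import hmac
import json

# Registry: algorithm id -> tag function. Standard-library stand-ins; a PQC
# signature scheme would register here behind the same interface.
ALGORITHMS = {
    "hmac-sha256": lambda k, d: hmac.new(k, d, hashlib.sha256).digest(),
    "hmac-sha3-256": lambda k, d: hmac.new(k, d, hashlib.sha3_256).digest(),
}

# Constructed rollout phases: what a node produces and what it accepts.
PHASES = {
    "legacy": '{"protect_with": "hmac-sha256", "accept": ["hmac-sha256"]}',
    "transition": '{"protect_with": "hmac-sha3-256",'
                  ' "accept": ["hmac-sha256", "hmac-sha3-256"]}',
    "migrated": '{"protect_with": "hmac-sha3-256", "accept": ["hmac-sha3-256"]}',
}

def load_policy(text):
    """Parse a policy and refuse any algorithm the registry does not know."""
    policy = json.loads(text)
    unknown = ({policy["protect_with"]} | set(policy["accept"])) - set(ALGORITHMS)
    if unknown:
        raise ValueError(f"unregistered algorithms in policy: {sorted(unknown)}")
    return policy

def protect(policy, key, message):
    alg = policy["protect_with"]
    # Bind the algorithm id into the authenticated data so it cannot be swapped.
    tag = ALGORITHMS[alg](key, alg.encode() + b"\x00" + message)
    return {"alg": alg, "msg": message.hex(), "tag": tag.hex()}

def check(policy, key, envelope):
    alg = envelope.get("alg")
    if alg not in policy["accept"]:  # the receiver's policy decides, not the sender
        return False
    message = bytes.fromhex(envelope["msg"])
    expected = ALGORITHMS[alg](key, alg.encode() + b"\x00" + message)
    return hmac.compare_digest(expected, bytes.fromhex(envelope["tag"]))

def migration_matrix(key=b"constructed-demo-key", message=b"constructed message"):
    """Map (sender_phase, receiver_phase) -> whether the receiver accepts."""
    policies = {name: load_policy(text) for name, text in PHASES.items()}
    return {(s, r): check(policies[r], key, protect(policies[s], key, message))
            for s in policies for r in policies}
```

Reading the matrix: a sender already on the new algorithm is rejected by a receiver still on the legacy policy, so receivers have to move to the transition policy before any sender is switched.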
Along with technology development in the area of cryptographic agility, VMware is collaborating with NIST and other industry co-travelers as an active participant in NIST’s Cybersecurity Center of Excellence, where a special initiative on “Migration to Post-Quantum Cryptography” launched early this year. More on this in future blog installments.
We can’t wait to show you what’s next! Be sure to attend our VMware Explore 2022 session on cryptographic agility, where you will hear more about the road forward! You can register for the session here: Cryptographic Agility: Preparing Modern Apps for Quantum Safety and Beyond
You can read more about the PQC migration challenge and cryptographic agility in these other blogs:
- Computing Community Consortium: Identifying Research Challenges in Post Quantum Cryptography Migration and Cryptographic Agility
- Post-Quantum Cryptography and the Approaching Storm
- Post-Quantum Cryptography: Taking Stock of the Challenge Ahead
- A Deep Dive into VMware’s Crypto Agility Demo at VMworld 2021
- Kicking Off Your Organization’s Action Plan for Post-Quantum Cryptography Readiness
- Cryptographic Agility: Exploring Proxy Approaches