Introduction to the Quantum Computing Impact on Cryptography

James Ramage

Common Criteria, FIPS 140-3

Quantum computing continues to be a hot topic. Within the certification industry, it was covered most recently at the International Common Criteria Conference (ICCC) held in Spain. So what is quantum computing and, more importantly, what is its potential impact on computer security and cryptography? This post gives a brief introduction to post-quantum cryptography: what changes are planned to algorithm standards to proactively defend against potential security issues, when those cryptography updates will come into effect, and which organizations are involved in assessing requirements, proposing updates and then enforcing post-quantum solutions.

Quantum computing is a new type of computation that harnesses aspects of quantum mechanics such as superposition, interference, and entanglement. Combined, these provide a large number of states, in contrast to the binary ones and zeros of traditional computing. This permits quantum computers to be far more efficient at solving traditionally computationally difficult problems, including those that underlie certain cryptographic foundations. Although this sounds very futuristic, steady development progress has been made and the resulting computational power is expected to increase exponentially. For this reason, a number of currently approved cryptographic algorithms are at risk of being rendered obsolete and must be updated and/or replaced to remain secure. This is the post-quantum or quantum-resistant (QR) algorithms initiative summarized below.

Enter some of the key players in the world of computer security such as the National Security Agency (NSA), the National Information Assurance Partnership (NIAP) and the National Institute of Standards and Technology (NIST). Together, these organizations are leading the charge to specify, certify and enforce QR algorithms.

Commercial National Security Algorithm Suite (CNSA) 1.0

In September 2021, the NSA released Commercial National Security Algorithm Suite (CNSA) 1.0, whose updates predominantly increase the size of parameters (bits, curve, modulus) to make the computation required to break the algorithm much harder. This is seen as a short-term but practical approach.

| Algorithm | Function | Specification | Parameters |
| --- | --- | --- | --- |
| Advanced Encryption Standard (AES) | Symmetric block cipher for information protection | FIPS PUB 197 | Use 256-bit keys for all classification levels. |
| Elliptic Curve Diffie-Hellman (ECDH) Key Exchange | Asymmetric algorithm for key establishment | NIST SP 800-56A | Use Curve P-384 for all classification levels. |
| Elliptic Curve Digital Signature Algorithm (ECDSA) | Asymmetric algorithm for digital signatures | FIPS PUB 186-4 | Use Curve P-384 for all classification levels. |
| Secure Hash Algorithm (SHA) | Algorithm for computing a condensed representation of information | FIPS PUB 180-4 | Use SHA-384 for all classification levels. |
| Diffie-Hellman (DH) Key Exchange | Asymmetric algorithm for key establishment | IETF RFC 3526 | Minimum 3072-bit modulus for all classification levels |
| RSA | Asymmetric algorithm for key establishment | FIPS SP 800-56B | Minimum 3072-bit modulus for all classification levels |
| RSA | Asymmetric algorithm for digital signatures | FIPS PUB 186-4 | Minimum 3072-bit modulus for all classification levels. |

CNSA 1.0 Algorithms (Source: National Security Agency)

Commercial National Security Algorithm Suite (CNSA) 2.0

In September 2022, the NSA introduced CNSA 2.0, which provides the updates listed in the table below. It is interesting to note that, in addition to the minor size increase for hashing with SHA, brand new algorithms have now been added to the roster. In particular, new CRYSTALS algorithms have been added as asymmetric algorithms for key establishment and digital signatures. In addition, the asymmetric algorithm used to digitally sign software or firmware will require the use of Leighton-Micali Signature (LMS) or the Xtended Merkle Signature Scheme (XMSS).

| Algorithm | Function | Specification | Parameters |
| --- | --- | --- | --- |
| Advanced Encryption Standard (AES) | Symmetric block cipher for information protection | FIPS PUB 197 | Use 256-bit keys for all classification levels. |
| CRYSTALS-Kyber | Asymmetric algorithm for key establishment | FIPS 203 | Use Level V parameters for all classification levels. |
| CRYSTALS-Dilithium | Asymmetric algorithm for digital signatures | FIPS 204 | Use Level V parameters for all classification levels. |
| Secure Hash Algorithm (SHA) | Algorithm for computing a condensed representation of information | FIPS PUB 180-4 | Use SHA-384 or SHA-512 for all classification levels. |
| Leighton-Micali Signature (LMS) | Asymmetric algorithm for digitally signing firmware and software | NIST SP 800-208 | All parameters approved for all classification levels. SHA-256/192 recommended. |
| Xtended Merkle Signature Scheme (XMSS) | Asymmetric algorithm for digitally signing firmware and software | NIST SP 800-208 | All parameters approved for all classification levels. |

CNSA 2.0 Algorithms (Source: National Security Agency)

It is important to realize that CNSA 1.0 is in effect now from an NSA and NIAP perspective. The timeline for CNSA 2.0 is a bit more complicated, but the requirement for digitally signing firmware and software using QR algorithms is planned for 2025, compared to overall adoption of the 2.0 suite by 2035. Please refer to this NSA document for more details: https://media.defense.gov/2022/Sep/07/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF.
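
The two tables above can be applied mechanically to an algorithm inventory to see what already conforms and what has to be replaced. The following Python is an added example, not code from the NSA or from the original post; the "FAMILY:PARAM" item syntax, the function names and the sample inventory are assumptions made for illustration.

```python
# Added example: audit a constructed algorithm inventory against the
# CNSA 1.0 and CNSA 2.0 tables on this page. The "FAMILY:PARAM" syntax
# and every function name here are assumptions made for this example.

def exactly(*allowed):
    return lambda p: p in allowed

def at_least(bits):
    # Non-numeric parameters never satisfy a minimum-size rule.
    return lambda p: p.isdigit() and int(p) >= bits

def any_param(p):
    # Table wording: "All parameters approved".
    return True

CNSA_1_0 = {
    "AES": exactly("256"), "SHA": exactly("384"),
    "ECDH": exactly("P-384"), "ECDSA": exactly("P-384"),
    "DH": at_least(3072), "RSA": at_least(3072),
}
CNSA_2_0 = {
    "AES": exactly("256"), "SHA": exactly("384", "512"),
    "CRYSTALS-Kyber": exactly("Level V"),
    "CRYSTALS-Dilithium": exactly("Level V"),
    "LMS": any_param, "XMSS": any_param,
}

def conforms(item, suite):
    """True if the item's family is listed in the suite and its parameter passes."""
    family, _, param = item.partition(":")
    rule = suite.get(family.strip())
    return bool(rule and rule(param.strip()))

def audit(inventory):
    """Return {item: (ok_under_1_0, ok_under_2_0)} for every item."""
    return {i: (conforms(i, CNSA_1_0), conforms(i, CNSA_2_0)) for i in inventory}

def migration_gaps(inventory):
    """Items acceptable under CNSA 1.0 that the CNSA 2.0 table no longer lists."""
    return [i for i, (v1, v2) in audit(inventory).items() if v1 and not v2]

# Constructed sample inventory, not taken from any real product.
SAMPLE = ["AES:256", "AES:128", "RSA:3072", "RSA:2048", "ECDSA:P-384",
          "ECDH:P-256", "SHA:256", "SHA:512", "DH:3072",
          "CRYSTALS-Kyber:Level V", "CRYSTALS-Dilithium:Level III",
          "LMS:SHA-256/192"]

if __name__ == "__main__":
    for item, (v1, v2) in audit(SAMPLE).items():
        print(f"{item:30} CNSA 1.0: {'ok' if v1 else 'NO':3} CNSA 2.0: {'ok' if v2 else 'NO'}")
    print("Conforms to 1.0 only:", migration_gaps(SAMPLE))
```

On the sample inventory, migration_gaps returns RSA:3072, ECDSA:P-384 and DH:3072: entries that satisfy CNSA 1.0 today but have no row in the CNSA 2.0 table.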

 

To fully understand the potential impact of post-quantum algorithm requirements, transitions, and impacts on your FIPS validation or CC certification, please contact Lightship Security!

James Ramage

James Ramage is a senior FIPS evaluator at Lightship. He has been doing FIPS evaluations and security certifications for 5+ years and enjoys working with customers, training team members and evaluating new technologies.