The U.S. government is expected to roll out its National Cyber Strategy 2023 in the coming weeks and quantum computing is expected to be featured with a likely path toward post-quantum cryptographic standards.

Enter Quantum asked quantum and cybersecurity experts for their views about what the industry can expect from the upcoming policy.

Kaniah Konkoly-Thege, Quantinuum senior vice president for government relations

It seems clear that the forthcoming National Cybersecurity Strategy will include guidance about preparing for the transition to quantum-resistant cryptography.  This guidance will likely include best practices for the private sector to assess current cryptographic systems, inventory data, experiment with NIST’s post-quantum algorithms and develop plans to protect data, especially sensitive (medical, financial or personal) data, by transitioning to these post-quantum algorithms.  NIST is currently in the process of standardizing these algorithms with final standards due to be released in 2024.

This guidance will come on the heels of President Biden’s signing of the Quantum Computing Cybersecurity Preparedness Act in December 2022, which is designed to help federal agencies proactively shift to a post-quantum security posture and gives agencies until May 4, 2023, to submit an inventory of potentially vulnerable systems and directs the Office of Management and Budget to prioritize the adoption of post-quantum cryptography standards across the government.

The time is now to:

1. Begin inventorying cryptography systems that will be vulnerable to future quantum attacks. 

2. Develop “quantum IQ” across your organization by exploring the benefits and risks that quantum technologies will pose for your business

3. Review the NIST post-quantum algorithms (four finalists were announced in July 2022) and create a strategy for cryptographic agility that will allow you to shift your systems to the final standards and protect your data with minimal disruption.

4. Identify partners established in the quantum ecosystem who can guide you through the transition to quantum-safe cybersecurity while protecting data from both classical and quantum cyberattacks.

Nils Gerhardt, Utimaco CTO

We welcome this spotlight on post-quantum cryptography, as many companies today are often not aware of what type of cryptography they are using, which certificates are being used, when they will expire and what algorithms are executed by the different enterprise applications.

There is great uncertainty, so the need to better understand a company’s own infrastructure and to properly secure a wide variety of communications is growing. For this reason, security-conscious companies are increasingly starting crypto assessments.

Another step is forward-looking asset management, for example, when an algorithm is outdated. In the future, it will be important to find solutions and define processes for continuously modernizing your own cryptographic assets. The aim of this is to achieve so-called crypto-agility so that algorithms are adapted directly if a certain encryption method is broken - for example by quantum computers. We eagerly await the publication of the US National Cybersecurity Strategy 2023 so we can help businesses navigate the way forward.

Roger Grimes, KnowBe4 data-driven defense evangelist

Every sufficiently capable nation is not only trying to maximize the coming benefits of quantum information sciences but also best defend its resources against equally possible quantum attacks.

The U.S. will likely continue to further increase investment in quantum information science projects and provide additional funding to defense projects, which will protect us against quantum attacks. It wouldn't surprise me if there was even more funding devoted to finding additional quantum-resistant cryptography because of the recent challenges revealed in the current NIST post-quantum cryptography contest. It's taking longer than expected and the risk of selecting what we previously thought was a good quantum-resistant cipher is increasing.

A few of the most recent leading quantum-resistant cryptography candidates have been shown to contain fatal flaws in the last weeks before they were likely to be selected as recommended post-quantum cryptography finalists, and many of the remaining finalists share a common mathematical makeup, meaning that one improved cryptographic attack could render them all unusable.

All nations are in a rush to create quantum computers capable of breaking each other's current cryptography and preparing their own defenses, so they aren't caught unaware. I think you'll also see an increase in project funding as additional agencies are now tasked with starting their own post-quantum projects.

Trying to defend against quantum cryptography attacks is going to be expensive and time-consuming and will drag on for over a decade. That means lots of money. Expect to see everyone's budget start to contain line items dedicated to their post-quantum projects. If they don't have a post-quantum project already, they will certainly have one soon.

Andersen Cheng, Post-Quantum founder

The US government has taken a global lead in protecting our world from the looming threat of quantum computers. The expected inclusion of further mandates in the strategy will only add to this growing push at a federal level.

Today many organizations are rightly focused on auditing a prioritized inventory of cryptographic systems, the first of which is due in May. However, auditing alone isn't enough. Organizations should also do what they can today while they're undertaking this preparatory work by considering how they can prevent their data-in-transit from being collected. It could take an agency years to audit and replace its cryptography, but a quantum-safe VPN can be rolled out in weeks to protect data in transit.

In 2020, NATO successfully tested our Hybrid PQ VPN, demonstrating we can protect critical entities from powerful quantum computers including, harvest now, decrypt later attacks. Crypto-agile approaches like this support interoperability by allowing multiple post-quantum and traditional algorithms to be used in conjunction with one another. We are hopeful that governments across the world will mandate crypto-agility to ensure that allies and companies across the world can interoperate.

Scalable quantum computers will be able to run a handful of very powerful algorithms; the one most relevant to this discussion is Shor's algorithm. Post-quantum cryptography is cryptography that can be implemented on current devices, but that should be resistant to future scalable quantum computers. Post-quantum cryptographic algorithms can be implemented now on anyone's smartphone, laptop, or even smartcards or other smaller devices, and we as a community aim to have updated as much as possible of the encryption algorithms before a scalable quantum computer is realized. 

Since the end of 2016, NIST has been running an international competition to get new standards for key encapsulation mechanisms (used in message encryption) and digital signatures. The aspects of these that are currently in wide deployment that will be susceptible to attacks from quantum computers (using Shor's algorithm) are based on the supposed hardness either of factoring or the discrete logarithm problem. There are five main areas of post-quantum cryptography, all of which are also based around a hard problem in mathematics and should be thought of as replacing factoring and the discrete logarithm problem. These areas are code-based cryptography, based on error-correcting codes, hash-based cryptography, based on specially designed hard-to-invert functions, isogeny-based cryptography, based on finding maps between elliptic curves, lattice-based cryptography, based on the shortest vector problem, and multivariate cryptography, based on finding solutions to large systems of simultaneous equations.

In 2022, NIST announced standards for post-quantum message encryption and signatures. They chose one standard for key encapsulation, a lattice-based scheme called CRYSTALS-Kyber whose hardness is based on finding the shortest vector in an algebraic lattice. The algebraic structure on the lattice allows for very efficient computation; in fact, it is on par with our most efficient pre-quantum algorithms, although the memory requirements are much higher. It does mean that the security is based on a slightly weaker problem that the generic shortest vector problem, but so far it has proved to be resistant to cryptanalysis. For digital signatures, NIST has selected a more diverse set of problems: two also based on algebraic lattices, CRYSTALS-Dilithium and Falcon but also one choice from hash-based cryptography, SPHINCS+. They have also announced that they will restart the competition in June for digital signatures allowing new submissions to further diversify the set of problems that they standardize in the future. 

Richard Watson-Bruhn, PA Consulting US head of digital trust & cybersecurity, and Peter Clay, PA Consulting digital trust and cybersecurity Expert

Looking back in 2018, the US National Cyber Strategy acknowledged the threat quantum computers posed and supported the NIST post-quantum algorithm standardization process. More recently, 2022 was a busy year for the US government and US agencies for post-quantum cryptography: the Quantum Computing Cybersecurity Preparedness Act was passed; the Presidential memorandum, and related memoranda, directed all Federal Agencies to prepare for post-quantum cryptography by inventorying the use of algorithms vulnerable to quantum computers; and NIST announced the selection of the first four quantum-resistant cryptographic algorithms for standardization. 

This is against a backdrop of continued progress in quantum computing capabilities, which continue to press the need to prepare for post-quantum encryption such as IBM’s continued progress on their development roadmap and Google’s latest paper on the reduction of error correction. Research papers from China cause concern by proposing new attack approaches on near-term hardware which overcome some of our assumptions on quantum encryption risk even if the extent of some claims is questionable. 

We can therefore expect the 2023 National Cybersecurity strategy to push practical progress on migration to post-quantum encryption. 

Awareness of the threat has been raised, now is the time for action. For high-priority systems, where national security or critical infrastructure services are affected, targets for completion of migration might be set as aggressively as 2030-2035. Building on the Office of Management and Budget (OMB) November 2022 memorandum to inventory, it prioritizes and assesses funding requirements for migration. We can expect preparation in earnest even if the actual transition needs the standardization process to complete in the next two years and for vendors to get their new products through FIPS certification before it can be adopted. 

Action is required in the private sector as well as Federal agencies. Critical national infrastructure providers as well as Federal Agencies involved in national security work are likely to be included in the strategic direction. The threat applies to both private and public actors meaning that all parties must act if the cyber strategy is to be successful in preparing the US for the quantum threat to encryption. 

Fans of quantum key distribution (QKD) are likely to be disappointed.  It is unlikely that the strategy will shift from the implementation of post-quantum algorithms on classical computers to the widespread use of quantum technology as part of key distribution. The urgency makes waiting to solve the engineering challenges of QKD too risky, and the need to replace vulnerable algorithms used in digital signatures for critical uses such as software and firmware signing means that QKD alone cannot protect us against the quantum threat.