This month marks a significant achievement in the realm of post-quantum cryptography (PQC) with the publication of three new algorithm standards (ML-KEM, ML-DSA, SLH-DSA) by NIST, the national standards organization of the United States.
The NCSC has updated our PQC white paper to acknowledge this milestone. While the core technical messages of the document remain the same, we recognize that many of you are eager to grasp the subsequent steps in the national transition to PQC.
What are the key early activities?
The standardization of algorithms is merely the beginning for the global cryptography community as we work towards a comprehensive migration to PQC. Robust implementations of these algorithms are necessary, along with modifications to the services and protocols that currently utilize public-key algorithms. For instance, there are ongoing international efforts to revise key internet protocols like TLS.
Migrating to PQC will be a prolonged endeavor, and in certain sectors, it may extend beyond a decade. However, the magnitude of this work necessitates that preparation begins now. Larger organizations, especially those with customized IT or operational technology, should initiate plans for their future migration to PQC. This initial discovery phase should include:
- Establishing a clear understanding of the data an organization holds, its value to both the organization and potential adversaries, and the expected longevity of specific data assets.
- Documenting the systems involved in processing and storing that data.
- Assessing how data is secured across these systems, particularly focusing on the usage of public key cryptography.
- Grasping how each organization’s supply chain is approaching its own PQC migration.
The systems that should be prioritized for migration include:
- Systems that handle data anticipated to be valuable over an extended period.
- Systems that can only be updated infrequently due to reliance on legacy hardware or complex infrastructure.
What comes next?
The NCSC will provide various forms of support for the PQC migration planning and execution process.
1. Support for regulation
Many larger organizations function within regulated frameworks. The NCSC will assist regulators in establishing appropriate guidelines and policies for their respective sectors, engaging with major industry bodies to comprehend their challenges while collaborating with DSIT and other government departments as necessary.
Several sectors, such as finance and telecommunications, have already invested considerable effort into understanding how to incorporate PQC into their complex networks. We will highlight best practices where applicable and provide tailored advice for sector-specific challenges.
2. Support for central government
Within the government, the NCSC will mainly collaborate with the Cabinet Office and DSIT to determine policies guiding other departments’ migrations and offer customized consultancy when processing data related to national security.
In the upcoming year, we plan to work with one or two departments to delve deeper into what constructing a ‘whole-department PQC migration plan’ entails. Should there be universally applicable principles arising from this endeavor, we will disseminate them widely.
3. Assisting all organizations in obtaining quality advice.
Numerous specialized companies currently provide services associated with post-quantum cryptography, and we aim to ensure that exceptional consultancy services are widely available across various areas — from expertise in post-quantum cryptography to discovery activities and migration planning, down to large-scale system integration.
In the long term, we intend to create a system to accredit suitable consultants and firms through our existing programs. In the near term, we will explore efficient ways to connect organizations with the expertise they require on a national scale.
Future publications
We have plans to release several additional guidance documents in the coming months. These will feature a collection of FAQs addressing aspects of migration that may pose challenges. We will also elaborate on how the NCSC can assist the industry, including more information on how to assure consultancy roles. Further along, we will update our guidance on specific cryptographic technologies as their PQC implementations develop, and provide ongoing insights into the national migration as we gather experience from various sectors.
Jeremy B
Principal Technical Director for Crypt and High Threat Technologies, NCSC
Article has been taken from ncsc.gov.uk: https://www.ncsc.gov.uk/blog-post/post-quantum-cryptography-what-comes-next
