The US National Institute of Standards and Technology (NIST) has announced that it developing a new post-quantum cryptographic standard to replace current public-key cryptography, which is vulnerable to quantum-based attack. Despite the 2024 timescale, NIST says that organizations should start preparing for the transition now by following the Post-Quantum Cryptography Roadmap, which includes:
- Inventorying your organization’s systems for applications that use public-key cryptography.
- Testing the new post-quantum cryptographic standard in a lab environment; however, organizations should wait until the official release to implement the new standard in a production environment.
- Creating a plan for transitioning your organization’s systems to the new cryptographic standard that includes:
- Performing an interdependence analysis, which should reveal issues that may impact the order of systems transition;
- Decommissioning old technology that will become unsupported upon publication of the new standard; and
- Ensuring validation and testing of products that incorporate the new standard.
- Creating acquisition policies regarding post-quantum cryptography. This process should include:
- Setting new service levels for the transition.
- Surveying vendors to determine possible integration into your organization’s roadmap and to identify needed foundational technologies.
- Alerting your organization’s IT departments and vendors about the upcoming transition.
- Educating your organization’s workforce about the upcoming transition and providing any applicable training.
What’s the difference between post-quantum cryptography and quantum-resistant cryptography?
NIST says that the term post-quantum cryptography is often referred to as quantum-resistant cryptography and includes, ‘cryptographic algorithms or methods that are assessed not to be specifically vulnerable to attack by either a CRQC [cryptanalytically relevant quantum computer] or classical computer’.