There have been several interesting developments in the move to post-quantum, or quantum-resilient cryptography, over the past few days. The US National Institute of Standards and Technology (NIST) has formalized its first three post-quantum algorithms as Federal Information Processing Standards (FIPS). Here’s an overview press release outlining the process and background and providing links to the individual standards, as well as information about ongoing work in this area.
The US Office of Management and Budget (OMB) has issued a legislatively-mandated report to Congress which is well worth reading. While dated July 2024, I am not clear exactly when it went public, but I suspect it may have only been in the last week or so. This is worth reading. See
https://www.whitehouse.gov/wp-content/uploads/2024/07/REF_PQC-Report_FINAL_Send.pdf
This short report has three parts. The first outlines the strategy to migrate US Government systems to post-quantum cryptography. The second provides cost estimates. The third summarizes standards efforts being led by NIST in this area. The report estimates the 10-year cost of this migration to be in excess of $7billion (current dollars) — and this excludes the costs of migrating “national security systems” (eg the intelligence community and the Department of Defense, for example)! This should provide some sense of the scale of the parallel challenge faced by the sectors beyond the federal government in managing such a transition,
Another important development — which also represents a fascinating bridge between leading edge information security and issues around long term cultural stewardship and archiving — is the growing emphasis, in the OMB report and other discussions about the urgency and strategy development for post-quantum cryptography by sectors beyond the federal government — of responding to what are being described as “harvest now, decrypt later” strategies, where encrypted content is captured and stored today under the assumption that it will be relatively cheap and quick to decrypt at some point in the future using quantum computing technologies. This has been going on for some time (I can recall mentioning this at one of my December CNI keynotes around 2017, when it was much less widely known, and triggering some discussion among our meeting attendees).
My understanding is that OMB is shortly going to start requiring federal agencies to submit plans for how they will accomplish their moves to post-quantum cryptography (other than for national security systems); it will be interesting to see the timetables proposed for these efforts.
Clifford Lynch
Director, CNI