Welcome to the 12th edition. Inspired by my conference trip last week, we have a strong post-quantum focus today. Let’s dive into the content…
Updates from NIST
NIST gave several talks at the PKIC PQC conference last week in Amsterdam. As usual, they were open and honest.
Here are some of my takeaways:
2035 was seen as an “ambitious” goal. The US government will not be fully migrated by then, but hopefully, the critical systems will be.
Standards are still aiming for the first half of 2024. A draft Falcon standard is due in approx. 9 months.
NIST has no plans to find a replacement for Diffie–Hellman key exchange. The current work to standardise KEMs is seen as sufficient.
There are no doubts about the security of Classic McEliece. The fact that it wasn't selected for immediate standardisation is due to its practicality, and not its security.
“Don't wait. Start getting ready.” This was the overriding message from Dustin Moody's talk. He believes the forthcoming migration will be the hardest task the crypto community has ever done.
Kudos to NIST for continuing to engage with the public, and being up-front about the challenges we all face.
Post Quantum Democracy
Global governments don't agree on the right approach for post-quantum cryptography.
Viewpoints from the UK, France and Germany differ on some important points, compared to the US. And this will have an impact on cyber vendors trying to position global products.
Here’s a snapshot, informed by talks I heard last week in Amsterdam.
United Kingdom 🇬🇧
Unlike the US, recent advice from the NCSC could be characterised as “Keep calm, carry on.” Their stance is the most relaxed out of the major powers, and they view migration as a natural part of technology refreshes.
The UK is alone in disliking hybrid modes and advises that they be used sparingly, as an interim solution only. However, the UK is fully aligned with the NIST algorithm selections.
France 🇫🇷
Across the channel, ANSSI is thinking differently. They believe PQC migration should begin as soon as possible.
Unlike the UK and US, France recommends FrodoKEM as an algorithm option. It will be the job of ISO, rather than NIST, to standardise it. Fortunately, France also welcomes the NIST standardised algorithms.
Hybrid modes will be mandatory in France until 2030. This is a sharp departure from the US and the UK.
QKD is not viewed favourably. At the PKIC PQC conference last week, the ANSSI representative was very disparaging, calling it “science fiction”.
Germany 🇩🇪
The Germans are mostly aligned with the French, but not in every aspect.
The BSI recommends the use of hybrid modes, but doesn't go as far as setting a 2030 date, like the French.
FrodoKEM is also a preferred algorithm, alongside NIST choices. But the BSI also lists Classic McEliece as an option, as it trusts the security of the algorithm. Both algorithms are viewed as acceptable to use today, in a hybrid mode.
This range of opinions held by different governments is going to make life tough for implementers, especially those in the embedded/hardware field, who have to decide which algorithms and accelerators to implement.
Poodling Along
Why are cyber folks nervous about the PQC migration? It's because we know how long these things can take.
I heard a good example recently from the payments industry.
In 2014, SSL v3 was found to be vulnerable to the POODLE attack. This attack allows an attacker on the network path to recover plaintext from communications sent over a supposedly secure connection.
A few months later, in June 2015, SSL v3 was deprecated. The official advice was to move to TLS 1.2.
Soon after, the payments industry was issued guidance to migrate away from SSL v3 by 2016. This target was two years from the attack, and one year from the official deprecation.
The industry fought back. “This is not possible” was the feedback, and the overseeing body was forced to push the date back to 2018.
To give context, this change was relatively minimal compared to what is required for post-quantum. And yet, the payments industry needed 4 years to make the change.
This is the challenge we face. And the challenge regulators may face if they ask industries to change faster than they actually can.