Agencies can slowly switch out their older encryption protocols over the coming years without leaving themselves exposed.
Despite industry claims that a quantum computer can now solve a problem beyond the power of classical computers – a state known as quantum supremacy – a security expert says agencies can slowly switch out their older encryption protocols over the coming years without leaving themselves exposed.
There's no near-term danger that modern tools will be able break current encryption methods, according to Matthew Scholl, chief of the Computer Science Division at the National Institute of Standards and Technology. NIST is currently working on a number of initiatives to develop more-modern cryptographic algorithms – ones that resist codebreaking efforts from quantum computers as well as new standards for smaller "lightweight" and internet-of-things devices.
"I want to assure people that the step from Google's announcement of quantum supremacy to having a quantum machine that is cryptographically relevant -- meaning something that will actually be able to break our current public-key infrastructure -- is really a significantly wide gap," Scholl told members at a recent Information Security Privacy Advisory Board meeting.
"We still feel quite confidently -- not just NIST but the global community that we're working with -- that the timeline that we're on for developing and deploying quantum-resistant encryption standards is still relevant," he said. "So we're still looking at 2022 to 2024 for having those standards complete."
The agency has already gone through two rounds of evaluating submissions for replacement post-quantum algorithms and met in August to examine not just the cryptographic strength of those proposals but also their performance and how disruptive they might be if they were used as replacements for certain systems and devices.
Scholl said NIST is working with the National Cybersecurity Center of Excellence and industry partners to develop a guidance document to assist organizations as they work through the cost and technical difficulties associated with transitioning from older forms of encryption to the newer post-quantum algorithms. However, he reiterated that those standards are still being evaluated and developed, and agencies shouldn't move too quickly to replace their encryption before the new standards are fully vetted.
"Folks are asking us, 'I need to buy something quantum safe now, what should I buy now?' and what we're telling them is 'Nothing," Scholl said. "Buy nothing now but know where the items are that you need to have in place, know what those items are protecting and then start to prioritize when buying is appropriate."
This article was first posted to FCW, a sibling site to GCN.