Skip to main content

Q: What is Post-Quantum Cryptography (PQC) readiness?

A: Public Key Cryptography (Asymmetric) is the way computers create an initial trust to pass secrets. Almost all systems today use Asymmetric encryption based on algorithms, using a combination of large prime numbers to create public and private keys. This method is easy to compute but hard to reverse engineer.

In 1994, mathematician Peter Shor created his famous algorithm. The Shor algorithm introduced a method of efficient factorization which made it possible to reverse engineer commonly used encryption algorithms, such as RSA, ECC, etc. Since then, efforts to reverse encryption algorithms have improved exponentially. Qubits in a quantum computer are well suited to calculate Shor’s algorithm and the speed improves based on the number of qubits available. It is estimated that a quantum computer with the number of qubits needed to break the RSA algorithm will be available by 2030.

What makes matters more complicated is that adversaries are already capturing and storing network traffic for decrypting later when the compute power is available – Store-Now, Decrypt Later (SNDL). This is why it is crucial that agencies identify their weak encryption methods and begin to formulate a plan to replace them.

PQC readiness is the measure of an organization’s ability to transition to quantum-resistant cryptography in a timely and secure manner. This includes having a plan for migrating to PQC, as well as having the necessary resources and expertise in place to do so.

 

Q: Why do organizations need to be ready for post-quantum cryptography?

PQC readiness is Public Law No: 117-260 (12/21/2022). The Quantum Computing Cybersecurity Preparedness Act requires federal agencies to prepare for the post-quantum era by evaluating and transitioning to quantum-resistant cryptography and National Security Memorandum 10 directs specific actions for agencies to take to begin to migrate vulnerable computer systems to quantum resistant information systems. The law sets a deadline of December 31, 2025, for agencies to complete this transition. As of May 2023, agencies must demonstrate an effort to adhere to the requirements of the Quantum Computing Cybersecurity Preparedness Act. This means each agency is responsible for discovering, documenting, and maintaining a current inventory of devices and applications “that are vulnerable to decryption by quantum computers.”

The head of each agency must report annually on the state of readiness in terms of capabilities to continuously monitor and document cryptographic methods as well as their plan to upgrade any vulnerable methods, when discovered.  It is up to each agency to determine the priority of the vulnerabilities and upgrades.

By the end of this year and for the next five years, agencies are mandated to update the Directors of CISA, OMB, and National Security on the state of their readiness.

 

Q: Why is Law 117-260 so important?

A: First, the law helps prepare federal agencies for the quantum threat. As quantum computers become more powerful, they will be able to break many of the encryption algorithms currently used to protect sensitive data. By transitioning to quantum-resistant cryptography, agencies can protect their data from attacks.

Second, the law ensures federal agencies are compliant with regulations. Many government regulations require agencies to use strong cryptography to protect sensitive data. By transitioning to quantum-resistant cryptography, agencies ensure they are compliant.

Third, the law helps to increase confidence in the security of critical infrastructure. Numerous infrastructure systems rely on cryptography to protect sensitive data. By transitioning to quantum-resistant cryptography, agencies increase confidence in the security of their systems.

 

Q: How can agencies achieve PQC readiness?

A: Organizations that are serious about protecting their data and systems must start planning for post-quantum cryptography now. However, there are challenges organizations face in achieving PQC readiness. These include:

  • The need to evaluate and select PQC algorithms.
  • The need to modify existing cryptographic systems to use PQC algorithms.
  • The need to test and deploy PQC systems.
  • The need to educate and train staff on PQC.

To overcome these challenges, there are resources available, including the NIST website and the Post-Quantum Cybersecurity Resource Center. In addition, here are some specific steps that organizations can take to achieve post-quantum cryptography readiness:

  • Conduct a risk assessment to identify the systems and data most vulnerable to quantum attacks.
  • Evaluate and select PQC algorithms that are appropriate for their needs.
  • Modify existing cryptographic systems to use PQC and Hybrid algorithms.
  • Test and deploy PQC and Hybrid systems.
  • Educate and train staff on PQC.

 

Q: How can TYCHON help?

A: TYCHON’s Post-Quantum Cryptographic Management Module is commercially available and specifically designed to assist federal organizations in meeting mandated reporting requirements prescribed in Public Law No: 117-260 and NSM-10. TYCHON users can easily generate a comprehensive inventory of cryptographic systems and a prioritized inventory of vulnerable information systems as required by the Quantum Computing Cybersecurity Preparedness Act. In addition, TYCHON provides the ability to address issues immediately within your network, such as disabling weak ciphers. In this way, TYCHON delivers an all-in-one solution that enables an organization to discover and maintain situational awareness of cryptographic systems and applications, continuously monitor endpoints for cryptographic reporting and prioritizing, and remediate discovered issues.