New Post-Quantum Cryptography Guidance Issued by the NCSC
By TOI Staff, November 23, 2023. Updated on: November 24, 2023
The National Cyber Security Centre (NCSC) for the UK has published guidance that aims to prepare for the post-quantum world. When quantum computing becomes a technological reality, fields like cryptography may be widely disrupted since encryption will become easier to crack. To prepare for this, organisations like the NCSC or the American National Institute of Standards and Technology (NIST) are exploring post-quantum cryptography (PQC). This comes after the NCSC warned about this quantum threat in 2020.
An NCSC whitepaper about mitigating the threat to cryptography from development in Quantum Computing: https://t.co/biErcOTzSW pic.twitter.com/smo8Pv1345
— NCSC UK (@NCSC) November 13, 2020
Why Cryptography Matters
There are simple, everyday examples that demonstrate the importance of cryptography. Most revolve around random outputs, which are used in password generation. This is facilitated through random number generators (RNGs) used by password managers but also security and entertainment software. Some industries sell digital randomness as a product, like iGaming for example, so dice rolls, card deck shuffles and bingo machines need to have unpredictable output. As a result, RNGs are also used to determine which balls are chosen in interactive bingo games at Paddy Power, especially games like Slingo Money Train which combine slots and bingo together. Fair play in iGaming, and other entertainment industries that rely on randomness, is key to customers trusting their games.
While RNGs have become unpredictable for human beings, other machines can be used to crack them. In the context of cybersecurity, this is how passwords get brute-forced – fast software randomly tries enough inputs to find the required output. With a quantum computer, the time needed to do this could be shortened drastically. This is why the NCSC and other governmental cybersecurity agencies across the world are readying themselves for quantum tools to become publicly available to consumers.
The NCSC & NIST Guidance
The main body of the NCSC’s guidance contains practical information for those deeply embedded in the cybersecurity and cryptography industries. This includes suggestions of which algorithms and protocols to build with, ones that have been future-proofed to provide extra security when Q-Day dawns on us.
Q-Day is the name given to the day quantum computers breach widely used public-key cryptography standards. If you need to learn more about public-key cryptography (PKC), take it from IBM, who are sitting on top of 20 quantum-enabled systems worldwide.
The NCSC’s published guidance has been carefully considered by several of the world’s leading cybersecurity watchdogs, such as the aforementioned NIST and the European Telecommunications Standards Institute (ETSI). In the summer of 2023, NIST drafted post-quantum encryption standards seven years in the making and openly called for comments and criticisms of them from the wider industry.
NIST's first three draft standards for post-quantum encryption are out! Our experts need your feedback to finalize them for publication next year. Share your comments by Nov. 22, 2023: https://t.co/bqZtuIiUYa pic.twitter.com/dwRQ6mxSSe
— National Institute of Standards and Technology (@NIST) August 24, 2023
Post-Quantum Migration
The NCSC publication warns that fundamental protocol changes will be necessary to transition from PKC to PQC. Devices and hardware will also need to be upgraded, since PQC requires a lot more number crunching than older security standards, and all of it needs to be sent between devices quickly enough for data to be encrypted in a timely manner.
John H., the named author of the NCSC publication, wrote, “additional challenges in these use cases include having to run cryptography on devices with constrained resources, and on legacy systems that are hard to upgrade.” This titbit is perhaps the biggest implication of PQC for the average tech user – a lot of hardware needs upgrading to survive PQC. The government cannot buy new devices for everyone, and tech (especially new hardware) can drain consumers’ wallets. In the meantime, we will continue to cover the latest news in hardware and gadgets at Time Of Info.