Outdated Ciphers: The Ticking Time Bomb of 2024
- Alexey
- Jun 3, 2024
- 4 min read
Are you prepared to roll out new cryptographic standards in the coming years? Discover why updating to Post-Quantum Cryptography standards is crucial for compliance and security.

Whether or not you believe the quantum threat is imminent or applies to your organization, the change in cryptographic standards is coming, and fast. In 2024 NIST is expected to publish the first Post-Quantum Cryptography (PQC) standards, and deprecation timelines for today's quantum-vulnerable public-key algorithms (RSA, Diffie-Hellman and the elliptic-curve schemes) will follow. Once a cipher is deprecated, using it means failed audits and non-compliance with regulations. That is what will force organizations to update their cryptographic protocols, whatever they think of the quantum threat itself: an emerging technology risk turns into an intolerable compliance risk.
Konstantinos Karagiannis discussed this perspective on the quantum risk in detail in his Q2B talk (YouTube) in December 2023. A transcript of the talk, lightly edited by a few AI models for clarity, is shared below.
"How NIST Will Kick off the Cryptographic Apocalypse in 2024": that's a pretty exciting title, right? The Apocalypse. There's going to be all sorts of apocalyptic destruction described here, but seriously, this is what a lot of people got into quantum computing for in the first place, right? Let's face it: this industry wouldn't even exist without Peter Shor's algorithm. It threw a whole bunch of fear and money into the industry and kept it moving ahead. And sure, eventually, we started getting to awesome use cases. But it's that thing that's always been in the back of our minds, the thing we've been worrying about.
So, the apocalypse. This is something we've been worrying about from the beginning. We used to talk about qubit numbers. Everyone thought once you reach a certain number of qubits, the apocalypse is here. But today, we're going to talk about how that's not entirely true.
There are a lot of variables that could change the timeline. One of the variables is quantum computer interconnectivity, making quantum computers work together as one. Instead of needing 4,000 logical qubits in one machine, you might just need four 1,000-qubit machines connected together. That may be years away, but if you're in information security, when does the actual work for the apocalypse begin for you? Thanks to NIST, it's just a few months away. So, 2024 is really the beginning of the end. This is where everything will change, and you have no choice but to become part of it.
So it all started with the NSM-10 memorandum that the White House put out in May 2022. It's a document combining future thinking, current actions, and a bit of American pride. It's a great document to read because, for the first time, it telegraphs what's going to happen across the industry, not just federal agencies. This is not just about federal actions; it's about how federal actions will roll over into the private sector and affect everyone. In May 2022, section three started talking about NIST finalists being on the horizon, saying by 2024, we would have them, and all signs point to yes.
In July 2022, NIST identified four candidate algorithms for standardization, and three out of the four got draft standards by July this year: CRYSTALS-Kyber, and three others related to digital signatures, not data transmission. My prediction is that we'll have the finalists by July. There are still others under consideration, like McEliece, HQC, and SIKE.
One implementation of SIKE was attacked via a side-channel attack. But CRYSTALS-Kyber, currently one of the final standards, generated a lot of buzz recently when news emerged that it was hacked. The implementation of CRYSTALS-Kyber that was attacked was a proof-of-concept bit of C code, showing how a new algorithm could be implemented to ensure it's post-quantum safe. It was not a production-ready piece of software. So, there's nothing to worry about. CRYSTALS-Kyber is still valid and on track to be a final standard.
Another action from NSM-10 is the annual crypto inventories. The first to take the reins on this was OPM, likely motivated by a significant attack a few years ago. They published guidelines on post-quantum cryptographic assessments, which is really useful. This OPM chart isn't groundbreaking but serves as an example of what they put out to show what to look for. During inventories, you'll find that most systems are vulnerable to quantum attacks. In January 2024, NSM-10 called for National Security Systems to start adding extra cryptography protections. You can't buy any post-quantum solutions before the finalists in 2024. Federal agencies can test them but not roll them out to production. They want everything finalized first.
So, what does this mean for the rest of the world and the coming apocalypse? In 2024, new standards will be issued, and timelines for the deprecation of ciphers will be set. Within one year, by 2025, you need a plan for migration, not just an inventory. Federal agencies need to plan to migrate to post-quantum cryptography, and private sector regulators will likely follow suit. By 2035, all migration needs to be done. While there are wildcard technologies like interconnect that could accelerate the timeline, with 4,000 error-corrected qubits, the migration date will be set in stone by NIST.
Once a cipher is deprecated, it's everyone's problem. Failing audits and compliance issues will surface. Deprecation means setting timelines for remediation. So, this is something everyone has to start dealing with in 2024, due to timelines for deprecation.
In summary, the end begins in 2024, and preparation should start now. Ironically, it's now easier to sell cloud services because people used to be afraid of the cloud. For example, AWS uses hybrid post-quantum techniques to wrap traditional cryptography with post-quantum methods. However, it is crucial to start planning your migration now. There are four major steps involved:
1. Understanding your data.
2. Understanding your cryptography, including how it flows and which ciphers are in use.
3. Knowing what third parties you are working with because they might not have post-quantum cryptography solutions.
4. Abstracting out cryptography from your code and adopting a modular approach.
Ultimately, it's about becoming crypto-agile and ready to implement post-quantum cryptography.
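The inventory step above (step 2, "which ciphers are in use", and the OPM-style "what to look for" chart mentioned earlier) is where most organizations will start, so here is an added example of what that classification looks like in code. It is not from the talk or from OPM; it is a standalone Python script that takes a constructed TLS scanner export (hypothetical hosts and a column layout invented for this example) and sorts each endpoint into the buckets an auditor will ask about once deprecation timelines exist. The severity names, the assumption that hybrid/post-quantum key-exchange groups carry "Kyber" or "MLKEM" in their name, and the "ML-DSA" certificate label are all assumptions of the example, not anything the page specifies. The one design point worth noticing is the split between the two quantum-vulnerable classes: a recorded classical key exchange can be decrypted retroactively (harvest now, decrypt later), whereas a classical signature can only be forged once a cryptographically relevant quantum computer exists, so the key-exchange findings are the urgent ones.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed scanner export for this example (hypothetical hosts, invented layout):
# host, negotiated protocol, IANA cipher suite name, key-exchange group, certificate key.
SCAN_EXPORT = """\
legacy.example.com   TLSv1.0  TLS_RSA_WITH_3DES_EDE_CBC_SHA          group=-               cert=RSA:2048
api.example.com      TLSv1.2  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256  group=secp256r1       cert=RSA:2048
vpn.example.com      TLSv1.3  TLS_AES_256_GCM_SHA384                 group=X25519          cert=ECDSA:P-256
edge.example.com     TLSv1.3  TLS_AES_256_GCM_SHA384                 group=X25519Kyber768  cert=ECDSA:P-256
pilot.example.com    TLSv1.3  TLS_AES_128_GCM_SHA256                 group=X25519MLKEM768  cert=ML-DSA:65
target.example.com   TLSv1.3  TLS_AES_256_GCM_SHA384                 group=X25519MLKEM768  cert=ML-DSA:65
"""

# Ordered worst-first. Key-exchange exposure outranks signature exposure because a
# recorded key exchange is breakable later; a signature only once a CRQC exists.
SEVERITY = ["DEPRECATED_NOW", "QUANTUM_VULNERABLE_CONFIDENTIALITY",
            "QUANTUM_VULNERABLE_AUTH", "QUANTUM_WEAKENED", "OK"]

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
DEPRECATED_CIPHERS = ("RC4", "3DES", "DES", "NULL", "EXPORT")
DEPRECATED_HASHES = {"MD5", "SHA"}                   # bare "SHA" in a suite name is SHA-1
CLASSICAL_SIG = {"RSA", "ECDSA", "DSA", "EDDSA", "ED25519", "ED448"}   # all Shor-breakable
PQ_GROUP_MARKERS = ("KYBER", "MLKEM", "ML-KEM")      # assumed naming of hybrid/PQ groups


@dataclass
class Finding:
    host: str
    severity: str
    reason: str


def parse_suite(suite: str) -> Tuple[str, str, str, str]:
    """Split an IANA suite name into (kex, auth, cipher, hash).
    TLS 1.2 style: TLS_<KEX>_<AUTH>_WITH_<CIPHER>_<HASH>; TLS_RSA_WITH_... means kex=auth=RSA.
    TLS 1.3 style: TLS_<CIPHER>_<HASH>; kex/auth are negotiated separately, returned as ''."""
    body = suite[len("TLS_"):]
    if "_WITH_" in body:
        left, right = body.split("_WITH_", 1)
        parts = left.split("_")
        kex, auth = (parts[0], parts[-1]) if len(parts) > 1 else (parts[0], parts[0])
    else:
        kex, auth, right = "", "", body
    cipher, hsh = right.rsplit("_", 1)
    return kex, auth, cipher, hsh


def symmetric_bits(cipher: str) -> int:
    """Nominal key length of the bulk cipher; Grover's algorithm roughly halves it."""
    m = re.search(r"_(\d{3})_", cipher + "_")        # AES_128_GCM -> 128
    if m:
        return int(m.group(1))
    if cipher.startswith("CHACHA20"):
        return 256
    if cipher.startswith("3DES"):
        return 112                                   # effective strength of 3-key 3DES
    return 0                                         # unknown or export-grade: treat as weak


def classify(host: str, version: str, suite: str, group: str, cert: str) -> List[Finding]:
    kex, _auth, cipher, hsh = parse_suite(suite)
    sig_alg = cert.split(":", 1)[0].upper()
    legacy_cipher = any(cipher.startswith(c) for c in DEPRECATED_CIPHERS)
    f: List[Finding] = []
    # 1. Fails audits under current guidance, quantum or not.
    if version in DEPRECATED_PROTOCOLS:
        f.append(Finding(host, "DEPRECATED_NOW", f"protocol {version}"))
    if legacy_cipher:
        f.append(Finding(host, "DEPRECATED_NOW", f"cipher {cipher}"))
    if hsh in DEPRECATED_HASHES:
        f.append(Finding(host, "DEPRECATED_NOW", f"hash {hsh}"))
    if kex == "RSA":
        f.append(Finding(host, "DEPRECATED_NOW", "static RSA key exchange, no forward secrecy"))
    # 2. Any classical RSA/(EC)DH key exchange is retroactively breakable by Shor.
    if not any(m in group.upper() for m in PQ_GROUP_MARKERS):
        where = f" over {group}" if group != "-" else ""
        f.append(Finding(host, "QUANTUM_VULNERABLE_CONFIDENTIALITY",
                         f"key exchange {kex or 'ECDHE'}{where}"))
    # 3. Classical signatures: forgeable only once a CRQC exists, so lower urgency.
    if sig_alg in CLASSICAL_SIG:
        f.append(Finding(host, "QUANTUM_VULNERABLE_AUTH", f"certificate {cert}"))
    # 4. Symmetric strength after Grover: a 128-bit key becomes roughly 64-bit work.
    bits = symmetric_bits(cipher)
    if not legacy_cipher and bits < 256:
        f.append(Finding(host, "QUANTUM_WEAKENED", f"{cipher}: ~{bits // 2}-bit under Grover"))
    if not f:
        f.append(Finding(host, "OK", "PQ key exchange, PQ signature, 256-bit bulk cipher"))
    return sorted(f, key=lambda x: SEVERITY.index(x.severity))


def inventory(export: str) -> Dict[str, List[Finding]]:
    result: Dict[str, List[Finding]] = {}
    for line in export.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, version, suite, group, cert = line.split()
        result[host] = classify(host, version, suite,
                                group.split("=", 1)[1], cert.split("=", 1)[1])
    return result


def worst(findings: List[Finding]) -> str:
    return findings[0].severity                      # classify() sorts worst-first


def summary(inv: Dict[str, List[Finding]]) -> Dict[str, int]:
    counts = {s: 0 for s in SEVERITY}
    for findings in inv.values():
        counts[worst(findings)] += 1
    return counts


if __name__ == "__main__":
    inv = inventory(SCAN_EXPORT)
    for host, findings in inv.items():
        print(f"{host:22s} {worst(findings)}")
        for x in findings:
            print(f"    - [{x.severity}] {x.reason}")
    print(summary(inv))
```

Run as-is it prints one block per host plus a count per bucket. In a real inventory the export would come from your own scanner or CMDB, and the interesting output is the list of endpoints in the QUANTUM_VULNERABLE_CONFIDENTIALITY bucket that carry long-lived data, since those are the ones a recorded-traffic attacker benefits from today; that list, not the raw scan, is what the 2025 migration plan has to be built around.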