NIST has picked Post-Quantum to join the National Cybersecurity Center of Excellence (NCCoE) Migration to Post-Quantum Cryptography (PQC) project. The project is focused on helping organisations migrate to a new world of cryptography. It will be essential as Quantum computing comes online and threatens many of the existing cryptography schemes people use.
Andersen Cheng, Executive Chairman, Post-Quantum, commented: “Our priority over the last few years has been on accelerating real-world implementations. For example, last year a new standard that we authored for a hybrid quantum-safe Virtual Private Networks (VPN) was ratified by the Internet Engineering Task Force (IETF).
“This new standard is now the glue that allows parties using different post-quantum key establishment algorithms to talk with one another, which is particularly important as we enter a situation where different nation states deploy a variety of different algorithms.
“We are looking forward to sharing implementation knowledge of our protocol and unique know-how in securing mobile end points with partners such as Palo Alto, Microsoft, and AWS, to accomplish an end-to-end secure quantum migration.”
What is the problem here?
There are several problems with how we encrypt data today. First, future quantum technologies are expected to break many cryptographic algorithms that are in use today. Second, many breaches are Harvest Now and Decrypt Later (HNDL). Nation-states and malicious actors hold on to stolen data sets until they break the encryption to access the data.
To counter this, NIST has conducted a series of tests to find new cryptographic algorithms that can withstand quantum computing attacks. The successful algorithms are beginning to emerge from those tests. However, they must still be proven in a wider environment and get organisations to migrate to them.
That migration process is complex. It cannot be assumed that an organisation can apply a new algorithm. First, a lot of coding and technology needs to change. Additionally, once the new algorithm is in place, it is just not feasible for organisations to go through historical data sets and backups and re-encrypt them. At best, some will decide based on what they see as the most sensitive data.
Why Post-Quantum?
Post-Quantum says that its selection by NIST will see it playing a role in:
- Ensuring smooth transition and deployment of VPN that will protect us from HNDL attacks
- Ensuring that backward compatibility is supported
- Testing different PQC algorithm configurations in hybrid arrangement, not only those standardised by NIST but also other PQC algorithms.
- Providing in particular unique implementation know-how in securing edge to mobile end-points.
Key to this is the Post-Quantum Quantum-Safe Platform. The platform consists of modules covering identity, transmission, and encryption. There are three modules in the current platform. They are:
- PQ Chat: It is a secure end-to-end messaging app that runs on desktops, laptops and mobile devices. With all the attention on the problems of messaging apps like WhatsApp, this alternative meets government and military requirements. It is only available to enterprise and government customers.
- Hybrid PQ VPN: Based on the IETF standards, PQ VPN protects all traffic from eavesdropping and removes the risk of data compromise. The company says that its crypto-agility ensures it can use any NIST post-quantum algorithms. It means it has longevity and can be used in hostile areas where critical secure communications are.
- Nomidio Identity: It is described as a quantum-safe multi-factor biometric identity system. Users register once with it and then use the Nomidio identity to connect to other systems. Of interest to IT security teams is that this is a self-sovereign identity solution. It means that identity is only revealed when the user provides consent.
Enterprise Times: What does this mean?
The security risks that quantum computing will pose have been discussed since IBM first showed it in 2016. Since then, the technology has continued to evolve and is getting near the point where commercial use is expected to start. Once that happens, development will accelerate, and the technology will become more widely used.
As with other technologies, it can be used for good or bad. Since the technology was developed, breaking cryptographic algorithms has been a focus. Despite this, we are still awaiting NIST’s final list of post-quantum algorithms.
Only once they have been widely tested will organisations start to implement them. This means a significant gap exists between the deployment of quantum-safe technology and the reality for many organisations.
It will be interesting to see how Post-Quantum changes this. Its solutions above will appeal to customers outside of organisations such as NATO, which it cites as a customer. The challenge will be getting them to adopt its technology. One area where it might well get traction is in the age-verification market with Nomidio. That market needs an ultra-secure solution, especially to protect minors.
Outside of that, its chat service will be interesting to organisations, although more information on end-to-end encryption would be helpful. For example, can the organisation provide access to all messages on demand from law enforcement?
