I enjoy signing up for several road races every year, testing my strength and training at various distances from the 5K to the marathon. Each distance has its own challenges and pleasures, although my sweet spot seems to be in the middle at the half-marathon. But every time, the process of signing up is for me fraught with a mix of anticipation, excitement, and, yes, a little bit of fear. Especially if it’s a new race I haven’t run before—I wonder how I will perform, what features of the course might prove challenging, who will be my competition—the thoughts and emotions swirl nonstop.
One thing that helps ease my mind is studying the course map, usually available online from the race organizers. (For my first marathon in 2011 I put a printout of the Toronto Waterfront course map on the wall by my desk so that I could review it any time I had a break from work.) Studying the map lets me learn the positions of aid stations, plan for elevation changes, hairpin turns and other potential problems, and allows me to build my mental race strategy.
In my last post I suggested that the race to post-quantum cryptography has already started with the announcement of NIST’s approved PQC algorithms. Although technically it might be a bit late to study the course map let’s do so anyway, because this is a different kind of race with multiple entry points, a variable distance and some unique obstacles.
In the half-marathon, we have a saying: “Run the first 7K with your head, the middle 7K with your legs, and the last 7K with your heart.” There’s a lot of truth to that. You need to start smart, not burning all your energy too soon, but thinking of what lies ahead and planning where you will need extra effort to overcome challenges. By the middle of the race you should feel like you’re on autopilot, running at a controlled pace with the muscles warmed up and working hard. And at the end, when the pain sets in, you need your heart to remind you that you have inner resources at your disposal to overcome the discomfort and finish strong. It’s good to keep a mental image of the course map so that you know what to expect in each phase of the race.
What does the PQC course map look like?
Let’s begin with the course distance. As I said, it’s variable, and in our case, measured in time. I think that quantum advantage and the availability of a cryptographically relevant quantum computer (CRQC) will happen roughly at the same time—and although it could be by the end of the current decade, I might give it a couple more years. In this I may be a bit aggressive; the Global Risk Institute puts the odds at 50% in roughly 15 years. But I agree with GRI when they note that “rapid strides in quantum error correction theory and implementation might hasten the development of a CRQC.” So let’s assume a decade at the most—and don’t forget the more imminent threat of “harvest now, decrypt later” where hostile actors may already have captured your data (or will in the near future) in the hope that they will be able to make use of it with a future CRQC. If your data has a long enough lifespan, you may already have a problem. There’s no time to lose getting to that start line!
I would divide the course map into three parts, just like I described above for a road race.
Run with your head
Start by doing a risk assessment of your entire infrastructure. The complexity will vary depending on the size of the organization. As an individual consumer or a small business relying on off-the-shelf software and cloud, you may not have much to do for yourself—but you will have to work with your software suppliers and service providers to ensure that you will be comfortable with their path to PQC. Make sure you have a feasible migration plan with all your vendors, including integration testing with plenty of contingency time built in.
Plugins are already being made available for popular browsers like Chrome and Firefox to enable PQC. All your other software will have to follow suit. Microsoft has begun the assessment of all its on-premise and cloud software, although a detailed timeline is not yet available. IBM, Microsoft and the University of Waterloo, along with SandboxAQ and other quantum computing companies, launched the PQC Coalition in September of 2023 to accelerate and standardize the adoption of PQC across the software industry. I expect most software vendors will go along with this coalition, and customers should stay up to date on their progress.
Larger organizations with custom code will need more time. Cryptographic routines may well be embedded in a lot of your applications and potentially in the firmware running your network devices like HSMs (Hardware Security Modules). IoT (Internet of Things) devices and sensors may well be another source of vulnerabilities. Getting an inventory of all these instances of cryptographic code will take time and effort. If you don’t have the skills in-house, many systems integrators have quantum risk assessment service offerings to help you in this task. The result should be a cryptographic bill of materials (CBOM) that itemizes all your code and gives you an idea of the risks associated with each instance.
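To make the inventory step concrete, here is a toy scanner of the kind a CBOM tool automates. It is an added example, not code from this post or from any of the vendors mentioned below, and it is not a standard CBOM schema: the regex list, the risk table, the remediation advice and the three sample source files are all my own constructions. It walks each line of source text, records every cryptographic primitive it recognizes, and tags the finding as quantum-vulnerable (public-key schemes that Shor’s algorithm breaks), weakened (symmetric parameters that Grover’s algorithm erodes), acceptable, or already deprecated for classical reasons.

```python
"""Toy cryptographic inventory: scan source text for algorithm usage and
emit one CBOM-style record per finding, tagged with its quantum risk.
Added example (not a vendor's scanner, not a standard CBOM schema): the
patterns, the risk table and the sample sources are assumptions."""
import json
import re
from dataclasses import dataclass, asdict
from typing import Dict, List, Tuple


@dataclass
class CbomEntry:
    file: str
    line: int
    primitive: str
    evidence: str    # the source line that triggered the finding
    category: str    # vulnerable | weakened | acceptable | deprecated
    advice: str


# Assumed risk table. Shor's algorithm breaks the public-key schemes
# outright; Grover's only halves the effective strength of symmetric keys
# and hashes, so those survive with larger parameters.
RISK: Dict[str, Tuple[str, str]] = {
    "RSA":     ("vulnerable", "replace with ML-KEM (FIPS 203) / ML-DSA (FIPS 204)"),
    "ECDSA":   ("vulnerable", "replace with ML-DSA (FIPS 204)"),
    "ECDH":    ("vulnerable", "replace with ML-KEM (FIPS 203)"),
    "AES-128": ("weakened",   "move to AES-256 for long-lived data"),
    "AES-256": ("acceptable", "no change needed"),
    "SHA-256": ("acceptable", "no change needed"),
    "SHA-1":   ("deprecated", "broken classically; replace regardless of PQC"),
    "MD5":     ("deprecated", "broken classically; replace regardless of PQC"),
}

# Regexes for the common ways these primitives show up in library calls,
# cipher-suite strings and comments (case-insensitive).
PATTERNS = [
    ("RSA",     re.compile(r"\bRSA(?:[-_]?\d{4})?", re.I)),
    ("ECDSA",   re.compile(r"\bECDSA\b|\bsecp\d{3}[rk]1\b", re.I)),
    ("ECDH",    re.compile(r"\bECDHE?\b", re.I)),
    ("AES-128", re.compile(r"\bAES[-_]?128\b", re.I)),
    ("AES-256", re.compile(r"\bAES[-_]?256\b", re.I)),
    ("SHA-256", re.compile(r"\bSHA[-_]?256\b", re.I)),
    ("SHA-1",   re.compile(r"\bSHA[-_]?1\b", re.I)),
    ("MD5",     re.compile(r"\bMD5\b", re.I)),
]


def scan_source(path: str, text: str) -> List[CbomEntry]:
    """Return one entry per (line, primitive) pair found in a source file."""
    entries: List[CbomEntry] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for primitive, pattern in PATTERNS:
            if pattern.search(line):
                category, advice = RISK[primitive]
                entries.append(CbomEntry(path, lineno, primitive, line.strip(), category, advice))
    return entries


def build_cbom(sources: Dict[str, str]) -> dict:
    """Scan every file and return the CBOM plus a per-category count."""
    entries = [e for path, text in sources.items() for e in scan_source(path, text)]
    summary: Dict[str, int] = {}
    for e in entries:
        summary[e.category] = summary.get(e.category, 0) + 1
    return {"entries": [asdict(e) for e in entries], "summary": summary}


def vulnerable_files(cbom: dict) -> List[str]:
    """Files that contain at least one Shor-breakable primitive, for triage."""
    return sorted({e["file"] for e in cbom["entries"] if e["category"] == "vulnerable"})


# Constructed sample sources standing in for a real code base.
SAMPLE_SOURCES = {
    "auth/token_signer.py": (
        "from cryptography.hazmat.primitives.asymmetric import rsa\n"
        "key = rsa.generate_private_key(public_exponent=65537, key_size=2048)\n"
        "digest = hashes.SHA256()\n"
    ),
    "net/tls_config.c": (
        "/* legacy cipher list kept for an old partner integration */\n"
        'const char *ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256";\n'
        'const char *legacy_digest = "MD5";\n'
    ),
    "storage/vault.go": (
        "block, _ := aes.NewCipher(key256) // AES-256 data-at-rest\n"
    ),
}

if __name__ == "__main__":
    print(json.dumps(build_cbom(SAMPLE_SOURCES), indent=2))
```

On the constructed sources this reports nine findings, four of them quantum-vulnerable, and the two files that need PQC remediation first. A real scanner also has to follow indirect usage (TLS libraries, key stores, vendor firmware) that no regex over your own source will ever see, which is exactly why the post recommends treating the inventory as a project rather than a script.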
Software tools are coming to the market to make this first phase easier. In 2023, IBM announced a new software suite called the Quantum-Safe Explorer, Advisor and Remediator. Explorer automates your software scan and generates the CBOM for you, so you at least know what you have. With Advisor, you will be able to get a richer, more detailed view of your cryptographic code and a prioritization of the risk. Remediator, as the name suggests, is something you can deploy in the next phase of your race to automate the replacement of your vulnerable cryptography with quantum-resistant replacements.
The Canadian-headquartered firm InfoSec Global has a set of software tools called AgileSec Analytics and AgileSec SDK. The Analytics tool generates your CBOM, analyzes all instances of cryptographic artifacts like keys, certificates and more, and builds your risk profile. You can then use the SDK to begin remediation, and re-work your applications to be more crypto-agile to ease future updates.
Another part of your risk assessment is an evaluation of your corporate data. Painful as it sounds, assume that all or at least some of your data may already have been compromised in a harvest now, decrypt later attack. What is the useful (or vulnerable) lifespan of your data? For data with a short lifespan, you may not have to worry too much. But sensitive data with a useful lifespan of five to ten years could be a serious problem. What should be your risk mitigation strategy? How should you communicate with your past, present and future clients? What is the worst-case scenario? And of course, begin the process of securing your data now with PQC.
Run with your legs
Once you know where you stand with your code and your data, you can begin the remediation process. This will take a lot of work, but now that NIST’s PQC algorithms have been published, you will know what to do. You might find that some of your embedded cryptography is already not up to current standards, let alone PQC-ready. You may want to patch that first before embarking on a full PQC deployment, or just jump straight to PQC remediation.
As I mentioned, tools are available from IBM, InfoSec Global and other vendors that can automate some of the remediation process, much like what happened in the mid to late 1990s to help stave off the Y2K problem. But upgrading cryptographic algorithms is a more complicated task than adjusting the size of date fields, so leave lots of time in your project plan for manual reviews of the automated remediation.
If you have a lot of cryptography code embedded in your applications, now is probably a good time to start re-architecting your software for crypto-agility. This will involve extracting the cryptographic routines into separate code modules with an API (Application Programming Interface). Then all your cryptography can be managed in one place and be accessed in a standardized way from all your other applications.
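What that crypto-agile module looks like in practice is easier to show than to describe. The following is an added example, not code from this post or from any product named here: a single service that every application calls for integrity protection, where algorithms are registered by id, every token records which algorithm produced it, and rotation or retirement is a configuration change rather than an edit in each application. The two registered algorithms are HMAC-SHA256 and HMAC-SHA3-256, picked only because they are in the Python standard library; in a real migration the entries would be the classical scheme being retired and its PQC replacement.

```python
"""Crypto-agility layer (added example): one service owns the algorithm
choice; callers only say protect()/verify(). The algorithm ids, the
HMAC stand-ins and the demo key are constructed for illustration."""
import hashlib
import hmac
from typing import Callable, Dict, Optional

TagFn = Callable[[bytes, bytes], bytes]   # (key, message) -> tag


def hmac_sha256(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def hmac_sha3_256(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha3_256).digest()


class CryptoService:
    """Single choke point: applications never name an algorithm."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._impl: Dict[str, TagFn] = {}
        self._status: Dict[str, str] = {}      # current | legacy | retired
        self._current: Optional[str] = None

    def register(self, alg_id: str, impl: TagFn, status: str = "legacy") -> None:
        self._impl[alg_id] = impl
        self._status[alg_id] = status
        if status == "current":
            self._current = alg_id

    def protect(self, message: bytes) -> str:
        """Tag with the current algorithm; the token records which one was used."""
        if self._current is None:
            raise RuntimeError("no current algorithm configured")
        tag = self._impl[self._current](self._key, message)
        return f"{self._current}:{message.hex()}:{tag.hex()}"

    def verify(self, token: str) -> bytes:
        """Dispatch on the id in the token; refuse retired or unknown ids."""
        alg_id, msg_hex, tag_hex = token.split(":")
        if self._status.get(alg_id) in (None, "retired"):
            raise ValueError(f"algorithm {alg_id!r} not accepted")
        message = bytes.fromhex(msg_hex)
        expected = self._impl[alg_id](self._key, message)
        if not hmac.compare_digest(expected, bytes.fromhex(tag_hex)):
            raise ValueError("integrity check failed")
        return message

    def rotate(self, new_current: str) -> None:
        """Produce with new_current from now on; the old one becomes verify-only."""
        if new_current not in self._impl:
            raise KeyError(new_current)
        if self._current is not None:
            self._status[self._current] = "legacy"
        self._status[new_current] = "current"
        self._current = new_current

    def retire(self, alg_id: str) -> None:
        """Stop accepting tokens produced under alg_id."""
        if alg_id == self._current:
            raise ValueError("rotate away from the current algorithm before retiring it")
        self._status[alg_id] = "retired"


def verifies(service: CryptoService, token: str) -> bool:
    try:
        service.verify(token)
        return True
    except ValueError:
        return False


def demo() -> Dict[str, object]:
    """Walk one rotation: old algorithm -> transition -> retirement."""
    svc = CryptoService(b"constructed-demo-key")          # constructed, not a real key
    svc.register("hmac-sha256", hmac_sha256, status="current")
    svc.register("hmac-sha3-256", hmac_sha3_256)           # candidate, verify-only so far
    old_token = svc.protect(b"invoice-1042")
    svc.rotate("hmac-sha3-256")                            # one config change, no caller edits
    new_token = svc.protect(b"invoice-1042")
    tampered = new_token[:-2] + ("00" if new_token[-2:] != "00" else "11")
    during_transition = verifies(svc, old_token)           # legacy tokens still accepted
    svc.retire("hmac-sha256")
    return {
        "old_alg": old_token.split(":")[0],
        "new_alg": new_token.split(":")[0],
        "legacy_accepted_during_transition": during_transition,
        "legacy_accepted_after_retirement": verifies(svc, old_token),
        "tampered_accepted": verifies(svc, tampered),
    }
```

The point of the design is the transition window: after `rotate()` new tokens carry the new algorithm while tokens issued under the old one still verify, and only an explicit `retire()` closes that door. That is what lets you swap in a PQC scheme, and swap it again when the standards move, without touching the applications that call `protect()` and `verify()`.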
And don’t forget about securing your data. Decide what the ‘crown jewels’ are—what data might have catastrophic consequences if it were compromised by a quantum attack. The nice thing is, symmetric encryption via hash functions is already more robust than asymmetric encryption methods like RSA-2048, so you may only need to upgrade the hash functions to remain quantum-resistant for the moment. But you might want to assume that any data not already secured has been harvested and may therefore be at risk. You will need a risk mitigation and communication strategy with clearly defined protocols going forward that will ensure your resistance against any future attacks.
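The lifespan questions from the risk-assessment phase and the crown-jewels triage above come down to the same calculation, so here is one added example covering both (my own code, not from the post). It applies the inequality usually credited to Michele Mosca: if the years a dataset stays sensitive plus the years needed to migrate it exceed the years until a cryptographically relevant quantum computer exists, some of that data will be exposed. On top of that it flags the case the post warns about: data that has already crossed a network under classical cryptography and will still be sensitive when a CRQC arrives should be treated as already harvested, because encrypting it now does nothing for the copies an adversary may already hold. The CRQC horizon of ten years follows the post’s “a decade at the most”; the asset figures are constructed.

```python
"""Data-lifespan triage for 'harvest now, decrypt later' exposure.
Added example: applies Mosca's inequality (sensitive years + migration
years > years to CRQC => exposed) and flags already-transmitted data
that outlives the CRQC horizon as 'assume harvested'. Assets constructed."""
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class DataAsset:
    name: str
    sensitive_years: float   # how long a disclosure would still cause harm
    migration_years: float   # effort needed to move this asset onto PQC
    transmitted: bool        # has it crossed a network under classical crypto?
    pqc_protected: bool = False


# Lower number = handle first.
SEVERITY = {"assume harvested": 0, "at risk": 1, "on track": 2, "protected": 3}


def triage(asset: DataAsset, crqc_years: float) -> Dict[str, object]:
    """Classify one asset against an assumed CRQC horizon (years from now)."""
    if asset.pqc_protected:
        return {"name": asset.name, "verdict": "protected",
                "exposure_years": 0.0, "start_by": None}
    # Mosca: x + y - z > 0 means some of this data outlives the CRQC's arrival
    # even if migration starts today.
    exposure = asset.sensitive_years + asset.migration_years - crqc_years
    if exposure <= 0:
        # Migration can be scheduled; start_by is the latest year it may begin.
        return {"name": asset.name, "verdict": "on track",
                "exposure_years": 0.0, "start_by": -exposure}
    if asset.sensitive_years >= crqc_years and asset.transmitted:
        # Copies captured today would still matter when decrypted: encryption
        # alone cannot fix this, so plan for disclosure and client communication.
        return {"name": asset.name, "verdict": "assume harvested",
                "exposure_years": exposure, "start_by": 0.0}
    return {"name": asset.name, "verdict": "at risk",
            "exposure_years": exposure, "start_by": 0.0}


def prioritize(assets: Sequence[DataAsset], crqc_years: float) -> List[str]:
    """Asset names ordered by severity, then by size of the exposure window."""
    results = [triage(a, crqc_years) for a in assets]
    results.sort(key=lambda r: (SEVERITY[str(r["verdict"])], -float(r["exposure_years"])))
    return [str(r["name"]) for r in results]


# Constructed portfolio; the horizon follows the post's "a decade at the most".
CRQC_HORIZON_YEARS = 10.0
SAMPLE_ASSETS = [
    DataAsset("web analytics logs", sensitive_years=1, migration_years=1, transmitted=True),
    DataAsset("patient health records", sensitive_years=25, migration_years=3, transmitted=True),
    DataAsset("merger negotiation documents", sensitive_years=8, migration_years=4, transmitted=True),
    DataAsset("offline archive (never transmitted)", sensitive_years=15, migration_years=2, transmitted=False),
    DataAsset("PQC-encrypted backups", sensitive_years=30, migration_years=0, transmitted=True, pqc_protected=True),
]

if __name__ == "__main__":
    for a in SAMPLE_ASSETS:
        print(triage(a, CRQC_HORIZON_YEARS))
    print(prioritize(SAMPLE_ASSETS, CRQC_HORIZON_YEARS))
```

Run on the sample portfolio, the health records come out first and with the verdict the post asks you to face: they may already be compromised, so the response is a mitigation and communication plan, not just an encryption upgrade. The analytics logs can wait up to eight years before migration needs to start, which is the kind of scheduling input a project plan needs.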
Run with your heart
The more I think about it, the more I realize that this race toward PQC actually doesn’t have a finish line. Once you have completed the remediation work, you will of course need to do full systems and integration testing. When you have secured your communications and locked down your data with NIST’s approved PQC algorithms, you’ve essentially completed the first step. Bear in mind that there is not now, nor will there be for a few years, a cryptographically relevant quantum computer that can be used for a real-world test of current PQC solutions. In the coming years, algorithms will change and the quantum industry will mature quickly.
Quantum risk assessment should become an ongoing part of your CISO office’s day-to-day operations. Evaluate new threats as they arise, and with a crypto-agile architecture, be prepared to continually update your algorithms and infrastructure. I would expect many of the service providers and systems integrators who currently provide quantum risk assessments to find an opportunity here. Quantum risk management will very likely become a managed service offering in the portfolio of security services that are currently provided. I don’t know if anyone will be bold enough to insure or indemnify quantum risk, but at a minimum, a trusted partner can help you along this never-ending course.
To paraphrase the aphorism attributed to Thomas Jefferson, the price of quantum-safety is eternal vigilance.