Quantum Computing and Post-Quantum Cryptography (NSA FAQ)

From JdW's Privacy Space

Quantum Computing and Post-Quantum Cryptography

General Information

Q: What is a quantum computer, and how is it different from the computers we use today?

A: Quantum computers can, in principle, perform certain mathematical algorithms exponentially faster than a classical computer. In place of ordinary bits used by today’s computers, quantum computers use “qubits” that behave and interact according to the laws of quantum mechanics. This quantum physics-based behavior would enable a sufficiently large-scale quantum computer to perform specific mathematical calculations that would be infeasible for any conventional computer.

Q: What is a “Cryptographically Relevant Quantum Computer” (CRQC)?

A: Small, laboratory-scale examples of quantum computers have been built. Some larger systems have also been proposed that can address some types of computation, but which may not be suitable for analyzing cryptographic algorithms. The term CRQC is used specifically to describe quantum computers that are capable of actually attacking real-world cryptographic systems that would be infeasible to attack with a normal computer.

Q: What is the threat if a CRQC were developed?

A: If realizable, a CRQC would be capable of undermining the widely deployed public key algorithms used for asymmetric key exchanges and digital signatures. National Security Systems (NSS) — systems that carry classified or otherwise sensitive military or intelligence information — use public key cryptography as a critical component to protect the confidentiality, integrity, and authenticity of national security information. Without effective mitigation, the impact of adversarial use of a quantum computer could be devastating to NSS and our nation, especially in cases where such information needs to be protected for many decades.

Q: Can I mitigate the quantum threat by using a pre-shared key?

A: Many commercial protocols allow a pre-shared key option that may mitigate the quantum threat, and some allow the combination of pre-shared and asymmetric keys in the same negotiation. However, this issue can be complex.
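To illustrate why combining a pre-shared key with an asymmetric key exchange helps, here is an added example that is not part of the NSA FAQ: an illustrative HKDF-based hybrid derivation (not any specific protocol's key schedule) in which the PSK, the asymmetric shared secret and the handshake transcript are assumed inputs, and the attacker is modelled as having recovered the asymmetric secret but not the PSK.

```python
import hmac
import hashlib
import os

HASH = hashlib.sha256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): iterate HMAC until `length` bytes are produced."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def len_prefixed(*parts: bytes) -> bytes:
    """Unambiguous concatenation: each part is preceded by its 2-byte length,
    so (psk, secret) pairs with different boundaries never collide."""
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def derive_session_key(psk: bytes, asym_secret: bytes, transcript: bytes) -> bytes:
    """Hybrid derivation (illustrative construction, not a real protocol's schedule).
    Both the pre-shared key and the asymmetric shared secret feed the KDF, so the
    session key remains unknown to anyone missing either input."""
    prk = hkdf_extract(b"\x00" * HASH().digest_size, len_prefixed(psk, asym_secret))
    return hkdf_expand(prk, b"psk+asym session key" + transcript, 32)


def simulate(psk: bytes) -> bool:
    """Constructed scenario: a CRQC recovers the asymmetric secret from the transcript.
    Returns True if the attacker ends up with the same session key as the peers."""
    transcript = b"client_hello|server_hello"  # constructed handshake messages
    asym_secret = os.urandom(32)               # stands in for an (EC)DH shared secret
    legit = derive_session_key(psk, asym_secret, transcript)
    # The attacker knows asym_secret (broken by the CRQC) but has no PSK.
    attacker = derive_session_key(b"", asym_secret, transcript)
    return hmac.compare_digest(legit, attacker)
```

With an empty PSK the derivation collapses to asymmetric-only and the simulated CRQC wins; with a real PSK the attacker's key no longer matches.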

Q: What is “quantum-resistant” or “post-quantum” cryptography?

A: Quantum-resistant, quantum-safe, and post-quantum cryptography are all terms used to describe cryptographic algorithms that run on standard encryption/decryption devices and are widely recognized by experts to be resistant to cryptanalytic attacks from both classical and quantum computers. Although cryptanalysis using classical computing has been a subject of intense interest for many decades, the art and science of cryptanalysis that involves a (potential) quantum computer is still relatively new. Algorithms believed to be safe against an adversary that might one day have a CRQC are referred to by some using the term “quantum-resistant” or “quantum-safe.” It is generally expected that any “quantum-resistant” or “quantum-safe” standard will be secure against all envisioned and understood quantum computing capabilities. “Post-quantum” is a neutral term often used to simply convey that these algorithms are designed with the quantum threat in mind. Note that post-quantum does not mean that these algorithms are only for use after a CRQC is built.

Q: Will quantum computers affect non-public key (i.e., symmetric) algorithms?

A: It is generally accepted by experts in this field that quantum computing techniques are much less effective in attacking symmetric algorithms than against widely used public key algorithms. While public key cryptography requires changes in the fundamental design, symmetric algorithms are believed to be secure, provided a sufficiently large key size is used. The symmetric key algorithms of the Commercial National Security Algorithm (CNSA) Suite were selected to be secure for NSS usage even if a CRQC is developed.

Q: Is NSA worried about the threat posed by a potential quantum computer because a CRQC exists?

A: NSA does not know when or even if a quantum computer of sufficient size and power to exploit public key cryptography (a CRQC) will exist.

Q: Why does NSA care about quantum computing today? Isn’t quantum computing a long way off?

A: The cryptographic systems that NSA produces, certifies, and supports often have very long lifecycles. NSA has to produce requirements today for systems that will be used for many decades in the future, and data protected by these systems will still require cryptographic protection for decades after these solutions are replaced. Growing research in the area of quantum computing, and global interest in its pursuit, have prompted NSA to ensure the enduring protection of NSS by encouraging the development of post-quantum cryptographic standards and planning for an eventual transition.

Q: What are the timeframes in NSS for deployment of new algorithms, use of equipment, and national security information intelligence value?

A: New cryptography can take 20 years or more to be fully deployed to all National Security Systems. NSS equipment is often used for decades after deployment. National security information intelligence value varies depending on classification, sensitivity, and subject, but it can require protection for many decades.

Q: What is quantum key distribution (QKD) and quantum cryptography?

A: The field of quantum cryptography involves specialized hardware that makes use of the physics of quantum mechanics (as opposed to the use of mathematics in algorithmic cryptography) to protect secrets. The most common example today uses quantum physics to distribute keys for use in a traditional symmetric algorithm, and is thus known as quantum key distribution. This technology exists today and is distinct from the quantum computing technology that might one day be used to attack mathematically based cryptographic algorithms. The sole function of QKD is to distribute keys between users and hence it is only one part of a cryptographic system.

Q: Are QKD systems unconditionally secure?

A: No. While there are security proofs for theoretical QKD protocols, there are no security proofs for actual QKD hardware/software implementations. There is no standard methodology to test QKD hardware, and there are no established interoperability, implementation, or certification standards to which these devices may be built. This causes the actual security of particular systems to be difficult to quantify, leading in some cases to vulnerabilities.

Q: Should I use a QKD system to protect my NSS from a quantum computer?

A: No. The technology involved is of significant scientific interest, but it only addresses some security threats and it requires significant engineering modifications to NSS communications systems.

Q: What is a quantum random number generator (quantum RNG)?

A: Quantum RNGs are hardware random number generators that use specific quantum effects to generate nondeterministic randomness. They are a commercial technology available today that is distinct from the use of quantum computing to attack cryptographic algorithms. There are a variety of non-quantum RNGs available that have been appropriately validated or certified as acceptable for use in NSS or other government applications. They will remain secure even if a CRQC is built. The decision on what RNG is appropriate to use in a specific scenario depends on many factors, and any RNG should be acceptable if properly certified/approved and implemented within the constraints of that approval.

Future Algorithms and Cryptography

Q: Where will the quantum-resistant public key algorithms used in CNSA come from?

A: NIST is in the process of standardizing quantum-resistant public key algorithms in their Post-Quantum Standardization Effort, which started in 2016. This multi-year effort is analyzing a large variety of confidentiality and authentication algorithms for inclusion in future standards. NSA expects to add lattice-based algorithms from the NIST process to CNSA at the end of Round 3 – this timeline is determined by NIST. CRQC