CyberSecurity SEE

UK NCSC releases updated recommendations for transitioning to post-quantum cryptography

In a recent update to its guidance on preparing for post-quantum cryptography (PQC), the National Cyber Security Centre (NCSC) highlighted the implications of PQC migration for users and system owners. The aim of this update is to help both individual users and organizational system owners understand the steps they need to take to ensure a seamless transition to PQC.

For users who rely on commodity IT, such as standard browsers or operating systems, the migration to PQC is expected to be delivered through a software update. Ideally, this update will occur without end users even being aware of the transition. To ensure a smooth migration, users are advised to keep their devices and software up to date so that they are ready to adopt PQC as soon as it becomes available. System owners of enterprise IT, designed to meet the demands of large organizations, are advised to communicate with their IT system suppliers to understand their plans for supporting PQC in their products.

However, for a minority of systems with bespoke IT or operational technology, the decision-making process becomes more complex. These systems often implement public key cryptography (PKC) in proprietary communications systems or architectures. In such cases, system and risk owners must carefully evaluate which PQC algorithms and protocols are best suited to their specific use cases. The NCSC recommends that technical system and risk owners begin or continue financial planning for updating their systems to support PQC. It also advises aligning these updates with regular technology refresh cycles, once final standards and implementations of PQC are available.

To help with choosing algorithms and parameters for PQC, the NCSC provides a table that outlines the recommended algorithms, their functions, and specifications. These algorithms offer different levels of security. Smaller parameter sets require less power and bandwidth but offer lower security margins. Larger parameter sets provide higher security margins but require more processing power and bandwidth, and have larger keys or signatures. The level of security required depends on the sensitivity and lifetime of the data being protected. The NCSC strongly advises that operational systems should only use implementations based on final standards to ensure their security.

In addition to the recommended algorithms, the NCSC introduces the concept of post-quantum traditional (PQ/T) hybrid schemes. These schemes combine PQC algorithms with traditional PKC algorithms of the same type. For example, a PQC signature algorithm could be combined with a traditional PKC signature algorithm to create a PQ/T hybrid signature. However, PQ/T hybrid schemes are more complex to implement and maintain, and they are less efficient than single-algorithm solutions. Despite these drawbacks, there may be a need for PQ/T hybrid schemes due to interoperability, implementation security, or constraints imposed by a protocol or system.

In conclusion, the implications of PQC migration for users and system owners are significant. Commodity IT users can expect a seamless transition through software updates, while those with bespoke systems must carefully plan their migration strategies. The choice of algorithms and parameters depends on the desired security level and specific use cases. It is crucial to stay updated with final standards and implementations to ensure the highest level of security. Furthermore, the introduction of PQ/T hybrid schemes provides a possible solution for interoperability or security constraints. However, it is essential to consider the added complexity and reduced efficiency associated with these schemes. By following the NCSC’s guidance, users and system owners can navigate the transition to PQC effectively and enhance their cybersecurity posture in the era of quantum computing.
