NSA Updates CNSA 2.0 and the Role of Quantum Safe Algorithms

Key Takeaways

  • NSA has updated CNSA 2.0 guidance for National Security Systems
  • Quantum safe algorithms are central to long-term security strategy
  • Clear timelines reinforce urgency for transition between 2025 and 2030
  • Certain algorithms are approved, while others are explicitly excluded
  • PQShield supports scalable implementation of quantum-safe solutions

NSA Releases update to CNSA 2.0

On April 18th, 2024, the NSA released an update to their published guidance on national security algorithms, CNSA 2.0 (originally published September 2022).

This update reinforces the importance of quantum safe algorithms in protecting US National Security Systems (NSS), with a defined transition timeline between 2025 and 2030. It also provides clarification on key topics raised by stakeholders.

Key areas covered in the update

The FAQ reinforces the requirement that US National Security Systems (NSS) be protected on a transition timeline running from 2025 to 2030, and it answers questions raised in stakeholder feedback.

The FAQ includes clarification on some of the latest key topics, including:

  • Cryptographic algorithms
  • PQ/T hybrid (post-quantum/traditional) schemes
  • Stateful HBSS
  • Quantum Key Distribution

Approved algorithms in CNSA 2.0

CNSA 2.0 now includes the following algorithms:

  • AES-256
  • ML-KEM 1024
  • ML-DSA-87
  • SHA-384/SHA-512
  • LMS (all parameters allowed, SHA-256/192 recommended but no multitree HSS allowed)
  • XMSS (all parameters, no multitree XMSS^MT allowed)

With the release of this update, the NSA reinforces its confidence in CNSA 2.0 algorithms, and, having performed its own analysis, confirms that it considers them appropriate for long-term use.

Because of this confidence in the CNSA 2.0 algorithms, the NSA “will not require NSS developers to use hybrid certified products for security purposes.”

PQ/T hybrid approach

While PQ/T hybrid schemes are not recommended as a long-term solution, the NSA acknowledges practical limitations.

For example, CNSA 1.0 algorithms cannot yet be fully replaced in IKEv2. As a result, a hybrid approach using both traditional and quantum safe algorithms may continue for key establishment in certain protocols.

Implementation guidance

When it comes to implementation, the NSA expects to provide further guidance in collaboration with the IETF through RFC publications.

These will:

  • Define protocol options
  • Clarify algorithm usage
  • Support consistent deployment

The FAQ also highlights that establishing a quantum-safe root of trust is a priority, helping organisations avoid future costs and security risks.

Exclusions and clarifications

As it stands, the following algorithms are excluded from CNSA 2.0:

  • SLH-DSA
  • HSS
  • XMSS^MT
  • SHA-3 (not allowed separately but allowed as part of LMS)
  • SHAKE (not allowed separately but allowed as part of LMS)
  • ASCON (will not be added to CNSA)

For implementation:

  • CAVP testing is sufficient for signature validation only
  • Code signing requires CMVP-validated hardware or NSA-approved alternatives
  • No waivers are being granted

Quantum alternatives and limitations

It’s worth noting that the NSA considers Quantum Key Distribution (QKD) a highly impractical and inappropriate model for quantum resilience.

This theoretical technique uses physics to distribute keys, and is of scientific interest, but is not recommended as an alternative to post-quantum cryptography. NSS owners should not use or research QKD at the current time.

Similarly, consultation with the NSA is recommended before using any cryptography not specified by either CNSA 1.0 or CNSA 2.0. In particular, the following techniques have no approved solutions and should be avoided:

  • Distributed ledgers or blockchains
  • Private information retrieval (PIR)
  • Private set intersection (PSI)
  • Identity-based encryption (IBE)
  • Attribute-based encryption (ABE)
  • Homomorphic encryption (HE)
  • Group signatures
  • Ring signatures
  • Searchable encryption
  • Threshold signatures

What this means for the industry

This update provides greater clarity for National Security Systems owners and reinforces the importance of transitioning to approved standards.

Interoperability requirements are likely to extend beyond government systems, influencing broader technology supply chains. As a result, adoption of quantum safe algorithms will become increasingly important across industries.

PQShield and quantum-safe implementation

PQShield’s mission is to support the transition to quantum resilience across global technology supply chains.

Our solutions are built around approved quantum safe algorithms, enabling organisations to:

  • Meet evolving regulatory requirements
  • Implement scalable cryptographic systems
  • Prepare for future standardisation

With a team of leading engineers and cryptographers, PQShield is well-positioned to support this transition.

Conclusion

The NSA’s update to CNSA 2.0 reinforces the direction of travel for modern cryptography.

By prioritising quantum safe algorithms, organisations can ensure long-term protection against emerging threats while aligning with evolving standards and guidance.

Ready to implement quantum safe algorithms in your systems?

Contact PQShield to explore solutions and start building quantum-resilient infrastructure today.

Frequently asked questions

What are quantum safe algorithms?

Quantum safe algorithms are cryptographic methods designed to remain secure against attacks from quantum computers.

What is CNSA 2.0?

CNSA 2.0 is the NSA’s set of cryptographic standards for securing National Security Systems against quantum threats.

Why are hybrid schemes not recommended?

Because the NSA has confidence in quantum-safe algorithms, hybrid approaches are not required for long-term security, although they may be used in specific cases.

What algorithms are excluded from CNSA 2.0?

Excluded algorithms include SLH-DSA, HSS, XMSS^MT, and certain hash functions when used independently.

How does PQShield support quantum-safe cryptography?

PQShield provides advanced cryptographic solutions built on approved standards to help organisations transition securely.