NCSC Releases New Guidance on Post-Quantum Cryptography Migration

How best to prepare for post-quantum cryptography

The UK National Cyber Security Centre (NCSC) has published guidance on the next steps you need to take to prepare for migration to post-quantum cryptography (PQC).

In recent years, we’ve seen the need to get ready for a world in which quantum computers might be able to break the ubiquitous encryption methods that are in use today. These classical methods currently keep all of our connections, communications, data and devices safe, but could soon be vulnerable. That’s why there has been a concerted effort on the part of governments, industry, and national bodies to develop global PQC standards, with which organizations will need to comply.

Since 2016, NIST has been running that standardisation process and, as the NCSC report, it has been closely followed by organizations such as the Internet Engineering Task Force (IETF) and ETSI, which are producing more detailed deployment guidance as those standards are developed.

For example, ML-KEM (CRYSTALS-Kyber) and ML-DSA (CRYSTALS-Dilithium) were drafted as standards by NIST in August 2023, and final standards for these algorithms are expected in 2024. Algorithms such as these function as key establishment and digital signature techniques.

In particular, NCSC advises that the draft standards ML-KEM-768 and ML-DSA-65 provide appropriate levels of security and efficiency for most use cases, including the use of OFFICIAL-tier government information.

These draft standards should allow developers to test systems and plan for deployment when the full standards are released next year. NCSC emphasise, of course, that only the final standards should be deployed in an operational environment.

Hybrid PQ/T – the transition phase to quantum-resilience

Transition to PQC is almost certainly not a single-step process. NCSC point out that planning, financing and evaluating are essential to the migration, and that a strategic, well-thought-through approach is the best way to a smooth transition to post-quantum resistance.

That’s why this latest guidance also focuses on the use of PQ/T hybrid schemes that combine classical and post-quantum technology of the same type (for example, digital signature algorithms). This is particularly relevant if there are current constraints on migrating to PQC, such as interoperability, implementation security or protocol considerations. 

It’s important to understand that these hybrid schemes should only be chosen as an interim measure, allowing for full PQC migration in future, and should be planned strategically.

The advice is that “risk owners should weigh the reasons” as well as the cost of migrating to a PQ/T hybrid scheme, and consider the further transition from PQ/T to full PQC at a later stage. The plan can easily incorporate the usual technology refresh cycles, which might include PQC upgrades to your systems.

Alongside the new draft standards from NIST (as well as recent US legislation and many other international bodies), NCSC’s latest recommendations provide an important framework for modernizing current cryptography against the very real threat of a cryptographically relevant quantum computer.

Summary:

  • NIST have released draft standards which can be used to test deployments. However, it’s important to only deploy finalized standards in operational environments.
  • Transition might need to involve the use of PQ/T hybrid schemes. These schemes should be carefully planned for, and used with a view to transitioning to full PQC at a later stage.
  • Hybrid PQ/T schemes should be thought of as a ‘stepping stone’ to full PQC migration, rather than a permanent solution.
  • PQC migration can be planned as part of the usual technology refresh and upgrade cycles.