The new encryption standards from NIST & RISC-V: what do IoT developers need to know?

As part of the recent IoTF event, PQShield’s Alan Grau shared his thoughts on the new PQC standards and what they mean for designers of IoT and connected devices. Here are some key takeaways.

After three selection rounds, the NIST Post-Quantum Cryptography (PQC) Standardization Project recently selected new PQC algorithms to be ratified as new Federal standards for key establishment and digital signatures. It has also been announced that new NSS (Defence) cryptographic suites will be based on NIST PQC standards. In addition, RISC-V has recently ratified new cryptographic extensions.

Secure element, chip and platform engineers should be planning for a migration to PQC with the winning schemes. Similarly, application developers and product engineers should be developing a strategy for crypto agility to enable future migration to PQC that can support all winning schemes and round 4 alternatives. But for many in the industry, a key question remains: where to start?

Migration Key Areas

  • PQC for Secure Communication
    • Update existing protocols (TLS, IPsec, etc.) with PQC algorithms
    • Hybrid solutions allow interoperability during the transition period
  • PQC for Platform Security
    • Platform security (secure boot, secure software/firmware updates) needs to adopt PQC algorithms
  • PQC for other use cases
    • PKI solutions (public & private) must migrate to PQC. Private PKI solutions can migrate today
    • Document signing, device identity/authentication, etc. will all need to migrate to PQC

The issue of when to start implementing these changes is also up for debate. We know that quantum computing will break RSA and ECC encryption algorithms by the end of this decade, which seems like a long way off. However, many devices being built today will be in the field for much longer than 10 years. And when you consider that it will likely take years to update all necessary components and systems, as well as the risk of “harvest now, decrypt later” attacks, the need for action becomes increasingly urgent. Of course, some sectors are inherently more at risk than others…

Most At-risk Industries

  • Defence & Infrastructure

The retrospective potential of any quantum attack means historic government, financial, health and trade secrets are at risk in the future. 

  • Internet of Things

Thousands of IoT devices are deployed every day, carrying sensitive data about us and our devices.

  • OEM & Industrial

Long-lifecycle products like cars and industrial equipment that are designed today need to comply with both current and upcoming cryptography standards.

Whatever implementation timeline you’re facing, it’s clear that the time to start planning is definitely now. Contact the experts at PQShield today, and get on the road to quantum safety quickly and efficiently.