Migrate to PQC

Google Cloud Provider (GCP): Migrating to PQC.

• BLUF(2): (1) Google is actively preparing for the future of cryptography by implementing Post-Quantum Cryptography (PQC). (2) It's important to note that PQC implementation is an ongoing process. While Google has made significant progress, the industry as a whole is still working on standardization and widespread adoption.

• Why Google Cares About PQC (2): (1) Protect user data: Quantum computers could break current encryption methods, potentially compromising data stored now. PQC helps prevent this. (2) Future-proof security: Transitioning now ensures continued secure communication even with advancements in quantum computing.

• What Google's Doing to PQC (3): (1) Standardization efforts: Google contributes to organizations like NIST (National Institute of Standards and Technology) to define PQC standards. (2) Testing and implementation: Google actively tests PQC algorithms and has already integrated some into products like Chrome and their internal communication systems. (3) Focus areas: Google prioritizes securing asymmetric encryption, specifically for internal traffic (using ALTS) and external traffic (using TLS with NIST standards).

• Steps for Implementation (general, not specific to Google): (4)

  1. Identify vulnerabilities: Analyze systems reliant on classical cryptography for potential quantum hacking risks.

  2. Choose PQC algorithms: Select PQC algorithms suited for specific use cases, considering factors like performance and security needs.

  3. Develop migration plan: Plan the transition from current cryptography to PQC, keeping in mind potential compatibility issues and resource requirements.

  4. Testing and deployment: Thoroughly test the PQC implementation before full deployment to ensure smooth operation and continued security.

• Resources:

  1. Google's blog posts on PQC:

     • Why Google now uses post-quantum cryptography for internal comms: https://cloud.google.com/blog/products/identity-security/why-google-now-uses-post-quantum-cryptography-for-internal-comms

     • How Google is preparing for a post-quantum world: https://cloud.google.com/blog/products/identity-security/why-google-now-uses-post-quantum-cryptography-for-internal-comms

Microsoft Azure: Migrating to PQC.

• BLUF: (1) To be fully post-quantum cryptography (PQC) ready, using Azure alone can cover a significant portion of your needs, but there are additional technologies and processes you should consider to ensure comprehensive readiness. (2) Microsoft has integrated PQC algorithms into its products and services.

• Using Azure tools for PQC Readiness. (3)

  1. SymCrypt Library: Azure uses the SymCrypt library, which now supports post-quantum algorithms like ML-KEM (Kyber) and XMSS1.

  2. Quantum Safe Program (QSP): Microsoft’s QSP aims to integrate PQC algorithms across its ecosystem, ensuring that Azure services are quantum-resistant1.

  3. Adams Bridge Accelerator: This is an open-source silicon quantum-resilient cryptographic accelerator developed by Azure, which will be integrated into various Azure services2.

• Additional Technologies and Processes -- While Azure provides a robust foundation, you should also consider the following:

  1. Hybrid Cryptographic Solutions: Implement hybrid solutions that combine classical and post-quantum algorithms to ensure a smooth transition and backward compatibility.

  2. Key Management: Upgrade your key management systems to support larger key sizes and new PQC algorithms. This includes updating your Certificate Authorities (CAs) to use stronger key sizes (e.g., 4K RSA)4.

  3. Network Security: Follow best practices for network security, such as upgrading VPN connections to use stronger cipher suites (e.g., Suite-B-GCM-256) and avoiding weaker algorithms4.

  4. Regular Audits and Updates: Conduct regular security audits and stay updated with the latest PQC developments and standards from organizations like NIST and IETF1.

• Conclusion: (1) Using Azure provides a strong starting point for PQC readiness, but... (2) integrating additional technologies and processes will ensure a comprehensive and future-proof approach. 

• References: 1: Microsoft’s Quantum-Resistant Cryptography 3: Post Quantum Cryptography: Readiness Challenges 4: Best Practices for Resisting Post-Quantum Attacks 2: Adams Bridge: An Accelerator for Post-Quantum Resilient Cryptography.

Approaches.

1. The Adams Bridge Accelerator is an open-source silicon quantum-resilient cryptographic accelerator developed by Azure. It aims to bridge the gap between classical and quantum-resilient cryptography. Initially integrated into Caliptra 2.0, it will later be available as an independent accelerator. This makes Caliptra the first open-source root-of-trust with hardened post-quantum cryptography.

   • Value and Benefits:

     1. Quantum Resilience: Provides hardware acceleration for NIST-selected quantum-resilient algorithms (Dilithium & Kyber), ensuring security against quantum threats.

     2. Open Source: The open-source nature of Adams Bridge and Caliptra allows for easy adoption and integration by industry partners, saving development time.

     3. Enhanced Security: Strengthens foundational hardware security capabilities, such as immutable root-of-trust anchors for code integrity and hardware identity.

     4. Future-Proofing: Ensures that hardware designs are ready for the post-quantum era, addressing the longer development times and immutability of hardware.

     5. Compliance: Meets all root-of-trust requirements of NIST 800-193, providing a transparent and robust security subsystem.

OMB M-23-02 (Migrate to PQC), -- Received: Apr 2024.

• BLUF: The Office of National Cyber Director (ONCD) in coordination with OMB, CISA, and GSA FedRAMP, has released instructions to federal agencies for the collection and transmission of a “Prioritized Inventory of Information Systems and Assets, excluding national security systems, that contain CRQC-vulnerable cryptographic” algorithms, along with “an assessment of the funding required to migrate information systems and assets inventoried under this memorandum to post-quantum cryptography during the following fiscal year.”  

• AV-2: 

  1. CRQC (Cryptanalytically Relevant Quantum Computer): A type of quantum computer that poses a significant threat to current encryption methods. -- CRQC's are not here yet -- 

     • Cryptanalysis: The art of breaking codes and deciphering encrypted messages.

     • Cryptanalytically Relevant:  Powerful enough to run algorithms that can crack the encryption methods widely used today (mostly public-key cryptography).

     • Azure Tools: MS Azure doesn't directly offer tools for CRQCs.

       1. Azure Quantum: A platform that provides access to various quantum computing hardware and software tools from different providers. This allows developers to experiment with quantum algorithms and explore potential applications (outside of cryptanalysis).

       2. Quantum Threat Landscape: Just resources and information about the potential impact of quantum computing on cybersecurity. This can help organizations prepare for the future by transitioning to "quantum-resistant" cryptography algorithms when CRQCs become a reality.

  2. Cryptographic System: An active software or hardware implementation of one or more cryptographic algorithms that provide one or more of the following services: (1) creation and exchange of encryption keys; (2) encrypted connections; or (3) creation and validation of digital signatures. 

• Guidance (OMB PDF): OMB M-23-02 Migrating to Post Quantum Cryptography (PQC). 

• Summary of PDF: Federal agencies are transitioning to a zero-trust architecture (ZTA) per executive orders and memoranda. 

  1. -- Transition To: This transition includes using strong encryption and implementing post-quantum cryptography (PQC) to protect against the threat of quantum computers. 

  2. -- Actions: Agencies are required to conduct a prioritized inventory of their cryptographic systems and submit it to the Office of the National Cyber Director (ONCD) and the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA). 

  3. -- The inventory (5): The inventory should include (1) information on cryptographic algorithms, (2) encryption keys, (3) software packages, (4) operating systems, and (5) hosting environments. 

  4. -- PQC Migration WG: A cryptographic migration working group will be established to provide assistance and coordination for agencies during this transition.

• In addition to OMB's guidance:

  1. Excel Worksheets: 

     • Two (2) Excel template worksheets are: 

       1. Cryptographic Inventory worksheet 

       2. Cost estimate worksheet for the transition to post-quantum cryptography (PQC).

     • Stored Here: Go to My-Desktop (D:\J-FOLDER\WORK STUFF\Gunnison\-- HHS\PROJECTS\PQC\PQC Migration Strategy (HHS) to see 2 Excel templates. 

  2. OMB Instruction: Per OMB M-23-02, agencies must (1) submit the cryptographic inventory and (2) cost estimates for the transition to post-quantum cryptography to CyberScope annually.  Inventories are due in CyberScope by May 3, 2024, and cost estimates are due by June 3, 2024.