In a recently published FAQ, the NSA outlines the switch for NSS (National Security Systems) from Suite B cryptography to the CNSA (Commercial National Security Algorithm Suite).
The NSA describes the CNSA as a “suite of algorithms identified in CNSS Advisory Memorandum 02-15 for protecting NSS up to and including TOP SECRET classification. This suite of algorithms will be incorporated in a new version of the National Information Assurance Policy on the Use of Public Standards for the Secure Sharing of Information Among National Security Systems (CNSSP-15 dated October 2012). The Advisory Memorandum and Policy define the set of public cryptographic standards that may be used to protect NSS until acceptable public standards for quantum resistant cryptography exist and are approved for use in NSS by the Committee for National Security Systems (CNSS).”
Detailing the CNSA’s algorithms and its usage:
The NSA remarked that “The AES-256 and SHA-384 algorithms are symmetric, and believed to be safe from attack by a large quantum computer.”
According the NSA, the following isn’t safe to use:
- ECDH and ECDSA with NIST P-256
- RSA with 2048-bit keys
- Diffie-Hellman with 2048-bit keys
What provoked this switch was the ever-growing threat of quantum computers breaking encryption.
“… quantum computers will use “qubits” that behave in surprising ways, efficiently performing selected mathematical algorithms exponentially faster than a classical computer.” The NSA went on to say “A sufficiently large quantum computer, if built, would be capable of undermining all widely-deployed public key algorithms used for key establishment and digital signatures.”
According to the NSA, symmetric algorithms are more quantum-resistant as opposed to public key algorithms.
“It is generally accepted that quantum computing techniques are much less effective against
symmetric algorithms than
against current widely used public key algorithms. While public key
cryptography requires changes in the fundamental design to protect against a potential future
quantum computer, symmetric key algorithms are believed to be secure provided a sufficiently large key size is used.”
The NSA made sure to note that just because they’re making this switch doesn’t mean that a quantum computer exists.
“NSA does not know if or when a quantum computer of sufficient size to exploit public key
cryptography will exist. The cryptographic systems that NSA produces, certifies, and supports
often have very long life-cycles. NSA has to produce requirements today for systems that will be
used for many decades in the future, and data protected by these systems will still require
cryptographic protection for decades after these solutions are replaced.
There is growing research in the area of quantum computing, and enough progress is being made that NSA must act now to protect NSS by encouraging the development and adoption of quantum resistant algorithms.”
Regarding, “why now”, the NSA says “Choosing the right time to champion the development of quantum resistant standards is based on 3 points: forecasts on the future development of a large quantum computer, maturity of quantum resistant algorithms, and an analysis of costs and benefits to NSS owners and stakeholders. NSA believes the time is now right—consistent advances in quantum computing are being made, there are many more proposals for poten
tially useful quantum resistant algorithms than were available 5 years ago, and the mandatory change to elliptic curves that would have been required in October 2015 presented an opportune time to make an announcement. NSA published the advisory memorandum to move to quantum resistant symmetric key options and to allow additional continued use of older public key options as away to reduce modernization costs in the near term. In the longer term, NSA is looking to all
NSS vendors and operators to implement standards-based, quantum resistant cryptography to
protect their data and communications.”