Implications of PQC migration for users and system owners
For users of commodity IT, such as those using standard browsers or operating systems, the switchover to PQC will be delivered as part of a software update and should happen seamlessly (ideally without end-users even being aware), the NCSC’s updated guidance stated. To ensure devices are updated to PQC when it is available, system owners should ensure they keep devices and software up to date. “System owners of enterprise IT, such as those who own IT systems designed to meet the demands of a large organisation, should communicate with their IT system suppliers about their plans for supporting PQC in their products,” it added.
For a minority of systems with bespoke IT or operational technology, such as those that implement PKC in proprietary communications systems or architectures, choices will need to be made by system and risk owners as to which PQC algorithms and protocols are best to use, the NCSC said. “Technical system and risk owners of both enterprise and bespoke IT should begin or continue financial planning for updating their systems to use PQC. PQC upgrades can be planned to take part within usual technology refresh cycles once final standards and implementations of these standards are available.”
Choosing algorithms and parameters for your use cases
The following table gives the NCSC recommended algorithms, their functions, and specifications:
“The above algorithms support multiple parameter sets that offer different levels of security,” The NCSC wrote. The smaller parameter sets generally require less power and bandwidth, but also have lower security margins, it added. “Conversely, the larger parameter sets provide higher security margins, but require greater processing power and bandwidth, and have larger key sizes or signatures. The level of security required can vary according to the sensitivity and the lifetime of the data being protected, the key being used, or the validity period of a digital signature.” The highest security level may be useful for key establishment in cases where the keys will be particularly long lived or protect particularly sensitive data that needs to be kept secure for a long period of time. The NCSC strongly advised that operational systems should only use implementations based on final standards.
Post-quantum traditional (PQ/T) hybrid schemes
Post-quantum traditional (PQ/T) hybrid scheme is one that combines one (or more) PQC algorithms with one (or more) traditional PKC algorithms where all component algorithms are of the same type, the NCSC wrote. For example, a PQC signature algorithm could be combined with a traditional PKC signature algorithm to give a PQ/T hybrid signature.
There are greater costs to PQ/T hybrid schemes than those with a single algorithm. “PQ/T hybrid schemes will be more complex to implement and maintain and will also be less efficient. However, there may sometimes be a need for a PQ/T hybrid scheme, due to interoperability, implementation security, or constraints imposed by a protocol or system,” according to the NCSC.