Regulations on Post Quantum Cryptography

1. Disclaimer

  • This PQC Regulation wiki page is an attempt to interpret the current status of regulations and to help our customers and developers prepare for future compliance requirements
  • It is not a legal view of the regulations
  • Some interpretations may vary, and changes may occur over time
  • Industry standards bodies and consortiums are actively working on clarifying applicability and conformance
  • All information and links are subject to change

2. Which PQC standards to follow?

NIST (National Institute of Standards and Technology) is the US standards body for cybersecurity; its publications are recognized internationally.

NIST initiated a process to solicit, evaluate, and standardize one or more quantum-resistant public-key cryptographic algorithms: Post-Quantum Cryptography | CSRC

The PQC algorithms were selected through NIST's multi-round public competition, with open review by the international cryptographic community, and are now published as FIPS standards: ML-KEM (FIPS 203) for key establishment, ML-DSA (FIPS 204) and SLH-DSA (FIPS 205) for digital signatures. Further candidates are still under evaluation.

Note
More information on PQC also available at Post-quantum cryptography - STMicroelectronics

NIST operates the Cryptographic Algorithm Validation Program (CAVP), which tests an implementation against NIST-generated known-answer vectors: Cryptographic Algorithm Validation Program | CSRC

The program currently covers the following PQC algorithms: LMS, ML-DSA, ML-KEM and SLH-DSA. There is no CAVP testing yet for hybrid constructions (classical crypto + PQC).

CAVP validation matters for PQC because these are new algorithms whose correct implementation requires strong cryptographic skills: the validation gives independent evidence that the implementation computes the standardized functions correctly. Note that CAVP tests functional correctness only; it does not assess side-channel resistance.

The STM32 X-CUBE-PQC library has received CAVP validation for ML-KEM and ML-DSA. The certificates are listed at Cryptographic Algorithm Validation Program | CSRC.

3. Migration to PQC - What is the EU roadmap?

Europe is defining its own roadmap, which can be summarized as follows:

  • By the end of 2026, complete the following:
    • Identify and involve stakeholders
    • Support mature cryptographic asset management
    • Create dependency maps
    • Perform a quantum risk analysis
    • Include the supply chain
    • Create a national awareness and communication program
    • Share knowledge and get involved with the NIS CG work stream on PQC
    • Develop a timeline and an implementation plan
  • By the end of 2030, complete the following:
    • Support cryptographic agility and a quantum-safe upgrade path
    • Allocate resources for the transition
    • Adapt certification schemes
    • Evolve the rules
    • Look for opportunities within the ecosystem
    • Include transversal activities throughout the creation and implementation of the roadmap
    • Implement pilot use cases and contribute to testing centers
    • Complete the PQC transition for high-risk use cases
  • By the end of 2035:
    • The PQC transition for medium-risk use cases has been completed
    • The PQC transition for low-risk use cases has been completed as far as feasible
Note
The "Quantum Risk" method is defined in the ENISA document "A Coordinated Implementation Roadmap for the Transition to Post-Quantum Cryptography".

The regulations in scope of this roadmap are NIS2, the CRA and DORA.

Source: ENISA, "A Coordinated Implementation Roadmap for the Transition to Post-Quantum Cryptography"

4. Migration to PQC - What is the UK roadmap?

The UK is defining its own roadmap, which can be summarized as follows:

  • To 2028 – identify cryptographic services needing upgrades and build a migration plan
  • From 2028 to 2031 – execute high-priority upgrades and refine plans as PQC evolves
  • From 2031 to 2035 – complete migration to PQC for all systems, services and products

Source: NCSC, "Timeline for PQC migration revealed" - NCSC.GOV.UK

5. Migration to PQC - What is the USA Roadmap?

In the USA, two main organizations drive PQC deployment:

1. The National Institute of Standards and Technology (NIST), the US standards body for cybersecurity, internationally recognized.

NIST publishes cryptographic recommendations that are followed by the international crypto community.

NIST sets 2035 as the target for completing the transition:

  • The overall goal of widespread PQC adoption is achieved
  • Quantum-vulnerable classical digital-signature and key-establishment algorithms (RSA, ECDSA, EdDSA, DH, ECDH) become "disallowed"

NIST's transition roadmap, NIST IR 8547 (still at draft level), is available at Transition to Post-Quantum Cryptography Standards.

2. The Commercial National Security Algorithm Suite 2.0 (CNSA 2.0), a set of cryptographic algorithms published by the National Security Agency (NSA).

This publication targets US National Security Systems (NSS): networks that contain classified information or are otherwise critical to military and intelligence activities.

CNSA 2.0 specifies a direct migration from classical cryptography to PQC; the NSA does not require hybrid constructions.

The transition timeline differs per product category, with the expectation that all categories will have completed their migration to CNSA 2.0 by 2033:

Figure: Security CNSA 2.0 Timeline.png


A questions-and-answers document is also available: CSI_CNSA_2.0_FAQ_.PDF.

Source: CSA_CNSA_2.0_ALGORITHMS.PDF

6. Is PQC mandated by European Cyber Resilience Act (CRA)?

PQC is not explicitly mentioned in the CRA text. However, the CRA mandates the use of recognized security standards for cryptographic applications, and those standards are now moving to PQC.

NIST plans to deprecate the quantum-vulnerable classical asymmetric algorithms after 2030 (NIST IR 8547, draft).

The EU roadmap aims to complete the PQC migration of high-risk use cases by the end of 2030.

Therefore, we believe that, in the context of the CRA, completion of the PQC transition (at least for high-risk use cases) will be required by the end of 2030.

A key decision factor is the "quantum risk" of the use case, which can accelerate the transition timeline. The "Quantum Risk" method is defined in the ENISA document "A Coordinated Implementation Roadmap for the Transition to Post-Quantum Cryptography". This risk should be considered in the CRA risk assessment of your product.

7. What is the PQC regulation in France?

ANSSI is the French cybersecurity agency; it publishes cryptographic recommendations.

ANSSI algorithm recommendations:

  • AES-256 and SHA-384
  • ML-KEM (at least ML-KEM-768) and FrodoKEM (not selected by NIST)
  • ML-DSA (at least ML-DSA-65) and Falcon (FN-DSA)
  • XMSS/LMS and SLH-DSA

ANSSI strongly recommends hybrid protocols in the short and medium term (except for stateful hash-based signatures such as XMSS/LMS, which are considered mature enough to be used on their own).

Sources:

8. What is the PQC regulation in Germany?

BSI is the German cybersecurity agency; it publishes cryptographic recommendations (Technical Guideline TR-02102).

BSI algorithm recommendations:

  • AES-128/192/256, SHA-2 (256/384/512) and SHA-3 (256/384/512)
  • ML-KEM (at least ML-KEM-768), Classic McEliece (NIST round 4 candidate) and FrodoKEM (not selected by NIST, but under standardization at ISO)
  • ML-DSA (at least ML-DSA-65) and SLH-DSA
  • XMSS/LMS

BSI strongly recommends hybridization:

  • Key establishment: combine the ML-KEM shared secret and an ECDH/ECDHE shared secret in a single key derivation, so that the encryption key depends on both
  • Signatures: dual signatures with a classical and a PQ algorithm, where both must verify

Sources:

9. Which standards for hybridization to follow?

This is ongoing work in several organizations:

  • For national regulations mandating hybridization, the hybrid methods are specified by the national cybersecurity agencies (see the ANSSI and BSI sections above)
  • For international standards (for example in IETF working groups), several methods are still under consideration

In this context, it is crucial to support "crypto agility": the ability to switch algorithms, parameter sets and hybrid combiners in the field without redesigning the product.

This flexibility rests on two key pillars:

  • Software updates
  • Hardware cryptographic acceleration enhanced by software.

10. What is the hybridization regulation in the USA?

NIST is the US standards body for cybersecurity, internationally recognized. NIST initiated a process to solicit, evaluate, and standardize one or more quantum-resistant public-key cryptographic algorithms: Post-Quantum Cryptography | CSRC.

2035:

  • The overall goal of widespread PQC adoption is achieved
  • Quantum-vulnerable classical digital-signature and key-establishment algorithms become "disallowed"

Hybridization is not mandatory in the USA. SP 800-56C Rev. 2 already allows a hybrid shared secret Z' = Z || T, where a classical (for example ECDH) shared secret Z is concatenated with an additional secret T before key derivation; this construction extends to any Key Encapsulation Mechanism such as ML-KEM.
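The BSI recommendation in section 8 and the SP 800-56C Rev. 2 hybrid shared secret are the same pattern: concatenate the classical and the PQC shared secrets and run the result through an approved KDF. The following is an added example written for this page, not code from X-CUBE-PQC, NIST or BSI. It implements the SP 800-56C Rev. 2 one-step KDF (hash-based option) over Z' = Z || T using only Python's standard library. The ECDH and ML-KEM shared secrets, the ciphertext and the public key are constructed placeholder bytes (no real ML-KEM or ECDH is performed), and the FixedInfo layout is this example's own choice.

```python
"""Hybrid (classical + PQC) shared-secret combiner in the SP 800-56C Rev. 2 style.

Added example for this wiki page. It is not code from X-CUBE-PQC, NIST or BSI,
and it performs no real ML-KEM or ECDH: the two shared secrets are constructed
stand-ins. In a real protocol Z comes from ECDH/ECDHE and T from ML-KEM.Decaps
(the pattern BSI recommends, and the Z' = Z || T form SP 800-56C Rev. 2 allows).
"""
import hashlib
import struct


def one_step_kdf(z: bytes, fixed_info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """SP 800-56C Rev. 2 one-step KDF, Option 1 (hash-based).

    K(i) = H(counter || Z || FixedInfo) with a 4-byte big-endian counter
    starting at 1; blocks are concatenated and truncated to `length` bytes.
    """
    if length <= 0:
        raise ValueError("length must be positive")
    if not z:
        raise ValueError("empty shared secret")
    h_len = hashlib.new(hash_name).digest_size
    reps = -(-length // h_len)  # ceiling division
    out = bytearray()
    for counter in range(1, reps + 1):
        h = hashlib.new(hash_name)
        h.update(struct.pack(">I", counter))
        h.update(z)
        h.update(fixed_info)
        out += h.digest()
    return bytes(out[:length])


def hybrid_fixed_info(kem_id: bytes, kex_id: bytes, kem_ct: bytes, kex_pub: bytes, label: bytes) -> bytes:
    """FixedInfo for the KDF: algorithm identifiers plus the public transcript
    (ML-KEM ciphertext and ECDH ephemeral public key), each length-prefixed.
    Binding the transcript this way is a design choice of this example, not a
    layout mandated by SP 800-56C."""
    fields = (kem_id, kex_id, kem_ct, kex_pub, label)
    return b"".join(struct.pack(">H", len(f)) + f for f in fields)


def hybrid_key(z_ecdh: bytes, t_kem: bytes, fixed_info: bytes, length: int = 32) -> bytes:
    """Derive keying material from Z' = Z || T.

    Z (ECDH shared secret) and T (ML-KEM shared secret) are both fixed-length
    for a given algorithm choice (32 bytes for X25519 and for every ML-KEM
    parameter set), so the plain concatenation is unambiguous. An attacker
    must recover BOTH components to learn Z'."""
    if not z_ecdh or not t_kem:
        raise ValueError("both component secrets are required")
    return one_step_kdf(z_ecdh + t_kem, fixed_info, length)


# Constructed stand-in values (NOT real protocol output).
Z_ECDH = bytes(range(32))                                                   # pretend X25519 shared secret
T_MLKEM = hashlib.sha256(b"constructed ML-KEM-768 shared secret").digest()  # pretend ML-KEM output
KEM_CT = b"\xaa" * 64                                                       # pretend (truncated) ML-KEM ciphertext
KEX_PUB = b"\x55" * 32                                                      # pretend X25519 ephemeral public key
FIXED_INFO = hybrid_fixed_info(b"ML-KEM-768", b"X25519", KEM_CT, KEX_PUB, b"example hybrid key")


def demo() -> dict:
    """Show that the derived key depends on both components and on the transcript."""
    k = hybrid_key(Z_ECDH, T_MLKEM, FIXED_INFO)
    flipped_t = bytes([T_MLKEM[0] ^ 1]) + T_MLKEM[1:]   # one bit of the PQC secret changed
    flipped_z = bytes([Z_ECDH[0] ^ 1]) + Z_ECDH[1:]     # one bit of the classical secret changed
    other_ct = hybrid_fixed_info(b"ML-KEM-768", b"X25519", b"\xab" * 64, KEX_PUB, b"example hybrid key")
    return {
        "key": k,
        "changes_with_kem_secret": hybrid_key(Z_ECDH, flipped_t, FIXED_INFO) != k,
        "changes_with_ecdh_secret": hybrid_key(flipped_z, T_MLKEM, FIXED_INFO) != k,
        "changes_with_transcript": hybrid_key(Z_ECDH, T_MLKEM, other_ct) != k,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value.hex() if isinstance(value, bytes) else value)
```

The check a practitioner wants is in `demo()`: changing a single bit of either component secret changes the derived key, which is what makes the hybrid at least as strong as the stronger of its two components. Including the ML-KEM ciphertext and the ECDH public key in FixedInfo additionally binds the key to the transcript; protocols whose own key schedule already hashes the transcript (TLS 1.3, for example) get away with plain concatenation of the two secrets.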


CNSA 2.0 specifies a direct migration from classical cryptography to PQC, without hybridization.

Sources:

11. ST and Post Quantum Cryptographic (PQC) library

The STM32 post-quantum cryptographic library package (X-CUBE-PQC) includes all the major security algorithms for encryption, hashing, message authentication, and digital signing. This enables developers to satisfy application requirements for any combination of data integrity, confidentiality, identification/authentication, and non-repudiation. It includes verification for both the Leighton-Micali signature (LMS) scheme and the extended Merkle signature scheme (XMSS), stateful hash-based signatures used mainly for secure boot code authentication. It also includes the lattice-based ML-KEM, which can replace current key exchange mechanisms to establish a secret key between two parties, and ML-DSA for digital signatures. ML-DSA can replace ECDSA, EdDSA, and RSA-PSS in protocols, for instance in high-level applications as a method of authentication, of attestation, or both.

Developers can start by updating secure boot and software update with PQC algorithms (for example LMS, XMSS or ML-DSA), and later extend PQC to further use cases, such as secure communications, either directly or via secure updates.

Our STM32 PQC library was CAVP validated (Cryptographic Algorithm Validation Program | CSRC), giving users confidence in the functional correctness of the implementation.

12. References