The post-quantum encryption legislation has come into effect: how to proceed?

Quantum computers promise a significant increase in computing capacity. This means not only faster calculations but also a security risk, especially for web-based communications, where e.g. RSA encryption is used.

On July 1, 2022, Hungary became the first country in Europe where important legislation entered into force that introduced a new term, post-quantum encryption. It must be used for communication between two endpoints – and, after later expansion, even for data storage – by all government organizations providing public services, utility companies, and banks. Although the exact technical specification and the implementation of the directive have not yet been published, the legal basis for implementation has been prepared.

Although the current version of the legislation only covers the protection of the organizations' communication channels, similar regulations tend to define a much wider scope: it is enough to recall, for instance, the GDPR, where in addition to data transmission, the encryption and integrity of stored personal data are also marked as protected. Presumably, the present law will also be clarified to be consistent with similar legislation.

A few days ago – after 6 years of analysis – the American National Institute of Standards and Technology (NIST) made public its decision on which of the “quantum-safe” algorithms will be used in the development of the post-quantum encryption standard. In the field of general encryption, the CRYSTALS-Kyber algorithm was selected, while for digital signatures 3 algorithms (CRYSTALS-Dilithium, FALCON, and SPHINCS+) were selected.

In theory, all currently widely used public-key cryptographic algorithms are vulnerable to attacks based on Shor’s algorithm, which can only be implemented with large-scale quantum computers. For certain functions (e.g. HTTPS communication, SSL/TLS handshake) it may be sufficient to reconfigure the web server, but for other functions – message-level operations (e.g. encrypted SAML or OpenID Connect JWT) – it is necessary to dig into the code. The technology change may also require database-level modifications (e.g. in the case of data stored in encrypted form).
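An added example, not part of the original post: a first inventory step for the message-level case, reading the header of compact JWS/JWE tokens and flagging those whose `alg` relies on RSA or elliptic-curve keys, the public-key families Shor's algorithm targets. The function names are hypothetical and the sample tokens are constructed.

```python
import base64
import json

# JOSE "alg" names (RFC 7518, RFC 8037) grouped by key type.
PUBLIC_KEY_PREFIXES = ("RS", "PS", "ES", "ECDH-ES", "EdDSA")  # RSA / elliptic curve
SYMMETRIC_PREFIXES = ("HS", "A128", "A192", "A256", "PBES2", "dir")

def b64url_decode(segment):
    """Decode base64url, restoring the padding that compact JOSE strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def classify_alg(alg):
    if alg == "none":
        return "unsecured"
    if alg.startswith(PUBLIC_KEY_PREFIXES):
        return "public-key"
    if alg.startswith(SYMMETRIC_PREFIXES):
        return "symmetric"
    return "unknown"

def inspect_token(token):
    """Return kind (JWS/JWE), alg and key family from a compact token's header."""
    parts = token.split(".")
    kind = {3: "JWS", 5: "JWE"}.get(len(parts))
    if kind is None:
        raise ValueError("not a compact JWS or JWE")
    header = json.loads(b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("protected header is not a JSON object")
    alg = str(header.get("alg", ""))
    family = classify_alg(alg)
    # Only public-key algorithms are flagged: they are what Shor's algorithm targets.
    return {"kind": kind, "alg": alg, "family": family,
            "needs_migration": family == "public-key"}

def make_sample(header, n_parts):
    """Constructed token: real header, placeholder bytes for the other segments."""
    h = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b"=").decode()
    return ".".join([h] + ["AAAA"] * (n_parts - 1))

SAMPLES = [  # constructed for this example, not captured traffic
    make_sample({"alg": "RS256", "typ": "JWT"}, 3),
    make_sample({"alg": "HS256", "typ": "JWT"}, 3),
    make_sample({"alg": "RSA-OAEP", "enc": "A256GCM"}, 5),
    make_sample({"alg": "dir", "enc": "A128GCM"}, 5),
]

if __name__ == "__main__":
    for tok in SAMPLES:
        print(inspect_token(tok))
```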

The organizations defined in the legislation must start preparing for the change. While for some components of some systems (e.g. mobile phones) replacing them with new components solves the problem, for other components (e.g. electricity generation and distribution systems) the appropriate modification can only be achieved much more slowly. Interoperability between different computer systems and data archiving create additional tasks. As a general rule, however, cryptographic algorithms cannot be replaced until all elements of the system have been prepared to process the change. Updating the applied protocols, schemes, and infrastructure elements must also be solved when the new cryptographic algorithm is introduced. The transition, as in other migration processes, may not be smooth: recently, experts fixed a vulnerability in the Java signature checking code.

All algorithms work with multiple different parameters, and configuring them also requires serious expertise. As a consequence, implementing the law calls for support, adaptation to the business line, and even the involvement of, and an audit by, a mathematician specialized in this field, so that the systems of the institution or organization meet the regulations. Since Hungary was the first to introduce the regulation, it is worth monitoring what happens.

The E-Group team has been working on the topic since 2015 and is considered a serious authority. Contact us if you need additional support.
