ETSI launches first post-quantum encryption standard

The European Telecommunications Standards Institute (ETSI) has this week debuted its first post-quantum cyber security standard, designed to guarantee the protection of critical data and communications in the quantum-enabled future.

Responding to the potentially existential threat to current encryption methods posed by large-scale quantum computers, which will likely be able to efficiently solve the complex maths relied on by current asymmetric public key cryptography (PKC), ETSI has developed specification TS 104 105 (full name: Efficient quantum-safe hybrid key exchanges with hidden access policies) to help ensure that only authorised users are able to access sensitive data.

The standard defines a scheme for Key Encapsulation Mechanisms (KEMs) with Access Control (Kemac) – dubbed Covercrypt – that ETSI claims will ensure pre- and post-quantum security through hybridisation.

In layman’s terms, it locks and anonymises session keys based on user attributes, enabling those who meet the encapsulation policy requirements to retrieve them while keeping out those who don’t.

ETSI said its standard also heralded a breakthrough in efficiency – it takes a few hundred microseconds to encapsulate and decapsulate said keys. It can supposedly be easily and readily integrated into existing security products, the body added.

“ETSI’s latest specification marks a significant milestone in the transition to post-quantum cryptography,” said Matt Campagna, chair of the Quantum Safe Cryptography (QSC) working group at ETSI. “This standard is fundamental to the quantum future, we are empowering organisations to safeguard their sensitive data both for today, and for the decades ahead.

“The work we’ve done in the Cyber QSC working group underlines our commitment to providing secure, future-proof solutions that can withstand emerging threats, while also helping to build a healthy industrial ecosystem and a sustainable economy,” he said.

ETSI said organisations should begin to use quantum-resistant encryption as soon as possible to future-proof their data security, safeguard their most sensitive data and remain compliant with yet-to-emerge standards.

The launch of the standard comes in the wake of guidance issued by the UK’s National Cyber Security Centre, which similarly urged organisations to begin exploring their migration pathways to post-quantum cryptography (PQC).

The NCSC’s advice sets out a three-phase schedule that will help key industries move to quantum-resistant encryption over the next decade.

The agency said that at-risk organisations – such as financial institutions, healthcare providers, operators of critical national infrastructure and public sector organisations – should have the core of a migration plan in place by 2028, before beginning high-priority upgrades and then moving on to a complete PQC migration by 2035.

The NCSC said much of this work involved the sort of activity that would accompany any large-scale IT migration, and in security terms, activity that should already be at the heart of any business’ security practice – so those that are sufficiently on the ball should think about using PQC migration as an opportunity to build additional resilience into their IT systems.

The agency also noted that the ultimate cost of PQC migration could be significant, so it is essential that organisations begin to budget accordingly.
