The U.S. National Security Agency (NSA) publishes a Commercial National Security Algorithm (CNSA) document that outlines which encryption algorithms owners, operators, and vendors should use when working with classified information critical to military and intelligence activities. Until now, the original document, which the NSA now calls CNSA 1.0, specified classical encryption algorithms that were not necessarily quantum-resistant. Now that NIST has made its first PQC selections for Round 3, the NSA has updated that document to what it calls CNSA 2.0, along with guidance on which algorithms to use and an expected timeline for the conversion.

CNSA 2.0 currently includes the following algorithms:

  • AES: Symmetric block cipher for information protection
  • CRYSTALS-Kyber: Asymmetric algorithm for key establishment
  • CRYSTALS-Dilithium: Asymmetric algorithm for digital signatures
  • Secure Hash Algorithm (SHA): Algorithm for calculating a condensed representation of information
  • Leighton-Micali Signature (LMS): Asymmetric algorithm for digital signature of firmware and software
  • eXtended Merkle Signature Scheme (XMSS): Asymmetric algorithm for digital signature of firmware and software

Although NIST has made its initial selections, there is still work to be done to complete the standards process and publish the standards. It is therefore important to note that the NSA still considers asymmetric post-quantum algorithms experimental and does not yet recommend that anyone put them into production. It does, however, encourage groups to familiarize themselves with these algorithms and begin preparing to implement them in production.

Schedule planned by the NSA for the implementation of the CNSA 2.0 algorithms

The NSA recommends a phased implementation, with full transitions to be made in the 2030-2035 timeframe depending on the use case. In the table above, they show three stages for each use case. The beginning of the dotted line indicates when quantum-resistant asymmetric algorithms can begin to be used as an option. The beginning of the solid line represents when the quantum-resistant algorithms are preferred. And the end of the solid line represents when they would like to see exclusive use of quantum-resistant algorithms. Organizations can start using this information for their initial planning efforts. Timelines, and maybe even the selected algorithms, are always subject to change. The NSA will issue additional guidance with more information as the standards process progresses.

For more information on this transition, see the press release posted on the NSA webpage, the CNSA 2.0 announcement sheet, and the FAQ document.

September 10, 2022