Home » Featured » NSA Switches To Quantum-Resistant Cryptography
Click Here To Hide Tor

NSA Switches To Quantum-Resistant Cryptography

In a recently published FAQ, the NSA outlines the switch for NSS (National Security Systems) from Suite B cryptography to the CNSA (Commercial National Security Algorithm Suite).

The NSA describes the CNSA as a “suite of algorithms identified in CNSS Advisory Memorandum 02-15 for protecting NSS up to and including TOP SECRET classification. This suite of algorithms will be incorporated in a new version of the National Information Assurance Policy on the Use of Public Standards for the Secure Sharing of Information Among National Security Systems (CNSSP-15 dated October 2012). The Advisory Memorandum and Policy define the set of public cryptographic standards that may be used to protect NSS until acceptable public standards for quantum resistant cryptography exist and are approved for use in NSS by the Committee for National Security Systems (CNSS).”

Detailing the CNSA’s algorithms and its usage:

Algorithm Usage
RSA 3072-bit or larger Key Establishment, Digital Signature
Diffie-Hellman (DH) 3072-bit or larger Key Establishment
ECDH with NIST P-384 Key Establishment
ECDSA with NIST P-384 Digital Signature
SHA-384 Integrity
AES-256 Confidentiality


The NSA remarked that “The AES-256 and SHA-384 algorithms are symmetric, and believed to be safe from attack by a large quantum computer.”

According the NSA, the following isn’t safe to use:

  • ECDH and ECDSA with NIST P-256
  • SHA-256
  • AES-128
  • RSA with 2048-bit keys
  • Diffie-Hellman with 2048-bit keys

What provoked this switch was the ever-growing threat of quantum computers breaking encryption.

… quantum computers will use “qubits” that behave in surprising ways, efficiently performing selected mathematical algorithms exponentially faster than a classical computer.” The NSA went on to say “A sufficiently large quantum computer, if built, would be capable of undermining all widely-deployed public key algorithms used for key establishment and digital signatures.

According to the NSA, symmetric algorithms are more quantum-resistant as opposed to public key algorithms.

“It is generally accepted that quantum computing techniques are much less effective against symmetric algorithms than against current widely used public key algorithms. While public key cryptography requires changes in the fundamental design to protect against a potential future quantum computer, symmetric key algorithms are believed to be secure provided a sufficiently large key size is used.”

The NSA made sure to note that just because they’re making this switch doesn’t mean that a quantum computer exists.

“NSA does not know if or when a quantum computer of sufficient size to exploit public key cryptography will exist. The cryptographic systems that NSA produces, certifies, and supports often have very long life-cycles. NSA has to produce requirements today for systems that will be used for many decades in the future, and data protected by these systems will still require cryptographic protection for decades after these solutions are replaced. There is growing research in the area of quantum computing, and enough progress is being made that NSA must act now to protect NSS by encouraging the development and adoption of quantum resistant algorithms.”

Regarding, “why now”, the NSA says “Choosing the right time to champion the development of quantum resistant standards is based on 3 points: forecasts on the future development of a large quantum computer, maturity of quantum resistant algorithms, and an analysis of costs and benefits to NSS owners and stakeholders. NSA believes the time is now right—consistent advances in quantum computing are being made, there are many more proposals for potentially useful quantum resistant algorithms than were available 5 years ago, and the mandatory change to elliptic curves that would have been required in October 2015 presented an opportune time to make an announcement. NSA published the advisory memorandum to move to quantum resistant symmetric key options and to allow additional continued use of older public key options as away to reduce modernization costs in the near term. In the longer term, NSA is looking to all NSS vendors and operators to implement standards-based, quantum resistant cryptography to protect their data and communications.”


  1. Hello Fuzzy,

    I don’t get it, the NSA already used quantum-resistant symmetric ciphers for decades.

    The problem is public key encryption, that is the hard part.

    But the NSA has not switched to any quantum-resistant public key system.

    Such algorithms would be Isogenies, NTRU, McEliece … not fucking RSA! RSA 3072 bit just takes 50% longer for a quantum computer to break than 2048 bit. That doesn’t look like quantum-resistant at all.

  2. I’m curious as to why SHA-384 would be safe, and SHA-256 would not. They are essentially the same algorithm, except for some constants. Just with more key / state space, which would result in only a linear difference in the time required to break it with quantum computing.

    • Searinox

      SHA-256 = 256bits of security, 128bits against birthday attacks(this type of attack has only half the bit difficulty)

      With quantum computing, Grover’s algorithm halves the bit difficulty of ALL forms of bruteforce, on everything from AES keys to SHA2 inputs for a desired output.

      So AES256 ends up providing only 128bits of security, and conversely, SHA-256 ends up providing 128bits of security as well, which is still sufficient, until you realize that means that birthday attacks have 64bit difficulty. That becomes doable.

      With SHA-384 security is 192bits and birthday attacks have 96bit difficulty. I’d consider that on the edge, but okay let’s go with it. They should have just moved straight to SHA-512.

  3. As being educated in this stuff, quantum comp are still very experimental. While ‘normal’ elliptic]
    Those algorithes only ‘see’ 0 and 1 apart.
    The quantum sees 1 and 0 together:
    This is very experimental and I’m happy -if interest- updatinf you soon, got first hand info.
    Because before nsa has a model they understand research labs first need to complete them…

  4. There’s nothing here about NSA moving to quantum resistant public key algorithms.

    For the symmetric encryption, the NSA, banks, Deepdotweb, McDonalds, everyone has been using AES for years. And yes it happens to be quantum proof.

    But the real problem is that symmetric key needs to be agreed and exchanged first, and NSA aren’t changing to a quantum-proof version of that yet (see Google’s recent post quantum testing).

    If a quantum computer can get your symmetric key, it doesn’t matter that AES is quantum proof if an adversary already has your key.

Leave a Reply

Your email address will not be published. Required fields are marked *


Captcha: *