A bill to help secure US government cryptographic systems against attack from quantum computers has passed the House and has now advanced to the Senate. The Quantum Computing Cybersecurity Preparedness Act introduces requirements for federal agencies to identify systems using cryptography and prioritize them for migration.
The Act, co-sponsored by senators Rob Portman (R-OH) and Maggie Hassan (D-NH), calls for every executive agency to create an inventory of all the cryptographic systems in use, along with the IT systems that they will prioritize for migration to post-quantum cryptography. They will also define processes for evaluating the process of that migration.
The Office of Management and Budget (OMB) also has a role under the Act. Within 15 months of the law coming into effect, the OMB must create a strategy to manage the risk posed by quantum encryption, along with a report on the funding that executive agencies need to protect themselves.
The House version of this Act, sponsored by representatives Ro Khanna (D- CA-17), Gerry Connolly (D-VA-11), and Nancy Mace (R-SC-1), passed this month after its introduction in April. It was endorsed by Google, IBM, PQSecure Technologies, QuSecure, Maybell Quantum, Quantinuum and Qryp.
Lawmakers introduced the bill because they’re worried about the potential for quantum computers to easily crack current cryptographic algorithms. Cryptography typically requires an attacker to conduct many calculations to crack a code. The more bits an encryption key has, the more calculations are required.
Traditional computers use conventional electronic bits to represent numbers. These bits have a binary state (0 or 1), meaning they can only represent one number at a time. This limits them to calculating possible results consecutively. Even with parallel processing, the computing power required to crack modern cryptography algorithms is still prohibitive in many cases.
Conversely, quantum computers use qubits, which are quantum bits exploiting the quantum quality of superposition. This allows them to maintain several states at once, increasing their ability to make different calculations concurrently. These computers could threaten traditional cryptographic algorithms in five to 10 years.
Quantum encryption uses new encryption methods to produce unpredictable encryption keys that these new computers will not easily be able to crack.
America’s security services have been aware of the threat for a while. The Department of Homeland Security released a roadmap on PQC in October and the NSA is also working on solutions.
Agencies must provide their inventories of cryptographic systems no later than one year after NIST publishes post-quantum cryptography standards. NIST hasn’t finalized these standards yet. It expects to do that within two years. However, this month it did choose four encryption tools that could potentially withstand attacks from a quantum computer.