Tracked metadata: Sourced from EMVCo's public document index. PCI Watch records each document's details and its extracted text so changes can be tracked over time; the document PDF itself is hosted by EMVCo.

Security Position Statement: NSA Statement on Post Quantum Cryptography and Suite B

Extracted document text

EMVCo's index flattens the document's layout, so this text is best used for searching and comparing versions rather than reading end-to-end.

EMV-SWG-NE58r4

EMVCo Position Statement on NSA Statement on Post Quantum Cryptography and Suite B "Cryptography Today"

3 March 2016 [1]

Statement:

In August 2015, the NSA posted an update to their Suite B cryptography paper (https://www.nsa.gov/ia/programs/suiteb_cryptography), first posted in Jan 2009. This statement is also reflected in the more recent CNSS Advisory Memorandum on the use of Public Standards for the Secure Sharing of Information Among National Security Systems. Further clarification is provided in the Commercial National Security Algorithm Suite and Quantum Computing FAQ.

The advisory memorandum addresses US government use of cryptography and states that after observing the past decade of progress in quantum computing research, the NSA endorses the increasing consensus that quantum computers will pose a threat and that the NSA will initiate a transition to quantum-resistant algorithms in the not too distant future. Changing public key cryptography algorithms is difficult and expensive, and can have significant infrastructure and data format implications. Based on experience in deploying Suite B cryptography, the NSA has therefore decided to start planning and communicating early about any upcoming transition to new cryptographic algorithms.

The advisory memorandum provides a recommendation that if a transition to ECC cryptography has not been made, it might be prudent to use larger RSA key lengths rather than making the significant expenditure required for moving to ECC. For this reason, the updated advice now allows for the use of minimum 3,072 bits for the deployment of RSA and Diffie-Hellman (DH) based algorithms.

The updated guidance also provides caution for current or future use of ECC. They note that users of ECC P-256 are likely to be required to change to a longer curve before they can adopt quantum-resistant algorithms. For cited interoperability reasons they recommend P-384 and NSA permission is required for use of P-521 in government systems.

Industry "experts" have commented on what the memorandum means and whether the timing of its publication is significant. Perhaps the most grounded commentary is from Neal Koblitz and Alfred J. Menezes: https://eprint.iacr.org/2015/1018.pdf

The EMVCo reading of the situation is:

• The NSA advisory memorandum does not imply an actual attack on ECC – no curve size is considered weaker in security terms than before the advisory memorandum was published.
• There has been no major breakthrough in the development of quantum computers [2]; however, the NSA is being prudent, based on lessons learned (including cost and time) in migrating systems to new cryptography.
• EMVCo and the NSA live in two different paradigms. The NSA needs to provide long-term security for a large diversity of different national governmental information systems, whereas EMVCo needs comparatively short-term and short-lived security for payment transactions in consumer products.
• There are no suitable quantum-resistant algorithms waiting in the wings and it is likely to be several years before anything is standardised [3].
• Of the currently known quantum-resistant candidates, none are likely to be effective on constrained platforms (e.g., smart cards) with limited processing and communication speeds.
• The EMVCo justification for moving to ECC in Next Gen, and not using ever longer RSA keys remains.
• The justification for choosing NIST curves for EMV usage remains the same. This includes the earned reputation and authority given by NIST and that the NIST curves are globally standardised by ISO and are widely supported in software libraries and hardware products.
• For 3DS we are not constrained by the limitations of smart cards and it is quite acceptable for 3DS entities (servers etc.) to use longer RSA keys and/or elliptic curves as the industry evolves. Libraries for mobile phones already support a wide variety of suitable cryptographic mechanisms and algorithms and will similarly evolve.

[1] Submitted for posting September 2016

[2] Note that "quantum computing" is not the same as "quantum cryptography". The first concerns the idea of building a computer whose processes exploit quantum phenomena to solve problems that are difficult to solve with classical computers. The second concerns building cryptographic systems whose processes exploit quantum phenomena. Quantum computers are of interest to EMVCo because quantum computers might be used to attack ECC and RSA. Quantum cryptography is not of interest to EMVCo.

[3] See http://csrc.nist.gov/publications/drafts/nistir-8105/nistir_8105_draft.pdf

Business Associate Access Only: do not distribute. This document contains proprietary and confidential information of EMVCo. LLC. Copyright 2016 © EMVCo. LLC. All rights reserved