
Episode: 4014
Title: HPR4014: Post-Quantum Cryptography Update 1st November 2023
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr4014/hpr4014.mp3
Transcribed: 2025-10-25 18:37:22
---
This is Hacker Public Radio Episode 4,014 for Thursday, 21 December 2023.
Today's show is entitled Post Quantum Cryptography Update 1 November 2023.
It is part of the series Privacy and Security.
It is hosted by Ahuka and is about 10 minutes long.
It carries a clean flag.
The summary is, a NIST guide is published aimed at IT and security professionals.
You are listening to a show from the Reserve Queue.
We are airing it now because we had free slots that were not filled.
This is a community project that needs listeners to contribute shows in order to survive.
Please consider recording a show for Hacker Public Radio.
Hello, this is Ahuka, welcoming you to Hacker Public Radio.
And another exciting episode is coming out of the Reserve Queue.
And if you're hearing it, what that means is we have run short of shows.
Ah, Hacker Public Radio is a collective that all of the members contribute shows.
That's the whole idea.
And a lot of people are not doing that, so we would like to encourage everyone to contribute shows.
If that doesn't happen at some point, we may just have to shut the whole thing down.
Now, none of us really want that to happen, so get in there.
Make some shows. It's not hard.
And if you need any assistance, there's lots of people ready to help you.
And there's a whole bunch of shows already on Hacker Public Radio about how easy it is to do a show.
Give you some ideas.
So, with that out of the way, what I want to talk about today is something from NIST,
which is the National Institute for Standards and Technology.
And they have within there what they call the National Cybersecurity Center of Excellence.
So, they put out a publication originally dated in April of 2023 and then updated in May of 2023.
And the title is Migration to Post-Quantum Cryptography,
Preparation for considering the implementation and adoption of a quantum safe cryptography.
Now, I know I've done a number of shows on this, so I'll do a very quick recap.
Basically, quantum computers offer the prospect of being able to treat conventional cryptography that we're using right now,
as almost irrelevant, because quantum computers could just crack any of these things.
So, that's obviously it's a big game changer.
On the other hand, as we've said many times before, in security, it's always an arms race.
And for every action, there's an equal and opposite reaction.
So, in terms of quantum cryptography, that is the answer to quantum decryption.
So, conventional cryptography, yeah, it will become totally insecure.
Now, when is this going to happen?
I don't know. I think it's pretty inevitable that it's going to happen.
But is it going to happen next month, next year, 10 years from now?
I don't really know.
But it is going to happen, and it's well to keep in mind how that works.
But whatever quantum can do, quantum can also create the solution.
So, what we want to do is take a look at this.
This is called Preparation for Considering the Implementation.
In other words, this is their idea of best practices.
And so, in the executive summary, they say advances in quantum computing could compromise many of the current cryptographic algorithms being widely used to protect digital information,
necessitating replacement of existing algorithms with quantum resistant ones.
Previous initiatives to update or replace installed cryptographic technologies have taken many years.
So, it is critical to begin planning for the replacement of hardware, software, and services that use affected algorithms now,
so that data and systems can be protected from future quantum computer-based attacks.
NIST has been soliciting, evaluating, and standardizing quantum-resistant public key cryptographic algorithms.
And I've done a few shows about how that process has been working.
And so, you know, it's something we've talked about before.
I'll put a link in the show notes that you can get an update on some of these.
So, basically what it is is you can, using quantum computers, you can create algorithms that are resistant to quantum decryption.
And that's the whole point.
But, you know, if you think about all the things that we use cryptography for now,
you know, all of your websites, you know, communicating with them.
VPNs, you know, passwords, and protecting your passwords, and, you know, there's a whole host of these things.
And, you know, what they have used up until now are things like RSA and Elliptical Curve Algorithms and things like that.
And what they're saying here, NIST is saying, well, we're going to have to replace all of that.
That's a big deal.
So, and they go on to say the new algorithms will likely not be drop-in replacements for the quantum vulnerable algorithms.
They may not have the same performance or reliability characteristics due to differences in key size, signature size, error handling,
number of execution steps required to perform the algorithm, key establishment, process complexity, et cetera.
So, it's not as simple as saying pull out one algorithm and plug in another one.
This means reengineering the whole thing, and that it's going to be a big project.
A big project can take a lot of time.
Now, if I was someone who was involved in security or was an IT professional, I would want to be on top of this kind of stuff.
You know, this sounds like the kind of thing that, you know, if you get up to speed on this as quickly as possible, you could maybe make yourself more valuable in the organization you're in.
And I think this guide is intended to put this stuff out there as kind of a best practices or the beginning of best practices.
You're saying this is the stuff you need to be thinking about right about now.
So, the project that they have in mind is that they want to identify interoperability and performance challenges that applied cryptographers may face when implementing the first quantum resistant algorithms, which NIST will standardize in 2024.
Now, as I record this, it's November 1st, 2023. So, 2024 is not that far off.
Initial interoperability and performance testing will incorporate QUIC, Transport Layer Security, Secure Shell, X.509 post-quantum certificate hybrid profiles,
next-generation hardware security modules. So, it looks like it's going to be pretty interesting.
So, what they want to do, and I'm going to put the link in the show notes so that you can get this guide, it's only five pages.
So, you know, in that there are additional, a few additional links and some IT guides that you want to.
So, for instance, they say technology, security, and privacy program managers.
So, you know, whether you're in that category, who are concerned with how to identify, understand, assess, and mitigate risk, will be able to use NIST SP 1800-38B,
Approach, Architecture, and Security Characteristics, which will describe what we built and why, including the risk analysis performed, and the security/privacy control mappings once it is published.
IT professionals who want to implement an approach like this will be able to make use of NIST SP 1800-38C, How-To Guides, which will provide specific product installation, configuration, and integration instructions for building the example implementation, allowing you to replicate all or parts of this project once it is published.
So, let's do consider this an alert that there are some things that you might want to be thinking about.
And so, with that, this is Ahuka for Hacker Public Radio signing off and as always encouraging you to support Free Software. Bye-bye.
You have been listening to Hacker Public Radio at HackerPublicRadio.org. Today's show was contributed by an HPR listener like yourself.
If you ever thought of recording a podcast, then click on our contribute link to find out how easy it really is.
Hosting for HPR has been kindly provided by AnHonestHost.com, the Internet Archive and rsync.net.
Unless otherwise stated, today's show is released under Creative Commons Attribution 4.0 International License.