Sep 04, 2021

The article is based on this NSA FAQ (PDF): https://media.defense.gov/2021/Aug/04/2002821837/-1/-1/1/Qua...

I don't see anything new, but nice to have their official position in a compact FAQ format. Also, I think the headline of this MSN article (as well as the Register article from which it seems to be copied) is somewhat misleading -- the NSA doesn't seem to be suggesting they think quantum computers will _never_ be able to break public-key encryption, just that everyone should sit tight and trust the ongoing NIST process for standardizing post-quantum crypto:

> Once NIST post-quantum cryptographic standards are published and certification procedures for those algorithms are established, CNSSP-15 [US gov standard for protecting classified info] will be updated with a timeline for required use of the post-quantum algorithms and disuse of the quantum-vulnerable portion of the current CNSA Suite of algorithms.

And for the time being, adding a pre-shared key where possible to existing public-key algorithms is a better quantum-mitigation strategy than trying to use a new, unproven alternative:

> Many commercial protocols allow a pre-shared key option that may mitigate the quantum threat, and some allow the combination of pre-shared and asymmetric keys in the same negotiation. However, this issue can be complex.... NSA considers the use of pre-shared symmetric keys in a standards-compliant fashion to be a better near-term post-quantum solution than implementation of experimental post-quantum asymmetric algorithms that may or may not be proven secure and which will not be compatible with NIST standards.
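The "pre-shared key combined with asymmetric keys in the same negotiation" idea in the quoted passage, shown as an added example (mine, not code from the NSA FAQ, the NIST process, or any named protocol): both parties run a Diffie-Hellman exchange and then feed the DH secret together with an out-of-band PSK into HKDF, so an adversary who later breaks the asymmetric part still needs the PSK. The toy DH group, the transcript value and the mixing order (PSK as HKDF salt, DH secret as input keying material, loosely modelled on the TLS 1.3 PSK+(EC)DHE schedule) are my assumptions; the HKDF code is checked against RFC 5869 test case 1.

```python
"""Hybrid key derivation: a pre-shared key (PSK) mixed with an asymmetric
(Diffie-Hellman) shared secret, so the session key stays secret even if
the asymmetric exchange is later broken.

Added illustration; not code from the NSA FAQ or any named protocol.
The mixing order (PSK as HKDF salt, DH secret as input keying material)
is an assumption modelled loosely on the TLS 1.3 PSK+(EC)DHE schedule.
"""
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (Mersenne prime 2^127-1, generator 2), chosen
# only to keep the example self-contained. It is far too small for real
# use; deployments use RFC 7919 groups or elliptic-curve DH.
DH_P = 2**127 - 1
DH_G = 2
HASH_LEN = 32  # SHA-256 output size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with HMAC-SHA256."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_matches_rfc5869_vector() -> bool:
    """Self-check of the HKDF code against RFC 5869 test case 1."""
    prk = hkdf_extract(bytes(range(13)), b"\x0b" * 22)
    okm = hkdf_expand(prk, bytes(range(0xF0, 0xFA)), 42)
    return okm.hex() == ("3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
                         "34007208d5b887185865")


def dh_keypair() -> tuple[int, int]:
    """Private exponent in [2, p-2] and the matching public value."""
    priv = secrets.randbelow(DH_P - 3) + 2
    return priv, pow(DH_G, priv, DH_P)


def dh_shared_secret(priv: int, peer_pub: int) -> bytes:
    """Classic DH: reject the trivial values 0, 1 and p-1 before exponentiating."""
    if not 1 < peer_pub < DH_P - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_pub, priv, DH_P).to_bytes(16, "big")


def derive_session_key(psk: bytes, dh_secret: bytes, transcript: bytes) -> bytes:
    """Session key = HKDF(salt=PSK, IKM=DH secret, info=transcript).
    Recovering the DH secret alone (the quantum case) is not enough."""
    prk = hkdf_extract(psk, dh_secret)
    return hkdf_expand(prk, b"hybrid session key" + transcript, 32)


def run_handshake(psk: bytes, transcript: bytes = b"constructed transcript") -> dict:
    """Both parties derive the key; the DH secret is returned only so the
    adversary model below can be exercised."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    a_secret = dh_shared_secret(a_priv, b_pub)
    b_secret = dh_shared_secret(b_priv, a_pub)
    return {
        "client_key": derive_session_key(psk, a_secret, transcript),
        "server_key": derive_session_key(psk, b_secret, transcript),
        "dh_secret": a_secret,
        "transcript": transcript,
    }


def key_from_recovered_dh_secret(dh_secret: bytes, transcript: bytes, psk_guess: bytes) -> bytes:
    """What an adversary who has broken the DH exchange can compute:
    only as good as its guess of the PSK."""
    return derive_session_key(psk_guess, dh_secret, transcript)


if __name__ == "__main__":
    psk = secrets.token_bytes(32)  # constructed; distributed out of band in practice
    r = run_handshake(psk)
    print("HKDF matches RFC 5869 vector:", hkdf_matches_rfc5869_vector())
    print("keys agree:", r["client_key"] == r["server_key"])
    print("adversary with DH secret but no PSK gets the session key:",
          key_from_recovered_dh_secret(r["dh_secret"], r["transcript"], b"") == r["client_key"])
```

The point the FAQ makes about complexity shows up even here: the PSK has to be provisioned and rotated out of band, and the protocol must bind it into the same derivation as the asymmetric secret rather than using one or the other, otherwise a downgrade to the PSK-less path gives the adversary back the quantum-vulnerable key.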