Encryption & Key Management,
Geo Focus: Australia,
Geo-Specific
Regulatory Authorities Warn NIST’s 2035 Encryption Deadline May Be Insufficient
Australia is proactively advancing a strategic plan aimed at mitigating risks associated with future quantum computing threats to cybersecurity. In a decisive move, regulators are targeting several outdated encryption algorithms to phase out by 2030, marking a significant five-year advance over the National Institute of Standards and Technology (NIST) timeline established in the United States.
The Australian Signals Directorate (ASD) recently published a comprehensive list detailing approved asymmetric cryptographic algorithms essential for safeguarding data against potential quantum-driven cyber threats. This list specifies the required cryptographic techniques for protecting data both in transit and at rest.
Among the endorsed algorithms are Elliptic Curve Diffie-Hellman (ECDH) for encrypting session keys, the Elliptic Curve Digital Signature Algorithm (ECDSA) for digital signature verification, and RSA for securely transporting encryption session keys. Notably, the ASD has established minimum security thresholds tailored to thwart attacks leveraging quantum capabilities, stating that encryption for classified data needs to meet varying bit standards depending on the sensitivity of the information.
For example, encryption for top-secret data must possess a minimum of 192 bits, while secret data requires at least 128 bits. Official, sensitive, and protected data mandates a baseline of 112 bits. These stipulations extend to non-classified data as well, emphasizing the need for robust encryption irrespective of data classification.
This initiative mirrors recent developments from the U.S. Department of Commerce, where NIST recently released recommendations featuring three encryption algorithms validated through extensive testing against quantum computing threats. NIST plans to disallow certain legacy algorithms by 2035, giving organizations a ten-year window to transition to more secure, post-quantum alternatives.
The algorithms facing sunset by NIST include ECDSA and EdDSA, both associated with 128 bits of security, and RSA signatures under the same strength constraints. The guidance specifically calls out vulnerable key establishment techniques, including 128-bit RSA, which could be susceptible to quantum attack methods.
While the advent of a usable quantum computer is projected to be a decade or more away, immediate action is deemed necessary to transition to post-quantum cryptography. The ASD pointed out the inherent risks posed by the “harvest-now, decrypt-later” threat model, where adversaries capture encrypted data today with the intent of decoding it once quantum capabilities mature.
Experts like Bill Buchanan, a professor of cryptography, note that Australia’s timeline further accelerates the urgency for organizations to adapt compared to NIST’s measures. Beyond the finalization of algorithm deadlines, the ASD encourages the shift towards High Assurance Cryptographic Equipment (HACE) to safeguard sensitive information more effectively against potential data breaches.
This strategic direction aligns with Australia’s broader National Cyber Security Strategy, which underscores the necessity to future-proof data security in light of rapid advances in quantum computing. Additionally, the National Quantum Strategy outlines government commitments to invest in quantum technology, ensuring that Australia emerges as a leader in quantum research and implementation of security technologies.
