Today the Linux Foundation announced the launch of the Post-Quantum Cryptography Alliance (PQCA), an open and collaborative initiative to drive the advancement and adoption of post-quantum cryptography. The PQCA brings together industry leaders, researchers and developers to address cryptographic security challenges posed by quantum computing, through the production of high-assurance software implementations of standardized algorithms, while supporting the continued development and standardization of new post-quantum algorithms.
The OpenSSF looks forward to closely collaborating with PQCA, so that high-assurance implementations of post-quantum algorithms will be widely adopted along with the application of other best practices to provide strong security.
What is the PQCA?
With the rapid advancements in quantum computing, the need for robust cryptographic solutions that can withstand attacks from future cryptographically-relevant quantum computers has become paramount. The PQCA aims to be the central foundation for organizations and open source projects seeking production-ready libraries and packages to support their alignment with the U.S. National Security Agency’s Cybersecurity Advisory concerning the Commercial National Security Algorithm Suite 2.0. The PQCA will support the advancement of securing sensitive data and communications in the post-quantum era.
The PQCA will engage in various technical projects to support its objectives, including the development of software for evaluating, prototyping, and deploying new post-quantum algorithms. By providing these software implementations, the foundation seeks to facilitate the practical adoption of post-quantum cryptography across different industries.
How will OpenSSF and PQCA work together?
OpenSSF is a community of software developers and security engineers who are working together to secure open source software for the greater public good. The OpenSSF often partners with other groups to meet this broader challenge. PQCA is taking the lead on high-assurance implementation of post-quantum cryptography algorithms, as this is an important yet specialized area that most developers aren’t prepared to address.
The OpenSSF will focus on how to develop secure open source software more generally, including how to properly use these cryptographic algorithms and implementations. OpenSSF generally recommends that software developers not create their own cryptographic algorithms and implementations, but instead use ones that have been developed specifically for the task and are carefully evaluated. The OpenSSF Secure Software Development Fundamentals course already discusses the use of cryptographic algorithms, including recommendations on how to properly use post-quantum cryptography. As PQCA develops these implementations, we anticipate providing more specific guidance on their use. In addition, many vulnerabilities have nothing to do with inadequate cryptography, but instead involve other common kinds of vulnerabilities such as buffer overflows, SQL injection, and cross-site scripting (XSS). These vulnerabilities are exacerbated by other problems such as failing to design for security, failing to evaluate reusable software for security, inadequate testing, poor protection of build environments, and not preparing to receive vulnerability reports. The OpenSSF will continue to take steps to broadly help developers produce and select more secure open source software (OSS).
By working together, we can improve the security of the software we all depend on.