Between now and quantum
The National Security Agency has stated clearly that they believe this is the time to start moving to quantum-resistant encryption. Even the most optimistic enthusiasts for quantum computing believe that practical quantum computers are years away, but so is the standardization of post-quantum encryption methods.
The NSA has also made some suggestions for what to do in the meantime [1]. Last year the agency replaced its Suite B cryptography recommendations with the CNSA: Commercial National Security Algorithm Suite.
In a nutshell: use well-established methods for now but with longer keys.
In a little larger nutshell, the recommendations are:
- SHA-384 for secure hashing
- AES-256 for symmetric encryption
- RSA with 3072-bit keys for digital signatures and for key exchange
- Diffie-Hellman (DH) with 3072-bit keys for key exchange
- Elliptic curve P-384, both for key exchange (ECDH) and for digital signatures (ECDSA)
Each of these represents a 50% or 100% increase in key length:
- from 128 to 256 for AES
- from 256 to 384 for hashing and ECC
- from 2048 to 3072 for RSA and DH.
If these are just stopgap measures, why not jump straight to quantum-resistant methods? There are quantum-resistant encryption methods available, but most of them haven't been studied that long. As Koblitz and Menezes put it,
"most quantum-resistant systems that have been proposed are complicated, have criteria for parameter selection that are not completely clear, and in some cases (such as NTRU) have a history of successful attacks on earlier versions."
Some methods do have a long history but have other drawbacks. Robert McEliece's encryption method, for example, dates back to 1978 and has held up well, but it requires a megabyte key to achieve 128-bit security. There is a variation on McEliece's method that has radically smaller keys, but it's only been around for six years. In short, the dust hasn't settled regarding post-quantum encryption methods.
[1] People are naturally suspicious of algorithm recommendations coming from the NSA. Wouldn't the agency like for everyone to use encryption methods that it could break? Of course. But the agency also wants US companies and government agencies to use encryption methods that foreign agencies cannot break.
There's little downside to using established methods with longer keys. However, key length may not be the weakest link. If you're vulnerable to timing attacks, for example, doubling your key length may create a false sense of security.
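
The timing-attack caveat above, as an added example that is not from the original post: an early-exit comparison of an HMAC tag examines more bytes the more leading bytes of a guess are correct, and that profile is the same for a SHA-256 tag and a SHA-384 tag, so the longer digest does not remove the leak while a constant-time comparison does. The MAC-verification setting, the key, the message and the function names are assumptions chosen for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"        # constructed sample key, not a real secret
MESSAGE = b"amount=100&to=alice"     # constructed sample message


def tag(message, digest="sha384"):
    """HMAC tag; SHA-384 is the CNSA hash, SHA-256 the older level."""
    return hmac.new(KEY, message, digest).digest()


def leaky_equal(a, b):
    """Early-exit comparison. Returns (equal, bytes_examined).

    bytes_examined stands in for running time: it grows with the number
    of leading bytes that match, which is what a timing side channel exposes.
    """
    if len(a) != len(b):
        return False, 0
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return False, i + 1
    return True, len(a)


def verify(message, candidate, digest="sha384"):
    """Hardened check: compare_digest does not stop at the first mismatch."""
    return hmac.compare_digest(tag(message, digest), candidate)


def work_profile(digest):
    """Bytes examined by leaky_equal when 0, 1 and 2 leading bytes are correct."""
    good = tag(MESSAGE, digest)
    profile = []
    for n in range(3):
        wrong = bytes(b ^ 0xFF for b in good[n:])   # every remaining byte differs
        profile.append(leaky_equal(good, good[:n] + wrong)[1])
    return profile


if __name__ == "__main__":
    for d in ("sha256", "sha384"):
        bits = len(tag(MESSAGE, d)) * 8
        print(d, bits, "bit tag, early-exit work profile:", work_profile(d))
```
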