Quantum computers are advancing quickly, and their ability to break the encryption systems protecting our online transactions, digital signatures, and private communications is a growing concern. These powerful machines could weaken traditional security methods, putting critical data at risk. To address this, the National Security Agency (NSA) introduced the Commercial National Security Algorithm Suite 2.0 (CNSA 2.0) in September 2022, with ongoing updates to guide organizations toward quantum-resistant security.
This major transition, set to finish by 2035, requires updating systems to new standards that can withstand quantum attacks. Hybrid cryptography, which combines traditional and quantum-safe methods, is a key tool for this process. It protects against potential weaknesses in quantum-safe algorithms, keeps systems compatible with older ones, and allows a fallback to trusted traditional methods if problems occur. However, hybrid cryptography is not a reason to skip system upgrades; it is a temporary strategy to support the shift to CNSA 2.0’s quantum-safe standards.
What is CNSA 2.0?
CNSA 2.0 is the NSA’s plan to protect critical systems, especially National Security Systems (NSS), from quantum computers that could break traditional encryption methods like RSA or elliptic curve cryptography (ECC) using techniques such as Shor’s algorithm. It replaces CNSA 1.0, which was not designed for quantum threats, and uses post-quantum cryptography (PQC), relying on math problems that resist both regular and quantum attacks. The suite includes:
-
Symmetric-Key Algorithms
The Advanced Encryption Standard (AES) with 256-bit keys provides encryption with at least 128 bits of post-quantum security, strong enough to resist Grover’s algorithm, which reduces the effective strength of symmetric ciphers. The Secure Hash Algorithm (SHA) with SHA-384 (192-bit quantum-resistant security) or SHA-512 (256-bit security) ensures data integrity for hashing, maintaining protection against quantum attacks. These algorithms, carried over from CNSA 1.0, are quantum-safe when used correctly.
-
Software and Firmware Signing
The Leighton-Micali Signature (LMS) and eXtended Merkle Signature Scheme (XMSS), outlined in NIST SP 800-208, verify the authenticity of software and firmware. LMS with SHA-256/192 (192-bit post-quantum security) creates a hash-based structure with 2^20 signatures, each using a 192-bit hash for efficiency and security and is recommended for all security levels. XMSS uses a similar hash-based approach with comparable security.
-
Public-Key Algorithms
The Module-Lattice-based Key Encapsulation Mechanism (ML-KEM, based on CRYSTALS-Kyber-1024) supports secure key sharing, offering 256 bits of post-quantum security against advanced math attacks. It uses a public key of about 1,568 bytes and a ciphertext size of 1,568 bytes. The Module-Lattice-based Digital Signature Algorithm (ML-DSA, based on CRYSTALS-Dilithium-8) handles data signing, also providing 256-bit security, with a public key of 2,592 bytes and a signature size of 4,595 bytes. Both operate at Security Level V, the highest defined by NIST, for maximum protection.
These algorithms were standardized by NIST in August 2024 through FIPS 203 (ML-KEM) and FIPS 204 (ML-DSA), after a thorough global evaluation process that tested resistance to quantum attack methods. CNSA 2.0 focuses on NSS but offers a roadmap for commercial sectors to adopt quantum-safe practices for sensitive data.
Why Hybrid Cryptography Matters?
As an organization, you want to keep your data secure while preparing for a quantum future. Hybrid cryptography is your ally, blending trusted traditional methods, such as RSA-2048 (2048-bit modulus, ~256-byte public key) or ECDSA with NIST P-384 (384-bit curve, ~48-byte public key), with quantum-safe ones like ML-KEM or ML-DSA. This combination ensures that if a quantum-safe algorithm has an unexpected weakness, such as a new attack on its math structure, the traditional method keeps your data safe. It also allows your systems to work with others that have not yet adopted quantum-safe standards, ensuring smooth operations during the transition.
Hybrid cryptography addresses the “harvest now, decrypt later” threat, where adversaries collect encrypted data today to decrypt it with future quantum computers. By adding quantum-safe methods early, you reduce this risk significantly. However, hybrid cryptography is not a way to avoid upgrading your systems. It is a temporary approach to support the move to CNSA 2.0’s quantum-safe standards by 2035. If quantum-safe algorithms face compatibility issues or new weaknesses, you can fall back to traditional methods, giving you flexibility and security during this multi-year shift.
Where Hybrid Cryptography Makes an Impact?
Hybrid cryptography supports the adoption of quantum-safe security while keeping existing systems operational. It is a transitional tool, not a permanent solution, ensuring protection and compatibility with the option to revert to traditional methods if needed. The table below outlines its key applications, detailing the hybrid approach, technical specifics, and role in the CNSA 2.0 transition.
| Application Area | Cryptography Approach | Role in Transition |
|---|---|---|
| Software Updates and Signing | Combines traditional signatures (RSA-2048, ECDSA with NIST P-384) with quantum-safe signatures (LMS with SHA-256/192, XMSS). | Ensures authenticity across systems. Fallback to traditional signatures if LMS/XMSS fails due to weaknesses or compatibility. Supports full quantum-safe signing by 2030. |
| Websites and Secure Connections | Enables quantum-safe key sharing (ML-KEM-1024) alongside traditional methods (ECDH with NIST P-384). | Maintains secure connections with fallback to ECDH if ML-KEM has issues. Enables upgrades to quantum-safe protocols. |
| Virtual Private Networks (VPNs) | Combines traditional key sharing (256-bit ECDH) with quantum-safe methods (ML-KEM-1024). | Secures VPN tunnels with fallback to ECDH if ML-KEM falters. Supports quantum-safe key sharing by 2033. |
| Operating Systems | Integrates quantum-safe security (ML-KEM, ML-DSA) with traditional methods (RSA-2048, ECDSA) for APIs. | Provides immediate security with a fallback to traditional methods if needed. Aids with full quantum-safe integration. |
| Cloud and IoT Environments | Blends traditional encryption (AES-256) with quantum-safe methods (ML-KEM-1024). | Secures data with fallback to AES if ML-KEM underperforms, supporting gradual quantum-safe adoption. |
| Secure Communication Protocols | Enhances protocols with quantum-safe signatures (ML-DSA-8) and traditional ones (ECDSA). | Ensures reliable communication with fallback to ECDSA if ML-DSA fails. Supports quantum-safe protocols. |
| Supply Chain Security | Uses dual signatures (RSA-2048, ECDSA with LMS/XMSS) to verify component authenticity. | Maintains trust with fallback to traditional signatures if LMS/XMSS has issues. Supports quantum-safe adoption. |
Challenges of Hybrid Cryptography
Using hybrid cryptography comes with challenges that need careful handling:
- Complexity: Managing two encryption methods requires expertise in traditional systems (RSA’s number-based calculations, ECC’s curve-based calculations) and quantum-safe systems (ML-KEM’s advanced math operations). Mistakes in setting up keys, verifying signatures, or fallback processes could create security gaps, so thorough planning is essential.
- Testing Needs: Each method must be tested alone and together, checking security against indirect attacks (like timing or power analysis) and quantum-based attacks, performance (extra processing effort from dual calculations, e.g., ~2 ms for ML-DSA vs. ~0.2 ms for ECDSA), compatibility with existing systems, and fallback reliability. This takes significant time and effort.
- Key Size Issues: Quantum-safe methods like ML-KEM-1024 (1,568-byte public key, 1,568-byte ciphertext) and ML-DSA-8 (2,592-byte public key, 4,595-byte signature) use larger keys than traditional ones (RSA-2048: 256-byte public key; ECDSA P-384: 48-byte public key). These can conflict with system limits, such as TLS’s 16 KB handshake maximum, requiring careful adjustments.
- Resource Demands: Setting up hybrid systems requires considerable time, skilled staff, and computing power for key creation (ML-KEM’s math operations, ~1 ms), verification, and maintenance, potentially raising costs by 20-30% compared to single-method systems.
- Performance Impacts: Using two methods increases processing effort, with ML-KEM/ML-DSA adding ~1-2 ms per operation compared to RSA/ECDSA’s ~0.1-0.3 ms, slowing down systems, especially on resource-limited devices, so optimization like pre-calculated keys is needed.
NSA’s Recommendations for Hybrid Cryptography
The NSA sees hybrid cryptography as a short-term tool, with full CNSA 2.0 adoption targeted by 2035. Key goals include quantum-safe software signing by 2025, using LMS/XMSS, and key sharing by 2033, using ML-KEM. For NSS, single quantum-safe methods are preferred for their reliability, and hybrid approaches need explicit NSA approval, allowed only when single methods are not possible, such as in systems with key size limits (IKEv2, per RFC 8784, combining 256-bit ECDH with ML-KEM-1024).
RFC 8773 supports secure layering for TLS, enabling hybrid key sharing with pre-shared keys. The NSA requires hybrids to be tested for resistance to quantum and traditional attacks to ensure no weak points. Hybrids will be phased out by 2035, with systems moving to single quantum-safe methods, supported by regular NIST/NSA updates to address new attack methods on encryption.
Steps to Implement Hybrid Cryptography
To use hybrid cryptography effectively as a temporary tool, follow these practical steps:
- Work with Experts: Partner with cybersecurity professionals who understand both traditional and quantum-safe methods to set up hybrid systems and reliable fallback processes, reducing risks.
- Test Carefully: Test each encryption method (RSA’s number-based calculations, ML-DSA’s math-based signing) and their interactions, checking security against quantum and traditional attacks, performance like processing speed, compatibility with current systems, and fallback reliability.
- Follow NSA Advice: Stick to NSA recommendations, get approvals for critical system hybrids and align with CNSA 2.0 goals for security and compliance.
- Stay Updated: Keep track of NIST and NSA updates for changes in quantum-safe standards or new attack methods to keep your systems secure.
- Train Your Team: Teach your staff about traditional encryption (ECC’s curve-based calculations) and quantum-safe methods (ML-KEM’s advanced math) to handle hybrid systems and fallback processes well.
- Plan for Quantum-Safe Systems: Build systems that can easily switch to single quantum-safe methods by 2035, using flexible designs to phase out traditional methods.
- Check Performance: Monitor how larger quantum-safe keys (ML-DSA’s 4,595-byte signatures) and dual processing affect system speed, optimizing with techniques like pre-calculated keys for limited devices.
The Road Ahead
Hybrid cryptography supports a secure and compatible transition to CNSA 2.0, protecting against potential weaknesses in quantum-safe methods and keeping systems working together, with options to fall back to traditional methods. It is not a long-term solution; organizations must upgrade to single quantum-safe standards by 2035. By working with experts, testing carefully, and following NSA advice, you can manage this shift confidently. This transition builds stronger cybersecurity, preparing your organization for the quantum future while keeping trust and connectivity intact.
How Encryption Consulting Can Help?
Encryption Consulting helps enterprises and governments implement CNSA 2.0-aligned signing infrastructures with full PQC and hybrid crypto support. CodeSign Secure v3.02 supports PQC out of the box, giving organizations a head start in adapting to the next era of cryptography without sacrificing usability or performance. It’s a smart move now and a necessary one for the future.
Moving to CNSA 2.0 isn’t just about selecting the right algorithm. It’s about building an end-to-end code signing strategy that protects keys, automates workflows, enforces policy, and ensures compliance. That’s exactly what CodeSign Secure was built for.
Here’s how CodeSign Secure supports CNSA 2.0:
- LMS & XMSS-Ready: Already supports the post-quantum signature schemes required for software and firmware signing.
- HSM-Backed Key Protection: Your private keys stay protected inside FIPS 140-2 Level 3 HSMs, ensuring no exposure.
- State Tracking Built-In: Automatically manages state for LMS and XMSS to ensure every signature is compliant.
- DevOps Friendly: Integrates natively with Jenkins, GitHub Actions, Azure DevOps, and more.
- Policy-Driven Security: Use RBAC, multi-approver (M of N) sign-offs, and custom security policies to control every aspect of your code signing.
- Audit-Ready Logging: Get full visibility into every signing operation for easy reporting and compliance.
Whether you’re signing software for Windows, Linux, macOS, Docker, IoT devices, or cloud platforms, CodeSign Secure is ready to help you transition safely and efficiently.
Conclusion
The CNSA 2.0 transition is a major step to secure our digital world against quantum threats. Hybrid cryptography helps by offering a safety net against weaknesses in quantum-safe methods and ensuring compatibility, with fallback to traditional methods during system upgrades. Guided by NSA’s clear timelines and careful planning, organizations can achieve quantum readiness. This is more than technology, it is about keeping your data and operations secure in a quantum-aware world. Start preparing now to build a strong, secure future.
