Post-Quantum Cryptography: The CNSA 2.0 Migration Guide

The quantum threat is no longer theoretical. A technical breakdown of the NSA's CNSA 2.0 timeline and how to implement NIST's new PQC algorithms (ML-KEM, ML-DSA).

The Threat: Harvest Now, Decrypt Later

Why worry now? Even if a cryptographically relevant quantum computer (CRQC) is 5-10 years away, adversaries are scraping encrypted traffic today. Any long-lived secret (like diplomatic cables, military schematics, or PII) captured now will be readable the moment Q-Day arrives.

CNSA 2.0: The Mandatory Timeline

The NSA has issued the Commercial National Security Algorithm Suite 2.0 (CNSA 2.0), setting hard deadlines for National Security Systems to migrate away from RSA and ECC.

| System Type | Function | Deadline |
| --- | --- | --- |
| Software / Firmware Signing | Authentication | 2025 (Immediate Preference) |
| Web Browsers / Servers | Key Establishment | 2030 |
| Traditional Networking | VPN / IPSec | 2030 |
| Operating Systems | Full Suite | 2033 |

The New Standards: NIST FIPS 203, 204, & 205

After years of competition, NIST has standardized the winners. These are the algorithms you must implement:

1. ML-KEM (Module-Lattice-Based Key Encapsulation Mechanism)

Formerly Kyber. This is the new standard for Key Establishment (replacing ECDH). It is fast, has relatively small key sizes, and is suitable for TLS 1.3 handshakes.

2. ML-DSA (Module-Lattice-Based Digital Signature Algorithm)

Formerly Dilithium. The primary standard for Digital Signatures (replacing RSA/ECDSA). It offers balanced performance and security but has larger public keys/signatures than ECC.

3. SLH-DSA (Stateless Hash-Based Digital Signature Algorithm)

Formerly SPHINCS+. A backup signature algorithm. It is slower and has larger signatures but is based on different math (hash functions) than lattices, providing a safety net if lattice math is broken.

Implementation Strategy: Hybrid Mode

You should not simply "switch off" ECC/RSA immediately. The operational risk of a new algorithm implementation bug is higher than the immediate quantum risk.

The Solution: Hybrid Key Exchange, which combines a classical algorithm (X25519) with a post-quantum one (ML-KEM-768) in a single key share.

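// Conceptual TLS 1.3 Hybrid Key Share
// 0x11EC is the registered code point for X25519MLKEM768; 0x6399 belonged to
// the earlier X25519Kyber768Draft00 group. In X25519MLKEM768 the ML-KEM share
// comes first on the wire, followed by the X25519 share.
ClientHello {
    KeyShare entries: [
        group: X25519MLKEM768 (0x11EC)
        key_exchange: [
            1184 bytes ML-KEM-768 encapsulation (public) key
            ||
            32 bytes X25519 public key
        ]
    ]
}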

For an attacker to break this session, they must break BOTH the elliptic-curve exchange (classical) AND the module-lattice KEM (post-quantum).
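
An added example, not from the original article: a standard-library Python parser for the body of a ClientHello key_share extension that reports whether a client offers a hybrid group and splits the share into its two components. The function names and sample bytes are constructed for illustration; code point 0x11EC with the ML-KEM share first is the registered X25519MLKEM768 layout, and 0x6399 is the earlier X25519Kyber768Draft00 layout with X25519 first.

```python
import struct

# Wire layouts of hybrid named groups: code point -> (name, ordered parts).
# 0x11EC is the IANA value for X25519MLKEM768 (ML-KEM share first);
# 0x6399 is the older X25519Kyber768Draft00 (X25519 share first).
HYBRID_GROUPS = {
    0x11EC: ("X25519MLKEM768", [("mlkem768_ek", 1184), ("x25519_pub", 32)]),
    0x6399: ("X25519Kyber768Draft00", [("x25519_pub", 32), ("kyber768_pk", 1184)]),
}
CLASSICAL_GROUPS = {0x001D: "x25519", 0x0017: "secp256r1"}


def parse_key_shares(ext_data: bytes) -> list:
    """Parse a ClientHello key_share extension body (RFC 8446, section 4.2.8).

    Returns one dict per KeyShareEntry; hybrid shares are split into parts.
    Raises ValueError on truncation or a hybrid share of the wrong length.
    """
    if len(ext_data) < 2 or struct.unpack_from("!H", ext_data)[0] != len(ext_data) - 2:
        raise ValueError("client_shares length mismatch")
    entries, off = [], 2
    while off < len(ext_data):
        if off + 4 > len(ext_data):
            raise ValueError("truncated KeyShareEntry header")
        group, klen = struct.unpack_from("!HH", ext_data, off)
        share = ext_data[off + 4:off + 4 + klen]
        if len(share) != klen:
            raise ValueError("truncated key_exchange")
        off += 4 + klen
        name = CLASSICAL_GROUPS.get(group, f"unknown_0x{group:04x}")
        parts = {}
        if group in HYBRID_GROUPS:
            name, layout = HYBRID_GROUPS[group]
            if klen != sum(size for _, size in layout):
                raise ValueError(f"{name}: unexpected share length {klen}")
            pos = 0
            for label, size in layout:
                parts[label] = share[pos:pos + size]
                pos += size
        entries.append({"group": group, "name": name, "hybrid": bool(parts), "parts": parts})
    return entries


def build_sample() -> bytes:
    """Constructed sample: a hybrid share plus a classical x25519 fallback."""
    hybrid = b"\xaa" * 1184 + b"\xbb" * 32  # filler bytes, not real keys
    shares = struct.pack("!HH", 0x11EC, len(hybrid)) + hybrid
    shares += struct.pack("!HH", 0x001D, 32) + b"\xcc" * 32
    return struct.pack("!H", len(shares)) + shares
```

Run over captured handshakes, `parse_key_shares` gives a per-client inventory of who still sends classical-only shares, which is the population that remains exposed to harvest-now-decrypt-later collection.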

Alterra's Readiness

Alterra Solutions monitors these developments closely. Our Air-Gapped architectures are designed with Crypto-Agility in mind, allowing the seamless swap of cryptographic primitives as CNSA 2.0 deadlines approach, ensuring your defense systems remain compliant and secure for decades.