CNSA 2.0 Compliance: A Practitioner Guide to Quantum-Safe Cryptography Migration

CNSA 1.0 (published 2015) established the previous NSA-approved algorithm suite: AES-256, SHA-384, RSA-3072+ or ECDSA P-384 for signing, ECDH P-384 or DH-3072+ for key exchange. These remain secure against classical computers but are vulnerable to Grover's algorithm (symmetric) and Shor's algorithm (public-key) running on a large-scale quantum computer.

CNSA 2.0 replaces the public-key components entirely:

The symmetric algorithms (AES-256, SHA-384) are retained because Grover's algorithm halves their effective key size: AES-256 provides approximately 128-bit post-quantum security, which NSA deems sufficient. RSA and ECC are eliminated entirely for long-term use cases because Shor's algorithm breaks them completely given sufficient qubits.

NIST's post-quantum cryptography standardization project selected algorithms from a 7-year international competition. The three primary standards finalized in August 2024 are:

FIPS 203: ML-KEM (Module-Lattice Key Encapsulation Mechanism)

Formerly CRYSTALS-Kyber. The primary quantum-safe algorithm for key establishment and key encapsulation. ML-KEM-1024 is the CNSA 2.0-specified variant (highest security parameter). Based on the Module Learning With Errors (MLWE) problem over structured lattices, believed hard for both classical and quantum computers.

Key performance note: ML-KEM is faster than ECDH in most implementations and produces manageable key and ciphertext sizes (1,568 bytes for ML-KEM-1024 public key + 1,568 bytes ciphertext), making it viable for TLS, SSH, and application-layer key exchange.

FIPS 204: ML-DSA (Module-Lattice Digital Signature Algorithm)

Formerly CRYSTALS-Dilithium. The primary quantum-safe algorithm for digital signatures. ML-DSA-87 is the CNSA 2.0-specified variant. Also based on MLWE. Signature sizes are larger than ECDSA (4,595 bytes for ML-DSA-87 vs. 64 bytes for P-256 ECDSA), which is relevant for high-volume signing use cases and certificate chains.

FIPS 205: SLH-DSA (Stateless Hash-Based Digital Signature Algorithm)

Formerly SPHINCS+. Hash-based signature scheme whose security relies only on properties of cryptographic hash functions, not lattice hardness assumptions. This is the conservative choice: if lattice problems prove breakable, SLH-DSA remains secure. Signature sizes are large (49,856 bytes for SLH-DSA-SHAKE-256f), making it suitable for software signing, certificate authorities, and code signing rather than high-frequency transaction signing.

NIST IR 8547: Deprecation Timeline

NIST IR 8547 (final) sets the deprecation schedule: RSA, ECDSA, ECDH, and DH are deprecated after 2030 and disallowed after 2035 for federal use.

The conventional framing of post-quantum cryptography as a future threat is incorrect for organizations with long-lived confidentiality requirements. Harvest-now-decrypt-later (HNDL) attacks change the threat timeline.

Nation-state adversaries, particularly those with the resources to eventually operate quantum computers, are collecting encrypted data today. NSA, CISA, and intelligence community assessments have consistently assessed that Russia and China are conducting large-scale collection of encrypted traffic from key exchange protocols, VPN traffic, and encrypted communications. The collection is happening now; the decryption capability is future-state.

Data at risk from HNDL:

• Long-term secrets: encryption keys, HSM seeds, master secrets
• Government classified communications (current NSS systems)
• Intellectual property and trade secrets with multi-decade value
• Health records (HIPAA retention requirements: 6-10 years; actual sensitivity: lifetime)
• Financial contracts and legal documents

Data NOT at risk from HNDL:

• Short-lived session keys (TLS sessions): by the time a quantum computer exists to break them, the data they protected has no remaining value
• Ephemeral key exchange using forward secrecy (PFS): TLS 1.3 with ECDHE already uses ephemeral keys; even if the long-term cert key is broken, past sessions are not compromised

Organizations should prioritize post-quantum migration for key establishment in long-lived data protection scenarios first, then certificate hierarchies and software signing, then general-purpose TLS.

NSA's CNSA 2.0 advisory specifies different timelines by product category. These apply to NSS systems but serve as a reference model for commercial organizations.

You cannot migrate what you have not inventoried. A cryptographic inventory (also called a cryptographic bill of materials or CBOM) catalogues every place cryptography is used in your environment.

What to inventory:

• TLS/SSL certificate usage: which certificates, what key types and sizes, what validity periods, where they are deployed
• Code signing certificates and infrastructure
• Data-at-rest encryption: key management systems, key rotation schedules, algorithm configuration
• VPN and IPsec configurations: IKE version, DH group, cipher suites
• SSH host keys and authorized key configurations
• Application-layer cryptography: custom implementations, JWTs, database encryption keys
• HSMs: make, model, firmware version, algorithm support

Tooling for cryptographic discovery:

• TLS scan: sslyze, testssl.sh, or commercial certificate management platforms to identify all external and internal TLS endpoints
• Code signing: audit code signing certificates in your CI/CD pipeline, firmware signing infrastructure, and software distribution systems
• Network scanning: nmap with TLS scripts to enumerate cipher suites across internal network segments

Prioritize by data sensitivity and longevity: systems protecting secrets with value beyond 10-15 years (government data, health records, IP) are highest priority. Short-lived session encryption is lowest priority because data collected today will have no value when quantum computers arrive.

The IETF, NIST, and NSA all recommend hybrid cryptography as the transition approach: combining a classical algorithm (ECDH, ECDSA) with a post-quantum algorithm (ML-KEM, ML-DSA) so that security depends on the hardness of both problems. If the post-quantum algorithm proves breakable by a classical computer attack (a risk during the standardization period), the classical component still provides security. If the classical component is broken by a quantum computer, the post-quantum component provides security.

Hybrid key exchange in TLS 1.3:

RFC 8446 (TLS 1.3) supports hybrid key exchange via the key_share extension. IETF draft hybrid TLS extensions define how to combine ML-KEM with X25519 or P-256. The combined shared secret is derived from both key exchange outputs via a KDF.

Chrome 124+ and Firefox 132+ have enabled X25519+ML-KEM hybrid key exchange by default, making hybrid TLS the practical standard for browser traffic. Server-side support requires OpenSSL 3.x with liboqs integration or BoringSSL (used by Google).

Hybrid certificates:

X.509 hybrid certificate formats are under IETF standardization. In practice, running dual certificate hierarchies, a classical PKI for compatibility and a post-quantum PKI for systems that support it, is the near-term approach before hybrid certificate standards are widely deployed.