Menu
Home
People
Places
Arts
History
Plants & Animals
Science
Life & Culture
Technology
Reference.org
Commercial National Security Algorithm Suite
open-in-new
<p>The Commercial National Security Algorithm Suite (CNSA) is a set of cryptographic algorithms <a href="/facts/Promulgation/CxAc9l4d">promulgated</a> by the <a href="/facts/National_Security_Agency/Sg6MGV1o">National Security Agency</a> as a replacement for <a href="/facts/NSA_Suite_B_Cryptography/Q1VDGHJy">NSA Suite B Cryptography</a> algorithms. It serves as the cryptographic base to protect US National Security Systems information up to the <a href="/facts/Classified_information/og7wn3tD">top secret</a> level, while the NSA plans for a transition to <a href="/facts/Quantum-resistant_cryptography/1qeqUQve">quantum-resistant cryptography</a>. </p> <p>The 1.0 suite included: </p> <ul><li><a href="/facts/Advanced_Encryption_Standard/HdXGBY2Q">Advanced Encryption Standard</a> with 256 bit keys</li> <li><a href="/facts/Elliptic-curve_Diffie%25E2%2580%2593Hellman/zy3IJCeK">Elliptic-curve Diffie–Hellman</a> and <a href="/facts/Elliptic_Curve_Digital_Signature_Algorithm/gl0mfnS1">Elliptic Curve Digital Signature Algorithm</a> with curve <a href="/facts/P-384/2Ynargak">P-384</a></li> <li><a href="/facts/SHA-2/P59oPeGq">SHA-2</a> with 384 bits, <a href="/facts/Diffie%25E2%2580%2593Hellman_key_exchange/xR4YQcaD">Diffie–Hellman key exchange</a> with a minimum 3072-bit modulus, and</li> <li><a href="/facts/RSA_(cryptosystem)/XTzyfHuq">RSA</a> with a minimum modulus size of 3072.</li></ul> <p>The CNSA transition is notable for moving <a href="/facts/RSA_(cryptosystem)/XTzyfHuq">RSA</a> from a temporary <i>legacy</i> status, as it appeared in Suite B, to <i>supported</i> status. It also did not include the <a href="/facts/Digital_Signature_Algorithm/0o0FK486">Digital Signature Algorithm</a>. This, and the overall delivery and timing of the announcement, in the absence of post-quantum standards, raised considerable speculation about whether NSA had found weaknesses e.g. in elliptic-curve algorithms or others, or was trying to distance itself from an exclusive focus on ECC for non-technical reasons. </p> <h3>Version 2.0 Announcement</h3> <p>In September 2022, the NSA announced CNSA 2.0, which includes its first recommendations for post-quantum cryptographic algorithms. </p><p>CNSA 2.0 includes: </p> <ul><li><a href="/facts/Advanced_Encryption_Standard/HdXGBY2Q">Advanced Encryption Standard</a> with 256 bit keys</li> <li><a href="/facts/CRYSTALS-Kyber/FgSGHwCx">Module-Lattice-Based Key-Encapsulation Mechanism Standard (ML-KEM aka CRYSTALS-Kyber)</a> with parameter set ML-KEM-1024</li> <li><a href="/facts/Lattice-based_cryptography/66HyNf1P">Module-Lattice-Based Digital Signature Standard (ML-DSA aka CRYSTALS-Dilithium)</a> with parameter set ML-DSA-87</li> <li><a href="/facts/SHA-2/P59oPeGq">SHA-2</a> with 384 or 512 bits</li> <li>eXtended Merkle Signature Scheme (XMSS) and Leighton-Micali Signatures (LMS) with all parameters approved, with SHA256/192 recommended</li></ul> <p>Note that compared to CNSA 1.0, CNSA 2.0: </p> <ul><li>Suggests separate post-quantum algorithms (XMSS/LMS) for software/firmware signing for use immediately</li> <li>Allows SHA-512</li> <li>Announced the selection of CRYSTALS-Kyber and CRYSTALS-Dilithium early, with the expectation that they will be mandated only when the final standards and FIPS-validated implementations are released. <ul><li>RSA, Diffie-Hellman, and elliptic curve cryptography will be deprecated at that time.</li></ul></li></ul> <p>The CNSA 2.0 and CNSA 1.0 algorithms, detailed functions descriptions, specifications, and parameters are below: </p><p>CNSA 2.0 </p> <table><tbody><tr><th>Algorithm</th><th>Function</th><th>Specification</th><th>Parameters</th></tr><tr><td>Advanced Encryption Standard (AES)</td><td>Symmetric block cipher for information protection</td><td>FIPS PUB 197</td><td>Use 256-bit keys for all classification levels.</td></tr><tr><td>Module-Lattice-Based Key-Encapsulation Mechanism Standard (ML-KEM aka CRYSTALS-Kyber)</td><td>Asymmetric algorithm for key establishment</td><td>FIPS PUB 203</td><td>Use ML-KEM-1024 parameter set for all classification levels.</td></tr><tr><td>Module-Lattice-Based Digital Signature Standard (aka CRYSTALS-Dilithium)</td><td>Asymmetric algorithm for digital signatures</td><td>FIPS PUB 204</td><td>Use ML-DSA-87 parameter set for all classification levels.</td></tr><tr><td>Secure Hash Algorithm (SHA)</td><td>Algorithm for computing a condensed representation of information</td><td><a href="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf">FIPS PUB 180-4</a></td><td>Use SHA-384 or SHA-512 for all classification levels.</td></tr><tr><td>Leighton-Micali Signature (LMS)</td><td>Asymmetric algorithm for digitally signing firmware and software</td><td><a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-208.pdf">NIST SP 800-208</a></td><td>All parameters approved for all classification levels. SHA256/192 recommended.</td></tr><tr><td>Xtended Merkle Signature Scheme (XMSS)</td><td>Asymmetric algorithm for digitally signing firmware and software</td><td><a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-208.pdf">NIST SP 800-208</a></td><td>All parameters approved for all classification levels.</td></tr></tbody></table> <p>CNSA 1.0 </p> <table><tbody><tr><th>Algorithm</th><th>Function</th><th>Specification</th><th>Parameters</th></tr><tr><td>Advanced Encryption Standard (AES)</td><td>Symmetric block cipher for information protection</td><td><a href="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197.pdf">FIPS PUB 197</a></td><td>Use 256-bit keys for all classification levels.</td></tr><tr><td>Elliptic Curve Diffie-Hellman (ECDH) Key Exchange</td><td>Asymmetric algorithm for key establishment</td><td><a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf">NIST SP 800-56A</a></td><td>Use Curve P-384 for all classification levels.</td></tr><tr><td>Elliptic Curve Digital Signature Algorithm (ECDSA)</td><td>Asymmetric algorithm for digital signatures</td><td><a href="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf">FIPS PUB 186-4</a></td><td>Use Curve P-384 for all classification levels.</td></tr><tr><td>Secure Hash Algorithm (SHA)</td><td>Algorithm for computing a condensed representation of information</td><td><a href="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf">FIPS PUB 180-4</a></td><td>Use SHA-384 for all classification levels.</td></tr><tr><td>Diffie-Hellman (DH) Key Exchange</td><td>Asymmetric algorithm for key establishment</td><td><a href="https://datatracker.ietf.org/doc/html/rfc3526">IETF RFC 3526</a></td><td>Minimum 3072-bit modulus for all classification levels</td></tr><tr><td>[Rivest-Shamir-Adleman] RSA</td><td>Asymmetric algorithm for key establishment</td><td><a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Br2.pdf">FIPS SP 800-56B</a></td><td>Minimum 3072-bit modulus for all classification levels</td></tr><tr><td>[Rivest-Shamir-Adleman] RSA</td><td>Asymmetric algorithm for digital signatures</td><td><a href="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf">FIPS PUB 186-4</a></td><td>Minimum 3072-bit modulus for all classification levels</td></tr></tbody></table>