Common Criteria PQC Evaluation Guide

Common Criteria Evaluation Guide for Post-Quantum Cryptography

Understanding Common Criteria evaluation requirements and preparing for post-quantum cryptographic product certification.

Note: This guide provides an overview of Common Criteria evaluation in the context of post-quantum cryptography. As standards evolve, this information will be updated.

Common Criteria Overview

The Common Criteria for Information Technology Security Evaluation (Common Criteria or CC) is an international standard (ISO/IEC 15408) for computer security certification. It provides a framework for evaluating the security properties of IT products and systems.

Key Points About Common Criteria

Internationally recognized standard for IT security evaluation
Provides assurance that the specification, implementation, and evaluation of a product have been conducted in a rigorous manner
Used by governments and organizations worldwide to assess the security of IT products
Defines Evaluation Assurance Levels (EALs) from EAL1 to EAL7, with increasing levels of assurance
Supports Protection Profiles (PPs) that specify security requirements for specific types of products

Evaluation Assurance Levels (EALs)

EAL	Description
EAL1	Functionally tested
EAL2	Structurally tested
EAL3	Methodically tested and checked
EAL4	Methodically designed, tested, and reviewed
EAL5	Semi-formally designed and tested
EAL6	Semi-formally verified design and tested
EAL7	Formally verified design and tested

Important: Achieving higher EALs requires significant resources and time. Organizations should carefully consider their security needs and the level of assurance required.

Common Criteria and Post-Quantum Cryptography

As post-quantum cryptographic standards are developed, Common Criteria evaluations will need to incorporate these new algorithms. This section outlines the current status and future expectations for PQC in Common Criteria evaluations.

Current Status

Status Update: As of 2023, post-quantum cryptographic algorithms are being considered for inclusion in Common Criteria evaluations. The formal integration of these algorithms is expected as standards are finalized.

Transition Timeline

2022-2023: Initial consideration of PQC algorithms
Completed
2023-2024: Development of Protection Profiles for PQC
In progress
2024-2025: Formal integration of PQC into Common Criteria evaluations
Planned
2025-2026: First Common Criteria evaluations for PQC products
Planned
2026-2030: Gradual transition and deprecation of quantum-vulnerable algorithms
Planned

Implementation Approaches

Current Options for Organizations

Hybrid Implementations: Combine current Common Criteria-approved algorithms with PQC algorithms
Parallel Testing: Implement PQC in non-production environments while maintaining Common Criteria compliance in production
Algorithm Agility: Design systems to easily swap cryptographic algorithms when PQC becomes Common Criteria-approved
Vendor Engagement: Work with vendors who are actively participating in PQC standardization and Common Criteria evaluations

Until PQC algorithms are approved for use in Common Criteria evaluations, they cannot be used as the sole cryptographic protection in systems requiring Common Criteria certification.

Preparing for Common Criteria PQC Evaluation

Organizations developing products that will eventually require Common Criteria evaluation with post-quantum algorithms should begin preparation now. This section outlines key considerations and steps.

Documentation Requirements

Common Criteria evaluation requires extensive documentation. For PQC products, prepare:

Security Target: Detailed documentation of the product's security features, objectives, and evaluation criteria
Design Documentation: Architecture, design, and implementation details
Testing Documentation: Test plans, procedures, and results
Vendor Evidence: Documentation demonstrating compliance with each applicable Common Criteria requirement
Administrative Documentation: User and administrator guidance

Testing Considerations

Testing for Common Criteria evaluation with PQC will include:

Algorithm Testing: Verification that algorithm implementations produce expected outputs for given inputs
Interface Testing: Validation of all product interfaces and services
Self-Test Verification: Confirmation that power-up and conditional self-tests function correctly
Side-Channel Analysis: Assessment of resistance to timing, power, and electromagnetic side-channel attacks
Performance Testing: Evaluation of product performance under various conditions

Hybrid Cryptography Considerations

During the transition period, hybrid approaches combining classical and post-quantum algorithms will be common. For Common Criteria evaluation:

Aspect	Consideration	Recommendation
Algorithm Composition	How classical and PQC algorithms are combined	Document the composition method and security analysis. Consider standards like IETF Hybrid Key Exchange.
Key Management	Managing both classical and PQC keys	Ensure the product handles both key types securely and documents key lifecycle management for both.
Performance Impact	Additional computational and memory requirements	Document performance characteristics and ensure they meet operational requirements.
Validation Scope	Which algorithms are included in evaluation	Initially, only the classical algorithms will be evaluated. Document PQC algorithms as "non-approved but allowed."

Common Criteria PQC Evaluation Checklist

Use this checklist to track your organization's progress toward Common Criteria evaluation with post-quantum cryptography:

#	Task	Status	Timeline
1	Cryptographic Inventory Assessment Identify all cryptographic components and algorithms in use	Not Started	Immediate
2	Risk Assessment Evaluate quantum threat timeline for your specific applications	Not Started	Immediate
3	Algorithm Selection Select appropriate PQC algorithms based on emerging standards	Not Started	When standards finalized
4	Transition Strategy Development Create a plan for transitioning to PQC while maintaining Common Criteria compliance	Not Started	1-3 months
5	Vendor Engagement Engage with vendors about their PQC roadmaps and Common Criteria plans	Not Started	Ongoing
6	Implementation Testing Test PQC implementations in non-production environments	Not Started	3-6 months
7	Documentation Preparation Prepare documentation required for Common Criteria evaluation	Not Started	6-12 months
8	Laboratory Selection Select an accredited testing laboratory for Common Criteria evaluation	Not Started	When ready for evaluation
9	Evaluation Testing Submit product for testing and address any issues	Not Started	When PQC is Common Criteria-approved
10	Ongoing Compliance Maintain compliance through algorithm and product updates	Not Started	Continuous

Pro Tip: Start with a hybrid approach that maintains current Common Criteria compliance while preparing for the transition to PQC. This allows you to gain experience with PQC while meeting current regulatory requirements.

Resources and References

Official Documentation

Common Criteria Portal

Official Common Criteria website with resources and updates

Common Criteria Standard

ISO/IEC 15408 standard for IT security evaluation

Protection Profiles

List of approved Protection Profiles for various product categories

Implementation Guidance

Common Criteria Part 1

Introduction and general model

Common Criteria Part 2

Security functional components

Common Criteria Part 3

Security assurance components

Testing Laboratories

Common Criteria evaluation requires testing by an accredited laboratory. The following laboratories have experience with cryptographic evaluation:

North America

Europe

Asia-Pacific

Note: For the most current list of accredited laboratories, visit the Common Criteria Laboratories page.

Need Expert Guidance on Common Criteria PQC Evaluation?

Our team of quantum security experts is available to provide personalized guidance for your organization's Common Criteria evaluation strategy.

Book a Consultation