US Govt.’s NIST finalises post-quantum encryption measures
The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) has finalised its principal set of encryption algorithms designed to withstand cyberattacks from a quantum computer.
Researchers around the world are racing to build quantum computers that would operate in radically different ways from ordinary computers and could break the current encryption that provides security and privacy for just about everything we do online. The algorithms announced are specified in the first completed standards from NIST’s post-quantum cryptography (PQC) standardisation project, and are ready for immediate use.
The three new standards are built for the future. Quantum computing technology is developing rapidly, and some experts predict that a device with the capability to break current encryption methods could appear within a decade, threatening the security and privacy of individuals, organisations and entire nations.
“The advancement of quantum computing plays an essential role in reaffirming America’s status as a global technological powerhouse and driving the future of our economic security,” said Deputy Secretary of Commerce Don Graves. “Commerce bureaus are doing their part to ensure U.S. competitiveness in quantum, including the National Institute of Standards and Technology, which is at the forefront of this whole-of-government effort. NIST is providing invaluable expertise to develop innovative solutions to our quantum challenges, including security measures like post-quantum cryptography that organisations can start to implement to secure our post-quantum future. As this decade-long endeavour continues, we look forward to continuing Commerce’s legacy of leadership in this vital space.”
The standards — containing the encryption algorithms’ computer code, instructions for how to implement them, and their intended uses — are the result of an eight-year effort managed by NIST, which has a long history of developing encryption. The agency has rallied the world’s cryptography experts to conceive, submit and then evaluate cryptographic algorithms that could resist the assault of quantum computers. The nascent technology could revolutionise fields from weather forecasting to fundamental physics to drug design, but it carries threats as well.
“Quantum computing technology could become a force for solving many of society’s most intractable problems, and the new standards represent NIST’s commitment to ensuring it will not simultaneously disrupt our security,” said Under Secretary of Commerce for Standards and Technology and NIST Director Laurie E. Locascio. “These finalised standards are the capstone of NIST’s efforts to safeguard our confidential electronic information.”
Encryption carries a heavy load in a modern digitised society. It protects countless electronic secrets, such as the contents of email messages, medical records and photo libraries, as well as information vital to national security. Encrypted data can be sent across public computer networks because it is unreadable to all but its sender and intended recipient.
Encryption tools rely on complex math problems that conventional computers find difficult or impossible to solve. A sufficiently capable quantum computer, though, would be able to sift through a vast number of potential solutions to these problems very quickly, thereby defeating current encryption. The algorithms NIST has standardised are based on different math problems that would stymie both conventional and quantum computers.
“These finalised standards include instructions for incorporating them into products and encryption systems,” said NIST mathematician Dustin Moody, who heads the PQC standardisation project. “We encourage system administrators to start integrating them into their systems immediately because full integration will take time.”
Moody said that these standards are the primary tools for general encryption and protecting digital signatures.
NIST also continues to evaluate two other sets of algorithms that could one day serve as backup standards.
One of these sets consists of three algorithms designed for general encryption but based on a different type of math problem than the general-purpose algorithm in the finalised standards. NIST plans to announce its selection of one or two of these algorithms by the end of 2024.
The second set includes a larger group of algorithms designed for digital signatures. In order to accommodate any ideas that cryptographers may have had since the initial 2016 call for submissions, NIST asked the public for additional algorithms in 2022 and has begun a process of evaluating them. In the near future, NIST expects to announce about 15 algorithms from this group that will proceed to the next round of testing, evaluation and analysis.
While analysis of these two additional sets of algorithms will continue, Moody said that any subsequent PQC standards will function as backups to the three that NIST announced today.
“There is no need to wait for future standards,” he said. “Go ahead and start using these three. We need to be prepared in case of an attack that defeats the algorithms in these three standards, and we will continue working on backup plans to keep our data safe. But for most applications, these new standards are the main event.”
While there have been no substantive changes made to the standards since the draft versions, NIST has changed the algorithms’ names to specify the versions that appear in the three finalised standards, which are:
- Federal Information Processing Standard (FIPS) 203, intended as the primary standard for general encryption. Among its advantages are comparatively small encryption keys that two parties can exchange easily, as well as its speed of operation. The standard is based on the CRYSTALS-Kyber algorithm, which has been renamed ML-KEM, short for Module-Lattice-Based Key-Encapsulation Mechanism.
- FIPS 204, intended as the primary standard for protecting digital signatures. The standard uses the CRYSTALS-Dilithium algorithm, which has been renamed ML-DSA, short for Module-Lattice-Based Digital Signature Algorithm.
- FIPS 205, also designed for digital signatures. The standard employs the SPHINCS+ algorithm, which has been renamed SLH-DSA, short for Stateless Hash-Based Digital Signature Algorithm. The standard is based on a different math approach than ML-DSA, and it is intended as a backup method in case ML-DSA proves vulnerable.
Similarly, when the draft FIPS 206 standard built around FALCON is released, the algorithm will be dubbed FN-DSA, short for FFT (fast-Fourier transform) over NTRU-Lattice-Based Digital Signature Algorithm.
Dr Ali El Kaafarani, CEO and founder of PQShield, commented: “By ratifying and publishing its post-quantum cryptography standards, NIST is triggering the biggest and most significant cybersecurity transition in history.
“In every industry, the cryptography that keeps data, devices, connections and components secure must now be modernised in line with the new standards.
“The transition to quantum security will protect critical national infrastructure, and will make the entire technology supply chain more secure for decades to come – but modernising vital security systems and components won’t happen overnight. With the threat of ‘harvest-now-decrypt-later’ attacks, organisations that haven’t already started planning for post-quantum cryptography are already behind.
“This is an exciting moment for cryptographers like us, who worked to shape the new standards. It’s now our duty and responsibility to get the algorithms into the hands of more organisations, so they can keep us all one step ahead of the attackers.”