The world’s first post-quantum cryptography standards have been formalized by the US National Institute of Standards & Technology (NIST).
The standards provide organizations with a framework to secure systems and data against future quantum threats.
The announcement comes nearly a year after NIST published three draft Federal Information Processing Standards (FIPS), the post-quantum cryptographic algorithms selected following a process that began in December 2016.
Quantum computers are predicted to develop to a stage where they can break existing encryption algorithms in the next five to 10 years, leaving all digital information exposed.
The new NIST standards are designed to help organizations transition to quantum-secure encryption before the ‘Q-Day’ event occurs.
Three Post-Quantum Cryptography Standards
Following a public consultation on the draft document, NIST has finalized the algorithms and released them as official post-quantum cryptography standards:
- Module-Lattice-Based Key-Encapsulation Mechanism Standard (FIPS 203). A key-encapsulation mechanism (KEM) is a set of algorithms that, under certain conditions, can be used by two parties to establish a shared secret key over a public channel. A shared secret key that is securely established using a KEM can then be used with symmetric-key cryptographic algorithms to perform basic tasks in secure communications, such as encryption and authentication.
- Module-Lattice-Based Digital Signature Standard (FIPS 204). These digital signatures are used to detect unauthorized modifications to data and to authenticate the identity of the signatory. In addition, the recipient of signed data can use a digital signature as evidence in demonstrating to a third party that the signature was, in fact, generated by the claimed signatory.
- Stateless Hash-Based Digital Signature Standard (FIPS 205). This standard specifies the stateless hash-based digital signature algorithm (SLH-DSA). Digital signatures are used to detect unauthorized modifications to data and to authenticate the identity of the signatory. In addition, the recipient of signed data can use a digital signature as evidence in demonstrating to a third party that the signature was, in fact, generated by the claimed signatory.
The standards contain the encryption algorithms’ computer code, instructions for how to implement them and their intended uses. The algorithms are all available for immediate use.
During an IBM press briefing about the new standards, Dr Lily Chen, Mathematician and Leader of NIST's Cryptographic Technology Group, highlighted the importance of the publication.
She explained that while advances in quantum computing will bring huge benefits in areas like scientific research, they bring the potential for “catastrophic” cyber-attacks to current public key cryptography systems.
The algorithms are designed to be used on all types of devices, including smartphones and laptops, as well as all areas of the internet.
Chen praised the cross-industry collaboration in developing the standards, between government, industry and academia.
“This has been a long journey, it’s not been easy to get to this situation after eight years since 2016,” added Chen.
How to Transition to Quantum-Secure Cryptography
Dr Ali El Kaafarani, CEO and founder of PQShield, believes the NIST standards will trigger the biggest and most significant cybersecurity transition in history.
“In every industry, the cryptography that keeps data, devices, connections and components secure must now be modernized in line with the new standards,” he said.
During the IBM briefing, Dr Vadum Lyubashevsky, cryptography researcher at IBM, which helped develop two of the cryptographic algorithms, advised organizations use the new post-quantum standards in conjunction with existing standards to enable a smooth transition.
“Once quantum computers are powerful enough to break Rivest–Shamir–Adleman (RSA) encryption, having RSA protecting anything will be useless. But until that time, it is useful to have both algorithms protecting our data.”
Read now: How to Pave the Way for Quantum-Secure Encryption
The new standards encapsulate two different types of post-quantum algorithms – digital signatures and key encapsulation. These have slightly different use cases.
Dr Joost Renes, Principal Cryptographer at NXP Semiconductors, explained that it is important that organizations ensure there is “cryptographic agility” in the deployment of these algorithms, meaning if system security requirements change, these changes can be made in a post-quantum secure way.
Organizations Urged to Begin Transition Now
NIST Mathematician Dustin Moody urged system administrators to start integrating the finalized standards into their systems immediately, because full integration will take time.
He added that NIST continues to evaluate two other sets of algorithms that could one day serve as backup standards, in the unlikely event the maths equations contained in the three algorithms can be overcome by quantum computers.
“There is no need to wait for future standards. Go ahead and start using these three. We need to be prepared in case of an attack that defeats the algorithms in these three standards, and we will continue working on backup plans to keep our data safe. But for most applications, these new standards are the main event,” said Moody.
Additionally, while Q-Day may still be some years away, Richard Marty, Chief Technology Officer at LGT Financial Services, emphasized that making the transition to quantum-secure cryptography should be done as soon as possible.
This is due to the risk of “harvest now, decrypt later” attacks, whereby threat actors steal encrypted data with a view to decrypting it later on once quantum computers are ready.
This is especially pertinent in critical sectors like finance, given the sensitive nature of the data held.
“We want to implement solutions as early as possible to specifically address the threat of harvest now decrypt later. The less old our data is once Q-Day happens, the better our standing in the market, and we can keep up that trust with our clients,” explained Marty.