The National Institute of Standards and Technology (NIST) has selected four candidate algorithms to form the basis of future data-protection technologies that resist attack by quantum computers, the US science agency said on July 5.
NIST has also advanced four other candidates for additional scrutiny and has called for more proposals for digital signature algorithms by the end of summer.
Security experts have warned that practical quantum computers, which could be less than a decade away, could break today's widely used public-key algorithms, such as RSA and elliptic curve cryptography, hence the need for post-quantum cryptography (PQC). The selection is part of a long standardization process that will continue, likely resulting in actual standardized algorithms in 2024.
Once the PQC algorithms are turned into a final standard, companies would be advised to use the recommendations, says Dustin Moody, a mathematician in the computer security division at NIST.
"The point of our standardization project was to identify the most promising solutions, and we feel we've done that," he says. "We expect the algorithms we standardize will be widely adopted and implemented by industry and around the world."
Quantum Looms to Break Encryption
The selection of the four algorithms marks the latest milestone in the effort to future-proof current data-security measures against what is sometimes known as the "store-and-break threat," more commonly called "harvest now, decrypt later." The problem is not just whether adversaries can decrypt a message today, but whether they can develop the ability to decrypt it in the future. A classified message sent today that must stay secret for the next 30 years can be captured and stored now, then decrypted once a computer capable of breaking its key exchange exists.
For that reason, experts are looking to the future. In March, for example, the Quantum-Safe Working Group of the Cloud Security Alliance (CSA) set a deadline of April 14, 2030, by which companies should have their post-quantum infrastructure in place. The date is admittedly arbitrary, but the CSA stated in March that technical experts expect a quantum computer able to decrypt current encryption methods, using a well-known algorithm invented by mathematician Peter Shor, to exist around that time.
While current public-key cryptography is computationally infeasible to break with today's classical computers, Shor's algorithm on a large enough quantum computer solves the integer-factoring and discrete-logarithm problems that RSA, elliptic curve cryptography, and Diffie-Hellman key exchange rest on. Symmetric ciphers and hash functions such as AES and SHA-2 are not broken outright; Grover's algorithm only roughly halves their effective key length, so larger keys suffice there.
"Today, data of long-term value encrypted by traditional cryptography is already at risk to quantum," Jim Reavis, co-founder and CEO of the Cloud Security Alliance, said in the March statement. "In the near future, any type of sensitive data will be at risk. There are solutions, and the time is now to prepare for a quantum-safe future."
4 Promising Post-Quantum Algorithms
The four algorithms selected for standardization serve different purposes. The two primary algorithms, CRYSTALS-Kyber and CRYSTALS-Dilithium, named in a nod to popular science fiction after types of crystals in Star Wars and Star Trek, respectively, are recommended by NIST for use in most applications: Kyber is a key-encapsulation mechanism (KEM) for establishing shared secret keys, and Dilithium is a digital signature scheme. Two other algorithms, FALCON and SPHINCS+, also advanced as candidates for digital signatures.
Three of the four algorithms (Kyber, Dilithium, and FALCON) are based on mathematics known as structured lattices, which can be computed at speeds comparable to current encryption, says NIST's Moody. SPHINCS+, the fourth, relies only on hash functions and was chosen as a backup built on a different mathematical assumption.
"In comparison with current algorithms like RSA or ECC, lattice algorithms are just as fast if not faster when comparing things like key generation, encryption, decryption, digital signing, and verification," he says. "They do have larger public key and ciphertext and signature sizes than the existing algorithms, which may potentially be a challenge when incorporating them into applications and protocols."
The selection of multiple algorithms is a necessity in the post-quantum world, says Duncan Jones, head of cybersecurity for quantum-computing firm Quantinuum.
"Unlike today's algorithms, such as RSA or elliptic curve cryptography (ECC), these new post-quantum algorithms cannot be used for both encryption and data signing," he said in a statement sent to Dark Reading. "Instead, they are used for only one task or another. This means we will be replacing a single algorithm, such as RSA, with a pair of different algorithms."
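To make the KEM role described above concrete, and to show where the larger key and ciphertext sizes Moody mentions come from, here is an added illustration that is not code from the article, from NIST or from the Kyber team. It is a toy plain-LWE (unstructured lattice) encapsulation mechanism with the same three-operation interface Kyber exposes in place of Diffie-Hellman: keygen, encaps, decaps. The parameters N, Q and the {-1, 0, 1} noise are my assumptions for a readable, fast demo and are far too small to be secure; Kyber uses 256-coefficient polynomial rings, centred binomial noise, and a re-encryption check for chosen-ciphertext security, all omitted here.

```python
"""Toy plain-LWE KEM. Added illustration, NOT Kyber, NOT secure."""
import hashlib
import secrets

N = 64        # LWE dimension (assumption: tiny for speed; Kyber uses k*256)
Q = 3329      # modulus, same as Kyber's so per-coefficient sizes compare
NBITS = 256   # bits of shared-secret seed; one LWE ciphertext per bit here


def small():
    """Secret/error coefficient sampled uniformly from {-1, 0, 1}."""
    return secrets.randbelow(3) - 1


def dot(a, b):
    return sum(x * y for x, y in zip(a, b)) % Q


def keygen():
    """pk = (A, b = A*s + e), sk = s. Hardness: recovering s from (A, b)."""
    A = [[secrets.randbelow(Q) for _ in range(N)] for _ in range(N)]
    s = [small() for _ in range(N)]
    e = [small() for _ in range(N)]
    b = [(dot(row, s) + ei) % Q for row, ei in zip(A, e)]
    return (A, b), s


def encrypt_bit(At, b, m):
    """Regev encryption of one bit: u = A^T r + e1, v = b.r + e2 + m*Q/2."""
    r = [small() for _ in range(N)]
    u = [(dot(col, r) + small()) % Q for col in At]
    v = (dot(b, r) + small() + m * (Q // 2)) % Q
    return u, v


def decrypt_bit(s, ct):
    """v - s.u = e.r + e2 - s.e1 + m*Q/2; |noise| <= 2N+1 < Q/4, so round."""
    u, v = ct
    d = (v - dot(s, u)) % Q
    return 1 if Q // 4 < d < 3 * Q // 4 else 0


def kdf(m_bits, cts):
    """Shared key = H(m || ciphertext): binds K to the exact ciphertext."""
    h = hashlib.sha3_256(bytes(m_bits))
    for u, v in cts:
        h.update(b"".join(x.to_bytes(2, "big") for x in u + [v]))
    return h.digest()


def encaps(pk):
    """Sender: pick random m, encrypt it under pk, derive K. Returns (ct, K)."""
    A, b = pk
    At = [list(col) for col in zip(*A)]      # transpose once, not per bit
    m_bits = [secrets.randbelow(2) for _ in range(NBITS)]
    cts = [encrypt_bit(At, b, bit) for bit in m_bits]
    return cts, kdf(m_bits, cts)


def decaps(sk, cts):
    """Receiver: decrypt m, re-derive K. (Kyber also re-encrypts and compares,
    the Fujisaki-Okamoto transform, before releasing K; omitted here.)"""
    m_bits = [decrypt_bit(sk, ct) for ct in cts]
    return kdf(m_bits, cts)


def sizes():
    """Bytes on the wire with 12-bit coefficient packing (no seed trick)."""
    coeff = 12 / 8
    return {
        "public_key": int((N * N + N) * coeff),
        "ciphertext": int(NBITS * (N + 1) * coeff),
        "shared_secret": 32,
    }


if __name__ == "__main__":
    pk, sk = keygen()
    ct, k_sender = encaps(pk)
    print("keys agree:", k_sender == decaps(sk, ct), sizes())
```

Even this toy sends kilobytes where X25519 sends a 32-byte public key and a 32-byte share: the public key carries a whole matrix and every bit of the seed costs N+1 coefficients. Kyber shrinks this by regenerating A from a 32-byte seed and packing 256 bits into one ciphertext, arriving at 800-byte public keys and 768-byte ciphertexts for Kyber-512, still an order of magnitude above ECC, which is exactly the protocol-fitting problem Moody flags. Authentication, which RSA used to provide in the same keypair, now has to come from a separate signature (Dilithium, FALCON or SPHINCS+) over the KEM public key or transcript.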
Until the algorithms pass the final round of the standardization process, estimated to be completed in 2024, organizations should focus on planning their migration and assessing their data-security needs, says NIST's Moody. There is always the chance that the specifications and parameters could change slightly before the standard is finalized, he says.
"To prepare, users can inventory their systems for applications that use public-key cryptography, which will need to be replaced before a cryptographically relevant quantum computer appears," he says. "They can also alert their IT departments and vendors about the upcoming change, and make sure their organization has a plan to deal with the upcoming transition."
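The inventory Moody recommends is mostly tedious parsing of key material that is already lying around. As an added, self-contained example (not from the article or from NIST, standard library only), the script below classifies the public keys in OpenSSH files such as authorized_keys, known_hosts and *.pub by algorithm and size, flagging every RSA, DSA, ECDSA and Ed25519 key as quantum-vulnerable since all of them rest on factoring or discrete logarithms. The sample lines at the bottom are constructed, with a patterned modulus and zero-filled curve points rather than real keys, and include an options prefix, a host-name prefix, an unclassified key type and a corrupted entry so the edge cases are exercised.

```python
"""Inventory public-key algorithms in OpenSSH key lists. Added example."""
import base64
import binascii
import shlex
import struct

# Key types whose math (factoring / discrete log) Shor's algorithm breaks.
# FIDO ("sk-") variants still use the same curves underneath.
VULNERABLE = {
    "ssh-rsa": "RSA",
    "ssh-dss": "DSA",
    "ssh-ed25519": "Ed25519",
    "sk-ssh-ed25519@openssh.com": "Ed25519 (FIDO)",
    "ecdsa-sha2-nistp256": "ECDSA P-256",
    "ecdsa-sha2-nistp384": "ECDSA P-384",
    "ecdsa-sha2-nistp521": "ECDSA P-521",
    "sk-ecdsa-sha2-nistp256@openssh.com": "ECDSA P-256 (FIDO)",
}


def ssh_string(b):
    """SSH wire 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def ssh_mpint(x):
    """SSH 'mpint': big-endian two's complement, extra 0x00 if top bit set."""
    return ssh_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))


def read_string(blob, pos):
    (n,) = struct.unpack(">I", blob[pos:pos + 4])
    if pos + 4 + n > len(blob):
        raise ValueError("truncated SSH string")
    return blob[pos + 4:pos + 4 + n], pos + 4 + n


def key_bits(keytype, blob):
    """Key size from the wire blob: modulus for RSA, p for DSA, curve else."""
    name, pos = read_string(blob, 0)
    if name != keytype.encode():
        raise ValueError("blob type %r != declared %r" % (name, keytype))
    if keytype == "ssh-rsa":                      # mpint e, mpint n
        _, pos = read_string(blob, pos)
        n, _ = read_string(blob, pos)
        return int.from_bytes(n, "big").bit_length()
    if keytype == "ssh-dss":                      # mpint p, q, g, y
        p, _ = read_string(blob, pos)
        return int.from_bytes(p, "big").bit_length()
    if "ed25519" in keytype:
        return 256
    if "nistp" in keytype:
        return int(keytype.split("nistp")[1].split("@")[0])
    return None                                   # unknown type: review by hand


def inventory(text):
    """One record per key line; options/host prefixes and comments tolerated."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            tokens = shlex.split(line, comments=True)   # keeps command="a b" whole
        except ValueError:
            tokens = line.split()
        # First token that looks like an SSH algorithm name is the key type.
        idx = next((i for i, t in enumerate(tokens)
                    if t.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(tokens):
            continue
        keytype = tokens[idx]
        rec = {"line": lineno, "type": keytype, "bits": None, "error": None,
               "algorithm": VULNERABLE.get(keytype, "unclassified"),
               "quantum_vulnerable": keytype in VULNERABLE}
        try:
            blob = base64.b64decode(tokens[idx + 1], validate=True)
            rec["bits"] = key_bits(keytype, blob)
        except (binascii.Error, ValueError, struct.error) as exc:
            rec["error"] = str(exc)               # flagged, never silently dropped
        records.append(rec)
    return records


def summarize(records):
    return {"quantum_vulnerable": sum(r["quantum_vulnerable"] for r in records),
            "unclassified": sum(not r["quantum_vulnerable"] for r in records),
            "errors": sum(r["error"] is not None for r in records)}


def _b64(b):
    return base64.b64encode(b).decode()

# Constructed sample (not real keys): patterned 2048-bit modulus, zero points.
_RSA = ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint((1 << 2047) | 0xC0FFEE)
_ED = ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))
_EC = ssh_string(b"ecdsa-sha2-nistp256") + ssh_string(b"nistp256") + ssh_string(b"\x04" + bytes(64))
_XMSS = ssh_string(b"ssh-xmss@openssh.com") + ssh_string(bytes(32))  # payload made up
SAMPLE = "\n".join([
    "# constructed authorized_keys / known_hosts mix",
    "ssh-rsa %s alice@example.org" % _b64(_RSA),
    'command="/usr/bin/rsync --server",no-pty ssh-ed25519 %s backup' % _b64(_ED),
    "bastion.example.org,10.0.0.5 ecdsa-sha2-nistp256 %s" % _b64(_EC),
    "ssh-xmss@openssh.com %s experimental-hash-based" % _b64(_XMSS),
    "ssh-rsa not*base64 broken-entry",
])

if __name__ == "__main__":
    recs = inventory(SAMPLE)
    for r in recs:
        print(r)
    print(summarize(recs))
```

Point it at a directory walk over /etc/ssh, ~/.ssh and your configuration-management repository and the output is the start of the asset list Moody describes: what needs a post-quantum replacement, what is already something else, and what is too broken to classify. The same approach, keyed on the algorithm identifier in SubjectPublicKeyInfo, applies to X.509 certificates in TLS and code-signing stores.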