NIST, the US National Institute of Standards and Technology, has picked four encryption tools that may be able to resist attack from future quantum computers.
The Insitute, part of the US Commerce Department, is looking to set a standard for cryptography that is secure enough to stand up to the massive increase in available computing power expected when quantum computers become more widely available. NIST plans to create a "post-quantum" cryptography standard, within the next two years.
On the way to post-quantum standards
Current banking and email software use public-key cryptography algorithms that rely on problems such as integer factorization, which cannot be solved quickly on classical computers. Quantum computers are currently nowhere near being able to break these systems, but they are expected to reach that scale eventually. The cryptography community is therefore looking for new public key algorithms which are complex enough to resist attack by a future quantum computer.
NIST is looking to provide a government-backed quantum-secure algorithm, and has called for possible candidates, in a Post Quantum Cryptography Standardization project, which began in 2016, and is due to deliver in 2024. In January 2021, NIST announced that 26 candidate algorithms had passed to the PQC "semi-finals." This week it has published a short list of four finalists.
“Today’s announcement is an important milestone in securing our sensitive data against the possibility of future cyberattacks from quantum computers,” said Secretary of Commerce Gina M. Raimondo. “Thanks to NIST’s expertise and commitment to cutting-edge technology, we are able to take the necessary steps to secure electronic information so US businesses can continue innovating while maintaining the trust and confidence of their customers.”
NIST director, Under Secretary of Commerce for Standards and Technology Laurie E. Locascio, said: “NIST constantly looks to the future to anticipate the needs of US industry and society as a whole, and when they are built, quantum computers powerful enough to break present-day encryption will pose a serious threat to our information systems. Our post-quantum cryptography program has leveraged the top minds in cryptography — worldwide — to produce this first group of quantum-resistant algorithms that will lead to a standard and significantly increase the security of our digital information.”
The eventual standard will offer more than one algorithm for each use case so system builders can choose the best... and potentially eliminate any which are found to be vulnerable.
For general encryption, NIST's candidate is the Crystals-Kyber algorithm, which operates quickly with comparatively small encryption keys.
For digital signatures, NIST has picked three possible algorithms Crystals-Dilithium, Falcon and Sphincs+ (read as “Sphinx plus”). Reviewers found the first two were highly efficient, with NIST recommending Crystals-Dilithium for preference and Falcon as the primary algorithm, with Falcon reserved for applications needing smaller signatures.
Sphincs+ is a bit larger and slower than the other two digital signature candidates, but NIST has kept it on hand for a very important reason: it uses a different math approach than all three of NIST’s other selections, so it's a good reserve if a flaw in the main algorithms' approach is uncovered.
Sphincs+ uses hash functions, while the others all use structured lattices. The other four algorithms which NIST has not announced are designed for general encryption and don't use structured lattices or hash functions.
Four more algorithms
Because cryptographers have suggested a diverse set of options, NIST will publish further finalists picked from four additional algorithms, at a future date. The Institute says it is doing this because of the need for a robust variety of defense tools, which cater to different systems and tasks, including general encryption, and digital signatures.
These four "fourth round" candidates are Bike, Classic McEliece, HQC, and SIKE.
Of these, Bike and HQC use structured codes, and could be used for general purpose encryption. NIST expects to eliminate one of these candidates before the end of round four.
Sike has small key and ciphertext sizes, which NIST says will be useful. By contrast, Classic McEliece is there as a possible candidate, but NIST does not anticipate many will use it, as it has large public keys.
These four algorithms are still open for minor "tweaks" by their submission teams, before October 1, 2022.
Watch this space
NIST will create new draft standards for the algorithms to be standardized and make sure the standards comply with the specifications, before posting these versions for public comment.
NIST is encouraging security experts to explore the new algorithms and figure out how they might be used, but warns developers "not to bake them into their systems yet, as the algorithms could change slightly before the standard is finalized."
NIST advises users to run an inventory and find where they are relying on public-key cryptography applications, so they know what needs to be updated with the eventual PQC standard, before dangerously powerful quantum computers emerge.
All of the algorithms are available on the NIST website.
There will be a NIST PQC Standardization Conference on November 29 to December 1, 2022.