The U.S. National Institute of Standards and Technology (NIST) has released the first three encryption standards designed to resist future cyberattacks based on quantum computing technology.
The agency encourages system administrators to start the transition to the new algorithms as soon as possible, since timely adoption is paramount for protecting sensitive information from attackers with a retrospective decryption strategy, also referred to as “harvest now, decrypt later.”
Background
Quantum computing is based on the principles of quantum mechanics, such as superposition, interference, and entanglement, and uses qubits (quantum bits) as its basic unit of information, the equivalent of bits in classical computing systems.
Unlike a binary bit, which can only exist in one state (either one or zero) at a time, a qubit is a two-state system that can exist in a superposition of the two states, similar to being in both states at the same time.
Quantum computing is still at an early development phase because of the high error rates of qubits. Even so, experiments showed that a quantum processor would take 200 seconds to perform a target computation that a supercomputer would complete in thousands of years.
Current public-key cryptography relies on the difficulty of certain mathematical problems, like factoring large numbers or solving discrete logarithms, for the security of its encryption and decryption keys.
While existing computers can’t handle the calculations necessary to break the encryption, quantum computers could do it in minutes.
Such is the urgency to protect against a threat that has yet to rear its head that the U.S. [1, 2] has urged organizations since 2022 to prepare for the adoption of quantum-resistant cryptography.
First NIST quantum standards
NIST started to work on testing and standardizing post-quantum cryptographic systems almost a decade ago, evaluating 82 algorithms for their resilience against quantum computing attacks.
The finalized standards are based on three key algorithms: ML-KEM (for general encryption), ML-DSA (for digital signatures), and SLH-DSA (a backup digital signature method).
The three standards are summarized as follows:
- FIPS 203
  - Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM, formerly “CRYSTALS-Kyber”), a key-encapsulation mechanism that enables two parties to establish a shared secret key securely over a public channel.
  - Based on the Module Learning with Errors (MLWE) problem, it offers strong resistance against quantum attacks. The standard includes three parameter sets (ML-KEM-512, ML-KEM-768, ML-KEM-1024) to balance security strength and performance, ensuring the protection of sensitive U.S. government communication systems in a post-quantum era.
- FIPS 204
  - Module-Lattice-Based Digital Signature Algorithm (ML-DSA, formerly “CRYSTALS-Dilithium”), a digital signature algorithm designed to authenticate identities and ensure message integrity.
  - Also based on the MLWE problem, it provides security against quantum threats and is suitable for applications like electronic documents and secure communications.
- FIPS 205
  - Stateless Hash-Based Digital Signature Algorithm (SLH-DSA, formerly “SPHINCS+”), a stateless hash-based digital signature algorithm that serves as an alternative to ML-DSA in case ML-DSA proves vulnerable.
  - Using a hash-based approach, SLH-DSA provides security against quantum attacks and is suited to scenarios where a stateless signature scheme is preferred.
NIST encourages system administrators to start integrating these new encryption methods immediately, as the transition will take time.
Already, tech leaders and privacy-focused product vendors, including Google, Signal, Apple, Tuta, and Zoom, have implemented NIST-approved post-quantum encryption standards, like the Kyber key encapsulation algorithm, to protect data in transit.
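The key-encapsulation flow described under FIPS 203 (the receiver publishes an encapsulation key, the sender encapsulates a fresh shared secret to it, the receiver decapsulates the ciphertext), run with Go's standard-library ML-KEM-768 implementation, as an added example that is not from the article, from NIST, or from any of the vendors named above. It assumes Go 1.24 or later (the `crypto/mlkem` and `crypto/hkdf` packages). The X25519 hybrid derivation, the `HybridSessionKey` and `RunExchange` names and the HKDF label string are this example's own choices rather than anything the article or the standard prescribes; the tampered-ciphertext step is included because ML-KEM's implicit rejection is the behaviour a practitioner most often gets wrong.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hkdf"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Result summarises one exchange so a caller can check the outcome.
type Result struct {
	Agree              bool // both sides derived the same ML-KEM secret
	CorruptionDetected bool // a one-bit ciphertext change produced a different secret
	PublicKeyLen       int  // FIPS 203: 1184 bytes for ML-KEM-768
	CiphertextLen      int  // FIPS 203: 1088 bytes for ML-KEM-768
	SessionKeyLen      int
}

// HybridSessionKey mixes a classical X25519 secret with the ML-KEM secret via
// HKDF-SHA256, salted with a hash of the public key and ciphertext so the key
// is bound to this exchange. Pairing the two is this example's choice (an
// assumption, not something the article describes): the result stays as
// strong as whichever primitive survives.
func HybridSessionKey(classicalSecret, pqSecret, transcript []byte) ([]byte, error) {
	ikm := append(append([]byte{}, classicalSecret...), pqSecret...)
	salt := sha256.Sum256(transcript)
	return hkdf.Key(sha256.New, ikm, salt[:], "example-hybrid-session-key", 32)
}

// RunExchange walks through key generation, encapsulation, decapsulation,
// a tampered ciphertext, and hybrid session-key derivation.
func RunExchange() (Result, error) {
	var res Result

	// Receiver: generate the ML-KEM-768 key pair; only the encapsulation key is published.
	dk, err := mlkem.GenerateKey768()
	if err != nil {
		return res, err
	}
	ekBytes := dk.EncapsulationKey().Bytes()

	// Sender: parse the published key and encapsulate a fresh 32-byte secret.
	ek, err := mlkem.NewEncapsulationKey768(ekBytes)
	if err != nil {
		return res, err
	}
	ssSender, ct := ek.Encapsulate()

	// Receiver: decapsulate. ML-KEM uses implicit rejection, so a well-formed but
	// corrupted ciphertext returns no error, only a pseudorandom secret that will
	// not match the sender's; key confirmation has to happen at a higher layer.
	ssReceiver, err := dk.Decapsulate(ct)
	if err != nil {
		return res, err
	}
	res.Agree = bytes.Equal(ssSender, ssReceiver)

	tampered := bytes.Clone(ct)
	tampered[0] ^= 0x01
	ssBad, err := dk.Decapsulate(tampered)
	if err != nil {
		return res, err
	}
	res.CorruptionDetected = !bytes.Equal(ssBad, ssSender)

	// Classical X25519 exchange run alongside, then the hybrid derivation.
	aPriv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return res, err
	}
	bPriv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return res, err
	}
	xSecret, err := aPriv.ECDH(bPriv.PublicKey())
	if err != nil {
		return res, err
	}
	transcript := append(append([]byte{}, ekBytes...), ct...)
	sessionKey, err := HybridSessionKey(xSecret, ssReceiver, transcript)
	if err != nil {
		return res, err
	}
	res.PublicKeyLen, res.CiphertextLen, res.SessionKeyLen = len(ekBytes), len(ct), len(sessionKey)
	return res, nil
}

func main() {
	res, err := RunExchange()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", res)
}
```

Run it with `go run`. The point to notice is that decapsulating the corrupted ciphertext returns no error at all, only a different secret, which is why deployments confirm the derived key through an authenticated message before trusting it; the size fields also make the cost of the transition concrete, since the ML-KEM-768 public key and ciphertext are roughly 30 times larger than an X25519 key share.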
In addition to these finalized standards, NIST continues to evaluate other algorithms for potential future use as backup standards.
Confidence in the current selections cannot be absolute, given that experiments to determine their resilience are practically restricted by the lack of fully fledged quantum computing systems.