NIST announces first 4 Post Quantum Cryptographic Algorithms
Six years after it first announced its post-quantum cryptography standardization project, the National Institute of Standards and Technology (NIST) has revealed the first four algorithms to make the grade.
The PQC Timeline
NIST launched the project in 2016 with an open call to the world’s cryptographers to submit candidate algorithms that would be resistant to attacks by future quantum computers. The deadline for the original submissions was 30 November 2017, and by the end of that year NIST had announced that it had accepted a total of 69 submissions.
In January 2019 NIST announced that 26 candidates had made it through to the second round of evaluation. By July 2020 this had been narrowed down to 7 third-round finalists and 8 alternates. With this month’s announcement we are one step closer to the final published standards, which are expected in 2024.
Commenting on the announcement, the US Secretary of Commerce had this to say:
“Today’s announcement is an important milestone in securing our sensitive data against the possibility of future cyberattacks from quantum computers. Thanks to NIST’s expertise and commitment to cutting-edge technology, we are able to take the necessary steps to secure electronic information so U.S. businesses can continue innovating while maintaining the trust and confidence of their customers.”
“Our post-quantum cryptography program has leveraged the top minds in cryptography, worldwide, to produce this first group of quantum-resistant algorithms that will lead to a standard and significantly increase the security of our digital information.”
Laurie E. Locascio, Director, NIST
The First Four
These algorithms are the first 4 of what will constitute the preliminary post-quantum cryptography standards. The primary algorithms, which NIST recommends be implemented in most cases, are based on module lattices. They comprise:
CRYSTALS-Kyber – an IND-CCA2-secure key encapsulation mechanism (KEM) based on the hardness of solving the Learning With Errors (LWE) problem over module lattices.
CRYSTALS-Dilithium – a digital signature scheme also based on the hardness of mathematical problems over module lattices.
Two other digital signature algorithms are also standardized:
FALCON – a lattice-based digital signature scheme that relies on the short integer solution (SIS) problem over NTRU lattices. FALCON has smaller signature sizes and can be used when the size of the signature is an issue.
SPHINCS+ – a stateless, hash-based signature scheme. SPHINCS+ has an excellent security record, and it provides a digital signature scheme based on a totally different hard problem. Its large signature size may restrict its use to specific cases.
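To make the KEM idea behind Kyber concrete, here is an added toy example (not NIST's, Kyber's or ID Quantique's code): a textbook Regev-style LWE key encapsulation over plain vectors, with dimensions small enough to read and no security margin. Decapsulation works because the decryptor can cancel the lattice part and is left with only a small error term that cannot flip the encoded bit; Kyber's module-lattice structure and its CCA-hardening transform are not modelled here.

```python
import hashlib
import secrets

# Toy parameters (illustrative only; far too small for real security).
N = 16        # secret dimension
M = 32        # number of LWE samples published in the public key
Q = 3329      # modulus (Kyber's value, used here only for familiarity)
KEY_BITS = 8  # number of shared-secret bits encapsulated


def small_error():
    """Sample a small error term from {-1, 0, 1}."""
    return secrets.randbelow(3) - 1


def keygen():
    """Public key (A, b = A*s + e mod Q); private key s.  Recovering s from
    (A, b) is the LWE problem: without the error e it would be plain Gaussian
    elimination, with it the system is believed hard even for quantum computers."""
    s = [secrets.randbelow(Q) for _ in range(N)]
    A = [[secrets.randbelow(Q) for _ in range(N)] for _ in range(M)]
    b = [(sum(a * x for a, x in zip(row, s)) + small_error()) % Q for row in A]
    return (A, b), s


def derive_key(bits):
    """Shared key = hash of the encapsulated bits."""
    return hashlib.sha256(bytes(bits)).hexdigest()


def encapsulate(pk):
    """Encrypt KEY_BITS fresh random bits under pk; return (ciphertext, shared key)."""
    A, b = pk
    bits = [secrets.randbelow(2) for _ in range(KEY_BITS)]
    ct = []
    for bit in bits:
        r = [secrets.randbelow(2) for _ in range(M)]  # random subset of samples
        u = [sum(r[i] * A[i][j] for i in range(M)) % Q for j in range(N)]
        v = (sum(r[i] * b[i] for i in range(M)) + bit * (Q // 2)) % Q
        ct.append((u, v))
    return ct, derive_key(bits)


def decapsulate(ct, s):
    """Recover the bits: v - u.s = r.e + bit*Q/2, and |r.e| <= M < Q/4."""
    bits = []
    for u, v in ct:
        d = (v - sum(x * y for x, y in zip(u, s))) % Q
        bits.append(1 if Q // 4 <= d < 3 * Q // 4 else 0)
    return derive_key(bits)
```

With these parameters the error bound |r.e| <= M = 32 is well below Q/4, so the two sides always derive the same key; real schemes size the noise so that the failure probability is negligible rather than zero.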
In addition, NIST has launched a fourth round in order to standardize at least one more algorithm for key exchange that is not based on lattices. The four algorithms selected for this fourth round are BIKE, Classic McEliece, HQC and SIKE. This will ensure a variety of hard problems, in the unlikely case that lattice-based systems fail in the future. The case of Rainbow, one of the Round 3 finalists that was recently broken, is a sobering reminder that the security of any new scheme is not absolute.
NIST has also announced a future new Call for Proposals for different digital signature algorithms. The aim is to reduce the size of the keys and increase the diversity of the possible schemes.
Transitioning to quantum-safe security
Keeping in mind there is still a distinct risk that a new algorithm may fail, either classically or from a new quantum attack, the NIST choice is not the end of the road. All over the world, government, academic and industry teams are continuing to study the route to quantum-safe security. This is why, at ID Quantique, we advocate adding another layer of safety by using quantum technologies, such as quantum random number generation (QRNG) and quantum key distribution (QKD). QRNG can and should be used for all key generation processes. QKD can also be applied today for long-term protection of communication backbones and metropolitan networks. QKD Networks and the future Quantum Internet will expand the scope of applications of quantum communication technologies much further.
The future of cybersecurity will only be achieved by a combination of all available technologies, from both the mathematics side and the quantum side. The conclusion is obvious: both QKD and PQC are needed for long-term security in the quantum era.
If you are interested in learning more about the timelines for cybersecurity transitions, you can also read the latest QED-C report: A guide to Quantum-Safe organization
*Overview image credit: N. Hanacek/NIST