The U.S. Department of Commerce's National Institute of Standards and Technology (NIST) has selected four quantum-resistant cryptographic algorithms for general encryption and digital signatures.
NIST, a US standards-setting body and research organization within the Department of Commerce, announced the four algorithms after a six-year period assessing potential quantum-resistant (QR) alternatives to today's cryptographic algorithms for public key encryption, digital signatures, and key exchange.
Today's key algorithms include AES-256 for symmetric key encryption; SHA-256 and SHA-3 for hashing; RSA public key encryption for digital signatures and key establishment; and Elliptic Curve Cryptography (ECDSA, ECDH) and DSA public key encryption for digital signatures and key exchange.
NIST has currently selected only the CRYSTALS-Kyber algorithm for general encryption in a post-quantum world. However, it is still considering four others.
The Kyber algorithm is already used by internet firm Cloudflare in its post-quantum CIRCL (Cloudflare Interoperable, Reusable Cryptographic Library) library of cryptographic primitives written in Go. Amazon since 2020 has supported Kyber as one of its post-quantum key exchange algorithms for Transport Layer Security (TLS) 1.2, the encryption protocol behind HTTPS websites. And IBM used Kyber for its first quantum-resistant tape drive.
NIST's position is based on AT&T Bell Labs researcher Peter Shor's algorithm, which showed that a powerful enough quantum computer would endanger many modern communications systems protected by these types of encryption.
And while such a quantum computer is still years away, NIST noted that it has historically taken almost 20 years to deploy modern public key cryptography infrastructure. On top of this, a sophisticated adversary could collect a ton of data encrypted with today's algorithms and decrypt it once they acquire a sufficiently powerful quantum computer.
How big would that encryption-busting computer need to be?
"The point at which a given quantum computer is built with sufficient qubit capacity to break public key cryptography is sometimes called 'cryptographically relevant', when a quantum machine now can break our current cryptographic algorithms. This is still significantly larger in size and power than a quantum machine that achieves 'quantum supremacy'," DHS notes.
The White House wants key federal agencies to migrate existing cryptographic systems to ones that are resistant to a cryptanalytically relevant quantum computer (CRQC) in order to mitigate "as much of the quantum risk as is feasible" by 2035.
NIST recommends CRYSTALS-Dilithium as the primary algorithm for digital signatures, while FALCON is suitable for applications that need signatures smaller than Dilithium can provide.
NIST picked SPHINCS+ as a backup, despite it being comparatively larger and slower than the other two, because it is based on a different mathematical approach from the other three algorithms it selected.
"Three of the selected algorithms are based on a family of math problems called structured lattices, while SPHINCS+ uses hash functions. The additional four algorithms still under consideration are designed for general encryption and do not use structured lattices or hash functions in their approaches," NIST said.
"Our post-quantum cryptography program has leveraged the top minds in cryptography – worldwide – to produce this first group of quantum-resistant algorithms that will lead to a standard and significantly increase the security of our digital information," NIST director Laurie E. Locascio said in a statement.
NIST intends for the new public-key cryptography standards to specify "one or more additional unclassified, publicly disclosed digital signature, public-key encryption, and key-establishment algorithms that are available worldwide" that can protect sensitive government information beyond the advent of powerful quantum computers.