Pete HahnloserThe National Institute of Standards and Technology (NIST), part of the U.S. Department of Commerce, has completed its initial set of encryption algorithms intended to resist cyberattacks from quantum computers. The release of these three standards comes nearly eight years after NIST issued its first call for proposals on the topic.
Researchers in several countries are in a race to develop quantum computers, which function in fundamentally different ways than traditional computers and have the potential to break the encryption that secures nearly all online activities. The algorithms being introduced are detailed in the first finalized standards from NIST’s post-quantum cryptography (PQC) standardization project and are available for immediate implementation.
With quantum computing technology developing rapidly, the new standards are built with the future in mind. Some experts anticipate a device capable of breaking current encryption methods emerging within the next decade, posing a serious threat to the security and privacy of people, organizations and governments.
“The advancement of quantum computing plays an essential role in reaffirming America’s status as a global technological powerhouse and driving the future of our economic security,” Deputy Commerce Secretary Don Graves said. “NIST is providing invaluable expertise to develop innovative solutions to our quantum challenges, including security measures like post-quantum cryptography that organizations can start to implement to secure our post-quantum future.”
The standards, which include the computer code for encryption algorithms, implementation instructions and their intended applications, are the first results of the eight-year endeavor. NIST brought together leading cryptography experts from around the world to design, submit and assess algorithms capable of withstanding quantum computer attacks.
“Quantum computing technology could become a force for solving many of society’s most intractable problems, and the new standards represent NIST’s commitment to ensuring it will not simultaneously disrupt our security,” NIST Director Laurie Locascio said. “These finalized standards are the capstone of NIST’s efforts to safeguard our confidential electronic information.”
With so much of day-to-day life happening online, encryption plays a key role in safeguarding email contents, medical records, photo libraries and information critical to national security. Encrypted data can be transmitted over public computer networks while remaining gibberish to anyone other than the sender and the intended recipient.
Encryption tools depend on complex mathematical problems that are challenging or impossible for conventional computers to solve. However, a powerful quantum computer could quickly analyze a vast array of potential solutions, rendering current encryption useless. The algorithms standardized by NIST are built on different mathematical problems that would confound both conventional and quantum computers.
“These finalized standards include instructions for incorporating them into products and encryption systems,” NIST mathematician Dustin Moody, who heads the PQC standardization project, said. “We encourage system administrators to start integrating them into their systems immediately, because full integration will take time.”
NIST is also assessing two additional sets of algorithms that could eventually serve as backup standards.
One of these sets contains three algorithms intended for general encryption, based on a different type of mathematical problem than the finalized standards’ general-purpose algorithm. NIST plans to select one or two of these algorithms by the end of the year.
The second set comprises a broader group of algorithms intended for digital signatures. To consider any new ideas from cryptographers since the initial 2016 call for submissions, NIST requested additional algorithms in 2022 and has started evaluating them, with around 15 expected to advance to the next phase of testing, evaluation and analysis.
Moody stressed that while research continues into additional solutions continues, the standards released today are ready for implementation. Any further PQC standards would be backup solutions.
“There is no need to wait for future standards,” he said. “Go ahead and start using these three. We need to be prepared in case of an attack that defeats the algorithms in these three standards, and we will continue working on backup plans to keep our data safe. But for most applications, these new standards are the main event.”
Photo by Markus Spiske on Unsplash
