NIST Releases Three Post-Quantum Cryptography Standards
What's Next for Federal Agencies and the Private Sector?
As discussed in a previous post, in 2022, the Quantum Computing Cybersecurity Preparedness Act ordered an examination of federal administrative agencies' data cryptography to prepare for a future where quantum computing is capable of decrypting that data. Among the law's provisions was a directive triggered by the completion of the National Institute of Standards and Technology's (NIST) competition to identify "quantum-safe algorithms." In mid-August 2024, NIST announced approval of three such algorithms. The announcement will reverberate across the federal government and private sector, as it kicks off a process of upgrading to post-quantum cryptography.
NIST's Three Federal Information Processing Standards (FIPS) for Post-Quantum Cryptography
In 2016, NIST began a lengthy public competition to develop "post-quantum" cryptographic schemes, which are a subset of "quantum-safe algorithms." NIST described the quantum decryption problem as its motivation for the project:
In recent years, there has been a substantial amount of research on quantum computers – machines that exploit quantum mechanical phenomena to solve mathematical problems that are difficult or intractable for conventional computers. If large-scale quantum computers are ever built, they will be able to break many of the public-key cryptosystems currently in use. This would seriously compromise the confidentiality and integrity of digital communications on the Internet and elsewhere.
NIST was particularly concerned about Rivest-Shamir-Adleman (RSA)-based encryption. RSA encryption relies on the difficulty of factoring large numbers into their prime factors, a problem that future quantum computers will be able to solve much more readily than classical computers.
The competition's stated goal was "to develop cryptographic systems that are secure against both quantum and classical computers, and can interoperate with existing communications protocols and networks." The competition began with 82 algorithms and was whittled down over four elimination rounds. By 2022, the ongoing project had identified several promising candidate algorithms, including CRYSTALS-Kyber (for key establishment) and CRYSTALS-Dilithium (for digital signatures).
On August 13, 2024, NIST announced the three finalists:
- FIPS 203, Module-Lattice-Based Key-Encapsulation Mechanism Standard
- FIPS 204, Module-Lattice-Based Digital Signature Standard
- FIPS 205, Stateless Hash-Based Digital Signature Standard
FIPS 203 is a general-purpose encryption (key-establishment) standard, and FIPS 204 and 205 are digital signature standards for authenticating users. Unlike RSA, FIPS 203 and 204 are built on lattice cryptography, which relies on the difficulty of finding the lowest common multiple in a set of numbers. FIPS 205 instead uses hash functions as its core mathematical problem. Neither cryptographic approach is thought to be susceptible to quantum computing.
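To make the two primitive families concrete, the following added example (not code from NIST or from the post) shows the shape of a lattice-based key-encapsulation mechanism, the family FIPS 203 belongs to, next to a hash-based one-time signature, the building block that FIPS 205's stateless construction generalises. It is a toy Regev-style LWE scheme with deliberately tiny parameters and a Lamport signature, written for readability rather than security; the names `kem_keygen`, `kem_encaps`, `kem_decaps`, `ots_keygen`, `ots_sign` and `ots_verify` are this example's own, and none of it is the ML-KEM or SLH-DSA algorithm.

```python
"""Toy post-quantum primitives illustrating the FIPS 203 and FIPS 205 families.

Educational example, NOT the NIST algorithms: a Regev-style LWE key-encapsulation
mechanism (lattice family, like ML-KEM) and a Lamport one-time signature (hash
family, the few-time building block that stateless hash-based schemes stack into
trees so that no signing state has to be tracked). Parameters are insecure toys.
"""
import hashlib
import secrets

# --- Toy LWE key encapsulation (lattice family) -----------------------------
N = 16         # lattice dimension (toy; far too small to be secure)
Q = 3329       # modulus (borrowed from ML-KEM so the arithmetic looks familiar)
KEY_BITS = 32  # shared-secret bits, encapsulated one bit per ciphertext


def small_vec(n):
    """Secret or error vector with entries in {-1, 0, 1}."""
    return [secrets.randbelow(3) - 1 for _ in range(n)]


def dot(a, b):
    return sum(x * y for x, y in zip(a, b)) % Q


def kem_keygen():
    """pk = (A, b = A*s + e), sk = s; recovering s from (A, b) is the LWE problem."""
    A = [[secrets.randbelow(Q) for _ in range(N)] for _ in range(N)]
    s, e = small_vec(N), small_vec(N)
    b = [(dot(row, s) + ei) % Q for row, ei in zip(A, e)]
    return (A, b), s


def encrypt_bit(pk, m):
    """Regev encryption of one bit: u = A^T r + e1, v = <b, r> + e2 + m*floor(q/2)."""
    A, b = pk
    r, e1 = small_vec(N), small_vec(N)
    e2 = secrets.randbelow(3) - 1
    u = [(sum(A[i][j] * r[i] for i in range(N)) + e1[j]) % Q for j in range(N)]
    v = (dot(b, r) + e2 + m * (Q // 2)) % Q
    return u, v


def decrypt_bit(sk, ct):
    """v - <s, u> = m*floor(q/2) + noise; |noise| <= 2N+1 < q/4, so the bit survives."""
    u, v = ct
    w = (v - dot(sk, u)) % Q
    return 1 if Q // 4 < w < 3 * Q // 4 else 0   # nearer q/2 than 0 means bit 1


def derive_key(bits):
    """KDF step: hash the agreed bits into a 32-byte symmetric key."""
    return hashlib.sha256(bytes(bits)).digest()


def kem_encaps(pk):
    """Sender: choose random key bits, encrypt each; return (ciphertexts, key)."""
    bits = [secrets.randbelow(2) for _ in range(KEY_BITS)]
    return [encrypt_bit(pk, m) for m in bits], derive_key(bits)


def kem_decaps(sk, cts):
    """Receiver: decrypt each bit and derive the same key."""
    return derive_key([decrypt_bit(sk, ct) for ct in cts])


# --- Toy hash-based one-time signature (Lamport) ----------------------------
def H(data):
    return hashlib.sha256(data).digest()   # security rests only on the hash


def ots_keygen():
    """256 pairs of random preimages; the public key is their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return [(H(a), H(b)) for a, b in sk], sk


def _bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def ots_sign(sk, msg):
    """Reveal, per bit of H(msg), the matching preimage. One-time only: signing a
    second message leaks the other preimages, which is why real schemes add trees."""
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]


def ots_verify(pk, msg, sig):
    return all(H(sig[i]) == pk[i][bit] for i, bit in enumerate(_bits(msg)))


def demo():
    """Run one KEM exchange and one signature; returns (keys_match, sig_valid)."""
    pk, sk = kem_keygen()
    cts, k_sender = kem_encaps(pk)
    k_receiver = kem_decaps(sk, cts)
    spk, ssk = ots_keygen()
    msg = b"constructed sample message"
    return k_sender == k_receiver, ots_verify(spk, msg, ots_sign(ssk, msg))


if __name__ == "__main__":
    print(demo())
```

The noise bound in `decrypt_bit` is what makes the toy scheme correct: with entries in {-1, 0, 1} the accumulated error is at most 2N + 1 = 33, well under q/4 = 832, so decapsulation never fails here (real ML-KEM picks parameters so that failure is negligible rather than impossible). The Lamport signature shows why "stateless" matters for FIPS 205: a one-time key must never sign twice, and tracking that state is exactly what SLH-DSA's tree construction avoids.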
What Comes Next for Federal Agencies?
Since the Preparedness Act was passed, the U.S. Office of Management and Budget (OMB) has been developing and issuing guidance for administrative agencies "on the migration of information technology to post-quantum cryptography." Section 4(a). This guidance included "a requirement for each agency to establish and maintain a current inventory of information technology in use by the agency that is vulnerable to decryption by quantum computers[,]" and report results to OMB. Section 4(a)(1).
NIST's release of the final post-quantum cryptography standards sets a one-year clock ticking for OMB to issue further guidance preparing agencies for the migration of their data to the new, quantum-resilient standards. Section 4(c). OMB is also required to report to Congress on the migration's progress. Section 4(e).
Agencies are expected to start migrating to post-quantum cryptography quickly once OMB issues further guidance. Federal information technology (IT) contractors have already begun preparing to incorporate post-quantum cryptography into their offerings.
What Comes Next for the Private Sector?
As noted in the previous post, while the approval of new cryptographic standards is a step toward securing new information, a concern remains that any existing, compromised data may be at risk. Such data – even if bad actors are currently incapable of decrypting it – may be decrypted later in time and mined for useful information (what hackers call "harvest now, decrypt later"). Companies holding encrypted data that may still be valuable whenever a quantum computer that can decrypt it is developed will need to assess how quickly to deploy post-quantum encryption. This will depend partly on the potential liability and reputational damage they may face, which will almost certainly be greater now that the NIST standards are available.