NIST is Continuing to Work on Post-Quantum-Computing Cryptography Standards

NIST is accepting proposals for public-key algorithms immune to quantum computing techniques. Details here. Deadline is the end of November 2017.

I applaud NIST for taking the lead on this, and for taking it now when there is no emergency and we have time to do this right.

Slashdot thread.

Posted on December 23, 2016 at 6:39 AM • 10 Comments


Andrew • December 23, 2016 8:14 AM

Basically they ask people to replace Diffie-Hellman with something equally genius, in several months. Things like this just happen, you never know who, when and where will invent something like this again.

Andrew • December 23, 2016 1:03 PM

@Carl I knew about elliptic curve attempts, still nothing close to the simplicity of RSA, I guess this is what they expect.

Ross Snider • December 23, 2016 1:45 PM

They appear to be making the same mistakes as with prior standards.

For instance:

- nonces should be generated by cryptographic hashes of settings and plaintext. This way they can't accidentally be reused and do not rely on the integrity of a PRNG to function correctly.

- if nonce reuse does occur, it's much better to lose indistinguishability than it is to leak the private key material.

- algorithms should be designed so that naive implementations are or are close to constant time.

- constants should be motivated on a nothing-up-my-sleeve basis, especially if they exist in trapdoor functions.

- primitives for key agreement should include options for authentication.

- crypto agility away from standards should be a primary feature.

NIST doesn't appear to have learned its lesson. We're going to get a bunch of 'influenced' and impossible-to-implement primitives from this exercise.
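To illustrate the first two points above (nonces derived from the key, the scheme settings and the message, versus nonces drawn from a PRNG whose state may repeat), here is an added example; it is not code from the post or its commenters, and the scheme name, group order Q and the sample key are constructed for the demonstration.

```python
import hashlib
import hmac
import random

# Constructed group order for a hypothetical signature scheme: the Curve25519
# field prime 2^255 - 19, used here only because it is a convenient large prime.
Q = (1 << 255) - 19


def deterministic_nonce(private_key: int, settings: bytes, message: bytes) -> int:
    """Derive a nonce k in [1, Q-1] from (key, scheme settings, message).

    The same signing input always yields the same k, so k repeats only when the
    whole input repeats, which is harmless; distinct messages give unrelated k,
    and no PRNG is consulted. (A real scheme would also remove the small modular
    bias, e.g. by rejection sampling as RFC 6979 does.)
    """
    key_bytes = private_key.to_bytes(32, "big")
    counter = 0
    while True:
        data = settings + b"\x00" + message + counter.to_bytes(4, "big")
        digest = hmac.new(key_bytes, data, hashlib.sha256).digest()
        k = int.from_bytes(digest, "big") % Q
        if k != 0:
            return k
        counter += 1  # k == 0 is astronomically unlikely; retry if it happens


def prng_nonce(rng: random.Random) -> int:
    """Nonce drawn from a PRNG: safe only if the PRNG state never repeats."""
    return rng.randrange(1, Q)


def nonce_reuse_demo():
    """Return (deterministic nonces, PRNG nonces) for two different messages."""
    sk = 0x0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF  # constructed
    settings = b"example-scheme-v1"  # hypothetical parameter identifier
    m1, m2 = b"transfer 10", b"transfer 1000"
    det = [deterministic_nonce(sk, settings, m) for m in (m1, m1, m2)]
    # A PRNG re-seeded with the same value (e.g. after a VM snapshot restore)
    # hands out the same nonce for two different messages.
    r1, r2 = random.Random(42), random.Random(42)
    rng_nonces = [prng_nonce(r1), prng_nonce(r2)]
    return det, rng_nonces
```

The deterministic nonces agree only for the repeated message and differ for the new one, while the re-seeded PRNG produces an identical nonce for both messages.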

A Nonny Bunny • December 23, 2016 3:01 PM

@Ross Snider

- primitives for key agreement should include options for authentication.
Isn't authentication something you could do after you have a secure channel? Seems like two things that can be separated quite well.

Ted • December 23, 2016 3:47 PM

Dr. Dustin Moody of NIST's Cryptographic Technology Group offers a timeline for the post-quantum cryptography standard development process at PQCrypto 2016, the seventh international conference on post-quantum cryptography, at minute 6:40. [1] He estimates that following the November 2017 submission deadline there will be a 3-5 year analysis phase, after which NIST will report its findings. Draft standards are scheduled to be composed two years after that point. [2] He says this will be similar to the SHA-3 competition that was held from 2007-2012. [3]

[1] Dustin Moody – “Post-Quantum Cryptography: NIST's Plan for the Future” YouTube video

[2] PQCrypto 2016

[3] SHA-3 Competition 2007-2012

Anura • December 23, 2016 4:49 PM

@A Nonny Bunny

You generally want to at least perform key confirmation to prevent certain attacks (it really simplifies security proofs if you can guarantee that both sides have the same key).
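As an added example of the key confirmation step mentioned above (not code from the post or its commenters), both parties derive a separate confirmation key from the agreed secret and the handshake transcript, exchange role-bound MAC tags, and accept only if the peer's tag verifies; the label strings, role names and transcript are constructed for the example.

```python
import hashlib
import hmac
import os


def derive_keys(shared_secret: bytes, transcript: bytes):
    """Split the raw agreed secret into a session key and a separate
    confirmation key, both bound to the handshake transcript (HKDF-style)."""
    prk = hmac.new(b"key-confirm-example", shared_secret, hashlib.sha256).digest()
    session_key = hmac.new(prk, b"session" + transcript, hashlib.sha256).digest()
    confirm_key = hmac.new(prk, b"confirm" + transcript, hashlib.sha256).digest()
    return session_key, confirm_key


def confirmation_tag(confirm_key: bytes, role: bytes, transcript: bytes) -> bytes:
    # Each side authenticates its own role label, so a tag cannot simply be
    # reflected back to its sender.
    return hmac.new(confirm_key, role + transcript, hashlib.sha256).digest()


def run_confirmation(secret_a: bytes, secret_b: bytes, transcript: bytes) -> bool:
    """Each party derives keys from the secret it believes was agreed, they
    exchange tags, and each verifies the peer's tag. True only if both pass."""
    _, ka = derive_keys(secret_a, transcript)
    _, kb = derive_keys(secret_b, transcript)
    tag_a = confirmation_tag(ka, b"initiator", transcript)
    tag_b = confirmation_tag(kb, b"responder", transcript)
    # B checks A's tag with B's key; A checks B's tag with A's key.
    b_ok = hmac.compare_digest(tag_a, confirmation_tag(kb, b"initiator", transcript))
    a_ok = hmac.compare_digest(tag_b, confirmation_tag(ka, b"responder", transcript))
    return a_ok and b_ok


def demo():
    """Return (result with matching secrets, result with a mismatched secret)."""
    transcript = b"constructed transcript: pk_A || pk_B || parameter id"
    s = os.urandom(32)  # stand-in for the output of a key-agreement step
    same = run_confirmation(s, s, transcript)
    # Mismatch: B ended up with a different secret (e.g. a corrupted share).
    different = run_confirmation(s, os.urandom(32), transcript)
    return same, different
```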

CarpetCat • December 26, 2016 9:44 AM

The road to hell...

Too much convenience, too much complexity...It's not a good thing.

Some things should be hard to do. How else do you know if you're doing it right?

Let's take a moment to reflect on these 'experts' who will be implementing these 'standards':

Most, nay, all the programmers just used the default P and Q settings, despite the documentation.

RSA, et al, implemented the kitchen sink and lied about it.

The whole effort is pointless. Even Bruce shats upon PGP like it's the trendy thing to do. We forget our roots, we repeat our errors, we forget what's worth fighting for.

The only good thing about NIST is the early start. They have much work to restore confidence. I have always said that whatever you learn is useless if not put into practice. And whatever you practice is useless if not practical and simple in its implementation.

But what the heck do I know? Most of you overfocus on the esoteric minutiae while the world spins circles around us all. All the while, Bruce waxes poetic about his political feelings. I'LL ASK YOU AGAIN, what is your purpose people? You have to do something more than just post on this forum. Group up, organize, plan and change the world. Soon, power will concentrate, and it will be too late to stop it.

Zomarta • December 29, 2016 2:03 PM

@Carl @SquidCuddles: Google does not want to push their New Hope implementation as the de-facto standard: "We do not want to promote CECPQ1 as a de-facto standard and so a future Chrome update will disable CECPQ1 support. It's likely that TLS will want a post-quantum key-agreement in the future but a more multilateral approach is preferable for something intended to be more than an experiment."

After which Jacob Alperin-Sheriff from NIST replied "Thanks for leaving standardization to us at NIST, Google. I mean that sincerely!"

And here we are, NIST is accepting proposals for public-key algorithms immune to quantum computing techniques. Deadline is the end of November 2017.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.