NIST Releases First Post-Quantum Encryption Algorithms

From the Federal Register:

After three rounds of evaluation and analysis, NIST selected four algorithms it will standardize as a result of the PQC Standardization Process. The public-key encapsulation mechanism selected was CRYSTALS-KYBER, along with three digital signature schemes: CRYSTALS-Dilithium, FALCON, and SPHINCS+.

These algorithms are part of three NIST standards that have been finalized:

NIST press release. My recent writings on post-quantum cryptographic standards.

EDITED TO ADD: Good article:

One – ML-KEM [PDF] (based on CRYSTALS-Kyber) – is intended for general encryption, which protects data as it moves across public networks. The other two – ML-DSA [PDF] (originally known as CRYSTALS-Dilithium) and SLH-DSA [PDF] (initially submitted as Sphincs+) – secure digital signatures, which are used to authenticate online identity.

A fourth algorithm – FN-DSA [PDF] (originally called FALCON) – is slated for finalization later this year and is also designed for digital signatures.

NIST continued to evaluate two other sets of algorithms that could potentially serve as backup standards in the future.

One of the sets includes three algorithms designed for general encryption – but the technology is based on a different type of math problem than the ML-KEM general-purpose algorithm in today’s finalized standards.

NIST plans to select one or two of these algorithms by the end of 2024.

IEEE Spectrum article.

Slashdot thread.

Posted on August 15, 2024 at 11:37 AM • 5 Comments

Comments

Clive Robinson August 15, 2024 12:34 PM

@ ALL,

I kind of guess, based on the track record, one of the first questions in people's heads will be,

“How long before a break gets announced? Especially a non quantum break?”

Which is why other questions will get asked over the next few days and months, including “What Next?”

Mind you this from the press release gave me a hollow laugh,

“Quantum computing technology is developing rapidly, and some experts predict that a device with the capability to break current encryption methods could appear within a decade, threatening the security and privacy of individuals, organizations and entire nations.”

With “collect it all” that “threat” started years ago for the majority, and like a “beheading” all we are waiting for “is the axe to fall”.

I guess the majority of records for the likes of “e-commerce” won’t be of interest unless for things that, let’s just say, are “morally questionable” or worse, or can be used to show “behaviour patterns”.

I don’t do e-commerce, and have not tried it since Amazon “behaved like a criminal”, and I don’t do “social media” either, and in general I keep my behaviours “uninteresting” and have done since before the 1990s.

Because I’m old enough to have lived through the failing of DES and Crypto-Wars-1 and foreseen the path that was being set for the majority to the “Gilded Cage”, and took care to keep off of it, and still continue to do so.

Z.Lozinski August 15, 2024 7:09 PM

@ Clive,
Quantum Computers are not cheap. The risk of store now decrypt later in the next 6-10 years is not to your or my email / WhatsApp etc. messages but to high value data sets. The data that describes a novel pharmaceutical represents USD 2.5B dollars of investment with a 20 year life (the patent lifetime). An aerospace platform is an investment of USD 10B with a life of 30 years. Then there is the really important stuff like NNPI.

There is firmware/software signing. Updating code signing has been the highest priority for the NSA since before 2022. For those not following the transition to Post Quantum Cryptography, the NSA has declassified and published a detailed timeline for the US Government. (Search “CNSA 2.0”). The IETF standardised quantum-safe software signing a few years ago (XMSS/LMS). (But .. XMSS/LMS are hard to implement securely at scale)

Ledgers. Digitally signed ledgers with legal force, such as the UK’s Land Registry. Forging the ownership of one set of property deeds is a personal tragedy for the person who loses their house or apartment. Forging 10,000 deeds leads to a crash in the City of London as the mortgage-backed securities market collapses. Same for Bitcoin and Central Bank Digital Currency.

Authentication. If I was a wicked person, I would be targeting the authentication of high-value payments. It is not worth using a quantum computer to forge an EMV card payment for a journey on the London Underground (GBP2.80). It is worth using a quantum computer to attack a Central Bank payment. FEDWIRE has a limit of USD 10B – 1 cent for a single transaction. And we know there have been successful attacks on Central Bank payments (2015, Federal Reserve & Bank of Bangladesh).

Military cryptographic systems have been designed to fall back if a systemic break occurs. We have never had to do this for commercial cryptography. The concept of ‘cryptographic agility’ is supposed to address this problem, but it is hard and we are still working on the details.

And you are right. We have not had a proof of the security of any of the public key systems to date beyond Gauss, Euler and 200 years of lesser mathematicians couldn’t find a fast factoring algorithm. Equally, we have no proof of the hardness of lattice cryptography, just 10 years work by most of the world’s cryptographers. Any better suggestions are welcome in the 4th round of the NIST competition.

But the biggest problem will be updating the security components of the world’s technology. 8.5 billion mobile devices; 25 million network nodes in 890 networks for a start!

(Full disclosure: the transition to PQC is what I have been worrying about for the last 5 years. It’s an important problem, and it ain’t easy).
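The comment above notes that the IETF's stateful hash-based signature schemes (XMSS and LMS) are hard to implement securely at scale. The reason is that every one-time key in the Merkle tree may be used exactly once, so the signer must persist and advance an index before releasing each signature, and a rolled-back state (a restored backup or VM snapshot) silently breaks that guarantee. The following is an added illustration, not code from the blog post, from NIST, or from any XMSS/LMS implementation: a toy Merkle-tree signature scheme built from Lamport one-time signatures over SHA-256, with the state counter that a signer must protect, plus a defender-side check that flags leaf indices that were used for more than one message. Names such as `MerkleManyTimeSigner` and `detect_index_reuse` are assumptions of this example.

```python
import hashlib
import secrets

# Toy construction for illustration only (not XMSS/LMS, not production code).
def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def _bits(digest: bytes):
    """Yield the 256 message-digest bits, most significant first."""
    for i in range(256):
        yield (digest[i // 8] >> (7 - i % 8)) & 1

def lamport_keygen():
    """256 pairs of secrets; the public key is the hash of every secret."""
    sk = [[secrets.token_bytes(32) for _ in range(2)] for _ in range(256)]
    pk = [[H(s) for s in pair] for pair in sk]
    return sk, pk

def lamport_sign(sk, msg: bytes):
    # Reveal one secret of each pair, selected by the corresponding digest bit.
    return [sk[i][b] for i, b in enumerate(_bits(H(msg)))]

def lamport_verify(pk, msg: bytes, sig) -> bool:
    return all(H(sig[i]) == pk[i][b] for i, b in enumerate(_bits(H(msg))))

def pk_hash(pk) -> bytes:
    return H(b"".join(x for pair in pk for x in pair))

class MerkleManyTimeSigner:
    """2**height one-time keys under a single Merkle root; next_index is the state."""

    def __init__(self, height: int):
        self.n = 1 << height
        self.keys = [lamport_keygen() for _ in range(self.n)]
        self.levels = [[pk_hash(pk) for _, pk in self.keys]]
        while len(self.levels[-1]) > 1:              # build the tree bottom-up
            lvl = self.levels[-1]
            self.levels.append([H(lvl[i] + lvl[i + 1]) for i in range(0, len(lvl), 2)])
        self.root = self.levels[-1][0]
        self.next_index = 0                           # MUST be persisted and never rolled back

    def sign(self, msg: bytes):
        if self.next_index >= self.n:
            raise RuntimeError("all one-time keys consumed; key exhausted")
        idx = self.next_index
        self.next_index += 1                          # advance state BEFORE releasing the signature
        sk, pk = self.keys[idx]
        auth, i = [], idx
        for lvl in self.levels[:-1]:                  # authentication path: sibling at each level
            auth.append(lvl[i ^ 1])
            i >>= 1
        return (idx, pk, lamport_sign(sk, msg), auth)

def verify(root: bytes, msg: bytes, sig) -> bool:
    idx, pk, ots, auth = sig
    if not lamport_verify(pk, msg, ots):
        return False
    node, i = pk_hash(pk), idx
    for sib in auth:                                  # recompute the path up to the root
        node = H(sib + node) if i & 1 else H(node + sib)
        i >>= 1
    return node == root

def detect_index_reuse(root: bytes, signed) -> set:
    """Monitoring check: leaf indices that validly signed two different messages.

    A hit means the signer's state was reused (e.g. restored from a backup),
    which is exactly the failure mode that makes stateful schemes risky."""
    seen, reused = {}, set()
    for msg, sig in signed:
        if not verify(root, msg, sig):
            continue
        idx = sig[0]
        if idx in seen and seen[idx] != msg:
            reused.add(idx)
        seen.setdefault(idx, msg)
    return reused

if __name__ == "__main__":
    signer = MerkleManyTimeSigner(height=3)          # constructed demo: 8 one-time keys
    log = [(m, signer.sign(m)) for m in (b"firmware-v1", b"firmware-v2")]
    snapshot = signer.next_index                      # simulate a backup of the signer state
    log.append((b"firmware-v3", signer.sign(b"firmware-v3")))
    signer.next_index = snapshot                      # simulate restoring that backup
    log.append((b"firmware-v3-hotfix", signer.sign(b"firmware-v3-hotfix")))
    print("all signatures verify:", all(verify(signer.root, m, s) for m, s in log))
    print("reused leaf indices:", detect_index_reuse(signer.root, log))
```

The `__main__` section shows the hazard from the operator's side: every signature still verifies, so a verifier alone never notices the rollback; only an out-of-band check on the leaf index (here `detect_index_reuse`) reveals that leaf 2 signed two different messages. Real XMSS/LMS deployments address this with hardware-backed monotonic state, reserved index ranges per signer instance, and exhaustion tracking, which is the operational burden the comment refers to.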

Who? August 16, 2024 5:13 AM

@ Clive Robinson

“How long before a break gets announced? Especially a non quantum break?”

New encryption algorithms need to be tested in the field; this is the reason OpenSSH uses the hybrid Streamlined NTRU Prime + x25519 ECDH as KEX, providing good protection against quantum computers without losing the well-tested resistance of the old x25519 ECDH against classical computing technology.
