
Post-quantum algorithms

by Mark Rowe

Quantum computers are coming, and are likely to be powerful enough to break encryption, posing a threat to our information systems.

In the United States, the Department of Commerce’s National Institute of Standards and Technology (NIST) has chosen the first group of encryption tools that are designed to withstand the assault of a quantum computer, which could potentially crack the security used to protect privacy in the digital systems we rely on every day, such as online banking and email software. The Institute says the four selected encryption algorithms will become part of its post-quantum cryptographic standard, which it expects to finalise in about two years.

Secretary of Commerce Gina M Raimondo described it as an important milestone in securing sensitive data against the possibility of cyber attacks from quantum computers. She said: “Thanks to NIST’s expertise and commitment to cutting-edge technology, we are able to take the necessary steps to secure electronic information so US businesses can continue innovating while maintaining the trust and confidence of their customers.”

Comments

Duncan Jones, head of cybersecurity at US quantum computing company Quantinuum, called the announcement ‘a major leap towards a quantum-safe economy’. “Organisations can now accelerate their implementation and testing efforts, safe in the knowledge they aren’t backing the wrong horse.

“CISOs in every industry should be working hard on their post-quantum migration plans, so they are ready to launch into production as soon as standardisation is complete in 2024. Combining these post-quantum algorithms with existing quantum-based technology for generating strong cryptographic keys, organisations can create a cryptographic layer that is impenetrable to the most powerful quantum computers of the future.”

And Edlyn Teske, Senior Crypto Expert at Cryptomathic, said: “Now it’s time to apply NIST’s recommendation and ready ourselves for change. In practice, this means that CSOs need to take stock of their organisation’s ability to rapidly switch the cryptographic algorithms that underpin your data security, without upending your entire infrastructure – an approach commonly known as being ‘crypto-agile’. Organisations that invest time and money into achieving true crypto-agility as a near-term priority will be ready to deploy NIST-standardised algorithms as they become available and will be much better prepared to protect their assets from post-quantum threats than those who wait.”

Detail

NIST says the algorithms are designed for the two main tasks for which encryption is typically used: general encryption, used to protect information exchanged across a public network; and digital signatures, used for identity authentication. All four of the algorithms were created by workers from multiple countries and institutions.

For general encryption, used when we access secure websites, NIST has selected the CRYSTALS-Kyber algorithm. Among its advantages are comparatively small encryption keys that two parties can exchange easily, as well as its speed of operation.

For digital signatures, often used when we need to verify identities during a digital transaction or to sign a document remotely, NIST has selected the three algorithms CRYSTALS-Dilithium, FALCON and SPHINCS+ (read as “Sphincs plus”). All of the algorithms are available on the NIST website.