The U.S. government body NIST this week unveiled three quantum-safe encryption tools. Unlike the encryptions of yesteryear, these options should keep data secure forever, even when quantum computers attempt to crack them.
The quantum era isn’t imminent, but that’s no reason to dawdle on security. NIST advises system administrators to begin the transition to quantum-safe standards now. The main benefit is that data which cannot be cracked today will not become crackable in the future. Currently, various encryptions are virtually unbreakable with conventional compute, but once quantum computers arrive, bypassing them will be a piece of cake. NIST cites experts who suspect that this moment could come as early as within a decade.
The star performer: FIPS 203
Although NIST presents three encryption standards, one dominates: FIPS 203. It is meant to be the replacement for the Advanced Encryption Standard (AES), which appears in various forms in everything from Wi-Fi to Google Cloud to password managers to the U.S. government’s confidential data. Big shoes to fill, in other words.
FIPS 203 seems to be prepared for that. It is based on the CRYSTALS-Kyber algorithm, now renamed ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism). NIST had already chosen that algorithm as a quantum-resistant encryption standard in 2022, after a competition that lasted four years. An important detail to keep in mind: one of the finalists of this competition was cracked within 62 minutes.
With this scheme, two parties can establish a shared key over a public channel. As with AES, there are different parameter sizes: the larger ones are more secure, but also the slowest to transmit. For example, ML-KEM-512 is likely to be used when exchanging data over Wi-Fi, while ML-KEM-1024 will be deployed whenever state secrets are involved.
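To make that key exchange concrete, here is an added example that is not from the article, from NIST, or from any ML-KEM implementation: a stripped-down learning-with-errors (LWE) key-encapsulation mechanism in Python, the kind of construction that FIPS 203 builds on. It uses plain LWE with toy parameters instead of Module-LWE and offers no real security; the lattice dimension `n` stands in for the choice between ML-KEM-512 and ML-KEM-1024, since a larger `n` means a harder lattice problem and more computation, and decapsulation is reliable as long as the accumulated noise `2n + 1` stays below `Q / 4`.

```python
import hashlib
import random

Q = 3329       # the ML-KEM modulus, reused so the numbers look familiar
K_BITS = 32    # bits of the encapsulated secret (ML-KEM carries 256)
rng = random.SystemRandom()

def _small(n):
    """Secret/noise vector with entries in {-1, 0, 1}."""
    return [rng.choice((-1, 0, 1)) for _ in range(n)]

def _matvec(m, v):
    return [sum(a * b for a, b in zip(row, v)) % Q for row in m]   # m*v mod Q

def _kdf(bits):
    """Derive a fixed-length key from the recovered bits (SHA-256, hex)."""
    return hashlib.sha256(bytes(bits)).hexdigest()

def keygen(n):
    """Receiver: public key (A, b = A*s + e mod Q), private key s; n = lattice dimension."""
    if 2 * n + 1 >= Q // 4:          # total decryption noise must stay below Q/4
        raise ValueError("n too large for reliable decapsulation")
    a = [[rng.randrange(Q) for _ in range(n)] for _ in range(n)]
    s, e = _small(n), _small(n)
    b = [(x + y) % Q for x, y in zip(_matvec(a, s), e)]
    return (a, b), s

def encaps(pk):
    """Sender: choose random bits, hide them under the public key; return (ciphertext, key)."""
    a, b = pk
    a_t = [list(col) for col in zip(*a)]               # A transposed
    bits = [rng.randrange(2) for _ in range(K_BITS)]
    u, v = [], []
    for m in bits:                                     # one LWE sample per bit
        r, e1 = _small(len(b)), _small(len(b))
        u.append([(x + y) % Q for x, y in zip(_matvec(a_t, r), e1)])
        mask = sum(x * y for x, y in zip(b, r)) + rng.choice((-1, 0, 1))
        v.append((mask + m * (Q // 2)) % Q)
    return (u, v), _kdf(bits)

def decaps(sk, ct):
    """Receiver: remove the mask with s; leftover noise is < Q/4, so rounding recovers each bit."""
    u, v = ct
    bits = []
    for ui, vi in zip(u, v):
        d = (vi - sum(x * y for x, y in zip(sk, ui))) % Q
        bits.append(1 if Q // 4 < d < 3 * Q // 4 else 0)
    return _kdf(bits)
```

Running `keygen(128)` and `keygen(256)` back to back shows the cost of a larger dimension directly: every encapsulation performs `K_BITS` matrix-vector products of size `n × n`.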
FIPS 204 and 205: digital signatures
FIPS 203, based on ML-KEM, is joined by two other options from NIST. FIPS 204 is recommended as the new standard for digital signatures. For that purpose, the underlying algorithm deployed is called ML-DSA (Module-Lattice-Based Digital Signature Algorithm), a renaming of CRYSTALS-Dilithium. Those who want to be sure that a file is authentic and unmodified in a post-quantum era will probably rely on FIPS 204 and ML-DSA in the near future.
FIPS 205 serves as an alternative to FIPS 204, using what was formerly known as the SPHINCS+ algorithm. This is now called SLH-DSA (Stateless Hash-Based Digital Signature Algorithm). Because this algorithm relies on a different mathematical approach than ML-DSA, it is considered a potential substitute if ML-KEM turns out not to be secure after all.
Theoretical but necessary
That note of caution from NIST is telling. After all, no one can make guarantees about post-quantum security without living in the post-quantum era. Shor’s algorithm has never been tested, but it is considered the ultimate bogeyman for all known, traditional encryption standards like AES and RSA. Earlier theoretical estimates of the hardware required to crack RSA, by the way, did not lead to it actually being cracked. In short, it is uncertain whether we really need to worry that much about encryption in the relatively short term.
Yet on several occasions, old encryptions have turned out to be no match for modern computing power. Vulnerabilities discovered later, as happened with the widely used RADIUS protocol in July this year, can be the death knell for an encryption standard. There will therefore always be a need for alternatives to and modernizations of encryption techniques. That is the work the cryptography community is contributing to in coordination with NIST.