U.S. quantum cryptography standards set for release next week
NIST’s flagship post-quantum cryptography guidance that would help protect against decryption capabilities enabled by quantum computers aimed for release the week of Aug. 12.
Scientific guidance meant to ensure the U.S. is ready to shore up cyber defenses against a potential quantum computers’ ability to break through modern encryption methods are set for release the week of Aug. 12, according to people familiar with the matter.
The development of the finalized post-quantum cryptography (PQC) standards are led by the National Institute of Standards and Technology, the Commerce Department’s scientific standards bureau. NIST has finalized the guidance and is readying its release in the coming days, said the people, who spoke on condition of anonymity because they were not authorized to publicly discuss the release timeline.
Today’s cryptographic systems rely on complex mathematical algorithms that are difficult for traditional computers to unravel. Future quantum computers could potentially solve these problems much faster, processing information based on the laws of quantum mechanics where a vast number of possibilities can be solved simultaneously. In cybersecurity terms, it means malicious hackers in the coming years may be augmented with new abilities to unravel encrypted information previously deemed secure.
Federal officials are trying to prevent future quantum computing-powered cyber incidents like “record now, decrypt later” attacks, where an adversary will hoover up encrypted datasets, store them, and — with the eventual existence of a quantum device — decrypt that data to use for theft or exploitation.
Ahead of the algorithms’ release, NIST spent months seeking feedback on draft standards for post-quantum algorithms approved by the agency as it looks to help organizations migrate their networks toward a state of quantum-resilient code.
NIST made an initial selection of four algorithms deemed suitable for post-quantum cryptographic migration in July 2022. The algorithms — CRYSTALS-Kyber, CRYSTALS-Dilithium, SPHINCS+, and FALCON — are specialized for different applications based on draft Federal Information Processing Standards, or FIPS, which are government-stamped blueprints deemed for optimal computer interoperability and security.
CRYSTALS-Kyber, for example, is designed for general secure website encryption, while the others focus on securing digital signature software.
Experts have previously told Nextgov/FCW that implementing quantum readiness cryptography into digital systems is just “the starting gun” for a larger mass migration to secure digital networks in an uncertain quantum future.
“You can think of the NIST standardization as basically the starting gun,” Scott Crowder, vice president for IBM Quantum Adoption and Business Development said in a previous interview. “But there’s a lot of work to be done on taking those standards, making sure that all the open source implementations, all the proprietary implementations get done, and then rippling through and doing all the hard work in terms of doing the transformation upgrade.”
Practical quantum computing tools are about 3 to 5 years out from workforce use and will likely be accessed through cloud based environments, a top National Security Agency official predicted in April.