NIST releases three encryption standards to prepare for future quantum attacks
The National Institute of Standards and Technology has officially released three new encryption standards that are designed to fortify cryptographic protections against future cyberattacks by quantum computers.
The finalized standards come roughly eight years after NIST began efforts to prepare for a not-so-far-off future where quantum computing capabilities can crack current methods of encryption, jeopardizing crucial and sensitive information held by organizations and governments worldwide. Those quantum technologies could appear within a decade, according to a RAND Corp. article cited by NIST in the Tuesday announcement.
“Quantum computing technology could become a force for solving many of society’s most intractable problems, and the new standards represent NIST’s commitment to ensuring it will not simultaneously disrupt our security,” Laurie E. Locascio, director of the Department of Commerce’s NIST and undersecretary of commerce for standards and technology, said in a statement. “These finalized standards are the capstone of NIST’s efforts to safeguard our confidential electronic information.”
The new standards provide computer code and instructions for implementing algorithms for general encryption and digital signatures — algorithms that serve as authentication for an array of electronic messages, from emails to credit card transactions.
For general encryption, the finalized Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) is a standard under which two parties can quickly and easily exchange small encryption keys, according to the release. Meanwhile, for digital signatures, NIST released the final Module-Lattice-Based Digital Signature Algorithm (ML-DSA) as the primary standard and the Stateless Hash-Based Digital Signature Algorithm (SLH-DSA) as a secondary line of defense based on different math.
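What the key exchange described above looks like in practice: the recipient publishes an encapsulation key, the sender derives a shared secret and a ciphertext from it, and the recipient recovers the same secret from the ciphertext. The program below is an added illustration, not code from NIST or from the article; it assumes the ML-KEM-768 implementation in Go's standard library (package crypto/mlkem, available from Go 1.24). The second function shows a property a protocol designer must plan for: ML-KEM uses implicit rejection, so a corrupted ciphertext of the right length is not reported as an error but silently yields a different secret, and the mismatch has to be caught by the surrounding protocol (for example, an authenticated key-confirmation step).

```go
package main

import (
	"bytes"
	"crypto/mlkem"
	"fmt"
)

// Exchange performs one ML-KEM-768 key establishment. The recipient generates a
// key pair and publishes only the encapsulation (public) key; the sender uses
// that key to produce a ciphertext plus a 32-byte shared secret; the recipient
// recovers the same secret from the ciphertext with its decapsulation key.
// Both secrets are returned so the caller can verify they agree.
func Exchange() (senderSecret, recipientSecret []byte, err error) {
	// Recipient side: generate the key pair and serialize the public half.
	dk, err := mlkem.GenerateKey768()
	if err != nil {
		return nil, nil, err
	}
	published := dk.EncapsulationKey().Bytes() // 1184 bytes sent over the wire

	// Sender side: parse the public key it received and encapsulate.
	ek, err := mlkem.NewEncapsulationKey768(published)
	if err != nil {
		return nil, nil, err
	}
	senderSecret, ciphertext := ek.Encapsulate() // 1088-byte ciphertext goes back

	// Recipient side: decapsulate the ciphertext it received.
	recipientSecret, err = dk.Decapsulate(ciphertext)
	if err != nil {
		return nil, nil, err
	}
	return senderSecret, recipientSecret, nil
}

// TamperedCiphertextDiverges flips one bit of the ciphertext "in transit".
// Because of implicit rejection, Decapsulate does not fail (only a wrong-length
// ciphertext is rejected explicitly); it returns a pseudorandom secret that no
// longer matches the sender's. The function returns true when they differ.
func TamperedCiphertextDiverges() (bool, error) {
	dk, err := mlkem.GenerateKey768()
	if err != nil {
		return false, err
	}
	senderSecret, ciphertext := dk.EncapsulationKey().Encapsulate()
	ciphertext[0] ^= 0x01 // simulated corruption of the first byte
	recipientSecret, err := dk.Decapsulate(ciphertext)
	if err != nil {
		return false, err
	}
	return !bytes.Equal(senderSecret, recipientSecret), nil
}

func main() {
	s, r, err := Exchange()
	if err != nil {
		panic(err)
	}
	fmt.Printf("shared secrets agree: %v (%d bytes)\n", bytes.Equal(s, r), len(s))
	diverged, err := TamperedCiphertextDiverges()
	if err != nil {
		panic(err)
	}
	fmt.Printf("tampered ciphertext yields a different secret: %v\n", diverged)
}
```

The sizes in the comments are the ML-KEM-768 parameters (exported by the package as EncapsulationKeySize768 and CiphertextSize768); the shared secret is always 32 bytes and is normally fed into a key-derivation function rather than used directly.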
“We encourage system administrators to start integrating them into their systems immediately, because full integration will take time,” Dustin Moody, a NIST mathematician who leads the post-quantum standardization project, said in a statement included in the release.
Future preparedness
The standards are based on four algorithms that NIST selected in 2022 after a six-year competition to craft new quantum-ready encryption methods. Those algorithms were CRYSTALS-Kyber, CRYSTALS-Dilithium, Sphincs+ and FALCON. In 2023, NIST released draft versions of the three standards that were finalized Tuesday to solicit feedback. According to the agency, the standards haven’t substantially changed since then.
Additionally, while the newly finalized standards are based on the CRYSTALS-Kyber, CRYSTALS-Dilithium, and Sphincs+ algorithms, another draft standard for digital signatures based on FALCON is on the way. That standard will be called the fast-Fourier transform over NTRU-Lattice-Based Digital Signature Algorithm (FN-DSA), NIST’s announcement said.
The agency is also in the process of evaluating two other sets of algorithms for general encryption and digital signatures “that could one day serve as backup standards,” NIST said.
During a White House event Tuesday, Locascio said there will be scenarios in which the first three standards might be insufficient, which is why NIST and its global partners will keep working on generating and testing additional algorithms.
“We will ensure a strong pool of alternates and backups to provide resiliency and redundancy in the case of any yet unknown leaps in quantum mathematics,” Locascio said. “Now, while we know that these leaps and technological advances are inevitable, we do not wait for that future. We act now.”
Scott Crowder, vice president of quantum adoption and business development at IBM, which with its collaborators developed three of the four algorithms NIST selected, told FedScoop in an interview ahead of the announcement that releasing the standards now serves a couple of aims.
The first is mitigating risks from bad actors collecting information now that they’ll try to decrypt when quantum computing is fully realized. For secure government work and industry areas where security is key, “that data has long-term value,” Crowder said. The second is giving organizations time to implement them, he said.
In a way, the situation shares some similarity with the two-digit year abbreviation software bug that was projected to wreak havoc in 2000, known as Y2K. Whereas developers needed to find and change the places in code with a two-digit year ahead of 2000, here organizations need to find cryptographic deployments and change them, Crowder said. The difference between the situations, he said, is that cryptography isn’t static and must evolve for different threats.
The IBM-developed algorithms are CRYSTALS-Kyber, which is now the general encryption standard ML-KEM; CRYSTALS-Dilithium, which is now the primary digital signature algorithm ML-DSA; and FALCON, the forthcoming standard that will be called FN-DSA. The other finalized algorithm, which was called Sphincs+ and is now SLH-DSA, was co-developed by a researcher who was later hired by IBM.
Crowder said that following the release of the NIST standards, more compliance agencies around the world are likely to follow.
Government, industry security
In addition to the standards, other work to prepare the U.S. government for post-quantum cryptography is also underway.
The National Security Agency, for example, released its Commercial National Security Algorithm Suite 2.0 in 2022, outlining requirements for future quantum-resistant algorithms in national security systems. That same year, the Office of Management and Budget directed agencies to inventory cryptography on certain systems and estimate funding needed for migration to post-quantum standards.
Based on those estimates, the White House said the approximate funding needed to make the transition between 2025 and 2035 would be $7.1 billion. That estimate was part of a congressionally mandated report released last month that outlined a plan for migration to post-quantum cryptography, or PQC, standards in the federal government. OMB is required by statute to release guidance on agency migration plans within one year of the first NIST standards being published.
At the White House event Tuesday, Anne Neuberger, deputy national security advisor for cyber and emerging technology, said that through the process of inventorying cryptography, the government learned that it would be “wise” to do it in a more automated way. Neuberger also highlighted a need for prioritization.
“We’re learning that it’s important when you do those inventories to identify what are the most sensitive systems? What’s the most high-value data? Indeed, what’s the data that you’d care if an adversary could use a quantum computer in nine or 10 years to decrypt it?” Neuberger said. “We have lots of that in the intelligence community. We have lots of that in our Department of Defense.”
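The inventory-and-prioritization work Neuberger describes, combined with Crowder's "harvest now, decrypt later" concern, can be expressed as a simple triage pass over inventory records: anything protected by a public-key algorithm that a quantum computer is expected to break, and whose data must stay confidential past the assumed quantum horizon, goes first. The following Go program is an added example and not government or NIST tooling; the asset records, the 10-year horizon (taken from the article's "within a decade") and the bucket rules are constructed assumptions for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Asset is one constructed inventory record: where a cryptographic deployment
// lives, which algorithm protects it, how many years the protected data must
// stay confidential, and how sensitive the data owner rates it (1 low .. 3 high).
type Asset struct {
	Name        string
	Algorithm   string
	DataLifeYrs int
	Sensitivity int
}

// quantumHorizonYears is an assumption based on the article's "within a decade"
// estimate, not a NIST figure.
const quantumHorizonYears = 10

// quantumVulnerable holds the public-key algorithm families that a
// cryptographically relevant quantum computer is expected to break.
var quantumVulnerable = map[string]bool{"RSA": true, "DH": true, "ECDH": true, "ECDSA": true}

// family reduces a label such as "ECDH-P256" to its algorithm family "ECDH".
// ML-KEM and ML-DSA reduce to "ML", which is deliberately not in the set above.
func family(alg string) string {
	return strings.ToUpper(strings.SplitN(alg, "-", 2)[0])
}

// Priority assigns a migration bucket to one asset. Data that must stay secret
// past the horizon is exposed to harvest-now-decrypt-later and goes first.
func Priority(a Asset) string {
	if !quantumVulnerable[family(a.Algorithm)] {
		return "none" // already PQC, or symmetric (e.g. AES), so not part of this public-key pass
	}
	switch {
	case a.DataLifeYrs >= quantumHorizonYears:
		return "urgent"
	case a.Sensitivity >= 3:
		return "high"
	default:
		return "planned"
	}
}

var rank = map[string]int{"urgent": 0, "high": 1, "planned": 2, "none": 3}

// RankInventory returns a copy of the assets ordered by migration priority,
// with the longest data lifetime first inside each bucket.
func RankInventory(assets []Asset) []Asset {
	out := append([]Asset(nil), assets...)
	sort.SliceStable(out, func(i, j int) bool {
		ri, rj := rank[Priority(out[i])], rank[Priority(out[j])]
		if ri != rj {
			return ri < rj
		}
		return out[i].DataLifeYrs > out[j].DataLifeYrs
	})
	return out
}

// SampleInventory is constructed sample data, not a real agency inventory.
func SampleInventory() []Asset {
	return []Asset{
		{"public-web-tls", "ECDH-P256", 1, 1},
		{"records-archive-vpn", "RSA-2048", 25, 3},
		{"hr-database-backup", "AES-256-GCM", 7, 3},
		{"internal-api-mtls", "ECDSA-P256", 2, 3},
		{"pilot-pqc-tunnel", "ML-KEM-768", 25, 3},
	}
}

func main() {
	for _, a := range RankInventory(SampleInventory()) {
		fmt.Printf("%-8s %-22s %-12s data life %2d y\n", Priority(a), a.Name, a.Algorithm, a.DataLifeYrs)
	}
}
```

In a real inventory the records would come from certificate stores, TLS configurations and key-management systems rather than a hard-coded list, which is exactly the automation Neuberger says proved necessary.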
On an IBM press call ahead of the announcement, Lily Chen, a mathematician and NIST fellow, said “the PQC standardization process has been a community effort.” NIST worked with cryptographic researchers, industry and government for evaluation and feedback on the algorithms. That work with industry will need to continue as organizations make the transition, she said.
Like the government, some companies also started looking at post-quantum standards ahead of the NIST announcement to ensure the safety of their information.
Richard Marty, the chief technology officer at LGT Financial Services who also spoke on the IBM call, said it isn’t an option for his company to write off the issue, sometimes called Q-day, as an industry or global problem that it will deal with later.
“We want to be ready for this, and we want to implement solutions as early as possible to specifically also address the threat of ‘harvest now and decrypt later,’” Marty said. “The less old our data is once Q-day happens, the better is our standing in the market, and we can keep up that trust with our clients.”