WASHINGTON: The National Institute of Standards and Technology has chosen to standardize four “quantum-resistant” cryptographic algorithms that are meant to protect sensitive data, several months after the White House warned of national security risks posed by quantum computers.
NIST picked the CRYSTALS-Kyber algorithm for general encryption, used when accessing secure websites, and the CRYSTALS-Dilithium, FALCON and SPHINCS+ algorithms, used to verify identities during a digital transaction or to sign a document remotely, the agency announced Tuesday in a press release.
But there’s a difference between choosing the algorithms and implementing them, according to Duncan Jones, head of cybersecurity at commercial quantum research firm Quantinuum.
“What’s important, though, is to realize that migrating an entire federal agency or private sector company to new algorithms is a huge task,” Jones told Breaking Defense today. “You can’t do it all at once and therefore you have to choose what you do first. And also, what do you test first because you might want to experiment with these algorithms.”
Jones added that first the algorithms will have to be standardized, which will “start the clock” on some of the requirements laid out in national security memorandums issued by the White House in May.
President Joe Biden signed two directives aimed at advancing quantum science, including a memorandum outlining his administration’s plan to address risks posed by quantum computers capable of cracking the Defense Department’s encryption.
“Research shows that at some point in the not-too-distant future when quantum information science matures and quantum computers are able to reach a sufficient size and level of sophistication, they’ll be capable of breaking much of the cryptography that currently secures our digital communication,” a senior administration official told reporters May 4. “The good news is that this is not an insurmountable problem.”
The memorandum directed the federal government to protect quantum technologies and provided a roadmap for agencies to meet specific milestones toward cryptographic migration.
For example, within one year of the memorandum, heads of those agencies are required to deliver an inventory of their IT systems that remain vulnerable to risks posed by quantum computers. Further, within one year of NIST releasing the first set of standards, federal agencies will be required to develop a plan to upgrade their systems to quantum-resistant cryptography.
Final standardization will take up to two years and four additional algorithms are still under consideration for inclusion. NIST plans to announce the finalists at an undisclosed future date, according to the agency’s press release.
“Today’s announcement is an important milestone in securing our sensitive data against the possibility of future cyberattacks from quantum computers,” Gina M. Raimondo, secretary of commerce, said in a statement. “Thanks to NIST’s expertise and commitment to cutting-edge technology, we are able to take the necessary steps to secure electronic information so U.S. businesses can continue innovating while maintaining the trust and confidence of their customers.”