NIST announced on the 5th of July 2022 its decision to standardise the CRYSTALS-Kyber encryption scheme (actually KEM[1]) as well as the digital signature schemes CRYSTALS-Dilithium, FALCON and SPHINCS+.
Background
NIST is the National Institute of Standards and Technology in the US, and it has been working towards a new standard for the next generation of asymmetric primitives, collectively known as “Post Quantum Cryptography” (PQC). NIST have in the past driven the development of several cryptographic standards, best known is the Advanced Encryption Standard (AES) for symmetric encryption.
In Academia, PQC deals with signature and encryption/KEM schemes that must be secure even in the presence of large-scale quantum computers, it relates only to asymmetric encryption and signature schemes since symmetric schemes appears to be inherently secure against quantum computers[2]. PQC has been one of the largest focus points of both the industrial and academic cryptographic communities ever since NISTS’s call-for-proposals went public more than 6 years ago. This latest announcement marks the end of the 3rd round in what is colloquially referred to as the NIST PQC competition.
The milestone
As part of their recent announcement, NIST also stated that the encryption (KEM) schemes BIKE, Classic McEliece, HQC and SIKE are all selected for further review in an extra 4th round. It’s expected that one or two of these will be selected for inclusion in the standard at the end of that round. The primary purpose is to have alternatives already in place in case some major breakthrough would affect the primary candidate. Therefore, the research community’s cryptoanalytical focus should now shift towards those schemes mentioned, as these are the ones selected to be most dissimilar to CRYSTALS-Kyber, while still offering “good enough” performance.
For the case of digital signatures NIST expressed some unhappiness with the (lack of) mathematical diversity among the current proposals, and to this end they have announced a new call for proposals for digital signatures only. Basically, they are offering a restart of the standardization process for signature schemes, except for the ones that have already been selected for standardization. With this they hope find candidates which are based on other mathematical properties than those selected.
What’s next?
As you’ve might have guessed, the PQC effort will continue for a long while yet, but we are seeing the start of the end of the tunnel for this process, and soon the industry can start the work on including some of the selected schemes in concrete products. As of yet, the work has been mostly theoretical, even in the industry.
As a point of comparison, it can also be mentioned that German BSI has already approved[3] the encryption (KEM) schemes McEliece and FrodoKEM to “[…] protect confidential information on a long-term basis […]”. These are much more conservative choices, security wise, but that selection might be just a matter of timing, since they are closely watching the same academic output that NIST has managed to put into focus. It’s probable that BSI will follow NIST’s lead and eventually approve roughly the same schemes, but only time will tell.
Final remarks
Worth noticing is that even with the new methods for key-establishment, the messages themselves, i.e. the payload, stored or communicated will still be encrypted with symmetric algorithms, most likely AES.
Due to an early decision to primarily rely on symmetric primitives for security, and to use only asymmetric primitives for certain add-on features, Advenica’s network encryptors have remained “post quantum secure” since their conception. That is, data transmitted with our VPNs today will remain secure[4] even after the emergence of large-scale quantum computers.
One perspective, by some known as Mosca’s theorem[5], makes us aware of that if we want to keep data protected for X years, we need use a cryptographic system that are safe not only X years but in addition the Y years it takes to change systems. If either or both of X and Y is measured in years or even tens of years we need to focus not only on crypto being secure now, but being secure X+Y years in the future.
Please see our White Paper for more information about quantum cryptography.
Notes
1: A KEM, or a Key Encapsulation Mechanism, is an asymmetric encryption mode whose purpose is to carry a symmetric key which in turn is used to encrypt the actual payload, with a symmetric cipher, such as AES or ChaCha20.
2: Provided your symmetric encryption-key is long enough. See Grovers algorithm.
3: First approval was published 2020-03-24.
4: That is of course, unless some unexpected cryptanalytic breakthrough turns up to affect also the symmetric primitives used.
5: https://csrc.nist.gov/csrc/media/events/workshop-on-cybersecurity-in-a-post-quantum-world/documents/presentations/session8-mosca-michele.pdf
