NIST issues first three quantum-secure encryption standards

  • US’s National Institute of Standards and Technology (NIST) releases the first three post-quantum cryptography standards, one key-encapsulation mechanism and two digital signature schemes, designed to withstand cyberattacks mounted with quantum computers
  • ‘Historic moment’ signals the start of a new era in digital security for both current and future systems and is welcomed by UK telco BT and quantum computing giant IBM
  • Any organisation handling sensitive data should migrate to systems secured by post-quantum cryptography (PQC) as soon as possible
  • No mention of the costs involved, to governments and commerce alike, but they will be eye-wateringly high

The US Department of Commerce’s National Institute of Standards and Technology (NIST) has issued the first three encryption algorithms developed to resist and negate attacks made by quantum computers against digital security defences, including those deployed in communications network infrastructure. 

For years it has been known that malign actors have been intercepting and stealing massive amounts of encrypted data and storing it against the day a quantum computer can decrypt everything they have purloined (the so-called ‘harvest now, decrypt later’ attack), as well as planning to use quantum computers to breach the security systems that defend digital infrastructure. 

Now, though, there are globally applicable specifications that can be used to build quantum-safe systems. The NIST announcement comes eight years after the agency began soliciting, evaluating and testing candidate algorithms in order to standardise post-quantum cryptography. The new algorithms are designed to protect a very wide range of digital traffic, from email messages to e-commerce transactions, wherever public-key cryptography is used today to establish keys or sign data.

As scientists around the world compete to build robust quantum computers capable of operating continually under real-world conditions, rather than just in very closely controlled laboratory environments, nation states as well as commercial organisations are racing to realise quantum computing systems able to break the current encryption standards that provide online security. Now, as long as enterprises, governments and network operators make use of the specifications, those bad actors will have to contend with systems protected by the three new algorithms, which are the first fruit of NIST’s ongoing post-quantum cryptography (PQC) standardisation project. 

The algorithms are ready for use now, so defences can be put in place to preserve the viability of today’s most widely used security protocols, which allow encrypted data to cross public networks on the assumption that nobody other than the sender and the intended recipient can read it. However, nations including China, Russia, Iran and North Korea (together with other countries such as India) are reported to be working on quantum machines able to crack western encryption standards, and current estimates suggest that one or another may succeed, perhaps as early as 2030.  

The NIST announcement is a major milestone for National Security Memorandum 10, issued by the administration of US President Joe Biden in May 2022, which directs US federal agencies to prepare for and carry out the migration to post-quantum cryptography, with the goal of mitigating the quantum risk to federal systems and critical national infrastructure by 2035. The new standards contain the algorithms’ full specifications (including pseudocode), guidance on how to implement them, and their intended uses. 

In its search for quantum-resistant algorithms, NIST evaluated the strength and capabilities of 82 submissions from teams in 25 countries, in an open and transparent competition that began in 2016. After successive rounds of testing and evaluation, the 15 most promising were identified and split into two categories: seven finalists, and eight alternates regarded as candidates for further refinement or tailoring to specific uses.

Commenting on the release, Dustin Moody, a lead mathematician at NIST and head of the PQC programmes, said: “These finalised standards, the primary tools for general encryption and the protection of digital signatures, include instructions for incorporating them into products and encryption systems. We encourage system administrators to start integrating them into their systems immediately, because full integration will take time.”

No need to wait for the next lot – start using the first trio right now!

NIST’s call asked for algorithms for general encryption (that is, key establishment) and for digital signatures, which are used for identity authentication and integrity protection. In July 2022 the agency announced its selection of four algorithms – CRYSTALS-Kyber, CRYSTALS-Dilithium, SPHINCS+ and Falcon – and released draft standards for the first three in August 2023: that trio are the new standards. The Falcon draft is still in development and is due later this year.  

Tellingly, no substantive changes have been made to the draft versions of the standards; what NIST has changed is the algorithms’ names, which are now those used in the three final versions.

The first is Federal Information Processing Standard (FIPS) 203, intended to be the primary standard for general encryption. Strictly, it is a key-encapsulation mechanism rather than a cipher: the sender uses the recipient’s public key to produce a ciphertext together with a shared secret, the recipient recovers the same secret with its private key, and that secret then keys a conventional symmetric cipher such as AES for the bulk data. One of its biggest advantages is that its keys and ciphertexts are comparatively small (an ML-KEM-768 public key is 1,184 bytes and a ciphertext 1,088 bytes) and fast to generate and exchange. FIPS 203 is based on the CRYSTALS-Kyber algorithm, which has been renamed the Module-Lattice-Based Key-Encapsulation Mechanism, or ML-KEM for short.
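To make the encapsulate/decapsulate exchange concrete, here is an added toy key-encapsulation mechanism in Python, written for this page; it is not NIST’s reference code nor any production implementation. It uses ML-KEM-512-like parameters (n = 256, q = 3329, k = 2, eta = 3), so the packed public key comes out at the same 800 bytes as a real ML-KEM-512 encapsulation key, but it replaces the NTT with schoolbook polynomial multiplication and omits ciphertext compression and the Fujisaki-Okamoto transform, so it is a slow, CPA-secure core only and must not be used for anything real. The function names, the seed handling and the shared-secret derivation are this example’s own choices, not FIPS 203’s.

```python
"""Toy Module-LWE KEM in the style of ML-KEM / FIPS 203 (added example, not NIST code).
ML-KEM-512-like parameters, but schoolbook multiplication instead of the NTT, no
ciphertext compression and no Fujisaki-Okamoto transform: a slow CPA-secure core only."""
import hashlib
import secrets

N, Q, K, ETA = 256, 3329, 2, 3        # ring degree, modulus, module rank, noise width
HALF_Q = (Q + 1) // 2                  # a message bit of 1 is encoded as round(q/2)


def poly_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]


def poly_sub(a, b):
    return [(x - y) % Q for x, y in zip(a, b)]


def poly_mul(a, b):
    """Schoolbook product in Z_q[x]/(x^N + 1); the wrap-around x^N = -1 flips the sign."""
    res = [0] * N
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                if i + j < N:
                    res[i + j] += ai * bj
                else:
                    res[i + j - N] -= ai * bj
    return [c % Q for c in res]


def sample_uniform(rho, i, j):
    """Expand the public seed rho into one uniform polynomial by rejection sampling."""
    stream = hashlib.shake_128(rho + bytes([i, j])).digest(6 * N)
    coeffs, pos = [], 0
    while len(coeffs) < N:
        cand = int.from_bytes(stream[pos:pos + 2], "little") & 0x0FFF
        pos += 2
        if cand < Q:
            coeffs.append(cand)
    return coeffs


def sample_cbd(seed, nonce):
    """Small coefficients from a centred binomial distribution, ML-KEM's error sampler."""
    stream = hashlib.shake_256(seed + bytes([nonce])).digest(N * ETA // 4)
    bits = "".join(f"{b:08b}" for b in stream)
    return [(bits[2 * ETA * i:2 * ETA * i + ETA].count("1")
             - bits[2 * ETA * i + ETA:2 * ETA * (i + 1)].count("1")) % Q for i in range(N)]


def dot(u, v):
    """Inner product of two length-K vectors of polynomials."""
    acc = [0] * N
    for a, b in zip(u, v):
        acc = poly_add(acc, poly_mul(a, b))
    return acc


def mat_vec(A, v):
    return [dot(row, v) for row in A]


def encode_msg(m):
    return [((m[i // 8] >> (i % 8)) & 1) * HALF_Q for i in range(N)]


def decode_msg(poly):
    """A coefficient nearer q/2 than 0 decodes to 1; correctness needs the noise below q/4."""
    m = bytearray(32)
    for i, c in enumerate(poly):
        if abs(c - HALF_Q) < min(c, Q - c):
            m[i // 8] |= 1 << (i % 8)
    return bytes(m)


def keygen():
    """Public key (rho, t = A s + e); private key s. The 32-byte seed rho stands in for A."""
    rho, sigma = secrets.token_bytes(32), secrets.token_bytes(32)
    A = [[sample_uniform(rho, i, j) for j in range(K)] for i in range(K)]
    s = [sample_cbd(sigma, i) for i in range(K)]
    e = [sample_cbd(sigma, K + i) for i in range(K)]
    t = [poly_add(x, y) for x, y in zip(mat_vec(A, s), e)]
    return (rho, t), s


def kdf(m, ct):
    """Shared secret bound to the message m and the ciphertext (this toy's own choice)."""
    ct_bytes = b"".join(c.to_bytes(2, "little") for p in ct[0] + [ct[1]] for c in p)
    return hashlib.sha3_256(b"toy-kem" + m + hashlib.sha3_256(ct_bytes).digest()).digest()


def encapsulate(pk):
    """Sender: pick a random 32-byte m, encrypt it under pk, return (shared_secret, ciphertext)."""
    rho, t = pk
    m = secrets.token_bytes(32)
    coins = hashlib.sha3_256(m + rho).digest()        # encryption randomness derived from m
    A_t = [[sample_uniform(rho, j, i) for j in range(K)] for i in range(K)]   # A transposed
    r = [sample_cbd(coins, i) for i in range(K)]
    e1 = [sample_cbd(coins, K + i) for i in range(K)]
    e2 = sample_cbd(coins, 2 * K)
    u = [poly_add(x, y) for x, y in zip(mat_vec(A_t, r), e1)]    # u = A^T r + e1
    v = poly_add(poly_add(dot(t, r), e2), encode_msg(m))         # v = t.r + e2 + enc(m)
    return kdf(m, (u, v)), (u, v)


def decapsulate(sk, ct):
    """Receiver: v - s.u = e.r + e2 - s.e1 + enc(m), i.e. small noise plus the message."""
    u, v = ct
    return kdf(decode_msg(poly_sub(v, dot(sk, u))), ct)


def public_key_bytes(pk):
    """Pack t at 12 bits per coefficient and append rho: 2*384 + 32 = 800 bytes, as ML-KEM-512."""
    rho, t = pk
    out = bytearray()
    for p in t:
        for a, b in zip(p[0::2], p[1::2]):
            out += bytes([a & 0xFF, (a >> 8) | ((b & 0xF) << 4), b >> 4])
    return bytes(out) + rho


if __name__ == "__main__":
    pk, sk = keygen()
    ss_sender, ct = encapsulate(pk)
    print("public key bytes:", len(public_key_bytes(pk)))
    print("shared secrets match:", ss_sender == decapsulate(sk, ct))
```

The point to notice is that the sender never encrypts application data with the lattice scheme: encapsulate() turns the public key into a ciphertext and a 32-byte secret, decapsulate() recovers the same secret, and that secret keys a symmetric cipher. Because the toy omits the FO transform, an attacker who can submit chosen ciphertexts and watch what the receiver does with the resulting secret can learn about s; the real ML-KEM re-encrypts inside decapsulation and returns a pseudorandom value on mismatch.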

The second, FIPS 204, is designed to be the primary standard for digital signatures. It corresponds to the CRYSTALS-Dilithium algorithm (the name is yet another nod to the science fiction nomenclature of Star Trek finding its way into real science), re-christened the Module-Lattice-Based Digital Signature Algorithm, or ML-DSA. 

The third new standard, FIPS 205, also covers digital signatures. It corresponds to the SPHINCS+ algorithm, which henceforth will be known as the Stateless Hash-Based Digital Signature Algorithm, or SLH-DSA for short. Its security rests on different mathematics from ML-DSA’s (the properties of hash functions alone, rather than lattices), and it is intended as a conservative back-up in the event that ML-DSA proves vulnerable to attack in future. The price of that conservatism is size and speed: signatures run from about 7.9 KB (SLH-DSA-128s) to 17 KB (SLH-DSA-128f) at the lowest security level, against 2,420 bytes for ML-DSA-44, so it suits firmware and code signing better than high-volume protocol handshakes.
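The following is an added example, not SLH-DSA or any FIPS 205 code: a Lamport one-time signature in Python built from SHA-256 alone. SLH-DSA stacks thousands of one-time and few-time hash-based signatures into a tree so that the signer never has to track which leaf it has used; this toy shows the one-time building block and why that tracking matters, since every signature with a Lamport key reveals half of the private key. The Observer class, the message strings and the reuse_demo() routine are constructed for the illustration.

```python
"""Lamport one-time signature from SHA-256 alone (added example; not SLH-DSA / FIPS 205 code).
SLH-DSA arranges many one-time and few-time hash-based signatures in a tree so that the
signer never has to remember which leaf it used. This toy shows the one-time building
block and why that matters: each signature reveals half the private key."""
import hashlib
import secrets

BITS = 256  # SHA-256 digest length: one (secret_0, secret_1) pair per digest bit


def H(data):
    return hashlib.sha256(data).digest()


def msg_bits(msg):
    """Digest bits of the message, most significant bit first."""
    d = int.from_bytes(H(msg), "big")
    return [(d >> (BITS - 1 - i)) & 1 for i in range(BITS)]


def lamport_keygen():
    """Private key: 256 pairs of random 32-byte preimages; public key: their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(BITS)]
    pk = [(H(a), H(b)) for a, b in sk]
    return pk, sk


def lamport_sign(sk, msg):
    """For each digest bit, reveal the preimage that bit selects (256 of the 512 secrets)."""
    return [sk[i][b] for i, b in enumerate(msg_bits(msg))]


def lamport_verify(pk, msg, sig):
    return len(sig) == BITS and all(
        H(s) == pk[i][b] for i, (b, s) in enumerate(zip(msg_bits(msg), sig)))


class Observer:
    """Constructed attacker who records every (message, signature) made with one key."""

    def __init__(self):
        self.known = [dict() for _ in range(BITS)]   # per position: {bit: preimage}

    def observe(self, msg, sig):
        for i, (b, s) in enumerate(zip(msg_bits(msg), sig)):
            self.known[i][b] = s

    def exposed(self):
        """Number of the 512 private-key values leaked so far."""
        return sum(len(k) for k in self.known)

    def forge(self, msg):
        """Valid signature on msg if every preimage its digest selects has leaked, else None."""
        bits = msg_bits(msg)
        if all(bits[i] in self.known[i] for i in range(BITS)):
            return [self.known[i][bits[i]] for i in range(BITS)]
        return None


def reuse_demo(reuses, target=b"pay the attacker"):
    """Sign `reuses` distinct constructed messages with one key; report (leaked, forgeable)."""
    pk, sk = lamport_keygen()
    obs = Observer()
    for n in range(reuses):
        msg = b"invoice %d" % n
        sig = lamport_sign(sk, msg)
        assert lamport_verify(pk, msg, sig)
        obs.observe(msg, sig)
    forged = obs.forge(target)
    return obs.exposed(), forged is not None and lamport_verify(pk, target, forged)


if __name__ == "__main__":
    for n in (1, 2, 8, 40):
        leaked, forgeable = reuse_demo(n)
        print(f"{n:2d} signature(s): {leaked}/512 secrets leaked, forgery possible: {forgeable}")
```

With a single signature the attacker holds exactly 256 of the 512 secrets and cannot sign any message whose digest differs in even one bit; after a few dozen signatures with the same key, essentially all 512 have leaked and any message can be forged. Stateful schemes such as XMSS and LMS therefore rely on the signer never reusing a leaf index, which is hard to guarantee across backups, restores and clustered signers; SLH-DSA’s stateless design removes that operational hazard at the cost of the larger signatures noted above.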

Meanwhile, a fourth standard, FIPS 206, still in draft, will be based on Falcon and called the FFT (fast-Fourier transform) over NTRU-Lattice-Based Digital Signature Algorithm (catchy, eh?), or FN-DSA for short and for obvious reasons.

In a statement to all interested parties, Moody noted: “There is no need to wait for future standards. Go ahead and start using these three. We need to be prepared in case of an attack that defeats the algorithms in these three standards, and we will continue working on backup plans to keep our data safe. But for most applications, these new standards are the main event.” And so they are: This is a very important development indeed.

Reaction to the news has been swift and enthusiastic. In the UK, national telco BT Group was quick off the mark to applaud NIST’s announcement. In comments shared with the media, BT, which has been working hard on quantum-secure networking services for years already, stated: “The publication of NIST’s first set of post-quantum cryptography (PQC) standards is a significant milestone for modern cybersecurity. The set of algorithms are a globally leading standard in a new era of protecting communications against cyberattacks by quantum computers.” 

It added: “Although quantum computers are not yet able to break cryptography, it’s important for organisations to have a plan for managing the risk. This begins with [a] risk assessment for each organisation. For example, services that provide encryption of data – particularly long term sensitive data – may be at risk from an adversary who can tap their data today, and will gain access to a cryptographically relevant quantum computer in future. Quantum readiness for these systems is a priority.  The technologies selected to mitigate the risks will involve both PQC and Symmetric Cryptography, and for some scenarios, also Quantum Key Distribution (QKD). We will increasingly see PQC implemented in OTT services, including web browsers and services, and cloud interfaces.” 

And that’s only the start – for example, think about the inherent weaknesses in IoT systems spread across the entire world.

BT has been pouring significant resources into its quantum-safe networking developments in recent years and, in partnership with Toshiba, launched its initial services in 2022 – see BT targets thousands of businesses with its new quantum-secured network.

Meanwhile, IBM has been keen, quite understandably, to blow its own trumpet in letting the world know that it developed (in collaboration with several industry and academic partners) most of the initial NIST post-quantum encryption standards – namely ML-KEM and ML-DSA, as well as the yet-to-be-released Falcon-based FN-DSA specifications. In addition, SLH-DSA was co-developed by a researcher who has since joined IBM. 

"IBM's mission in quantum computing is two-fold: to bring useful quantum computing to the world and to make the world quantum-safe,” stated Jay Gambetta, VP at IBM Quantum. “We are excited about the incredible progress we have made with today's quantum computers, which are being used across global industries to explore problems as we push towards fully error-corrected systems. However, we understand these advancements could herald an upheaval in the security of our most sensitive data and systems. NIST's publication of their first three post-quantum cryptography standards marks a significant step in efforts to build a quantum-safe future alongside quantum computing," added Gambetta. 

IBM was identified as the leading developer of technology that will enable quantum-safe networking, according to the results of a TelecomTV market perception survey (330+ respondents) that were published in our DSP Leaders publication, the Quantum-Safe Networking Perception Report, in April this year. It’s worth noting that BT ranked third in that report.

There’s sure to be plenty more reaction to the NIST standards – watch out for further coverage on TelecomTV. For all of our quantum-related coverage, check out this dedicated news channel
