NIST Prepares Post-Quantum Encryption Standards
Long before quantum computing becomes “mainstream”, state actors will have access to it: in part because they command large budgets, and in part because it is important to them.
Why do they care? Because it will allow them to decrypt both communications that they intercept going forward and communications that they have intercepted in the past and stored. That is a game changer.
While we can make things more difficult with perfect forward secrecy (PFS), which requires each message to be separately decrypted, there are plenty of places where PFS is not being used.
NIST, part of the Department of Commerce, is responsible for creating the encryption standards used by most of the government (except for the spies) and all of the commercial sector, and has been working on this problem since 2016. They are not there yet, but this week they made an important announcement.
They plan to announce finalists for new standards roughly by the end of the year.
Then they have to document them as standards and put out the documents for public comment. Possibly, rinse and repeat.
They expect approved standards by 2024 – an 8 year process.
THEN COMPANIES NEED TO IMPLEMENT THEM AND INTEGRATE THEM INTO SOFTWARE AND HARDWARE PRODUCTS.
They have selected 8 algorithms as candidate standards.
And just to make sure that things don’t get away from them, they are also looking at 7 backup standards.
These standards use different strategies, not just different implementations of solving the same problem. (For example, RSA encryption relies on the hard problem of factoring large numbers into their prime factors. That is not quantum proof, but it is an example of one strategy.) So we potentially have 15 different problems which NIST thinks will be hard for even quantum computers to break. If they are wrong about one, they have 14 more. Backups with backups to the backups.
Look for NIST to release draft proposals in a few months. Then we have more wait. But at least this seems like light at the end of the tunnel.
For software developers, that means work, documentation and testing. Plan to be doing that around 2024.
Credit: SC Magazine and NIST