PQC Standardization Project To Determine The Most Quantum-Safe Algorithms
Read time: 7 minutes
In an age where the idea of quantum cryptography is more than just a theory, organizations like the National Institute of Science and Technology (NIST) are looking for a way to standardize post-quantum cryptography algorithms. The NIST creates compliance standards, best practices, and regulations for cyber security. They work to provide a standardized framework for different encryption algorithms and methods to ensure the best possible security is in place within different organizations. Quantum cryptography is an asset that can be used in the coming years, but it can also cause a detriment to the security of organizations if they are not prepared. That is why the NIST has turned its sights to post-quantum cryptography standardization with its post-quantum cryptography (PQC) standardization project.
What is the PQC standardization project?
As previously mentioned, the NIST sets standards and best practices for cyber security that they suggest organizations follow. Quantum cryptography is a type of cryptography that has the potential to cause large issues in the cyber security community, as it will make the majority of cryptographic algorithms obsolete. The reason quantum cryptography can do this is that, with a powerful enough computer, algorithms that would usually take 10 years to crack could now take only weeks or days with quantum computing. This is the biggest reason the NIST has begun the PQC standardization project. The idea behind this project is to prepare organizations for quantum cryptography before it becomes a real threat. This would allow companies to have the proper encryption algorithms in place throughout the organization so that once quantum computing becomes possible to do, these attacks can be defended against. The types of encryption algorithms the PQC standardization project is working to standardize are quantum-safe algorithms. A quantum-safe algorithm is resistant to attacks from both classical computers, which are the types of computers we use today, and quantum computers. This allows private information stored on devices or in transit in organizations to be the most secure possible, as even a quantum computer will not be able to break a quantum-safe algorithm within hours or days.
Determining the most quantum-safe algorithms
Many times in the past, the NIST has done projects like the PQC standardization project where a number of algorithms are submitted to the project to see if they meet the criteria the best to be considered the standard for that type of cryptography. At the time of writing this, the NIST has just completed its 3rd round of selection for cryptographic algorithms. The finalists and alternative options are as follows:
- Key-Establishment Mechanism (KEM) Algorithms: Kyber, NTRU, SABER, and Classic McEliece
- Digital Signature Algorithms: Dilithium, Falcon, and Rainbow
- Alternative KEM Algorithms: BIKE, FrodoKEM, HQC, NTRUprime, and SIKE
- Alternative Digital Signature Algorithms: GeMSS, PICNIC, and SPHINCS+
Once the current round ends, one or two of the KEM algorithms and one or two of the Digital Signature algorithms will be selected as quantum-resistant algorithms strong enough for standardization across the cyber security landscape. After completing the third round, NIST mathematicians and researchers will continue to look at other algorithms and newly emerging algorithms to see if they are powerful enough to be considered a part of the standardized group of quantum-resistant algorithms.
How can Organizations Prepare for the Future?
Although the NIST has not yet released its list of recommended quantum-resistant cryptography algorithms, organizations can begin preparing themselves for quantum computers now. The following are a few different ways organizations can prepare for the future:
- Quantum Risk Assessment
Performing a quantum risk assessment for your organization will give the security teams within your organization a good idea of where gaps exist in relation to quantum computing. A quantum risk assessment also helps create a list of applications that will be affected by the creation of quantum computers, thus providing the organization with a detailed list of applications that must be updated when moving to quantum-resistant algorithms. This will also help with the next step, identifying at-risk data.
- Identify at-risk data
Identifying an organization’s data at risk is extremely important, even just relating to cyber security in general. Having data classification and identification systems in place in an organization is vital to keep track of data and ensure it is properly protected.
- Use cryptographically agile solutions
The NIST has indicated that the use of crypto-agile solutions is a great way to begin the process of moving toward having quantum-safe security in place. Crypto-agility is the ability to switch between algorithms, primitives, and other encryption mechanisms without causing significant issues in the organization’s infrastructure.
- Develop an understanding of quantum computing and its risks
By training employees on what to look out for in the future of quantum computing, and methods of becoming quantum-resistant, they will have a mindset that is already prepared for the post-quantum age.
- Track the NIST’s PQC Standardization Project
By keeping track of the PQC Standardization Project, an organization can keep up to date on any changes to the quantum-resistant algorithms in the running and change to the selected algorithms when the time is right.