The Department of Commerce’s National Institute of Standards and Technology (NIST) today unveiled its first set of three encryption algorithms designed to withstand cyberattacks from a quantum computer – noting that, after nearly a decade of research, they are ready for immediate use.
NIST initiated its journey for quantum-resistant algorithms in 2015, selecting the top 15 from a batch of 82 submitted algorithms. In 2022, NIST announced its selection of four algorithms – CRYSTALS-Kyber, CRYSTALS-Dilithium, Sphincs+, and FALCON – slated for standardization and released draft versions of three of these standards last August.
“The advancement of quantum computing plays an essential role in reaffirming America’s status as a global technological powerhouse and driving the future of our economic security,” said Deputy Secretary of Commerce Don Graves. “Commerce bureaus are doing their part to ensure U.S. competitiveness in quantum, including the National Institute of Standards and Technology, which is at the forefront of this whole-of-government effort.”
“NIST is providing invaluable expertise to develop innovative solutions to our quantum challenges, including security measures like post-quantum cryptography that organizations can start to implement to secure our post-quantum future,” Graves added. “As this decade-long endeavor continues, we look forward to continuing Commerce’s legacy of leadership in this vital space.”
NIST noted that quantum computing could revolutionize fields from weather forecasting to fundamental physics to drug design, but it carries threats as well.
“Researchers around the world are racing to build quantum computers that would operate in radically different ways from ordinary computers and could break the current encryption that provides security and privacy for just about everything we do online,” NIST said in its press release.
Quantum computing technology is developing rapidly, and some experts predict that a device with the capability to break current encryption methods could appear within a decade, threatening the security and privacy of individuals, organizations, and entire nations.
“Quantum computing technology could become a force for solving many of society’s most intractable problems, and the new standards represent NIST’s commitment to ensuring it will not simultaneously disrupt our security,” said NIST Director Laurie Locascio. “These finalized standards are the capstone of NIST’s efforts to safeguard our confidential electronic information.”
The three finalized standards released today – CRYSTALS-Kyber, CRYSTALS-Dilithium, and Sphincs+ – contain the encryption algorithms’ computer code, instructions for how to implement them, and their intended uses. The fourth draft standard based on FALCON is planned for late 2024, NIST said.
“These finalized standards include instructions for incorporating them into products and encryption systems,” said NIST mathematician Dustin Moody, who heads the post-quantum computing standardization project. “We encourage system administrators to start integrating them into their systems immediately, because full integration will take time.”
Moody said that these standards are the primary tools for general encryption and protecting digital signatures.
NIST noted there have been no substantive changes made to the standards since the draft versions released last year, but it has changed the algorithms’ names to specify the versions that appear in the three finalized standards:
- The CRYSTALS-Kyber algorithm – Federal Information Processing Standard (FIPS) 203 – is intended as the primary standard for general encryption. Among its advantages are comparatively small encryption keys that two parties can exchange easily, as well as its speed of operation. It has been renamed Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM).
- The CRYSTALS-Dilithium algorithm – FIPS 204 – is intended as the primary standard for protecting digital signatures. It has been renamed Module-Lattice-Based Digital Signature Algorithm (ML-DSA).
- The Sphincs+ algorithm – FIPS 205 – is also designed for digital signatures. The standard is based on a different math approach than ML-DSA, and it is intended as a backup method in case ML-DSA proves vulnerable. It has been renamed the Stateless Hash-Based Digital Signature Algorithm (SLH-DSA).
Similarly, when the draft FIPS 206 standard built around FALCON is released, the algorithm will be dubbed FN-DSA, short for FFT (fast-Fourier transform) over NTRU-Lattice-Based Digital Signature Algorithm.
To accommodate any ideas that cryptographers may have had since the initial 2015 call for submissions, NIST asked the public for additional algorithms in 2022 and has begun a process of evaluating them. NIST continues to evaluate two other sets of algorithms that could one day serve as backup standards, the agency said.
One of these sets consists of three algorithms designed for general encryption but based on a different type of math problem than the general-purpose algorithm in the finalized standards. NIST plans to announce its selection of one or two of these algorithms by the end of 2024.
The second set includes a larger group of algorithms designed for digital signatures. In the near future, NIST expects to announce about 15 algorithms from this group that will proceed to the next round of testing, evaluation, and analysis.
While analysis of these two additional sets of algorithms will continue, Moody said that any subsequent post-quantum cryptography standards will function as backups to the three that NIST announced today.
“There is no need to wait for future standards,” he said. “Go ahead and start using these three. We need to be prepared in case of an attack that defeats the algorithms in these three standards, and we will continue working on backup plans to keep our data safe. But for most applications, these new standards are the main event.”
