The Chosen Ones – NIST PQC

Since my last blog post... no wait... let me set the scene – NIST has chosen the future warriors (winners of its Post Quantum Cryptography competition) of cryptography from round 3 and kept potential contestants for another round 4! A mere month later, one of those contestants fell down on the spear of researchers and for some added theatrics, a justiciar came into play around the same time. (Dear readers, can you tell I’ve been watching many dramas with my Mum over the holidays?)

On 05 July 2022, NIST (National Institute of Standards and Technology) chose the CRYSTALS-Kyber technique to be standardised for general encryption, and CRYSTALS-Dilithium, FALCON and SPHINCS+ to be standardised for digital signatures, with a further four techniques still in review for general encryption (round 4). CRYSTALS-Kyber, CRYSTALS-Dilithium and FALCON are based on the mathematical problem of structured lattices, and SPHINCS+ is based on hash functions.

This, however, is not the end of the line. The warriors now need to train before they can fight the just fight and become the real heroes! In other words, these four techniques will now need to become standards that the industry can take and implement in their systems. This process is expected to take another two years. Guidance on migrating from quantum-vulnerable techniques to the quantum-resistant techniques has to be developed. Organisations across the world need to be prepared, e.g. methods for implementing the standards in a crypto-agile manner need to be looked at. It will not be without challenges and it will not be an easy task. However, the sooner the standards are ready, the quicker assets that are vulnerable to “harvest now, decrypt later” attacks can be protected.

The warriors also have four supporting fellows in the next round of elimination: BIKE, SIKE, Classic McEliece and HQC. But drama was not far away when, not even a month later, SIKE fell. The NIST competition encourages public scrutiny, and the SIKE algorithm was broken through research done at KU Leuven university. PQC Rainbow was another technique that fell earlier in the year, in February. Although these breaks caused speculation in the media about the techniques being evaluated, at this experimental level it would be more concerning if all the algorithms passed without issues. Plus, with a select few algorithms around, attention is focused on them. The competition is working as intended and it is a worthy fight.

There is a question of whether it should have taken as long for scrutiny of the algorithms to kick in, and of the nature of the investigations performed. Within a month of the chosen warriors taking position on the podium, a justiciar questioned the transparency of any communication between NIST and the NSA (National Security Agency), and what that entailed for the competition selections (and for general public security and privacy rights). Well-known Post Quantum Cryptography scientist Daniel J. Bernstein has filed a lawsuit against NIST for not divulging information about its cooperation with the NSA. That said, the algorithms are public and can be accessed, researched and investigated throughout the world and throughout the cryptography community.