After a busy few months, I had to make time for a post. Mainly because I couldn’t let the first Quantum Day (14 April 2022) pass without having spent some brain cells on a quantum topic!
Recently, my focus on Quantum Technologies took a backseat while I adapted to something new. I have kept reading relevant articles when I could and made a point to attend my regular quantum computing centred meetups to keep an eye and a foot in… so to speak. Still, I have some catching up to do and this post might have more questions than answers as I navigate and research my thoughts. On the plus side, having questions is always a good starting place!
For the cybersecurity sector, the year 2022 can be a determining one. NIST is expected to announce the “winning” algorithms from their Post-Quantum Cryptography (PQC) competition and this will then bring about a new standard in cryptography. In this post, I want to catch up on the competition status and the latest news. I also touch on the idea of standardisation in Quantum Computing.
Shor’s algorithm (1994) and Grover’s algorithm (1996), devised almost three decades ago, combined with the processing power of the large-scale quantum computers expected within the next decade or so, will break or greatly weaken the cryptography-based security of our technological world today. Shor’s algorithm solves integer factorisation and discrete logarithms efficiently, so it breaks RSA, Diffie-Hellman and elliptic-curve cryptography outright: the public-key schemes that protect transactions on the internet. Grover’s algorithm only gives a quadratic speed-up on brute-force search, which roughly halves the effective key length of symmetric ciphers and hash functions, so those need larger parameters rather than replacement. The current public-key standards will become unsafe, and NIST has since 2009 been looking at post-quantum cryptography methods: classical algorithms, runnable on today’s hardware, built on mathematical problems for which no efficient quantum algorithm is known (quantum techniques such as QKD are a separate track). From 2016, a public call for proposals for post-quantum cryptosystems was made. Unlike previous competitions, a clear winner is not expected, because every branch of the field is still developing. Instead, a select few that have survived NIST and public scrutiny will become the new standards. Thus, NIST is advocating that the industry be open-minded and crypto-agile, i.e. whichever system you move to, be ready to change again if for some reason that system is no longer deemed secure.
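To make the Shor threat concrete, here is an added worked example in Python that is not from the original post: the classical part of Shor’s algorithm, with the quantum period-finding step replaced by a brute-force search that is only feasible for toy numbers. Everything outside `multiplicative_order` is exactly the classical post-processing a quantum computer would hand its result to. The RSA parameters n = 3233 = 61 × 53, e = 17 are the textbook ones, used here purely as constructed sample input; the function names are my own.

```python
from math import gcd
from random import Random


def multiplicative_order(a: int, n: int) -> int:
    """Smallest r > 0 with a**r % n == 1, for gcd(a, n) == 1.

    Found here by brute force, which costs time exponential in the bit
    length of n. Quantum period finding is the one step of Shor's algorithm
    that a quantum computer performs efficiently; the rest is classical.
    """
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def shor_factor(n: int, seed: int = 2022) -> int:
    """Return a non-trivial factor of an odd composite n = p*q via Shor's reduction."""
    rng = Random(seed)  # seeded so the example is reproducible
    while True:
        a = rng.randrange(2, n - 1)
        g = gcd(a, n)
        if g != 1:
            return g  # lucky guess: a already shares a factor with n
        r = multiplicative_order(a, n)
        if r % 2:
            continue  # odd period gives no square root of 1; pick another a
        y = pow(a, r // 2, n)  # y*y == 1 (mod n), so n divides (y-1)*(y+1)
        if y == n - 1:
            continue  # trivial square root (y == -1 mod n); pick another a
        return gcd(y - 1, n)  # y != +-1, so this is a proper factor


def recover_private_exponent(n: int, e: int) -> int:
    """Given only the public key (n, e), rebuild the RSA private exponent d."""
    p = shor_factor(n)
    q = n // p
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)  # modular inverse, Python 3.8+


def rsa_decrypt_without_key(c: int, n: int, e: int) -> int:
    """Decrypt ciphertext c using nothing but the public key."""
    return pow(c, recover_private_exponent(n, e), n)


if __name__ == "__main__":
    n, e = 3233, 17          # constructed toy public key: 3233 = 61 * 53
    m = 65                   # constructed message
    c = pow(m, e, n)         # ordinary RSA encryption with the public key
    print("factor:", shor_factor(n))
    print("recovered d:", recover_private_exponent(n, e))
    print("decrypted:", rsa_decrypt_without_key(c, n, e))
```

Swap the 12-bit modulus for a 2048-bit one and `multiplicative_order` never finishes, which is the whole reason RSA is safe against classical computers; Shor’s quantum period finding is what removes that one obstacle, and nothing about the rest of the attack changes.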
In 2022, the evaluation of proposals is in its 3rd round. Of the 69 complete proposals accepted into round 1 in 2017, 15 candidates remained at the beginning of this year and are under rigorous scrutiny. Attacks have already been published against two of the finalist candidates, in 2021 and in 2022. So one question would be: do we know all the attack prospects of the finalists? If someone discovers a weakness in a finalist that could become a world standard, would not disclosing that vulnerability be an advantage for the nefarious minded?
It is worth noting that the NIST process is not close-ended either; new evaluations are welcome throughout. For example, 8 of those 15 round-3 candidates are alternates that showed potential and could possibly go on to a 4th round. From the 7 finalists, including the two with published attacks (the outcome will depend on how the attacks are handled, I presume), the initial standards will be chosen this year, or at the latest by 2025.
If you use cryptography to secure your systems, the crypto standards will change very soon, and moving your systems to the new standard will require some work. NIST will of course provide guidelines. This brings my next questions! Currently, how many systems are actually within existing standards? Can we expect resistance from companies to moving to new standards? Are stakeholders and end-users aware of the crypto standards protecting their assets? Will compliance or certification be required, and will those be region-oriented, e.g. for the UK, will this be governed by the National Physical Laboratory (NPL)? Finally, will there be sanctions or legal repercussions if a system is not transitioned to a new standard within a time limit? On the promising side of all these questions, the quantum industry and community is new and aware of security aspects and the benefits of standardisation, so everybody is designing, building and growing together from the outset.
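Crypto agility, as NIST advocates above, and the transition work mentioned here are easiest to see in code. The following is an added illustrative example, not part of the original post and not any NIST guideline: a token format that names its own algorithm, a policy registry that marks each algorithm preferred, legacy (accepted on verify only, re-signed on sight) or forbidden, and a migration step. HMAC variants stand in for the signature or KEM algorithms that the real migration will swap; the identifiers, the registry and the `set_policy` hook are my own assumptions, and the key and payload are constructed sample input.

```python
import base64
import hashlib
import hmac
from typing import Callable, Dict, Optional, Tuple

MacFn = Callable[[bytes, bytes], bytes]

# Hypothetical policy registry: algorithm id -> (MAC function, status).
#   "preferred": used for new signatures
#   "legacy":    still verified, but callers are told to re-sign
#   "forbidden": rejected even when the tag would verify
REGISTRY: Dict[str, Tuple[MacFn, str]] = {
    "hmac-sha1":     (lambda k, m: hmac.new(k, m, hashlib.sha1).digest(),     "forbidden"),
    "hmac-sha256":   (lambda k, m: hmac.new(k, m, hashlib.sha256).digest(),   "legacy"),
    "hmac-sha3-256": (lambda k, m: hmac.new(k, m, hashlib.sha3_256).digest(), "preferred"),
}


def set_policy(alg: str, status: str) -> None:
    """Change an algorithm's status, e.g. when a standard deprecates it (data, not code)."""
    fn, _ = REGISTRY[alg]
    REGISTRY[alg] = (fn, status)


def preferred_algorithm() -> str:
    return next(a for a, (_, s) in REGISTRY.items() if s == "preferred")


def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode().rstrip("=")


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign(key: bytes, payload: bytes, alg: Optional[str] = None) -> str:
    """Produce 'alg.payload.tag'. An explicit alg is allowed so that tokens issued
    before a deprecation can be simulated; production callers pass None."""
    alg = alg or preferred_algorithm()
    fn, _ = REGISTRY[alg]
    # The algorithm id is bound into the MAC input, so relabelling a token as a
    # different (weaker) algorithm invalidates the tag: no downgrade by renaming.
    tag = fn(key, alg.encode() + b"." + payload)
    return f"{alg}.{_b64(payload)}.{_b64(tag)}"


def verify(key: bytes, token: str) -> Tuple[bytes, bool]:
    """Return (payload, needs_resign); raise ValueError on bad or forbidden tokens."""
    alg, p64, t64 = token.split(".")
    if alg not in REGISTRY:
        raise ValueError(f"unknown algorithm {alg}")
    fn, status = REGISTRY[alg]
    if status == "forbidden":
        raise ValueError(f"algorithm {alg} is forbidden by policy")
    payload, tag = _unb64(p64), _unb64(t64)
    if not hmac.compare_digest(fn(key, alg.encode() + b"." + payload), tag):
        raise ValueError("bad tag")
    return payload, status == "legacy"


def is_valid(key: bytes, token: str) -> bool:
    try:
        verify(key, token)
        return True
    except ValueError:
        return False


def migrate(key: bytes, token: str) -> str:
    """Re-sign a legacy token under the preferred algorithm; pass others through."""
    payload, needs_resign = verify(key, token)
    return sign(key, payload) if needs_resign else token


if __name__ == "__main__":
    key = b"constructed-demo-key"           # sample input, not a real secret
    old = sign(key, b"order=42", "hmac-sha256")
    print("legacy token verifies, needs re-sign:", verify(key, old))
    print("migrated:", migrate(key, old))
    print("sha1 token accepted?", is_valid(key, sign(key, b"order=42", "hmac-sha1")))
```

Two design choices carry the security point: the algorithm identifier is part of what is authenticated, so an attacker cannot quietly relabel a token to a weaker scheme, and deprecating an algorithm is a change to policy data rather than to code paths, which is exactly the readiness to switch that the post asks for.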
Related Quantum Cybersecurity topics I would like to eventually explore are the standardisations expected for Quantum Key Distribution and Quantum Random Number Generators. I would also like to explore and reflect on the first set of Quantum Computing Governance Principles published by the World Economic Forum in January 2022, with particular attention to the themes of Security, Privacy and Standardisation.
2 replies on “Happy World Quantum day! And a little bit about standardisation!”
This is really interesting: “Currently how many systems are actually within existing standards?” I remember at university my lecturer was saying that the technology advances so fast that by the time regulations/standards kick in, the technology itself is 10 steps ahead.
Thanks for reading and for your feedback, Dana! There are two points: 1. concerning whether or how soon changes in standards are applied, and 2. the progress of technology vs standards.
1. The real world sometimes needs motivation to push through inertia. Take for example the hash function SHA-1 standard, the use of which was officially deprecated by NIST in 2011 as it was no longer secure. In 2017, 1 out of 5 of the world’s websites were still using it to sign certificates. This number decreased when the main web browsers started showing security warnings to users as they came across such websites. In an ideal world, when standards are updated for a security reason, systems using them should make the necessary changes as soon as possible.
2. It is interesting to hear about the advancement of technology vs appropriate standards, and I wonder if this could be avoided in the quantum community; the technology is nascent and standards (e.g. NIST PQC or the IEEE Quantum Initiative) are being developed alongside its progress.