NIST urges immediate adoption of new, post-quantum encryption standard


On Tuesday, the U.S. finalized standards for post-quantum encryption — a move intended to ensure companies, citizens and government agencies can all stay ahead of the potential of quantum computers that can break the encryption used today on nearly every computer.

The post-quantum encryption algorithm that the National Institute of Standards and Technology, or NIST, released in final form today has been vetted for years by experts. The institute encouraged computer system administrators to begin transitioning to the new standard "as soon as possible," according to a press release from NIST.

"These finalized standards include instructions for incorporating them into products and encryption systems," said Dustin Moody, the NIST mathematician who heads the institute's post-quantum cryptography standardization project. "We encourage system administrators to start integrating them into their systems immediately, because full integration will take time."

Switching encryption standards is a gargantuan task, especially for banks, because encryption permeates nearly every aspect of a bank's operations and services. Encryption protects data when users access a banking application or website; it protects their transaction histories stored in the bank's core banking software; it protects ATM transactions and even communications internal to the bank.

In each case, banks will need a plan for replacing the encryption algorithm with a post-quantum option, like the one finalized Tuesday, lest they fall behind and find themselves vulnerable when quantum computing is powerful enough to break classical encryption in coming years.
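One way a bank could start the plan the paragraph above calls for, as an added example that is not part of the article: a small Go program that takes a cryptographic inventory (where cryptography is used, with which algorithm, and for how long the data or signature must stay trustworthy) and turns each row into a migration item. The inventory rows, the urgency scale, and the rule that long-lived confidentiality goes first (traffic recorded today can be decrypted once a large enough quantum computer exists) are this example's own choices. The replacement names beyond ML-KEM (ML-DSA and SLH-DSA, and the FIPS 203/204/205 numbers) are not from the article; they are the identifiers NIST assigned to the finalized standards.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Asset is one row of a cryptographic inventory (constructed for this example).
type Asset struct {
	System    string
	Purpose   string // "key-exchange", "signature" or "symmetric"
	Algorithm string // e.g. "RSA-2048", "ECDHE-P256", "AES-256-GCM"
	Lifetime  int    // years the data must stay secret / the signature trusted
}

// Finding is one migration item: what to replace, with what, and how soon.
type Finding struct {
	System      string
	Algorithm   string
	Replacement string
	Urgency     int // 3 = migrate first, 1 = schedule, 0 = no action
}

// shorBreakable lists the public-key families whose hardness assumptions
// (factoring, discrete logarithms) Shor's algorithm removes. Symmetric
// ciphers and hash functions are deliberately not in this list.
var shorBreakable = map[string]bool{
	"RSA": true, "DSA": true, "DH": true, "ECDH": true, "ECDHE": true,
	"ECDSA": true, "ED25519": true, "ED448": true, "EDDSA": true,
}

// familyOf reduces "RSA-2048" or "ECDHE-P256" to its algorithm family.
func familyOf(alg string) string {
	return strings.ToUpper(strings.SplitN(alg, "-", 2)[0])
}

// Assess turns one inventory row into a finding. Key exchange is ranked by how
// long the protected data must stay secret, because recorded traffic can be
// decrypted later. Signatures are only forgeable once a large quantum computer
// exists, so they are ranked by how long verifiers must keep trusting them and
// sit one step lower on the scale.
func Assess(a Asset) Finding {
	f := Finding{System: a.System, Algorithm: a.Algorithm}
	if !shorBreakable[familyOf(a.Algorithm)] {
		f.Replacement = "none required by FIPS 203/204/205 (not a public-key algorithm)"
		return f
	}
	switch a.Purpose {
	case "key-exchange":
		f.Replacement = "ML-KEM (FIPS 203), run alongside the current key exchange during transition"
		switch {
		case a.Lifetime >= 10:
			f.Urgency = 3
		case a.Lifetime >= 1:
			f.Urgency = 2
		default:
			f.Urgency = 1
		}
	case "signature":
		f.Replacement = "ML-DSA (FIPS 204) or SLH-DSA (FIPS 205)"
		if a.Lifetime >= 10 {
			f.Urgency = 2
		} else {
			f.Urgency = 1
		}
	default:
		f.Replacement = "review: public-key algorithm with unclassified purpose"
		f.Urgency = 1
	}
	return f
}

// Plan assesses the whole inventory and orders it most urgent first.
func Plan(inv []Asset) []Finding {
	out := make([]Finding, 0, len(inv))
	for _, a := range inv {
		out = append(out, Assess(a))
	}
	sort.SliceStable(out, func(i, j int) bool { return out[i].Urgency > out[j].Urgency })
	return out
}

// Inventory is a constructed sample, not data from any real institution.
var Inventory = []Asset{
	{"online-banking TLS", "key-exchange", "ECDHE-P256", 7},
	{"core banking archive transport", "key-exchange", "RSA-2048", 25},
	{"ATM host link", "key-exchange", "DH-2048", 3},
	{"customer statement PDFs", "signature", "RSA-3072", 10},
	{"internal PKI root", "signature", "ECDSA-P384", 15},
	{"mobile app code signing", "signature", "Ed25519", 2},
	{"database at rest", "symmetric", "AES-256-GCM", 25},
	{"password storage", "symmetric", "SHA-256", 25},
}

func main() {
	for _, f := range Plan(Inventory) {
		fmt.Printf("urgency %d  %-32s %-12s -> %s\n", f.Urgency, f.System, f.Algorithm, f.Replacement)
	}
}
```

The output is a ranked worklist rather than a finished plan: each line still needs an owner, a vendor dependency check, and a test of whether the system can carry the larger ML-KEM keys and ciphertexts before a cut-over date is set.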

NIST began work on its new encryption standard eight years ago, when it called for submissions from cryptographers who had ideas for algorithms that could withstand attacks from classical computers and quantum computers. A year ago, NIST released draft standards for a new algorithm. The finalized standard announced Tuesday is substantially the same, but with a name change.

The newly finalized algorithm announced Tuesday is called Module-Lattice-Based Key-Encapsulation Mechanism, or ML-KEM for short. It was previously known as Crystals-Kyber. NIST intends for ML-KEM to be the "primary standard for general encryption," according to the press release. The institute said the standard provides comparatively small encryption keys that two parties can use and exchange easily, with little operational overhead.
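The key exchange the paragraph above describes, as an added example that is not part of the article: Go's standard-library crypto/mlkem package (Go 1.24 or later is assumed) implements ML-KEM-768. The receiver publishes its encapsulation key (1184 bytes); the sender derives a 32-byte shared key and a ciphertext (1088 bytes) from it; the receiver decapsulates to the same key. The block also shows one property practitioners trip over: a ciphertext altered in transit does not make Decapsulate fail, it yields a different key, so the mismatch only surfaces when the key is used, here in an AES-GCM authentication-tag check. The sample message is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/mlkem"
	"crypto/rand"
	"fmt"
)

// Exchange runs one ML-KEM-768 key establishment. The receiver generates the
// key pair and publishes only the encapsulation key; the sender encapsulates a
// fresh secret against it and returns the ciphertext. The third result is what
// the receiver obtains from a ciphertext with one flipped bit: ML-KEM uses
// implicit rejection, so Decapsulate succeeds but yields an unrelated key.
func Exchange() (senderKey, receiverKey, tamperedKey []byte, err error) {
	// Receiver side: key generation. dk stays private; ekBytes is published.
	dk, err := mlkem.GenerateKey768()
	if err != nil {
		return nil, nil, nil, err
	}
	ekBytes := dk.EncapsulationKey().Bytes()

	// Sender side: parse the received public key and encapsulate.
	ek, err := mlkem.NewEncapsulationKey768(ekBytes)
	if err != nil {
		return nil, nil, nil, err
	}
	var ciphertext []byte
	senderKey, ciphertext = ek.Encapsulate()

	// Receiver side: decapsulate the ciphertext to the same shared key.
	receiverKey, err = dk.Decapsulate(ciphertext)
	if err != nil {
		return nil, nil, nil, err
	}

	// Flip one bit as if the ciphertext were corrupted in transit.
	flipped := bytes.Clone(ciphertext)
	flipped[0] ^= 0x01
	tamperedKey, err = dk.Decapsulate(flipped)
	if err != nil {
		return nil, nil, nil, err
	}
	return senderKey, receiverKey, tamperedKey, nil
}

// Seal encrypts plaintext with AES-256-GCM under a 32-byte KEM shared key,
// prefixing the random nonce to the output.
func Seal(sharedKey, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(sharedKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. A wrong shared key fails the GCM tag check here; this is
// the point where the tampered decapsulation from Exchange becomes visible.
func Open(sharedKey, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(sharedKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed message too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	s, r, tampered, err := Exchange()
	if err != nil {
		panic(err)
	}
	fmt.Println("sender and receiver agree:", bytes.Equal(s, r))
	fmt.Println("tampered ciphertext gave the same key:", bytes.Equal(s, tampered))
	sealed, _ := Seal(s, []byte("constructed sample message"))
	_, err = Open(tampered, sealed)
	fmt.Println("AEAD open with tampered key fails:", err != nil)
}
```

Because decapsulation never reports a mismatch, a protocol built on a KEM has to confirm the shared key through something authenticated (an AEAD tag or a key-confirmation MAC) before treating the channel as established.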

According to cryptography expert and IBM researcher Whitfield Diffie, one of the main reasons institutions delay implementation of new standards is uncertainty about what exactly needs to be implemented. With the new ML-KEM standard, that barrier has been overcome.

"Now that NIST has announced the exact standards, organizations are motivated to move forward with confidence," said Diffie, one of the two namesakes of the Diffie-Hellman protocol, a foundational concept in cryptography.


NIST also finalized standards for two digital signature algorithms. Rather than encrypting data to protect it from prying eyes, these signature algorithms enable entities — people, companies, government agencies or anyone else — to create a digital stamp of authenticity. Digital signatures are useful for verifying, for example, that a document was signed and approved by a particular person, or that a website is legitimate.

NIST is still developing three encryption algorithm alternatives that can act as a backup to the standard announced today. Each of the three is a so-called "code-based" encryption algorithm, because it is based on the math behind error-correcting codes — in contrast with ML-KEM, which is based on the math behind lattices.

One major reason NIST is pursuing backup signature and encryption algorithms is that there is no way to definitively, mathematically prove that ML-KEM can resist attacks. Rather, ML-KEM's trustworthiness is based on the effort that NIST and cryptographic experts around the world have poured into trying to break the algorithm, and the fact that none of those efforts have succeeded.

However, if a major development occurs in the mathematical fields of lattices or codes that renders one class of encryption algorithm insecure, the other class would remain secure.

One such development came in 1994 and undermined trust in the popular encryption algorithms of the day. That year, mathematician Peter Shor published an algorithm that quantum computers could one day run to break every encryption algorithm that was popular at the time.

However, because no quantum computer actually existed at the time — let alone one advanced enough to implement Shor's algorithm — the status quo for encryption algorithms remained unchanged.

That status quo has persisted until today, even as quantum computing has advanced significantly. This is because Shor's algorithm requires a quantum computer so powerful that many experts agree no such computer will exist for at least another five years.

While it is possible that the encryption and digital signature algorithms finalized Tuesday will one day be broken — just as classical encryption algorithms are expected to be broken — there is ample reason to trust that the algorithms will long resist attacks from both classical computers and quantum computers.

"Quantum computing technology could become a force for solving many of society's most intractable problems, and the new standards represent NIST's commitment to ensuring it will not simultaneously disrupt our security," said NIST Director Laurie Locascio. "These finalized standards are the capstone of NIST's efforts to safeguard our confidential electronic information."
