Revolution in Cryptography: NIST Presents New Security Algorithms

The willingness to protect digital data from attacks by upcoming quantum computer technologies is reaching a pivotal stage as U.S. authorities introduce a range of protective tools. The National Institute of Standards and Technology (NIST) is on the verge of releasing three approved security algorithms. These algorithms can be utilized by governments and businesses to safeguard information against the emerging threat of quantum hacking. This NIST initiative is part of an evolving revolution in cryptography, responding to fears that quantum computers may one day be capable of cracking codes that have remained impenetrable for decades. Encrypted data is essential for the functioning of modern societies in the digital age, and its security is fundamental for individuals, businesses, and governments. Industries such as finance and telecommunications are planning their transition intensively, while other potentially vulnerable companies have made little or no preparations so far. "It will be massive and costly," said Dustin Moody, head of NIST's post-quantum cryptography standardization process, about the forthcoming security measure. "We need new solutions that provide protection against attacks by these future quantum computers. So much of our security and what we do online—financial transactions, medical information—all of that is cryptographically protected." NIST, part of the U.S. Department of Commerce, is awaiting approval of the trio of standards that were submitted for public commentary last year. The algorithms are part of broader NIST preparations for the post-quantum cryptography era, involving leading technology companies, banks, other businesses, and researchers. U.S. federal agencies will be required to use the new algorithms. While private companies are not mandated to follow suit, many organizations in the U.S. and elsewhere have historically adopted NIST's leadership in cryptography. Quantum computers have transformative potential due to their additional computational power. While standard machines use binary bits that exist in either state 0 or 1, "qubits" of their quantum counterparts can exist in both states simultaneously. This means they can perform certain tasks, like searching for ways to decrypt long-established protection methods, exponentially faster. Quantum computers are still far from commercialization, as their qubits only maintain their quantum states for very short periods, causing errors or "noise" in the calculations. U.S. mathematician Peter Shor theoretically demonstrated 30 years ago that quantum computers with a sufficient number of stable qubits could crack the mathematical problems underlying traditional cryptography. While such machines do not yet exist, technological advancements are bringing the prospect of this critical moment, known as Q-Day, closer. NIST's work is at the forefront of preparations for Q-Day. It received submissions from researchers in more than 30 countries across six continents, reflecting a shared interest in combating cyberterrorism and extortion. Scientists from China have participated in the NIST process, although Beijing is also working on its cryptographic rules for the quantum computing era. NIST's standards would serve "something like a catalyst to get people to take action," said Lory Thorpe, an IBM manager who works with clients on quantum security issues. "For some industries, it’s not something companies do alone. It requires coordination, especially around standards." Some companies have already begun taking measures, while others may only consider moving after the recent global IT outage last month. In February, Apple announced that it had secured its iMessage system with a "groundbreaking post-quantum cryptography protocol." In contrast, other industries and many smaller companies are less advanced. Companies involved in supply chain logistics are among those that most urgently need to focus on the change, according to observers. A challenge in promoting the switch to new cryptographic methods is the lack of concrete deadlines for the quantum computer threat. It may initially seem less urgent than previous IT threats with specific dates, such as the "Y2K bug." However, experts say the threat is already present. Hackers could pursue a "harvest now, decrypt later" strategy, meaning they could steal data today and then store it until quantum computing technology for decryption is developed. The release of the NIST standards will further fuel the debate over the best types of next-generation cryptography. While the new algorithms use classical computing methods of encryption, some researchers are developing ways to harness the massive power of quantum mechanics as a defense mechanism. This idea, known as quantum key distribution, uses a phenomenon called quantum entanglement. This relates to how the properties of two subatomic particles can be linked, even when separated by a large distance. By measuring data from one particle, information from the other can be inferred, enabling the pair to serve as a key for exchanging coded messages. A significant advantage of this technique is that if someone attempts to eavesdrop on such communications, the disturbance to the system alerts both parties that they are being spied on. On the other hand, the technology has a potential security drawback. While the quantum element of communication is secure, the equipment used for transmission and relay is not. Experts suggest that next-generation cryptography will likely comprise a mix of classical and quantum mechanical techniques, depending on the best applications and users. The quantum key distribution method is likely suited for parties that trust each other, communicate frequently, and strictly control the physical infrastructure they use. The finalization of the NIST algorithms will be a critical moment in global preparations for the new cryptography era. It should provoke a response from people who have so far "stood on the sidelines," said Luke Ibbetson, head of research and development at the British telecommunications company Vodafone. "Even among those aware of the threat, they have been hesitant to take action until standards like those from NIST are released," said Ibbetson, who works on cryptography with other telecommunications companies from Europe, the U.S., and Asia. "So, it will be something like the starting gun.