NIST'S Post-Quantum Standards Are Just The Beginning

Uploaded on 2024-12-05 in TECHNOLOGY-Key Areas-Quantum Computing, FREE TO VIEW

The US National Institute of Standards and Technology (NIST) recently released its much-anticipated list of post-quantum algorithms (PQAs), designed to protect data from quantum computing threats. This marks a pivotal moment in the race to secure networks before 'Q-Day' – the moment when quantum computers could potentially break today’s encryption methods.

However, Andy Leaver, CEO at Arqit cautions that while these new standards are a step forward, they are only part of the solution. He highlights the need for a broader, more comprehensive approach to strengthening network security in the face of evolving quantum threats.

Q: What is the significance of NIST’s recently released list of post-quantum encryption algorithms?

The release of this list is a major step in protecting sensitive data from the potential power of quantum computers, which could one day break today’s encryption and expose everything from personal data to state secrets. NIST’s standards offer a global framework for future-proofing cybersecurity, but this is just the start. There are challenges ahead, and organisations will need to navigate the transition carefully.

Q: How do these algorithms differ from current encryption methods?

In contrast to many current encryption methods, which could be vulnerable to quantum computing’s novel mathematical capabilities, these new algorithms offer a higher level of protection by using structures that are much harder for quantum computers to break. 

ML-KEM, ML-DSA  and SLH-DSA are designed for asymmetric encryption, which involves using a pair of keys, where one is public and one is private. ML-KEM (Modular Lattice Key Encapsulation Mechanism) and ML-DSA (Modular Lattice Digital Signature Algorithm) are both based on lattice-based cryptography, which is recognised as one of the strongest approaches to post-quantum security. SLH-DSA (Stateless Hash-Based Digital Signature Algorithm) is slightly different and is founded on the SPHINCS+ hashing mechanism.

Q: What challenges might organisations face in transitioning to NIST’s post-quantum encryption standards?

The algorithms selected by NIST may not be as efficient or cost-effective as the encryption methods currently in use. This could lead to higher operational costs, particularly for organisations that need to update extensive infrastructure. 

The transition itself involves updating a substantial amount of infrastructure, and a range of technical and operational challenges will inevitably arise along the way. This includes interoperability issues between old and new systems. Organisations will need to be prepared for potential downtime and other operational challenges as they implement the new standards. The migration will be complex and gradual, demanding significant investment in time and resources.

Q: Given the potential security issues with some of the algorithms previously considered by NIST, how confident can organisations be in the final list?

The development and selection process behind this list was thorough, but not without setbacks. For example, it only took a weekend and a standard laptop to breach earlier candidates RAINBOW and SIKE, which were previously thought to be quantum-secure. The final list represents the best of what’s currently available.

While the algorithms have been rigorously tested, there are no guarantees that they won’t face similar challenges in the future. Adopting them is a proactive step towards safeguarding data against quantum risks but ongoing research is crucial. Organisations should stay informed about any developments in this regard.

Q: How can Symmetric Key Agreements (SKAs) help in protecting against quantum threats, and why should they be considered alongside NIST’s standards?

Symmetric Key Agreements (SKAs) are quickly becoming the ‘gold standard’ for post-quantum encryption. They use a single key shared between two parties to encrypt and decrypt data, making them simpler and more resistant to quantum attacks compared to asymmetric encryption. SKAs also offer flexibility, supporting a wider range of algorithms.

SKAs can be easily integrated into existing systems, providing immediate protection against threats like man-in-the-middle attacks. Backed by NIST and the NSA, and proven in projects with Intel and Sparkle, SKAs are ready for deployment now. Pairing them with NIST’s new standards offers organisations a stronger, layered defence against both current and future quantum threats.

Andy Leaver is  CEO at  Arqit

Image: Alex Shuper

You Might Also Read:

Quantum-Safe Encryption Comes Closer:

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Empowering Women To Take On More Roles In Cybersecurity
Are Your Deduplication Capabilities Good Enough? »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

US Cyber Command (USCYBERCOM)

US Cyber Command (USCYBERCOM)

USCYBERCOM conducts activities to ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries.

Telecom Information Sharing and Analysis Center Japan (T-ISAC Japan)

Telecom Information Sharing and Analysis Center Japan (T-ISAC Japan)

T-ISAC Japan coordinates information sharing and activities related to ISP/telecommunications network security in Japan.

Operational Center for Information Systems Security (COSSI)

Operational Center for Information Systems Security (COSSI)

COSSI is responsible for the detection and mitigation of cyber attacks directed at French Government information systems.

Potomac Institute for Policy Studies

Potomac Institute for Policy Studies

Potomac Institute undertakes research on key science, technology, and national security issues facing society, Study areas include cybersecurity.

Hexatrust

Hexatrust

The HEXATRUST club was founded by a group of French SMEs that are complementary players with expertise in information security systems, cybersecurity, cloud confidence and digital trust.

ComCERT

ComCERT

ComCERT SA is an independent, private consulting company focusing in the assistance of its customers facing the dangers of cyber threats and security incidents.

Cybersecurity Professionals

Cybersecurity Professionals

Search vacancies from top cyber security jobs worldwide on CyberSecurity Professionals. View IT security jobs or upload your CV to be seen by recruiters from industry leading firms.

Oceania Cyber Security Centre (OCSC)

Oceania Cyber Security Centre (OCSC)

OCSC engages with government and industry to conduct research, develop training opportunities and build capacity for responding to current and emerging cyber security issues.

Vortiv

Vortiv

Vortiv Ltd (formerly known as Transaction Solutions International Ltd) is a technology based company focused on the cybersecurity and the cloud services sector.

EVOKE

EVOKE

EVOKE is an award-winning Digital Transformation company that partners with its clients to build digital workplace solutions for organizational challenges.

EYE Security

EYE Security

EYE provides enterprise-grade cyber security services and cyber insurance to SMEs in Europe, Cyber Incident Response and strategic advice in board rooms.

Cira Info Tech

Cira Info Tech

Cira InfoTech’s cyber security and network consulting and managed services deliver unmatched talented resources and capabilities required to design and build an agile and adaptive IT environment.

NSR

NSR

NSR provide trusted solutions that deliver positive business outcomes for our clients in cybersecurity and data protection challenges.

CLEAR

CLEAR

With more than 17 million members and a growing network of partners across the world, CLEAR's identity platform is transforming the way people live, work, and travel.

RightSec

RightSec

RightSec is an emerging market leader and solution provider for cybersecurity and digital resiliency. We provide end to end solutions to suit your specific business lifecycle.

SGS Brightsight

SGS Brightsight

SGS Brightsight is the largest independent security evaluation lab in the world, with ten recognised labs worldwide.