NIST'S Post-Quantum Standards Are Just The Beginning

Uploaded on 2024-12-05 in TECHNOLOGY-Key Areas-Quantum Computing, FREE TO VIEW

The US National Institute of Standards and Technology (NIST) recently released its much-anticipated list of post-quantum algorithms (PQAs), designed to protect data from quantum computing threats. This marks a pivotal moment in the race to secure networks before 'Q-Day' – the moment when quantum computers could potentially break today’s encryption methods.

However, Andy Leaver, CEO at Arqit cautions that while these new standards are a step forward, they are only part of the solution. He highlights the need for a broader, more comprehensive approach to strengthening network security in the face of evolving quantum threats.

Q: What is the significance of NIST’s recently released list of post-quantum encryption algorithms?

The release of this list is a major step in protecting sensitive data from the potential power of quantum computers, which could one day break today’s encryption and expose everything from personal data to state secrets. NIST’s standards offer a global framework for future-proofing cybersecurity, but this is just the start. There are challenges ahead, and organisations will need to navigate the transition carefully.

Q: How do these algorithms differ from current encryption methods?

In contrast to many current encryption methods, which could be vulnerable to quantum computing’s novel mathematical capabilities, these new algorithms offer a higher level of protection by using structures that are much harder for quantum computers to break. 

ML-KEM, ML-DSA  and SLH-DSA are designed for asymmetric encryption, which involves using a pair of keys, where one is public and one is private. ML-KEM (Modular Lattice Key Encapsulation Mechanism) and ML-DSA (Modular Lattice Digital Signature Algorithm) are both based on lattice-based cryptography, which is recognised as one of the strongest approaches to post-quantum security. SLH-DSA (Stateless Hash-Based Digital Signature Algorithm) is slightly different and is founded on the SPHINCS+ hashing mechanism.

Q: What challenges might organisations face in transitioning to NIST’s post-quantum encryption standards?

The algorithms selected by NIST may not be as efficient or cost-effective as the encryption methods currently in use. This could lead to higher operational costs, particularly for organisations that need to update extensive infrastructure. 

The transition itself involves updating a substantial amount of infrastructure, and a range of technical and operational challenges will inevitably arise along the way. This includes interoperability issues between old and new systems. Organisations will need to be prepared for potential downtime and other operational challenges as they implement the new standards. The migration will be complex and gradual, demanding significant investment in time and resources.

Q: Given the potential security issues with some of the algorithms previously considered by NIST, how confident can organisations be in the final list?

The development and selection process behind this list was thorough, but not without setbacks. For example, it only took a weekend and a standard laptop to breach earlier candidates RAINBOW and SIKE, which were previously thought to be quantum-secure. The final list represents the best of what’s currently available.

While the algorithms have been rigorously tested, there are no guarantees that they won’t face similar challenges in the future. Adopting them is a proactive step towards safeguarding data against quantum risks but ongoing research is crucial. Organisations should stay informed about any developments in this regard.

Q: How can Symmetric Key Agreements (SKAs) help in protecting against quantum threats, and why should they be considered alongside NIST’s standards?

Symmetric Key Agreements (SKAs) are quickly becoming the ‘gold standard’ for post-quantum encryption. They use a single key shared between two parties to encrypt and decrypt data, making them simpler and more resistant to quantum attacks compared to asymmetric encryption. SKAs also offer flexibility, supporting a wider range of algorithms.

SKAs can be easily integrated into existing systems, providing immediate protection against threats like man-in-the-middle attacks. Backed by NIST and the NSA, and proven in projects with Intel and Sparkle, SKAs are ready for deployment now. Pairing them with NIST’s new standards offers organisations a stronger, layered defence against both current and future quantum threats.

Andy Leaver is  CEO at  Arqit

Image: Alex Shuper

You Might Also Read:

Quantum-Safe Encryption Comes Closer:

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Empowering Women To Take On More Roles In Cybersecurity
Are Your Deduplication Capabilities Good Enough? »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Tines

Tines

The Tines security automation platform helps security teams automate manual tasks, making them more effective and efficient.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Council of Europe - Cybercrime Programme Office (C-PROC)

Council of Europe - Cybercrime Programme Office (C-PROC)

The Cybercrime Programme Office of the Council of Europe is responsible for assisting countries worldwide in strengthening their legal systems capacity to respond to cybercrime

LSEC

LSEC

LSEC is a global innovator and facilitator for the Cybersecurity industry. It is a non-profit membership organisation supporting further maturing the industry through its end users.

Certis

Certis

Certis is a leading advanced integrated security organisation that develops and delivers multi-disciplinary security and integrated services.

Prescient

Prescient

Prescient’s Cyber solutions supplement your firm’s existing data security infrastructure with specialized investigations that identify unconventional cyber risks.

Aergo

Aergo

Aergo offers an easier and more proven way to adopt blockchain and transform your business while building on your existing IT and cloud assets.

Zero Networks

Zero Networks

With Zero Network, you can achieve affordable, airtight network access security at scale.

Cobalt Iron

Cobalt Iron

Cobalt Iron is a global leader in SaaS-based enterprise backup and data protection technology.

Prodera Group

Prodera Group

Prodera Group is a specialist technology consulting partner trusted to help navigate the complex and dynamic lifecycle of change and transformation.

Rede Nacional CSIRT

Rede Nacional CSIRT

Rede Nacional CSIRT is a national network of CSIRTs in Portugal aimed at cooperation and mutual assistance in the handling of incidents and in the sharing of good security practices.

Shorebreak Security

Shorebreak Security

Shorebreak Securioty specialize in conducting highly accurate, safe, and reliable Information Security tests to determine the risks posed to your business.

AdronH

AdronH

AdronH is a company of Cyber Security consultants. We support companies and public institutions with their digital transformation to new and secure business platforms.

Technation

Technation

Technation proudly represents the Canadian technology companies that are furthering our nation and the world into the future through innovation, creativity and ingenuity.

Iron Mountain

Iron Mountain

Iron Mountain Incorporated is a global business dedicated to storing, protecting and managing, information and assets.

GitLab

GitLab

GitLab is a complete DevOps platform, delivered as a single application, fundamentally changing the way Development, Security, and Ops teams collaborate and build software.

Transcendental Technologies

Transcendental Technologies

Transcendental is a consulting organization which specializes in customized assurance services in the fields of Localization, Mobile Software Solutions, Web Design, Cyber Security & Cyber Forensics.

Aeris

Aeris

Aeris IoT Watchtower is the world’s first fully integrated cyber security solution for cellular IoT devices.