News
8 minute read

NIST’s post-quantum cryptography standards are here

The US National Institute of Standards and Technology has released Federal Information Processing Standards (FIPS) publications for three quantum-resistant cryptographic algorithms.

The US National Institute of Standards and Technology has released Federal Information Processing Standards (FIPS) publications for three quantum-resistant cryptographic algorithms.

In a landmark announcement, the National Institute of Standards and Technology (NIST) has published its first set of post-quantum cryptography (PQC) standards. This announcement serves as an inflection point in modern cybersecurity: as the global benchmark for cryptography, the NIST standards signal to enterprises, government agencies, and supply chain vendors that the time has come to make the world’s information security systems resistant to future cryptographically relevant quantum computers.

In today’s modern digital economy, the security of sensitive data and communication depends on cryptography. By using cryptographic schemes, organizations provide protections for confidentiality, authenticity, and integrity, ensuring that only authorized parties can access or make changes to data. NIST has finalized the following three PQC standards to strengthen modern public-key cryptography infrastructure for the quantum era:

  • ML-KEM (derived from CRYSTALS-Kyber) — a key encapsulation mechanism selected for general encryption, such as for accessing secured websites
  • ML-DSA (derived from CRYSTALS-Dilithium) — a lattice-based algorithm chosen for general-purpose digital signature protocols
  • SLH-DSA (derived from SPHINCS+) — a stateless hash-based digital signature scheme

Two of the standards (ML-KEM and ML-DSA) were developed by IBM Research cryptography researchers in Zurich with external collaborators, and the third (SLH-DSA) was co-developed by a scientist who has since joined IBM Research.

Existing public-key cryptographic schemes, such as the Rivest-Shamir-Adleman (RSA) cryptosystem, rely on the difficulty of factoring large numbers into prime factors — a challenging problem as the numbers get larger. While computer scientists believe classical computers to be practically incapable of factoring numbers larger than 2048 bits, researchers have shown that a cryptographically relevant quantum computer could break RSA-2048 in a matter of hours by applying Shor’s algorithm.1 If malicious actors were to get access to encrypted data, this could disrupt and harm customer and organizational trust in digital communication, online transactions in retail, digital signatures in finance, and critical infrastructure.

This is where cryptography based on different mathematical problems comes in. The PQC standards rely on the complex mathematics of polynomial lattices and hash functions. Cracking them would be a daunting task for even the most powerful cryptographically relevant quantum computer of the future. An added benefit of the PQC algorithms is their efficiency, said Vadim Lyubashevsky, IBM cryptography researcher and co-developer of the CRYSTALS algorithm suite.

“Algorithms based on lattices when designed properly are actually more efficient than algorithms being used today,” he said. “While they might be larger than classical cryptography, their running time is faster than the classical algorithms based on discrete, larger RSA or elliptic curves.”

NIST has been encouraging organizations to plan and prepare for the quantum-safe migration in advance of this moment.2 However, the release of the standards gives organizations the assurance and guidance they need to begin the transition to post-quantum cryptography.

As cryptography expert Whitfield Diffie, alongside collaborator Martin Hellman, are credited with introducing the ideas of public-key cryptography and digital signatures. They earned the 2015 Turing Award for “inventing and promulgating both asymmetric public-key cryptography, including its application to digital signatures, and a practical cryptographic key-exchange method.” Diffie is now a cryptography researcher at IBM.Whitfield Diffie explains, “One of the main reasons for delayed implementation is uncertainty about what exactly needs to be implemented. Now that NIST has announced the exact standards, organizations are motivated to move forward with confidence.”

We also expect the announcement to drive quantum-safe transformation across the global supply chain, offering a touchpoint around which vendors, procurement experts, and others can rally to ensure quantum-vulnerable systems are identified and transitioned to post-quantum cryptography.

Accelerating the adoption of post-quantum cryptography

It is critical for organizations to begin securing their data and infrastructure with the new quantum-safe algorithms. Data not secured today using post-quantum cryptography is vulnerable to “harvest now, decrypt later” attacks, whereby bad actors steal data and store it until a cryptographically relevant quantum computer becomes available to decrypt it. Additionally, past cryptographic migrations have taken nearly 20 years to complete,3 and the quantum-safe cryptographic migration presents more complexities than previous moves, as it will require many security protocols to be re-engineered and infrastructure to be updated.4 To navigate the migration in a way that minimizes business disruptions and associated costs, organizations need to create a quantum-safe transformation strategy now and begin an incremental transition to the new standards.

Anticipating the newly published PQC standards, organizations and governments around the world have been establishing timelines and guidance for the quantum-safe migration. In May 2022, the White House issued a National Security Memorandum (NSM-10) outlining how US agencies will migrate to the new standards. Shortly after, the Quantum Computing Cybersecurity Preparedness Act passed by Congress mandated federal agencies to prepare an inventory of quantum-vulnerable cryptosystems for the transition. The Commercial National Security Algorithm Suite 2.0, an advisory provided by the US National Security Agency in response to these authorities, gives a 2035 deadline for National Security Systems to complete the quantum-safe migration.5

Meanwhile across the Atlantic, policymakers at the European Commission have been discussing recommendations for the quantum-safe migration. In their “Recommendation on Post-Quantum Cryptography,” the Commission outlines the need for a new EU coordinated action plan to ensure companies across the continent adopt quantum-secured technologies as soon as possible. The European Telecommunications Standards Institute (ETSI) and the European Union Agency for Cybersecurity (ENISA) have been instrumental in promoting PQC, with ETSI’s technical reports urging European organizations to dive into the standards’ adoption and implementation. Several European countries, including France, Germany, Austria, and the UK, plan to endorse or use the NIST standards.

Recognizing the need to prepare for a quantum-safe future, IBM has built a considerable portfolio of quantum-safe technologies and capabilities. In 2022, In 2015, before IBM put its first quantum computer on the cloud and before NIST chose its new standards, our cryptography team began researching how to quantum-proof the IBM zSystems platform.. Read about how we quantum-proofed IBM z16.IBM z16 became the industry’s first quantum-safe system, safeguarding business-critical infrastructure and data from potential attacks by both classical and quantum computers with quantum-safe technologies across multiple layers of firmware. IBM Power10 also provides a strong platform for application modernization with quantum-safe cryptography and fully homomorphic encryption. IBM Cloud offers quantum-safe TLS modes to protect data in transit during and after the key exchange process.

Moreover, we are excited to announce that the IBM Quantum Platform will soon be quantum safe: the leading quantum cloud application for programming real quantum systems will soon begin to transition to the new PQC algorithms. This initiative is part of a comprehensive, long-term plan to integrate quantum-safe security protocols across all IBM hardware, software, and services.

To achieve this, we are pursuing a two-pronged strategy that will bring quantum-safe security not only to the IBM technology stack, but also to the open-source community through our leadership in organizations like the Post-Quantum Cryptography Alliance and PQC-related contributions to numerous open source software projects. The combination of internal and open source community efforts is essential because open source software powers so much of the world’s computing systems.

We are excited to announce that the IBM Quantum Platform will soon begin to transition to the new PQC algorithms.

We aren’t the only technology company that sees the importance of quantum-safe transformation. Widely used products like Apple’s iMessage and the virtual meeting platform Zoom have similarly begun implementing the new standards, namely ML-KEM. Cloudflare is also progressively enabling a version of ML-KEM, and Google Chrome is actively rolling out support for a hybrid KEM scheme. Efforts like these demonstrate confidence in the security and performance offered by post-quantum algorithms for commercially available hardware — and also suggest widespread recognition of the urgent need for quantum-safe technology solutions across networks, software, and hardware.

Implementing the new quantum-safe standards

NIST’s publication of the PQC standards is not an endpoint in the quantum-safe journey but rather the beginning. Adopting a systematic approach with crypto-agility will enable your organization to execute a quantum-safe migration in tandem with other cybersecurity modernization efforts. Start now by establishing your organization’s priorities and creating a quantum-safe transformation strategy. To support organizations throughout this journey, IBM Quantum Safe technologies and services provide a roadmap to cyber resiliency through cryptographic discovery, observability, and transformation.

This process begins with cryptographic discovery to understand where your cryptography is at, what needs to be replaced, and what the dependencies are. Cryptography is typically dispersed across the supply chain, including in internal application code, third-party services, commercial off-the-shelf products, cloud-based services, database components, operating systems, hardware, IoT devices, and more. To promote visibility and drive adoption of post-quantum cryptography across the supply chain, IBM researchers developed the Cryptography Bill of Materials (CBOM). Included in the CycloneDX v1.6 standard — now an Ecma International Standard — the CBOM enables organizations to inventory and analyze their cryptographic assets and supply chain dependencies.

Enterprises can discover cryptographic artifacts, generate a CBOM for their portfolio of business applications, and analyze the associated vulnerabilities using IBM Quantum Safe Explorer, which can be run as a Visual Studio Code extension, via API, or through the command line. IBM Research has also built an open-source CBOM generator and CBOM viewer that generates CBOMs and creates graphic visualizations to enhance the open-source community’s understanding of cryptographic assets in their code. With these tools, organizations can begin evaluating and prioritizing cryptographic assets for the transition, as well as collaborating with vendors to ensure the new PQC standards are applied across the supply chain.

But the path to a quantum-safe future requires more than simply technology — it also depends on methodology and strategy — which is why at IBM, our approach to quantum-safe transformation extends beyond tooling to include the expertise of IBM Consulting. Collaborating across teams over the past three years, we have been enabling our clients to embark on their own unique quantum-safe journey.

LGT, a Liechtenstein-based private banking company and the largest royal family-owned private banking and asset management group in the world, has worked with IBM to identify what data and services they may need to migrate to quantum-safe algorithms. Intesa Sanpaolo (ISP), a leading Italian bank with approximately 13.6 million customers served through its digital and traditional channels, has collaborated with IBM to explore the impacts (such as performance) of migrating to post-quantum cryptography. Using an IBM-developed toolset, they ran experiments implementing two PQC algorithms in a test environment to determine the requirements for deploying quantum-safe cryptography in various use cases. Engagements like these are empowering our clients to assess their cryptographic maturity and create a quantum-safe transformation strategy.

Along with technology and strategy, organizations should look to IBM is taking a global leadership role in quantum-safe consortia. Here’s how that will help industries build a sustainable quantum-safe future.quantum-safe consortia for guidance on PQC implementation best practices. For example, the Post-Quantum Telco Network Taskforce (PQTN), a group formed by GSMA in 2022, with IBM and Vodafone as initial members, has since grown to include more than 60 companies from across the global telco supply chain, with the participation of operators, technology vendors, government, and regulators, provides practical guidelines for integrating quantum-safe capabilities into telco networks and processes. This past February, the PQTN released a white paper with telco use case guidelines that offers considerations for telcos looking to implement the PQC algorithms selected by NIST.

In the financial sector, the Emerging Payments Association Asia (EPAA) work group, comprising EPAA, IBM, HSBC, AP+, and PayPal aims to drive awareness, initiatives, and technical solutions for quantum-safe cryptography.

Potential applications are much wider than financial services and telecommunications. Hospital systems and patients’ data. Judiciary systems and all the data kept by courts. Critical infrastructure — from power plants supplying electricity to the city to public transportation and other essential services that underpin our digitally driven world. All of these sectors need cryptographic assessment and to migrate relevant, critical data to the NIST PQC standards. Take the first steps to building a quantum-safe future today by beginning to implement PQC solutions in your own enterprise. Together, we can build a more resilient digital economy for the quantum future.

Understanding NIST Standards and IBM's contributions for PQC

Notes

  1. Note 1Whitfield Diffie, alongside collaborator Martin Hellman, are credited with introducing the ideas of public-key cryptography and digital signatures. They earned the 2015 Turing Award for “inventing and promulgating both asymmetric public-key cryptography, including its application to digital signatures, and a practical cryptographic key-exchange method.” Diffie is now a cryptography researcher at IBM. ↩︎
  2. Note 2In 2015, before IBM put its first quantum computer on the cloud and before NIST chose its new standards, our cryptography team began researching how to quantum-proof the IBM zSystems platform.. Read about how we quantum-proofed IBM z16. ↩︎
  3. Note 3IBM is taking a global leadership role in quantum-safe consortia. Here’s how that will help industries build a sustainable quantum-safe future. ↩︎

References

  1. Craig Gidney and Martin Ekerå, “How to factor 2048 bit RSA integers in 8 hours using 20 million noisy qubits,” https://arxiv.org/pdf/1905.09749

  2. “Post-Quantum Cryptography: A Q&A with NIST’s Matt Scholl,” NIST.gov, October 27, 2021, https://www.nist.gov/blogs/taking-measure/post-quantum-cryptography-qa-nists-matt-scholl

  3. “Post-Quantum Cryptography,” NIST.gov, https://www.nist.gov/pqcrypto

  4. National Cyber Security Centre, “Next steps in preparing for post-quantum cryptography,” November 3, 2023, https://www.ncsc.gov.uk/whitepaper/next-steps-preparing-for-post-quantum-cryptography

  5. National Security Agency, CNSA 2.0, September 7, 2022, https://media.defense.gov/2022/Sep/07/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF