U.S. Standards Body Reaches Critical Milestone for Mitigating the Quantum Threat, But More Work Is Needed

The National Institute of Standards and Technology (NIST) announced at the beginning of July the successful testing and selection of the first four algorithms that will become part of NIST’s post-quantum encryption standard. This is a critical milestone in the race to develop advanced encryption methods that can resist the code-breaking power of quantum computers that will become available over the next five to 10 years.

In its announcement, NIST explained that the four selected algorithms can “withstand the assault of a future quantum computer, which could potentially crack the security used to protect privacy in the digital systems we rely on every day — such as online banking and email software.” In encryption, algorithms are the mathematical formulas that protect data. To decrypt data, a computer needs to solve those formulas — a process that becomes exponentially faster with the superior computational power emerging via quantum computing. Google’s research has found that calculations taking 10,000 years to complete with current systems could be conducted in one second using quantum technology, making quantum 100 million times faster.

As the White House noted in a national security memorandum in May, “a quantum computer of sufficient size and sophistication — also known as a cryptanalytically relevant quantum computer (CRQC) — will be capable of breaking much of” the encryption used today. “When it becomes available, a CRQC could jeopardize civilian and military communications, undermine supervisory and control systems for critical infrastructure, and defeat security protocols for most Internet-based financial transactions.”

Identifying algorithms that can withstand the increased power of quantum computers is an essential first step. Within two years, NIST will take the next step and release the first technical standards and guidance for quantum-resistant encryption for all products and services currently using less advanced algorithms. Implementation of this standard will take another five to 15 years to protect all systems and data in use today.

Industry experts, however, expect quantum computing to be widely used within five to 10 years. What is more, companies such as IBM are developing hybrid models that merge classical and quantum computing to bypass some of the technical challenges with pure quantum computing so users can begin taking advantage of quantum computing power even sooner.

Thus, there is a need to move faster toward quantum-resistant security. NIST’s approach focuses on increasing the computational complexity of algorithms, but that is not the only way to achieve security. A second, less discussed strategy uses an “information-theoretic secure state.” Regardless of the computational power available for cracking the encryption, data stored in an information-theoretic secure state remains protected by ensuring the adversary never has enough information to break the security.

Today, security practitioners mainly use information-theoretic security as an additional layer rather than the main foundation of cybersecurity. However, with recent technological advances, creating information-theoretic secure states is more viable than in years past and provides a second avenue to achieving post-quantum security. Little effort, however, is being made to explore standards and guidance for developing information-theoretic secure states that could expedite the development of quantum-resistant encryption. As the United States races to match the growing offensive capabilities of adversaries, NIST needs to redouble its efforts to close the impending quantum gap by investing in secondary avenues to achieve immediate and long-term security.

Dr. Georgianna Shea is the chief technologist of the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD), where Matthew Brockie is a research assistant. For more analysis from the authors and CCTI, please subscribe HERE. Follow FDD on Twitter @FDD and @FDD_CCTI. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.