{"id":52066,"date":"2024-08-30T15:26:07","date_gmt":"2024-08-30T19:26:07","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=52066"},"modified":"2024-08-30T15:26:07","modified_gmt":"2024-08-30T19:26:07","slug":"post-quantum-cryptography-standards","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/post-quantum-cryptography-standards\/52066\/","title":{"rendered":"The first post-quantum encryption standards"},"content":{"rendered":"<p>After <a href=\"https:\/\/www.nist.gov\/news-events\/news\/2016\/12\/nist-asks-public-help-future-proof-electronic-information\" target=\"_blank\" rel=\"nofollow noopener\">many years<\/a> of research and testing, in mid-August 2023, the U.S. National Institute of Standards and Technology (NIST) finally introduced fully-fledged post-quantum encryption standards \u2014 FIPS 203, FIPS 204, and FIPS 205. So let\u2019s discuss them and see why they should be adopted as soon as possible.<\/p>\n<h2>Why do we need post-quantum cryptography?<\/h2>\n<p>First, let\u2019s briefly outline the threat quantum computers pose to cryptography. The issue lies in the fact that quantum computing can be used to break asymmetric encryption. Why is this important? As a rule, today\u2019s communication encryption typically uses a dual system:<\/p>\n<ul>\n<li><strong>All messages are encrypted using a symmetric algorithm <\/strong>(like <a href=\"https:\/\/en.wikipedia.org\/wiki\/Advanced_Encryption_Standard\" target=\"_blank\" rel=\"nofollow noopener\">AES<\/a>), which involves a single key shared by all participants. 
Symmetric algorithms work well and fast, but there\u2019s a problem: the key must be somehow securely transmitted between interlocutors without being intercepted.<\/li>\n<li>That\u2019s why <strong>asymmetric encryption is used to transmit this key<\/strong> (like <a href=\"https:\/\/en.wikipedia.org\/wiki\/RSA_(cryptosystem)\" target=\"_blank\" rel=\"nofollow noopener\">RSA<\/a> or <a href=\"https:\/\/en.wikipedia.org\/wiki\/Elliptic-curve_Diffie%E2%80%93Hellman\" target=\"_blank\" rel=\"nofollow noopener\">ECDH<\/a>). Here, each participant has a pair of keys \u2014 a private and a public one \u2014 which are mathematically related. Messages are encrypted with the public key, and decrypted only with the private one. Asymmetric encryption is slower, so it\u2019s impractical to use it for all messages.<\/li>\n<\/ul>\n<p>The privacy of correspondence is ensured by the fact that calculating a private key from the corresponding public key is an extremely resource-intensive task \u2014 potentially taking decades, centuries, or even millions of years to solve. That is \u2014 if we\u2019re using traditional computers.<\/p>\n<p>Quantum computers significantly speed up such calculations. Specifically, <a href=\"https:\/\/en.wikipedia.org\/wiki\/Shor%27s_algorithm\" target=\"_blank\" rel=\"nofollow noopener\">Shor\u2019s quantum algorithm<\/a> can crack private keys for asymmetrical encryption much faster than its creators expected \u2014 in minutes or hours rather than years and centuries.<\/p>\n<p>Once the private key for asymmetric encryption has been calculated, the symmetric key used to encrypt the main correspondence can also be obtained. Thus, the entire conversation can be read.<\/p>\n<p>In addition to communication protocols, this also <strong>puts digital signatures at risk<\/strong>. 
In the majority of cases, digital signatures rely on the same asymmetric encryption algorithms (RSA, <a href=\"https:\/\/en.wikipedia.org\/wiki\/Elliptic_Curve_Digital_Signature_Algorithm\" target=\"_blank\" rel=\"nofollow noopener\">ECDSA<\/a>) that are vulnerable to attacks by quantum computers.<\/p>\n<p>Today\u2019s symmetric encryption algorithms, on the other hand, are much less at risk from quantum computers than asymmetric ones. For example, in the case of AES, finding a 256-bit key using <a href=\"https:\/\/en.wikipedia.org\/wiki\/Grover%27s_algorithm\" target=\"_blank\" rel=\"nofollow noopener\">Grover\u2019s quantum algorithm<\/a> is like finding a 128-bit key on a regular computer. The same applies to hashing algorithms.<\/p>\n<h2>The trio of post-quantum cryptography standards: FIPS 203, FIPS 204, and FIPS 205<\/h2>\n<p>The primary task for cryptographers has become the development of quantum-resistant asymmetric encryption algorithms, which could be used in key transfer and digital signature mechanisms. The result of this effort: the post-quantum encryption standards FIPS 203, FIPS 204, and FIPS 205, introduced by the U.S. National Institute of Standards and Technology (NIST).<\/p>\n<h3><strong>FIPS 203<\/strong><\/h3>\n<p><a href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/FIPS\/NIST.FIPS.203.ipd.pdf\" target=\"_blank\" rel=\"nofollow noopener\">FIPS 203<\/a> describes a key encapsulation mechanism based on <a href=\"https:\/\/en.wikipedia.org\/wiki\/Lattice_problem\" target=\"_blank\" rel=\"nofollow noopener\">lattice theory<\/a> \u2014 ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism). 
This asymmetric cryptographic system \u2014 which is resistant to quantum algorithm attacks \u2014 is designed to transfer <strong>encryption keys<\/strong> between interlocutors.<\/p>\n<p>ML-KEM was developed as part of CRYSTALS (Cryptographic Suite for Algebraic Lattices) and is also known as <a href=\"https:\/\/pq-crystals.org\/kyber\/index.shtml\" target=\"_blank\" rel=\"nofollow noopener\">CRYSTALS-Kyber<\/a>, or simply Kyber.<\/p>\n<p>FIPS 203 features three parameter variants for ML-KEM:<\/p>\n<ul>\n<li>ML-KEM-512: Security level 1 (equivalent to AES-128);<\/li>\n<li>ML-KEM-768: Security level 3 (equivalent to AES-192);<\/li>\n<li>ML-KEM-1024: Security level 5 (equivalent to AES-256).<\/li>\n<\/ul>\n<h3><strong>FIPS 204<\/strong><\/h3>\n<p><a href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/FIPS\/NIST.FIPS.204.pdf\" target=\"_blank\" rel=\"nofollow noopener\">FIPS 204<\/a> defines a digital <strong>signature<\/strong> mechanism, also based on algebraic lattices, called ML-DSA (Module-Lattice-Based Digital Signature Algorithm). Previously known as <a href=\"https:\/\/pq-crystals.org\/dilithium\/\" target=\"_blank\" rel=\"nofollow noopener\">CRYSTALS-Dilithium<\/a>, this mechanism was developed within the same CRYSTALS project as Kyber.<\/p>\n<p>FIPS 204 has three parameter variants for ML-DSA:<\/p>\n<ul>\n<li>ML-DSA-44: Security level 2 (equivalent to SHA3-256);<\/li>\n<li>ML-DSA-65: Security level 3;<\/li>\n<li>ML-DSA-87: Security level 5.<\/li>\n<\/ul>\n<h3><strong>FIPS 205<\/strong><\/h3>\n<p>The third standard, <a href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/FIPS\/NIST.FIPS.205.pdf\" target=\"_blank\" rel=\"nofollow noopener\">FIPS 205<\/a>, describes an alternative digital <strong>signature<\/strong> mechanism: SLH-DSA (Stateless Hash-Based Digital Signature Algorithm). Unlike the other two cryptosystems, which are based on algebraic lattices, SLH-DSA is based on hashing. 
This mechanism is also known as <a href=\"https:\/\/sphincs.org\/\" target=\"_blank\" rel=\"nofollow noopener\">SPHINCS+<\/a>.<\/p>\n<p>This standard involves the use of both the SHA2 hash function with a fixed output length, as well as the SHAKE function with an arbitrary length. For each base cryptographic-strength level, SLH-DSA offers sets of parameters optimized for a higher speed (f \u2014 fast), or a smaller signature size (s \u2014 small). Thus, FIPS 205 has more variety \u2014 with as many as 12 parameter options:<\/p>\n<ul>\n<li>SLH-DSA-SHA2-128s, SLH-DSA-SHAKE-128s, SLH-DSA-SHA2-128f, SLH-DSA-SHAKE-128f: Security level 1;<\/li>\n<li>SLH-DSA-SHA2-192s, SLH-DSA-SHAKE-192s, SLH-DSA-SHA2-192f, SLH-DSA-SHAKE-192f: Security level 3;<\/li>\n<li>SLH-DSA-SHA2-256s, SLH-DSA-SHAKE-256s, SLH-DSA-SHA2-256f, SLH-DSA-SHAKE-256f: Security level 5.<\/li>\n<\/ul>\n<h2>HNDL, and why it\u2019s time to start using post-quantum encryption<\/h2>\n<p>For now, the threat of quantum algorithms breaking asymmetric encryption is mostly theoretical. Existing quantum computers lack the power to actually do it in practice.<\/p>\n<p>Until last year, it was believed that sufficiently powerful quantum systems were still a decade away. However, a 2023 paper suggested ways to <a href=\"https:\/\/www.kaspersky.com\/blog\/quantum-computers-and-rsa-2023\/46733\/\" target=\"_blank\" rel=\"nofollow noopener\">optimize hacking<\/a> using a combination of classic and quantum computing. As a result, the timeline for achieving quantum supremacy seems to have shifted: RSA-2048 could very well be broken within a few years.<\/p>\n<p>It\u2019s also important to remember the concept of HNDL \u2014 \u201charvest now, decrypt later\u201d (or SNDL \u2014 \u201cstore now, decrypt later\u201d). Attackers with significant resources could already be collecting and storing data that can\u2019t currently be decrypted. 
Once quantum computers with sufficient power become available, they\u2019ll immediately begin retroactive decryption. Of course, when this fateful moment comes, it will already be too late, so quantum-resistant encryption standards should be implemented right now.<\/p>\n<p>The ideal approach to deploying post-quantum cryptography based on established IT industry practices is hybrid encryption; that is, encrypting data in two layers: first with a classical algorithm, then with a post-quantum one. This forces attackers to contend with both cryptosystems \u2014 significantly lowering the chances of a successful breach. This approach is already being used by Signal, Apple, Google, and Zoom.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The U.S. National Institute of Standards and Technology (NIST) has issued the first post-quantum encryption standards \u2014 FIPS 203, FIPS 204, and FIPS 205.<\/p>\n","protected":false},"author":2726,"featured_media":52067,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3051],"tags":[597,260,261,43,465,321],"class_list":{"0":"post-52066","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"tag-cryptography","10":"tag-data-protection","11":"tag-encryption","12":"tag-privacy","13":"tag-quantum-computers","14":"tag-technology"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/post-quantum-cryptography-standards\/52066\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/post-quantum-cryptography-standards\/27935\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/post-quantum-cryptography-standards\/23230\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/post-quantum-cryptography-standards\/28111\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/post-quantum-cryptography-standards\/38170\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/post-quantum-cryptography-standards\/28246\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/post-quantum-cryptography-standards\/34045\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/post-quantum-cryptography-standards\/33706\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/encryption\/","name":"encryption"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/52066","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2726"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=52066"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/52066\/revisions"}],"predecessor-version":[{"id":52069,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/52066\/revisions\/52069"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/52067"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=52066"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=52066"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=52066"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}