Return to Security and Privacy

NIST Quantum Cryptography Update 20221008

The Problem

The National Institute of Standards and Technology (NIST) is the U.S. Government Agency responsible for setting the standards for encryption technology used by the government, and has become the de facto standard setter for most of private industry as well. And aside from one lamentable lapse involving the NSA putting backdoors into Elliptical Curves (see Dr. Michael Scott’s explanation for more details), it has done a very good job. And I think the evidence is that NIST learned from that experience not to trust the NSA so much. So this is as much of an authority as there is in this business. One of the things they have been looking at is Quantum Computing, and how that will affect encryption.

The first news reports about quantum computing were full of breathless, “the-sky-is-falling”, apocalyptic warnings that quantum computing would mean the end of all encryption, that no one would ever be able to keep secrets again, and so on. This did of course greatly exaggerate the likely impact of quantum computing. First, while the field is progressing rapidly, it is still an expensive and difficult technology. Typically the components, called Qubits, need to be kept in cryogenically cold conditions. This makes the technology expensive as well. Still, it seems unavoidable that over time this technology will improve, drop in cost, and become a practical technology for many uses. So at some point the encryption technology used today wll become obsolete, that is undeniable. But then, that has happened many times before, and encryption is still here.

But suppose in ten years time it becomes something that is useful for goverments and large companies to implement. How will that affect most people? Well, let’s consider how most of us use encrpytion now. For most people, their encounter with encryption happens when they log on to a Web site that employs some form of TLS encryption to secure your online connections. The current TLS encryption standard is TLS 1.3, adopted in 2018, and it replaced the now deprecated SSL standard first introduced by Netscape. TLS 1.3 removed support for older, now insecure encryption algorithms like MD5 and SHA-1, and moved towards more secure algorithms like SHA-256. For right now, TLS is secure. And given the high cost and limited application of quantum computing right now, it will stay secure for some time into the future, though for how much longer is open to debate. But the biggest threat to your secure online connection is not quantum computing, it is Doug. And by Doug I mean the guy who for the online site who clicks on the wrong link and lets a hacker into the company network, where they can download a database of all of the customers’ login credentials. Doug has always been the biggest threat, and always will be. Now the NSA is likely to be the first agency to implement practical quantum computing, so let’s say they have a practical working prototype right now. Are they going to use it to steal your Netflix login? Of course not. If they thought you were a Russian spy they might want to hack your e-mail, though I suspect they would just issue a legal subpoena to your e-mail provider.

We have some current evidence on how secure current encryption is, and that comes from the Ukraine. Russia has a reputation for having good computer hackers working for them, but they don’t have any idea what the Armed Forces of Ukraine (AFU) are doing from one day to the next. Ukraine’s OpSec is excellent, and they know what they are doing.

The Solution

So, current encryption standards are OK for now, but there will come a time when they are not OK any more. And that is exactly the situation we have faced many times. Old standards fall, and new ones take their place. And NIST takes as its mission to look ahead and prepare for when that happens, and they have done so in the case of quantum computing. Quantum computiong will definitely break current encryption at some time in the not too distant future. Note that NIST says that:

Some engineers even predict that within the next twenty or so years sufficiently large quantum computers will be built to break essentially all public key schemes currently in use.

But quantum computing is a sword that cuts both ways. NIST is in a process of developing encryption technology that uses the power of quantum computing, as we have looked at before (Encryption and Quantum Computing; NIST’s Quantum Cryptography Update 20200815.) The way NIST does this is by creating competitions that let teams of researchers compete to develop new algorithms that are pitted against each other to weed out the weaker ones and find the best ones. This process has been going on to find the quantum computing algorithms since the initial RFC “Post-Quantum Cryptography: Proposed Requirements and Evaluation Criteria” in 2016. And it will likely take a while to work through, since NIST also estimates that it will take about 20 years to work through all of the process. So the ideal is that we have the solution implemented somewhere around 2036, and that is a few years before the practical quantum decrypting machines come along.

One of the issues that NIST has to deal with is that classical computing (the kind we do now with zeros and ones) and quantum computing (with qubits) have both strengths and weaknesses. The current algorithms we use are very strong for classical computers. If done properly an encrypted message could withstand an attack by thousands of computers working for billions of years. But these algortihms could be solved by quantum computers in perhaps days. What you might not realize is the reverse can be true. An algorithm that is secure against quantum decryption might be easily broken by a classical computing. So the algorithms that NIST is looking at have to be secure against both types of computing. Right now they have selected 4 algorithms for further development, out of an initial group of 69, and they are:

  • CRYSTALS-KYBER – This is in the category of Public-key Encryption and Key-establishment Algorithms. So this is a more general encryption algortihm.
  • CRYSTALS-DILITHIUM – A Digital Signature Algorithm
  • FALCON – A Digital Signature Algorithm
  • SPHINCS+ – A Digital Signature Algorithm

All 4 of these came out of the Round Three submissions, but there is also a Round 4 process going on, and many of the algorithms that were not selected from the Round Three group have modified their specifications in response to comments and suggestions and will go back for another try. This is how the good algorithms rise to the top, so you should not be surprised. And there is also a Call for Proposals for additional Digital Signature Algorithms. So the NIST is going to keep looking for new and improved algorithms, and this first batch of 4 is far from the end of the process. These 4 selected algorithms are Candidates to be Standardized, but there could be additional developments.


NIST has proposed to have the initial standardized algorithms in place in 2024, but that is only the start of the process. Just having a standard is not the same thing as having a solution in place. For that to happen, the algorithms need to be embodied in systems throughout society, in corporations, web sites, software packages, and so on. We know from experience that this takes a long time. We still don’t have IPv6 in most applications, and the U.S. still doesn’t have sensible measurement units. So the idea that it could take us into the 2030s to complete the rollout is not at all far fetched. But it is certainly a feasible timeline. And if you are worried about hackers draining your bank account, don’t worry about quantum computers, worry about Doug. Always worry about Doug.


 Save as PDF