European Union Agency For Cybersecurity: PQC Current State and Quantum Mitigation

The European Union Agency for Cybersecurity (ENISA) produced a White Paper that provides an overview of the current state of affairs on the standardization process of Post-Quantum Cryptography (PQC). It presents the 5 main families of PQ algorithms; viz. code-based, isogeny-based, hash-based, lattice-based and multivariate-based. It is important to make a distinction between Post-Quantum Cryptography (PQC) and Quantum Cryptography. PQC is about designing cryptographic solutions that can be used by today’s [non-quantum] computers and that we believe are resistant to both conventional and quantum cryptanalysis. On the other hand, Quantum Cryptography is about cryptographic solutions that take advantage of quantum physics to provide certain security services.

NIST Standardization

NIST intends to standardize post-quantum alternatives to its existing standards for digital signatures (FIPS 186) and key establishment (SP 800-56A, SP 800-56B). These standards are used in a wide variety of Internet protocols, such as TLS, SSH, IKE, IPsec, and DNSSEC. Schemes will be evaluated by the security they provide in these applications, and in additional applications that may be brought up by NIST or the public during the evaluation process. Additionally, NIST intends to standardize one or more schemes that enable “semantically secure” encryption or key encapsulation with respect to adaptive chosen ciphertext attack, for general use. This property is generally denoted IND-CCA2 security in academic literature.

Getting Ready for Post-Quantum Cryptography

In a National Institute of Standards and Technology (NIST) Cybersecurity White Paper, they discuss how cryptographic technologies are used throughout government and industry to authenticate the source and protect the confidentiality and integrity of information that we communicate and store. The paper describes the impact of quantum computing technology on classical cryptography, particularly on public-key cryptographic systems. This paper also introduces adoption challenges associated with post-quantum cryptography after the standardization process is completed. Planning requirements for migration to post-quantum cryptography are discussed. The paper concludes with NIST’s next steps for helping with the migration to post-quantum cryptography.

Post-quantum cryptography

Post-quantum cryptography (PQC), also called quantum-resistant cryptography, refers to the pursuit of cryptographic systems that would be secure against attacks from both conventional and quantum computers. In recent years, quantum computers—machines that exploit quantum mechanical phenomena to evaluate math problems that are too complex or intractable for traditional computers—have been the subject of an extensive amount of research. As of 2021, while no such quantum computer has been built, researchers in the field agree that these powerful computers would be able to break many of the public-key cryptosystems that are currently in use. Doing so would severely compromise the privacy and integrity of digital communications on the internet and elsewhere. Post-quantum cryptography strives to address this issue before it arrives, by working to create cryptographic algorithms that would be secure from a cryptoanalytic attack by a quantum computer.

National Security Agency (NSA) Quantum Computing and Post-Quantum Cryptography FAQ

Lattice-based cryptography derives its security from the related problems of finding a short vector in a lattice or finding a lattice vector that is close to a target vector not in the lattice. These systems are fairly well-studied in cryptologic literature, and analysis suggests that these systems can be secure when well-parameterized. We agree with the NIST assessment, documented in NISTIR 8309: Status Report on the Second Round of the NIST Post-Quantum Cryptography Standardization Process, that these are among the most efficient post-quantum designs. Based on their history of analysis and implementation efforts, NSA CSD expects that a NIST-candidate lattice-based signature and a NIST-candidate lattice-based key encapsulation mechanism will be approved for NSS.