Introduction

The National Institute of Standards and Technology (NIST) has finalized its post-quantum encryption standards [4], addressing the potential cryptographic challenges posed by quantum computing. This initiative, which began in 2016, has led to the development of quantum-safe algorithms designed to withstand future quantum threats. Despite these advancements, many organizations remain unprepared for the transition to post-quantum cryptography [5].

Description

The US National Institute of Standards and Technology (NIST) finalized its post-quantum encryption standards in August 2024 [1] [2] [4] [6], addressing the anticipated cryptography crisis posed by quantum computers [6]. The initiative, which began in 2016, assessed candidate algorithms and selected quantum-safe ones designed to withstand future quantum computing threats [2]. It culminated in the publication of FIPS 203 (ML-KEM, derived from CRYSTALS-Kyber) and FIPS 204 (ML-DSA, derived from CRYSTALS-Dilithium) [6]. A third standard based on FALCON is expected to be published as FIPS 206 in late 2024 [6]. These newly selected post-quantum algorithms differ significantly from classical asymmetric cryptography, so digital signature schemes and attestation protocols built on them require a new approach [4].

Despite the establishment of these essential guidelines, most organizations have not begun preparing for the post-quantum threat [3]. A report by the Entrust Cybersecurity Institute indicates that only 36% of organizations globally have adopted a strict post-quantum cryptography plan, 31% prefer a hybrid approach, and 26% are in the early stages of internal testing [5]. Alarmingly, less than half of organizations are preparing for the transition to post-quantum cryptography at all, and over one-third lack the necessary scale or technology [5]. Furthermore, 51% of respondents report unclear ownership of the transition process [1], and 43% struggle to gain visibility of their cryptographic assets. Organizations are encouraged to familiarize themselves with the new standards and plan their implementation, including any necessary hardware upgrades, because adopting these algorithms will eventually be unavoidable [7].

In response to the emerging quantum threat, the US White House issued National Security Memorandum NSM-10 in May 2022, outlining the migration of federal agencies to the new standards [6]. The Quantum Computing Cybersecurity Preparedness Act was also passed, requiring agencies to inventory their quantum-vulnerable cryptosystems so that the necessary upgrades can be planned [6]. Additionally, the NSA released the Commercial National Security Algorithm Suite 2.0, which sets a 2035 deadline for National Security Systems to transition to quantum-safe standards [6].
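As an added example (not from any of the cited articles), the following Python script illustrates the kind of inventory that the mandate above and the visibility gap reported by Entrust call for: it parses constructed TLS handshake log lines, classifies each host's key exchange and signature algorithm as quantum-vulnerable, hybrid, post-quantum (FIPS 203/204 parameter sets) or unknown, and counts lines it could not parse. The log line format, host names and sample lines are assumptions made for this example.

```python
import re
from collections import Counter

# Key agreement and signature families that Shor's algorithm breaks.
QUANTUM_VULNERABLE = {"rsa", "dh", "dhe", "ecdh", "ecdhe", "ecdsa",
                      "x25519", "x448", "ed25519", "ed448"}
# Parameter sets from FIPS 203 (ML-KEM) and FIPS 204 (ML-DSA).
POST_QUANTUM = {"ml-kem-512", "ml-kem-768", "ml-kem-1024",
                "ml-dsa-44", "ml-dsa-65", "ml-dsa-87"}
# Assumed (constructed) log line shape: host=<name> kex=<alg[+alg]> sig=<alg>
LINE_RE = re.compile(r"host=(?P<host>\S+)\s+kex=(?P<kex>\S+)\s+sig=(?P<sig>\S+)")

def classify(alg: str) -> str:
    """Classify one algorithm field; '+' joins the members of a hybrid group."""
    parts = {p.lower() for p in alg.split("+")}
    pq, classical = parts & POST_QUANTUM, parts & QUANTUM_VULNERABLE
    if pq and classical:
        return "hybrid"      # e.g. x25519+ml-kem-768: interim step, still has a classical part
    if pq:
        return "pq"
    if classical:
        return "vulnerable"
    return "unknown"         # unrecognised names go to review, never assumed safe

def inventory(log_text: str) -> dict:
    """Map each host to (kex_status, sig_status) and summarise per component."""
    hosts, malformed = {}, 0
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            malformed += 1   # count gaps in visibility instead of dropping them silently
            continue
        hosts[m["host"]] = (classify(m["kex"]), classify(m["sig"]))
    return {"hosts": hosts, "malformed": malformed,
            "kex_summary": Counter(k for k, _ in hosts.values()),
            "sig_summary": Counter(s for _, s in hosts.values())}

# Constructed sample input for this example.
SAMPLE_LOG = """\
host=api.example.internal kex=x25519 sig=rsa
host=vpn.example.internal kex=x25519+ml-kem-768 sig=ecdsa
host=kms.example.internal kex=ml-kem-1024 sig=ml-dsa-87
host=legacy.example.internal kex=dhe sig=rsa
host=iot.example.internal kex=custom-kex sig=rsa
heartbeat ok
"""

if __name__ == "__main__":
    for host, (kex, sig) in inventory(SAMPLE_LOG)["hosts"].items():
        print(f"{host:30} kex={kex:10} sig={sig}")
```

On the sample input, only the kms host is fully post-quantum; the vpn host's hybrid key exchange still pairs with a classical signature, and the iot host's unrecognised key exchange is reported for manual review.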

Initial implementations of these post-quantum cryptography standards are underway, primarily in software. Google has been testing post-quantum cryptography in its Chrome web browser since 2016, with ML-KEM set to be enabled by default in May 2024. IBM has shipped post-quantum cryptography implementations on its z15 mainframe since 2017 and promoted its z16 mainframe as the first quantum-safe system in 2022, integrating the algorithms into its Hardware Security Modules (HSMs) [6].

To facilitate the adoption of these quantum-resilient algorithms, Microsoft is open-sourcing the Adams Bridge Accelerator, which provides hardware acceleration for the NIST-selected algorithms Dilithium (ML-DSA) and Kyber (ML-KEM) [4]. The register-transfer level (RTL) code for the Adams Bridge Accelerator is available as a discrete crypto accelerator and is also integrated into the open-sourced Caliptra Root of Trust (RoT) [4]. Caliptra, a silicon root of trust co-founded by Microsoft, is being adopted by leaders in AI, storage, and network infrastructure [4]. The updated version of Caliptra, showcased at the OCP Global Summit 2024, is quantum resilient, extends the capabilities of Caliptra 1.0, and meets all root of trust requirements of NIST SP 800-193 [4].

Samantha Mabey, Director of Digital Solutions Marketing at Entrust, noted a significant shift in industry focus from questioning whether the post-quantum threat is real to actively seeking guidance on necessary actions and implementation [5]. Hardware implementations of the post-quantum standards are expected to follow the typical progression from software to dedicated hardware, which will require further study of the algorithms' mathematics to develop acceleration methods for the FIPS post-quantum cryptography algorithms [6].

Conclusion

The finalization of post-quantum encryption standards by NIST marks a significant step in addressing the cryptographic challenges posed by quantum computing. However, the transition to these new standards requires urgent attention from organizations worldwide. As the quantum threat looms, it is imperative for entities to develop comprehensive strategies, including necessary hardware upgrades [7], to ensure a smooth transition. The ongoing efforts by government bodies and tech companies highlight the importance of collaboration in mitigating potential risks and securing digital infrastructure against future quantum threats.

References

[1] https://thenimblenerd.com/article/quantum-cryptography-crisis-why-half-of-organizations-are-unprepared-for-the-future/
[2] https://www.tomshardware.com/tech-industry/quantum-computing/chinese-scientists-use-quantum-computers-to-crack-military-grade-encryption-quantum-attack-poses-a-real-and-substantial-threat-to-rsa-and-aes
[3] https://finance.yahoo.com/news/post-quantum-cryptography-awareness-high-130000989.html
[4] https://techcommunity.microsoft.com/t5/azure-confidential-computing/adams-bridge-an-accelerator-for-post-quantum-resilient/ba-p/4269585
[5] https://www.infosecurity-magazine.com/news/orgs-unprepared-postquantum-threat/
[6] https://www.eejournal.com/article/nist-issues-new-quantum-crypto-standards-for-cyberspace/
[7] https://gestaltit.com/podcast/tom/you-dont-need-post-quantum-crypto-yet/