August 15, 2024
In 2016, the National Institute of Standards and Technology (NIST) in the US announced its Post-Quantum Cryptography Standardization competition whereby scientists could submit new encryption methods that are resistant to quantum attacks. 82 proposals were submitted, and in 2022, four were selected for standardization and widescale use. Now, NIST has published the standards for three of these methods, with one method, known as SPHINCS+, co-developed by TU/e researchers Andreas Hülsing – who also led the proposal – and Tanja Lange.
Quantum computers are coming, and they will herald a host of new applications and possibilities. However, their emergence presents a threat to Internet security as, in theory, quantum computers could overwhelm our current cryptographic security protocols.
So, how could quantum computers ‘defeat’ our existing encryption approaches? Several of our current encryption methods are built on a foundation of solving difficult mathematical tasks such as the factorization of a number into a pair of very large prime numbers, where each prime could have more than 200 digits. Solving for these prime numbers could take thousands of years with a desktop computer or your laptop. But a quantum computer could solve for the prime numbers in hours.
Standards to meet the urgency
Although quantum computers are not around just yet, there is still a sense of urgency to prepare for their arrival by ensuring that we have cryptographic methods that are resistant to quantum computers.
Eight years ago, NIST announced its Post-Quantum Cryptography Standardization competition with the aim of finding quantum-resistant methods to replace our current encryption methods which are designed for use with current computers. The open competition received 82 proposals, and after a lengthy evaluation process, the number was whittled down to four quantum-resistant methods.
NIST has just published the standards for three of those methods – Kyber, Dilithium, and SPHINCS+ – which means that they are now ready to be used in our global communications and online infrastructure.
Immediate impact for e-mail and documents
For Andreas Hülsing, lead of the SPHINCS+ team, and Tanja Lange both from the Department of Mathematics and Computer Science, this is a significant moment.
“Cryptographic algorithms that NIST standardizes are used all over the world,” says Hülsing. “Any secure connection to your bank is likely to be protected by at least two such standardized algorithms. And with the publication of these new NIST standards, both algorithms will be replaced by one of the newly selected algorithms.”
Hülsing and Lange have contributed considerably to SPHINCS+. This is a signature scheme, which could be used to verify the authenticity of documents or digital messages like e-mails. Dilithium, one of the other newly standardized methods, is also a signature scheme, but would be used for different applications in comparison to SPHINCS+.
Hülsing: “SPHINCS+ is a slower signature approach and would be best used to digitally sign documents (such as a contract to buy a house). In such a case, time is not a critical issue, but there is a long-term guarantee with a SPHINCS+ signature and that’s important for a house contract. On the other hand, Dilithium is much faster and better suited for authenticating a server in an online protocol as this has higher demands on speed and the validity of the proof only needs to hold for that moment.”
Why are standards needed?
The standards are intended to help with the implementation of the new encryption methods in online applications, and for this process to take place in a smooth manner without risking the disruption of current security safeguards.
However, many companies have recognized the importance of implementing these new secure encryption methods even before the standards were published.
Kyber, a key encapsulation mechanism (KEM) which helps to start an online confidential concertation between two parties who have not met, has already been adopted by several clients since it was first rolled out in 2023.
For instance, 17.1% of the clients using Cloudflare (as of August 5th, 2024 - according to Cloudflare) are using Kyber. This is equivalent to more than half a trillion connections per day terminating at Cloudflare secured using post-quantum cryptography
The biggest early adopters are services such as iMessage (Apple), Google Chrome, Signal, Zoom, and Cloudflare. With the publication of these standards, a boost in the adoption rate of these methods is expected.
It’s also important to highlight that in addition to Hülsing and Lange’s work on the methods, Kathrin Hövelmanns, assistant professor in the Applied and Provable Security group (Hülsing’s group at TU/e), contributed to the analysis of the security of key encapsulation mechanism (KEM) in a post-quantum setting and the security analysis of Kyber is based on these results.
Waiting game
Of the three methods just standardized, two are signature schemes and one is a KEM method. An additional selection round will take place to pick another KEM approach.
Of the final four KEM approaches in the running, TU/e’s Tanja Lange has played a key role in the development of an algorithm known as Classic McEliece. NIST has yet to announce the final method, so Lange along with her co-developers will have to wait and see if Classic McEliece is also standardized by NIST.
More information on SPHINCS+ and other new methods
Read more about the three finalized post-quantum encryption standards announced by NIST here. Detailed information on the standards can be found in this document.
SPHINCS+ (SLH-DSA) is a so-called stateless hash-based signature. You can find more information about SPHINCS+ here.
Look back at the TU/e stories that broke news of the NIST competition and developments in the process. First, you can read about the initial developments of the new standard in 2020. Second, you can read more about the status of the competition in 2022 when SPHINCS+ was selected as a new standard.