NIST has selected four security algorithms, including one co-authored by NXP Semiconductors, for the new post-quantum cryptography standard.
A security algorithm co-authored by NXP Semiconductors has been selected by the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) to become part of a global post-quantum cryptography (PQC) standard to protect against attacks from quantum computers. The CRYSTALS-Kyber lattice-based cryptography algorithm, submitted by NXP in collaboration with IBM, Arm, and academic partners, was selected as the post-quantum public-key standard.
The CRYSTALs-Kyber algorithm is one of the first four encryption algorithms selected by NIST after a six-year effort to develop encryption methods to protect against threats from quantum computers. The other three algorithms are the CRYSTALS Dilithium, FALCON, and SPHINCS+. These algorithms are based on structured lattices and hash functions.
Four additional algorithms are under consideration by NIST, including the Classic McEliece, co-authored by NXP, which is advancing to the fourth and final round for further analysis.
NIST received 69 worldwide submissions for the new security standard, going through several rounds of finalists. These encryption algorithms have two main jobs: general encryption to protect information exchanged across a public network and digital signatures for identification.
The new PQC algorithms will be used to develop a new public-key–encryption standard that can be used in both traditional and quantum computers, enabling companies to transition to new, secure systems ahead of the quantum threat. Draft standards are expected in 2024.
The new key-exchange standard will join today’s standards, including NIST SP 800-56A Rev. 3, which specify Diffie-Hellman or the elliptic-curve variant key exchange during a transitional phase. The industry expects at some point the two current methods will no longer be secure and all industry products will have to migrate to the new post-quantum secure key-exchange standard.
Why a new standard is needed
Cybersecurity experts believe that large-scale quantum computers, when realized, will be able to break today’s public-key–encryption systems “in a fraction of the time,” making data, digital signatures, and devices vulnerable, said NXP.
Quantum computers enable many-times-faster computing and “opens up a whole new realm of computation,” which has applications across many areas, including health care, materials, sustainability, financial trading, and big data, as well as other complex problems and simulations, said Joppe Bos, senior principal cryptographer at NXP.
“There are not only opportunities but also definitely some risks associated with the rise of quantum compute power,” he said.
If there were a large-scale quantum computer with a sufficient number of qubits, which at this moment is not available, one could instantly break all currently used public-key crypto — RSA and elliptic-curve cryptography (ECC), said Bos. This has all kinds of implications on data stored today, he added, because it can be retroactively decrypted in the future.
Some examples cited where data could be compromised include over-the-air updates in vehicles with safety implications, financial transactions, audit trails, and blockchain and cryptocurrency transactions. “All of these applications, which are heavily-based on public-key crypto as we know it today, would become insecure,” he added.
This problem was recognized early on and it was decided to search for a new public-key standard, which is not only secure against attacks from classical computers but also from attacks using quantum computers, resulting in post-quantum crypto, said Bos.
He makes it clear that post-quantum cryptography does not require a quantum computer to run the algorithms. They can run on traditional hardware platforms and CPUs. The term refers to security in a post-quantum era, also known as quantum-safe.
With NIST’s announcement, companies will start to prepare their product roadmaps for the new upcoming standards, said Bos. NXP is in a very particular market, targeting high-assurance implementations, and “we need to find all of these countermeasures for these new types of algorithms, which is non-trivial…” to ensure that all products — software and hardware — are secure against advanced attacks.
“And we need to ensure that future products but also, more importantly, products introduced now can seamlessly upgrade to post-quantum crypto with this new public-key standard in the future,” he said.
He refers to this as “crypto agility,” where there is a defined way to seamlessly convert or upgrade your crypto library so the data is protected in a post-quantum world.
“We need to ensure that these new algorithms are securely implemented and can run on our existing and new platforms, so that is something we’re very busy with at this moment,” said Bos.
“The big upside is it is secure against quantum computers, but it has significant drawbacks compared to the algorithms which are running now,” he said.
The keys are much bigger and typically slower, requiring more memory to run, he added.
So how do you help prepare OEM customers for the new standard? It’s mainly related to setting requirements, said Bos, and helping them with impact assessments.
Even though the new algorithms can run on today’s computers, it may not be feasible to run on some platforms. Particularly for resource-constrained platforms like smart cards, it simply will not fit, said Bos, adding that they cannot meet the performance requirements to run much bigger and slower algorithms.
This is one of the reasons why NXP started last year to develop new hardware designs to ensure that the company could accelerate post-quantum crypto for upcoming products.
But it is a massive challenge across all industries, from mobile to industrial IoT, said Bos. Every segment that uses some form of security will need to upgrade to this new standard in the upcoming decades.
Initially, a lot of governments are rolling out roadmaps with a migration period that requires compliance with both post-quantum cryptography and the current crypto standards “to be on the safe side,” said Bos. “When there is enough trust in this new post-quantum crypto standard, we will drop RSA and ECC completely.”
Learn more about NXP Semiconductors