Post quantum cryptography between national security and global geo-politics

by Davide Maniscalco, Regional Coordinator Aidr, Legal and Privacy officer Swascan, Tinexta Group

The U.S. Department of Commerce's National Institute of Standards and Technology (NIST) has selected the first group of cryptographic tools designed to withstand the onslaught of a future quantum computer.

Quantum computing offers enough processing power to pose a potential threat to the security measures that protect privacy in the interconnected systems of the digital ecosystem and, more generally, to the security of our digital information.

And indeed, public key cryptographic systems currently "in the field" use mathematics to protect sensitive electronic information, ensuring that digital information is inaccessible to unwanted third parties.

However, a sufficiently capable quantum computer, based on a different technology than today's conventional computers, can quickly solve the mathematical problems underlying today's cryptographic systems, thereby violating their confidentiality.

Conversely, quantum-resistant algorithms rely on mathematical problems (mainly structured lattices but also hash functions) that both conventional and quantum computers should have difficulty solving.

The algorithms are designed for two main tasks for which cryptography is generally used:

  • general encryption, used to protect information exchanged on a public network;
  • digital signatures, used for identity authentication.

The announcement of the upcoming release of cryptographic standards follows a six-year effort led by NIST, which in 2016 invited cryptographers from around the world to devise and then vet cryptographic methods that could withstand an attack from a future quantum computer.

The four selected cryptographic algorithms will thus become part of NIST's post-quantum cryptographic standard, which is expected to be finalized in about two years.

For general encryption, NIST has selected the CRYSTALS-Kyber algorithm, characterized by relatively small cryptographic keys that two parties can exchange easily, as well as by its operating speed.

For digital signatures, often used to verify identity during a digital transaction or to sign a document remotely, NIST has selected the three algorithms CRYSTALS-Dilithium, FALCON and SPHINCS+.

But why is NIST's announcement of post-quantum cryptographic algorithms so technologically important in the geo-political context?

It is well known that the Chinese government has allocated a whopping 10 billion dollars to promote quantum computing, increasing government investments by more than 7%.

In contrast, the US Department of Commerce has banned eight Chinese-affiliated technology entities in pursuit of a strategy aimed at preventing emerging US technologies from being used or, worse, exploited for advances in China's quantum computing that serve military applications, with the consequent development of the ability to break encryption or develop unbreakable encryption.

In this regard, in recent days the heads of MI5 and the FBI issued a joint warning on the growing threat from China.

Specifically, FBI Director Christopher Wray said the Chinese government "poses the greatest long-term threat to economic and national security, to the UK, the US and allies in Europe and elsewhere."

Wray then clearly warned that the Chinese government "poses an even more serious threat to Western companies and is ready to steal their technologies."

It follows that NIST's announcement must be welcomed with the awareness that the race for post-quantum cryptography is at the same time a question of national security, on a global geo-political level, and of privacy (data confidentiality) in the digital ecosystem of the internet of everything.

Indeed, although current cryptographic algorithms are quite secure against conventional attacks, they are not, and certainly will not be, resistant to quantum attacks, which is (in part) why governments around the world are allocating billions in investments to the new gold rush.

In this context, while the development of quantum technology continues briskly, we cannot overlook a scenario in which hostile actors and criminal hackers exfiltrate encrypted data sets now and defer quantum exploitation of them to a later time.

For these reasons, NIST and the Cybersecurity and Infrastructure Security Agency (CISA), in order to better prepare for the potential release in 2024 of new cryptographic standards, recommend taking inventory of organizational systems for applications using public key cryptography and testing the standards (when officially released) in a laboratory setting.

However, it will be essential to educate and prepare public, private and critical infrastructures well for this new transition.

While the standard is in development, NIST still encourages security experts to explore the new algorithms and consider how their applications will use them, but not to build them into their systems just yet, as the algorithms may change slightly before the standard is finalized.
