
Quantum computers won鈥檛 be able to break encryption tools in 2024, but that hasn鈥檛 stopped security experts preparing for a time when quantum devices will be powerful enough to crack the algorithms that keep data safe 鈥 and the coming year will see the end of this lengthy process.
Although it is聽unclear when encryption-busting quantum computers will emerge, the US National Institute of Standards and Technology (NIST) has been running a project since 2012聽to standardise a new generation of post-quantum cryptography (PQC) algorithms that should resist their attacks.
In that time, NIST has whittled down 82 submitted algorithms to a list of four. A period of public consultation ended on 22 November, and NIST has said that the final standards will be .
Advertisement
at King鈥檚 College London says cryptographers are currently 鈥渉aggling over details鈥 before the chosen algorithms are given the final stamp of approval by NIST, and the process has been hit by controversy over claims that one of the algorithms, Kyber512, may be less secure than promised.
NIST says that the algorithm meets its 鈥渓evel one鈥 security criterion, which requires that it be at least as hard to break as the commonly used algorithm AES-128. But in October, cryptographer at the University of Illinois Chicago warned that the US National Security Agency could be deliberately weakening this algorithm. While Albrecht doesn鈥檛 think that this is likely, he says that his calculations have shown that Kyber512 might only be equivalent to 123 bits of security under AES-128, not 128 bits. NIST didn鈥檛 respond to a request for comment.
Albrecht says that, ultimately, this spat doesn鈥檛 matter. That is because Kyber is based on mathematical equations called polynomials that have 256 coefficients, meaning that the algorithm can only be stepped up in security by jumps that large. So Albrecht believes that while Kyber512 will be standardised, the next level of security, Kyber768 will be commonly adopted by most organisations. That will solve any lingering concerns about attacks, he says.
鈥淲e have nothing that suggests that this would be anywhere near the capabilities of any adversary,鈥 he says. 鈥淭his is not an existential question that we鈥檙e discussing.鈥
Albrecht says that while PQC adoption is likely to be fast once NIST makes its final recommendation, we are still some way off having a computer that can crack modern encryption, and even after one emerges, there will still be a period where it is possible 鈥 but impractical 鈥 for most messages to be cracked.
鈥淚 think for a while we鈥檙e looking at nation-state adversaries; when will criminal gangs have quantum computers in their data centres? I think that鈥檚 probably kind of a far way off,鈥 says Albrecht.