Companies working on sensitive projects for the US government may soon be required to use encryption algorithms that protect their data and technology from quantum computer attacks. In July, the National Institute for Standards and Technology (NIST), an agency of the Department of Commerce, will specify three encryption algorithms it considers sufficient to safeguard against quantum computer threats, according to a Bloomberg report.
These algorithms, marking a critical step towards “post-quantum cryptography” for US government contractors, will establish an international standard for protecting everything from national secrets to online transactions, the report added.
“Breaking encryption not only threatens national security secrets but also the way we secure the internet, online payments and bank transactions,” White House deputy national security adviser Anne Neuberger was quoted as saying in the report. “The rollout of the standards will kick off the transition to the next generation of cryptography.”
Quantum threat looms large
Quantum computers, harnessing the principles of quantum mechanics, promise significantly greater processing power for certain types of calculation, potentially rendering present-day encryption methods vulnerable.
Although quantum computers capable of such attacks do not yet exist, the threat of their future existence is taken seriously by governments, including the US and the UK. One of the biggest risks is that well-equipped enemies might adopt a “harvest now, decrypt later” approach, gathering confidential information in the hope that they will one day be able to decrypt it while it still has some strategic value.
In 2022, the US Senate unanimously passed a bill addressing quantum threats to cryptography, empowering government agencies to mandate that contractors adhere to the encryption standards defined by NIST.
In July that year, NIST selected four encryption algorithms to become part of the agency’s post-quantum cryptographic standard. At the time, Secretary of Commerce Gina M. Raimondo welcomed the announcement, hailing it is “an important milestone in securing our sensitive data against the possibility of future cyberattacks from quantum computers,” and saying, “Thanks to NIST’s expertise and commitment to cutting-edge technology, we are able to take the necessary steps to secure electronic information so US businesses can continue innovating while maintaining the trust and confidence of their customers.”
Three of the four algorithms — CRYSTALS-Khyber, CRYSTALS Dilithium, and SPHINCX+ — have already been standardized and are expected to be ready for use this year 2024, a NIST announcement last year said. That now looks set to happen by July. A draft standard for FALCON, the fourth algorithm, will be released in about a year, the announcement had added.
Companies seeking or holding federal contracts will need to comply with these standards by 2035, with those working in the most sensitive areas required to adopt them earlier, the Bloomberg report said. “It’s in companies’ own interests to be leading the way there,” Neuberger was quoted as saying in the report.