Algorithmic Warfare: Government Seeking Quantum-Proof Encryption
Once matured, quantum technology is expected to create a shift in the defense world due to the large volume of data it will be able to quickly process. While that can lead to great advances in science and technology, it can also empower those seeking to break into encrypted communications.
The Department of Commerce recently identified four algorithms that could stymie quantum hackers.
The National Institute of Standards and Technology recently announced it had completed a major step in its effort to create guidelines for encryption that protect against quantum-based attacks. Experts said the algorithms present an opportunity for federal agencies to begin evaluating what security measures work best for them.
The institute has been pitting cryptographers against each other for six years to come up with a new standard for encryption. The selected algorithms — CRYSTALS-Kyber, CRYSTALS-Dilithium, FALCON and SPHINCS+ — are just the first step in a long road to complete safety from quantum computing, said Duncan Jones, head of cybersecurity at Quantinuum, a quantum computing firm based in Colorado.
“It makes it much easier to start planning and testing, which is important because there is so much work to do ahead of us,” he said.
Pete Ford, senior vice president for government operations at Silicon Valley-based cybersecurity company QuSecure, described the severity of the quantum threat as the next international arms race for the defense industry.
If quantum computers unlock the information secured by current encryption technology, adversaries could gain access to U.S. operational plans, ally partnership strategies and more, he said.
“We really appreciate the freedom that our information technology allows us. When that’s taken away, it’s really hard to capture that freedom back,” he said.
Of the nearly 70 algorithms that were submitted for consideration to become part of the standard, “simplicity and elegance” seem to be characteristics favored by NIST, Jones said.
“Where it was a more easily understood algorithm, the more confident I think they felt in selecting it,” he said.
Faster and smaller algorithms were also favored, he noted. CRYSTALS-Kyber has “comparatively small encryption keys” and quick speed, according to a press release about the standard. CRYSTALS-Dilithium and FALCON will be used for protecting digital signatures, which are used for identity authentication. They were praised for their “high efficiency” by NIST reviewers.
Asymmetric cryptography, or public key encryption, works by creating one public and one private key. The keys are mathematically linked using an algorithm. People exchange public keys so they can encrypt messages to one another; only the holder of the matching private key can decrypt, or unscramble, them.
The encryption is safe because it would take hackers too long to guess the key using a traditional computer. But a hacker who leverages the processing power of a quantum computer could work out the key far more easily, bypassing the encryption and gaining access to protected communications.
Ford said QuSecure has already been using some of the algorithms that are part of the new standard. For example, the company demonstrated secure communications for a government client using CRYSTALS-Kyber earlier in the summer.
During the demonstration, the company turned on a post-quantum communications channel over the open internet in a combined Air Force, Space Force and North American Aerospace Defense Command facility and demonstrated the use of quantum-resilient keys.
Ford said it was the first time a quantum-protected line of communication had been opened in a government facility.
Using the algorithm and tunnel to protect communications didn’t introduce any new latency or bandwidth issues, he said.
Jones added that because so many nations are racing to develop quantum technology, it is possible a researcher may develop new techniques to break encryption. That could mean adversaries could start decrypting communications even faster.
“Agencies need to treat this threat seriously and recognize that the attacks may have begun,” he said.
In addition to experimenting with new algorithms, agencies need to become crypto-agile, he said. The ability to adapt will ensure long-term protection.
“We want to be able to change algorithms in the future without a huge headache,” he said. “And anytime we find a system that was painful to change this time around, we should make it easier in the future.”
That’s one reason why the SPHINCS+ algorithm is an “unexpected” but valuable choice, Jones noted. Because it is from a different family of algorithms than FALCON and CRYSTALS-Dilithium — meaning it is based on a different type of math — it can work as a backup to the others, according to a press release.
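The crypto-agility described above, sketched as an added example (not code from the article, NIST or any vendor): each message carries an algorithm identifier, and a policy decides which algorithm protects new messages and which are still accepted, so falling back to a backup algorithm is a policy change rather than a code change. The algorithm names, `Policy`, `seal` and `open_envelope` are hypothetical, and two keyed hashes from the Python standard library stand in for signature schemes from different families.

```python
import hashlib
import hmac
import json

# Assumption: the standard library has no post-quantum signatures, so two
# keyed hashes stand in for schemes from two different algorithm families.
ALGORITHMS = {
    "primary-v1": lambda key, msg: hmac.new(key, msg, hashlib.sha256).digest(),
    "backup-v1": lambda key, msg: hmac.new(key, msg, hashlib.sha3_256).digest(),
}

class Policy:
    """Which algorithm new messages use, and which ones are still accepted."""
    def __init__(self, sign_with, accept):
        self.sign_with, self.accept = sign_with, frozenset(accept)

def _tag(alg, key, payload):
    # The algorithm name is authenticated too, so it cannot be relabelled.
    return ALGORITHMS[alg](key, alg.encode() + b"\x00" + payload)

def seal(policy, keys, payload):
    alg = policy.sign_with
    env = {"alg": alg, "payload": payload.hex(),
           "tag": _tag(alg, keys[alg], payload).hex()}
    return json.dumps(env).encode()

def open_envelope(policy, keys, envelope):
    env = json.loads(envelope)
    alg = env["alg"]
    if alg not in policy.accept or alg not in ALGORITHMS:
        raise ValueError(f"algorithm {alg!r} is not accepted by policy")
    payload = bytes.fromhex(env["payload"])
    if not hmac.compare_digest(_tag(alg, keys[alg], payload),
                               bytes.fromhex(env["tag"])):
        raise ValueError("authentication tag mismatch")
    return payload

def migration_demo():
    # Keys and payload are constructed sample values.
    keys = {"primary-v1": b"constructed-key-1", "backup-v1": b"constructed-key-2"}
    before = Policy("primary-v1", ["primary-v1", "backup-v1"])
    old = seal(before, keys, b"status report")
    # Primary algorithm is considered broken: only the policy changes.
    after = Policy("backup-v1", ["backup-v1"])
    new = seal(after, keys, b"status report")
    try:
        open_envelope(after, keys, old)
        old_accepted = True
    except ValueError:
        old_accepted = False
    return open_envelope(before, keys, old), open_envelope(after, keys, new), old_accepted
```

Callers of `seal` and `open_envelope` are unchanged by the switch, and messages made under the retired algorithm are refused once the policy drops it.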
NIST is also reviewing an additional four algorithms, a statement said. The announcements for the standard were separated into two because of the “need for a robust variety of defense tools,” according to the institute.
Jones emphasized that though quantum computing is a serious risk for federal agencies and companies that work with the government, it can still be an “ally” to cybersecurity. Because of its as-yet-unrealized processing power, it could be used to help make algorithms harder to crack, he said.
“We’re going to get past the threat phase, and then all that will be left will be the benefits that quantum can bring,” he said.