
Quantum computers won’t be able to break encryption tools in 2024, but that hasn’t stopped security experts preparing for a time when quantum devices will be powerful enough to crack the algorithms that keep data safe – and the coming year will see the end of this lengthy process.
Although it is unclear when encryption-busting quantum computers will emerge, the US National Institute of Standards and Technology (NIST) has been running a project since 2012 to standardise a new generation of post-quantum cryptography (PQC) algorithms that should resist their attacks.
In that time, NIST has whittled down 82 submitted algorithms to a list of four. A period of public consultation ended on 22 November, and NIST has said that the final standards will be .
Advertisement
at King’s College London says cryptographers are currently “haggling over details” before the chosen algorithms are given the final stamp of approval by NIST, and the process has been hit by controversy over claims that one of the algorithms, Kyber512, may be less secure than promised.
NIST says that the algorithm meets its “level one” security criterion, which requires that it be at least as hard to break as the commonly used algorithm AES-128. But in October, cryptographer at the University of Illinois Chicago warned that the US National Security Agency could be deliberately weakening this algorithm. While Albrecht doesn’t think that this is likely, he says that his calculations have shown that Kyber512 might only be equivalent to 123 bits of security under AES-128, not 128 bits. NIST didn’t respond to a request for comment.
Albrecht says that, ultimately, this spat doesn’t matter. That is because Kyber is based on mathematical equations called polynomials that have 256 coefficients, meaning that the algorithm can only be stepped up in security by jumps that large. So Albrecht believes that while Kyber512 will be standardised, the next level of security, Kyber768 will be commonly adopted by most organisations. That will solve any lingering concerns about attacks, he says.
“We have nothing that suggests that this would be anywhere near the capabilities of any adversary,” he says. “This is not an existential question that we’re discussing.”
Albrecht says that while PQC adoption is likely to be fast once NIST makes its final recommendation, we are still some way off having a computer that can crack modern encryption, and even after one emerges, there will still be a period where it is possible – but impractical – for most messages to be cracked.
“I think for a while we’re looking at nation-state adversaries; when will criminal gangs have quantum computers in their data centres? I think that’s probably kind of a far way off,” says Albrecht.