NIST encryption for quantum defense, IoT security
- By Derek B. Johnson
- Mar 21, 2019
While true quantum computing is still decades away, the federal government is already preparing to defend its IT assets and equipment from the threat.
The National Institute of Standards and Technology has spent much of the past year evaluating 69 algorithms for its Post Quantum Cryptography Standardization program, a 2016 project designed to protect the machines used today from the encryption-breaking tools of tomorrow.
The algorithms are all designed to work with current technology and equipment, each offering different ways to protect computers and data from attack vectors – known and unknown – posed by developments in quantum computing. NIST chose 26 of the most promising proposals in January 2019, and the agency will be conducting a second evaluation this year to whittle that list down even further.
NIST isn't shooting for a specific number of algorithms at the end of the process but rather wants to leave room for agencies to deploy multiple options to protect their assets, NIST Computer Security Division Chief Matthew Scholl said.
"This is to ensure that we have some resilience so that when a quantum machine actually comes around -- not being able to fully understand the capability or the effect of those machines -- having more than one algorithm with some different genetic mathematical foundations will ensure that we have a little more resiliency in that kit going forward," he said at a March 20 briefing to the Information Security and Privacy Advisory Board.
Switching encryption protocols is disruptive. NIST turned to the history books to study previous cryptographic transitions in the federal government and found they were plagued by poor communication, unrealistic timelines and overall confusion regarding expectations. Scholl said the agency plans to do more proactive outreach to agencies and industry during second-round evaluations.
NIST is also working on another revamp of encryption standards for small "lightweight" computing devices, focusing on components such as RFID tags, industrial controllers, sensor nodes and smart cards that are inherent in many internet-of-things devices.
The agency received 57 proposals for the project at the end of February, having extended the submission timeline by a month due to the partial government shutdown, and plans to consider candidate algorithms at a public workshop in November.
The government's current lightweight encryption standards are largely designed for personal computers, laptops and other general purpose computing platforms. NIST officials believe new standards are needed to tackle a range of problems, from increasing reliance on connected devices to dissatisfaction with current identity and access management tools.
NIST will be able to rely on a rich catalogue of prior cryptographic research, Scholl said.
"The nice thing about the program is that many implementations and algorithms have a long history … unlike quantum where attack models are very new and different, lightweight is a more mature space," he said.
This article was first posted to FCW, a sibling site to GCN.
Derek B. Johnson is a former senior staff writer at FCW.