Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Technology

NIST Announces First Four Quantum-Resistant Cryptographic Algorithms (nist.gov) 56

jd writes: NIST has announced winners of its post-quantum cryptography battle of the giants.

CRYSTALS-Kyber has been chosen for standard encryption, CRYSTALS-Dilithium, Falcon, and SPHINCS+ were chosen for digital signatures. Falcon is recommended by NIST as a backup for Dilithium where shorter keys are needed, and SPHINCS+ uses a different mathematical technique than all of the other submissions, so if it is found that there's a flaw in the maths for the others, then there's something to fall back on.

There is still a final round for public key encryption algorithms. The remaining candidates are BIKE, Classic McEliece, HQC, and SIKE.

The mailing list members probably wish that they could use Slashdot's moderation system about now, as some of the discussions have been extremely heated. This was especially true for the signature system Rainbow, which is used by the ABC Mint crypto-currency, which was rejected after what was claimed to be a catastrophic flaw was reported, with allegations that it could be broken over a weekend on a laptop, followed by counter-allegations that many of the other algorithms had significant flaws in them also. (This is likely why SPHINCS+ is a backup.)

Another area that was hotly debated was CPU design flaws, particularly HertzBleed, which got the well-known crypto maestro Bernstein rather annoyed. As SIKE is a final round candidate, NIST seem to be satisfied with his explanation for why CPU design flaws should not be considered. It is to be seen how this debate progresses.

This discussion has been archived. No new comments can be posted.

NIST Announces First Four Quantum-Resistant Cryptographic Algorithms

Comments Filter:
  • Link to Falcon (Score:5, Informative)

    by jd ( 1658 ) <imipakNO@SPAMyahoo.com> on Tuesday July 05, 2022 @01:46PM (#62675516) Homepage Journal

    My bad when checking. The definition of Falcon can be found at: https://falcon-sign.info/ [falcon-sign.info]

  • Signature lengths (Score:5, Informative)

    by jd ( 1658 ) <imipakNO@SPAMyahoo.com> on Tuesday July 05, 2022 @02:12PM (#62675594) Homepage Journal

    The signature lengths in these schemes is... impressive. Falcon was recently congratulated for bringing the hash down to 410 bytes (not bits!), without compromising security, for their Falcon-512 algorithm. If you thought getting SHA-2 and SHA-3 into Git was bad, Falcon is going to be an absolute nightmare even with their reduced length. (I'm guessing here, but the pub size and sig size on their web page are therefore presumably bytes as well.)

    This really is an improvement on the others. Dilithium reports a signature size of 2420 bytes and I believe SPHINCS+ produces one that is even longer.

    You, too, can play with them, not only through the reference implementations but also through BouncyCastle, which has implementations of these algorithms. I wouldn't be surprised if they were being added to other standard crypto libraries, so expect some usage of them in the near future.

    • by kyoko21 ( 198413 )

      Well, 410 bytes is better than 410 kilo-bytes....Right?

      In all seriousness though... 410 bytes is still CRAZY!!!

      • by jd ( 1658 )

        Ah, found SPHINCS+ sig lengths. The strongest version is 49k (49856 byte) signatures. It seems to be tied to SHA2 and similar hashes, but doesn't get defined with SHA3. I'm unsure what happens if SHA2 gets compromised, or whether you can use SHA3 as the regular hashing component.

        (Pages 56-58 from https://sphincs.org/data/sphin... [sphincs.org])

    • Falcon is for signatures: Think PGP signatures. SHA2 and 3 are quantum resistant

    • Using RSA with traditional key length (2048 Bit) results in signature size of 256 Byte (+ additional encoding). After 2025 larger key length (> 3000 Bit) are required: https://www.sogis.eu/documents... [sogis.eu] This results in signture sizes of typically 384 bytes. => not that different from falcon.
      • by jd ( 1658 )

        Fair enough, so Falcon is of usable length, then. Dilithium is 5.9x longer, which is getting lengthy. Still haven't found SPHINCS+' digest length, but this may be the one that ends up used if the potential risk turns out to be an actual risk.

  • by TechyImmigrant ( 175943 ) on Tuesday July 05, 2022 @02:57PM (#62675702) Homepage Journal

    It took me a while to comprehend SIKE. However after looking at it for a while, I've concluded that SIKE is my preferred candidate. While the mathematics for supersingular isogency graphs is a bit mind bending, implementing it is not too bad.

    • by chrish ( 4714 )
      SIKE is mathematically intense; it's one of the slowest algorithms in the competition. Running it on embedded hardware is extremely painful... think in minutes rather than seconds to perform a key exchange.
      • SIKE is mathematically intense; it's one of the slowest algorithms in the competition. Running it on embedded hardware is extremely painful... think in minutes rather than seconds to perform a key exchange.

        My focus is hardware implementation of cryptographic stuff. It seems not to bad in that context. Your point is valid. I wouldn't try it on an 8052.

        While I get the math mechanistically, I still have no real clue what a supersingular curve really is or why it is.
        E.G. This enlightening blob of obfuscation from the internet, doesn't really

        "A supersingular elliptic curve is an elliptic curve E/F with the property that the endomorphism ring (ring of homomorphisms from E to E) of E over the algebraic closure of F_

  • I thought symmetric algorithms like AE-256 weren't especially vulnerable to quantum attack; but the description of crystal, at least, implies otherwise. Was I misunderstanding the situation?

    • AES is believed to be secure against quantum attacks.
      AES has stood up to attack attempts. It's not mathematically proven to the degree we'd like.

      Kyber is mathematically proven (IND-CCA2), but hasn't been battle-tested like AES has.

      A Kyber-based scheme will be used for asymmetric encryption. It is therefore convenient to also use Kyber for symmetric.

      Bottom line - I'd continue using AES for the next couple of years, then switch to Kyber if things still look good.

      • by bws111 ( 1216812 ) on Tuesday July 05, 2022 @05:05PM (#62676122)

        Kyber is an asymmetric algorithm. It is not at all 'convenient to use it for symmetric', as it doesn't do that. Kyber is used to exchange AES keys, it is in no way a replacement for AES.

      • AES has stood up to attack attempts.

        So has every other crypto algorithm ever, because despite the twice-a-month announcement of quantum supremacy and billions of dollars spent, no-one has ever managed to build a quantum computer that's capable of attempting anything other than simple toy problems.

        • > > AES has stood up to attack attempts.

          > So has every other crypto algorithm ever, because despite the twice-a-month announcement of quantum supremacy and billions of dollars spent, no-one has ever managed to build a quantum computer that's capable of attempting anything other than simple toy problems.

          It seems my message was unclear. I didn't say AES has stood up to QUANTUM attacks. It has survived all kinds of attacks, for a long time. That's very much NOT true of "every other crypto algorithm e

    • AES 256 is secure, but for Public Key encryption, you need to encapsulate the symmetric key in a Public Key Algorithm. CRYSTALS-Kyber is this encapsulation algorithm (Lookup KEM)

      • AES 128 is probably secure, too. The only known quantum attacks are on a reduced number of rounds.

    • by bws111 ( 1216812 )

      I don't see anything in the description of CRYSTALS that implies AES is vulnerable. Kyber is a key encapsulation mechanism, intended only to encrypt a short message (i.e. an AES key). You wouldn't use it replace AES because encrypting just a 32 byte key results in a 1668 byte (if I remember correctly) output, and it is slow.

    • by chrish ( 4714 )

      AES-256 or better is safe against quantum attacks (the best current algorithm for attacking it is still Grover's, which just cuts down the search space, making it effectively as secure as AES-128).

      The asymmetric algorithms in the competition are all key exchange mechanisms. You use KEMs to securely agree on a shared secret, which you can use to derive keys for use with symmetric encryption like AES. Existing Diffie-Hellman key agreement schemes like ECDH can be "easily" cracked via Shor's algorithm (for val

    • by gweihir ( 88907 )

      I thought symmetric algorithms like AE-256 weren't especially vulnerable to quantum attack; but the description of crystal, at least, implies otherwise. Was I misunderstanding the situation?

      They are not. Symmetric algorithms get their strength reduced to half the number of bits (worst case) and that only for a known-plain text attack. As even a 64 bit calculation (AES-128) is completely out of reach of any QC and will remain there for the foreseeable future, this whole thing is bogus.

      • by bws111 ( 1216812 )

        This has nothing to do with AES or any other symmetric encryption, and nobody is claiming otherwise. This is only about the public key stuff used for key exchange and signature verification, specifically the ability to calculate the private key given the public key. And if the key exchange is compromised, then it doesn't matter how secure AES (or any other symmetric algorithm) is, because the attacker will possess the key.

        Are their any quantum computers now that can do that? Probably not. Might there be

        • by gweihir ( 88907 )

          But it would be beyond stupid to just pretend the possibility does not exist, and do nothing to prepare for it.

          Well, you certainly do not undertand risk management. Nobody pretends the possibility does not exist. What I say is that this is not a real threat anytime soon and it is still completely unclear whether it ever will be one. That the crypto-mathematicians can do some nice research here and then some additional nice research trying to attack what they have come up with is nice, but that is essentially it. There is no need to replace anything just yet. And there may never be any need for these things. Having t

  • by jd ( 1658 )

    This algorithm used a regular hash as part of the code, but is only defined to work up to SHA2. Does anyone see any obvious reason it couldn't work with SHA3?

  • Let's have QCs more powerful than my 30 year old programmable pocket calculator first. As things are going, that will require another 100 years or so.

    • Actually, it remains to be seen whether QCs able to tackle traditional cryptographic algorithms are feasible at all.
      • by gweihir ( 88907 )

        Actually, it remains to be seen whether QCs able to tackle traditional cryptographic algorithms are feasible at all.

        Indeed. But if they could get to what my old calculator can do, they might. Or not. If they cannot even get there (and they are very far removed from it), then we can forget about the whole thing.

Think of it! With VLSI we can pack 100 ENIACs in 1 sq. cm.!

Working...