NIST PQC: Post-Quantum Cryptography Finalists

javi
Teclado con iluminación representando encryption keys digitales

NIST published the first post-quantum cryptography (PQC) standards in August 2024: FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), FIPS 205 (SLH-DSA). These replace RSA/ECC when sufficiently capable quantum computers emerge. This article covers algorithms, timelines, and preparation.

The Problem

Shor’s algorithm (1994) breaks RSA/ECC with sufficiently large quantum computer. Current quantum machines don’t break real crypto yet. But:

  • “Harvest now, decrypt later”: adversaries capturing encrypted data now to decrypt later when quantum arrives.
  • Long-term secrets (patents, gov, financial) vulnerable.
  • Transition takes years — start now.

The Standards

FIPS 203: ML-KEM (Module-Lattice Key Encapsulation)

  • Based on Kyber (CRYSTALS).
  • Key encapsulation: replace RSA/ECDH key exchange.
  • 3 variants: ML-KEM-512, 768, 1024 (security levels).
  • Key size: 800 bytes (512), 1568 bytes (768), 2400 bytes (1024).

FIPS 204: ML-DSA (Module-Lattice Digital Signature)

  • Based on Dilithium.
  • Digital signatures: replace RSA/ECDSA signing.
  • 3 variants: ML-DSA-44, 65, 87.
  • Signature size: 2420 bytes (44), 3293 (65), 4595 (87).

FIPS 205: SLH-DSA (Stateless Hash-Based DSA)

  • Based on SPHINCS+.
  • Hash-based signatures: alternative foundation.
  • Pros: very conservative (relies only on hash security).
  • Cons: larger signatures (~8KB-30KB).

For backup security if lattice schemes break.

HQC (5th Standard)

Additional March 2025: FIPS 207: HQC (Hamming Quasi-Cyclic):

  • Alternative code-based KEM.
  • Redundancy if ML-KEM breaks.

Relevant Timelines

  • 2024: FIPS 203/204/205 published.
  • 2025: implementations stabilising.
  • 2026-2030: gradual migration.
  • Post-2030+: quantum threat materialising?

Risk Timeline

  • NSA, NIST: RSA-breaking quantum computer in 2030-2040 range.
  • Harvest-now concern: today’s encrypted data potentially vulnerable later.
  • Transitions take 5-10 years typical for crypto changes.

Start now.

Available Implementations

OpenSSL / BoringSSL

  • Experimental branches.
  • ML-KEM in TLS 1.3 (hybrid + PQC).
  • Production-ready expected 2025.

Go Crypto

  • crypto/mlkem768 stdlib coming.
  • Third-party liboqs-go already.

Rust

  • pqcrypto crate.
  • kyber-rust, dilithium-rust: implementations.

Python

  • pqcrypto bindings.
  • Limited production usage yet.

Hybrid Approach

Transition strategy:

  • Combined classical + PQC: both must break to compromise.
  • TLS 1.3 extensions: X25519Kyber768Draft00 already deployed (Chrome, Cloudflare).
  • Gradual: enable hybrid, monitor, eventual PQC-only.

Amazon S3, Cloudflare, Google: hybrid TLS enabled 2024.

Crypto-Agility

Principle: make crypto swappable.

BAD:  hardcoded RSA throughout code
GOOD: abstract "signer" interface, swap underneath

Prepare now:

  • Audit hardcoded crypto primitives.
  • Abstract via interfaces.
  • Library choice matters (use ones that will adopt PQC).
  • Key management that supports rotation.

TLS Migration

TLS 1.3 with PQC:

  • Client Hello: offers classical + PQC keyshares.
  • Server: picks PQC if supported, else classical.
  • Backwards compatible.

Deploy PQC TLS at edge first (CDN, load balancers), backend later.

Code Signing

Critical for supply chain:

  • Software updates: attackers could intercept + replace if crypto broken.
  • Container image signing: Sigstore considering PQC.
  • Package managers: npm, pypi, cargo likely migrate.

Long-lived signatures vulnerable to “harvest-now”.

VPN / SSH

  • WireGuard: uses ECDH; PQC variant proposed.
  • OpenSSH: experimental ML-KEM support.
  • IPsec: vendors adding PQC.

Corporate VPN roadmap relevant.

Certificate Authorities

  • Let’s Encrypt: exploring PQC.
  • Root CA migration: decade timeline.
  • Hybrid certificates: possibly transition mechanism.

Critical CA agility.

Blockchain / Crypto

  • Bitcoin, Ethereum: vulnerable (ECDSA signatures).
  • Migration: forks required.
  • Active research in PQC-compatible chains.

Long-term but real.

Hardware Acceleration

  • TLS chips: vendors adding PQC support.
  • HSMs: updates for ML-KEM, ML-DSA.
  • Smart cards: evolving.

Hardware typically lags software by 2-5 years.

Preparation Checklist

For enterprise 2024+:

  1. Inventory cryptographic usage.
  2. Classify by sensitivity + longevity.
  3. Crypto-agility audit.
  4. Vendor questions: are they PQC-ready?
  5. Pilot hybrid TLS where possible.
  6. Monitor standards + implementations.

Gradual, no big-bang.

Performance

  • ML-KEM: fast operations, larger keys vs ECDH.
  • ML-DSA: slower signing than ECDSA, larger sig size.
  • Bandwidth impact: visible in TLS handshakes.
  • Overall: manageable overhead.

Risks

  • New algorithms: less battle-tested than RSA/ECC.
  • Cryptanalysis risk: could break like NTRU did.
  • Implementation bugs: risky early implementations.
  • Standards evolution: early adopters refactor.

Caution warranted.

Conclusion

Post-quantum cryptography transition is inevitable, real in 2024. NIST standards now concrete (FIPS 203/204/205). Decades-long timeline but harvest-now means starting preparation now. Enterprises should: inventory crypto, adopt crypto-agility, enable hybrid TLS where available, monitor vendor PQC roadmaps. Not urgent crisis but prudent multi-year initiative. Cheap to start. Costly to ignore later.

Follow us on jacar.es for more on cryptography, PQC, and security infrastructure.

Entradas relacionadas