NIST PQC: the post-quantum cryptography finalists


NIST published the first post-quantum cryptography (PQC) standards in August 2024: FIPS 203 (ML-KEM), FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA). They are meant to replace RSA and ECC once sufficiently capable quantum computers emerge. This article covers the algorithms, the timelines, and how to prepare.

The problem

Shor's algorithm (1994) breaks RSA and ECC given a sufficiently large quantum computer. Current quantum machines cannot break real-world crypto yet. But:

  • "Harvest now, decrypt later": adversaries capture encrypted data today in order to decrypt it once a capable quantum computer arrives.
  • Long-term secrets (patents, government, financial data) are vulnerable.
  • The transition takes years, so start now.

The standards

FIPS 203: ML-KEM (Module-Lattice Key Encapsulation)

  • Based on Kyber (CRYSTALS-Kyber).
  • Key encapsulation: replaces RSA/ECDH key exchange.
  • Three variants: ML-KEM-512, -768 and -1024 (increasing security levels).
  • Key size: 800 bytes (512), 1568 bytes (768), 2400 bytes (1024).

FIPS 204: ML-DSA (Module-Lattice Digital Signature)

  • Based on Dilithium (CRYSTALS-Dilithium).
  • Digital signatures: replaces RSA/ECDSA signing.
  • Three variants: ML-DSA-44, -65 and -87 (increasing security levels).
  • Signature size: 2420 bytes (44), 3293 bytes (65), 4595 bytes (87).

FIPS 205: SLH-DSA (Stateless Hash-Based DSA)

  • Based on SPHINCS+.
  • Hash-based signatures: a different mathematical foundation from the lattice schemes.
  • Pros: very conservative (security relies only on the underlying hash function).
  • Cons: much larger signatures (roughly 8KB-30KB).

It serves as a backup in case the lattice schemes break.

HQC (5th standard)

Added in March 2025, FIPS 207: HQC (Hamming Quasi-Cyclic):

  • Alternative KEM based on code-based cryptography.
  • Redundancy in case ML-KEM breaks.

Relevant timelines

  • 2024: FIPS 203/204/205 published.
  • 2025: implementations stabilizing.
  • 2026-2030: gradual migration.
  • Post-2030+: quantum threat materializing?

Risk timeline

  • NSA and NIST estimates: a quantum computer able to break RSA somewhere in the 2030-2040 range.
  • Harvest-now concern: data encrypted today is potentially readable later.
  • The transition takes 5-10 years, typical for crypto changes.

Start now.

Implementations available

OpenSSL / BoringSSL

  • Experimental branches.
  • ML-KEM in TLS 1.3 (hybrid and pure PQC).
  • Production-ready expected in 2025.

Go crypto

  • crypto/mlkem768 coming to the standard library.
  • Third-party liboqs-go already available.

Rust

  • pqcrypto crate.
  • kyber-rust, dilithium-rust: implementations.

Python

  • pqcrypto bindings.
  • Limited production usage so far.

Hybrid approach

Transition strategy:

  • Classical + PQC combined: both must break to compromise the session.
  • TLS 1.3 extensions: X25519Kyber768Draft00 already deployed (Chrome, Cloudflare).
  • Gradual: enable hybrid, monitor, move to PQC-only eventually.

Amazon S3, Cloudflare and Google enabled hybrid TLS in 2024.

Crypto-agility

Principle: make crypto swappable.

BAD:  hardcoded RSA throughout code
GOOD: abstract "signer" interface, swap underneath

Prepare now:

  • Audit hardcoded crypto primitives.
  • Abstract them behind interfaces.
  • Library choice matters (use ones that will adopt PQC).
  • Key management that supports rotation.

TLS migration

TLS 1.3 with PQC:

  • Client Hello: offers classical and PQC key shares.
  • Server: picks PQC if supported, otherwise classical.
  • Backwards compatible.

Deploy PQC TLS at the edge first (CDN, load balancers), then in the backend.
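The hybrid key-share negotiation and the "both must break" combination from the Hybrid approach and TLS migration sections above, as an added Go example that is not from the original post: Negotiate, Combine and Handshake are names chosen here, X25519 comes from the standard library's crypto/ecdh, and the ML-KEM shared secret is a constructed placeholder rather than a real KEM output.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

const (
	GroupX25519         = "x25519"
	GroupX25519Kyber768 = "X25519Kyber768Draft00" // hybrid draft cited in the text
)

// Negotiate applies the TLS 1.3 rule: the server takes the first group in the
// client's preference order that it supports (hybrid if present, else classical).
func Negotiate(clientOffer []string, serverSupports map[string]bool) (string, error) {
	for _, g := range clientOffer {
		if serverSupports[g] {
			return g, nil
		}
	}
	return "", errors.New("no common key-share group")
}

// Combine is an HKDF-Extract step (HMAC-SHA256) over both shared secrets:
// X25519 and the KEM must both be broken before the session key is exposed.
func Combine(group string, ssClassical, ssPQ []byte) []byte {
	mac := hmac.New(sha256.New, []byte("hybrid-ks:"+group))
	mac.Write(ssClassical)
	mac.Write(ssPQ)
	return mac.Sum(nil)
}

// Handshake runs both peers. pqSecret stands in for the ML-KEM shared secret
// (constructed placeholder) and is dropped when a classical-only group was chosen.
func Handshake(group string, pqSecret []byte) (clientKey, serverKey []byte, err error) {
	cPriv, e1 := ecdh.X25519().GenerateKey(rand.Reader)
	sPriv, e2 := ecdh.X25519().GenerateKey(rand.Reader)
	if err = errors.Join(e1, e2); err != nil {
		return nil, nil, err
	}
	if group != GroupX25519Kyber768 {
		pqSecret = nil
	}
	cSS, e1 := cPriv.ECDH(sPriv.PublicKey())
	sSS, e2 := sPriv.ECDH(cPriv.PublicKey())
	return Combine(group, cSS, pqSecret), Combine(group, sSS, pqSecret), errors.Join(e1, e2)
}
```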

Code signing

Critical for the supply chain:

  • Software updates: attackers could intercept and replace them if the signing crypto is broken.
  • Container image signing: Sigstore is considering PQC.
  • Package managers: npm, PyPI and cargo will likely migrate.

Long-lived signatures are exposed to the "harvest-now" concern.

VPN / SSH

  • WireGuard: uses ECDH; a PQC variant has been proposed.
  • OpenSSH: experimental ML-KEM support.
  • IPsec: vendors are adding PQC.

The corporate VPN roadmap is relevant here.

Certificate authorities

  • Let's Encrypt: exploring PQC.
  • Root CA migration: a decade-long timeline.
  • Hybrid certificates: a possible transition mechanism.

CA agility is critical.

Blockchain / crypto

  • Bitcoin, Ethereum: vulnerable (ECDSA signatures).
  • Migration: forks required.
  • Active research on PQC-compatible chains.

Long-term, but real.

Hardware acceleration

  • TLS chips: vendors are adding PQC support.
  • HSMs: updates for ML-KEM and ML-DSA.
  • Smart cards: evolving.

Hardware typically lags software by 2-5 years.

Preparation checklist

For enterprises, 2024 onward:

  1. Inventory cryptographic usage.
  2. Classify by sensitivity and longevity.
  3. Crypto-agility audit.
  4. Vendor questions: are they PQC-ready?
  5. Pilot hybrid TLS where possible.
  6. Monitor standards and implementations.

Gradual, not big-bang.

Performance

  • ML-KEM: fast operations, larger keys than ECDH.
  • ML-DSA: slower signing than ECDSA, larger signatures.
  • Bandwidth impact: visible in TLS handshakes.
  • Overall: manageable overhead.

Risks

  • New algorithms: less battle-tested than RSA/ECC.
  • Cryptanalysis risk: they could break, as NTRU did.
  • Implementation bugs: early implementations are risky.
  • Standards evolution: early adopters will have to refactor.

Caution is warranted.

Conclusion

The post-quantum cryptography transition is inevitable, and real as of 2024. The NIST standards are now concrete (FIPS 203/204/205). The timeline spans decades, but harvest-now means preparation starts now. Enterprises should: inventory crypto, adopt crypto-agility, enable hybrid TLS where available, and monitor vendor PQC roadmaps. Not an urgent crisis, but a prudent multi-year initiative. Getting started is cheap; ignoring it is costly later.

Follow us at jacar.es for more on cryptography, PQC and security infrastructure.
