NIST pushes new encryption protocols for quantum, connected devices

The National Institute of Standards and Technology is inching closer to developing two new encryption standards designed to protect the federal government from new and emerging cybersecurity threats.

Many experts believe the advanced computing capabilities of quantum computers will render most traditional encryption protocols used today obsolete. While true quantum computing is still decades away, the federal government is already preparing contingencies for how to defend its current IT assets and equipment from the threat.

In a March 20 briefing to the Information Security and Privacy Advisory Board, Matthew Scholl, Chief of the Computer Security Division at NIST, said the agency spent much of the past year evaluating 69 algorithms for its Post Quantum Cryptography Standardization project, a 2016 project designed to protect the machines used by federal agencies today from the encryption-breaking tools of tomorrow.

The submitted algorithms are all designed to work with current technology and equipment, each offering different ways to protect computers and data from attack vectors – known and unknown – posed by developments in quantum computing. NIST chose 26 of the most promising proposals in January 2019, and the agency will be conducting a second evaluation this year to whittle that list down even further.

Scholl told the board that the agency isn't shooting for a specific number of algorithms at the end of the process and wants to leave room for agencies to deploy multiple options to protect their assets.

"This is to ensure that we have some resilience so that when a quantum machine actually comes around -- not being able to fully understand the capability or the effect of those machines -- having more than one algorithm with some different genetic mathematical foundations will ensure that we have a little more resiliency in that kit going forward," Scholl said.

Switching encryption protocols is disruptive. NIST turned to the history books to study previous cryptographic transitions in the federal government and found they were plagued by poor communication, unrealistic timelines and overall confusion regarding expectations. Scholl said the agency is planning to do more proactive outreach to agencies and industry during second round evaluations.

NIST is also working on another revamp of encryption standards for small "lightweight" computing devices, focusing on components such as RFID tags, industrial controllers, sensor nodes and smart cards that are inherent in many Internet of Things devices.

The agency received 57 proposals for the project at the end of February, extending the submission timeline by a month due to the partial government shutdown, and plans to consider candidate algorithms at a public workshop in November.

The government's current encryption standards are largely designed for personal computers, laptops and other general purpose computing platforms. NIST officials believe new standards are needed to tackle a range of problems, from increasing reliance on connected devices to dissatisfaction with current identity and access management tools.

NIST will be able to rely on a rich catalogue of prior cryptographical research, Scholl said.

"The nice thing about the program is that many implementations and algorithms have a long history…unlike quantum where attack models are very new and different, lightweight is a more mature space," he said.