Cyber Centre celebrates new NIST post-quantum standards

The Cyber Centre is pleased to recognize a milestone in the development and deployment of post-quantum cryptography (PQC).

The National Institute of Standards and Technology (NIST) in the United States has published standards for 3 post-quantum cryptographic algorithms. These standards will enable cyber security solutions to be secure against the threat posed by quantum computers.

About the new post-quantum cryptography standards

The Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM), known during the standardization process as CRYSTALS-Kyber, is designed to protect the confidentiality of data by establishing shared symmetric keys. It is intended to replace algorithms such as Elliptic Curve Diffie-Hellman (ECDH) key agreement and RSA key transport. Unlike Diffie-Hellman, a KEM is not symmetric between the parties: one side encapsulates a fresh secret under the other side's public key, and only the holder of the matching private key can decapsulate it, so protocols that adopt ML-KEM must be adjusted to that interface rather than simply swapping in a new group.

The Module-Lattice-Based Digital Signature Algorithm (ML-DSA), known during the standardization process as CRYSTALS-Dilithium, is used to authenticate data and remote systems to protect against unauthorized access. It is intended to replace algorithms such as the Elliptic Curve Digital Signature Algorithm (ECDSA) and the RSA signature scheme.

ML-KEM and ML-DSA are both based on hard problems over structured lattices. They offer fast key generation, encapsulation or signing, and verification, with public keys, ciphertexts and signatures of moderate size. These algorithms are intended to satisfy most use cases for post-quantum key establishment and post-quantum signatures.

The Stateless Hash-Based Digital Signature Algorithm (SLH-DSA), known during the standardization process as SPHINCS+, relies only on the security properties of standardized cryptographic hash functions rather than on a lattice problem. SLH-DSA has very small public keys but larger signatures, and it is slower than ML-DSA. The SLH-DSA algorithm is similar to the previously standardized stateful hash-based signatures (LMS and XMSS) described in NIST's Special Publication 800-208, but without the requirement that the signer track which one-time keys have already been used.
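The state-management hazard referred to above, as an added example written for this article (it is not code from NIST, the Cyber Centre or any standardized scheme): a Lamport one-time signature over SHA-256, the simplest building block behind hash-based signatures. Signing once reveals exactly one of the two secrets at every bit position and is safe. A signer that loses track of its state and signs again with the same key reveals more each time, and after a modest number of reuses an observer who has only seen public signatures can assemble a valid signature on a message of their own choosing. The stateful schemes in SP 800-208 are secure only as long as this never happens; SLH-DSA is built so that the signer does not have to keep that state at all. The sample messages and the `forge_after_reuse` helper are constructed for the demonstration.

```python
"""Lamport one-time signatures over SHA-256, and what goes wrong when the
"one-time" key is reused. Illustrative code written for this article; it is
not part of SLH-DSA, SP 800-208, or any NIST or Cyber Centre publication."""
import hashlib
import secrets

N_BITS = 256      # we sign the SHA-256 digest of the message, one secret pair per bit
SECRET_LEN = 32   # each one-time secret is 32 random bytes


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def message_bits(msg: bytes) -> list[int]:
    """Bits of SHA-256(msg), most significant bit first."""
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N_BITS)]


def keygen():
    """Private key: 256 pairs of random secrets. Public key: their hashes."""
    sk = [(secrets.token_bytes(SECRET_LEN), secrets.token_bytes(SECRET_LEN))
          for _ in range(N_BITS)]
    pk = [(H(s0), H(s1)) for s0, s1 in sk]
    return sk, pk


def sign(sk, msg: bytes) -> list[bytes]:
    """For each digest bit, reveal the secret that corresponds to its value."""
    return [sk[i][b] for i, b in enumerate(message_bits(msg))]


def verify(pk, msg: bytes, sig: list[bytes]) -> bool:
    """Each revealed secret must hash to the public value selected by the bit."""
    if len(sig) != N_BITS:
        return False
    return all(H(sig[i]) == pk[i][b] for i, b in enumerate(message_bits(msg)))


def leaked_secrets(pk, signed: list[tuple[bytes, list[bytes]]]):
    """What an observer learns about the private key from signatures made with
    ONE key pair: per position, the secrets (for bit 0 and/or bit 1) that have
    been revealed. Correct one-time use reveals exactly one per position;
    reuse eventually reveals both."""
    leaked = [dict() for _ in range(N_BITS)]
    for msg, sig in signed:
        for i, b in enumerate(message_bits(msg)):
            if H(sig[i]) == pk[i][b]:      # record only genuine preimages
                leaked[i][b] = sig[i]
    return leaked


def forge(pk, signed, target: bytes):
    """Assemble a signature on `target` from leaked secrets alone, without the
    private key. Returns None if some needed secret has not been revealed."""
    leaked = leaked_secrets(pk, signed)
    sig = []
    for i, b in enumerate(message_bits(target)):
        if b not in leaked[i]:
            return None
        sig.append(leaked[i][b])
    return sig


def forge_after_reuse(target: bytes, max_signatures: int = 64):
    """Simulate a signer that lost its state and keeps signing routine
    messages with the same Lamport key. Return how many genuine signatures an
    observer needed before `target` became forgeable, plus the forgery."""
    sk, pk = keygen()
    signed = []
    for n in range(1, max_signatures + 1):
        msg = b"routine log entry %d" % n        # constructed sample messages
        signed.append((msg, sign(sk, msg)))
        forged = forge(pk, signed, target)
        if forged is not None:
            return {"public_key": pk, "signatures_observed": n, "forgery": forged}
    return None


if __name__ == "__main__":
    sk, pk = keygen()
    msg = b"firmware v1.2.3 approved"
    sig = sign(sk, msg)
    print("honest signature verifies:", verify(pk, msg, sig))
    print("tampered message verifies:", verify(pk, msg + b"!", sig))

    target = b"firmware v9.9.9 approved (attacker-controlled)"
    result = forge_after_reuse(target)
    print("signatures observed before forging:", result["signatures_observed"])
    print("forgery verifies:", verify(result["public_key"], target, result["forgery"]))
```

With one signature per key the scheme behaves as intended: a different message needs at least one secret that was never revealed, so `forge` returns None. Each reuse exposes the other secret at every position where the new digest differs from the earlier ones, and after a dozen or so reused signatures nearly every target message becomes forgeable. Real stateful schemes (LMS, XMSS) use many one-time keys under a Merkle tree, but the rule is the same: the signer must durably record which leaf has been used, across reboots, backups and replicas, which is exactly the operational burden SLH-DSA removes.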

Background

The NIST PQC standards are the first to come out of NIST's post-quantum standardization process, which launched in 2016. The new ML-KEM, ML-DSA and SLH-DSA algorithms are standardized in Federal Information Processing Standards (FIPS) Publications 203, 204 and 205 respectively.

For more information on lattice-based cryptography and hash-based signatures, see the Cyber Centre’s summary review of final candidates for NIST Post‑Quantum Cryptography standards.

Future post-quantum cryptography standards

NIST has stated that it intends to release more standards over the next several years. This will help ensure that there are standardized PQC algorithms based on fundamentally different underlying mathematics, and solutions with a wide variety of performance characteristics.

A draft standard for the FFT (fast Fourier transform) over NTRU-Lattice-Based Digital Signature Algorithm (FN-DSA), known during the standardization process as Falcon, is expected soon. FN-DSA is another lattice-based digital signature algorithm; its signatures and public keys are more compact than ML-DSA's, at the cost of a more intricate signing procedure. FN-DSA may have specific use cases that make it a beneficial alternative to ML-DSA and SLH-DSA.

Other key encapsulation mechanisms are under review as part of round 4 of NIST's standardization process. In 2023, NIST started another standardization process seeking submissions for additional post-quantum digital signature algorithms. The first round of this process is underway, with NIST currently soliciting feedback from the wider community on these new candidates.

Next steps for cryptographic standards bodies

The Cyber Centre is a partner with NIST on the Cryptographic Module Validation Program (CMVP). We are working with NIST to update the Cryptographic Algorithm Validation Program (CAVP) and the CMVP to test implementations of these new PQC algorithms. The Cyber Centre advises consumers to procure and use cryptographic modules that are tested and validated under the CMVP, with algorithm certificates from the CAVP.

Other standards bodies, such as the Internet Engineering Task Force (IETF), will make the necessary updates to network security protocols to support these new PQC algorithms. The Cyber Centre has an active research effort on cryptographic protocols and participates in standards bodies to help ensure protocols are robust and secure. Once the protocol standards are updated, the Cyber Centre will revise its guidance on securely configuring network protocols (ITSP.40.062) to include PQC.

What cyber security practitioners can do

Practitioners should review the Cyber Centre's advice on preparing your organization for the quantum threat to cryptography (ITSAP.00.017) and its guidance on becoming cryptographically agile (ITSAP.40.018). This will help ensure organizations are ready to make the transition to PQC once standardized algorithms are available in network security protocols and products. The Cyber Centre is in the process of updating its guidance for cryptographic algorithms (ITSP.40.111) to incorporate the new standards.

The Cyber Centre recommends that cyber security products be evaluated and certified to meet the Common Criteria standard with a Security Target and Certification Report that includes the desired protocol security requirements. Once protocol standards are updated, Common Criteria Testing Laboratories will need to support testing and evaluation methods for protocols utilizing the new PQC algorithms.

Soon there will be a variety of standardized post-quantum algorithms and parameter sets available for use. Given this, it is important for Canadian practitioners to continue to look to ITSP.40.062 and ITSP.40.111 for our recommendations on usage, and to maintain cryptographic agility so that algorithms and parameter sets can be changed without redesigning systems.

The Cyber Centre is working within the Government of Canada and with critical infrastructure to ensure a smooth and timely transition to PQC. Contact the Cyber Centre by email at cryptography-cryptographie@cyber.gc.ca or by phone at 1-888-CYBER-88 if you have further questions.
