Draft Standards For Quantum Safe Cryptography Are Here

An important milestone for key encapsulation mechanisms and digital signature algorithms.


The world of security is constantly evolving, and in the few short weeks that have passed since my last blog on What It Takes To Make An SoC Design Quantum Safe, there have been some new and exciting developments in the world of quantum safe cryptography. On August 24th, 2023, NIST published the first three draft standards for general-purpose Quantum Safe Cryptography (also known as Post-Quantum Cryptography).

These draft standards are:

  • FIPS 203 for ML-KEM (also known as CRYSTALS-Kyber)
  • FIPS 204 for ML-DSA (also known as CRYSTALS-Dilithium)
  • FIPS 205 for SLH-DSA (also known as Sphincs+)

The publication of these draft standards is an important milestone for the worldwide race to secure all online infrastructure and digital assets against the looming threat of cryptographically relevant quantum computers. It enables IT departments, device manufacturers, and governments to prepare for a transition to Quantum Safe Cryptography.

Cryptographically relevant quantum computers pose a major threat to our digital assets, infrastructure, and devices as they exist today. The security of almost everything we do on the internet relies on key exchange and signature algorithms that are based either on the integer factorization problem or on the (elliptic curve) discrete logarithm problem. That includes the famous RSA (integer factorization) and DH (discrete logarithm) algorithms, but also the widely deployed ECDSA, EdDSA and ECDH algorithms. While no cryptographically relevant quantum computer exists today, we must keep in mind that infrastructure updates take a lot of time and careful planning, and that some data needs to remain secure for multiple decades, starting today.

The threatened algorithms are so pervasive and fundamental to online security that experts started searching for potential replacements as far back as 2006 at the first PQCrypto conference. In 2016, NIST started their process to standardize quantum safe replacements for the threatened algorithms, and after multiple rounds of review selected candidate algorithms for standardization in 2022.

The algorithms for Quantum Safe Cryptography fall, broadly speaking, into three categories:

  1. General-purpose key encapsulation mechanisms (KEMs).
  2. General-purpose digital signature algorithms (DSAs).
  3. Special purpose digital signature algorithms.

Standardization started with two special purpose digital signature algorithms, XMSS and LMS. On the one hand, they are quite easy to analyze and specify and thus much easier to standardize than general purpose algorithms. On the other hand, they come with a rather severe use-case restriction: every time a signature is generated, the private key state must be updated, because signing twice from the same state compromises the key. This makes it extraordinarily difficult to deploy these algorithms in situations where many signatures need to be generated with the same key in parallel. Even key backup is quite a difficult and sensitive topic, since restoring an old copy of the key rewinds its state. The one use-case where they can be deployed relatively safely also happens to be a use-case where the migration to Quantum Safe Cryptography can’t start soon enough: firmware signing and secure boot. Thus, XMSS and LMS were standardized in RFCs 8391/8554, with additional guidance for their secure deployment provided by NIST SP 800-208.
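To make the state restriction concrete, here is an added toy illustration (not code from this post, from Rambus, or a real XMSS/LMS implementation): Lamport one-time signatures under a small Merkle tree, with a leaf index that the signer advances before releasing each signature and never reuses. All names in it are hypothetical.

```python
import hashlib, os

H = lambda b: hashlib.sha256(b).digest()

def lamport_keygen():
    # 256 pairs of random secrets; the public key is their hashes
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def bit(d, i):  # i-th bit of digest d, most significant first
    return (d[i // 8] >> (7 - i % 8)) & 1

def lamport_sign(sk, msg):  # reveals one secret per message bit: one-time only
    d = H(msg)
    return [sk[i][bit(d, i)] for i in range(256)]

def lamport_verify(pk, msg, sig):
    d = H(msg)
    return all(H(sig[i]) == pk[i][bit(d, i)] for i in range(256))

def leaf_hash(pk):
    return H(b"".join(a + b for a, b in pk))

class StatefulSigner:
    """XMSS/LMS-style signer: Merkle tree over one-time keys plus a leaf index
    (the state) that must be persisted and advanced before a signature is released."""
    def __init__(self, height=2):
        self.keys = [lamport_keygen() for _ in range(2 ** height)]
        self.levels = [[leaf_hash(pk) for _, pk in self.keys]]
        while len(self.levels[-1]) > 1:
            lvl = self.levels[-1]
            self.levels.append([H(lvl[i] + lvl[i + 1]) for i in range(0, len(lvl), 2)])
        self.root = self.levels[-1][0]     # the long-term public key
        self.next_index = 0                # state; a real device stores this in NV memory

    def sign(self, msg):
        leaf = self.next_index
        if leaf >= len(self.keys):
            raise RuntimeError("all one-time keys consumed; key exhausted")
        self.next_index += 1               # commit new state BEFORE handing out the signature
        sk, pk = self.keys[leaf]
        auth, idx = [], leaf
        for lvl in self.levels[:-1]:       # sibling hashes up to the root
            auth.append(lvl[idx ^ 1])
            idx //= 2
        return leaf, lamport_sign(sk, msg), pk, auth

def verify(root, msg, sig):
    idx, ots_sig, pk, auth = sig
    if not lamport_verify(pk, msg, ots_sig):
        return False
    node = leaf_hash(pk)
    for sibling in auth:                   # recompute the path to the root
        node = H(sibling + node) if idx & 1 else H(node + sibling)
        idx //= 2
    return node == root
```

A signer with height 2 can issue exactly four signatures; restoring an older copy of `next_index` from backup would cause a leaf to be reused, which is the hazard SP 800-208 is written to prevent.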

Large parts of the internet today rely on (elliptic curve) Diffie-Hellman key exchange to establish fresh session keys. Unfortunately, no general-purpose Quantum Safe key exchange mechanism exists today. However, key encapsulation mechanisms (KEMs) that are built on top of asymmetric encryption schemes provide a decent alternative to key exchange, and Quantum Safe KEMs do exist. NIST chose the CRYSTALS-Kyber algorithm, which is based on Module Lattices, for standardization as ML-KEM in FIPS 203 and continues evaluating other candidate algorithms to have a backup solution.

General purpose digital signature algorithms complete the set of Quantum Safe algorithms. Here NIST chose three algorithms for standardization: CRYSTALS-Dilithium, which is also based on Module Lattices; Falcon, which is based on NTRU lattices; and the stateless hash-based Sphincs+ algorithm. CRYSTALS-Dilithium was chosen for its good all-round performance as the primary digital signature algorithm, ML-DSA in FIPS 204. The stateless hash-based Sphincs+ algorithm has worse performance, but it also provides the highest confidence in the security of its design. It is being standardized as SLH-DSA in FIPS 205.

Rambus recently announced the first in a family of Quantum Safe IP products with its next-generation Root of Trust. The RT-634, RT-654 and RT-664 Roots of Trust deliver Quantum Safe Cryptography to protect hardware and data against quantum attacks. Through firmware updates, the Rambus Quantum Safe IP solutions already support the FIPS 203 and FIPS 204 draft standards, in addition to the dedicated XMSS and LMS algorithms for secure boot from SP 800-208 and RFCs 8391/8554. Stay tuned for more Quantum Safe-related updates in the coming months!
