Much of the quantum sector was alarmed recently when a research paper showed that Supersingular Isogeny Key Encapsulation (SIKE), a public key encryption scheme that last month advanced to the fourth round of evaluation as a potential industry standard, could be vulnerable to an attack from a single-core PC.
However, the discrediting of SIKE so quickly after it advanced is proof that the sometimes long process of holding standards candidates up to close public inspection and evaluation is working as intended, according to Dustin Moody, mathematician and post-quantum cryptography (PQC) project lead at the National Institute of Stands and Technology (NIST).
Moody spoke during a National Cybersecurity Center of Excellence (NCCoE) webinar late last week, explaining what NIST learned from the quick discrediting of SIKE. “This is how we expect this process to work,” he said. “All these cryptosystems out there, we invited people to look at them and start their attack cycles… This shows the value of evaluating them and testing them out. So that’s what we wanted to see occurring in the process.”
Yet, he added, “On the other hand, yes, [SIKE] made it to the fourth round, which means it made it through three rounds, and we were starting to gain some confidence in it.” Moody explained that one reason NIST put it in the fourth round instead of selecting it or standardization earlier is that the technique comes from “a newer area of research, and we felt that it still needed a little bit more time still,” Moody said. “So in that sense, it’s not ultimately surprising that this algorithm was discovered to be broken. It was a very nice research result, but we didn’t see any cracks in [SIKE’s] defenses until this paper broke it.”
Echoing industry speculation, Moody also said it is “unlikely” that SIKE will survive the fourth round, but that there currently is no plan to add a new encryption candidate to the fourth round to replace it.
He did indicate that NIST is looking to open up the standardization process to new digital signature candidates, but any new entrants likely will face years of evaluation.
Even the encryption scheme and digital signature models that were chosen for standardization last month still face potentially another two years of more stringent evaluation, testing and even tweaking, before they are finalized likely sometime in 2024. While there is a growing sense of urgency around upgrading to PQC, Moody stressed that organizations should not go to far down that road just yet.
“We really recommend that until the standards are published, you don’t hard-code them in or bake them in because the versions of specifications as they are now may continue to change slightly until the standard is published.”
Like others, Moody and the NCCoE recommended the focus for now should be on taking stock of encryption in use, and numbers and classes of devices and systems that eventually will require an upgrade, and taking the time to carefully develop a PQC migration plan.
“We’re currently drafting the standards,” Moody said. “We’re writing up the documents that will tell you how to implement them. We expect to have the final versions published by 2024. Before then we’ll post versions for public comment so we can get feedback and suggestions and address anything that we need to.”
Moody no doubt will have more to say on this topic when he presents on “The Future of PQC” at IQT’s Quantum Cybersecurity event in late October in New York City.
Dan O’Shea has covered telecommunications and related topics including semiconductors, sensors, retail systems, digital payments and quantum computing/technology for over 25 years.