April 16, 2024
The most appropriate quote at the 5th NIST PQC conference this week was “This is the end of the beginning, not the beginning of the end.” Dustin Moody, the head of NIST’s PQC Program, reinforced that FIPS 203 (ML-KEM, aka CRYSTALS-Kyber), FIPS 204 (ML-DSA, aka CRYSTALS-Dilithium) and FIPS 205 (SLH-DSA, aka SPHINCS+) remain on track to be finalized and published as formal standards this summer. But the bulk of the 3-day event was focused on what new algorithms may be coming next.
During the conference a small stir was started when a post on the pqc-forum discussion board shared research on the use of quantum computers to break lattice problems – the types of problems on which the CRYSTALS algorithms are based. While a quick review ruled out any immediate problem with the forthcoming PQC standards, it was an important reminder that we’re in unproven territory.
RSA and Diffie-Hellman have been the basis for asymmetric cryptography that the world has used since before the internet. The effort started by NIST in 2016 to identify quantum-safe algorithms is nascent by comparison, and the real-world deployments and testing have only just begun.
The implication is that the need for “cryptographic agility” is real. Organizations that have complicated, unmanaged, and brittle cryptographic implementations may find themselves spending their time on little other than cryptographic updates in the coming years.
The good news is that management of cryptographic material became easier this week as OWASP released CycloneDX 1.6, the latest version of its SBOM specification, which now includes a method for creating a CBOM – a Cryptographic Bill of Materials. Like third-party libraries, cryptography is an ingredient in systems and in code, and to date it has remained unmanaged, except in specific siloed cases such as a Key Management Service (KMS) or a Certificate Lifecycle Management (CLM) application. With the introduction of a CBOM, it’s now possible for organizations to start to tackle the problem of cataloging their cryptographic material wherever it resides.
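To show what cataloging with a CBOM can look like in practice, here is an added example (not code from this post or from the CycloneDX project) that reads CycloneDX 1.6 `cryptographic-asset` components and builds a migration worklist. The sample document, file paths and the function name `migration_worklist` are constructed for illustration, and only top-level components are inspected.

```python
import json

# Constructed sample CBOM (not from a real product), using CycloneDX 1.6 field names.
SAMPLE_CBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "components": [
    {"type": "cryptographic-asset", "name": "RSA-2048", "bom-ref": "crypto/rsa-2048",
     "cryptoProperties": {"assetType": "algorithm",
       "algorithmProperties": {"primitive": "pke", "parameterSetIdentifier": "2048",
                               "nistQuantumSecurityLevel": 0}},
     "evidence": {"occurrences": [{"location": "billing/src/tls_client.py"}]}},
    {"type": "cryptographic-asset", "name": "ML-KEM-768", "bom-ref": "crypto/ml-kem-768",
     "cryptoProperties": {"assetType": "algorithm",
       "algorithmProperties": {"primitive": "kem", "parameterSetIdentifier": "768",
                               "nistQuantumSecurityLevel": 3}},
     "evidence": {"occurrences": [{"location": "gateway/src/handshake.py"}]}},
    {"type": "cryptographic-asset", "name": "ECDH-P256", "bom-ref": "crypto/ecdh-p256",
     "cryptoProperties": {"assetType": "algorithm",
       "algorithmProperties": {"primitive": "key-agree"}}},
    {"type": "library", "name": "example-http-lib", "version": "1.0.0"}
  ]
}
""")

def migration_worklist(bom):
    """Return algorithm assets that are quantum-vulnerable (level 0) or unclassified."""
    worklist = []
    for comp in bom.get("components", []):
        props = comp.get("cryptoProperties") or {}
        if comp.get("type") != "cryptographic-asset" or props.get("assetType") != "algorithm":
            continue  # ordinary SBOM entries and non-algorithm assets are out of scope here
        level = (props.get("algorithmProperties") or {}).get("nistQuantumSecurityLevel")
        if level is None:
            status = "unclassified"        # a missing level is never treated as safe
        elif level == 0:
            status = "quantum-vulnerable"  # level 0: no post-quantum security claimed
        else:
            continue                       # levels 1-6: already a PQC-rated asset
        occurrences = (comp.get("evidence") or {}).get("occurrences", [])
        places = [o.get("location", "?") for o in occurrences]
        worklist.append({"name": comp["name"], "status": status, "locations": places})
    return worklist

if __name__ == "__main__":
    for item in migration_worklist(SAMPLE_CBOM):
        where = ", ".join(item["locations"]) or "(no evidence recorded)"
        print(f'{item["status"]:>18}  {item["name"]:<12} {where}')
```

Entries with no recorded quantum security level are kept on the worklist instead of being skipped, since an incomplete inventory record is itself something to follow up on.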
Meanwhile, as the work to build a quantum-safe world continued, so too did the focus on accelerating the development of quantum technologies. Rep. Elise Stefanik (R-N.Y.) and Sen. Marsha Blackburn (R-TN) this week introduced the "Defense Quantum Acceleration Act of 2024", a bill that would direct an additional $100M in spending over the next 5 years towards accelerating the adoption and implementation of quantum-based systems and applications. Of note, the bill emphasizes that the quantum technologies in scope are those that specifically have critical defense-specific applications, cannot be adapted from commercially available technology, and are unlikely to be pursued or accelerated by industry because of limited commercial value. Both Rep. Stefanik and Sen. Blackburn emphasized the idea that we are in a quantum arms race with China – and that in this case, investment in quantum technology is not a matter of U.S. competitiveness, but one of national security.
New bill would greatly expand Defense Department quantum efforts