Score:5

What is the significance of the results of the NIST PQC competition?

ae flag

I hope this is not offtopic.

Since NIST has rather recently announced the winners of its PQC competition I was wondering how significant this development is. Does that mean that CRYSTALS-Kyber will become the new standard for general encryption?

Maarten Bodewes avatar
in flag
Not encryption as such, possibly of (asymmetric) key encapsulation and key establishment (lacking any key agreement algorithm in the PQC competition, we maybe could have used SIDH, but yeah). Not that many protocols use RSA to directly encrypt messages either.
Score:6
ru flag

I guess one can make educated guesses by looking at what happened to DES, AES and SHA-3, all of which were the result of NIST competitions. Barring unexpected developments, it's quite likely that, at some point in the future, Kyber usage will be as prevalent as RSA and ECC today. It's just a question of how long it will take.

On the one hand, if quantum computers become a reality, any encrypted messages generated in the past may be stored to be eventually decrypted later, so that's a good reason to move to PQC straightaway.

On the other hand, there may be some mistrust of new PQC schemes due to the Rainbow and SIKE breaks, whereas the security of RSA and ECC is thought to be well understood by now, having withstood decades of cryptanalysis. Thus, in applications more concerned with an overnight break than the possibility of data getting decrypted many years from now, adoption of PQC schemes may be slower.

Maarten Bodewes avatar
in flag
The fact that the threat is not that well known, and that even if the algorithms get standardized, modern protocols first need to be updated, may also hinder adaptation. Having an algorithm standardized is not enough on its own.
forest avatar
vn flag
I'm not sure why the breaks in Rainbow or SIKE would have any implications for the security of Kyber, since they are nothing alike.
swineone avatar
ru flag
@forest I wrote that to mean they just add to the general distrust of PQC by lay people, who may basically think that "if two schemes advanced to the last round and were still broken, who's to say the others won't be too?"
Score:3
bd flag

Given the high uncertainty around the security of post-quantum crypto, it is highly unlikely that they will be used alone in the near future.

If your threat model includes an adversary with a quantum computer, it includes an adversary who can afford a few crypto people to find a weakness in these new algorithms. As such, any use of a quantum encryption method for the next decade or two will likely use it in combination with an elliptic curve method to make sure it's not disastrously weaker against non-quantum attacks.

Score:2
us flag

The direct significance of the outcomes of the NIST contest, up to now, is twofold:

  • NIST feels confident enough about the winners to initiate the standardisation process. We should see their standards emerge around 2024.
  • NIST would rather avoid a similar rush in the future if, say, ways to break the underlying assumptions supporting the new algorithms were discovered. They do so by hedging bets: looking to standardise algorithms based on different assumptions. The next round of the contest is motivated by this search.

It is hard to say what adoption will look like, but having trusted and stable standards is an essential part of it. Also of interest: NSA presented an aggressive timeline that would start requiring PQC support by 2025 and phasing out classic algorithms for some use cases after 2035. Granted, NSA can only influence suppliers of the US government ("national security systems"), but it is the first major player pushing for adoption, and doing so aggressively.

(Note: as noted in other answers, this contest only affects asymmetric cryptography. Algorithms like AES and SHA-3 are still considered secure—although for AES it is recommended to double the key length.)

poncho avatar
my flag
As for AES, double the key length if you want to (it's cheap); however, Grover's algorithm is not a significant threat to AES-128 (because of the non-parallelizable nature of Grover's and the fact that quantum computations are expected to remain a large factor more expensive than conventional computation).
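To make the non-parallelizability point in the comment above concrete, here is an added back-of-the-envelope calculation (not part of the original thread; constants like $\pi/4$ are dropped for readability). Let $N$ be the key-space size and $p$ the number of quantum machines searching in parallel:

$$
T_{\text{Grover}}(N) \approx \sqrt{N}, \qquad N = 2^{128} \;\Rightarrow\; T \approx 2^{64} \text{ sequential AES evaluations.}
$$

Splitting the key space so that each of $p$ machines searches $N/p$ keys gives

$$
T_p \approx \sqrt{N/p}, \qquad \text{total work} = p \cdot T_p \approx \sqrt{pN},
$$

so cutting the wall-clock time by a factor $s$ costs $p = s^2$ machines and $s$ times more total work. Classical brute force, by contrast, parallelizes linearly: $p$ machines finish in $N/p$ steps with total work $N$ regardless of $p$. For $N = 2^{128}$, finishing in $2^{40}$ sequential steps would need $p = N/T_p^2 = 2^{48}$ machines and about $2^{88}$ total AES evaluations, which is why a $2^{64}$ "speedup" overstates the practical threat to AES-128. With AES-256, the same figures become $\sqrt{2^{256}} = 2^{128}$ sequential steps, matching the doubling advice in the answer above.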
Score:-5
cn flag

Unfortunately NIST is not legally allowed to announce anything in relation to cryptography. Please read 44 U.S.C. § 3551, which directs all such decisions to the Director of National Intelligence, today Avril Haines. You don't have to like it, but it's the way it is. Also research NOBUS.

Paul Uszak avatar
cn flag
Any constructive informed comments by anyone who has any rational views?
fgrieu avatar
ng flag
It's unclear to me why NIST's announcement would have less effect than others have had due to [44 U.S.C. § 3551](https://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title44-section3551&edition=prelim), and what part of that text is relevant to the reasoning. Also, if the answer is suggesting CRYSTALS-Kyber has some [NOBUS](https://en.wikipedia.org/wiki/NOBUS) weakness, what supporting evidence is there for this? I see little similarity with NIST's past endorsement of 56-bit DES keys, then Dual_EC_DRBG, or the still ongoing endorsement of PBKDF2.
kodlu avatar
sa flag
The USC code you refer to is only for federal government use of crypto, as far as I can tell
poncho avatar
my flag
In any case, it is unclear how "who within the US Government is allowed to talk about crypto" relates to "will Kyber be in general use world wide". After all, the majority of use of crypto is by entities which are not the US Government...