Daniel Apon – National Institute of Standards and Technology

NIST’s Post-Quantum Cryptography Project (2012-2024)

In recent years, there has been a substantial amount of research on quantum computers – machines that exploit quantum mechanical phenomena to solve mathematical problems that are difficult or intractable for conventional (classical/digital) computers. If large-scale quantum computers are built, they will be able to break many of the public-key cryptosystems currently in use, such as RSA and other systems based on the hardness of computing discrete logarithms. This would seriously compromise the confidentiality and integrity of digital communications on the Internet and elsewhere. (If such a machine potentially came into being this Wednesday, Facebook would break; Amazon and Uber would break; your Bank of America credit card would break; the worldwide stock market would crumble.)  The goal of post-quantum cryptography is to develop cryptographic systems that are secure against both quantum and classical computers, and can interoperate with existing communications protocols and networks.

The question of WHEN some nation-state will build a large-scale quantum computer is a complicated one. Current estimates range from 10 years to 15 years. Nonetheless, our past experience suggests that we need to decide on standard cryptographic protocols at least one decade before potential attacks come to fruition.  Consider, for example, the task of deploying new cryptographic software to the entire community of devices maintained by Department of Defense, which numbers at least in the many (hundreds of) millions. Realistically, this task could take 3-5 years. Moreover, it is not simply enough to deploy defenses immediately prior to some new cryptanalytic attack emerging. A clever adversary could intercept and store ciphertexts sent across the Internet for many years, waiting for the point in time at which it gained the technical resources to unlock the underlying messages. When you pay for a gallon of milk with your credit card, how long should you reasonably expect that credit card number to remain private between you, your grocery store, and your bank?

In this talk, I will survey the truly-worldwide effort to develop, standardize, and deploy quantum-safe cryptographic protocols to the Internet infrastructure, led by NIST. My talk will be designed to be approachable by a broad assortment of STEM-type researchers — in particular, this talk will be *intentionally light* on topic-specific mathematical or technical detail. (I will, however, introduce the “bare bones” of some of the most common post-quantum cryptographic encryption schemes.) The primary goal is to enlighten the broader community about the challenges that we will jointly face over the next decade or two, and what NIST’s role is in helping us all prepare for them.