Nieke Roos
7 July 2022

The American National Institute of Standards and Technology (NIST) has chosen the first four cryptographic algorithms designed to withstand the assault of a future quantum computer (link in Dutch). Researchers from the Netherlands and Belgium are involved in three of them: the public-key encryption scheme Crystals-Kyber and the digital signature Crystals-Dilithium were co-created by Joppe Bos from NXP in Leuven, Léo Ducas from CWI/Leiden University and Peter Schwabe from Radboud University Nijmegen, while the digital signature Sphincs+ was co-authored by Schwabe and Joost Rijneveld from RU, Andreas Hülsing and Tanja Lange from TUE, Ward Beullens from KU Leuven and Bas Westerbaan from Cloudflare. Together with another digital signature, Falcon, the algorithms will become part of NIST’s post-quantum cryptographic standard, expected to be finalized in about two years.

CWI Leo Ducas
“The selection of our schemes as a standard means that it will be deployed globally, protecting the privacy of billions of users; fundamental research rarely gets such a direct and broad impact,” says Léo Ducas, a researcher in CWI’s Cryptology group and professor of mathematical cryptology at Leiden University.

To protect today’s sensitive electronic information, like secure websites and emails, from unwelcome third parties, public-key encryption systems are used that rely on math problems that even the fastest conventional computers find intractable. A sufficiently capable quantum computer, however, could solve these problems quickly. To counter this threat, the four quantum-resistant algorithms are based on math problems that both conventional and quantum computers should have difficulty solving, thereby defending privacy both now and down the road. The algorithms are designed for two typical main tasks: general encryption, used to protect information exchanged across a public network, and digital signatures, used for identity authentication.

RU Peter Schwabe
“It was a conscious decision to select more than one winner; it offers more flexibility. The different algorithms are based on different underlying mathematical challenges. This is why they perform differently, depending on the objective for which they were selected,” explains Peter Schwabe, professor of cryptographic engineering at Radboud University who is also associated with the Max Planck Institute for Security and Privacy.

The announcement follows a six-year effort managed by NIST, which in 2016 called upon the world’s cryptographers to devise and then vet encryption methods that could resist an attack from a future quantum computer. The selection constitutes the beginning of the finale of the agency’s post-quantum cryptography standardization project. Four additional algorithms are under consideration for inclusion, and NIST plans to announce the finalists from that round at a future date. The agency encourages security experts to explore the new algorithms and consider how their applications will use them, but not to bake them into their systems yet, as they could change slightly before the standard is finalized.