Common public-key methods such as RSA or ECDSA will be broken by powerful quantum computers in the future. For that reason, in 2016 the National Institute of Standards and Technology (NIST) launched a competition to find the best candidates for both encryption and digital signatures that can withstand attacks from a quantum computer. Of the original 69 candidates, four schemes proved to be suitable and secure over the course of three rounds. The Ruhr University Bochum is involved in three of them.
NIST chose the lattice-based CRYSTALS-Kyber scheme for encryption. For digital signatures, CRYSTALS-Dilithium is the preferred candidate, but since the scheme sometimes produces long signatures, NIST has also standardized Falcon and SPHINCS+.
The competition is not over yet
Another four candidates remain under closer scrutiny: the encryption schemes BIKE, Classic McEliece, HQC and SIKE are going through another round and could be standardized at a later date. McEliece, for example, is generally considered secure and was therefore a finalist last year, but because of its gigantic keys, a few MB in size, its practical future looks bleak. Nevertheless, NIST wants to keep open the option of standardizing the scheme at the end of the fourth round.
The individual schemes were evaluated according to three criteria: security, performance and implementation characteristics. All candidates had to provide an implementation in the C programming language and make the source code publicly available. Cryptologists then had a good year per round to put the different methods through their paces. Unsuitable candidates were thrown out, or were allowed to continue in the process after successful changes.
The result of the competition was a great success for the Ruhr University Bochum: the university was directly involved in three of the four selected schemes. Within “Cyber Security in the Age of Large-Scale Adversaries” (CASA), cryptographers worked on SPHINCS+ and the CRYSTALS schemes. Peter Schwabe, Eike Kiltz, Tanja Lange and Daniel J. Bernstein were involved.
Peter Schwabe assumes that the NIST recommendations will most likely be adopted by European authorities, provided they do not find any weaknesses in the schemes.