The U.S. government's standards-setting body released draft standards for three encryption algorithms that can resist attack by quantum computers, the final step in the algorithms' development before they are ready for widespread use next year.
On Thursday, the National Institute of Standards and Technology announced the draft standards, which will be subject to public comment until Nov. 22. The standards have been years in the making, with NIST's effort to evaluate the algorithms having started in 2016.
Banks use encryption in nearly everything they do. Encryption protects data when users access a banking application or website; it protects their transaction histories stored in the bank's core banking software; it protects ATM transactions and even communications internal to the bank. In each case, banks must consider a plan for replacing the encryption algorithm with a post-quantum option.
The three post-quantum encryption algorithms that NIST has selected will not be the last that the standards-setting body analyzes before releasing them for widespread use. In fact, the plan as of last year was to publish four standards, but researchers
The same month the flaw was uncovered, NIST called for additional standards, and last month, it
While no definitive proof exists that the three encryption standards NIST has selected are unbreakable, the same goes for the classical encryption algorithms that are widely used today. In both cases, soft proof comes instead from the numerous attempts at breaking encryption that scientists have made over the years and the fact that none of them have fully succeeded.
At least, scientists have not been able to break the encryption we use today with the computers that exist today. They have known
NIST's three quantum-resistant encryption algorithms are expected to be finalized well before such a quantum computer ever exists. The Government Accountability Office
Many experts believe that the risk that quantum computers will, in the next few years, break the encryption we use today is low. Nonetheless, a major cybersecurity consortium for the financial sector urged financial institutions in March to start planning to overhaul their encryption systems to begin moving away from these algorithms that may eventually go extinct.
The recommendations came from
Experts say banks should start stepping up their encryption now, because hackers can steal encrypted data now and decrypt it with quantum computing later.
"Regardless of our ability to predict the exact arrival of the quantum computing era, we must immediately begin preparing our information security systems to resist quantum computing capabilities that fall into the wrong hands," the FS-ISAC report reads. "There is no urgent cause for alarm. However, financial services organizations should be aware of quantum cryptography's potential impacts."
If NIST's draft standards become final in 2024 as planned, that will give banks an opportunity to transition from planning for and tinkering with post-quantum encryption into actually using it to protect their own data and that of their customers.
In the intervening months, NIST is checking in with the public one last time to see whether they have missed anything or need to change anything before they dub the three post-quantum algorithms ready for real-world applications, according to Dustin Moody, a NIST mathematician and leader of the project.
"We're getting close to the light at the end of the tunnel, where people will have standards they can use in practice," Moody said.