The US National Institute of Standards and Technology (NIST) has finalized three post-quantum cryptography standards after nearly a decade of work. This move is in preparation for the ability of emerging quantum computers to crack public-key cryptosystem technologies such as RSA.

Cryptography basics

For laymen, cryptography can be thought of as ‘hiding information in plain sight’. A simple method is a shift cipher that replaces each letter with one earlier or later in the alphabet. For example, if a shift of three letters forward is applied to “cat”, the hidden message “fdw” is created. When strong encryption like AES is used, the hidden message is very difficult to uncover without the password or key.

Cracking conventional cryptography

Quantum computers are revolutionary in the way they hold and process data, opening new paths to cracking current public-key and encryption methods faster. The Internet uses cryptosystem technologies such as RSA, TLS, OpenPGP, and VPNs that are vulnerable to cracking, which cryptographers agree will occur sooner than later. This opens the door for criminals to read secret messages in applications like Signal, intercept secure website (HTTPS) interactions, manipulate digitally-signed documents, monitor VPN data, and steal money including bitcoins.

Post-quantum cryptography (PQC) standards

PQC is designed to be resistant to cracking by both quantum and conventional computers. The three published standards to replace vulnerable public-key cryptosystem standards are:

FIPS 203 – ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) based on the CRYSTALS-Kyber algorithm to protect data and public-key exchange with encryption.

FIPS 204 – ML-DSA (Module-Lattice-Based Digital Signature Algorithm) based on the CRYSTALS-Dilithium algorithm to protect digital signatures on documents.

FIPS 205 – SLH-DSA (Stateless Hash-Based Digital Signature Algorithm) based on the Sphincs algorithm to protect digital signatures as a backup to ML-DSA.

Software using the final standards is not yet available, but is for prior revisions (e.g. Kyber).

For now, readers wanting to protect their private files and cryptocurrency can use AES-256 encryption. Files can be stored in an encrypted drive (like this one on Amazon), optionally within a Veracrypt folder using triple-cascading encryption. Cryptocurrency can be stored offline in an encrypted hardware wallet (like this one on Amazon).

Business preparation

Businesses should conduct a survey of their data and online transactions. The most sensitive ones such as top-secret data should be first in line for updated encryption once validated software becomes available. Much like when SLS 3.0, TLS 1.0, and TLS 1.1 support were deprecated, plans for web browser, certificate, and operating system updates should also be made to minimize service and Internet disruptions.

Unfortunately, computers running abandoned operating systems like Windows 7 will not be able to connect to websites after the switchover unless someone ports the newer standards.