Post-Quantum Cryptography

There's been a bunch of talk in the news this week around a group from China claiming to break RSA encryption with a D-Wave quantum computer.

In discussing this, first we need to distinguish between the two types of cryptography that we use on the web today: symmetric encryption (where the same key is used for encryption and decryption) and asymmetric encryption (where a public key is used for encryption and a private key is used for decryption).

The current standard for symmetric encryption: AES-GCM 256 is thought to be quantum safe at this point in time. That means that we don't know of an algorithm that you can use on a quantum computer that will allow you to easily decrypt files that use this type of symmetric encryption.

Asymmetric Encryption is an entirely different story: Shor's Alogrithm is widely accepted as a way to recover asymmetric encryption keys rapidly on a sufficiently large quantum computer (on the order of millions qbits). And in this case a small quantum computer (50 qbits) was able to factor a 22bit RSA key. Note that most people that use RSA for SSH would use a 2048bit or 4096bit key. So this development isn't really a threat.

However, it is widely expected that we will have quantum computers with millions of qbits in the next 10 years. If someone was to save data transmitted today and use one of these computers in 10 years they would be able to decrypt anything that uses Asymmetric Encryption. In order to prevent this several groups have been working on algorithms to replace what we currently use and this summer the NSA approved several of them for use (and another is coming).

Below I've compiled a list of the current approved standards along with one standard under development. For more information I recommend reading:

• Canada Cyber Security Center
• NIST Standards for Post-Quantum Cryptography
• Cloudflare Quantum Research
• Cloudflare state of Quantum Crypto

ML-KEM aka CRYSTALS-Kyber

Intended to be used for key exchange (like ECDH) it replaces algorithms used to share keys for symmetric encryption.

There are three parameter sets defined by the standard:

• Kyber-512, offering security equivalent to AES-128
• Kyber-768, offering security equivalent to AES-192
• Kyber-1024, offering security equivalent to AES-256

ML-DSA aka CRYSTALS-Dilithium

Intended to be used for cryptographic signing it is intended to replace ECDSA and RSA.

There are three parameter sets defined by the standard:

• ML-DSA-44, offering security equivalent to SHA3-256
• ML-DSA-65, offering security equivalent to AES-192
• ML-DSA-87, offering security equivalent to AES-256

SLH-DSA aka SPHINCS+

Intended to be used for calculating hashes. It doesn't use the "lattice-based" approach that Kyber uses.

There are twelve parameter sets defined by the standard, for example:

• SLH-DSA-SHA2-128s, equivalent to AES-128.
• SLH-DSA-SHA2-192s, equivalent to AES-192.
• SLH-DSA-SHA2-256s, equivalent to AES-256.

SHA2 and SHAKE are both used.

FN-DSA aka FALCON

Being developed as an alternative to ML-DSA. Several standards are being developed incase a flaw is discovered in one of them.

A draft standard for FFT (fast-Fourier transform) over NTRU-Lattice-Based Digital Signature Algorithm (FN-DSA) is expected soon.