What is Post-Quantum Cryptography? A Thorough Explanation of Cryptography for the Quantum Computer Era and NIST Standards

Post-quantum cryptography is a new cryptographic technology designed to withstand attacks from quantum computers. This article explains the progress of NIST standardization, key algorithms, and implementation prospects from the ground up.


Introduction: Why is Post-Quantum Cryptography Needed?

Modern digital society is supported by technology called public-key cryptography. Algorithms such as RSA and Elliptic Curve Cryptography (ECC) are used to ensure security in everything from internet communications and financial transactions to government confidential communications. However, these cryptographic systems are based on the difficulty of mathematical problems in number theory (e.g., integer factorization and discrete logarithm problems). If quantum computers become practical, they could potentially solve these problems efficiently. Specifically, a quantum algorithm called Shor’s algorithm could break RSA and ECC in a short time. This is expected to threaten our current cryptographic infrastructure.

To address this threat, “Post-Quantum Cryptography” (PQC) has been developed. Post-quantum cryptography is a collective term for cryptographic algorithms based on mathematical problems that are difficult for quantum computers to solve. This article provides a comprehensive explanation of post-quantum cryptography, from its fundamentals to the progress of standardization by the U.S. National Institute of Standards and Technology (NIST), key algorithms, and real-world use cases.

Fundamentals of Post-Quantum Cryptography: Definition and Principles

Post-quantum cryptography broadly refers to “cryptographic systems that are resistant to attacks by quantum computers.” However, it is important to note that post-quantum cryptography is different from “quantum cryptography” (e.g., quantum key distribution) that utilizes quantum phenomena. Post-quantum cryptography operates on conventional classical computers and is designed to be resistant to quantum computer attacks.

The core of post-quantum cryptography lies in mathematical hard problems. Since the problems that current public-key cryptography relies on are vulnerable to quantum computers, post-quantum cryptography adopts different problems. The main underlying problems include:

  • Lattice Problems: Such as the Shortest Vector Problem (SVP) and Closest Vector Problem (CVP) on lattices. They use multivariate polynomials or algebraic structures.
  • Hash Function-Based Problems: Based on the collision resistance or preimage resistance of hash functions.
  • Multivariate Polynomial Problems: Exploiting the difficulty of solving systems of multivariate polynomial equations.
  • Code Theory-Based Problems: Such as the decoding problem for error-correcting codes.

Currently, no efficient algorithms are known for solving these problems with quantum computers, and long-term security is expected.

The NIST Standardization Process and Current Progress

The standardization of post-quantum cryptography is being led by NIST, which sets global security standards. In 2016, NIST announced the standardization of post-quantum cryptography and solicited algorithms for public-key encryption, digital signatures, key exchange, etc. A total of 69 algorithms from around the world were submitted to this process and underwent rigorous evaluation.

The evaluation was conducted in multiple rounds, considering factors such as security, performance, and ease of implementation. In 2022, NIST selected the first set of standard algorithms and plans to announce the final standards by 2024. The main algorithms selected to date are as follows:

  • Public-Key Encryption (Key Exchange): CRYSTALS-Kyber (lattice-based). This is expected to be adopted as the primary standard.
  • Digital Signatures: CRYSTALS-Dilithium (lattice-based), FALCON (lattice-based), SPHINCS+ (hash-based). These have different underlying bases, ensuring diversity.

The goal of NIST standardization is to provide consistent security standards across the industry. This is expected to allow vendors and developers to build interoperable products and ensure a smooth transition.

Details of Major Post-Quantum Cryptography Algorithms

There are several main families of post-quantum cryptography. It is important to understand the characteristics, advantages, and disadvantages of each.

Lattice-Based Cryptography

Lattice cryptography plays a central role in the NIST standards. Examples include CRYSTALS-Kyber and CRYSTALS-Dilithium. Lattice cryptography is based on mathematical problems in high-dimensional lattices. Specifically, it relies on problems such as finding a short (reduced) basis of a lattice or finding short vectors in it.

  • Advantages: High efficiency, with key sizes and computation speeds sometimes comparable to traditional cryptography. Security proofs are also relatively robust.
  • Disadvantages: Implementation can be complex, and attention must be paid to side-channel attacks (implementation vulnerabilities).

Hash Function-Based Cryptography

SPHINCS+ is a digital signature algorithm based solely on hash functions. It relies on the security of hash functions, which has been confirmed through years of research.

  • Advantages: Well-understood security, making it a conservative and secure choice. It is also resistant to quantum attacks.
  • Disadvantages: Signature sizes are large, and performance may be inferior to lattice-based schemes.
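To make the "hash functions only" idea concrete, here is an added example (not code from the article or from the SPHINCS+ project) of the simplest hash-based signature, a Lamport one-time signature over SHA-256. SPHINCS+ combines many such one-time keys in a tree structure; this toy signs a single message per key and exists only to show where the security comes from and why the signatures are large.

```python
import hashlib
import secrets

# Added illustration: a Lamport one-time signature built only from SHA-256.
# This is NOT SPHINCS+; it is the one-time building block that hash-based
# schemes are constructed from. A key pair must sign at most ONE message.

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

N = 32          # SHA-256 output length in bytes
BITS = 8 * N    # number of digest bits we sign (one preimage pair per bit)

def keygen():
    """Secret key: 256 pairs of random 32-byte strings.
    Public key: the SHA-256 hash of every one of those 512 strings."""
    sk = [(secrets.token_bytes(N), secrets.token_bytes(N)) for _ in range(BITS)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def _digest_bits(msg: bytes):
    d = int.from_bytes(H(msg), "big")
    return [(d >> (BITS - 1 - i)) & 1 for i in range(BITS)]

def sign(sk, msg: bytes):
    """For each bit of H(msg) reveal the matching secret preimage.
    Signing a second message with the same key leaks further preimages
    and lets forgeries be assembled, hence 'one-time'."""
    return [sk[i][b] for i, b in enumerate(_digest_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    """Recompute H(msg) and check each revealed value hashes to the
    public-key entry selected by that digest bit. No number theory here:
    security rests solely on preimage resistance of the hash."""
    if len(sig) != BITS:
        return False
    return all(H(s) == pk[i][b]
               for i, (s, b) in enumerate(zip(sig, _digest_bits(msg))))

def sizes(pk, sig) -> dict:
    """Bytes on the wire; shows the large-signature trade-off noted above."""
    return {"public_key": sum(len(a) + len(b) for a, b in pk),
            "signature": sum(len(s) for s in sig)}
```

With SHA-256 this yields a 16 KiB public key and an 8 KiB signature for one message, which is why deployable schemes such as SPHINCS+ add tree and few-time constructions on top of this primitive rather than using it directly.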

Multivariate Polynomial Cryptography

Multivariate polynomial cryptography exploits the difficulty of solving systems of multivariate polynomial equations. While some algorithms were not adopted in the NIST evaluation, research continues.

  • Advantages: Fast computation, potentially suitable for small devices.
  • Disadvantages: Security analysis is not yet mature, and there is a risk of new attack methods being discovered.

Code Theory-Based Cryptography

Algorithms based on error-correcting codes are also being researched, but they have not yet achieved major adoption in the NIST standards. Further evolution is expected.

Advantages and Disadvantages: Evaluating Post-Quantum Cryptography

Post-quantum cryptography has many benefits, but challenges also exist. They are summarized below.

Advantages

  • Quantum Resistance: The greatest advantage is its resistance to quantum computer attacks, protecting data from future threats.
  • Compatibility: It can often be integrated relatively easily with existing cryptographic infrastructure. For example, integration into the TLS protocol is progressing.
  • Diversity: With algorithms based on multiple mathematical foundations, it does not rely on a single vulnerability.

Disadvantages

  • Performance: Some algorithms have higher computational costs or larger key sizes than traditional cryptography. This can be a particular challenge in bandwidth-constrained environments (e.g., IoT devices).
  • Maturity: As a new technology, its long-term security is not yet fully proven. Attacks may be discovered in the future.
  • Transition Cost: Migrating existing systems to post-quantum cryptography requires updates to hardware, software, and protocols, which takes time and money.

Real-World Use Cases and Current Adoption Status

Post-quantum cryptography is transitioning from theoretical research to practical implementation. Specific use cases include:

  • Internet Security: Adopting post-quantum cryptography in TLS/SSL protocols can protect web communications. Companies like Google and Cloudflare are advancing experiments.
  • VPNs and Secure Messaging: Integration of post-quantum cryptography is being considered for corporate VPNs and messaging apps like Signal.
  • Blockchain and Financial Technology: Quantum-resistant digital signatures can future-proof blockchain transactions.
  • Government and Military Communications: Adoption of post-quantum cryptography is expected to accelerate for the long-term protection of confidential information.

Regarding current adoption, many security vendors have begun offering support ahead of NIST standardization. For instance, post-quantum algorithm implementations are progressing in cryptographic libraries like OpenSSL and LibreSSL. Cloud service providers (AWS, Microsoft Azure, etc.) have also announced plans to support post-quantum cryptography.

Future Outlook and Migration Steps

The migration to post-quantum cryptography should be done gradually. NIST recommends a “phased migration,” proposing the following steps:

  1. Asset Identification: Identify data and systems that need protection. Prioritize those requiring long-term confidentiality (e.g., medical records, state secrets).
  2. Algorithm Selection: Based on NIST-standardized algorithms, select according to use case. For example, CRYSTALS-Kyber is suitable for key exchange, and CRYSTALS-Dilithium for digital signatures.
  3. Testing and Integration: Test post-quantum cryptography in existing systems and evaluate performance and compatibility.
  4. Phased Deployment: Start migration with critical systems and expand broadly.

Looking ahead, as quantum computers become more practical, post-quantum cryptography will become an essential technology. Research is also ongoing, and more efficient and secure algorithms may be developed.

Conclusion

Post-quantum cryptography is a crucial initiative to evolve cryptographic technology for the quantum computer era. As NIST standardization progresses, its adoption will spread across the industry, strengthening the foundation of digital security. By understanding the basic knowledge, algorithm characteristics, and migration steps explained in this article, readers can take the first step in preparing for future threats. While there is time before quantum computers are fully practical, early action is important to ensure long-term security.

Frequently Asked Questions

When will post-quantum cryptography become common?
The NIST standards are expected to be finalized in 2024, after which they are likely to be adopted as industry standards over the next few years. Full migration could take more than a decade, but experimental implementations have already begun in some systems. The timing of widespread adoption depends on the progress of quantum computers, but it is expected to be prevalent by the 2030s.
Are quantum computers already breaking cryptography?
No, current quantum computers are still in the early stages and are not capable of breaking practical cryptography. For example, breaking RSA-2048 is estimated to require millions of qubits, while current technology is at the level of several thousand qubits. However, development of post-quantum cryptography is being accelerated to prepare for future threats.
How can we implement post-quantum cryptography?
First, you can use libraries that implement NIST-standardized algorithms. Cryptographic libraries like OpenSSL and LibreSSL are beginning to offer support. Developers can start by integrating these libraries into existing code and evaluating them in test environments. Additionally, utilizing products from security vendors is another approach.
Is post-quantum cryptography more secure than traditional cryptography?
Post-quantum cryptography is resistant to quantum computer attacks, and its security against classical computer attacks is equivalent to or greater than that of traditional cryptography. However, as a new technology, long-term evaluation is necessary. Security depends on the algorithm's design and implementation, so it is important to choose NIST-standardized ones.
