NSA’s Cybersecurity Perspective on Post-Quantum Cryptography Algorithms
In response to requests from our National Security Systems (NSS) partners, the NSA Cybersecurity Directorate (CSD) has been asked to share its view on the remaining algorithms in the NIST post-quantum standardization effort, which can be found below. Sharing this analysis publicly represents one aspect of NSA’s efforts to be more transparent in the way we secure NSS. We thank NIST for all their efforts to help advance the adoption and deployment of secure post-quantum cryptography, which are vital to the defense of our nation.
NSA CSD has reviewed the security analysis and performance characteristics of the proposals, and we are confident in those lattice-based schemes with strong dependence on well-studied mathematical problems and in hash-based signatures for certain niche solutions.
Lattice-based cryptography:
Lattice-based cryptography derives its security from the related problems of finding a short vector in a lattice or finding a lattice vector that is close to a target vector not in the lattice. These systems are fairly well-studied in cryptologic literature, and analysis suggests that these systems can be secure when well-parameterized. We agree with the NIST assessment, documented in NISTIR 8309: Status Report on the Second Round of the NIST Post-Quantum Cryptography Standardization Process, that these are among the most efficient post-quantum designs. Based on their history of analysis and implementation efforts, NSA CSD expects that a NIST-candidate lattice-based signature and a NIST-candidate lattice-based key encapsulation mechanism will be approved for NSS.
Hash-based signatures:
Hash-based signatures are based on the well-understood security of inverting a hash function. These systems are also fairly well-studied in cryptologic literature, and analysis suggests that these systems can be secure when well-parameterized. However, the stateful versions have a limited number of allowable signatures per public key and require the signer to maintain an internal state. Because of this, they are not suitable for all applications. NSA CSD expects that the stateful signatures LMS and XMSS will be standardized by NIST in NIST SP 800-208 and approved for NSS solutions for certain niche applications where maintaining state is not a problem.
At the present time, NSA CSD does not anticipate the need to approve other post-quantum cryptographic technologies for NSS usage, but recognizes circumstances could change going forward. A variety of factors—including confidence in security and performance, interoperability, systems engineering, budgeting, procurement, and other requirements—could affect such decisions.