NIST has formally published three post-quantum cryptography standards, the outcome of the competition it held to develop cryptography able to withstand the anticipated quantum-computer attacks on today's asymmetric encryption.
There are no surprises – but now it is official. The three standards are ML-KEM (formerly better known as Kyber), ML-DSA (formerly better known as Dilithium), and SLH-DSA (better known as SPHINCS+). A fourth, FN-DSA (known as Falcon), has been selected for future standardization.
IBM, along with industry and academic partners, was involved in developing the first two. The third was co-developed by a researcher who has since joined IBM. IBM also worked with NIST in 2015/2016 to help establish the framework for the PQC competition that officially kicked off in December 2016.
With such deep involvement in both the competition and the winning algorithms, SecurityWeek talked to Michael Osborne, CTO of IBM Quantum Safe, for a better understanding of the need for, and the principles of, quantum-safe cryptography.
It has been understood since 1996 that a quantum computer would be able to break today's RSA and elliptic-curve algorithms using Peter Shor's algorithm. But this was theoretical knowledge, since the development of sufficiently powerful quantum computers was also theoretical. Shor's algorithm could not be scientifically proven because there was no quantum computer on which to prove or disprove it. Security theories need to be monitored; only facts need to be acted on.
“It was only when quantum machinery started to look more realistic and not just theoretic, around 2015-ish, that people such as the NSA in the US began to get a little concerned,” said Osborne. He explained that cybersecurity is fundamentally about risk. Although risk can be modeled in different ways, it is essentially about the probability and impact of a threat. In 2015, the probability of quantum decryption was still low but rising, while the potential impact had already risen so dramatically that the NSA began to be seriously concerned.
It was this rising risk level, combined with knowledge of how long it takes to develop and migrate cryptography in the business environment, that created a sense of urgency and led to the new NIST competition. NIST already had experience from a similar open competition, the one that resulted in the Rijndael algorithm – a Belgian design submitted by Joan Daemen and Vincent Rijmen – becoming the AES symmetric cryptographic standard. Quantum-resistant asymmetric algorithms, however, would be more complex.
Reporting a domain is one of the easiest things to do here along with reporting someone for using a normie host to host illicit or controversial content. A recent service that was taken down was pacsa.us, which was hosting photorealistic AI generated CP. They used a normie host and the owner used his real PII in the domain registration with no whois guard or anything. It is astonishing how frequently people give no thought to any of this at all.
Also, there have been lots of other services that have been getting their domains suspended within the last several weeks, so I can just assume those attacks are going to be more frequently used and abused by threat actors. Nothing worthy of getting onto the front page, kinda like most DDoS attacks these days. They're just plain annoying, but not the end of the world.
WordPress is total garbage and businesses should really stop outsourcing web development to a bunch of 3rd world outsourcing companies who hire "developers" for poverty wages who can't even write a single line of code. Sites are getting stuffed with dozens of useless freemium plugins, everything uses jQuery, and it's one giant security risk. Oftentimes a static site generator can do the job just fine, or use a headless CMS like payload. There are plenty of alternatives: https://jamstack.org/headless-cms/. WordPress, Drupal, Joomla, Wix, and all the other mutant leftover abominations belong in the trash, set on fire. Fucking normies and corpo boomers.