The US National Institute of Standards and Technology (NIST) has selected an algorithm developed with input from Thales engineers as a new post-quantum cryptography standard for digital signatures. The move marks a vital first step towards developing cybersecurity defences that can withstand attacks from future quantum computers.
Building defences against an as-yet non-existent weapon may sound like a daunting challenge. But this is precisely the prospect facing the global cybersecurity community with the anticipated arrival of large-scale quantum computers – machines that exploit quantum-mechanical effects such as superposition and entanglement to run algorithms no classical computer can run efficiently. These machines, which could become a reality in the next two decades, promise to revolutionise a whole host of scientific fields – healthcare, meteorology, artificial intelligence and more – by tackling problems at a speed and scale that defies the imagination.
But for the cryptography experts tasked with keeping our data and systems secure, the advent of quantum computing poses a new kind of threat: many of today's public-key algorithms, including the RSA and elliptic-curve schemes that protect critical and strategic operations, will become obsolete overnight.
Thales has been working on post-quantum cybersecurity technologies for the past decade as a way to prepare for these emerging risks. Engineers at its cryptography laboratory in Gennevilliers co-developed, with academic and industrial partners, the Falcon signature algorithm, which NIST recently selected as a new post-quantum standard.
According to Eric Brier, Chief Technology Officer for the Cyber Defence Solutions business line, this distinction is well-deserved recognition for the team’s hard work. But, as he explains, Falcon also represents the cornerstone of the next generation of cybersecurity defences.
There’s been a lot of speculation as to when the first quantum computers will appear. But let’s say it happened tomorrow. How would that alter the cybersecurity landscape as we know it?
Let’s start by making one thing clear: the algorithms that will power future quantum computers and threaten our current cryptographic systems already exist. They’ve been studied extensively and we know exactly how they work. It’s the machines themselves that are lacking. So this isn’t a theoretical issue – it’s an engineering problem. For argument’s sake, let’s imagine that we’d overcome this technological barrier and that, sometime tomorrow, a sufficiently large and stable quantum computer kicked into action and started attacking our existing cryptographic defences.
The impact would be huge. And it would be felt across all our secure information systems, starting with many of those that use the HTTPS protocol (Hypertext Transfer Protocol Secure, an internet communication protocol that protects data integrity and confidentiality – ed.). It would upend our approach to cryptography, rendering around half of the algorithms we use on a daily basis utterly irrelevant.
Are all cryptographic defence systems vulnerable to quantum attacks?
No, although this new threat ultimately poses a risk to the entire security chain. There are basically two main kinds of encryption algorithms: symmetric and asymmetric. Estimates suggest that quantum computers could reduce the effectiveness of the secret keys used in symmetric encryption by half. In other words, these defences would be weakened but not entirely breached. But for asymmetric encryption, which uses public keys, the threat is far graver: quantum technology would break these algorithms, rendering them completely obsolete.
On this basis, it could be argued that switching to symmetric-only algorithms and doubling the length of the encryption keys would be the best way to protect ourselves against future attacks by quantum computers. Sadly, however, this isn’t a realistic option. Information systems across every sector and industry use both symmetric and asymmetric encryption, and it’s been that way for decades now.
Aside from being unworkable, this kind of radical change would have too great an impact. What’s more, public-key cryptography has numerous other advantages that make it indispensable to many information systems. So we need to completely rethink our approach to asymmetric encryption to counter the threat posed by quantum computers.
This is precisely what the NIST set out to do in 2017 when it launched a global challenge to set future post-quantum standards for public-key cryptographic algorithms. What was the thinking behind this initiative?
Every technology company on the planet uses cryptography to keep their systems secure, but not all organisations are able to hire in-house cybersecurity experts. That’s why they rely on secure algorithms that conform to international standards. So it seemed only right, given the emerging risks posed by quantum computing, to develop new standards for both hybrid cryptography (combining pre-quantum and post-quantum defence mechanisms – ed.) and post-quantum cryptography. It also seemed right for Thales, with its long history and recognised leadership in encryption technologies, to answer the NIST’s call.
How did the NIST selection process unfold?
Our team took part in a five-year competition that attracted 82 individual researchers and research groups from 25 countries. The aim of the challenge was to develop a standardised, quantum-resistant signature algorithm, which is the most common of the three types of public-key encryption technologies in use today. Designing this kind of algorithm meant thinking differently and finding new mathematical problems that are especially difficult to solve.
Falcon, our entry for the NIST challenge, is based on lattice reduction using a Euclidean algorithm. Once the design stage was complete, Falcon and the other candidates were subjected to a “crash test” – a series of deliberate attacks by other members of the community. The three finalists were the algorithms that stood firmest against these attacks: CRYSTALS-Dilithium (another Euclidean lattice-reduction algorithm), SPHINCS+ (which uses hash-based signatures) and Falcon, which appealed to the NIST on account of its compact design and its compatibility with constrained systems. We’re especially proud of the fact that Falcon provides consistently high security even in physical systems with low processing power, such as embedded systems and energy meters.
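As an added illustration (not code from this page, from Thales or from the Falcon team): SPHINCS+, the hash-based finalist mentioned above, descends from one-time signatures of the Lamport type, and a minimal Lamport scheme is short enough to show in full. Its security rests only on SHA-256 preimage resistance, which Grover's algorithm weakens by no more than a square root, the same argument given above for symmetric keys. It also shows why the "compact design" credited to Falcon matters: a Lamport public key is 16 KiB and a signature 8 KiB, against 897 bytes and about 666 bytes for Falcon-512. The names keygen, sign, verify, OneTimeSigner and sizes are this example's own, and the sample message is constructed.

```python
"""Lamport one-time signatures: the simplest hash-based scheme.

Added illustration, not Thales or Falcon code. Security rests only on
SHA-256 preimage resistance, which a quantum computer (Grover) weakens by
at most a square root, the same argument SPHINCS+ relies on.
"""
import hashlib
import secrets

H = hashlib.sha256
N = 256           # digest length in bits; one secret pair per bit
SEED = 32         # bytes per secret value


def keygen():
    """Secret key: 256 pairs of random 32-byte values sk[i][b].
    Public key: their hashes pk[i][b] = H(sk[i][b])."""
    sk = [(secrets.token_bytes(SEED), secrets.token_bytes(SEED)) for _ in range(N)]
    pk = [(H(s0).digest(), H(s1).digest()) for s0, s1 in sk]
    return sk, pk


def _bits(msg: bytes) -> list[int]:
    """Digest of the message as a list of 256 bits, most significant bit first."""
    d = H(msg).digest()
    return [(d[i >> 3] >> (7 - (i & 7))) & 1 for i in range(N)]


def sign(sk, msg: bytes) -> list[bytes]:
    """Reveal, for every digest bit i, the secret value sk[i][bit_i]."""
    return [sk[i][b] for i, b in enumerate(_bits(msg))]


def verify(pk, msg: bytes, sig: list[bytes]) -> bool:
    """Accept iff every revealed value hashes to the published half for that bit."""
    if len(sig) != N:
        return False
    return all(H(s).digest() == pk[i][b]
               for i, (s, b) in enumerate(zip(sig, _bits(msg))))


class OneTimeSigner:
    """Stateful wrapper: a Lamport key must sign exactly one message.

    Each signature leaks half of the secret key; two signatures on different
    messages expose both halves at every position where the digests differ,
    so the key must be retired after first use. Stateless schemes such as
    SPHINCS+ remove this bookkeeping by deriving a fresh one-time key per
    message from a large hash tree.
    """
    def __init__(self):
        self._sk, self.pk = keygen()
        self.used = False

    def sign(self, msg: bytes) -> list[bytes]:
        if self.used:
            raise RuntimeError("one-time key already used; refusing to sign again")
        self.used = True
        sig = sign(self._sk, msg)
        self._sk = None   # forget the secret half; nothing more can be signed
        return sig


def sizes() -> tuple[int, int]:
    """(public key bytes, signature bytes) = (16384, 8192), roughly 18x and
    12x the 897-byte key and ~666-byte signature of Falcon-512."""
    return N * 2 * SEED, N * SEED


if __name__ == "__main__":
    signer = OneTimeSigner()
    msg = b"constructed sample message: release firmware v1.2"   # constructed input
    sig = signer.sign(msg)
    print("valid:", verify(signer.pk, msg, sig))
    print("tampered:", verify(signer.pk, msg + b"!", sig))
    print("key/sig bytes:", sizes())
```

The verify step is deliberately strict about signature length: a truncated or padded signature is rejected before any hashing, and a one-bit change to the message flips digest bits for which the signer never revealed the matching secret value, so the forgery fails at those positions.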
Why is it important for Thales that Falcon has been selected as a new cryptography standard?
First of all, it underscores the quality of the work we’re doing and the meaningful contribution it can make. Emerging victorious in a crowded field and making it through such a cut-throat selection process wasn’t something that happened by chance. Perhaps more importantly, a post-quantum cryptographic standard represents a major leap forward for the entire cybersecurity industry. And for Thales, having a toolkit that includes this new algorithm – developed in-house and endorsed by the international scientific community – means we are even better placed to help our customers counter the threats posed by quantum computing.
In a recent position paper, France’s National Agency for Information Systems Security (ANSSI) recommended that IT security systems should transition to hybrid cryptography by 2025 and to post-quantum cryptography by 2030. So the selection of Falcon by the NIST comes at an opportune moment, allowing Thales to continue to lead from the front in the cybersecurity industry.
Falcon was co-developed by Thales together with academic and industrial partners from France (University of Rennes 1, PQShield SAS), Switzerland (IBM), Canada (NCC Group) and the US (Brown University, Qualcomm). Thales was the only technology group serving the defence, aerospace and digital identity markets to take part in the NIST competition.