NIST stands for the National Institute of Standards and Technology and is part of the United States Department of Commerce. The range of subjects it oversees is huge, but one subject is of great importance for cryptography, especially public key cryptography. As I covered in [this series] about quantum resistance and blockchain, the need for research on the subject and a switch to these new, quantum resistant signature schemes will be inevitable over time.
One of the challenges will be to pick a suitable quantum resistant signature scheme. NIST can provide some helpful guidance here. In 2016 the Federal Register (The daily journal of the United States Government) put out a notice for NIST’s announcement where NIST requests for Nominations for Public-Key Post-Quantum Cryptographic Algorithms.
NIST kicked off a post-quantum cryptography project for the standardization of quantum resistant signature schemes. The urgency for this initiative was described as:
“Widely used public key cryptographic systems, which protect electronic banking data and many other kinds of information, use pairs of very large numbers to serve as the keys for decrypting the message. These numbers can be hidden by multiplying them together to produce even larger numbers that a conventional computer cannot easily factor. However, a quantum computer would be able to find the initial two numbers quickly, breaking the encryption.”
As the Federal Register mentioned:
“In particular, quantum computers would completely break many public-key cryptosystems, including those standardized in FIPS 186–4”
NIST aims to replace this and other standards with quantum resistant substitutes.
“We’re looking to replace three NIST cryptographic standards and guidelines that would be the most vulnerable to quantum computers,” Moody said, referring to FIPS 186–4, NIST SP 800–56A and NIST SP 800–56B.”
There were 69 submissions admitted, from which 23 were signature schemes. For blockchain the signature schemes are most relevant. The purpose is to provide an all-round quantum resistant signature scheme that is feasible for standardization for a large group of applications. This particular outcome will be an all-round signature scheme. Round one has finished, and in round two you can see that only 26 of the initial 69 have moved on to the next round. More rounds will follow and more submissions will excluded until one (or a few) end up on top. They intend to wrap things up around 2022–2024.
Next to their effort to find replacement for all round implementation signature schemes, they also look at more specialized signature schemes that are excellent, but less suitable for just any type of application: The NIST contest for Has based signatures:
“NIST plans to approve one or more schemes for stateful hash-based signatures (HBS) as part of the post-quantum cryptography development effort.”
LMS and XMSS are stateful hash-based signature schemes that were already expected to be approved by NIST. In feb 2019 NIST announced that it intended to approve XMSS.
A blockchain that uses XMSS as signature scheme, is QRL which is mentioned in the second request for comments as an example in june 2018.
XMSS is not generally approved for all applications due to the fact that implementations will need to be able to securely deal with the requirement to keep state. (Not reusing signatures.) And this is not a given for most systems. In blockchain however, you can not change the order of the blockchain and everything that is registered is set in stone. So keeping state can be achieved in blockchain if XMSS is implemented correctly. XMSS does require a specific design in the blockchain structure to implement XMSS, so even though blockchain is highly suited for XMSS, it still isn’t just a matter of copy paste. QRL has successfully done so and are running a smooth blockchain since they launched over a year ago at this day of writing. With QRL advisor Leon Groot Bruinderink, who is mentioned in the second request for comments on XMSS and LMS and in NIST’s Recommendation for Stateful Hash-Based Signature Schemes, two external audits on the code and implementation of XMSS, over a year of smooth running blockchain, QRL is the only blockchain at this point of time that has a successful and externally audited implementation of XMSS.
Great news has just been released: NIST has draft approved both LMS and XMSS. This means that, LMS and XMSS are the first standardized quantum resistant cryptography ever. QRL is the only crypto asset using (soon to be) NIST-approved post-quantum cryptography.
NIST credentials:
Besides the fact that NIST is part of the United States Department of Commerce and THE National Institute of Standards and Technology, another factor to take into account when looking at NIST is that they are considered to be an authority on the subject by some very credible organizations.
The NSA and NAS both point to NIST as the authority on developments and standardization of quantum resistant cryptography.
“NSA believes that NIST can lead a robust and transparent process for the standardization of publicly developed and vetted algorithms, and we encourage this process to begin soon. NSA believes that the external cryptographic community can develop quantum resistant algorithms and reach broad agreement for standardization within a few years.”
NAS:
“The most significant challenges are post-quantum key-exchange and post-quantum digital signatures. For quantum resilience, existing schemes such as RSA and ECDSA will need to be abandoned and new systems will need to be designed. NIST has already initiated a Post-Quantum Cryptography project to facilitate this process, seeking proposals for new cryptographic algorithms.”