Although the National Institute of Science and Technology (NIST) hasn’t finalized its standards for post-quantum cryptography algorithms, that hasn’t stopped one company from integrating those potential standards into its communication platform, making it among the first firms to integrate PQC into a commercial product.
Secured Communications of Dover, Del. has announced it’s incorporating the Crystals-Kyber and Crystals-Dilithium cryptographic algorithms into the messaging layer security encryption protocol of its Mercury Workspace platform. The Mercury unified communications and collaboration (UCC) platform, developed by Secured with help from law enforcement and intelligence leaders, provides encrypted messaging, file sharing of unlimited size, HD video conferencing and VOIP calling.
Dilithium is the leading candidate chosen by NIST for encryption signatures and Kyber was chosen as the primary key encapsulation method. Both use lattice mathematics to encode and decode data.
Lattice-based cryptography algorithms have a number of advantages over other encryption methods. They’re more difficult to break, for example. They’re also faster to compute, which improves performance, a big plus when working with applications that need real-time responses, such as streaming media and online gaming. In addition, they consume less energy, which means they can be more easily used with hardware that requires less power.
The NIST algorithms integrated into the Mercury platform will protect data in transit and at rest. They’re also removing the danger of data being harvested from the platform now so it can be decrypted later by a quantum computer.
“Protecting data in movement and at rest is pretty hard because if you’re not smart about it, it can be cumbersome and slow,” Norm Willox, a director and cyber risk expert at Secured, explained in an interview.
Integrating PQC technology into the Mercury platform was an ambitious goal for Secured. “While the technology is developed, integration of the capability into our platform was challenging,” Willox said.
To do that, Secured modularized its platform for the NIST-recognized capabilities so they could be rolled out immediately to protect critical data. “Incorporating this level of security into a large commercial application would be incredibly hard if you don’t have a modular platform that lets you do that,” Willox noted.
By incorporating the Dilithium and Kyber standards into Mercury, Secured is taking a bit of a gamble that those technologies will be the final ones approved by NIST, but Willox explained that his product has a flexible architecture. “With the modular approach, if the standards change, we can pop a module out and pop another back in,” he said. “It gives us a lot of growth capability.”
Flexibility is important not only to accommodate changing standards but to address the uncertainty surrounding the effectiveness of PQC algorithms. As Christopher Savoie , CEO and founder of Zapata Computing, pointed out in Forbes: “As an enterprise, the last thing you want is to invest millions of dollars migrating to a new PQC system, only to have that PQC system compromised a few years later. Since we have no way of knowing which PQC schemes will be secure in the long term, the best approach is to stay flexible.”
It took NIST five years to announce the first results of its standardization process, and it expects to deliver the first set of specifications in 2024. Willox maintained that the velocity of integration of PQC algorithms into systems handling sensitive data needs to be increased. “We have to accelerate our capabilities, particularly around quantum encryption because of the safety issues,” he said.
“We have to bridge the gap between 256-bit encryption and quantum encryption,” he added. “If we can’t protect more effectively than 256-bit encryption, then we’re going to be exposed, and we’re not only going to lose critical information and data, we’re going to lose people.”
The process deployed by NIST to develop PQC standards has been transparent, which can have both positives and negatives. “NIST is trying to develop standards in a very democratic way,” Willox observed. “That means we’re very public about it. So the world gets to watch what we do, including our adversaries. Our adversaries don’t do it with the same level of transparency.”
“At the end of the day,” he continued, “we’ll do it much better, but that doesn’t mean our adversaries don’t have the jump on us because they’re nimble and can move much faster.”
John P. Mello Jr. is freelance writer specializing in business and technology subjects, including consumer electronics, business computing, and cybersecurity. He is also a former managing editor of the Boston Business Journal and Boston Phoenix.