Q&A with Lily Chen, group manager, post-quantum cryptography team with NIST
TPG: Tell us about your role with the NIST Post-Quantum Team and how you are leading the efforts to render quantum attacks ineffective.
LC: I am the manager of the Cryptographic Technology Group at NIST, which has developed and published cryptographic standards for more than 40 years. NIST Cryptographic Standards have been implemented in numerous networks and almost every digital device. These standardized mechanisms and algorithms protect information and infrastructure and provide a trustworthy platform for processing and operating. The NIST Cryptographic Program includes cutting-edge research, standardization for essential primitives, and recommendations for application. NIST Post-Quantum Cryptography is one of our ongoing projects, and – in my opinion – it is the most challenging one. As a group manager, my role is to work with two other project co-leaders to plan each step in the project and facilitate outreach to stakeholders in order to raise awareness about the need to develop quantum-resistant cryptography standards.
TPG: What are the biggest concerns with current cryptography vis-à-vis quantum computers?
LC: Our primary concerns involve transition and security. NIST Cryptographic Standards have specified two kinds of cryptographic algorithms: public-key cryptography and symmetric-key cryptography. Quantum computers will completely break current, well-deployed public-key cryptography standards such as the RSA digital signatures specified in FIPS 186 and the Diffie-Hellman Key Agreement specified in SP 800-56A.
With regard to the transition or migration challenge, public-key cryptography schemes have been deployed everywhere, from critical infrastructure to the Internet of Things. We cannot hit a pause button while we replace the current cryptography, but we hope that the new cryptosystem can serve as a drop-in replacement. Moreover, even though we have established a sound foundation in classical security over the past few decades, a new algorithm can go wrong in many different ways, even if it is provably secure. Simply put, quantum security is still new, and we have a lot to explore.
TPG: Please explain NIST’s Post-Quantum Cryptography standardization process and what it entails.
LC: There are three stages to NIST’s Post-Quantum Cryptography standardization process. The first stage involved determining the criteria for the standard. We had a lot of open discussions with the crypto research community, industry implementors, and government users in order to identify the most essential requirements to be included in the call for proposals. The second stage focused on reviewing, analyzing, and evaluating the submitted candidates. We received 82 submissions by the deadline in November 2017, and we have run three rounds in the past 2-3 years. Each round has narrowed down the field of candidates to a smaller set. The third and final stage will involve selecting the algorithms to standardize. We plan to release draft post-quantum cryptography standards in 2022-2023, which will cover two categories of public-key cryptography functions: digital signature and key establishment.
TPG: How are you evaluating quantum-safe replacements? What are possible contenders?
LC: We have relied heavily on the cryptographic research community to evaluate the candidates. In the past 2-3 years, many papers have been published in research conferences and journals to analyze, evaluate, and attack the candidate algorithms. Some researchers have provided a platform to conduct performance evaluations of speed and resource consumption. Each candidate algorithm was designed by a team of researchers. Although we have always emphasized that the process is not a competition in the strictest sense, submission teams are vying to get their algorithms standardized. The spirited atmosphere has, in some ways, motivated more aggressive analyses. Overall, I have found the process to be a healthy and collaborative community effort.
TPG: How did you get into your field? Tell us a little about your background.
LC: Actually, mathematics was not the major I chose when I applied for college. But it was 1977, and China had just opened entrance exams for the first time in 10 years, so I accepted what was assigned to me. I wanted to go to college, and I worried that if I did not accept, I would not have a second chance. Later, when I began studying for my master’s degree in applied mathematics, my advisor was a famous researcher in cryptography. With his guidance, I selected stream cipher as the research topic for my master’s degree dissertation. Then I went to Aarhus University, Denmark for my PhD. Aarhus University has one of the strongest research groups in Europe for cryptography. There, I had the opportunity to work with many distinguished cryptographers and eventually came to love the field. In the past few decades, as the world has entered a more digital era, cryptography has become a very practical branch of science, and so I have been able to stay in this field from academia to industry and now to government.
TPG: What do you like best about what you do?
LC: NIST is a unique place, nationally and internationally, for cryptography. I have enjoyed communicating with people who research, implement, and use cryptography. The information provides me with a bigger picture to navigate our strategies and decisions. NIST is where I feel I can best use my knowledge, research, and experience.
TPG: What has your cryptographic research entailed? How has your research related to your work today?
LC: When I was in academia, my research primarily focused on theoretical topics, such as stream cipher cryptanalysis and zero-knowledge proofs. After I joined the industry side, my research extended to more practical applications, such as security protocols in wireless networks. Being involved in different research has enabled me to cover more ground in cryptography and its applications in security, which has enabled me to understand both the theoretical and practical aspects of leading the NIST Cryptographic Program.
TPG: What do you think could be a worst-case scenario when it comes to quantum computers breaking cryptography?
LC: Most people think the worst-case scenario is that quantum-resistant cryptography standards are not in place or deployed when large-scale quantum computers become available. Public-key cryptography has become a cornerstone of modern cybersecurity, and quantum computers would negate the protection of all of our information, both in storage and in transmission. To avoid this, our post-quantum cryptography project has been forging ahead at full speed, and we closely monitor any advances in quantum computing. Our goal is to have quantum-resistant counterparts in place before quantum computers become available.
In my opinion, an even more devastating scenario is that security flaws are exploited by attackers after post-quantum cryptography standards have been deployed. Security is critical, and we have made all possible efforts to evaluate the security of newly proposed post-quantum algorithms. The research community has also been fully engaged. Over the past decade, post-quantum cryptography research has rapidly advanced to ensure that we can continue to provide reliable security solutions in the future.
TPG: What should organizations be doing today to prepare for quantum computing?
LC: Organizations should prepare for the transition to post-quantum cryptography by, first and foremost, identifying the critical applications and protocols that use cryptography. Specific information is key to foreseeing possible challenges and barriers, such as currently allowed maximum key and signature sizes and limits on hardware, software, and transmission bandwidth. Introducing crypto agility will ease the future replacement. New designs should take the features of post-quantum cryptography into account. Information about the NIST post-quantum cryptography project can be found at www.nist.gov/pqcrypto. Organizations are welcome to send us feedback to firstname.lastname@example.org.
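The crypto agility the answer above recommends is, concretely, a message format and a verification path that dispatch on an algorithm identifier rather than hard-coding one scheme, so that a later post-quantum signature can be added (and a broken scheme disallowed) by changing one table. The following Go program is an added illustration written for this page, not code from NIST or from the interviewee: the envelope layout (alg, signature length, signature, message), the identifier values and the 65535-byte signature cap are hypothetical choices, and the two registered schemes are classical ones from the Go standard library, used only to show the swap mechanism. The explicit signature-length field is there because the answer names signature size as one of the limits to inventory before migrating.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical on-wire algorithm identifiers. Adding a post-quantum scheme or
// retiring a broken one changes this table and the registry below, not the
// envelope format or the callers of Seal and Open.
const (
	AlgECDSAP256 uint16 = 1
	AlgEd25519   uint16 = 2
)

// Hypothetical envelope: alg(2, big-endian) | sigLen(2) | sig | msg.
// The length field frames the signature explicitly; its 2-byte width caps a
// signature at 65535 bytes, a limit that must be checked against any future
// scheme before it is registered.
const maxSigLen = 0xFFFF

// VerifyFunc checks sig over msg under an algorithm-specific public key.
type VerifyFunc func(pub any, msg, sig []byte) bool

// registry is the single place where schemes are enabled or disallowed.
var registry = map[uint16]VerifyFunc{
	AlgECDSAP256: func(pub any, msg, sig []byte) bool {
		pk, ok := pub.(*ecdsa.PublicKey)
		if !ok {
			return false
		}
		h := sha256.Sum256(msg)
		return ecdsa.VerifyASN1(pk, h[:], sig)
	},
	AlgEd25519: func(pub any, msg, sig []byte) bool {
		pk, ok := pub.(ed25519.PublicKey)
		return ok && ed25519.Verify(pk, msg, sig)
	},
}

// Seal builds an envelope around an already-computed signature.
func Seal(alg uint16, sig, msg []byte) ([]byte, error) {
	if len(sig) > maxSigLen {
		return nil, fmt.Errorf("signature of %d bytes exceeds envelope limit", len(sig))
	}
	out := make([]byte, 4, 4+len(sig)+len(msg))
	binary.BigEndian.PutUint16(out[0:2], alg)
	binary.BigEndian.PutUint16(out[2:4], uint16(len(sig)))
	out = append(out, sig...)
	return append(out, msg...), nil
}

// Open parses an envelope, dispatches on the identifier and returns the
// message only if the signature verifies under pub.
func Open(env []byte, pub any) ([]byte, error) {
	if len(env) < 4 {
		return nil, errors.New("envelope too short")
	}
	alg := binary.BigEndian.Uint16(env[0:2])
	n := int(binary.BigEndian.Uint16(env[2:4]))
	if len(env) < 4+n {
		return nil, errors.New("truncated signature")
	}
	verify, ok := registry[alg]
	if !ok {
		return nil, fmt.Errorf("algorithm %d is unknown or disallowed", alg)
	}
	sig, msg := env[4:4+n], env[4+n:]
	if !verify(pub, msg, sig) {
		return nil, errors.New("signature verification failed")
	}
	return msg, nil
}

// SignECDSAP256 produces the signature Seal expects for AlgECDSAP256.
func SignECDSAP256(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// Demo runs both registered schemes, a tampered message and an unregistered
// identifier through the envelope; it returns nil if every case behaves.
func Demo() error {
	msg := []byte("constructed sample message") // constructed input
	edPub, edPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	env, _ := Seal(AlgEd25519, ed25519.Sign(edPriv, msg), msg)
	if got, err := Open(env, edPub); err != nil || string(got) != string(msg) {
		return fmt.Errorf("ed25519 round trip: %v", err)
	}
	env[len(env)-1] ^= 0x01 // flip one bit of the message
	if _, err := Open(env, edPub); err == nil {
		return errors.New("tampered envelope accepted")
	}
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	sig, err := SignECDSAP256(ecKey, msg)
	if err != nil {
		return err
	}
	env, _ = Seal(AlgECDSAP256, sig, msg)
	if _, err := Open(env, &ecKey.PublicKey); err != nil {
		return fmt.Errorf("ecdsa round trip: %v", err)
	}
	env, _ = Seal(99, sig, msg) // identifier never registered
	if _, err := Open(env, &ecKey.PublicKey); err == nil {
		return errors.New("unregistered algorithm accepted")
	}
	return nil
}

func main() {
	if err := Demo(); err != nil {
		fmt.Println("FAIL:", err)
		return
	}
	fmt.Println("all envelope checks passed")
}
```

Migrating to a standardized post-quantum signature under this design means allocating a new identifier, registering its verify function after checking its signature size against the envelope's cap, and eventually deleting the classical entries so that envelopes carrying them are rejected; Open and its callers stay unchanged.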