In today’s connected digital world, cryptographic algorithms are implemented in every device and applied to every link to protect information in transmission and in storage. Over the past 50 years, the use of cryptographic tools has expanded dramatically, from limited environments like ATM encryption to every digital application used today. Throughout this long journey, NIST has played a unique leading role in developing critical cryptographic standards.
In the early 1970s, there was little public understanding of cryptography, although most people knew that military and intelligence organizations used special codes or code equipment to communicate. The National Bureau of Standards (NBS), which NIST was formerly called, initiated a program to develop the Data Encryption Standard (DES) in 1973 to protect computer data and to allow for large-scale commercial interoperability. A 64-bit block cipher with 56-bit key, DES was the first public encryption created by the U.S. government. An exhaustive search attack for a DES key takes only 256 operations, which is trivial in today’s computing capacity, but in 1977 DES provided sufficient protection for our electronic data. It became the de facto symmetric key standard of the U.S. commercial cryptographic product industry. Federal Information Processing Standard (FIPS) 46, which specifies DES, was published in January 1977.
Cryptanalysis techniques and the computing power of attackers have steadily advanced during the past half century, demanding a constant transition to cryptographic algorithms with higher levels of security strength. As historian David Kahn noted in The Codebreakers: The Comprehensive History of Secret Communication from Ancient Times to the Internet, “Much of the history of cryptology of this time is a patchwork, a crazy quilt of unrelated items, sprouting, flourishing, withering. . . The story of cryptology during these years is, in other words, exactly the story of mankind.”
By the mid-1990s, it was anticipated that the security strength of DES soon would be overtaken by cryptanalysis advancements. Not only had computing capacity tremendously increased since DES was designed, but more sophisticated cryptanalysis techniques, such as differential and linear cryptanalysis methods, had been developed. In 1997, NIST initiated the first world-wide public competition to solicit a 128-bit block cipher with three key length options: 128, 192, and 256 bits. The winner would be named the Advanced Encryption Standard (AES). This open competition enabled NIST to partner with an international community of cryptographers, academic researchers and industry practitioners.
The open partnership with the international community enabled NIST to select an algorithm that represented the state of the art design for block cipher with a strength to resist different cryptanalysis methods. The AES competition turned a page for NIST cryptographic standards and solidified NISTs position as the world’s leader in cryptography. In 2005, when research results challenged the collision resistance property of the hash function SHA-1, the international security community urged NIST to hold another competition for a new family of hash functions. This demonstrated a widespread enthusiasm for participating in the trusted NIST process, an acknowledgement of NIST leadership, and a reliance on NIST to create needed encryption. Working with our stakeholders, NIST then selected the latest family of hash functions, SHA-3, in 2012 and specified these in FIPS 202.
Public-key cryptography, invented in 1976, enabled a game-changing breakthrough in the 21st century, allowing different parties to establish keys without a protected channel and enabling the function of digital signatures. With the Internet explosion of the late 1980s, demand skyrocketed for protocols to establish many-to-many secure communications, which cannot rely on a centralized key distribution. In response to this demand, the Internet Engineering Task Force (IETF) deployed public-key cryptography for key establishment and mutual authentication in Internet protocols. The American Banker Association was an early adopter for financial applications.
An American National Standards Institute (ANSI) group called X9 initiated a much-needed standard for public-key cryptography, and NIST actively contributed to these new activities. The major public-key cryptography standards developed in X9 were adopted by NIST in NIST Special Publication (SP) 800-56A and SP 800-56B. The supporting signature schemes standardized by X9, such as RSA and Elliptic Curve Digital Signature Algorithms (ECDSA), were also adopted in FIPS 186.
A more dramatic transition lies ahead of us. The public-key cryptography that NIST standardized is based on the hardness of either integer factorization or discrete logarithm problems. Quantum computers, once in full scale, will completely change the hardness assumptions, which are based on classical computers. Today’s widely deployed public-key cryptography schemes, such as RSA and ECDSA, will not provide any security protection against quantum computers. Even if they are still far off on the horizon, quantum computers raised a mission call to the NIST cryptographic program. We now face an unprecedented urgency to develop quantum-resistant cryptography standards, a.k.a. post-quantum cryptography (PQC) standards.
NIST started to develop post-quantum cryptography standards in 2016 through an open call for proposals for the new algorithms. The candidate algorithms were submitted by 82 design teams with researchers from 25 countries on 6 continents. In the past 6 years, NIST has led the community to intensively analyze and evaluate these candidates. The candidate pool was narrowed down twice, each time considering security, performance, and many other properties. The selection of algorithms is expected to be announced in the spring of 2022. NIST plans to release the first set of draft PQC standards no later than 2023 for public comments, with the final publication scheduled in 2024.
Considering that cryptographic standards are the cornerstone of cybersecurity, we must work to assure a smooth migration to our new encryption. The Migration to Post-Quantum Cryptography project, a partnership between the National Cybersecurity Center of Excellence (NCCoE) and industry, aims to ease migration from the current set of public-key cryptographic algorithms to the replacement quantum-resistant algorithms.
NIST has a full cryptographic standards portfolio covering the essential cryptographic primitives (low-level, established cryptographic algorithms often used in developing cryptographic protocols) and guidelines on how to use the primitives in different applications. As the world becomes more digitized every day, cryptographic standards are required not only for protecting against extremely powerful attacks by quantum computers, but also for protecting extremely constrained devices, such as sensors, IoT devices, and RFIDs, and we are developing lightweight cryptography standards for these constrained environments. At the same time, NIST continues work in multiple explorative and research projects to investigate advanced cryptographic tools, such as secure multiparty computation for security and privacy needs in applications like AI and Blockchains.
As we reflect on the journey over the past 50 years, we can trace the evolution of cryptographic standards with the demand for new applications, from code signing for open platforms to pervasive wireless communications. NIST has guided every step of the journey, from DES to AES, from SHA-1 to SHA-2/SHA-3, and from 80-bit security strength parameter set to 112-bit and beyond. The evolution will continue, and we are confident we will continue to lead the way.