NIST Seeks to Raise Its Cryptographic ProfileBudget Addresses Threats Posed by Quantum Computing
It's barely a drop in the bucket, but President Obama is earmarking $7 million of his nearly $4 trillion federal budget to help the National Institute of Standards and Technology provide stronger cryptographic solutions and enhance privacy tools.
If approved by Congress for fiscal year 2016, which begins Oct. 1, NIST would hire 10 new fulltime employees to work on its cryptographic and privacy initiatives.
Cryptographic research is a growing focus for NIST, in part because of the prospect of quantum computing, with its expanded capabilities that would make many of today's encryption methods obsolete.
A race is on to develop functioning quantum computers. According to NIST, Britain is investing about $420 million over the next five years in quantum technologies. In another part of the NIST budget, Obama is requesting Congress to approve $26.6 million, a $5 million increase from 2015 levels, for NIST to accelerate widespread use of quantum science and support development of the next-generation of quantum devices. The National Security Agency, according to documents leaked by former contractor Edward Snowden, is spending $79.7 million to build a quantum computer to crack cryptography.
Questioning the Need
But one cryptography expert questions the need to defend against quantum computers in the foreseeable future. "I don't see quantum computing posing a threat to current generations of systems in any reasonable time frame," says Phillip Rogaway, a computer science professor at the University of California at Davis, adding a functioning quantum computer is decades away, "if ever."
Still, interest is growing in quantum computing, and NIST wants to be ready for it with appropriate cryptography when it arrives. In April, NIST will hold a post-quantum world workshop following the IACR International Conference on Practice and Theory of Public-Key Cryptography to be held from March 30 to April 1 at its Gaithersburg, Md., campus. NIST isn't alone in its interest in post-quantum cryptography; in September, the fifth International Conference on Quantum Cryptography will be held in Tokyo.
"As we're investing in quantum research, others in world are as well, so you want to be ahead of that and make sure that once that does becomes a reality, we can be prepared," NIST spokeswoman Jennifer Huergo say.
Emphasis on Independence
In seeking the added money next fiscal year to improve cryptography, NIST emphasizes that it wants to continue to "deliver robust and independence cryptography capabilities." NIST has come under criticism for its relationship with the National Security Agency, which was accused of tampering with a NIST cryptographic algorithm (see Report: NSA Circumvented Encryption). Federal law requires NIST to collaborate with the NSA on cryptography and other security standards. To rely less on the NSA, NIST would use the extra funding to foster cryptographic collaboration with academia and industry, according to a summary of its cybersecurity budget request for 2016.
Huergo cites the recently published second draft of NIST Cryptographic Standards and Guidelines Development Process, which states: "In order to make independent decisions, NIST stresses the importance of its access to sufficient expertise, both from within NIST and from organizations and individuals external to NIST."
NIST began drafting the report, also known as Interagency Report 7977, as a result of the NSA meddling with its cryptographic algorithm, which it eventually withdrew from its guidance (see NIST Revises Crypto Standards Guide).
Protecting the Internet of Things
Besides developing post-quantum computing cryptography standards, NIST would use the added money to create cryptography standards to address so-called constrained environments, also known as lightweight cryptography, that supports devices found on the Internet of Things. In July, NIST will hold a lightweight cryptography workshop.
The privacy tools NIST intends to enhance with the new funding are aimed at assisting information systems users, owners, developers and designers who handle personal information. The tools and guidance NIST hopes to develop could be used to decrease risks related to exposing private information, according to the agency, and allow users to make meaningful decisions about resource to allocate and security and privacy controls to implement.