NIST Standardizes Three Post-Quantum Encryption Algorithms

The U.S. National Institute of Standards and Technology (NIST) has unveiled the first three standards defining cryptographic algorithms that are designed to resist attacks by a quantum computer. The first standardized algorithm (CRYSTALS-Kyber) defines how keys are encapsulated and is intended to protect data exchange, while the other two (CRYSTALS-Dilithium and SPHINCS+) implement digital signature schemes that can be used for authentication. To avoid confusion, the standardized versions of the algorithms have been renamed: CRYSTALS-Kyber to ML-KEM, CRYSTALS-Dilithium to ML-DSA, and SPHINCS+ to SLH-DSA. The selected algorithms have been under development since 2016 and are the winners of the previously announced NIST competition for post-quantum cryptography algorithms.

Quantum computers, which have been developing actively in recent years, are radically faster at solving integer factorization (the basis of RSA) and the discrete logarithm problem on elliptic curves (the basis of ECDSA). These problems underpin modern asymmetric public key algorithms and have no efficient solution on classical processors. At the current stage of development, the capabilities of quantum computers are not yet sufficient to break current classical encryption algorithms and public key digital signatures such as ECDSA, but it is assumed that the situation may change within this decade.

Accepted standards:

• FIPS 203 is considered the main standard for data encryption. It uses the CRYSTALS-Kyber algorithm (ML-KEM, Module-Lattice-Based Key-Encapsulation Mechanism) to establish keys between the parties that encrypt and decrypt data. CRYSTALS-Kyber relies on cryptographic methods based on hard lattice problems, for which no substantial speed-up is known on quantum computers compared with conventional ones. The advantages of the chosen algorithm are its relatively small key sizes and high speed.

• FIPS 204 is the primary standard for digital signatures, based on the CRYSTALS-Dilithium algorithm (ML-DSA, Module-Lattice-Based Digital Signature Algorithm), which, like CRYSTALS-Kyber, is built on lattice problems.

• FIPS 205 is an alternative standard for digital signatures using the SPHINCS+ algorithm (SLH-DSA, Stateless Hash-Based Digital Signature Algorithm), which applies hash-based cryptography. SPHINCS+ lags behind CRYSTALS-Dilithium in signature size and speed, but it rests on completely different mathematical principles, so it will remain effective even if lattice-based algorithms are compromised.

In addition, a fourth standard, FIPS 206, is planned for approval by the end of the year. It covers digital signatures and is based on the FALCON algorithm, which, like CRYSTALS-Kyber and CRYSTALS-Dilithium, relies on lattice problems, but unlike them is aimed at applications that require the smallest possible signature size. The standardized version of FALCON will be published under the name FN-DSA (FFT (Fast Fourier Transform) over NTRU-Lattice Digital Signature Algorithm). By the end of the year, NIST also plans to select algorithms for alternative general encryption standards based on different principles from those used in FIPS 203 and its CRYSTALS-Kyber algorithm.
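To make the "completely different mathematical principles" behind FIPS 205 concrete, here is an added example (not code from the article or from NIST) of the simplest hash-based signature, a Lamport one-time signature. SLH-DSA is far more elaborate (it composes WOTS+ one-time signatures into a hypertree so that a single key can sign many messages without tracking state), but this ancestor shows the core idea the paragraph refers to: security rests only on the preimage resistance of a hash function, with no number-theoretic or lattice assumption at all. The function names and the use of SHA-256 are choices made for this illustration.

```python
import hashlib
import secrets

HASH = hashlib.sha256
DIGEST_BITS = 256          # we sign a SHA-256 digest, one key pair per bit
SEED_BYTES = 32            # size of each secret preimage


def keygen():
    """Generate a Lamport one-time key pair.

    The secret key is 256 pairs of random preimages; the public key is the
    hash of every preimage. Revealing a preimage is the act of signing, so
    each key pair may sign exactly ONE message (hence 'one-time').
    """
    sk = [[secrets.token_bytes(SEED_BYTES) for _ in range(2)]
          for _ in range(DIGEST_BITS)]
    pk = [[HASH(preimage).digest() for preimage in pair] for pair in sk]
    return sk, pk


def _message_bits(message: bytes):
    """Yield the 256 bits of SHA-256(message), most significant bit first."""
    value = int.from_bytes(HASH(message).digest(), "big")
    for i in range(DIGEST_BITS):
        yield (value >> (DIGEST_BITS - 1 - i)) & 1


def sign(sk, message: bytes):
    """For bit i of the digest, reveal the preimage sk[i][bit]."""
    return [sk[i][bit] for i, bit in enumerate(_message_bits(message))]


def verify(pk, message: bytes, signature) -> bool:
    """Hash each revealed preimage and compare it with the matching pk entry.

    Uses hash-and-compare only; no algebraic structure is involved, which is
    why a break of lattice (or factoring) assumptions does not affect it.
    """
    if len(signature) != DIGEST_BITS:
        return False
    for i, bit in enumerate(_message_bits(message)):
        preimage = signature[i]
        if not isinstance(preimage, (bytes, bytearray)):
            return False
        if HASH(preimage).digest() != pk[i][bit]:
            return False
    return True


def revealed_fraction(sk, signatures) -> float:
    """Fraction of secret preimages exposed by a set of signatures.

    Illustrates why the scheme is one-time: a second signature with the same
    key reveals more preimages, letting anyone forge signatures on messages
    whose digest bits are all covered. Stateless schemes such as SLH-DSA are
    designed so users never have to track which one-time keys were used.
    """
    exposed = set()
    for sig in signatures:
        exposed.update(sig)
    total = DIGEST_BITS * 2
    return len(exposed) / total


if __name__ == "__main__":
    sk, pk = keygen()
    msg = b"constructed sample message"      # constructed input
    sig = sign(sk, msg)
    print("valid:", verify(pk, msg, sig))
    print("tampered:", verify(pk, msg + b"!", sig))
    second = sign(sk, b"a second message")   # reusing the key is the mistake
    print("secret exposed after two signatures: %.0f%%"
          % (100 * revealed_fraction(sk, [sig, second])))
```

A single signature reveals exactly half of the secret preimages (one per bit), which is harmless; two signatures on different messages expose roughly three quarters, and at that point forging a third message is feasible. That one-time constraint is what hash-based schemes like SLH-DSA engineer away, at the cost of the larger signatures and slower operations the article mentions.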

----------------------

The U.S. National Institute of Standards and Technology (NIST) has announced the publication of the second public draft of the fourth revision of the Digital Identity Guidelines (Special Publication 800-63) in four volumes.

NIST SP 800-63-4 (second public draft) provides comprehensive guidance on the processes and technical requirements for achieving different levels of assurance in digital identity management. In addition, the new revision focuses on improving the privacy, fairness, and usability of digital identity solutions and technologies.

The initial draft of the fourth edition of SP 800-63 was released in December 2022. During the discussion period, the authors received nearly 4,000 comments from various organizations and individuals, who helped to significantly improve the document to meet the requirements of security, privacy, and fairness in digital identity systems.

Based on the feedback received, significant changes were made to all volumes of the manual. Among the key changes is the updating of the text and context of risk management, including the addition of a stage for defining and analyzing the online service that the organization intends to protect with an identity system. Fraud management requirements have also been expanded to better address the challenges that arise when implementing audits. A new structure has been introduced to manage identity verification, based on the types of evidence provided (remote, face-to-face, etc.).

NIST has also identified several key issues on which comments and recommendations from reviewers are expected:

1. Risk management and identity models:

   • The description of the user-controlled wallet model should be detailed enough to let organizations understand how it compares with real-world solutions such as mobile driver's licenses and verifiable credentials.

   • The updated risk management process should be defined clearly enough to support effective and repeatable implementation of solutions that protect online services and systems.

2. Identity verification and enrollment:

   • The structure of requirements for the types of identity verification should be sufficiently clear, and the different types of verification should be described in detail.

   • Additional requirements for anti-fraud programs, which could become a common framework for all credential service providers and other organizations, should be introduced as necessary.

   • The requirements for verifying the authenticity and validity of identity evidence, and their performance metrics, should be realistic and achievable with existing technologies.

3. Authentication and management of authenticators:

   • The requirements for synchronized authenticators should be clearly defined to enable informed, risk-based decisions about their use in public and corporate settings.

   • Additional control measures should be considered, along with specific recommendations or implementation considerations.

4. Federation and attestations:

   • The concepts of "user-controlled wallets" and "attribute bundles" should be defined clearly enough to support their actual implementation. Additional requirements or considerations should be weighed to improve the security, usability, and privacy of these technologies.

5. General questions:

   • Additional implementation guidance, architectural diagrams, metrics, or other supporting resources could accelerate the adoption and implementation of this and future versions of the Digital Identity Guidelines.

   • The areas of applied research and measurement that can have the greatest impact on the identity market should be identified so they can contribute to the development of these recommendations.

NIST invites all interested parties to participate in the discussion of the draft and submit their comments by October 7, 2024.

The fourth revision of SP 800-63 aims to adapt to the changing digital landscape and provides organizations with comprehensive guidance for ensuring the security, privacy, and availability of digital identity systems. Attention to these aspects is especially important given the growing dependence on online services and the increasing threats in the digital environment.

• Source: https://csrc.nist.gov/pubs/sp/800/63/4/2pd

• Source: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-4.2pd.pdf