Hi,
On November 3rd the UK published recommendations for quantum-resistant cryptography. I think it is great that the UK aligns with NIST and recommends ML-KEM, ML-DSA, and SLH-DSA, writes that ML-KEM and ML-DSA are recommended for general purpose use, and writes that ML-KEM-512 can be used for government use.
https://www.ncsc.gov.uk/whitepaper/next-steps-preparing-for-post-quantum-cryptography
"ML-KEM (Kyber) and ML-DSA (Dilithium) are algorithms selected for standardisation by NIST that are suitable for general purpose use. All proposed parameter sets provide an acceptable level of security for personal, enterprise and OFFICIAL-tier government information. The NCSC recommends ML-KEM-768 and ML-DSA-65 as providing appropriate levels of security and efficiency for most use cases."
It is also great that the UK clearly writes that all 128-bit algorithms can continue to be used. Any attacks using Grover's algorithm (which is proven to be optimal) are practically completely ridiculous, like a billion CRQCs running for a million years.
"In contrast with PKC, the security of symmetric cryptography is not significantly impacted by quantum computers, and existing symmetric algorithms with at least 128-bit keys (such as AES) can continue to be used. The security of hash functions such as SHA-256 is also not significantly affected, and secure hash functions can also continue to be used."
The Netherlands, France, and the UK are now recommending ML-KEM and ML-DSA. I think this is great. Global cryptographic standards benefit everyone. I really hope that Germany will also recommend ML-KEM and ML-DSA soon.
As a side note, the Signal Protocol will also use ML-KEM for quantum-resistance.
https://signal.org/docs/specifications/pqxdh/
Cheers,
John Preuß Mattsson