Comparing PQC and Classical Algorithms - SafeLogic

More and more companies are starting to incorporate post-quantum cryptography (PQC) in their products and infrastructure. These algorithms provide much needed security against future attacks by a cryptographically relevant quantum computer (CRQC). However, new implementers often have questions about the differences in key sizes, as well as use of the new KEM algorithm type.

Background – NIST Security Categories

While classical algorithms have security strengths that correspond to specific bit lengths, PQC algorithms have security strengths corresponding to NIST security categories. These security categories are intended to compare the difficulty of breaking an algorithm with a given parameter set to the difficulty of breaking a comparable classical algorithm. See additional details here.

NIST security categories can be summarized as follows:

• Security Category 1: comparable to AES-128
• Security Category 2: comparable to SHA-256
• Security Category 3: comparable to AES-192
• Security Category 4: comparable to SHA-384
• Security Category 5: comparable to AES-256

Background – KASs and KEMs

With the publication of the NIST standard for ML-KEM, NIST introduced the concept of Key Encapsulation Mechanisms (KEMs) for key establishment. KEMs differ from Key Agreement Schemes (KASs), as briefly outlined below.

• KASs are classical key agreement schemes, such as Diffie-Hellman. Parties use public and private keys to establish a shared secret. A key derivation function (KDF) must be used on the shared secret to create a shared secret key.
• KEMs are key encapsulation mechanisms introduced with the PQC algorithms. Unlike KASs, KEMs are not symmetric for both parties and cannot be used to encapsulate the same key for multiple parties (e.g. for key distribution). KEMs also do not incorporate any digital signature algorithms. In a KEM, Alice sends an encapsulation (public) key to Bob, Bob generates a random key and sends it to Alice as ciphertext using her encapsulation key, and Alice uses her decapsulation (private) key on the ciphertext to obtain the random key. For more details on KEMs, see the initial public draft of SP 800-227 - Recommendations for Key-Encapsulation Mechanisms.

Comparing PQC and Classical Parameters for Digital Signatures

In general, PQC algorithms for digital signatures have much larger parameters than corresponding classical algorithms, as detailed below:

Comparing PQC and Classical Parameters for Key Establishment

As with digital signatures, PQC algorithms for key establishment (KEMs) have much larger parameters than classical algorithms (KASs), as detailed below:

Using PQC algorithms

Although PQC algorithms have larger parameters and introduce a new key establishment methodology, using them is well worth the effort. Classical asymmetric algorithms will not be able to provide security against the growing threat of quantum computers. And while large parameter sizes may require implementation adjustments, PQC algorithms can often be as fast or faster than classical algorithms.

To get started today with SafeLogic’s PQC products, reach out to our sales team here. Or learn more from our recent blog post here.