1. Introduction 443
Symmetric-key cryptography employs cryptographic algorithms that require both the sending and 444 receiving parties to protect communications using the same secret key. This is distinct from 445 asymmetric-key (i.e., public key) cryptography in which the parties have pairs of keys − a private 446 key known only to the key pair owner, and a public key that may be known by anyone. Section 3 447 of SP 800-175B4 discusses the use of these two algorithm types, including the pros and cons of 448 each, namely that: 449
• Symmetric-key cryptography is generally much less computationally intensive than 450 asymmetric-key cryptography. 451
• Digital signatures generated using asymmetric-key algorithms provide better source 452 authentication properties than can be provided by symmetric-key algorithms. 453
• The number of keys required to initiate and maintain cryptographic keying relationships is 454 much higher for symmetric-key cryptography than for asymmetric-key cryptography. 455
As a result of these characteristics, recent key-management schemes have used symmetric-key 456 cryptography for the encryption and integrity protection of data-at-rest and data-in-transit (i.e., 457 stored or communicated data), and asymmetric-key cryptography to establish the symmetric keys 458 for data-in-transit and for source authentication and integrity protection using digital signatures.5 459
Recent concerns associated with the projected consequences of emerging quantum-computing 460 technology for the security of existing asymmetric algorithms (see NISTIR 81056) suggest a 461 potential federal government requirement for the reconsideration of, and possible reversion to, the 462 use of symmetric-key cryptography. Keys protected using currently approved asymmetric-key 463 algorithms7 can, therefore, be expected to become known by adversaries once quantum computers 464 become available. In contrast, the impact on symmetric-key algorithms will not be as drastic; 465 doubling the size of the key will be sufficient to preserve security. Symmetric-key algorithms and 466 hash functions with sufficiently large output should be usable in a quantum era. 467
Research is in progress to develop quantum-resistant asymmetric-key algorithms.8 However, 468 replacing the currently used asymmetric-key algorithms with quantum-resistant asymmetric-key 469 algorithms can be expected to not really begin until about 2020 and not be completed until the 470 2030s. 471
Where the security of information is very important, and the security of information currently 472 being protected by asymmetric-key algorithms needs to be maintained for more than a few years,
