NIST Releases 3 Post-Quantum Standards, Urges Orgs to Start PQC Journey

The National Institute of Standards and Technology (NIST) on Tuesday released the final version of the first three cryptographic standards based on algorithms deemed capable of resisting attacks from quantum computers powerful enough to decrypt data protected with the current Advanced Encryption Standard (AES).

Culminating a process launched in 2015, NIST's publication of the new Federal Information Processing Standards (FIPS) algorithms sets the stage for CISOs and providers of software, hardware, and services to kick off or advance their post-quantum cryptography (PQC) remediation strategies.

Security experts say the release of the first PQC standards is the first major milestone for cryptography since the adoption of the Advanced Encryption Standard (AES) in 2001 to replace the Data Encryption Standard (DES). In modern communications, public-key infrastructure (PKI), standard AES, and RSA encryption are commonly used in tandem.

Implementing the new standards-based PQC encryption algorithms promises to address long-standing predictions that quantum computers will eventually emerge that are powerful enough to break standard AES and RSA-2048 encryption by applying what is widely known as Shor's algorithm. Based on advances, experts believe the first cryptographically relevant quantum computer (CRQC) could potentially do so within the next decade.

"This is a historic moment and the beginning of a new era in digital security," said Matthew Scholl, chief of NIST's computer security division, in a short video announcing the publication of the standards.

Among an initial set of 82 candidates, NIST selected four algorithms in 2022: CRYSTALS-Kyber, CRYSTALS-Dilithium, Sphincs+, and FALCON. Last year, NIST released the first three standards in draft form and said FALCON would be released as a draft standard later this year. Now that they are published standards, NIST has given them official FIPS designations:

According to NIST, when it releases the draft standard for the FALCON algorithm, it will be called FN-DSA (FFT-fast-Fourier transform over NTRU-Lattice-Based Digital Signature Algorithm), FIPS 206. NIST also is evaluating several additional candidates as contenders to augment existing standards or serve as a backup to new ones.

Ringing the Starting Bell

The announcement has been "highly anticipated" around the world, not just in the US, says Tom Patterson, a former co-chair of the White House Cyber Moonshot working group advising on PQC and now managing director for emerging technology security at Accenture.

"It becomes the opening bell for many organizations around the world to really take this threat seriously and start working on it," he says, adding that CISOs have long understood the potential for quantum computers to someday become powerful enough to break RSA encryption. Despite the 2023 release of the draft standards and advice to Accenture's clients to begin implementing them, most have remained on the sidelines awaiting the official release.

"They've been saying, 'Look, when NIST has a go-to algorithm and has a new standard, we'll start to work on this,'" Patterson says. "This is why we think it's the starting bell for a lot of companies around the world.

The bell has already rung for the federal government. Following executive orders by the last three administrations, President Joe Biden signed the Quantum Computing Cyber Security Act in 2023, a law that encourages the migration of government information systems to migrate all federal systems to quantum-resistant cryptography.

Last month the White House submitted its "Report on Post-Quantum Cryptography" to the Senate Committee on Homeland Security and Governmental Affairs and the House Committee on Oversight and Accountability. According to the report, the US Office of National Cyber Director (ONCD) estimates that migrating government systems between 2025 and 2035 will cost an estimated $7.1 billion.

Industries to Follow Suit

While the federal government is poised to be among the first movers, experts believe several industries are close behind. The most notable are healthcare providers and insurers, which store sensitive patient information that can date back many decades, and financial services firms, including banks.

Like Accenture's Patterson, Scott Crowder, IBM's VP of quantum adoption and business development, says it has been a mixed bag to date in terms of how seriously officials, both in government and outside, have taken the need to address PQC.

"I think this is another signal to the market that you need to start thinking about this," he says. "It also allows people who have interoperability challenges to actually start doing stuff, which is, I think, a big deal."

It often takes longer than they expect based on IBM's work with clients that have moved to address this, Crowder notes.

"Even for people who think they've got it covered, there's more weeds or whatever in the background that they need to go find and fix than they think," he says. "So I think that's probably like years."

Samantha Mabey, Entrust's director of digital security solutions, agrees.

"We know it's going to span several years," Mabey says. "It's going to require all hands on deck, and it's going to have to be actively managed as well."

Mabey recommends that organizations should first assign a lead person to oversee the transition, set priorities, and create a plan for taking inventories of data and all cryptographic systems, including how keys and certificates are managed.

"It's going to take a lot of time making sure that your crypto-agility maturity is up there to allow for this transition," she says.

Phased Approach Starting With Hybrid

Like many in the industry, content delivery network (CDN) provider Akamai is taking a phased approach to implementing the standards. Akamai engineers are beta-testing PQC modules for each data flow step, starting with Akamai to the client's origin site. Quantum-resistant hybrid key exchange for data in transit between Akamai and customer origin sites is set to become available in the second half of 2024.

"We're doing the hybrid key exchange because these post-quantum algorithms are really new," says Akamai principal architect Rich Salz. "They haven't had the years of bait time and people trying to break them. If we do a hybrid for the key exchange, then if one fails, at least we'll have the other one, and that will still be good."

Akamai plans to support PQC-capable transport from browser-based clients to its CDN in early 2025; later that year it will provide "end-to-end PQC" hardening.

PQC Standards in Web Browsers

Salz expects that all of the major browsers will have implemented the necessary PQC standard algorithms by then. Notably Google, which revealed its PQC research in 2016, announced in May that it has implemented the draft spec of ML-KEM in Chrome 124, enabled by default for TLS 1.3 and QUIC on the desktop.

In a post on Tuesday, Google announced that ML-KEM is also enabled on Google servers, noting that "connections between Chrome Desktop and Google's products, such as Cloud Console or Gmail, are already experimentally protected with post-quantum key exchange."

Akamai's Salz says it's important that Google and all of the major browser providers are rolling out quantum-resistant support to their respective browsers.

"But the savvy customers know that's only half the problem," he says. "You still need to get the rest of the communication path — the intermediary or the CDN to the origin."