NIST Announces 2024 Timeline for First Standardized Post-Quantum Cryptography (PQC) Algorithms

The U.S. federal standards body announced that three quantum-safe algorithms are expected to be ready for use next year. Now through Nov. 22, 2023, NIST is accepting feedback from the cryptographic community on those draft standards.

We’ve been talking about the need for post-quantum cryptography (PQC) now for a few years. As you can imagine, developing and rolling out new encryption standards for the entire internet takes a while. However, another significant milestone was recently achieved.

On Aug. 24, the National Institute of Standards and Technology (NIST) announced a public comment period for the proposed draft standards of the first three post-quantum cryptography (PQC) algorithms. These Federal Information Processing Standards (FIPS) aim to address the suspected dangers associated with cryptographically relevant quantum computer (CRQC) capabilities. The drafts of these algorithms, which were announced in July 2022, are open to comments through Nov. 22, 2023.

This public comment period allows members of the cryptographic community to share their thoughts, concerns, and recommendations relating to three cryptographic schemes. This way, changes or improvements can be made before the standards are ready for use in 2024.

So, what’s the significance of all this to your organization and the industry as a whole?

Let’s hash it out.

What’s the Significance of the 2024 Post-Quantum Cryptography Timeline?

These standards represent a big step toward data security in a post-quantum cryptography world. NIST anticipates that the standards will be available for use in 2024. The sooner NIST can standardize these FIPS, the faster public and private organizations can begin implementing quantum-safe algorithms within their environments. (But even after the standards are approved, it’ll still take years or decades to make the full transition.)

In May 2022, the White House released its National Security Memorandum on Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems. The document states that the goal is to move “the maximum number of systems off quantum-vulnerable cryptography within a decade of the publication of the initial set of standards.” There also will be a proposed timeline for deprecating quantum-vulnerable cryptographic standards.

We recently shared that Google announced the adoption of a hybrid PQC algorithm in the Chrome 116 version release of its browser. This is just one example of how industry leaders are starting to shift toward PQC-safe digital environments. 

“PQC” Doesn’t Convey the True Urgency of This Effort

Doesn’t the term “post-quantum cryptography” mean that you don’t need to have it in place until quantum computers are commercially available? NO. The name “post-quantum cryptography” is a bit of a misnomer. Experts within the industry use other names for post-quantum cryptography interchangeably: “quantum-resistant cryptography” and “quantum-safe cryptography.”

Tim Hollebeek, Industry and Standards Technical Strategist at DigiCert, says he thinks “quantum-safe cryptography” is the most accurate term. Hollebeek shared in a recent LinkedIn post that the PQC term gives people the wrong impression regarding the need or urgency for adoption:

“The problem with the term post-quantum cryptography is that it is easy to misunderstand as something you don’t need to do until cryptographically relevant quantum computers (CRQCs) arrive, which is the exact opposite of true. Quantum-safe cryptography is what you need to start using early enough so that ALL of your data and communications have been COMPLETELY migrated before the EARLIEST possible date when Dr. Evil will have access to his pet CRQCodile-9000. And remember, he won’t publicly announce it!”

Translation: Although quantum computers that can break modern encryption schemes don’t currently exist, it doesn’t mean that your organization shouldn’t be planning or starting to prepare for this eventual reality now. And part of that planning should include how you’ll securely manage your cryptographic keys’ lifecycles.

It doesn’t matter whether the emergence of quantum computing happens in two years or 20: start getting your ducks in a row now, so you won’t be caught off guard later. 

An Overview of the Three Proposed Algorithms

In its July 2022 PQC algorithm selection announcement, NIST selected four candidate algorithms as the finalists. NIST has opened public comments for three of those four standards (FIPS 203, 204, and 205) now, and announced that it will release the draft standards of the fourth (FALCON) for public comments in 2024.   

So, what are these standards? We’ve talked about them before, but let’s quickly review what they are and how they’re intended to be used.

1. FIPS 203. This module-lattice-based key encapsulation mechanism (ML-KEM), based on CRYSTALS-Kyber, is used to establish a shared secret key over open (i.e., insecure) channels. Think of this as the replacement for factoring-based key agreement schemes for public-facing environments (e.g., RSA), which are expected to be broken by quantum computing. An example of this type of application would be securing connections for websites and web apps.

2. FIPS 204. The module-lattice-based digital signature algorithm (ML-DSA), based on CRYSTALS-Dilithium, consists of three algorithms: one for generating cryptographic keys, one for digital signing, and one for verifying the resulting digital signature. An example of where this could be used is for remote document signing.

3. FIPS 205. The stateless hash-based digital signature algorithm (SLH-DSA) is a cryptographic function that aims to reduce signature sizes. It’s based on SPHINCS+ and operates differently from the other algorithms at a mathematical level. Much like CRYSTALS-Dilithium, this algorithm would be best suited for remote digital signing. 

To learn more about each of these algorithms and their FIPS proposed standards, click on the links listed above.

Let’s Wrap This Up

Quantum-related threats are coming; it’s a matter of when, not if. To prepare for this, you can adopt a hybrid approach:

  • Use modern strong cryptographic algorithms within your environment. This will help to protect your data against current threats.
  • Incorporate new, quantum-safe algorithms as they become available. This will help protect your current data against future threats (i.e., “harvest now, decrypt later” [HNDL] attacks). The concern is that bad guys will steal your sensitive info now, sit on it until CRQC capabilities are available, and then decrypt evergreen data (IP and personally identifiable information that has a long lifespan, such as social security numbers, birthdates, etc.).
  • Implement and automate secure key management. After all, cryptographic algorithms won’t do you any good if you don’t properly secure the keys they rely on.
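
The hybrid approach in the list above has a direct cryptographic counterpart: derive the session key from both a classical shared secret and a quantum-safe KEM shared secret, so recorded traffic stays protected unless both are broken. The following is an added example, not code from the original article or from NIST; the two secrets are constructed placeholders standing in for real key-exchange outputs, and the concatenate-then-HKDF combiner and its label are assumptions chosen for illustration.

```python
import hashlib
import hmac

HASH_LEN = hashlib.sha256().digest_size  # 32 bytes

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step: concentrate the input secrets into one PRK."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, hashlib.sha256).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step: stretch the PRK into `length` bytes bound to `info`."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested key material too long")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def _framed(value: bytes) -> bytes:
    # Length prefix so (a, bc) and (ab, c) can never yield the same input.
    return len(value).to_bytes(2, "big") + value

def hybrid_session_key(classical_ss: bytes, pq_ss: bytes, transcript: bytes,
                       length: int = 32) -> bytes:
    """Derive one key from both secrets; an attacker must recover both."""
    if not classical_ss or not pq_ss:
        raise ValueError("both shared secrets are required; no silent downgrade")
    ikm = _framed(classical_ss) + _framed(pq_ss)
    prk = hkdf_extract(b"", ikm)
    # Hypothetical label; binding the transcript ties the key to this exchange.
    return hkdf_expand(prk, b"hybrid-kex-demo-v1" + _framed(transcript), length)

# Constructed sample values standing in for real key-exchange outputs.
CLASSICAL_SS = bytes.fromhex("11" * 32)   # e.g. an ECDH shared secret
PQ_SS = bytes.fromhex("22" * 32)          # e.g. an ML-KEM shared secret
TRANSCRIPT = b"constructed: client share || server share || KEM ciphertext"

if __name__ == "__main__":
    key = hybrid_session_key(CLASSICAL_SS, PQ_SS, TRANSCRIPT)
    print("session key:", key.hex())
    # Knowing only one input (the other replaced) gives an unrelated key.
    print(key != hybrid_session_key(CLASSICAL_SS, b"\x00" * 32, TRANSCRIPT))
```

Refusing to derive a key when either secret is missing is the part that matters operationally: a hybrid deployment that quietly falls back to the classical secret alone gives no protection against harvest now, decrypt later.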

Quantum computers will, inevitably, be a part of our lives in the future. So, while it’s important not to panic, it’s even more important to start planning and making your preparations now.


Casey Crane

Casey Crane is a regular contributor to and managing editor of Hashed Out. She has more than 15 years of experience in journalism and writing, including crime analysis and IT security. Casey also serves as the Content Manager at The SSL Store.