NIST’s 3 PQC Standards Are Out — Where Do We Go From Here?
The world’s first quantum-resistant cryptographic standards have been published. Is it “go time” to launch public PQC on the web? Not yet — here’s where we stand and what the road ahead looks like
This week, the National Institute of Standards and Technology (NIST) published three long-awaited post-quantum cryptographic standards. These Federal Information Processing Standards (FIPS) will eventually replace many of the modern (i.e., “classical”) public key cryptographic algorithms we depend on today, including RSA.
Cryptographically relevant quantum computers (CRQCs) are poised to decimate modern public key cryptography. They’ll quickly compute problems that would take modern supercomputers many human lifetimes to figure out. And if we don’t have quantum-resistant algorithms in place to augment and (eventually) replace modern algorithms, then the sensitive data and secrets we hold dear will be at risk of compromise.
Let’s hash it out.
A Quick Overview of the 3 Standards (ML-KEM, ML-DSA, and SLH-DSA)
NIST selected these three standards after winnowing down a list of more than 80 PQC algorithm submissions. Without getting too mired in the details, these standards are designed to serve two main purposes in digital security:
- Encrypting and decrypting information in public channels to protect its confidentiality.
- Digitally signing data to ensure its authenticity and integrity (i.e., verify its legitimacy and detect unauthorized modifications).
Unlike classical public key cryptography, whose security rests on integer factorization or discrete logarithm problems (think RSA), these PQC algorithms rely on alternative math problems that are believed to be hard for classical computers and CRQCs alike to solve.
Let’s explore each of the three recently released standards and their uses.
- FIPS 203 — Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM). The ML-KEM standard is a key-encapsulation mechanism that’s based on a version of the CRYSTALS-KYBER PQC algorithm. In short, it’s a key establishment scheme that securely delivers a shared secret key over an insecure channel. The two parties can then use this shared secret key to exchange data over public channels using secure, encrypted connections.
- FIPS 204 — Module-Lattice-Based Digital Signature Algorithm (ML-DSA). ML-DSA, formerly known as CRYSTALS-DILITHIUM, is another lattice-based standard. It’s intended to serve as the de-facto PQC digital signature generation and verification protocol for emails, software, hardware, financial transactions, and other applications that require digital identity and integrity assurance.
- FIPS 205 — Stateless Hash-Based Digital Signature Algorithm (SLH-DSA). SLH-DSA is another digital signature algorithm. However, this one is built upon the SPHINCS+ algorithm and is intended to serve as a backup to the primary ML-DSA standard.
Where We Stand Now Regarding Quantum-Resistant Cryptography
Organizations can implement and manage hybrid PQC certificates within their private PKIs. This means using combinations of classical and PQC algorithms to protect internal sites, emails, software, and devices against harvest now, decrypt later (HNDL) attacks and other threats. An attacker would have to break both types of algorithms (i.e., classical and quantum resistant) to be able to decipher the data.
Why bother doing this now if CRQCs are still years away? Because PQC integration isn’t instantaneous. It can take years to fully integrate new algorithms into a company’s products and information systems, some of which might have lifespans that are one to two decades. (Think of devices in healthcare, aerospace, critical infrastructure, and other key sectors.)
This means everything you put into your products now will likely be outdated by the time it’s deployed.
Dustin Moody, a mathematician who heads up NIST’s PQC Standardization Project, says organizations don’t have to wait for new standards to be created in order to prepare now:
“Go ahead and start using these three. We need to be prepared in case of an attack that defeats the algorithms in these three standards, and we will continue working on backup plans to keep our data safe. But for most applications, these new standards are the main event.” — Dustin Moody, NIST Mathematician
A Look at What’s Next
The Standards Draft for FALCON (FN-DSA) Is Still to Come
FN-DSA, short for the Fast-Fourier Transform (FFT) over NTRU-Lattice-Based Digital Signature Algorithm, is a fourth algorithm that NIST is still working on. It’s a “hash-then-sign” signature scheme that relies on an NTRU lattice-based cryptosystem.
The plan is to release a draft of this algorithm standard (published as FIPS 206) before the end of the year.
Public PQC Is Still a Waiting Game… For Now
Although the Q-Day clock is ticking down, we’re still miles away from implementing public PQC on the internet and public networks. This is largely because there are many pieces that have to be in place before PQC digital certificates for public use cases (i.e., websites, emails, and software applications) will be fully ready to make their debuts.
So, while we can still utilize hybrid PQC algorithms for private (internal) use cases, there are still things that must be done before we can “flip the switch” on public PQC.
But wait — you may be thinking that Cloudflare and Google already support a PQC hybrid algorithm (X25519Kyber768). And you’d be correct, but that’s used in a limited capacity. There are multiple processes that must be completed before PQC certificates can be issued for public-facing websites, emails, and software signing use cases. For example, here’s a basic overview of the flow of processes for public PQC SSL/TLS certificates:
Embracing private PQC is all well and good. But what can your business do to start preparing for the inevitable use of PQC for public websites (public PQC)? After all, while public PQC standards aren’t yet available for implementation, it doesn’t mean that we can sit back on our haunches, doing nothing.
You Need to Plan Your Steps and Start Implementing Them
Implement your private PQC initiatives now and start planning for your public PQC migration while you’re at it. Here are a few ways to get started:
- Inventory your cryptographic assets. Tally up which devices, services, websites, web apps, and other systems use encryption, digital signatures, and other cryptographic processes.
- Prioritize what must be transitioned first. If you have assets that will be deployed for multiple years at a time, or you have websites that collect sensitive customer information, then you’ll want to start with those.
- Figure out the budget situation. Don’t wait until quantum computers are already here to determine how much of the pie should be allocated to PQC transition efforts. And don’t be stingy, either — dedicate enough powder to support these crucial initiatives.
- Identify who will lead your PQC initiatives. Figure out who is doing what ahead of time. Centralize your efforts — either have one department spearhead the initiative or have stakeholders from multiple departments make decisions together as a committee. These approaches help you avoid everyone acting independently, which can leave gaps in your defenses.
- Roll out hybrid PQC algorithms when and where you can. Aside from implementing the hybrid mechanism X25519Kyber768 via Google and Cloudflare, we recognize that this is largely a private PKI play for now. Shifting to hybrid PQC reduces the chances of your existing data being stolen and stored for HNDL attacks down the road.
- Automate your PKI lifecycle. All of your PQC efforts won’t be of much use if your cryptographic keys are insecurely stored and you’re not keeping track of your certificates’ expiration dates.
- Stay informed about industry updates and PKI requirements. The tide is shifting little by little. Stay informed about the latest updates with Hashed Out to understand what you need to know about these changing requirements as we get closer to Q-Day. (Yeah, sorry, couldn’t resist a little marketing plug.)
Want to Learn More About PQC Readiness?
Sign up for DigiCert’s inaugural World Quantum Readiness Day event, which will take place Thursday, Sept. 26. The promotion for this virtual event shows it will feature many distinguished industry speakers:
- Dr. Peter Shor, Professor of Applied Mathematics at Massachusetts Institute of Technology (MIT) and author of Shor’s Algorithm
- Dr. Taher Elgamal, cryptographer (also known as the “Father of SSL”) and Partner at Evolution Equity Partners
- Bob Sutor, Quantum Technologist, and Vice President and Practice Lead at the Futurum Group
- Reza Nejabati, Head of Quantum Research at Cisco
- Arfan Sabar, EMEA Cyber Security Services Encryption and Quantum-Safe Services Leader at IBM
- Jim Goodman, cryptography expert, and Co-Founder and Chief Technology Officer (CTO) at Crypto4A
- Dr. Marc Manzano, cryptography expert and General Manager at SandboxAQ
- Tom Patterson, Managing Director for Emerging Technology Security at Accenture
- Colin Soutar, Global Quantum Cyber Readiness Leader at Deloitte
- Andy Regenscheid, Cryptographic Technology Group Chief at NIST Computer Security Division