The release of the first three cryptographic standards by the National Institute of Standards and Technology (NIST) marks a significant milestone in the world of digital security. These standards are designed to combat potential attacks from quantum computers capable of decrypting data protected by the current Advanced Encryption Standard (AES). This release, which culminates a process initiated in 2015, sets the stage for organizations to implement post-quantum cryptography (PQC) strategies to enhance their security posture.
The security community views the publication of these standards as a historic moment comparable to the adoption of the AES in 2001. With quantum computers becoming increasingly powerful, the need for robust encryption algorithms that can withstand potential attacks is more crucial than ever. Experts predict that the first cryptographically relevant quantum computer (CRQC) could emerge within the next decade, underscoring the urgency of implementing the new PQC standards.
Among the initial set of 82 candidates, NIST selected four algorithms in 2022: CRYSTALS-Kyber, CRYSTALS-Dilithium, Sphincs+, and FALCON. These algorithms have now been officially designated as FIPS 203, FIPS 204, and FIPS 205, respectively. The draft standard for the FALCON algorithm is expected to be released as FN-DSA (FFT-fast-Fourier transform over NTRU-Lattice-Based Digital Signature Algorithm), FIPS 206. Additionally, NIST is evaluating other candidates to complement existing standards or serve as backups.
The announcement of these standards has been eagerly awaited worldwide, prompting organizations to take the quantum computing threat more seriously. CISOs have long recognized the potential vulnerabilities posed by quantum computers to existing encryption mechanisms like RSA. The enactment of the Quantum Computing Cyber Security Act in 2023 underscores the government’s commitment to migrating all federal systems to quantum-resistant cryptography.
Industries such as healthcare, insurance, and financial services are expected to follow suit in adopting these new standards. While the transition to post-quantum cryptography will be a multi-year process requiring meticulous planning and execution, organizations are advised to appoint dedicated personnel to oversee the transition, conduct data inventories, and ensure crypto-agility maturity to facilitate a smooth transition.
Companies like Akamai are taking a phased approach to implementing the new standards, introducing quantum-resistant hybrid key exchange to enhance data security. Major browser providers like Google are already incorporating PQC standards into their products to ensure end-to-end protection for users. As the digital landscape evolves, ensuring the security of communications and data transfers in the post-quantum era remains a top priority for organizations across various industries.