The National Institute of Standards and Technology (NIST) on Tuesday released the final version of the first three cryptographic standards based on algorithms that are considered resistant to attacks from quantum computers powerful enough to decrypt data secured with the current Advanced Encryption Standard (AES).

The culmination of a process that started in 2015, NIST Publication of the new Federal Information Processing Standards (FIPS) algorithms provides the foundation for CISOs and software, hardware, and services vendors to initiate or further develop their post-quantum cryptography (PQC) recovery strategies.

According to security experts, the release of the first PQC standards is the first major milestone for cryptography in more than two decades since the introduction of the Advanced Encryption Standard (AES) in 2001 to replace the Data Encryption Standard (DES). In modern communications using public-key infrastructure (PKI), standard AES and RSA encryption are often used together.

The implementation of the new standards-based PQC encryption algorithms promises to address long-held predictions that quantum computers will eventually emerge powerful enough to crack standard AES and RSA-2048 encryption using what is commonly known as Shor’s algorithmBased on the developments, experts believe that the first cryptographically relevant quantum computer (CRQC) could potentially do this within the next decade.

“This is a historic moment and the beginning of a new era in digital security,” Matthew Scholl, head of NIST’s computer security division, said in a short video announcing the publication of the standards.

Of the initial 82 candidates, NIST selected four algorithms for 2022: CRYSTAL-KyberCRYSTALS-Dilithium, Sphincs+ and FALCON. Last year, NIST released the first three standards in draft form, and it was said that FALCON would be released as a draft standard later this year.

Now that they are published standards, NIST has given them official FIPS designations:

According to NIST, the draft standard for the FALCON algorithm, when it publishes it, will be called FN-DSA (FFT-fast-Fourier transform over NTRU-Lattice-Based Digital Signature Algorithm), FIPS 206. In addition, NIST is evaluating a number of other candidates that could complement existing standards or serve as backups for new standards.

The ringing of the starting bell

“This is really a long-awaited announcement around the world, not just in the U.S.,” said Tom Patterson, former co-chair of the White House Cyber ​​Moonshot task force who advises PQC and is now managing director of emerging technology security at Accenture. “It’s going to be the opening bell for a lot of organizations around the world to really take this threat seriously and start working on it.”

Patterson adds that CISOs have long recognized that quantum computers will one day be powerful enough to crack RSA encryption. Despite the release of draft standards in 2023 and advice to Accenture clients to implement them, most have stayed on the sidelines awaiting official release.

“They’ve said, ‘Look, if NIST has a go-to algorithm and a new standard, we’re going to work on this,’” Patterson says. “So we think this is the go-to for a lot of companies around the world.”

The bell has already rung for the federal government. Following executive orders from the last three administrations, President Biden signed the Quantum Computing Cybersecurity Act in 2023, a law encouraging the migration of government information systems to migrate all federal systems to quantum-resistant cryptography.

In July, the White House filed its Post-quantum cryptography report to the Senate Committee on Homeland Security and Governmental Affairs and the House Committee on Oversight and Accountability. According to the report, the U.S. Office of National Cyber ​​​​Director (ONCD) estimates that migrating government systems between 2025 and 2035 will cost an estimated $7.1 billion.

Industries That Will Follow This Lead

While the federal government is poised to be among the first to do so, experts believe several industries are following closely behind. The most notable are healthcare providers and insurers, which store sensitive patient information that can go back decades or more, and financial services providers, including banks.

Scott Crowder, vice president of quantum acceptance and business development at IBM, says, like Accenture’s Patterson, that so far the extent to which officials, both inside and outside of government, are taking the need to address PQC seriously has been mixed.

“I think this is another signal to the market that you need to start thinking about this,” Crowder said. “It also allows people who have interoperability challenges to actually start doing things, which I think is a big deal.”

Crowder says it often takes longer than they expect based on IBM’s work with clients who have moved to address this. “Even for people who think they have it under control, there’s more weeds or whatever in the background that they have to find and fix than they think,” he says. “So I think that probably takes years.”

Entrust director of digital security solutions Samantha Mabey agrees. “We know it’s going to take years, and it’s going to require all hands on deck, and it’s going to require active management,” Mabey says.

Mabey recommends that organizations first appoint a leader to oversee the transition, set priorities, and create a plan for inventorying data and all cryptographic systems, including how keys and certificates are managed. “It’s going to take a lot of time to ensure that your crypto agility maturity is at the right level to enable this transition,” she says.

Phased approach, starting with hybrid

Like many in the industry, content delivery network (CDN) provider Akamai is taking a phased approach to implementing the standards. Akamai engineers are testing PQC modules for each step in the data flow, starting with Akamai to the customer’s origin site. Quantum-resistant hybrid key exchange for data in transit between Akamai and customer origin sites is expected to be available in the second half of 2024.

“We’re doing hybrid key exchange because these post-quantum algorithms are really new,” says Akamai principal architect Rich Salz. “They haven’t had the years of bait time and people trying to crack them. “If we do a hybrid for key exchange, then if one fails, at least we have the other one, and it’s still good.”

Akamai plans to support PQC-enabled transport from browser-based clients to its CDN in early 2025, and offer end-to-end PQC hardening later that year.

PQC Standards in Web Browsers

Salz expects that all major browsers will have implemented the necessary PQC standard algorithms by then. In particular, Google, which has revealed its PQC research in 2016, announced in May that the implemented the draft specification of ML-KEM in Chrome 124, enabled by default for TLS 1.3 and QUIC on desktop.

In a message on tuesdayGoogle announced that ML-KEM has also been enabled on Google servers, noting, “Connections between Chrome Desktop and Google products, such as Cloud Console or Gmail, are already experimentally protected with post-quantum key exchange.”

Akamai’s Salz says it’s important for Google and all the major browser providers to roll out quantum-resistant support for their respective browsers. “But the smart customers know that’s only half the problem,” he says. “You still have to get the rest of the communication path — the middleman or the CDN to the origin — covered.”