The News: On August 24, the National Institute of Standards and Technology (NIST) published the first draft of its standards for post-quantum cryptography. The draft standards follow last year’s selection of four algorithms on which NIST would base its standards for encryption designed to withstand quantum computing-fueled cyberattacks. Three new algorithms are slated to be ready for use in 2024, with others planned to follow. NIST is requesting community feedback on the draft standards until Nov. 22, 2023. Additional detail is available on NIST’s website.
NIST Releases First Draft Standards for Post-Quantum Cryptography
Analyst Take: Quantum computers are approaching reality – possibly as soon as the next 5 or 10 years – and they represent arguably the most serious emerging threat to data security. Current public-key encryption methods are based on mathematical problems that are difficult for classical computers to solve, but quantum computers could crack these problems – in some instances even as quickly as in a fraction of a second. This portends risk to sensitive data ranging from financial transactions to medical records to government secrets, all of which currently rely on encryption as an important means of protection from cyberattacks. Against this backdrop, quantum-safe encryption methodologies will become necessary for cyber-resiliency.
For its part, NIST is driving standards for encryption algorithms that will be powerful enough to avoid being cracked by quantum computers. In addition to vetting algorithm candidates, NIST will provide technical documentation designed to help organizations implement the algorithms in their infrastructure. This ongoing development is important as the reality of quantum computing nears, because it will take years for some organizations to update their infrastructure with the new algorithms.
NIST has been working on quantum-safe algorithms for the better part of a decade. It launched its Post-Quantum Cryptography Standardization Project and called for submissions of algorithms in 2016. The 69 eligible algorithms that were submitted from countries across the world were then opened up for vetting, including allowing expert cryptographers to try to crack them. After approximately five years of evaluation, in 2022 NIST selected four algorithms for standardization. It is worth noting that IBM, a leading player in the development of quantum computers, contributed to the development of three of the four algorithms that ended up being chosen.
NIST has now released draft standards for three of those algorithms: CRYSTALS-Kyber, for general-purpose encryption, and CRYSTALS-Dilithium and SPHINCS+, both of which are designed for digital signatures. Draft standards for the fourth algorithm, FALCON, which is also designed for digital signatures, are expected to be released in 2024. NIST has also already selected a second set of algorithms designed for general encryption for evaluation. This second set is intended to augment the first, core set of algorithms in the event that a weakness emerges.
The Futurum Group will be watching the development of the algorithms and standards, as well as how attackers respond. U.S. President Joe Biden signed the Quantum Computing Cybersecurity Preparedness Act into law, and the National Security Agency (NSA) issued an order mandating that government agencies ensure all their systems are migrated to the NIST-selected quantum-resistant algorithms by 2035; both occurred in the late fall and early winter of last year. Following these developments, it is clear that organizations ranging from large public sector organizations to small-to-midsized businesses will need to be prepared.
Disclosure: The Futurum Group is a research and advisory firm that engages or has engaged in research, analysis, and advisory services with many technology companies, including those mentioned in this article. The author does not hold any equity positions with any company mentioned in this article.
Analysis and opinions expressed herein are specific to the analyst individually and data and other information that might have been provided for validation, not those of The Futurum Group as a whole.
Author Information
With a focus on data security, protection, and management, Krista has a particular focus on how these strategies play out in multi-cloud environments. She brings approximately 15 years of experience providing research and advisory services and creating thought leadership content. Her vantage point spans technology and vendor portfolio developments; customer buying behavior trends; and vendor ecosystems, go-to-market positioning, and business models. Her work has appeared in major publications including eWeek, TechTarget and The Register.
Prior to joining The Futurum Group, Krista led the data protection practice for Evaluator Group and the data center practice of analyst firm Technology Business Research. She also created articles, product analyses, and blogs on all things storage and data protection and management for analyst firm Storage Switzerland and led market intelligence initiatives for media company TechTarget.