
Cyber Agencies and NIST Drive Post-Quantum Cryptography Standards to Secure Against Quantum Threats

Three key U.S. national cyber agencies have jointly issued a call-to-action for organizations to prepare for the transition to post-quantum cryptography (PQC) standards. In conjunction with this, the National Institute of Standards and Technology (NIST) has unveiled three draft PQC standards as part of its ongoing efforts to address the growing development of quantum computers and the associated risks to conventional encryption.

NIST, recognizing the steady advancements in quantum computing, warns that widely used public-key cryptosystems could be compromised in the face of large-scale quantum computers. To mitigate these risks, NIST initiated a public selection process in 2016 to identify quantum-resistant cryptographic algorithms for standardization. Following rigorous evaluation, 26 out of 82 initial submissions were shortlisted for further consideration.

In the summer of 2022, NIST announced the selection of four schemes for standardization: CRYSTALS-KYBER for encryption, and CRYSTALS-Dilithium, FALCON, and SPHINCS+ for digital signatures. These selections are now the basis for three draft PQC standards under public review: ML-KEM, ML-DSA, and SLH-DSA.

The move toward PQC standards is considered a pivotal moment by experts in the quantum computing field, as these standards are expected to set the global benchmark for quantum-resistant security measures.

To support quantum readiness, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and NIST jointly released an informative factsheet titled "Quantum-Readiness: Migration to Post-Quantum Cryptography." This resource aims to educate organizations, particularly those involved in critical infrastructure, about the risks associated with quantum capabilities and the importance of early planning for PQC migration.

In line with these efforts, U.S. President Joe Biden enacted the Quantum Computing Cybersecurity Preparedness Act earlier this year, highlighting the need for federal agencies to bolster their cybersecurity defenses against potential quantum-driven attacks.

Experts emphasize that now is the time for governments and businesses to take proactive steps toward quantum readiness by establishing comprehensive migration plans and engaging with technology vendors to navigate the transition to PQC.

Greg Wetmore, VP of Software Development, Entrust, said:

“Leaders can no longer put off the work that is required to actively prepare for the migration to post-quantum cryptography (PQC). CISA and NIST have also jointly provided some excellent guidelines that serve as the starting whistle for teams to begin the race to quantum-safe solutions.

NIST’s release of draft standards provides the secure, open and interoperable cryptographic guidelines that will allow organizations to protect their data from the quantum threat. Quantum computing is rapidly advancing and while it may seem far away, security teams have a limited timeline to prepare in order to mitigate against potential attacks. Any encrypted sensitive information and data a company possesses will be at risk within the decade, and it will take significant time and effort for organizations to develop and execute their PQC strategies.

When it comes to PQC preparation, companies should begin by establishing a group responsible for managing this transition, identify the cryptographic assets (keys and certificates) across their organization, prioritize protecting the highest value data, test and prototype PQC-ready solutions in their labs, and finally deploy quantum-safe security solutions into production. These NIST PQC standards are an important next step that will push all organizations, public and private, to move ahead with PQC preparations today, which will secure data and minimize the damage to the organization from a critical future threat.”

As quantum computing continues to evolve, collaboration between public and private sectors is essential to ensure the security of critical information and systems in the era of quantum computing.


