
NIST Releases Post-Quantum Cryptography Algorithms – Industry Reacts

Now that the new standards are finally here, here’s what they will mean for businesses

Berenice Baker, Editor, Enter Quantum

August 13, 2024


The U.S. National Institute of Standards and Technology (NIST) Tuesday published three new standards that replace current encryption methods with post-quantum cryptography (PQC).  

The three standards are:

  • ML-KEM (originally CRYSTALS-Kyber)

  • ML-DSA (originally CRYSTALS-Dilithium)

  • SLH-DSA (originally SPHINCS+)

They aim to protect encrypted data from cyberattacks using next-generation quantum computers. Quantum computers are progressing toward the point when they will be cryptographically relevant, meaning criminals could use them to break the public key encryption currently used to secure important data.

While this may still be some years away, securing data using the new standards is important now as bad actors are stealing encrypted data to decode when they have access to sufficiently powerful quantum computers. This is known as a harvest-now-decrypt-later attack.

In the U.S., the NSA has already mandated that national security systems adopt PQC by 2030. The U.K.’s National Cyber Security Council also strongly recommends implementing the standards.

Other countries are likely to adopt PQC standards based on NIST’s initiative, and adopting them will become a commercial necessity.

The standards have been a long time coming – NIST began its standardization process in 2016. After months of speculation about when NIST would formalize the standards, here’s what industry spokespeople have said about today’s release.


Jay Gambetta, Vice President, IBM Quantum.

IBM’s mission in quantum computing is two-fold: to bring useful quantum computing to the world and to make the world quantum-safe. We are excited about the incredible progress we have made with today’s quantum computers, which are being used across global industries to explore problems as we push towards fully error-corrected systems.

However, we understand these advancements could herald an upheaval in the security of our most sensitive data and systems. NIST’s publication of the world’s first three post-quantum cryptography standards marks a significant step in efforts to build a quantum-safe future alongside quantum computing.

Ali El Kaafarani, CEO and Founder, PQShield

By ratifying and publishing its post-quantum cryptography standards, NIST is triggering the biggest and most significant cybersecurity transition in history.  

In every industry, the cryptography that keeps data, devices, connections and components secure must now be modernized in line with the new standards.

The transition to quantum security will protect critical national infrastructure and will make the entire technology supply chain more secure for decades to come – but modernizing vital security systems and components won’t happen overnight. With the threat of harvest-now-decrypt-later attacks, organizations that haven’t already started planning for post-quantum cryptography are already behind. 


This is an exciting moment for cryptographers like us, who worked to shape the new standards. It’s now our duty and responsibility to get the algorithms into the hands of more organizations, so they can keep us all one step ahead of the attackers.

Duncan Jones, Head of Cybersecurity, Quantinuum

We welcome NIST concluding this vital industry-wide process. Today represents a crucial first step towards protecting all our data against the threat of a future quantum computer that could decrypt traditionally secure communications. Every CISO now has a mandate to urgently adopt these new standards alongside other methods for hardening their cybersecurity systems. We know that data stolen today could be decrypted at any time in the future and sensitive data such as health records or financial data falling into the wrong hands would be damaging. We work with a wide range of enterprise customers and it’s clear that successful CISOs recognize quantum is an ally as well as a threat.

A lot has taken place in the quantum industry since NIST announced the PQC algorithms for standardization in 2022. Quantum hardware developers are achieving systems that are now edging beyond classical simulation, initial real-world benefits are starting to emerge across a variety of applications and governments around the world are increasing their investments to ensure economic and national security. On all fronts – from technology to global policy – advancements are causing experts to predict a faster timeline to reaching fault-tolerant quantum computers. The standardization of NIST’s PQC algorithms is a critical milestone in that timeline.

The NIST standardization marks the start of a new era for CISOs and their security teams, one of planning and implementation. Moving forward, public and private sectors alike must pursue a layered, defined strategy that includes PQC as well as cybersecurity solutions that leverage quantum mechanics, such as proven quantum randomness for encryption key generation. When combined with PQC algorithms, these quantum-derived technologies can help protect against a far fuller range of threats posed by quantum computers.

Dr. Colin Soutar, Global Quantum Cyber Readiness Leader, Deloitte

Quantum computing could be significantly beneficial to society, delivering breakthroughs in drug discovery and financial modeling; however, quantum computing could also undermine numerous existing public-key encryption methods if realized on a large scale.

For many years, Deloitte has been activating the quantum cyber readiness industry, including collaborating with the World Economic Forum to establish a quantum security program in 2021 and hosting a number of discussions with leaders from both government and industry. We need to look at this topic less about speculating exactly when a cryptographically relevant quantum computer will be available and more about what organizations can do to prepare for it.

BT Group

The publication of NIST’s first set of post-quantum cryptography (PQC) standards is a significant milestone for modern cybersecurity. The set of algorithms is a globally leading standard in a new era of protecting communications against cyber-attacks by quantum computers.

Although Quantum Computers are not yet able to break cryptography, organizations need to have a plan for managing the risk. This begins with a risk assessment for each organization. For example, services that provide encryption of data – particularly long-term sensitive data – may be at risk from an adversary who can tap their data today and will gain access to a cryptographically relevant quantum computer in the future. Quantum readiness for these systems is a priority.

The technologies selected to mitigate the risks will involve both PQC and symmetric cryptography and for some scenarios, also Quantum Key Distribution (QKD). We will increasingly see PQC implemented in OTT services, including web browsers and services, and cloud interfaces.

For BT’s own systems, as always, we will manage the threat responsibly, ensuring that updates and changes are tested before deployment in live networks.

Taher Elgamal, “the Father of SSL” and Senior Advisor, SandboxAQ

The NIST PQC standardization marks a critical advancement in securing our digital infrastructure. By adopting these standards, we safeguard sensitive data, ensure privacy and maintain trust in digital communications. This proactive approach not only prepares us for the quantum era but also fortifies our current cybersecurity measures.

Chris Hickman, Chief Security Officer, Keyfactor

Security leaders are well aware of the threats to come with quantum computing. With each day we get closer to a quantum computer that could break current encryption methods that every business relies on. Encryption protects everything from banking and retail transactions to valuable business data and does not discriminate. All businesses, from global organizations to small mom-and-pop shops, are at significant risk. 

With the finalization of the first suite of NIST cryptographic algorithms, organizations now have the tools to safeguard against the quantum threat. While Q-day may seem years away, security leaders need to keep in mind that AI capabilities increase the need to transition to PQC algorithms. Attackers will leverage the speed of AI to get that much closer to breaking encryption and, in many cases, steal valuable and sensitive data now to decrypt in the future, including personal information, trade secrets and national security information - wreaking havoc on the long-term security of and trust in the entities that we rely on for our digital world to operate. The confluence of these two events means the world is now racing against an unknown timeline and opponent to secure – or break – encryption.

The finalization of NIST’s three of four algorithms marks the starting line in the race to secure against the threat of quantum computers for many - and the preservation of digital trust is on the line. Now, more than ever, it will be vitally important for organizations of all sizes to adequately plan and test for the adoption of these new algorithms, which includes conducting security assessments to verify how prepared their supply chains are to ensure a smooth transition over the coming years.

Ekaterina Almasque, General Partner, OpenOcean

Europe must take the lead in post-quantum cryptography (PQC) standards, not just ride on the U.S.’s coattails. That requires strategic thinking. As NIST releases its first set of federal PQC standards, the U.S. is executing a clearly defined strategy. It has already communicated to companies working on sensitive projects for the U.S. government that they may soon be required to use quantum encryption algorithms and it is now giving them the tools to do so. If Europe and the U.K. want to direct their own quantum funding efficiently and build public confidence in PQC, they need a clear and well-communicated strategy that reaches startups, the public sector and other key stakeholders.

A unified approach and joint investment in standardization is crucial because, as the saying goes, each chain is only as strong as its weakest link. While Europe and the EU’s diversity is a strength, it could easily become a vulnerability if we don’t introduce a cohesive quantum strategy that ensures all member states are aligned in their quantum defenses.

Right now, European quantum startups are burdened with navigating separate dialogues with each national government to secure subsidies and compliance. A more unified approach across the continent would streamline these efforts, allowing startups to focus on what they do best: driving innovation.

Jon France, CISO, ISC2

We welcome the announcement and the official release of crypto suites that are quantum resilient, especially as they come from more than one family of math—lattices and hashes. Not only does this allow best use case selection but also diversifies the base of the cryptographic suite which in itself may prove useful for protection.

Two of the three standards are based on a family of math problems called structured lattices and one is based on hash patterns. They’re hedging their bets that if lattice-based algorithms prove to be weak or inefficient, they’re going to need others that are efficient. So, the focus on quantum-resistant algorithms is strong in the research community and I anticipate we’ll see more of that activity and search for improved algorithms from NIST, ETSI and others.

Within the next five to 10 years, quantum technology will likely become commercially available, making it a very real threat to past and outdated encryption algorithms, many of which are used to protect the nation's top secrets. Building cyber resilience in preparation for quantum technology should have been an effort started a decade ago but now is the second best time. We'll see both the private and public sector's increased awareness around the challenges associated with quantum resilience and we'll see efforts begin to take hold more significantly to prepare for quantum computing.

Much of the encryption infrastructure in communication networks that keeps information safe now is deeply embedded, i.e., certificates, and will take years to transition to quantum resilient algorithms, posing a timeline issue for changeover before the general availability of quantum computing. In the meantime, we must begin producing quantum-resilient and safe algorithms while also testing them regularly for safety. We have entered the arms race with quantum and both developers and consumers must know what quantum may mean for product lines and business.

Royal Hansen, vice president privacy, safety and security engineering, Google, and Phil Venables, chief information security officer, Google Cloud

Migrating to new cryptographic algorithms is often a slow process, even when weaknesses affect widely-used cryptosystems, because of organizational and logistical challenges in fully completing the transition to new technologies. For example, NIST deprecated SHA-1 hashing algorithms in 2011 and recommends a complete phase-out by 2030.

That’s why it's crucial to take steps now to improve organizational preparedness, independent of PQC, to make your transition to PQC easier.

These crypto agility best practices can be enacted anytime:

  • Cryptographic inventory: Understanding where and how organizations are using cryptography includes knowing what cryptographic algorithms are in use and, critically, managing key material safely and securely.

  • Key rotation: Any new cryptographic system will require the ability to generate new keys and move them to production without causing outages. Just like testing recovery from backups, regularly testing key rotation should be part of any good resilience plan.

  • Abstraction layers: You can use a tool like Tink, Google's multi-language, cross-platform open-source library, designed to make it easy for non-specialists to use cryptography safely and to switch between cryptographic algorithms without extensive code refactoring.

  • End-to-end testing: PQC algorithms have different properties. Notably, public keys, ciphertexts and signatures are significantly larger. Ensure that all layers of the stack function as expected.

Extract from a Google blog post.

Karl Holmqvist, founder and CEO, Lastwall

We have been warned by the heads of the NSA, the FBI and even the White House that active nation-state attacks are stealing currently encrypted data and that we need to switch to PQC algorithms. This announcement by NIST is fantastic and a positive progression for defense against a significant threat.

In the last few years, the landscape of quantum computation has dramatically changed. The potential for a cryptographic class break is much more real than most people realize. Thirty years ago, in 1994, Peter Shor demonstrated that we would need approximately 4,100 qubits to factor 2048-bit RSA, which is the most broadly deployed asymmetric encryption algorithm. At that time, we had no quantum computers available and people questioned if we would ever develop a functional quantum computer.

Over 20 years ago, in 2001, IBM researchers used an early, extremely limited quantum computer, called a liquid-state nuclear magnetic resonance quantum computer, to show that Shor's algorithm could run in reality. However, quantum computers were small and factoring 15 was not particularly impressive. Five years ago, KTH and Google researchers demonstrated that while we would need over 3,500 qubits to make each stable logical qubit, a 20-million-qubit system would crack 2048-bit RSA in less than eight hours.

Time is not on our side to change to quantum-resistant ciphers. We need to address this now – it’s time to get to work and eliminate outdated cryptography.

Andersen Cheng, chair, Post-Quantum

The speed at which NIST has these Federal Information Processing Standards (FIPS) compliant versions is truly commendable and an important milestone. It means we are now moving from math to engineering and implementation, which is still a complex endeavor but one where organizations like IETF and the National Cybersecurity Center of Excellence now play an integral role. We’ve already seen Google and Cloudflare adopt some of the draft proposals, but it will now be down to IETF to include support for the Kyber family in protocols such as Transport Layer Security (TLS) if the whole of the public Internet is to become quantum-safe.

Daniel Shiu, chief cryptographer, Arqit

We congratulate NIST on the long-awaited publication of standards for the first post-quantum algorithms offering protection against the imminent threat of quantum computing. However, while an important milestone, these algorithms are only a part of the solution and are years away from widespread adoption. Organizations must not be complacent and look for holistic solutions that can be implemented today.

Tim Callan, Chief Experience Officer, Sectigo

Transitioning to quantum-resistant cryptography will become a mainstream boardroom discussion. No longer a buzzword or a topic to be tabled, becoming crypto-agile to prepare for post-quantum encryption will be a key focus for the C-suite this year.

This shift has massively been supported by NIST’s development of quantum-resistant encryption and its impactful educational campaign on quantum's threat to decryption. They have now transformed a once theoretical discussion about decryption into a mainstream business focus.

Samantha Mabey, director of digital security solutions, Entrust

As we approach the milestone of NIST's finalization of three quantum-resistant security algorithms, it becomes increasingly crucial for organizations to prepare for the quantum computing era.

The shift to post-quantum cryptography (PQC) is more than a technical update, it's a vital step in protecting sensitive information and promises to be more complex and time-consuming than anything we’ve seen before. Additionally, with harvest-now-decrypt-later attacks, the post-quantum era has effectively arrived.

To prepare effectively, organizations need to quickly develop a comprehensive cryptographic agility strategy. This means identifying where their most sensitive data is stored, understanding the current cryptographic protections in place and ensuring they can switch to quantum-resistant algorithms without major disruptions.

However, recent research highlighted a concerning gap in readiness with 27% of organizations yet to consider the post-quantum threat and 23% aware but yet to start planning. This is worrying, as experts predict that quantum computers could break current cryptographic systems as early as 2027. Even now, the threat is real; attackers are already trying to steal data, hoping they can decrypt it later when quantum technology becomes available.

Ultimately, the release of NIST's recommended PQC algorithms is a positive development. However, organizations can only reap the benefits and protect against future quantum threats by readying their security infrastructure for the transition now.

Tim Hollebeek, industry and standards technical strategist, DigiCert

After working with the world’s best cryptographers for nearly 10 years, the National Institute of Standards and Technology (NIST) announced three new standards (FIPS 203, 204, and 205) that describe three new encryption algorithms designed to protect against the threat of quantum computers. 

Today’s quantum computers are small and experimental, but they are rapidly becoming more capable and it is only a matter of time before cryptographically-relevant quantum computers (CRQCs) arrive.  These are quantum computers that are powerful enough to break the asymmetric cryptography used to protect communications and devices on the internet, and they could arrive in as little as five to 10 years. 

The good news is that the problem can be solved by switching to new hard math problems that are not vulnerable to quantum computers and the new NIST standards describe in precise detail exactly how to use these new hard math problems to protect internet traffic in the future.  Leading internet security companies, including DigiCert, have already implemented these algorithms, and are preparing to deploy them at scale to make sure the internet remains secure during this important transition.
