On August 24, the National Institute of Standards and Technology (NIST) released drafts of three post-quantum cryptographic (PQC) standards and has made a Request For Comments on these drafts to the cryptographic community.
The standards for these three drafts are scheduled to be finalized early next year. The following timeline shows how this relates to other milestones and algorithms in NIST’s PQC standardization project.
The PQC algorithms that NIST is standardizing satisfy different use cases and properties. Some PQC algorithms are used to establish a shared secret key, while others are digital signature algorithms used to authenticate entities. Some PQC algorithms are general-purpose, all-round good algorithms, while others will only be applied to specific scenarios. Different algorithms come from different mathematical areas and have different security hypotheses. Below, we give some main properties of the PQC being standardized:
Module-Lattice-Based Key-Encapsulation Mechanism Standard (ML-KEM) – FIPS 203
Module-Lattice-Based Digital Signature Standard (ML-DSA) – FIPS 204
Stateless Hash-Based Digital Signature Standard (SLH-DSA) – FIPS 205
FALCON (No Draft Standard Released Yet)
Now that NIST has released the drafts of these algorithms, it is time to begin the process of migrating to PQC. As Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA), explains, “It is imperative for all organizations, especially critical infrastructure, to begin preparing now for migration to post-quantum cryptography.”
Discovery
On August 21, CISA, NSA, and NIST published a factsheet discussing the importance of preparing a cryptographic inventory and developing a quantum readiness roadmap with technology vendors.
The unfortunate reality is that most large organizations are unaware of the cryptography that they utilize. To complete a cryptographic migration, it is necessary first to perform an inventory of the organization’s current cryptographic assets. This can be done using a cryptographic discovery tool like InfoSec Global’s AgileSec™ Analytics software.
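As an added illustration of what a cryptographic inventory starts from (example code written for this page, not InfoSec Global's AgileSec Analytics or any other product), the following scanner walks a constructed set of configuration and source lines, records every algorithm reference it recognizes, and sorts each finding into the category that matters for PQC planning: public-key algorithms that a quantum computer would break and therefore need replacing, versus symmetric ciphers and hashes. File names, their contents and the pattern table are all constructed assumptions; a real discovery tool also has to look at binaries, certificates and live TLS/SSH handshakes, which this text scan does not.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Risk categories used in the inventory (assumed labels for this example).
ASYMMETRIC = "asymmetric (quantum-vulnerable)"   # Shor's algorithm breaks RSA/ECC/DH
SYMMETRIC = "symmetric"                          # not replaced, but key sizes reviewed
HASH = "hash"                                    # not replaced, but output sizes reviewed

# Constructed sample inputs: lines as they might appear in real files.
SAMPLE_FILES = {
    "server.conf": [
        "ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305;",
        "ssl_ecdh_curve prime256v1;",
    ],
    "keygen.py": [
        "key = rsa.generate_private_key(public_exponent=65537, key_size=2048)",
        "digest = hashlib.sha256(data).digest()",
    ],
    "sshd_config": [
        "HostKeyAlgorithms ssh-ed25519,rsa-sha2-512",
    ],
}

# Pattern table: (regex, algorithm family, category). Case-insensitive so that
# config identifiers like "rsa" and "ECDHE-RSA" are both caught.
PATTERNS = [
    (re.compile(r"\bRSA\b", re.I), "RSA", ASYMMETRIC),
    (re.compile(r"\bECDSA\b", re.I), "ECDSA", ASYMMETRIC),
    (re.compile(r"\bECDHE?\b", re.I), "ECDH", ASYMMETRIC),
    (re.compile(r"\b(?:prime256v1|secp\d+[rk]1|X25519)\b", re.I), "ECDH-curve", ASYMMETRIC),
    (re.compile(r"\b(?:ssh-)?ed25519\b", re.I), "Ed25519", ASYMMETRIC),
    (re.compile(r"\bAES(?:-?\d{3})?\b", re.I), "AES", SYMMETRIC),
    (re.compile(r"\bCHACHA20\b", re.I), "ChaCha20", SYMMETRIC),
    (re.compile(r"\bSHA-?2?-?(?:256|384|512)\b", re.I), "SHA-2", HASH),
]


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    algorithm: str
    category: str


def inventory(files: dict[str, list[str]]) -> list[Finding]:
    """Return one Finding per (file, line, algorithm family) that matches a pattern."""
    findings = []
    for name, lines in files.items():
        for lineno, text in enumerate(lines, start=1):
            for pattern, algorithm, category in PATTERNS:
                # One finding per algorithm family per line, even if it appears twice
                # (e.g. ECDHE listed in several cipher suites on one line).
                if pattern.search(text):
                    findings.append(Finding(name, lineno, algorithm, category))
    return findings


def summarize(findings: list[Finding]) -> dict:
    """Counts per risk category plus the distinct public-key algorithms to migrate."""
    counts = Counter(f.category for f in findings)
    to_replace = sorted({f.algorithm for f in findings if f.category == ASYMMETRIC})
    return {"counts": dict(counts), "to_replace": to_replace}


if __name__ == "__main__":
    found = inventory(SAMPLE_FILES)
    for f in found:
        print(f"{f.file}:{f.line}: {f.algorithm:<11} {f.category}")
    print(summarize(found))
```

The output of `summarize` is the starting point for a migration roadmap: every entry in `to_replace` is a place where an ML-KEM or ML-DSA/SLH-DSA replacement (or a hybrid) will eventually have to land, while the symmetric and hash findings are reviewed for key and output sizes rather than replaced.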
Experimentation/Crypto-Agility
While minor changes may exist between these drafts and the final standards, the key sizes, signature sizes, and timings will remain very similar. This is the ideal time to experiment with implementations of the draft standard to iron out details and avoid difficulties during the migration process. More generally, building crypto-agility into products and systems is essential to reduce the amount of work needed in a cryptographic migration.
Crypto-agility is a modern concept that addresses an age-old problem. When the first cryptographic algorithms were designed, it was assumed that they would remain secure. However, over the decades, we have discovered the hard way that cryptographic algorithms need to be replaced from time to time. Crypto-agility should be built in at the application level to reduce the work required during a cryptographic migration. This can be done by using InfoSec Global’s Cryptographic Agility Management Platform.
The final standards for these four PQC algorithms are scheduled to be released in early 2024. However, now is the ideal time to prepare for the upcoming cryptographic migration by discovering your cryptographic artifacts, experimenting with these algorithms, and making your applications crypto-agile. We look forward to the continuing work of NIST and helping organizations with this PQC migration.