NIST’s Quantum Standards: The Time for Upgrades Is NOW
From IC Insider Thales Trusted Cyber Technologies
By Bill Becker, CTO, Thales Trusted Cyber Technologies
After years of research, development, testing, and collaboration, in August NIST released its first set of Post Quantum Cryptography (PQC) standards. Now’s the time for federal agencies – and vendors supplying equipment to the public sector – to start planning IT infrastructure upgrades that make use of these PQC standards in their crypto-agile firmware or software.
For vendors and suppliers, NIST’s announcement means that technology providers, standards organizations, and industry groups have to get to work fixing whatever issues may have been standing in the way of large-scale releases and deployment of interoperable PQC implementations.
It’s simple. You can’t wait until the hackers have quantum tools before you start working on a plan to protect against them. Agencies and industry alike need to start now to transition to the new world of post-quantum cryptography.
A quick overview on the new NIST standards
There are two important encryption functions at the heart of NIST’s new PQC standards:
- General encryption. This function protects information across a public network
- Digital signatures. This applies in particular to identity authentication.
For a bit of history, after a six-year competition to select the next generation of quantum-resistant cryptographic algorithms, in 2022 NIST selected four algorithms from the original 69 eligible algorithms submitted. Then in 2023, NIST announced draft standards for three of the four selected algorithms: CRYSTALS-Kyber, CRYSTALS-Dilithium, and SPHINCS+. The fourth draft standard, based on FALCON, is planned for late 2024. More recently, in August 2024, NIST released the first three finalized post-quantum Federal Information Processing Standards (FIPS) encryption standards: FIPS 203, FIPS 204, and FIPS 205.
Here’s a flyover look at each of the standards:
- FIPS 203. This standard is based on the CRYSTALS-Kyber algorithm. The new name is the somewhat awkward but more specifically descriptive Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM). Intended to be the main general encryption standard, ML-KEM has the benefit of faster operation. It also has smaller encryption keys that can be exchanged relatively easily between two parties.
- FIPS 204. This standard is based on the CRYSTALS-Dilithium algorithm, and is now known as Module-Lattice-Based Digital Signature Algorithm (ML-DSA). This standard is intended to be the primary standard for protecting digital signatures.
- FIPS 205, which is also intended for digital signatures, makes use of the SPHINCS+ algorithm. In this iteration, it is known as Stateless Hash-Based Digital Signature Algorithm (SLH-DSA). Based on a different mathematical approach than ML-DSA, this standard is supposed to be used as a backup method in case any vulnerabilities are exposed in ML-DSA.
And the name changes are going to keep coming. When the FIPS 206 standard (which is built around the FALCON algorithm) is released, the new name for the algorithm will be “FFT (fast-Fourier transform) over NTRU-Lattice-Based Digital Signature Algorithm” or FN-DSA. That’s a mouthful, we know, but NIST wins back points for accuracy.
Continuing its mission to offer a robust suite of post-quantum encryption standards, in September 2022 NIST launched an Additional Digital Signatures project, which called for additional general-purpose signature schemes. In October 2024 NIST announced that it had selected 14 candidates to advance to the second round of the Additional Digital Signature process.
Evaluating and implementing PQC migration
The NIST National Cybersecurity Center of Excellence (NCCoE) has been working with industry collaborators and other federal agencies to make it easier to understand the challenges associated with the migration to PQC. So far, the project has drafted guidance for crypto discovery, interoperability, and performance testing.
Now, in practical terms, the onus for change is actually on the vendor and supplier community. If they haven’t already done so, vendors have to start implementing crypto-agility across their product lines. That means putting serious effort into implementing product architectures that can accept in-field firmware updates that introduce the new NIST PQC algorithms and corresponding protocols in all of their products.
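The paragraph above describes the architectural property a vendor has to build in: algorithm identifiers carried with the data, a scheme registry that a field update can extend, a policy that can retire an algorithm or a key, and negotiation that tolerates identifiers an older build has never seen. The following is an added example of that plumbing and is not code from Thales TCT or from any HSM product; the two registered schemes are keyed-HMAC stand-ins and the key ids, payloads and the "PQ-SIG-PLACEHOLDER" identifier are constructed, where a real product would register FIPS 204 ML-DSA in their place.

```python
"""Crypto-agile envelope and negotiation: algorithm identifiers travel with the
data, the registry can gain a scheme after deployment (standing in for a
firmware update), and negotiation skips unknown identifiers instead of failing.
Added example: the registered schemes are keyed-HMAC stand-ins, not ML-DSA."""
import hmac
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


@dataclass(frozen=True)
class Scheme:
    name: str
    sign: Callable[[bytes, bytes], bytes]          # sign(key, message) -> tag
    verify: Callable[[bytes, bytes, bytes], bool]  # verify(key, message, tag) -> ok


def hmac_scheme(name: str, digest: str) -> Scheme:
    """Placeholder scheme built on a keyed HMAC. A real deployment would
    register FIPS 204 ML-DSA here; only the plumbing around it is the point."""
    def sign(key: bytes, msg: bytes) -> bytes:
        return hmac.new(key, msg, digest).digest()

    def verify(key: bytes, msg: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(hmac.new(key, msg, digest).digest(), tag)

    return Scheme(name, sign, verify)


# Schemes known to this build. Identifiers are strings, so new ones can be
# added without changing the envelope format.
REGISTRY: Dict[str, Scheme] = {
    "LEGACY-HMAC-SHA1": hmac_scheme("LEGACY-HMAC-SHA1", "sha1"),
    "HMAC-SHA256": hmac_scheme("HMAC-SHA256", "sha256"),
}


def register(scheme: Scheme) -> None:
    """Add a scheme after deployment: what a crypto-agile firmware update does."""
    REGISTRY[scheme.name] = scheme


def negotiate(offered: List[str], supported: List[str]) -> Optional[str]:
    """Choose the first offer (in the peer's preference order) this side
    supports. Identifiers this build has never heard of are skipped, not fatal."""
    for alg in offered:
        if alg in supported and alg in REGISTRY:
            return alg
    return None


def _canonical(header: dict) -> bytes:
    return json.dumps(header, sort_keys=True, separators=(",", ":")).encode()


def sign_envelope(alg: str, kid: str, key: bytes, payload: bytes) -> dict:
    """Version, algorithm and key id are covered by the tag, so a rewritten
    header shows up as a bad tag rather than a silent downgrade."""
    header = {"v": 1, "alg": alg, "kid": kid}
    tag = REGISTRY[alg].sign(key, _canonical(header) + payload)
    return {"header": header, "payload": payload.hex(), "tag": tag.hex()}


def verify_envelope(env: dict, keys: Dict[str, bytes], allowed: Set[str]) -> bool:
    """keys maps key id -> key (rotation = add a kid, later drop the old one);
    allowed is the policy set (deprecation = remove an identifier)."""
    header = env.get("header", {})
    alg, kid = header.get("alg"), header.get("kid")
    if header.get("v") != 1 or alg not in allowed or alg not in REGISTRY:
        return False
    key = keys.get(kid)
    if key is None:
        return False
    signed = _canonical(header) + bytes.fromhex(env["payload"])
    return REGISTRY[alg].verify(key, signed, bytes.fromhex(env["tag"]))


def demo() -> dict:
    """Walk through negotiation, deprecation, key rotation and a field upgrade
    with constructed keys and payloads."""
    keys = {"k-2023": b"constructed-key-2023", "k-2024": b"constructed-key-2024"}
    policy = {"HMAC-SHA256"}  # LEGACY-HMAC-SHA1 has already been retired
    env_new = sign_envelope("HMAC-SHA256", "k-2024", keys["k-2024"], b"manifest")
    env_old = sign_envelope("LEGACY-HMAC-SHA1", "k-2023", keys["k-2023"], b"manifest")
    results = {
        # Peer offers an identifier this build lacks; negotiation moves on.
        "unknown_alg_skipped": negotiate(["ML-DSA-65", "HMAC-SHA256"], ["HMAC-SHA256"]),
        "accepts_current": verify_envelope(env_new, keys, policy),
        "rejects_deprecated": verify_envelope(env_old, keys, policy),
        "rejects_retired_key": verify_envelope(env_new, {"k-2023": keys["k-2023"]}, policy),
    }
    # Field upgrade: a new scheme arrives, policy is extended, negotiation picks it.
    register(hmac_scheme("PQ-SIG-PLACEHOLDER", "sha3_256"))
    results["after_upgrade"] = negotiate(["PQ-SIG-PLACEHOLDER", "HMAC-SHA256"],
                                         ["PQ-SIG-PLACEHOLDER", "HMAC-SHA256"])
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design choice worth noticing is that nothing about the envelope format changes when a scheme is added or retired: the registry and the policy set are the only things a firmware update or a configuration change has to touch, and a peer that names an algorithm this build lacks is simply not matched rather than causing a failure.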
This is particularly true for providers of Hardware Security Modules (HSMs) which are often used as the root of trust for our cryptographic systems. Some vendors implemented PQC before the PQC FIPS standards were released to provide agencies a preview of how a PQC enabled system will operate within an existing FIPS 140 certified cryptographic module. This helped agencies conduct initial testing and makes for a relatively quick and easy transition to quantum-safe encryption solutions when PQC standards compliant firmware upgrades are made available.
Late in 2023, in a publication focused on the public sector vendor community, we said the race was on to “quantum-proof” encryption in the federal sector. Government has not been stingy with reminders, guidance and compliance milestones for agencies – everything from the May 2022 White House National Security Memo on Quantum, to the Office of Management and Budget’s OMB M-23-02 roadmap for agency post-quantum cryptography migration. And most recently OMB M-24-14 instructed agencies to “Prepare for the Post-Quantum Future” by ensuring that they are sufficiently resourced to transition to post-quantum cryptography.
As was described in the previous policies, the first step on the road to PQC migration starts with crypto discovery. Agencies should start using automated crypto inventory tools to know specifically where and how cryptography is being used in their organizations.
With NIST’s published standards, there’s really nothing more standing in the way of planning for this migration. Quantum computing is farther along than we may realize, and we have to start safeguarding our networks and our data against cybersecurity threats from bad actors. Because make no mistake: they will certainly use quantum technology to their own bad ends.
Three steps to post-quantum strategy
With this background, and the understanding of the very real threats that can be posed by hackers armed with post-quantum technology, it is absolutely essential to develop a strategy for cryptography in a post-quantum world. Fortunately, you can get started by remembering three simple steps:
- Know Your Risks. Harvesting and early attacks are a real threat to long-term data. IT managers and other network professionals need to understand how their organizations use possibly vulnerable cryptography, the expiration date of their encrypted data, and the crypto-agility maturity of their IT infrastructure. The best way to do this is to inventory cryptographic technologies and prioritize high risk systems. There are tools available that can automate crypto discovery and inventory.
- Focus on crypto-agility. Crypto-agility is not only about the quantum threat; it’s about being able to face the reality that all algorithms will absolutely fail over time. Many systems today make it difficult to rotate keys, to choose different sizes/parameters, and to change mechanisms or key algorithms. These are all required for protocols to be versioned, negotiated and not to fail when presented with unknown options. They are essential for crypto-agility, and it’s important to work with providers with solutions that embrace those needs.
- Start Today. In fact, if you don’t start today, you’ll be racing to meet the threat tomorrow. Organizations have to begin designing a quantum-resistant architecture today if they hope to protect themselves against the emerging quantum threat. IT infrastructure equipment is often deployed for years or decades without hardware replacement. Consequently, in the post-quantum world, it’s important to make sure currently deployed hardware was developed with crypto-agility principles in mind, and that it can receive software or firmware updates now that post-quantum crypto algorithms and protocols are being standardized. It is also important to check with equipment providers to see what beta or technology preview firmware they have available for testing in non-production systems that implements pre-standardized quantum-resistant cryptographic algorithms. Setting up a PQC test environment is a good idea. This will enable organizations to start testing new technology without impacting production environments.
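The "Know Your Risks" step above is the one that can be turned into a concrete check: once crypto discovery has produced an inventory, each entry can be classified by whether its algorithm falls to a cryptographically relevant quantum computer and ranked by how long the protected data has to stay confidential, which is what makes harvest-now-decrypt-later a threat to long-term data. The following is an added example of that triage and is not a tool from the article or from any vendor; the inventory record format, the sample systems and the ten-year horizon are constructed assumptions, and the decision rules are a starting point an agency would tune to its own policy.

```python
"""Crypto inventory triage: classify each discovered cryptographic use and rank
it by harvest-now-decrypt-later exposure. Added example; the record format, the
sample inventory and the horizon are assumptions, not an agency's real data."""
from dataclasses import dataclass
from typing import List

# Public-key families broken by Shor's algorithm on a cryptographically
# relevant quantum computer (CRQC).
SHOR_VULNERABLE = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "ED25519", "X25519"}
# The FIPS 203/204/205 algorithms named in the article.
PQC = {"ML-KEM", "ML-DSA", "SLH-DSA"}


@dataclass
class CryptoUse:
    system: str
    purpose: str              # "key-exchange", "encryption" or "signature"
    algorithm: str
    size: int                 # key size in bits, or PQC parameter set number
    data_lifetime_years: int  # how long the protected data must stay secret/valid


@dataclass
class Finding:
    system: str
    algorithm: str
    status: str    # "quantum-vulnerable", "quantum-safe" or "review"
    priority: int  # 0 = act first
    reason: str


# Constructed sample inventory (what an automated discovery tool might emit).
INVENTORY = """
# system, purpose, algorithm, size, data_lifetime_years
vpn-gateway-01, key-exchange, ECDH, 256, 25
records-archive, encryption, RSA, 2048, 30
code-signing-hsm, signature, ECDSA, 384, 12
pilot-pqc-tunnel, key-exchange, ML-KEM, 768, 25
backup-vault, encryption, AES, 256, 30
legacy-app, encryption, AES, 128, 2
"""


def parse_inventory(text: str) -> List[CryptoUse]:
    uses = []
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        system, purpose, alg, size, years = [f.strip() for f in line.split(",")]
        uses.append(CryptoUse(system, purpose, alg.upper(), int(size), int(years)))
    return uses


def assess(use: CryptoUse, horizon_years: int) -> Finding:
    """horizon_years is the assumed time until a CRQC exists; data that must
    stay confidential longer than that is exposed to harvest-now-decrypt-later."""
    alg = use.algorithm
    long_lived = use.data_lifetime_years >= horizon_years
    if alg in PQC:
        return Finding(use.system, alg, "quantum-safe", 3,
                       "FIPS 203/204/205 algorithm")
    if alg in SHOR_VULNERABLE:
        if use.purpose in ("key-exchange", "encryption"):
            if long_lived:
                return Finding(use.system, alg, "quantum-vulnerable", 0,
                               f"harvest-now-decrypt-later: data must stay secret "
                               f"{use.data_lifetime_years}y, beyond the {horizon_years}y horizon")
            return Finding(use.system, alg, "quantum-vulnerable", 1,
                           "public-key confidentiality; data expires before the horizon")
        # Signatures are forgeable only once a CRQC exists, so no retroactive
        # exposure, but long-lived signing keys and certificates move up.
        return Finding(use.system, alg, "quantum-vulnerable", 1 if long_lived else 2,
                       "signature forgeable once a CRQC exists; migrate before then")
    if alg == "AES":
        if use.size >= 256:
            return Finding(use.system, alg, "quantum-safe", 3,
                           "256-bit symmetric key keeps ample margin against Grover's algorithm")
        return Finding(use.system, alg, "review", 2,
                       "Grover's algorithm roughly halves effective symmetric strength; "
                       "confirm 128-bit is acceptable for this data lifetime")
    return Finding(use.system, alg, "review", 1, "unrecognized algorithm; inspect manually")


def triage(text: str, horizon_years: int = 10) -> List[Finding]:
    """Parse, assess and return findings with the most urgent first."""
    findings = [assess(u, horizon_years) for u in parse_inventory(text)]
    return sorted(findings, key=lambda f: (f.priority, f.system))


if __name__ == "__main__":
    for f in triage(INVENTORY):
        print(f"P{f.priority} {f.status:<18} {f.system:<18} {f.algorithm:<8} {f.reason}")
```

The two archives and VPN gateways that protect decades-long data with RSA or ECDH land at the top, the ECDSA signing key comes next because its validity period outlasts the horizon, and the AES-128 system is flagged for review rather than condemned, which mirrors the article's advice to inventory first and then prioritize high-risk systems.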
Let’s not sugar-coat things. Quantum computers will break today’s public key cryptography. So, now what?
Even though large-scale quantum computing is several years away from being a practical reality, federal government observers and experts are already worried about the cybersecurity implications. The sooner an organization can start working toward quantum cybersecurity, the better it can handle incoming threats from bad actors with quantum hacking in their bag of dirty tricks.
One company’s role in the PQC transition
Thales Trusted Cyber Technologies (TCT) has been actively involved in industry and government’s PQC transition from the earliest days of standard-setting.
Since 2021, the FIPS 140 certification of Thales TCT’s Luna T-Series Network and PCIe hardware security modules (HSMs) has included the onboard, user-configurable quantum entropy source. Thales TCT also participated as one of the earliest members of NIST’s National Cybersecurity Center of Excellence’s “Migration to Post-Quantum Cryptography Project.” In that capacity, the company contributed the T-Series HSM and associated interoperability testing to ensure that PQC implementations could be supported across the industry.
Thales is also a member of the Post-Quantum Cryptography Alliance, the steward organization for the development and maintenance of open-source PQC libraries. Perhaps most importantly, Thales TCT and the National Security Agency (NSA) have signed a Cooperative Research and Development Agreement (CRADA) for evaluating the NIST-selected PQC algorithms when operating on an HSM.
The CRADA results will be used by Thales TCT to accelerate PQC algorithm deployment, and to assist the government and other HSM users in getting a handle on the value of using PQC-enabled HSMs to mitigate the quantum threat. Thales is also a contributing member of the OASIS PKCS#11 Technical Committee, which is instrumental in defining interoperable specifications for cryptographic modules.
About Thales TCT
Thales Trusted Cyber Technologies, a business area of Thales Defense & Security, Inc., protects the most vital data from the core to the cloud to the field. We serve as a trusted, U.S. based source for cyber security solutions for the U.S. Federal Government. Our solutions enable agencies to deploy a holistic data protection ecosystem where data and cryptographic keys are secured and managed, and access and distribution are controlled.
For more information, visit www.thalestct.com
About IC Insiders
IC Insiders is a special sponsored feature that provides deep-dive analysis, interviews with IC leaders, perspective from industry experts, and more. Learn how your company can become an IC Insider.