Global Standards for Quantum Security

Last week #NIST released three post-#quantum #encryption standards. Why is this significant? Put simply, from a practical standpoint: risk management and compliance. First, on risk management: experts now say that quantum computing is less than a decade away. Quantum computers are expected to have the power to search large keyspaces very quickly, which means they will be able to decrypt current encryption. Moreover, it is entirely plausible that encrypted information recorded today is being stored for decryption when quantum computing becomes available. If you speculatively apply quantum-resistant encryption to your data now, you will reduce the risk of an adversary being able to successfully exploit your data when they have access to quantum computing. Second, on compliance: NIST is the governing body for standards in the USA, and many other nations take their encryption standards from NIST, as they do not have resources at the same scale as NIST. You can be certain that NIST-approved post-quantum algorithms will start being mentioned in various compliance checklists, as is the case currently with algorithms such as AES-256 and SHA-256. Note well that these algorithms have #FIPS numbers associated with them - meaning "Federal Information Processing Standard". Briefly, the approved algorithms are: 🔒 ML-KEM, for encrypted key exchange, as FIPS 203 🔒 ML-DSA, for digital signatures, as FIPS 204 🔒 SLH-DSA, for stateless hash-based digital signatures, as FIPS 205 There is a fourth algorithm, FN-DSA, also used for digital signatures, that is expected to be released in the next year.

The era of quantum computing is closer than we think, and it’s going to change the foundations of digital security. NIST’s recent draft publication, NIST IR 8547 (link in 1st comment), outlines critical steps organizations must take to transition to post-quantum cryptography (PQC). Why This Matters Now ⏩ Quantum computers will eventually break traditional encryption algorithms like RSA and ECC. While secure today, these systems won’t be once quantum systems mature. NIST’s Post-Quantum Standards ⏩ NIST has selected algorithms like CRYSTALS-Kyber (for key establishment) and CRYSTALS-Dilithium (for digital signatures) to lead the transition. What Organizations Should Do ⏩ Inventory Cryptography: Assess where and how cryptographic algorithms are used. ⏩ Test PQC Algorithms: Experiment with hybrid solutions combining classical and quantum-safe algorithms. ⏩ Engage with Vendors: Ensure tech partners are preparing for PQC compatibility. Challenges Ahead ⏩ Performance trade-offs: Some PQC algorithms require more computational resources. ⏩ Interoperability: Integrating new cryptographic methods into legacy systems isn’t trivial. ⏩ Timeline pressure: The longer you delay, the harder it will be to catch up. The message is clear: preparation can’t wait. The organizations that start now will be in a much better position when the quantum era fully arrives.

 NIST’s Post-Quantum Cryptography Standards: ‘The Start of the Race’ NIST's finalized standards for post-quantum cryptography mark a critical step in addressing the looming cybersecurity risks posed by quantum computing. This development is being hailed as the beginning of a new era in cryptographic resilience, with sweeping implications for governments, businesses, and other stakeholders.  The Threat of Quantum Computing Quantum computers are advancing rapidly, posing a significant risk to current public-key cryptographic systems. Algorithms such as RSA and ECC, widely used to secure digital communications and data, could be rendered obsolete by quantum computing's capacity to break these cryptographic codes. The "harvest now, decrypt later" strategy, where encrypted data is collected now for decryption by future quantum computers, highlights the urgency of transitioning to quantum-resistant cryptography.  NIST’s Standards and Their Importance NIST has been spearheading efforts to establish post-quantum cryptography standards. This multiyear process involved a global competition to identify algorithms robust enough to withstand quantum threats. Four algorithms have been selected for their resilience and efficiency: - CRYSTALS-Kyber for general encryption. - CRYSTALS-Dilithium, Falcon, and SPHINCS+ for digital signatures. These standards are intended to secure systems against quantum attacks while maintaining compatibility with existing infrastructure.  Implementation Challenges Transitioning to post-quantum cryptography is a monumental challenge. Organizations must replace or upgrade cryptographic tools across various devices, systems, and processes. The process will require significant collaboration among hardware manufacturers, software developers, and cybersecurity teams. A particular concern lies in systems where cryptography is deeply embedded, such as in IoT devices and industrial control systems, which may require extensive retrofitting or redesign.  Federal and Industry Implications NIST’s standards will become mandatory for federal agencies, but the private sector, especially industries like finance, telecommunications, and healthcare, is expected to follow suit. Critical infrastructure operators are also being encouraged to transition proactively to quantum-safe solutions.  Timing and Urgency Experts estimate that practical quantum computers capable of breaking current encryption could arrive within 5 to 10 years. However, given the complexity of transitioning to post-quantum cryptography, organizations are urged to begin the process immediately.  Strategic Recommendations Organizations are advised to: 1. Assess Risks: Inventory systems using vulnerable cryptographic algorithms and evaluate the risks. 2. Collaborate: Work with supply chain partners and industry peers to ensure a cohesive transition. 3. Invest in Upgrades: Allocate resources for upgrading cryptographic systems and devices.

As quantum computing makes important strides, governments and companies must take extra steps to protect their data from cybercriminals. It is reassuring, therefore, to see that the US National Institute of Standards and Technology (NIST) has published the world’s first post-quantum cryptography standards - two of which are based on algorithms developed by IBM. At some stage, quantum computers will harness enough computational power to break the encryption standards underpinning most of the world’s data and infrastructure. The official publication of these standards - designed to safeguard data exchanged across public networks and protect/defend digital signatures for identity authentication - marks a crucial milestone in advancing the protection of data from cyberattacks. Learn more about how NIST’s standards will provide blueprints for governments and industries worldwide to begin adopting post-quantum cybersecurity strategies -