Quantum Leap: New NIST Guidance for Quantum-Resistant Cryptography

August 13, 2024

The promise of quantum computing presents exciting possibilities to usher in a new era of innovation across the global economy.  But as these systems mature and proliferate, significant security concerns have emerged about the capacity of quantum computing to compromise widely used cryptographic technologies. The far-reaching implications of this outcome threaten the availability of digital systems globally, crippling the foundation of our digital economy, as well as the interactions that organizations rely upon every day, including secure communications and authentication of users and devices. 

In anticipation of this “quantum” leap in code breaking capabilities, the National Institute of Standards and Technology (NIST) has announced the first new algorithmic standards in years. This new post-quantum cryptography (PQC) establishes global standards to ensure that today’s data remains safe despite the exponential computing power of quantum technology.  

In the short term, these new guidelines can protect organizations from Store Now, Decrypt Later attacks, in which adversaries acquire and store mass amounts of potentially sensitive or valuable encrypted data for future decryption. Long term, they represent a solid foundation upon which organizations can begin planning broader cybersecurity strategies built around PQC, Zero Trust and related approaches to thwart direct quantum-enabled and other new attacks. 

What’s Next? 

We can expect to see broad adoption of these standards throughout core technologies utilized by public and private entities alike. And with these new parameters in place, organizations can make better decisions for future planning and investments to achieve quantum-safe status. The adoption of new cryptographic technologies will need to take place on a global scale.  To compound the challenge, the various resource requirements for the new algorithms call for organizations to balance performance and security according to their unique needs. The conventional drop-in approach will no longer suffice. 

With such complexity and the enormous implications at stake, organizations should use the dawning of this new era to reassess and modernize their overall approach to cybersecurity and cryptography to strengthen business resilience. But while it is reassuring to have this new framework in place to protect against future threats, what will the practical application look like?  The most critical factors include: 

  • Increased Visibility of Quantum-Safe Transition Programs – Organizations will increasingly tout their progress under the new standards with regular reporting and benchmarking against peers. 
  • Implementations – With the new algorithms finalized and vetted, the cost of entry and the risk for organizations to begin testing are dramatically reduced.
  • Ongoing Guidance and Best Practices – NIST, along with supportive industry leaders, will continue to provide guidance as new security elements come into play, including crypto-agility, hybrid encryption protocols, and defense-in-depth. 
  • Certifications – Vendors will need to have new and existing solutions (hardware and software) validated and certified against the new standards, which is a requirement for government and many procurement departments.

Time for Action 

Some organizations might not fully grasp the magnitude of what is to come and choose to defer strategic decisions until the technology matures—believing current cryptography is sufficient for the time being. The new NIST algorithms dispel this notion by establishing that the current approach is not adequate for what lies ahead in a post-quantum cryptography world. Now that the requirements are in place, we can expect to see an acceleration of market adoption.  It is important to adopt the mentality that the time for action is now!   

Decision makers need to carefully consider the time and resources needed to transition to PQC, and adjust their planning and budgets accordingly. For example, it took more than a decade for companies to transition from SHA-1. Given the growth and complexity of IT architectures, transitioning to PQC will take steadfast organizational focus and commitment to avoid falling behind the curve on broader adoption. The first step is for organizations to understand their current cybersecurity posture, institute a plan to remediate any vulnerabilities, and make the upgrades needed to implement the new NIST standards.

The nature of PQC is inherently dynamic and complex, requiring a dedicated focus to keep pace with the changes ahead. For nearly a decade, the evolutionQ team has been at the forefront of algorithm development and quantum threat analysis. We are ideally positioned to help organizations fully grasp quantum risk with the expertise and experience to navigate both immediate and future challenges.  The Multimodal Key Establishment System (KES) we pioneered leverages the NIST standards in its multi-layered approach that combines secrets from multiple cryptographic primitives or modes to derive an end-to-end encryption key that is stronger and more resilient than the sum of its parts. 

Our engineers and cryptographers have been on the cutting edge of these new PQC technologies for years – both in academia and with commercial partners – and are intimately aware of both the quantum cyber threat and the steps that organizations must take to protect their customers and data. The new standards are only the beginning of the journey in this generational shift to a new cybersecurity paradigm.

Don’t get left behind! Contact us today to assess your quantum threat exposure and start your journey toward PQC migration.