The National Institute of Standards and Technology (NIST) has officially published its highly anticipated Federal Information Processing Standards (FIPS) for post-quantum cryptography (PQC). This significant development will affect a broad range of entities, including financial institutions and government agencies, particularly those subject to regulatory obligations. Now is an opportune time for businesses of all sizes to reassess and update their encryption strategies, ensuring they stay ahead in cybersecurity by adopting the latest automated cryptography management solutions.
Researchers worldwide are in a race to develop quantum computers, which would function in fundamentally different ways from traditional computers and could potentially break the encryption systems that currently safeguard our online security and privacy. The algorithms announced today represent the first finalized standards from NIST’s PQC standardization project and are now ready for immediate implementation.
These three new standards are designed with the future in mind. As quantum computing technology advances rapidly, some experts anticipate that a device capable of breaking today’s encryption methods could emerge within the next decade, posing significant risks to the security and privacy of individuals, organizations, and nations alike.
Taher Elgamal, ‘the father of SSL’ and senior advisor at SandboxAQ, said, “The NIST PQC Standardization marks an important step in enhancing the security of our digital infrastructure. By adopting these new standards, we are protecting sensitive data, safeguarding privacy, and maintaining trust in our digital communications. This proactive approach not only prepares us for the quantum era but also strengthens our overall cybersecurity today. We appreciate NIST’s leadership in this effort and thank the scientific community for their significant contributions through numerous cryptographic designs and research papers.”
NIST launched its PQC standardization program in 2016, with the goal of developing cryptographic methods that can withstand quantum computing threats. The latest announcement introduces the first set of standardized algorithms: one for key agreement and two for digital signatures. These algorithms are designed to ensure the confidentiality, integrity, and authentication of sensitive data, keeping digital communications secure against emerging quantum threats.
FIPS 203: Derived from Kyber (standardized as ML-KEM), this standard is used in key agreement protocols such as TLS, replacing traditional methods like Diffie-Hellman. It offers fast performance despite the use of larger public keys and ciphertexts.
FIPS 204: Based on Dilithium (standardized as ML-DSA), this standard is used for digital signatures. It provides faster verification than current methods like ECDSA and RSA, though it requires larger signatures (2.5KB) and public keys (1.3KB) and has roughly double the signing time.
FIPS 205: Based on SPHINCS+ (standardized as SLH-DSA), a hash-based scheme whose security rests only on SHA-2 or SHA-3, this standard offers strong security with very small public keys (32 bytes) but generates larger signatures, around 7KB. It is particularly well-suited to applications such as firmware updates, where rapid verification is crucial.
Today’s announcement takes place within a larger regulatory framework, including the White House’s National Security Memorandum, NSM-8, which requires the adoption of post-quantum cryptography (PQC). To transition to these new algorithms effectively, businesses must start by assessing their current cryptography usage. Whether conducted manually or through automated tools, this inventory process is critical. Proper tools and thorough testing are essential to facilitate a seamless shift from old algorithms to the new standards.
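As an added illustration of the inventory step described above (example code written for this page, not from the article or from any vendor it names), the following Python sketch parses constructed scan records, classifies each host's key-agreement and signature algorithms as quantum-vulnerable or PQC-ready, and maps at-risk ones to the FIPS standard the article identifies as the replacement. The record format, host names and the treatment of hybrid key exchange (any exchange that includes an ML-KEM component counts as PQC-ready) are assumptions.

```python
"""Toy cryptographic-inventory classifier (added example, not the article's code).

Input records are constructed lines of `key=value` tokens, as a scanning
tool might emit; the format and the hosts are assumptions for this example.
"""
from collections import Counter

# Classical primitives a cryptographically-relevant quantum computer would break.
KEY_AGREEMENT_AT_RISK = {"RSA", "DH", "ECDH", "ECDHE", "X25519", "X448"}
SIGNATURE_AT_RISK = {"RSA", "RSA-PSS", "ECDSA", "DSA", "ED25519", "ED448"}

# Replacement named by the article for each primitive class.
REPLACEMENT = {
    "kex": "FIPS 203 (ML-KEM)",
    "sig": "FIPS 204 (ML-DSA) or FIPS 205 (SLH-DSA)",
}

# Constructed sample scan output (assumed format).
SCAN = """\
host=vpn.example.internal kex=ECDHE sig=RSA-PSS cert_key=RSA-2048
host=api.example.internal kex=X25519 sig=ECDSA cert_key=P-256
host=fw-update.example.internal kex=none sig=SLH-DSA-SHA2-128s cert_key=none
host=legacy.example.internal kex=RSA sig=RSA cert_key=RSA-2048
host=pqc-pilot.example.internal kex=X25519MLKEM768 sig=ML-DSA-65 cert_key=ML-DSA-65
"""


def parse_record(line: str) -> dict:
    """Split one `key=value key=value` line into a dict."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        if key:
            fields[key] = value
    return fields


def classify_kex(alg: str) -> str:
    """Return 'none', 'pqc', 'at-risk' or 'unknown' for a key-agreement algorithm."""
    normalized = alg.upper().replace("-", "")
    if normalized in ("", "NONE"):
        return "none"
    if "MLKEM" in normalized:          # pure or hybrid ML-KEM present (assumption)
        return "pqc"
    if alg.upper() in KEY_AGREEMENT_AT_RISK:
        return "at-risk"
    return "unknown"


def classify_sig(alg: str) -> str:
    """Return 'none', 'pqc', 'at-risk' or 'unknown' for a signature algorithm."""
    normalized = alg.upper()
    if normalized in ("", "NONE"):
        return "none"
    if normalized.startswith("ML-DSA") or normalized.startswith("SLH-DSA"):
        return "pqc"
    if normalized in SIGNATURE_AT_RISK:
        return "at-risk"
    return "unknown"


def inventory(lines) -> dict:
    """Classify every record; return per-host findings plus aggregate counts."""
    findings = []
    counts = Counter()
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        kex_status = classify_kex(rec.get("kex", ""))
        sig_status = classify_sig(rec.get("sig", ""))
        counts[("kex", kex_status)] += 1
        counts[("sig", sig_status)] += 1
        actions = []
        if kex_status == "at-risk":
            actions.append(f"key agreement {rec['kex']} -> {REPLACEMENT['kex']}")
        if sig_status == "at-risk":
            actions.append(f"signature {rec['sig']} -> {REPLACEMENT['sig']}")
        findings.append({"host": rec.get("host", "?"), "kex": kex_status,
                         "sig": sig_status, "actions": actions})
    return {"findings": findings, "counts": dict(counts)}


def hosts_needing_migration(report: dict) -> list:
    """Hosts with at least one at-risk primitive, in scan order."""
    return [f["host"] for f in report["findings"] if f["actions"]]


if __name__ == "__main__":
    report = inventory(SCAN.splitlines())
    for finding in report["findings"]:
        for action in finding["actions"]:
            print(f"{finding['host']}: {action}")
    print("summary:", report["counts"])
```

The point of the classification is to separate the two migration tracks the article describes: key agreement moves to FIPS 203, while signatures move to FIPS 204 or, where fast verification on small public keys matters more than signature size, FIPS 205. A real inventory would populate the records from certificates, TLS configurations and code rather than from a constructed string, but the triage logic stays the same.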
Dr Marc Manzano, General Manager of the Cybersecurity Group at SandboxAQ, comments, “NIST’s announcement makes it imperative for large enterprises to adopt scalable, automated cryptographic inventory solutions. Modern cryptography management minimizes disruption, mitigates ransomware risks, and facilitates a seamless transition to secure standards.”
Carlos Aguilar-Melchor, chief scientist, cybersecurity at SandboxAQ, added, “The new standards just released today by NIST give enterprises a clear roadmap to upgrade their security and encryption protocols. This transition is an opportunity to move to modern cryptography management models, leading to fewer outages, simpler compliance and governance, shorter and safer migrations, and higher security. We at SandboxAQ have been contributing to these new standards and the published research to validate them.”
Tim Hollebeek, Industry and Standards Technical Strategist at DigiCert, concludes, “Today, after working with the world’s best cryptographers for nearly 10 years, the National Institute of Standards and Technology (NIST) announced three new standards (FIPS 203, 204, and 205) that describe three new encryption algorithms designed to protect against the threat of quantum computers. Today’s quantum computers are small and experimental, but they are rapidly becoming more capable, and it is only a matter of time before cryptographically-relevant quantum computers (CRQCs) arrive. These are quantum computers that are powerful enough to break the asymmetric cryptography used to protect communications and devices on the internet, and they could arrive in as little as 5-10 years. The good news is that the problem can be solved by switching to new hard math problems that are not vulnerable to quantum computers, and the new NIST standards describe in precise detail exactly how to use these new hard math problems to protect internet traffic in the future. Leading internet security companies, including DigiCert, have already implemented these algorithms, and are preparing to deploy them at scale to make sure the internet remains secure during this important transition.”