With many organizations holding back on PQC groundwork, the release of the first PQC standards is the cue to get rolling
This month, the National Institute of Standards and Technology (NIST) of the USA finalized its principal set of encryption algorithms (also referred to as Post Quantum Cryptography or PQC) for the world to stave off quantum-level cyberattacks.
Federal Information Processing Standards (FIPS) numbers 203, 204, and 205 were made effective on 14 August 2024.
In detail, the FIPS have the following descriptions, taken verbatim from the NIST announcement:
- FIPS 203 specifies a cryptographic scheme called Module-Lattice-Based Key-Encapsulation Mechanism, or ML-KEM, which is derived from the CRYSTALS-KYBER submission. A Key Encapsulation Mechanism (KEM) is a particular type of key establishment scheme which can be used to establish a shared secret key between two parties communicating over a public channel. Current NIST-approved key establishment schemes are specified in SP 800-56A, Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm-Based Cryptography, and in SP 800-56B, Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography.
- FIPS 204 and 205 each specify digital signature schemes, which are used to detect unauthorized modifications to data and to authenticate the identity of the signatory. FIPS 204 specifies the Module-Lattice-Based Digital Signature Algorithm (ML-DSA), which is derived from the CRYSTALS-Dilithium submission. FIPS 205 specifies the Stateless Hash-Based Digital Signature Algorithm (SLH-DSA), which is derived from the SPHINCS+ submission. Current NIST-approved digital signature schemes are specified in FIPS 186-5, Digital Signature Standard and SP 800-208, Recommendation for Stateful Hash-based Signature Schemes.
- In the future, NIST intends to develop a FIPS specifying a digital signature algorithm derived from FALCON as an additional alternative to these standards.
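To make the KEM description in the FIPS 203 item concrete, here is an added example (not from the NIST announcement and not ML-KEM itself) showing the three-operation shape every KEM shares, which FIPS 203 names KeyGen, Encaps and Decaps: the sender needs only the receiver's public key to produce a ciphertext plus a shared secret, and the receiver recovers the same secret from the ciphertext with its private key. The lattice arithmetic of ML-KEM is replaced by a toy Diffie-Hellman group over a deliberately small prime, so the parameters, the `_kdf` helper and the function names are assumptions for illustration only; the data flow between the two parties is what the example demonstrates.

```python
import hashlib
import secrets

# Toy group parameters, constructed for readability only. A 61-bit prime
# is trivially breakable and this is NOT ML-KEM; it only carries the KEM shape.
P = (1 << 61) - 1  # Mersenne prime 2^61 - 1
G = 3


def keygen():
    """Receiver side: produce (public_key, private_key).

    As in ML-KEM, the decapsulation (private) key carries a copy of the
    public key so decaps can bind the derived secret to it.
    """
    x = secrets.randbelow(P - 2) + 1        # private exponent in [1, P-2]
    pk = pow(G, x, P)
    sk = (x, pk)
    return pk, sk


def _kdf(shared_point: int, ct: int, pk: int) -> bytes:
    """Derive a 32-byte secret, bound to the ciphertext and public key."""
    transcript = (
        b"toy-kem-v1"
        + shared_point.to_bytes(8, "big")
        + ct.to_bytes(8, "big")
        + pk.to_bytes(8, "big")
    )
    return hashlib.sha256(transcript).digest()


def encaps(pk: int):
    """Sender side: from the public key alone, output (ciphertext, shared_secret)."""
    r = secrets.randbelow(P - 2) + 1        # fresh ephemeral randomness
    ct = pow(G, r, P)                       # what travels over the public channel
    ss = _kdf(pow(pk, r, P), ct, pk)
    return ct, ss


def decaps(sk, ct: int) -> bytes:
    """Receiver side: recover the shared secret from the ciphertext."""
    x, pk = sk
    return _kdf(pow(ct, x, P), ct, pk)


def run_exchange():
    """Full exchange between two parties; returns (secrets_match, tamper_detected).

    The second value shows that a ciphertext altered in transit yields a
    different secret at the receiver, which is why real protocols add
    key confirmation or an AEAD check on top of the KEM.
    """
    pk, sk = keygen()                       # receiver publishes pk
    ct, ss_sender = encaps(pk)              # sender: ciphertext + secret
    ss_receiver = decaps(sk, ct)            # receiver: same secret from ct
    tampered = ct + 1 if ct + 1 < P else 1  # constructed in-flight corruption
    ss_tampered = decaps(sk, tampered)
    return ss_sender == ss_receiver, ss_receiver != ss_tampered


if __name__ == "__main__":
    print(run_exchange())
```

The point to carry over to ML-KEM is the asymmetry of the interface: only the receiver ever holds a private key, the sender contributes nothing but a ciphertext computed from the public key, and both ends finish with the same 32-byte secret that can then key a symmetric cipher. Production code uses a vetted ML-KEM implementation; this toy exists only to show which value goes where.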
According to Tim Hollebeek, Industry and Standards Technical Strategist, DigiCert, “quantum computers that are powerful enough to break the asymmetric cryptography used to protect communications and devices on the internet” could arrive in “as little as five to 10 years,” but the “NIST standards use new hard math problems that are not vulnerable to quantum computers.”
A spokesperson from Accenture has publicly recommended that organizations assess their quantum risk and develop a resilient cryptographic architecture now, while there is still time.