PQC’s Standardization

Standardization is crucial for interoperability and security. To enable different devices from different manufacturers that different people operate to communicate with each other securely, the means of communication has to be agreed upon. Without standardization, chaos would ensue; imagine each person in a city using their own traffic rules. 

Introduction

The foundational elements supporting security features that necessitate standardization primarily consist of cryptographic primitives, including widely-used algorithms such as the Advanced Encryption Standard (AES), Secure Hash Algorithm (SHA), RSA (PKCS #1), and the Elliptic-Curve Digital Signature Algorithm (ECDSA). However, the rise of quantum computers has rendered these established standards insufficient in providing the required level of security. 

Key standardization bodies like the National Institute of Standards and Technology (NIST) in the USA or the German Federal Office for Information Security (BSI) play a crucial role in this context. These entities consider various factors, such as use cases, assets requiring protection, advancements in mathematical research targeting cryptographic vulnerabilities, and anticipated improvements in computational capabilities. They then recommend algorithms tailored for specific purposes over the next 10, 15, and 20 years. The challenge lies in determining appropriate key lengths, as larger cryptographic key sizes enhance computational security but can impact performance and bandwidth. In contrast, smaller keys are faster but may compromise security. 

How did PQC Standardization start?

The journey’s origins can be traced back to the accelerated progress in quantum research, prompting both academic and industrial communities to delve into the potential computational advantages of quantum computers. Simultaneously, there was a growing awareness of the potential threats quantum computing posed to modern public-key cryptography. Responding to this, the academic community established a dedicated platform for research on post-quantum cryptography, with PQCrypto 2006 in Leuven, Belgium, being the inaugural event. The escalating academic focus on this subject and the rapid advancements in quantum computing led to a collective recognition of the need to standardize cryptographic algorithms resilient against quantum threats. 

Dustin Moody of NIST presented a pivotal talk titled “Post-Quantum Cryptography: NIST’s Plan for the Future,” unveiling a comprehensive plan for a standardization process in February 2016 at the post-quantum cryptography conference. The envisaged outcome was the identification of ‘winning’ algorithms that would be incorporated into a standardized framework. This vision materialized in December 2016 when a formal call for proposals was issued. Approximately a year later, the response was robust, with 69 submissions deemed ‘complete and proper’ for cryptographic functionalities encompassing public-key encryption, key encapsulation mechanisms (KEMs), and digital signatures. 

Winners’ Announcement in July 2022

After an extensive process spanning nearly six years, NIST concluded its post-quantum cryptography standardization competition in July 2022, unveiling the inaugural set of winners. In the key encapsulation category the selected scheme was CRYSTALS-Kyber, the lattice-based KEM that later became ML-KEM. Its selection was driven by stellar performance, manageable key sizes, and NIST’s confidence in its enduring security. 

Turning to the digital signature category, the primary champion is CRYSTALS-Dilithium, another lattice-based scheme recommended by NIST for general use. Its straightforward design facilitates secure (embedded) implementation. NIST also recognized two additional schemes: Falcon, acknowledged for its minimal signature and public-key size, ideal for applications in internet protocols, and the conservative option, SPHINCS+, known for its well-understood security despite trailing in performance and size compared to CRYSTALS-Dilithium and Falcon. Notably, CRYSTALS-Dilithium takes precedence for standardization and has already earned acclaim from NXP as a promising candidate, demonstrated by a secure boot proof-of-concept on the automotive S32G processor in collaboration with Blackberry. 

NIST’s New PQC Algorithms 

As quantum computers continue to advance, they pose a serious risk to traditional encryption methods. To counter this, NIST has been developing Post-Quantum Cryptography (PQC) standards since 2016. In August 2023, NIST published Initial Public Drafts (IPD) of three PQC algorithms, inviting feedback from the industry to refine them further. After completing the fourth round of standardization, the final versions were officially released on August 13, 2024, with updated algorithm names. 

FIPS 203, now called ML-KEM (Module Lattice Key Encapsulation Mechanism), is derived from CRYSTALS-Kyber and is designed to secure data against emerging risks. It features three parameter sets: ML-KEM-512, ML-KEM-768, and ML-KEM-1024, each offering different levels of security and performance. ML-KEM-512 provides a baseline level of security, while ML-KEM-768 offers enhanced protection for sensitive applications. ML-KEM-1024, the most secure variant, is ideal for high-security and long-term encryption needs. These parameter sets vary in key and ciphertext sizes, allowing organizations to choose an optimal balance between security and efficiency. ML-KEM will play a key role in TLS protocols, VPNs, and encrypted messaging, ensuring secure communication against quantum threats. 

FIPS 204, rebranded as ML-DSA (Module Lattice Digital Signature Algorithm), is built on CRYSTALS-Dilithium and is used for digital signatures. This algorithm strengthens identity verification and data integrity, making it a reliable successor to RSA and ECDSA. By following FIPS 204, organizations can generate and validate digital signatures reliably, preventing unauthorized modifications. Additionally, the standard promotes interoperability, allowing seamless integration across diverse platforms and systems. This makes it particularly useful for digital certificates, software signing, secure email communication, and authentication systems. 

FIPS 205, now called SLH-DSA (Stateless Hash-Based Digital Signature Algorithm), is based on SPHINCS+ and introduces a stateless approach to digital signatures. This eliminates security risks associated with state management, reducing attack vulnerabilities. It relies on hash functions for data integrity and pseudo-random functions (PRFs) to ensure unpredictability in key generation. FIPS 205 strengthens security by introducing new address types for improved key handling and replacing SHA-256 with SHA-512 in key cryptographic functions to address prior weaknesses.

Additionally, it incorporates mitigation strategies against multi-target attacks, making it more resilient. The standard carefully selects 12 out of 36 parameter sets to optimize security and efficiency. SLH-DSA is particularly suited for firmware updates, blockchain applications, and critical infrastructure security, where long-term protection is essential. 

These finalized PQC standards mark a major step toward securing digital communications against quantum threats. Organizations across finance, healthcare, defense, and cloud computing must begin transitioning to quantum-resistant encryption to safeguard sensitive data for the future. With the rapid progress of quantum computing, adapting to these new cryptographic techniques is now a necessity rather than an option. 

Algorithm Deprecation 

In 2024, NIST released an Initial Public Draft (IPD) of NIST IR 8547, which outlines a structured roadmap for the transition to Post-Quantum Cryptography (PQC) standards. The guidance provides a phased approach to help federal agencies, industries, and standards organizations transition their cryptographic infrastructure in a timely and efficient manner. 

A critical aspect of the report is the listing of legacy cryptographic algorithms that will soon be deprecated and eventually disallowed. Organizations relying on these algorithms must begin assessing their cryptographic dependencies and planning upgrades to NIST-approved PQC standards like ML-KEM (FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205). The transition plan emphasizes interoperability, security validation, and compliance requirements, ensuring a coordinated shift toward a quantum-safe cryptographic future by 2035. 

Some highlights from the report are mentioned below: 

Digital Signature Algorithm Family   Parameters                        Transition
ECDSA [FIPS186]                      112 bits of security strength     Deprecated after 2030, Disallowed after 2035
                                     ≥ 128 bits of security strength   Disallowed after 2035
EdDSA [FIPS186]                      ≥ 128 bits of security strength   Disallowed after 2035
RSA [FIPS186]                        112 bits of security strength     Deprecated after 2030, Disallowed after 2035
                                     ≥ 128 bits of security strength   Disallowed after 2035

Block Cipher     Parameter Sets   Security Strength   Security Category
AES [FIPS197]    AES-128          128 bits            1
                 AES-192          192 bits            3
                 AES-256          256 bits            5

Key Establishment Scheme               Parameters                        Transition
Finite Field DH and MQV [SP80056A]     112 bits of security strength     Deprecated after 2030, Disallowed after 2035
                                       ≥ 128 bits of security strength   Disallowed after 2035
Elliptic Curve DH and MQV [SP80056A]   112 bits of security strength     Deprecated after 2030, Disallowed after 2035
                                       ≥ 128 bits of security strength   Disallowed after 2035
RSA [SP80056B]                         112 bits of security strength     Deprecated after 2030, Disallowed after 2035
                                       ≥ 128 bits of security strength   Disallowed after 2035
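The report's advice to "begin assessing cryptographic dependencies" is, in practice, an inventory triage against the dates in the tables above. The following is an added example, not NIST's or Encryption Consulting's tooling: it classifies each entry of a constructed inventory as approved, deprecated, disallowed, quantum-safe, or needing manual review for a given assessment year. The key-size-to-security-strength mapping follows NIST SP 800-57 Part 1, and the "below 112 bits is already disallowed" rule follows SP 800-131A; the asset names and sizes are made up.

```python
"""Triage a cryptographic inventory against the NIST IR 8547 draft transition
timeline.  Added example: the inventory is constructed, and the strength
mapping follows NIST SP 800-57 Part 1."""

DEPRECATED_AFTER = 2030  # 112-bit parameter sets: deprecated after this year
DISALLOWED_AFTER = 2035  # quantum-vulnerable public-key algorithms: disallowed after this year

# Families listed in the transition tables (all broken by Shor's algorithm).
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "EdDSA", "ECDH", "FFDH"}
# FIPS 203/204/205 algorithms: no transition date applies.
QUANTUM_SAFE = {"ML-KEM", "ML-DSA", "SLH-DSA"}
# Symmetric primitives stay approved (AES-128/192/256 = security categories 1/3/5).
SYMMETRIC = {"AES"}

# Classical security strength in bits by (family, key or curve size), per SP 800-57 Part 1.
STRENGTH = {
    ("RSA", 1024): 80, ("RSA", 2048): 112, ("RSA", 3072): 128, ("RSA", 7680): 192,
    ("FFDH", 1024): 80, ("FFDH", 2048): 112, ("FFDH", 3072): 128,
    ("ECDSA", 224): 112, ("ECDSA", 256): 128, ("ECDSA", 384): 192, ("ECDSA", 521): 256,
    ("ECDH", 224): 112, ("ECDH", 256): 128, ("ECDH", 384): 192, ("ECDH", 521): 256,
    ("EdDSA", 255): 128, ("EdDSA", 448): 224,
}


def transition_status(family: str, size, year: int) -> str:
    """Classify one inventory entry for the given assessment year.

    Returns 'quantum-safe', 'approved', 'deprecated', 'disallowed' or 'review'
    ('review' means the strength could not be determined and needs a human)."""
    if family in QUANTUM_SAFE:
        return "quantum-safe"
    if family in SYMMETRIC:
        return "approved"
    if family not in QUANTUM_VULNERABLE:
        return "review"                # unknown family: not covered by the tables
    if year > DISALLOWED_AFTER:
        return "disallowed"            # whole family is gone after 2035, whatever the size
    strength = STRENGTH.get((family, size))
    if strength is None:
        return "review"                # unusual size: determine the strength manually
    if strength < 112:
        return "disallowed"            # below 112 bits is already disallowed (SP 800-131A)
    if strength < 128 and year > DEPRECATED_AFTER:
        return "deprecated"
    return "approved"


def triage(inventory, year: int) -> dict:
    """Map each asset name to its transition status for the assessment year."""
    return {e["asset"]: transition_status(e["family"], e["size"], year) for e in inventory}


def summarize(inventory, year: int) -> dict:
    """Count assets per status; a migration plan is prioritised from these counts."""
    counts = {}
    for status in triage(inventory, year).values():
        counts[status] = counts.get(status, 0) + 1
    return counts


# Constructed sample inventory (not a real environment).
SAMPLE_INVENTORY = [
    {"asset": "web-tls-cert", "family": "RSA", "size": 2048},
    {"asset": "code-signing", "family": "ECDSA", "size": 384},
    {"asset": "vpn-kex", "family": "FFDH", "size": 2048},
    {"asset": "legacy-api-cert", "family": "RSA", "size": 1024},
    {"asset": "ssh-host-key", "family": "EdDSA", "size": 255},
    {"asset": "firmware-signing", "family": "SLH-DSA", "size": None},
    {"asset": "disk-encryption", "family": "AES", "size": 128},
    {"asset": "hsm-wrap-key", "family": "RSA", "size": 4096},
]

if __name__ == "__main__":
    for year in (2025, 2031, 2036):
        print(year, summarize(SAMPLE_INVENTORY, year))
```

Running it for 2025, 2031 and 2036 shows the same inventory sliding from mostly approved, to two deprecated entries, to six disallowed ones; the RSA-4096 entry is flagged for review rather than silently given a strength the standard does not list.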

NIST encourages early adoption of PQC algorithms in a hybrid mode with classical cryptography to ensure a smooth and secure transition. Organizations should start assessing system compatibility, cryptographic dependencies, and implementation challenges now to avoid security risks as quantum computing advances. 
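The hybrid mode mentioned above rests on a key combiner: a classical shared secret and a PQC KEM shared secret are fed into one key derivation, so the derived key stays secret as long as either component does. The following is an added example, not code from this page or from any library: it implements HKDF (RFC 5869) from the standard library and uses it as a concatenation combiner. The two shared secrets are constructed stand-ins, not real X25519 or ML-KEM outputs, and the transcript-as-salt layout and the info label are design assumptions of this example.

```python
"""HKDF (RFC 5869) from the standard library, used as the combiner for a hybrid
key exchange.  Added example: the component secrets and transcript below are
constructed stand-ins, and the combiner layout is an assumption."""
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 step 1: PRK = HMAC(salt, IKM); an empty salt means HashLen zero bytes."""
    return hmac.new(salt or bytes(HASH_LEN), ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 step 2: T(i) = HMAC(PRK, T(i-1) || info || i); return the first `length` bytes."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-Expand output limit exceeded")
    okm, block = b"", b""
    for counter in range(1, -(-length // HASH_LEN) + 1):   # ceil(length / HASH_LEN) blocks
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
    return okm[:length]


def combine_shared_secrets(classical_ss: bytes, pq_ss: bytes, transcript: bytes,
                           length: int = 32) -> bytes:
    """Concatenation combiner: IKM = classical || pq, salted with a hash of the
    exchange transcript (public keys and KEM ciphertext) so the key is bound to
    this handshake.  The output is secret as long as either input secret is."""
    if not classical_ss or not pq_ss:
        raise ValueError("both component secrets are required in hybrid mode")
    prk = hkdf_extract(HASH(transcript).digest(), classical_ss + pq_ss)
    return hkdf_expand(prk, b"hybrid-kex-demo traffic key", length)


# Constructed stand-ins for the two component secrets and the handshake transcript.
CLASSICAL_SS = HASH(b"constructed: X25519 shared secret stand-in").digest()
PQ_SS = HASH(b"constructed: ML-KEM-768 shared secret stand-in").digest()
TRANSCRIPT = b"constructed: client public keys || server public keys || KEM ciphertext"


def demo_keys() -> dict:
    """Derive the hybrid key and show that changing either component, or the
    transcript, yields an unrelated key."""
    key = combine_shared_secrets(CLASSICAL_SS, PQ_SS, TRANSCRIPT)
    # A different classical secret (all zeros here) with the same PQ secret.
    key_other_classical = combine_shared_secrets(bytes(len(CLASSICAL_SS)), PQ_SS, TRANSCRIPT)
    # A different PQ secret with the same classical secret.
    key_other_pq = combine_shared_secrets(CLASSICAL_SS, bytes(len(PQ_SS)), TRANSCRIPT)
    # Same secrets, different handshake transcript.
    key_other_session = combine_shared_secrets(CLASSICAL_SS, PQ_SS, TRANSCRIPT + b"x")
    return {"key": key, "other_classical": key_other_classical,
            "other_pq": key_other_pq, "other_session": key_other_session}


if __name__ == "__main__":
    for name, k in demo_keys().items():
        print(f"{name:16s} {k.hex()}")
```

For TLS, the IETF X25519MLKEM768 draft instead concatenates the ML-KEM and X25519 secrets and hands the result to the normal TLS key schedule, which is itself HKDF-based; the combiner above is the same idea written out as a stand-alone function, and the HKDF functions can be checked against the RFC 5869 test vectors.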

Conclusion

In conclusion, the journey toward post-quantum cryptography underscores the critical importance of standardization in ensuring interoperability and security. As quantum computers pose a threat to established cryptographic standards, the efforts led by institutions like NIST and the German BSI become pivotal in navigating this evolving landscape. The meticulous selection process, spanning years and culminating in the announcement of winners, reflects a commitment to identifying algorithms resilient against quantum threats.  

The competition, extended into a fourth round, introduces alternative proposals and demonstrates the continuous adaptability required in the face of quantum advancements. As the cryptographic community collaborates to define the future of secure communication, the balance between security, performance, and adaptability remains at the forefront of considerations for the post-quantum era.  
 
Encryption Consulting’s Post-Quantum Cryptography Advisory Services bridge the gap between cutting-edge technology and practical implementation. We’ll help you harness the power of quantum-resistant cryptography without the risks. 
