On November 12th 2024, the National Institute of Standards and Technology (NIST) released a new report (IR 8547) titled Transition to Post-Quantum Cryptography Standards. It was published as a 90-day follow-up to NIST’s release of its standards for the post-quantum algorithms ML-KEM, ML-DSA and SLH-DSA, as part of the White House’s post-quantum cryptography strategy described in National Security Memorandum 10.
The report outlines the threat quantum computers pose to modern security systems and gives recommendations for transitioning to Post-Quantum Cryptography (PQC). Much of this information, including the guidance on migration priorities, is already well known to experts. However, the report also includes an updated discussion of the migration timeline, and a formal, unified categorization of all of NIST’s cryptographic algorithms in terms of post-quantum security.
Migration Priorities and Considerations
This report summarizes best practices from leading experts in the field. It describes the ‘Harvest Now, Decrypt Later’ attack and explains how to set priorities for a cryptographic migration. This material is covered extensively in InfoSec Global’s blog post on Understanding the Quantum Threat.
PQC Migration Deadlines
This report reiterates the existing deadline of 2035 for completing the transition of National Security Systems to quantum-resistant algorithms, as given in the White House’s National Security Memorandum 10 and the National Security Agency’s (NSA) Commercial National Security Algorithm Suite 2.0 Cybersecurity Advisory.
In past documents NIST had stated its intent to disallow, after 2030, all classical cryptography, both symmetric and asymmetric algorithms, that provides only 112 bits of security or less, for example RSA-2048 or SHA-224. In this report NIST instead states its intent to deprecate, not disallow, the classical asymmetric algorithms that provide 112 bits of security or less after 2030, where deprecation means phasing these algorithms out because of their security risk. These security levels will be completely disallowed after 2035. NIST’s reasoning is that “instead of a two-step transition from a 112-bit security strength to a 128-bit security strength and ultimately to the approved quantum-resistant algorithms, [NIST] is proposing a one-step approach whereby the quantum-resistant algorithms are implemented and available as soon as feasible.” (NIST SP 800-131 Rev. 3, Draft)
Symmetric cryptography that provides 112 bits of security or less will still be disallowed after 2030. This information is summarized in the following table:
What’s new? A Unified Classification of Cryptographic Algorithms
The most novel information in this report is a new, formal categorization of the post-quantum security of all of NIST’s algorithms. Previously, NIST had assigned a post-quantum security category only to each parameter set of its newly standardized Post-Quantum Cryptographic (PQC) asymmetric algorithms, with Category 1 being the weakest security strength and Category 5 the strongest. In this new report, NIST also assigns a post-quantum category to each of its symmetric cryptographic algorithms. Note that NIST’s classical (pre-2018) asymmetric algorithms, such as RSA, are not part of this classification: they are not post-quantum secure, and hence cannot be given any post-quantum security category.
The post-quantum security category of each symmetric algorithm is given in NIST’s tables shown below. In these tables, the number of bits is the classical security strength, that is, the strength against attacks that do not use a quantum computer. Hash functions are given two security categories in the table, because some applications require the security property of collision resistance, while others only require the weaker property of preimage resistance.
This unified security categorization means that organizations can now first decide on the post-quantum security category they wish to achieve, and then use a cryptographic scanning tool such as InfoSec Global’s AgileSec™ Analytics to check that every algorithm parameter in use, for both symmetric and asymmetric cryptography, satisfies that category.
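As an added illustration of that workflow (example code written for this post, not InfoSec Global's AgileSec tooling and not from NIST IR 8547), the script below takes a constructed inventory of algorithms and parameters, applies the 2030/2035 deprecation and disallowance timeline described above, and checks each entry against a target post-quantum security category. Classical strengths follow the NIST SP 800-57 conventions; the PQC parameter-set categories are those of FIPS 203 and 204; the thresholds used to assign symmetric algorithms to a category are an assumption based on NIST's reference definitions (Category 1/3/5 = AES-128/192/256 key search, Category 2/4 = SHA-256/384 collision search), so the report's own tables remain authoritative.

```python
# Added example (not from the InfoSec Global post or NIST IR 8547). Classical strengths
# follow SP 800-57; the category thresholds are an assumption, see the lead-in.
from typing import NamedTuple
RSA_STRENGTH = {1024: 80, 2048: 112, 3072: 128, 7680: 192, 15360: 256}
CLASSICAL_ASYM = {"RSA", "ECDSA", "ECDH"}   # quantum-vulnerable: no PQ category at all
PQ_CATEGORY = {("ML-KEM", 512): 1, ("ML-KEM", 768): 3, ("ML-KEM", 1024): 5,
               ("ML-DSA", 44): 2, ("ML-DSA", 65): 3, ("ML-DSA", 87): 5}  # FIPS 203/204

class Entry(NamedTuple):
    alg: str    # "RSA", "ECDSA", "AES", "SHA2", "ML-KEM", ...
    size: int   # modulus, curve, key or digest size in bits; parameter set for PQC
    use: str    # "collision" or "preimage" for hashes, otherwise descriptive only

def classical_bits(e):
    """Classical (non-quantum) security strength in bits."""
    if e.alg == "RSA":
        return max((s for k, s in RSA_STRENGTH.items() if k <= e.size), default=0)
    if e.alg in ("ECDSA", "ECDH"):
        return min(e.size // 2, 256)          # P-256 -> 128, P-384 -> 192, P-521 -> 256
    if e.alg.startswith("SHA"):
        return e.size // 2 if e.use == "collision" else e.size
    return e.size                             # AES key length

def pq_category(e):
    """PQ security category (0 = below Category 1); None for classical asymmetric."""
    if e.alg in CLASSICAL_ASYM:
        return None
    if (e.alg, e.size) in PQ_CATEGORY:
        return PQ_CATEGORY[(e.alg, e.size)]
    bits = classical_bits(e)                  # Cat 1/3/5 = AES-128/192/256, Cat 2/4 = SHA-256/384 collision
    ladder = [(192, 4), (128, 2)] if e.use == "collision" else [(256, 5), (192, 3), (128, 1)]
    return next((cat for floor, cat in ladder if bits >= floor), 0)

def status(e, year):
    """'allowed', 'deprecated' or 'disallowed' in `year` under the IR 8547 timeline."""
    if (e.alg, e.size) in PQ_CATEGORY or classical_bits(e) > 112:
        return "allowed"
    if classical_bits(e) < 112:
        return "disallowed"                   # strengths below 112 bits were disallowed before 2030
    if e.alg in CLASSICAL_ASYM:               # 112-bit asymmetric: deprecated after 2030, gone after 2035
        return "disallowed" if year > 2035 else "deprecated" if year > 2030 else "allowed"
    return "disallowed" if year > 2030 else "allowed"   # 112-bit symmetric, e.g. SHA-224 collision

def audit(inventory, year, required_category):   # one (entry, status, category, meets) row per item
    return [(e, status(e, year), pq_category(e), (pq_category(e) or 0) >= required_category)
            for e in inventory]

SAMPLE = [Entry("RSA", 2048, "keyex"), Entry("SHA2", 224, "collision"), Entry("AES", 128, "encrypt"),
          Entry("ECDSA", 256, "sign"), Entry("ML-KEM", 768, "keyex")]   # constructed inventory
```

Running `audit(SAMPLE, 2031, 3)` flags RSA-2048 as deprecated, the SHA-224 collision use as disallowed, and shows that only the ML-KEM-768 entry meets a Category 3 target.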
Contact us today to leverage AgileSec Platform's advanced capabilities allowing your organization to align with NIST's post-quantum cryptography recommendations to discover vulnerabilities, maintain compliance, and future-proof your cryptographic infrastructure.