On August 24, the National Institute of Standards and Technology (NIST) released drafts of three post-quantum cryptographic (PQC) standards and issued a Request for Comments on these drafts to the cryptographic community.
How do these Drafts relate to NIST’s Overall PQC Project?
The standards for these three drafts are scheduled to be finalized early next year. The following timeline shows how this relates to other milestones and algorithms in NIST’s PQC standardization project.
- 2016 - Initial call for proposals for NIST’s PQC standardization process.
- 2017-2022 - Analysis of initial 69 submissions and progressive narrowing of the candidate pool.
- 2020 - In a separate process, two stateful post-quantum digital signature algorithms, XMSS and LMS/HSS, were standardized in NIST’s Special Publication SP 800-208.
- 2022 - NIST selects 4 algorithms for standardization: Kyber, Dilithium, FALCON, and SPHINCS+. NIST also chose additional key establishment algorithms for a fourth round of analysis.
- July 2023 - NIST releases 40 additional PQC digital signature submissions to undergo analysis.
- Aug 2023 - NIST releases drafts for Kyber, Dilithium, and SPHINCS+, renamed ML-KEM, ML-DSA, and SLH-DSA, respectively, and requests comments on these drafts.
- Nov 2023 - Comments on the drafts for ML-KEM, ML-DSA, and SLH-DSA are due.
- Early 2024 - NIST is expected to publish the final ML-KEM, ML-DSA, and SLH-DSA standards. We do not expect large-scale changes between the drafts and the final standards.
- Summer 2024 - NIST is expected to release a standard draft for FALCON.
- 2025 onward - Continued work on the standardization of additional PQC algorithms.
What are the Algorithms that are being Standardized?
The PQC algorithms that NIST is standardizing satisfy different use cases and properties. Some PQC algorithms are used to establish a shared secret key, while others are digital signature algorithms used to authenticate entities. Some PQC algorithms are general-purpose and suited to most uses, while others will only be applied in specific scenarios. Different algorithms come from different mathematical areas and rest on different security assumptions. Below, we give the main properties of the PQC algorithms being standardized:
Module-Lattice-Based Key-Encapsulation Mechanism Standard (ML-KEM) – FIPS 203
- Previously called Kyber.
- A general-purpose algorithm that is used for establishing a shared secret key.
- Recommended by the National Security Agency (NSA) in their Commercial National Security Algorithm Suite CNSA 2.0.
- From an area of cryptography based on lattices. Lattice-based cryptography has been studied since the 1990s, and its security is believed to be well-understood.
Module-Lattice-Based Digital Signature Standard (ML-DSA) – FIPS 204
- Previously called Dilithium.
- A general-purpose digital signature algorithm.
- Recommended by the NSA in CNSA 2.0.
- A lattice-based algorithm.
Stateless Hash-Based Digital Signature Standard (SLH-DSA) – FIPS 205
- Previously called SPHINCS+.
- InfoSec Global researchers took part in developing SPHINCS+, and InfoSec Global is listed on the SPHINCS+ team.
- A digital signature algorithm known for its security.
- A hash-based cryptographic algorithm: its security rests directly on the security of the underlying, well-known hash function, making it an appropriate choice for those who value the highest level of protection.
FALCON (No Draft Standard Released Yet)
- A draft standard is scheduled to be released in around a year.
- A special use-case digital signature algorithm.
- A lattice-based algorithm.
- Not recommended for general use due to difficulties in creating secure implementations.
- Has the smallest bandwidth, which may make it the best solution for specific situations.
NIST Released the Drafts: What are the Next Steps?
Now that NIST has released the drafts of these algorithms, it is time to begin the process of migrating to PQC. As Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA), explains, “It is imperative for all organizations, especially critical infrastructure, to begin preparing now for migration to post-quantum cryptography.”
Discovery
On August 21, CISA, the NSA, and NIST published a factsheet discussing the importance of preparing a cryptographic inventory and developing a quantum readiness roadmap with technology vendors.
The unfortunate reality is that most large organizations are unaware of the cryptography that they utilize. To complete a cryptographic migration, it is necessary first to perform an inventory of the organization’s current cryptographic assets. This can be done using a cryptographic discovery tool like InfoSec Global’s AgileSec™ Analytics software.
Experimentation/Crypto-Agility
While minor changes may exist between these drafts and the final standards, the key sizes, signature sizes, and timings will remain very similar. This is the ideal time to experiment with implementations of the draft standard to iron out details and avoid difficulties during the migration process. More generally, building crypto-agility into products and systems is essential to reduce the amount of work needed in a cryptographic migration.
Crypto-agility is a modern concept that addresses an age-old problem. When the first cryptographic algorithms were designed, it was assumed that they would remain secure. However, over the decades, we have learned the hard way that cryptographic algorithms need to be replaced from time to time. Crypto-agility should be built into the application level to reduce the work required during a cryptographic migration. This can be done by using InfoSec Global’s Cryptographic Agility Management Platform.
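To make two of the points above concrete, here is an added example (not InfoSec Global's or NIST's code, and not SLH-DSA itself): a minimal Lamport one-time signature whose security reduces to the hash function, illustrating why hash-based schemes are considered conservative, wrapped in a small registry that shows what application-level crypto-agility looks like. The scheme name, the registry API, and the message are constructed for this example; SLH-DSA removes the one-time limitation shown here by combining many one-time keys under a hash tree.

```python
import hashlib
import secrets


class LamportOTS:
    """Hash-based one-time signature over SHA-256 (constructed example).

    Forging a signature requires finding a SHA-256 preimage, so the
    scheme's security is exactly the hash function's security. Each key
    pair must sign only ONE message: a second signature reveals more
    secrets and lets an attacker mix them into forgeries.
    """
    name = "LAMPORT-SHA256"  # identifier the agile layer uses

    def keygen(self):
        # 256 pairs of random secrets; the public key is their hashes.
        sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
        pk = [(self._h(a), self._h(b)) for a, b in sk]
        return sk, pk

    def sign(self, sk, msg):
        # Reveal, for each message-digest bit, the secret for that bit value.
        return [pair[bit] for pair, bit in zip(sk, self._bits(msg))]

    def verify(self, pk, msg, sig):
        if len(sig) != 256:
            return False
        return all(self._h(s) == pair[bit]
                   for s, pair, bit in zip(sig, pk, self._bits(msg)))

    @staticmethod
    def _h(x):
        return hashlib.sha256(x).digest()

    @staticmethod
    def _bits(msg):
        d = hashlib.sha256(msg).digest()
        return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


class SignatureRegistry:
    """Crypto-agile layer: callers name a scheme, signatures carry the scheme
    identifier, and deprecating a scheme stops new signing while still
    allowing verification of existing signatures during a migration."""

    def __init__(self):
        self._schemes, self._deprecated = {}, set()

    def register(self, scheme):
        self._schemes[scheme.name] = scheme

    def deprecate(self, name):
        self._deprecated.add(name)

    def sign(self, name, sk, msg):
        if name in self._deprecated:
            raise ValueError(f"{name} is deprecated for new signatures")
        return (name, self._schemes[name].sign(sk, msg))

    def verify(self, pk, msg, tagged_sig):
        name, sig = tagged_sig
        scheme = self._schemes.get(name)  # unknown scheme -> reject
        return scheme is not None and scheme.verify(pk, msg, sig)
```

Adding a new standard such as ML-DSA to this design means registering another object with a `name`, `sign` and `verify`; the code that calls `registry.sign` and `registry.verify` does not change.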
Looking Forward
The final standards for these four PQC algorithms are scheduled to be released in early 2024. However, now is the ideal time to prepare for the upcoming cryptographic migration by discovering your cryptographic artifacts, experimenting with these algorithms, and making your applications crypto-agile. We look forward to the continuing work of NIST and helping organizations with this PQC migration.