On October 24th, 2024, the National Institute of Standards and Technology (NIST) selected 14 candidate algorithms to proceed to the second round of evaluation in its standardization process for additional post-quantum digital signature algorithms.

One question that may come to mind is, “Didn’t NIST just set standards for post-quantum digital signature algorithms?” It is true that in August 2024 NIST released three finalized Post-Quantum Cryptography (PQC) standards:

  1. ML-KEM (FIPS 203): a key-encapsulation mechanism (formerly Kyber),
  1. ML-DSA (FIPS 204): a digital signature algorithm (formerly Dilithium),
  1. SLH-DSA (FIPS 205): a digital signature algorithm (formerly SPHINCS+).

A draft standard for a fourth algorithm, the digital signature algorithm FN-DSA (formerly FALCON), is set to be released in late 2024.

Despite growing concerns about quantum threats to current cryptographic systems, the cybersecurity community lacked clear direction on which algorithms to adopt until NIST released these standards. Now that the algorithms are standardized, there has been a flurry of activity around PQC migration. With the National Security Agency (NSA) recommending ML-KEM and ML-DSA as reasonable general-purpose algorithms, many people have come to view these standards as final, steady-state cryptographic solutions for their security needs.

Current Challenges with Existing PQC Standards

Cryptographic researchers continue to find both more powerful attacks and better cryptographic algorithms. Submissions to NIST’s original PQC standardization process were due in 2017, and a great deal of research on PQC algorithms has been done since. In 2022, NIST therefore initiated a second standardization process to evaluate additional, more recently developed quantum-safe digital signature algorithms. NIST is also still finishing its first PQC standardization process, evaluating a few more key-establishment algorithms in an additional round of assessment.

ML-DSA is the current favorite among NIST’s standardized PQC digital signature algorithms; however, even its smallest signature (2,420 bytes for ML-DSA-44) exceeds the typical 1,500-byte network MTU, so a signature cannot fit into a single internet packet. FN-DSA, once standardized, will have much shorter signatures (666 bytes for Falcon-512), but it relies on floating-point arithmetic, which makes it challenging to implement correctly. Citing these implementation difficulties, the NSA has recommended against using FN-DSA. Experts hope NIST’s second standardization process will yield an additional algorithm with shorter signatures that is also straightforward to implement.

It is unclear whether such an algorithm, one that is both secure and easier to deploy than ML-DSA, even exists. Most of the algorithms submitted in response to NIST’s call for additional digital signatures rely on novel, less-studied security assumptions that must be scrutinized. The 14 Round 2 candidates span six families: code-based (CROSS, LESS), isogeny-based (SQIsign), lattice-based (HAWK), MPC-in-the-head (Mirath, MQOM, PERK, RYDE, SDitH), multivariate (MAYO, QR-UOV, SNOVA, UOV), and symmetric-based (FAEST). Before standardizing any of them, NIST will complete a multi-year process like the one that led to the standardization of ML-KEM, ML-DSA, and SLH-DSA.

NIST's Continued Standardization Timeline and Process

We expect this standardization process to have the following structure:

  • Start of Round 1 (July 17th, 2023): Shortly after the submission deadline, NIST released a list of 40 Round 1 candidates: every submission that NIST considered “complete and proper.” At that stage NIST had not evaluated the algorithms for security or efficiency.
  • Start of Round 2 (October 24th, 2024): NIST announced the 14 algorithms it considers promising and worthy of further examination, having analyzed the Round 1 field, with the help of the cryptographic community at large, for “security, cost and performance, and algorithm and implementation characteristics.”
  • Further Rounds: NIST can be expected to narrow the field again so that cryptanalysts can focus their attention on the most promising candidates.
  • Standardization: Once NIST has chosen specific digital signature algorithms and is convinced that sufficient cryptanalysis has been completed to establish their security, it will release draft standards and request comments from the cryptographic community. Final standards follow this scrutiny.

The Importance of Crypto-Agility

As standardizing any new digital signature algorithm will take several years, organizations still need to migrate to the current quantum-safe digital signature standards before knowing which algorithm will be best in the long run. For this reason, we recommend adopting crypto-agile solutions. Effective cryptographic agility demands a streamlined, secure approach to managing cryptographic algorithms across applications. Speed is crucial: a vulnerability in a cryptographic algorithm must be addressed within hours, not weeks or months.

The diverse landscape of quantum-ready cryptographic algorithms, with their varying performance, memory requirements, and key and signature sizes, means that different applications may benefit from tailored sets of algorithms. This diversity calls for specific cryptographic policies for different application types and computing environments. Moreover, even the general-purpose digital signature algorithm ML-DSA might be replaced in several years by an overall better algorithm, one with smaller keys and signatures that avoids floating-point arithmetic.

The future of cryptography management cannot rely on IT personnel manually adjusting algorithm configurations for each piece of software and hardware; such an approach would be unsustainable. Instead, the solution lies in policy-driven agile cryptography: algorithm choices are expressed as centrally managed policy that applications consult at run time, so that an organization can quickly adopt more efficient algorithms and respond swiftly to any newly identified vulnerability.
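To make the policy-driven pattern concrete, here is an added example (not InfoSec Global's code or product) of a signature envelope that carries an algorithm identifier and is checked against a per-application policy before any cryptography runs. The two registered algorithms are Lamport one-time signatures over SHA-256 and SHA3-256, quantum-safe stand-ins chosen only so the block runs offline on the Python standard library; a real deployment would register ML-DSA, SLH-DSA or a future Round 2 winner behind the same (keygen, sign, verify) interface. The algorithm identifiers, context names, and sample message are this example's own assumptions.

```python
"""Policy-driven, crypto-agile signature envelope (added example).

Lamport OTS over SHA-256 / SHA3-256 stands in for ML-DSA and friends so the
block runs on the standard library alone.  A Lamport key signs ONE message
only; reusing it leaks the private key.
"""
import hashlib
import secrets
from dataclasses import dataclass, field


def _lamport(hash_name):
    """Return (keygen, sign, verify) for a Lamport OTS over the named hash."""
    def H(data):
        return hashlib.new(hash_name, data).digest()
    n = hashlib.new(hash_name).digest_size    # bytes per hash output
    bits = 8 * n                              # digest bits committed per key

    def keygen():
        sk = [(secrets.token_bytes(n), secrets.token_bytes(n)) for _ in range(bits)]
        pk = [(H(a), H(b)) for a, b in sk]
        return sk, pk

    def sign(sk, msg):
        d = H(msg)   # reveal one preimage per digest bit
        return b"".join(sk[i][(d[i // 8] >> (7 - i % 8)) & 1] for i in range(bits))

    def verify(pk, msg, sig):
        if len(sig) != bits * n:
            return False
        d = H(msg)
        return all(H(sig[i * n:(i + 1) * n]) == pk[i][(d[i // 8] >> (7 - i % 8)) & 1]
                   for i in range(bits))

    return keygen, sign, verify


# Algorithm identifiers (this example's own names) travel with every signature;
# verification looks the scheme up here instead of hard-coding it.
REGISTRY = {
    "lamport-sha256": _lamport("sha256"),
    "lamport-sha3-256": _lamport("sha3_256"),
}


@dataclass
class SignaturePolicy:
    """Allowed algorithms per application context, plus an emergency kill switch."""
    allowed: dict                               # context -> set of algorithm ids
    revoked: set = field(default_factory=set)   # applies to the very next call

    def permits(self, context, alg):
        return alg in self.allowed.get(context, set()) and alg not in self.revoked

    def revoke(self, alg):
        self.revoked.add(alg)


class PolicyError(Exception):
    pass


def sign_envelope(policy, context, alg, sk, msg):
    if not policy.permits(context, alg):
        raise PolicyError(f"{alg} is not permitted for {context}")
    _, sign, _ = REGISTRY[alg]
    return {"alg": alg, "msg": msg.hex(), "sig": sign(sk, msg).hex()}


def verify_envelope(policy, context, pk, env):
    # Policy is checked BEFORE any cryptographic work: a revoked algorithm is
    # rejected even when its signature would otherwise verify.
    alg = env.get("alg")
    if alg not in REGISTRY or not policy.permits(context, alg):
        return False
    _, _, verify = REGISTRY[alg]
    return verify(pk, bytes.fromhex(env["msg"]), bytes.fromhex(env["sig"]))


def demo():
    """Sign under two algorithms, revoke one, and watch verification flip."""
    policy = SignaturePolicy(allowed={
        "firmware": {"lamport-sha256", "lamport-sha3-256"},
        "tls-server": {"lamport-sha3-256"},     # tighter context, fewer algorithms
    })
    msg = b"firmware image v1.2.3 (constructed sample)"
    sk1, pk1 = REGISTRY["lamport-sha256"][0]()
    sk2, pk2 = REGISTRY["lamport-sha3-256"][0]()
    env1 = sign_envelope(policy, "firmware", "lamport-sha256", sk1, msg)
    env2 = sign_envelope(policy, "firmware", "lamport-sha3-256", sk2, msg)
    tampered = dict(env1, msg=(msg + b"!").hex())
    results = {
        "sha256_ok": verify_envelope(policy, "firmware", pk1, env1),
        "tampered": verify_envelope(policy, "firmware", pk1, tampered),
        "wrong_context": verify_envelope(policy, "tls-server", pk1, env1),
        "sig_bytes": len(bytes.fromhex(env1["sig"])),
    }
    policy.revoke("lamport-sha256")             # e.g. a practical break is published
    results["sha256_after_revoke"] = verify_envelope(policy, "firmware", pk1, env1)
    results["sha3_still_ok"] = verify_envelope(policy, "firmware", pk2, env2)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two design points carry over to real deployments: the verifier trusts the policy, not the envelope, to decide which algorithms are acceptable, so a single `revoke` call (or a pushed policy update) takes effect on the next verification without touching application code; and because the scheme is looked up by identifier, adding a new algorithm is a registry entry plus a policy change. The 8,192-byte Lamport signature also makes the size problem discussed above tangible: it is larger than any ML-DSA signature and would need several packets.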
