NIST unveils post-quantum cryptography standards. What does it mean

Why it matters

The rapid evolution of quantum computing has brought numerous concerns around cybersecurity, particularly data encryption. The theoretical power offered by quantum computers can decrypt the most complicated encryption schemes in use today in just a matter of seconds. NIST sees these new standards as a blueprint for governments and private sector organizations worldwide to deploy to mitigate the potential threats quantum computing may present.

Acknowledging the threats of quantum computing, businesses and government agencies have been working to protect data. Back in 2016, NIST launched a process where industry and government leaders could collaborate on the development of PQC standards. IBM researchers developed two of the three standards, while the third was co-developed by a researcher who recently joined IBM. Some major businesses, including Apple, Meta and Google have been quick to act and have been working with hybrid post-quantum solutions featuring draft versions of the finalized standards and are actively implementing new encryption technologies to mitigate potential threats.

What they say

Laurie E. Locascio, Under Secretary of Commerce for Standards and Technology and NIST Director

"Quantum computing technology could become a force for solving many of society's most intractable problems, and the new standards represent NIST's commitment to ensuring it will not simultaneously disrupt our security. These finalized standards are the capstone of NIST's efforts to safeguard our confidential electronic information."

Duston Moody, NIST mathematician and head of the PQC standardization project

"We encourage system administrators to start integrating [the standards] into their systems immediately because full integration will take time. There is no need to wait for future standards. We need to be prepared in case of an attack that defeats the algorithms in these three standards, and we will continue working on backup plans to keep our data safe."

What we say

Eventually, we're going to cross that line of about 4,000 or so logical qubits that can crack encryption. When that happens, certain secrets will be exposed, and we can't just flip a switch and rewrite everything. We can't just have everyone set up with new encryption standards overnight-that all takes time. These NIST standards are a significant step in that process to help protect sensitive and classified information for both the public and private sectors. The U.S. government set a deadline of 2035 to be ready, but that feels too far off. I see 2030 as when we have a potential for machines capable of cracking encryption-and maybe sooner-so the private sector, especially, should be moving quickly on this, and these standards are a good starting point.

The bottom line

Even though quantum computers that can crack encryption could be a decade away, attackers are harvesting encrypted data, regulators will soon come calling, and migration to PQC will take time. Business and government leaders should begin the process of migrating data to post-quantum cryptography, including inventorying and managing data to become "crypto-agile" as soon as possible.

• Know your crypto: Understand the cryptographic algorithms and protocols currently in use within your organization.
• Abstract it out: Design your systems in a way that allows for easy replacement of cryptographic algorithms.
• Manage your data: Ensure that your data is protected and that you have a clear understanding of where and how cryptographic keys are used.

About VISION by Protiviti