Some cryptographers and mathematicians believe that the current limitations of quantum computing mean RSA and today's other public-key algorithms are safe for now. Others worry that a quantum computer capable of breaking them will arrive sooner than expected, and that quantum computing therefore poses a significant security concern.
It's a concern the U.S. government takes seriously. The National Institute of Standards and Technology (NIST) has been leading efforts to standardize post-quantum cryptography (PQC) algorithms. And in September 2022, the NSA published a Cybersecurity Advisory (CSA) announcing the Commercial National Security Algorithm Suite 2.0 (CNSA 2.0), which requires National Security Systems to complete the move to quantum-resistant algorithms by 2035.
After years of research and collaboration, NIST standardized the first three PQC algorithms, publishing FIPS 203, 204, and 205 in August 2024. So where does that put us now, and what's next on the path to securing a quantum-resistant future?
On August 13, 2024, NIST published three standards specifying algorithms designed to remain secure even against large-scale, fault-tolerant quantum computers:
FIPS 203: Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM), derived from CRYSTALS-Kyber
FIPS 204: Module-Lattice-Based Digital Signature Standard (ML-DSA), derived from CRYSTALS-Dilithium
FIPS 205: Stateless Hash-Based Digital Signature Standard (SLH-DSA), derived from SPHINCS+
NIST believes these PQC algorithms can stand up to attackers, quantum-equipped ones included. But at the International Cryptographic Module Conference 2024 (ICMC24) in September, the institute said it will keep evaluating and standardizing additional quantum-resistant algorithms to broaden the set of standardized PQC options. As that work continues, organizations are encouraged to work toward crypto-agility: the ability to swap algorithms, key sizes, and protocol parameters without redesigning the systems that use them.
In the meantime, NIST welcomes public feedback on the published standards. And on October 24, 2024, the institute announced fourteen candidates advancing to the second round of its Additional Digital Signatures for the PQC Standardization Process. Any algorithms selected from that process are meant to complement, not replace, the signature schemes already specified in FIPS 204, FIPS 205, FIPS 186-5 (Digital Signature Standard), and SP 800-208 (Recommendation for Stateful Hash-Based Signature Schemes).
On the same day NIST published the PQC standards, the Cryptographic Module Validation Program (CMVP)—the validation authority for FIPS 140-3—updated:
SP 800-140C to include FIPS 204 and FIPS 205 as approved digital signature methods.
SP 800-140D to include FIPS 203 as an approved key encapsulation method.
FIPS 140-3 Implementation Guidance (IG) 10.3.A, “Cryptographic Algorithm Self-Test Requirements,” to specify the self-tests a module must perform on its PQC implementations before a vendor can claim these algorithms as approved services in a FIPS 140-3 validated module.
Several vendors' implementations of ML-KEM, ML-DSA, and SLH-DSA have already obtained Cryptographic Algorithm Validation Program (CAVP) certificates. At DigiCert, we're currently implementing the FIPS 203, FIPS 204, and FIPS 205 algorithms in the NanoCrypto module of TrustCore SDK.
While the PQC algorithms offer robust security, their public keys, ciphertexts, and signatures are far larger than their elliptic-curve counterparts, which creates bandwidth and performance challenges. For example, an ML-KEM-768 encapsulation key is 1,184 bytes and its ciphertext 1,088 bytes, and an ML-DSA-65 signature is 3,309 bytes, versus 32 bytes for an X25519 public key and 64 bytes for an ECDSA P-256 signature. That is especially painful in industries like IoT and the Internet of Medical Things (IoMT), where device memory, bandwidth, and processing power are often constrained. ML-KEM is gaining traction for key exchange because its key pairs are ephemeral: the larger keys are generated and sent once per session and never have to live in a certificate. Digital signature adoption faces higher hurdles, because every certificate in a chain carries a larger key and a larger signature, and signing (especially with SLH-DSA) takes more processing time.
At ICMC24, the Internet Engineering Task Force (IETF) announced that the final draft of a PQC-related RFC providing guidance for the industry was forthcoming. Whatever the final guidance says, a hybrid approach, which combines a PQC algorithm with a classical one, will ease the transition and avoid complete dependence on new algorithms that have not yet had the same level of scrutiny as the classical ones.
In a hybrid key exchange, the session key is derived from both a classical shared secret (for example, X25519) and a PQC shared secret (for example, ML-KEM), so an attacker has to break both to recover the key. That protects against “harvest-now, decrypt-later” attacks, in which an adversary records encrypted traffic today and holds onto it until quantum computers powerful enough to break the classical exchange are available: the recording stays useless unless ML-KEM also falls. The approach also supports backward compatibility during the transition from classical algorithms to PQC, since a peer that does not yet support the hybrid group can still negotiate a classical-only exchange.
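To make the combination concrete, here is an added example (not code from the original post, from DigiCert, or from any of the drafts named on this page) of a hybrid X25519 plus ML-KEM-768 key exchange in Go, using only the standard library. It assumes Go 1.24 or later, which added crypto/mlkem. The wire layout and secret ordering follow the X25519MLKEM768 hybrid group as the author of this example understands it (ML-KEM material first, then X25519; check the current IETF draft before relying on the exact order), and HKDF-Extract with an empty salt stands in for the Extract step of the TLS 1.3 key schedule. The names clientKeyShare, serverKeyShare, clientFinish and combine are this example's own. The sizes it reports also show the bandwidth cost discussed above: a hybrid client key_share is 1,216 bytes instead of 32.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Assumed wire layout (X25519MLKEM768 as understood here): ML-KEM first, X25519 second.
const (
	x25519Size      = 32
	clientShareSize = mlkem.EncapsulationKeySize768 + x25519Size // 1184 + 32
	serverShareSize = mlkem.CiphertextSize768 + x25519Size       // 1088 + 32
)

// clientState keeps the client's two private values until the server's share arrives.
type clientState struct {
	kemDK    *mlkem.DecapsulationKey768
	ecdhPriv *ecdh.PrivateKey
}

// clientKeyShare generates fresh ML-KEM-768 and X25519 key pairs and returns the
// bytes the client would place in its ClientHello key_share extension.
func clientKeyShare() (*clientState, []byte, error) {
	dk, err := mlkem.GenerateKey768()
	if err != nil {
		return nil, nil, err
	}
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	share := make([]byte, 0, clientShareSize)
	share = append(share, dk.EncapsulationKey().Bytes()...)
	share = append(share, priv.PublicKey().Bytes()...)
	return &clientState{kemDK: dk, ecdhPriv: priv}, share, nil
}

// serverKeyShare parses the client share, encapsulates to the ML-KEM key, performs
// its own X25519 exchange, and returns its ServerHello share plus the derived secret.
// A share of the wrong length is rejected before any key material is touched.
func serverKeyShare(clientShare []byte) ([]byte, []byte, error) {
	if len(clientShare) != clientShareSize {
		return nil, nil, errors.New("hybrid client share has wrong length")
	}
	ek, err := mlkem.NewEncapsulationKey768(clientShare[:mlkem.EncapsulationKeySize768])
	if err != nil {
		return nil, nil, err
	}
	clientPub, err := ecdh.X25519().NewPublicKey(clientShare[mlkem.EncapsulationKeySize768:])
	if err != nil {
		return nil, nil, err
	}
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	ecdhSS, err := priv.ECDH(clientPub) // errors on low-order (all-zero) results
	if err != nil {
		return nil, nil, err
	}
	kemSS, ct := ek.Encapsulate()
	serverShare := make([]byte, 0, serverShareSize)
	serverShare = append(serverShare, ct...)
	serverShare = append(serverShare, priv.PublicKey().Bytes()...)
	return serverShare, combine(kemSS, ecdhSS), nil
}

// clientFinish consumes the server share and derives the same secret on the client side.
func clientFinish(st *clientState, serverShare []byte) ([]byte, error) {
	if len(serverShare) != serverShareSize {
		return nil, errors.New("hybrid server share has wrong length")
	}
	kemSS, err := st.kemDK.Decapsulate(serverShare[:mlkem.CiphertextSize768])
	if err != nil {
		return nil, err
	}
	serverPub, err := ecdh.X25519().NewPublicKey(serverShare[mlkem.CiphertextSize768:])
	if err != nil {
		return nil, err
	}
	ecdhSS, err := st.ecdhPriv.ECDH(serverPub)
	if err != nil {
		return nil, err
	}
	return combine(kemSS, ecdhSS), nil
}

// combine runs HKDF-Extract (HMAC-SHA-256, empty salt) over kemSS || ecdhSS, standing
// in for the TLS 1.3 key schedule. An attacker who breaks only X25519 or only ML-KEM
// is still missing half of the extract input, so the output stays unpredictable.
func combine(kemSS, ecdhSS []byte) []byte {
	mac := hmac.New(sha256.New, nil)
	mac.Write(kemSS)
	mac.Write(ecdhSS)
	return mac.Sum(nil)
}

func main() {
	st, cs, err := clientKeyShare()
	if err != nil {
		panic(err)
	}
	ss, serverSecret, err := serverKeyShare(cs)
	if err != nil {
		panic(err)
	}
	clientSecret, err := clientFinish(st, ss)
	if err != nil {
		panic(err)
	}
	fmt.Printf("client share %d bytes, server share %d bytes, secrets match: %v\n",
		len(cs), len(ss), bytes.Equal(clientSecret, serverSecret))
}
```

Both sides end with the same 32-byte secret, and a share of the wrong length is rejected before any arithmetic runs. Because the extract input is the ML-KEM secret followed by the X25519 secret, an adversary who one day solves the Curve25519 discrete logarithm with a quantum computer still needs the ML-KEM shared secret to derive the key, which is the harvest-now, decrypt-later protection in practice.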
A number of protocols have begun integrating PQC algorithms.
TLS protocol
OpenSSL 3.x (3.2 included) can use PQC algorithms through the Open Quantum Safe project's oqs-provider, which wraps liboqs and is loaded as a provider rather than being part of OpenSSL itself. Researchers from the University of Waterloo, Cisco Systems, and the University of Haifa are authoring an IETF draft that describes how to combine a classical key exchange with a post-quantum KEM such as ML-KEM (originally Kyber) in the TLS 1.3 key_share (draft-ietf-tls-hybrid-design-10, “Hybrid key exchange in TLS 1.3”).
SSH protocol
The Open Quantum Safe fork of OpenSSH (https://github.com/open-quantum-safe/openssh) adds PQC algorithms via liboqs for both key exchange and public key authentication. Upstream OpenSSH has also shipped hybrid post-quantum key exchange: sntrup761x25519-sha512 has been the default since OpenSSH 9.0, and mlkem768x25519-sha256 was added in OpenSSH 9.9. The University of Waterloo and AWS are working on an IETF draft that describes a PQ/T hybrid of ML-KEM and elliptic-curve Diffie-Hellman for the SSH key exchange (draft-kampanakis-curdle-ssh-pq-ke-04, “PQ/T Hybrid Key Exchange in SSH”).
IKEv2 protocol
strongSwan added support for PQC algorithms via liboqs in its 6.0 series (see the pq-strongswan Docker image: https://github.com/strongX509/docker/tree/master/pq-strongswan#readme), and three RFCs supply the building blocks for quantum-resistant IKEv2:
RFC 8784: Mixing Preshared Keys in the Internet Key Exchange Protocol Version 2 (IKEv2) for Post-Quantum Security. A post-quantum preshared key (PPK) is mixed into SK_d, SK_pi, and SK_pr, so Child SA keys and peer authentication stay secure even if the (EC)DH exchange is later broken.
RFC 9242: Intermediate Exchange in the IKEv2 Protocol. The IKE_INTERMEDIATE exchange runs between IKE_SA_INIT and IKE_AUTH and can be fragmented, so large PQC public keys and ciphertexts fit on the wire.
RFC 9370: Multiple Key Exchanges in IKEv2. Additional key exchanges (for example, ML-KEM after the classical (EC)DH) are carried in IKE_INTERMEDIATE exchanges and their shared secrets are folded into the IKE SA keys, giving IKEv2 a hybrid key exchange.
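As an added example of how RFC 8784 mixes a PPK into the IKE SA keys (this is not code from strongSwan, from DigiCert, or from the original post), the following Go program implements IKEv2's prf+ (RFC 7296, section 2.13) with HMAC-SHA-256 and applies the RFC 8784 derivation SK_d' = prf+(PPK, SK_d), SK_pi' = prf+(PPK, SK_pi), SK_pr' = prf+(PPK, SK_pr). The input keys and the PPK are constructed sample values, not material from a real IKE exchange, and prfPlus, ikeSAKeys, mixPPK, and sampleKeys are names chosen for this example.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// prfPlus is prf+ from RFC 7296 section 2.13 instantiated with HMAC-SHA-256:
//   T1 = prf(K, S | 0x01), Tn = prf(K, T(n-1) | S | n), prf+(K, S) = T1 | T2 | ...
// The block counter is a single byte, so at most 255 blocks can be produced.
func prfPlus(key, seed []byte, length int) ([]byte, error) {
	if length > 255*sha256.Size {
		return nil, fmt.Errorf("prf+ cannot produce %d bytes", length)
	}
	var out, prev []byte
	for n := 1; len(out) < length; n++ {
		mac := hmac.New(sha256.New, key)
		mac.Write(prev) // empty for T1
		mac.Write(seed)
		mac.Write([]byte{byte(n)})
		prev = mac.Sum(nil)
		out = append(out, prev...)
	}
	return out[:length], nil
}

// ikeSAKeys holds the IKE SA keying material that RFC 8784 modifies. SK_ai/SK_ar and
// SK_ei/SK_er (the initial IKE SA's own integrity and encryption keys) are left
// unchanged by the RFC and are omitted here.
type ikeSAKeys struct {
	SKd, SKpi, SKpr []byte
}

// mixPPK applies RFC 8784 section 5.1 once both peers have agreed on a PPK:
//   SK_d'  = prf+(PPK, SK_d)
//   SK_pi' = prf+(PPK, SK_pi)
//   SK_pr' = prf+(PPK, SK_pr)
// Each derived key keeps the length of the key it replaces. SK_d seeds every Child SA
// and SK_pi/SK_pr feed the AUTH payloads, so an attacker who later breaks the
// classical (EC)DH exchange still lacks the PPK and can neither recover Child SA
// traffic keys nor forge authentication.
func mixPPK(k ikeSAKeys, ppk []byte) (ikeSAKeys, error) {
	d, err := prfPlus(ppk, k.SKd, len(k.SKd))
	if err != nil {
		return ikeSAKeys{}, err
	}
	pi, err := prfPlus(ppk, k.SKpi, len(k.SKpi))
	if err != nil {
		return ikeSAKeys{}, err
	}
	pr, err := prfPlus(ppk, k.SKpr, len(k.SKpr))
	if err != nil {
		return ikeSAKeys{}, err
	}
	return ikeSAKeys{SKd: d, SKpi: pi, SKpr: pr}, nil
}

// sampleKeys returns constructed IKE SA keys standing in for the output of the normal
// IKE_SA_INIT key derivation (example data, not a captured exchange).
func sampleKeys() ikeSAKeys {
	return ikeSAKeys{
		SKd:  bytes.Repeat([]byte{0x11}, 32),
		SKpi: bytes.Repeat([]byte{0x22}, 32),
		SKpr: bytes.Repeat([]byte{0x33}, 32),
	}
}

func main() {
	// Constructed PPK for illustration only; a real PPK is a high-entropy shared secret.
	ppk := []byte("example-ppk-do-not-reuse")
	mixed, err := mixPPK(sampleKeys(), ppk)
	if err != nil {
		panic(err)
	}
	fmt.Printf("SK_d'  = %x\nSK_pi' = %x\nSK_pr' = %x\n", mixed.SKd, mixed.SKpi, mixed.SKpr)
}
```

The IKE SA's own SK_e and SK_a keys are deliberately left alone, which is why RFC 8784 protects Child SA traffic and authentication but not the initial IKE SA itself; RFC 9370's additional key exchanges are the path to making the IKE SA keys quantum-resistant as well.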
The CNSA 2.0 advisory of September 2022 outlined plans to phase out RSA, Diffie-Hellman (DH), and elliptic curve cryptography (ECDH and ECDSA) in National Security Systems (NSS) by 2035, the date by which the transition must be complete. After that, only quantum-resistant algorithms will be permitted in NSS, and some federal security agencies recommend being PQC-ready as early as 2030.
SLH-DSA (also known as SPHINCS+) is not included in CNSA 2.0 and is not approved for any use in NSS; for hash-based signatures, CNSA 2.0 relies on the stateful LMS and XMSS schemes of SP 800-208 instead. FN-DSA (Falcon) is likewise absent from CNSA 2.0 and has not yet been standardized by NIST, and NSA notes that it appears more susceptible to security-impacting implementation errors. NIST's work on a Falcon standard (planned as FIPS 206) continues alongside its broader PQC portfolio.
NSA encourages vendors to begin transitioning to CNSA 2.0 algorithms as soon as possible according to this timeline:
Software and firmware signing: Begin transition immediately. Where available, support and prefer CNSA 2.0 by 2025; exclusive use by 2030.
Web browsers/servers and cloud services: Support and prefer CNSA 2.0 by 2025; exclusive use by 2033.
Traditional network equipment (e.g., virtual private networks and routers): Support and prefer CNSA 2.0 by 2026; exclusive use by 2030.
Operating systems: Support and prefer CNSA 2.0 by 2027; exclusive use by 2033.
To strengthen the use of existing cryptographic algorithms before the transition to PQC, NIST also released an initial public draft of revision 3 of SP 800-131A (Transitioning the Use of Cryptographic Algorithms and Key Lengths). This revision provides guidance to:
By 2030, deprecate and then disallow legacy algorithms and modes such as SHA-1, SHA-224, and AES in ECB mode.
Increase the security strength requirement from 112 bits to 128 bits.
Include the PQC standards in the acceptance list.
For more information, see the NSA’s statement on the NSS requirements for quantum-resistant algorithms.
Although NIST has finalized its PQC standards, the National Information Assurance Partnership/Common Criteria Evaluation and Validation Scheme (NIAP/CCEVS) is still drafting updates to Protection Profiles to include the new algorithms. These updates are crucial for ensuring compliance with PQC standards in Commercial-Off-the-Shelf (COTS) and Government-Off-the-Shelf (GOTS) products.
Organizations will need to stay informed about these changes to ensure smooth transitions and compliance with CNSA 2.0 requirements. As we await further updates from the NIAP program, DigiCert will remain committed to supporting customers throughout the transition.
Want to learn more about topics like crypto-agility and PQC? Subscribe to the DigiCert blog to ensure you never miss a story.