The National Institute of Standards and Technology (NIST) is continuing to lead the charge in the transition to post-quantum cryptography (PQC) standards, publishing a draft report on Tuesday that outlines how it plans to replace cryptographic algorithms vulnerable to quantum computers with quantum-resistant ones.
Quantum computing has the ability to break many common forms of encryption, posing a significant threat to cybersecurity as we know it.
Therefore, in August, NIST unveiled its first set of three encryption algorithms designed to withstand cyberattacks from a quantum computer. After nearly a decade of research, the algorithms are ready for immediate use by system administrators.
The 29-page draft report published on Nov. 12 identifies existing quantum-vulnerable cryptographic standards and the current quantum-resistant standards that will be used in the migration.
The report is meant to inform the efforts and timelines of Federal agencies, industry, and standards organizations for migrating their IT products and services to PQC. However, NIST warned that time is running out for organizations to begin their transitions.
“Even though there are no existing cryptographically relevant quantum computers that currently threaten levels of security, it will take a significant amount of time to transition to new post-quantum algorithms,” NIST explains. “Past cryptographic migrations have taken over a decade, and this more complex migration will likely take at least that long.”
As a result, NIST said that organizations will need to begin their PQC migration today “to avoid having their encrypted data exposed once quantum computers become operational in the future.” NIST said this is especially important for data with “long-term sensitivity,” such as government secrets or medical records.
The White House has established the year 2035 as the primary target for completing the migration to PQC across Federal agencies. However, NIST acknowledged that migration timelines may vary based on the specific use case or application.
“Flexibility in migration planning is essential to balance the urgency of securing critical systems with the practical challenges that different sectors face during this transition,” the document says. “NIST will work to ensure that these varying timelines are acknowledged and supported while maintaining the overall goal of achieving widespread PQC adoption by 2035.”
Throughout the migration to PQC, NIST said it will continue to update its documents to provide more detailed guidance.
NIST is looking for comments on the draft report “to revise this transition plan and feed into other algorithm- and application-specific guidance for the transition to PQC.” Comments are due by Jan. 10, 2025.
