
NIST Publishes its “Transition to Post-Quantum Cryptography Standards” Report

NIST recently released an Initial Public Draft titled “Transition to Post-Quantum Cryptography Standards”. This document is a must-read for all cybersecurity professionals and decision makers who need to understand the ins and outs of the post-quantum transition.

 

The Draft covers the impacted cryptographic functions: digital signatures, key establishment, and symmetric cryptography. These are only the tip of the iceberg when it comes to the scope of migration, as all the underlying applications and systems may need to be upgraded as well. Those upgrades will be the bulk of the work in the transition to quantum-safe cryptography, a complex and lengthy task that may take 10 to 20 years to complete. The algorithmic part, which has now been standardized in its initial draft, is only the beginning of a long journey.

The document outlines a number of migration considerations and analyses several interesting use cases, including code signing and network security protocols such as TLS. In the near term, hybrid protocols are recommended for the best security. They mix quantum-vulnerable (but well-understood) protocols with newer, quantum-resistant protocols that may still contain implementation errors. However, this should only be temporary, with legacy protocols being deprecated and later disallowed.

The transition timeline towards deprecation and disallowance of quantum-vulnerable algorithms is the last and probably most actionable part of the document. Deprecated algorithms can still be used but may carry a security risk. It will be up to the data owner to examine the risk potential and make an informed decision. In terms of timing, most quantum-vulnerable algorithms should be deprecated by 2030 and disallowed by 2035. Taking into account a transition time of at least ten years, there is really no time to waste.

 

Table 4: Quantum-vulnerable key-establishment schemes

| Key Establishment Scheme | Parameters | Transition |
|---|---|---|
| Finite Field DH and MQV (SP80056A) | 112 bits of security strength | Deprecated after 2030; disallowed after 2035 |
| Finite Field DH and MQV (SP80056A) | ≥ 128 bits of security strength | Deprecated after 2030; disallowed after 2035 |
| Elliptic Curve DH and MQV (SP80056A) | 112 bits of security strength | Deprecated after 2030; disallowed after 2035 |
| Elliptic Curve DH and MQV (SP80056A) | ≥ 128 bits of security strength | Deprecated after 2030; disallowed after 2035 |
| RSA (SP80056B) | 112 bits of security strength | Deprecated after 2030; disallowed after 2035 |
| RSA (SP80056B) | ≥ 128 bits of security strength | Deprecated after 2030; disallowed after 2035 |

 

At ID Quantique, we advocate a dual quantum-safe strategy combining PQC with Quantum Key Distribution (QKD), an alternative key establishment mechanism based on quantum technologies. This approach has been backed by major financial players who have already announced a so-called Dual Strategy for Quantum-Safe, which entails PQC on the application layer and QKD on the network layer wherever feasible. This defence-in-depth approach to quantum-safe not only mitigates the risk of potential future weaknesses in PQC implementations but also adds flexibility for repeated migration or urgent swapping of PQC in the networks.

While PQC is believed to offer a robust defense against quantum attacks, it still operates within the classical computational framework and relies on the assumption that new cryptographic vulnerabilities won’t be discovered in the future. Importantly, NIST has highlighted that they are planning to release more PQC drafts, and that the migration should be seen as “dynamic” as opposed to a one-time effort. With such uncertain timelines, effort, cost and risk, QKD provides an important part of the mitigation strategy. QKD is a quantum-native technology that uses the principles of quantum mechanics to securely transmit encryption keys. It ensures that any attempt to intercept or tamper with the key will be immediately detected, making it a complementary solution to PQC.


 
