NIST recommends timelines for transitioning cryptographic algorithms

The quantum age is quickly approaching. This month, NIST (the US National Institute of Standards and Technology) posted an initial public draft (NIST IR 8457) detailing timelines and recommendations for the Transition to Post-Quantum Cryptography Standards.

The report details the strategic approach to transitioning systems away from the use of vulnerable cryptographic algorithms by 2035, a deadline based on the expectation of a viable quantum technique for breaking current encryption methods. It’s long been theorized that a cryptographically relevant quantum computer will be realized within the next decade.

What is the timeline for algorithm transition?

Following the publication of the first PQC NIST standards earlier this year, this new report is intended to encourage engagement from industry leaders, standards bodies, and relevant agencies. Transition is a pressing concern, especially as the threat of ‘harvest-now-decrypt-later’ attacks is already here, and developments in quantum computing are accelerating.

While the standards might be key to answering the question of how to transition, this report is a step towards understanding the ‘what’ and the ’when’.

In summary, NIST outlines the following timeline:

  • From now until 2030, existing encryption methods should be phased out
  • By 2030, algorithms relying on 112-bit security will be deprecated
  • By 2035, all systems will need to be transitioned, as traditional cryptographic algorithms will be disallowed

Digital Signature Algorithms

Key Establishment Schemes

Symmetric Cryptography

Symmetric cryptography standards are less vulnerable to quantum attack, and aren’t currently included in PQC transition recommendations. However, standards at the 112-bit security level will nevertheless be disallowed from 2030. Consequently, applications should move away from these when transitioning to post-quantum cryptography.

Key considerations for applications

The report details a number of applications of cryptography that will need to be considered.

Code signing

Code signing is a security process that’s widely used to prevent the execution of malicious or corrupted code. It uses digital certificates with signatures that are checked by the system to ensure that the code is from an authentic source. The report outlines the need for devices to use quantum-resistant signatures on executables, especially if there’s a risk that those executables could still be in use following the expected arrival of cryptographically relevant quantum computers.

Authentication

User and machine authentication typically involves the use of a digital signature algorithm or key-establishment scheme. NIST recommends that quantum-vulnerable algorithms can be used until quantum computers can break them. At that point, an upgrade will be required. This applies to network security protocols also, where the algorithm used for authentication can be transitioned separately.

Hybrid Solutions PQ/T

In order to transition smoothly, a hybrid solution combines quantum-vulnerable algorithms with quantum-resistant cryptography (Post-Quantum/Traditional PQ/T) as a temporary measure. NIST recommends that hybrid solutions can be accommodated, but there should be caution around the added complexity of PQ/T, and even with hybrid, the goal should always be to replace PQ/T with PQC-only algorithms at a later stage.

Planning for Migration

The White House National Security Memorandum 10 (NSM-10) published in 2022, set the target for completion by the year  2035 for US Federal systems. This report makes it clear that individual migration timelines can be complex. A lot depends on the infrastructure, risk profiles, and security measures involved, and NIST suggests flexibility as essential in order to achieve secure and efficient transition.

With that in mind, NIST will continue to revise SP 800-131A (Transitioning the Use of Cryptographic Algorithms and Key Lengths) and will update application-specific standards and guidelines, specifying earlier transitions for certain algorithms and protocols where necessary.

It’s a timely reminder that transition of cryptographic systems to the new quantum age will take a significant amount of time, and, as NIST point out, that time is already running out. Mosca’s Theorem, for example, introduces the idea that if:

X = the number of years sensitive data must be kept secure

Y = the estimated time taken to complete the transition

Z = the expected length of time left before a cryptographically relevant quantum computer is built

… then organizations must start transitioning before X+Y > Z. In other words, if a quantum computer is a decade away, the time to start the transition is now, as the complexity of the transition extends the length of Y, the security consideration increases X, and Z is constantly reducing with time.

This report highlights that urgency, and provides detail into the timeline and expectations of migration. Once again, it’s encouraging to see NIST emphasizing the importance of collaboration between industry, standards organizations, and other stakeholders, for a smooth transition to post-quantum cryptography.