A new set of standards from the National Institute of Standards and Technology (NIST) are now available for federal agencies and industry vendors to use as they prepare their systems for a post-quantum world.

The new standards, which include three specific algorithms, are the first standards NIST has released as part of its Post-Quantum Cryptography Standardization Project. This marks a milestone in the government’s effort to migrate systems to post-quantum cryptography and prepare for the impending “Q-Day.”

What is Q-Day?

Quantum technology will soon become so advanced that it can crack current encryption methods and threaten the information systems that make up the nation’s digital services and critical infrastructure across sectors. White House and cybersecurity leaders have referred to this time of advanced quantum computing as “Q-Day.”

This is why post-quantum cryptography standards are so critical. Many of today’s cryptographic products and services rely on public key algorithms that quantum technology can easily break.

NIST is at the forefront of an international effort around developing new secure and standardized algorithms that would guide federal agencies in this critical migration. The agency is preparing to release more algorithms.

“It’s going to be a long migration, it’s not going to be quick,” Dustin Moody, head of NIST’s Post-Quantum Cryptography Standardization Project, told GovCIO Media & Research. “We hope it goes as quickly as possible, but we know from past experience that cryptographic transitions take time.”

Preparing for Quantum

Moody said cryptography is used in many applications and products. Agencies, he added, need to take inventory of which data is protected by cryptography and understand what algorithm is being used to protect them. Not all cryptographic algorithms will be vulnerable, but for those that will be, agencies need to start talking with product vendors to plan for migration.

“[Agencies] have places they need to spend their money and resources. We think [post-quantum cryptography] should be a high priority, but of course, they’ve also got other hard priorities,” Moody said. “It takes time to allocate all the funding and to make sure the people making the decisions are aware this is a priority.”

Preparing for a quantum reality has been a top priority for national security-focused agencies and also the White House, which included standardizing post-quantum cryptographic algorithms in the fourth pillar of its 2023 cyber plan.

“The threat posed by the prospect of a cryptanalytically relevant quantum computer requires that agencies prepare now to implement post-quantum cryptography,” said Office of Management and Budget Director Shalanda Young in a November 2022 memo.

National Cyber Director Harry Coker referred to current encryption methods as major cybersecurity threats and called on the entire industry to work together.

“The stakes are high, and the time to act is now. NIST has done their part, and now it’s up to the rest of us to build on NIST’s stellar work,” Coker said in an Aug. 13 press conference. “We must continue to drive our government and private sector, as well as encourage our friends and allies abroad, to initiate deployment efforts.”

Encryption Solutions for Quantum

Officials have advocated for various methods of encryption for quantum technology. Post-quantum cryptography is one solution. Another is quantum key distribution.

A Quantum Economic Development Consortium report noted that both solutions can work in tandem to thwart bad actors in the financial sector.

“There is potential for using [quantum key distribution] to assist in the secure movement of money, primarily the end-to-end exchange of symmetric keys for international payments and messaging systems,” according to the report. “This would create a quantum-secure key exchange and key management system, in addition to the traditional public key mechanism, that would detect misbehavior into areas otherwise invisible to the transferring party.”

The report calls on federal agencies to invest in research and development in quantum key distribution technologies to make them more scalable and certifiable.

Adversaries like China have also created post-quantum cryptography standards similar to those in the U.S., but have mainly focused on quantum key distribution. The U.S. hasn’t focused on this method because of its limitations in some applications, said Moody.

“We’ve seen a lot of European countries and Japan, South Korea, Australia and Canada that are going to be using algorithms that came out of the NIST process as recommended for their national usage,” added Moody. “Our adversaries probably won’t use the same algorithms, but because of commercial interests, we will see a lot of global adoption of these algorithms.”

NIST is still working to release additional algorithms designed for general encryption and based on a different type of math problem. Those will start to become available by the end of 2024.