U.S. NIST Announces Post Quantum Cryptography Algorithms for Standardization

The U.S. National Institute of Standards and Technology (NIST) has been running a standardization competition for Post Quantum Cryptographic (PQC) algorithms since 2016 for Key Encapsulation Mechanisms (KEM)/encryption and for digital signatures. The Third Round candidate algorithms were announced in July 2020 (seven finalists and eight alternates). Today, NIST has announced the following algorithms for standardization:

• Public Key Encryption (KEM): CRYSTALS-KYBER
• Digital Signatures: CRYSTALS-Dilithium, Falcon, and SPHINCS+

Beyond that, some of alternatives will move on to a Fourth Round, where the competition will also open up for new submissions for digital signatures. In part, this is because these new encryption algorithms need more testing and analysis, and also because there was limited choice for some of the other classes, such as code and isogeny-based algorithms (most of the finalists are lattice-based). Diversity helps minimize the risk of weaknesses being found in one of the algorithmic classes.

The announcement of the algorithms for standardization effectively marks the start of the transition to quantum-safe encryption. The algorithms need to be finalized as standards, a process that is set to take about another year. Then they can be leveraged into existing and new protocols for use in various technologies and applications. This is where the role of the Internet Engineering Task Force (IETF) and other Standards Development Organizations (SDO), and especially industry consortia, will have to really get to work to devise practicable standards for implementation and real-world usage.

It also marks the start of the market for PQC and quantum-safe products. Many technology and cybersecurity vendors have been participating in the standardization process for a number of years and have been waiting for NIST to announce the winners. Some have been investing in PQC Research and Development (R&D) since the beginning of the competition, with products already primed to hit the market as soon as NIST makes its announcement, while others already have commercialized solutions on the market.

In 2018, ABI Research identified 34 companies globally with a PQC strategy (involvement in standardization or R&D), of which 11 had market offerings. As of June 2022, ABI Research uncovered 97 different companies at various stages of PQC involvement, with 40-odd companies offering a market solution. Now with the first batch of announced algorithms for standardization, productization will accelerate significantly. ABI Research has already identified 10 broad categories of PQC solutions: libraries; silicon Intellectual Property (IP), and System-on-Chip (SoC) design; semiconductors and chipsets; firmware and software; Virtual Private Networks (VPNs); Public Key Infrastructure (PKI) and EKM; messaging; Hardware Security Modules (HSMs) and crypto appliances; blockchain; and Internet of Things (IoT) platforms.

The outlook for the PQC market is highly promising. There has been some significant acceleration in the past few years as the NIST process has advanced in rounds and slimmed down the pool of potential candidates. Today, the chosen Round 3 algorithms will shift the market into the next gear, and the opening up of Round 4 will provide another kick, with those on the sidelines joining the fray. A vendor participating in the PQC standardization process provides a significant competitive advantage; its selection by NIST provides an official stamp of trust, which can be a powerful marketing tool. This is especially significant as NIST is the foremost standardization organization for PQC algorithms, with other SDOs (national and international), national certification and regulatory agencies, and industry groups having accorded NIST this role.

Much of the technology development and market traction for PQC hinges on the conclusion of the NIST process. Standardization may be the catalyst, but there will be long and complex migration to quantum-safe technologies. Selling that transition will be no easy feat.

The biggest challenge facing PQC vendors is that product and solution design using the new algorithms does not mean implementation will be straightforward, or consumption easy. Developing PQC solutions is challenging, as final usage will determine how and which algorithm to implement. It requires significant R&D from a design and testing front, which needs to be justified based on product viability and eventual mass-market adoption. The development costs are relatively high, which can prove a barrier to market entry.

The main issues center around the complexity of PQC-based key exchange and the difficulty in making the schemes practicable for a broad range of applications, and primarily for the IoT. Most of the algorithms are less efficient than classical cryptography, with large key and signature sizes, which means they need to be optimized. Further, most are impractical for resource-constrained and low-power device without significant modification. Beyond that, hybrid implementations (combining classical and PQC algorithms together) is fraught with debate around how to best implement them. For digital signatures, hybrid solutions are acceptable in theory, but the reality is that the signature is just too large for practical usage, so it still requires considerable work to make them commercially viable.

Moreover, there is apprehension about NIST and other SDOs standardizing too many different algorithms and protocols, and countries not aligning on recommendations, creating fragmentation before the market has a chance to fully take off. Fewer standards will be better for migration, but there will be a need for different algorithms based on application and final usage.

There is another big challenge around public awareness. The rationale for many enterprises is to wait until attack-capable quantum computers are commercially viable, so mass-market demand for PQC might take some time to emerge, at least outside of niche markets. National and policy directives in the United States, France, Germany, Japan, and other North Atlantic Treaty Organization (NATO) countries will drive faster adoption of PQC solutions in those markets, but the rest of the world will wait until those first movers have done the hard part before catching up.  

Ultimately, it is the availability of standards that will drive market traction around PQC. There will be a significant transition period (at least a decade, likely more) between the publication of finalized standards and their widespread integration into commercial products. Nonetheless, ABI Research has identified three main target markets for PQC products today that vendors should be focusing on in the short to mid-term:

• Primary: Military & defense, semiconductors & Original Equipment Manufacturers (OEMs), automotive & aerospace
• Secondary: Government, Banking, Financial Services, and Insurance (BFSI), Communication Service Providers (CSPs)
• Tertiary: Healthcare, utilities, transport, enterprise

PQC is still a new and niche area of cryptography, and the market is already highly risk averse. Vendors will have to focus on ensuring that nothing breaks that does not need to and will have to effectively assuage market anxieties around the deployment of an immature technology that is little understood outside of cryptographic circles. The key priority will be to focus on crypto agility and hybrid implementations to ensure backward compatibility and provide a trusted path to quantum-safe integration.