U.S. NIST PQC Standards to Kick-Start Product Commercialization

On August 13, 2024, the U.S. National Institute of Standards and Technology (NIST) published three Federal Information Processing Standards (FIPS) for Post-Quantum Cryptography (PQC). These are officially:

1. FIPS 203, Module-Lattice-Based Key-Encapsulation Mechanism (KEM) Standard (CRYSTALS-KYBER)
2. FIPS 204, Module-Lattice-Based Digital Signature Standard (CRYSTALS-Dilithium)
3. FIPS 205, Stateless Hash-Based Digital Signature Standard (SPHINCS+)

These complement a number of other previously published standards that are deemed quantum-secure, notably hash-based signature schemes LMS and XMSS (NIST SP 800-208), cryptographic hashes SHA and HMAC (FIPS 202 and FIPS 198-1, respectively), and symmetric cipher AES (FIPS-197).

NIST is still working on the FALCON standard, the fourth algorithm that was selected in 2022, alongside the three just published. A fourth round of the PQC standardization process is still in progress for KEMs, and a first round was launched in 2024 for additional Digital Signature Algorithms (DSAa).

The result of an 8-year process, NIST had made a first announcement of four candidate algorithms for standardization back in 2022, but it took 2 years to draft and publish those standards. Other algorithms (FALCON, Round 4 KEM, and Round 1 Additional DSA) are being evaluated by NIST in order to have a diverse pool of PQC standards available for the market. Having a greater number of algorithms spreads the risk if one of them is broken; this is important as these algorithms have yet to be fully tested in the field (i.e., not just by white hats). Spreading the risk is good for minimizing it, but it also makes implementation that much harder because it means work for vendors that have to integrate PQC algorithms into their products.

The standards need to be adapted to varied use cases: from secure elements in smart cards and small, resource-constrained connected devices that need DSA for secure boot and Over-the-Air (OTA) updates to large-scale cloud-based Hardware Security Module-as-a-Service (HSMaaS) implementations. This means not only selecting the right PQC algorithm for that use case and developing an adapted cryptographic library, but also evolving the underlying technology; for example, better hardware acceleration capabilities, or protection against side-channel attacks. These efforts will differ for each use case, but also vary for each PQC algorithm. These efforts will not just be challenging for PQC product innovators, but also for implementers in all types of markets, from finance to automotive manufacturing, and from healthcare to utilities.

The standardization legwork is not yet done, but the three new FIPS standards gives the green light to a market that has been in relative limbo since the announcement of the candidate algorithms in 2022. Now, silicon Intellectual Property (IP) providers, semiconductors, and other Original Equipment Manufacturers (OEMs) can move past their Proofs of Concept (PoCs) and start bringing to market their first generation of PQC-ready solutions: whether those are libraries, IPs, chipsets, or other. This first windfall will drive market interest and a lot of beta-testing, and eventually lead to the refinement of use case- and market-specific PQC solutions. In turn, better supporting hardware and ecosystems will emerge to catalyze second-generation solutions that are closer to plug-and-play.

PQC innovators will be better off focusing on a select number of industries, rather than spreading themselves too thin trying to offer a one-size-fits-all solution. Not all end markets will start integrating PQC-ready technology at the same pace. Implementers will have to spend some time identifying the right algorithm and standard for their specific use case, and likely also spend time in the refinement process with innovators to ensure eventual solutions are fit for purpose. This is not, however, a one-sided effort; partnerships between innovators and implementers will play a key role in advancing market-ready solutions.