NIST has set firm deadlines for retiring today's public-key algorithms: RSA, ECDSA, EdDSA, finite-field DH and ECDH at 112 bits of security strength are deprecated after 2030, and all of them, at every security strength, are disallowed after 2035.
Last week, NIST released the Initial Public Draft (IPD) of NIST IR 8547, Transition to Post-Quantum Cryptography Standards, its recommended roadmap for moving from today's public-key algorithms to the standardized post-quantum cryptography (PQC) algorithms. The draft lays out a transition plan, with timelines and key migration considerations, to help federal agencies, industry, and standards bodies move their products, services, and infrastructure to PQC by 2035.
One of the key highlights of the report is that NIST states its long-term transition plans plainly. It lists the widely used key-establishment and digital-signature algorithms that will first be deprecated and then disallowed. In NIST SP 800-57 terms, 112 bits of security strength corresponds to RSA-2048, 2048-bit DH, and 224-bit curves such as P-224; 128 bits corresponds to RSA-3072 and 256-bit curves such as P-256 and Curve25519.
| Digital Signature Algorithm Family | Parameters | Transition |
| --- | --- | --- |
| ECDSA | 112 bits of security strength | Deprecated after 2030 and disallowed after 2035 |
| ECDSA | ≥ 128 bits of security strength | Disallowed after 2035 |
| EdDSA | ≥ 128 bits of security strength | Disallowed after 2035 |
| RSA | 112 bits of security strength | Deprecated after 2030 and disallowed after 2035 |
| RSA | ≥ 128 bits of security strength | Disallowed after 2035 |

| Key Establishment Scheme | Parameters | Transition |
| --- | --- | --- |
| Finite Field DH and MQV | 112 bits of security strength | Deprecated after 2030 and disallowed after 2035 |
| Finite Field DH and MQV | ≥ 128 bits of security strength | Disallowed after 2035 |
| Elliptic Curve DH and MQV | 112 bits of security strength | Deprecated after 2030 and disallowed after 2035 |
| Elliptic Curve DH and MQV | ≥ 128 bits of security strength | Disallowed after 2035 |
| RSA | 112 bits of security strength | Deprecated after 2030 and disallowed after 2035 |
| RSA | ≥ 128 bits of security strength | Disallowed after 2035 |
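As an added example (not part of the NIST draft or of the AppViewX text), the Go program below applies those two tables to a certificate inventory: it parses every certificate in a PEM bundle with the standard library, rates each public key's security strength using the NIST SP 800-57 Part 1 comparable-strength ranges, and reports the transition state that applies. The bundle is constructed in memory from freshly generated keys (one per strength class) so the program runs offline; the host names are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Finding is one row of the triage report.
type Finding struct {
	Subject    string
	Algorithm  string
	Strength   int    // bits of security strength (NIST SP 800-57 Part 1 table)
	Transition string // rule from the NIST IR 8547 draft tables above
}

// strength maps a key size to its SP 800-57 security-strength class, given the
// minimum size for each of the 112, 128, 192 and 256-bit classes.
func strength(bits int, minSizes [4]int) int {
	classes := [4]int{112, 128, 192, 256}
	s := 80 // below the smallest threshold (RSA-1024, P-192): already disallowed
	for i, lo := range minSizes {
		if bits >= lo {
			s = classes[i]
		}
	}
	return s
}

var (
	rsaSizes = [4]int{2048, 3072, 7680, 15360} // RSA modulus bits
	ecSizes  = [4]int{224, 256, 384, 512}      // curve order bits
)

// Transition encodes the draft's rule: 112 bits is deprecated after 2030 and
// disallowed after 2035; 128 bits or more stays allowed until 2035.
func Transition(strength int) string {
	switch {
	case strength < 112:
		return "already disallowed"
	case strength == 112:
		return "deprecated after 2030, disallowed after 2035"
	}
	return "disallowed after 2035"
}

// classifyKey names the algorithm and rates the strength of a parsed public key.
func classifyKey(pub interface{}) (string, int) {
	switch k := pub.(type) {
	case *rsa.PublicKey:
		return fmt.Sprintf("RSA-%d", k.N.BitLen()), strength(k.N.BitLen(), rsaSizes)
	case *ecdsa.PublicKey:
		return "ECDSA " + k.Curve.Params().Name, strength(k.Curve.Params().BitSize, ecSizes)
	case ed25519.PublicKey:
		return "Ed25519", 128 // the draft's table puts EdDSA in the >= 128-bit class
	}
	return fmt.Sprintf("%T", pub), 0 // unknown key type: flagged, not guessed
}

// TriagePEM classifies every CERTIFICATE block in a PEM bundle, in order.
func TriagePEM(bundle []byte) []Finding {
	var out []Finding
	for {
		var block *pem.Block
		block, bundle = pem.Decode(bundle)
		if block == nil {
			return out
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			continue // a real scanner would report unparsable entries; skipped here
		}
		alg, bits := classifyKey(cert.PublicKey)
		out = append(out, Finding{cert.Subject.CommonName, alg, bits, Transition(bits)})
	}
}

// selfSigned mints a throwaway self-signed certificate so the sample needs no files.
func selfSigned(cn string, priv, pub interface{}) []byte {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// SampleBundle is a constructed inventory, not real certificates: one key per class.
func SampleBundle() []byte {
	r2048, _ := rsa.GenerateKey(rand.Reader, 2048)
	p224, _ := ecdsa.GenerateKey(elliptic.P224(), rand.Reader)
	p256, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	p384, _ := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	edPub, edPriv, _ := ed25519.GenerateKey(rand.Reader)
	var b []byte
	b = append(b, selfSigned("legacy-rsa2048.example", r2048, &r2048.PublicKey)...)
	b = append(b, selfSigned("legacy-p224.example", p224, &p224.PublicKey)...)
	b = append(b, selfSigned("p256.example", p256, &p256.PublicKey)...)
	b = append(b, selfSigned("p384.example", p384, &p384.PublicKey)...)
	b = append(b, selfSigned("ed25519.example", edPriv, edPub)...)
	return b
}

func main() {
	for _, f := range TriagePEM(SampleBundle()) {
		fmt.Printf("%-24s %-14s %3d bits  %s\n", f.Subject, f.Algorithm, f.Strength, f.Transition)
	}
}
```

In practice the input is the bundle produced by a certificate discovery scan. Note that the rule is applied per key, not per use: a root CA certificate and a TLS leaf with the same RSA-2048 key get the same verdict, and the report says nothing about the signature algorithm that signed each certificate, which must be checked separately against the same table.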
NIST also points out that moving from algorithm standardization to full integration into information systems has historically taken 10 to 20 years. Given that lead time and the reality of "harvest now, decrypt later" attacks, in which encrypted traffic is recorded today for decryption once a cryptographically relevant quantum computer exists, organizations need to start preparing for post-quantum cryptography (PQC) now. That threat falls first on key establishment, which protects confidentiality; signatures are only at risk once such a computer exists, which is why most migration plans address key exchange first. NIST's report is a vital resource for starting and accelerating the PQC adoption journey.
First, though, it helps to understand NIST's finalized PQC standards: one key-encapsulation mechanism and two digital-signature schemes. Here is a quick overview of the standardized algorithms and the key factors to weigh for a PQC migration.
Back in 2016, NIST kicked off the Post-Quantum Cryptography (PQC) Standardization Project to select and vet PQC algorithms that are secure against attacks by both classical and quantum computers.
In July 2022, after the third round of the standardization process, NIST made a preliminary announcement, unveiling the first four selected algorithms:
- CRYSTALS-Kyber, a KEM (Key Encapsulation Mechanism), for general encryption and key establishment
- CRYSTALS-Dilithium, Falcon, and SPHINCS+ for digital signature schemes
A year later, in August 2023, NIST released the Initial Public Drafts (IPD) of three of the above algorithms to get industry feedback and make appropriate revisions.
A year after that, on August 13, 2024, following the public comment period on those drafts, NIST released the finalized standards under new names (the project's separate fourth round, which evaluates additional KEM candidates, continued independently):
- FIPS 203: Referred to as ML-KEM, based on the CRYSTALS-KYBER algorithm for general encryption
- FIPS 204: Referred to as ML-DSA, based on the CRYSTALS-Dilithium algorithm for digital signatures
- FIPS 205: Referred to as SLH-DSA, based on the SPHINCS+ algorithm for digital signatures
Algorithm | FIPS Name |
CRYSTALS-KYBER | FIPS 203: ML-KEM |
CRYSTALS-Dilithium | FIPS 204: ML-DSA |
SPHINCS+ | FIPS 205: SLH-DSA |
Note: NIST has also announced plans to release an Initial Public Draft (IPD) of FIPS 206, based on the FALCON digital signature algorithm. The draft, tentatively named FN-DSA, is expected soon.
AppViewX can help you implement crypto-agility and start preparing today for Post-Quantum Cryptography
Let’s now take a deeper dive into each of these standards:
1. FIPS 203
This standard specifies the ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) algorithm derived from the original CRYSTALS-KYBER. It is designed for a key encapsulation mechanism used to establish a shared secret key between two communicating parties over a public channel. The shared secret key can then be used for symmetric-key cryptography.
ML-KEM is a lattice-based scheme: its security rests on the hardness of the Module Learning With Errors (MLWE) problem. In protocols it takes the place of RSA key transport and (EC)DH key agreement, for example in the TLS handshake. Certificates continue to carry signature keys, so ML-KEM on its own does not replace RSA or ECDSA in a PKI.
Key Considerations:
- Only KEM in the set: ML-KEM is the only key-encapsulation mechanism among the finalized standards, so for now it is the building block for every quantum-safe key exchange (NIST's fourth round is evaluating additional KEMs as alternatives). ML-DSA and SLH-DSA are signature schemes and are not substitutes for it.
- Performance: key generation, encapsulation and decapsulation are polynomial arithmetic over a small modulus rather than big-integer or elliptic-curve operations. In published software benchmarks ML-KEM is on a par with, and often faster than, X25519, so compute is rarely the bottleneck.
- Resource Utilization: working memory is a few kilobytes and there is no big-number library dependency, so it fits embedded and IoT targets; the public key and ciphertext, at roughly 1 KB each, are usually the limiting factor.
- Parameter Sets: ML-KEM-512, ML-KEM-768 and ML-KEM-1024 target NIST security categories 1, 3 and 5. ML-KEM-768 is the common default in protocol deployments.
- Bandwidth: compact for a post-quantum KEM, but far larger than what it replaces. ML-KEM-768 public keys are 1184 bytes and ciphertexts 1088 bytes, against 32 bytes for an X25519 public key. Expect bigger handshakes, and check any protocol or device that assumes key-exchange messages fit in a few hundred bytes.
- Implementation Complexity: the "ML" in ML-KEM stands for module lattice, not machine learning. The difficulty lies in constant-time polynomial arithmetic (the NTT), correct sampling, and the implicit-rejection step of decapsulation, which is why the standard is best consumed through a validated library rather than a home-grown implementation.
- Overhead: the cost that shows up in practice is size, not CPU: larger handshake messages, more memory for key material on constrained devices, and possible fragmentation in protocols with tight message limits.
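The key-establishment flow described above, written out as an added example in Go (this is not AppViewX or NIST code): it uses Go's standard-library crypto/mlkem (Go 1.24 or later) for ML-KEM-768, encrypts a message under the resulting shared key with AES-256-GCM, reports the actual on-the-wire sizes next to an X25519 public key, and shows the FIPS 203 implicit-rejection behaviour: a tampered KEM ciphertext decapsulates without error to a different key, so the failure surfaces only when the AEAD tag check fails. The message and the all-zero nonce are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/mlkem"
	"crypto/rand"
	"fmt"
)

// server holds the decapsulation (private) key; only ekBytes is ever published.
type server struct {
	dk      *mlkem.DecapsulationKey768
	ekBytes []byte // encapsulation (public) key, 1184 bytes for ML-KEM-768
}

func newServer() (*server, error) {
	dk, err := mlkem.GenerateKey768()
	if err != nil {
		return nil, err
	}
	return &server{dk: dk, ekBytes: dk.EncapsulationKey().Bytes()}, nil
}

// clientEncapsulate is the client's only step: parse the published key and
// encapsulate, getting the 32-byte shared key locally plus a 1088-byte ciphertext to send.
func clientEncapsulate(ekBytes []byte) (sharedKey, ciphertext []byte, err error) {
	ek, err := mlkem.NewEncapsulationKey768(ekBytes)
	if err != nil {
		return nil, nil, err
	}
	sharedKey, ciphertext = ek.Encapsulate()
	return sharedKey, ciphertext, nil
}

// gcm builds AES-256-GCM directly from the 32-byte shared key. A real protocol
// would first run the key through a KDF bound to the handshake transcript.
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// RoundTrip runs the exchange end to end. With tamper set, one bit of the KEM
// ciphertext is flipped in transit, as an active attacker or a corrupt link would.
func RoundTrip(msg string, tamper bool) (string, error) {
	srv, err := newServer()
	if err != nil {
		return "", err
	}
	clientKey, kemCT, err := clientEncapsulate(srv.ekBytes)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, 12) // constructed: all-zero nonce is safe only because each key is used once here
	aead, err := gcm(clientKey)
	if err != nil {
		return "", err
	}
	sealed := aead.Seal(nil, nonce, []byte(msg), nil)
	if tamper {
		kemCT[0] ^= 0x01
	}
	serverKey, err := srv.dk.Decapsulate(kemCT)
	if err != nil {
		return "", err // only a wrong-length ciphertext is rejected here
	}
	if aead, err = gcm(serverKey); err != nil {
		return "", err
	}
	plain, err := aead.Open(nil, nonce, sealed, nil)
	if err != nil {
		return "", fmt.Errorf("tampered KEM ciphertext surfaced at the AEAD tag check: %w", err)
	}
	return string(plain), nil
}

// ImplicitRejection shows the FIPS 203 behaviour directly: decapsulating a modified
// ciphertext returns no error but a pseudorandom key unrelated to the client's.
func ImplicitRejection() (decapsErr bool, keysDiffer bool) {
	dk, err := mlkem.GenerateKey768()
	if err != nil {
		panic(err)
	}
	key, ct := dk.EncapsulationKey().Encapsulate()
	ct[len(ct)-1] ^= 0x80
	got, err := dk.Decapsulate(ct)
	return err != nil, err != nil || !bytes.Equal(got, key)
}

// WireSizes compares what ML-KEM-768 puts on the wire with an X25519 public key.
func WireSizes() (mlkemEK, mlkemCT, x25519Pub int) {
	dk, err := mlkem.GenerateKey768()
	if err != nil {
		panic(err)
	}
	_, ct := dk.EncapsulationKey().Encapsulate()
	xk, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return len(dk.EncapsulationKey().Bytes()), len(ct), len(xk.PublicKey().Bytes())
}

func main() {
	fmt.Println(RoundTrip("hello, post-quantum world", false))
	fmt.Println(RoundTrip("hello, post-quantum world", true))
	fmt.Println(ImplicitRejection())
	fmt.Println(WireSizes())
}
```

The design point to notice is that a KEM gives the decapsulating side no signal that the ciphertext was altered; implicit rejection exists so that an invalid ciphertext cannot be used as an oracle against the private key. Key confirmation therefore has to come from whatever the shared key is used for next, which in TLS is the Finished message.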
2. FIPS 204
This Standard specifies ML-DSA (Module-Lattice-Based Digital Signature Algorithm) derived from the original CRYSTALS-Dilithium. It is designed for generating and verifying digital signatures.
Digital signatures help verify the identity of the signer and the integrity of the signed data. They also help with non-repudiation, where the signer cannot deny the signature at a later time.
ML-DSA is the primary standard for generating and verifying digital signatures and is the preferred algorithm to replace RSA-based signatures. NIST notes that it can be used in email, funds transfer, data interchange, software distribution, data storage, and other applications that require data origin and integrity verification.
Key Considerations:
- Fast Signing and Verification: ML-DSA signs and verifies quickly, with verification especially cheap, so it suits high-volume uses such as TLS handshakes and code-signature checks.
- Sizes: public keys and signatures are much larger than today's. ML-DSA-65 has a 1952-byte public key and a 3309-byte signature, against 64 bytes for an Ed25519 signature. Certificate chains and any protocol that carries several signatures grow accordingly.
- Security Basis: security rests on the Module-LWE and Module-SIS lattice problems. The scheme uses the Fiat-Shamir-with-aborts technique, so signing loops until it finds a signature that leaks nothing about the key, and signing time varies from run to run.
- Parameter Sets: ML-DSA-44, ML-DSA-65 and ML-DSA-87 target NIST security categories 2, 3 and 5.
- Implementation Complexity: as with ML-KEM, the "ML" means module lattice, not machine learning. A correct implementation needs constant-time arithmetic and sampling, and a choice between the hedged (randomized) signing that FIPS 204 recommends and the permitted deterministic variant, which is more exposed to fault attacks.
- Overhead: the rejection-sampling loop makes signing latency variable, and the larger signatures add bandwidth and storage, most visibly in certificate chains.
3. FIPS 205
This standard specifies SLH-DSA (Stateless Hash-Based Digital Signature Algorithm), derived from the original SPHINCS+. It, too, is a digital-signature scheme, but it uses a different mathematical basis from ML-DSA and is intended as a conservative backup should structured-lattice schemes turn out to be weaker than expected. SLH-DSA is hash-based: its security rests only on the preimage and collision resistance of the underlying hash function (SHA-2 or SHAKE, depending on the parameter set), with no additional algebraic assumption.
Key Considerations:
- Slow Signing, Large Signatures: unlike ML-DSA, SLH-DSA signs slowly and produces large signatures, from 7856 bytes (SLH-DSA-SHA2-128s) to 49856 bytes (SLH-DSA-SHA2-256f). Verification is far cheaper than signing, so it fits uses where signatures are made rarely and checked often, such as firmware or root-of-trust signing.
- Small Keys: public keys are 32 to 64 bytes and private keys 64 to 128 bytes, so key storage is trivial; the signature is the resource cost.
- Conservative Security: with no structured-lattice assumption and only hash-function security behind it, SLH-DSA is the fallback if ML-DSA is broken. Being stateless, it also avoids the state-management hazard of the earlier hash-based schemes LMS and XMSS (NIST SP 800-208), where reusing a one-time key after a restore from backup is catastrophic.
- Parameter Sets: twelve sets, SHA-2 or SHAKE at 128, 192 or 256 bits of security, each in an "s" variant (small signature, slower signing) and an "f" variant (faster signing, larger signature).
- Implementation Complexity: the construction, a hypertree of few-time and one-time signatures, is intricate, but it needs only hash primitives, which keeps side-channel concerns smaller than for lattice schemes.
- Overhead: signing cost and signature size, not key size, are what limit where SLH-DSA can be deployed.
NIST’s finalized PQC standards are a big step forward in preparing for the quantum era. These standards lay the foundation for a secure future, addressing quantum threats head-on. They are built to tackle the demands of modern-day applications—whether it’s ensuring performance, scalability, or working within resource-constrained environments—without undermining security.
Yes, implementing these algorithms might feel complex, and the transition will take time, but NIST’s guidance provides a clear roadmap to follow. Now is the right time to start thinking about how your organization can adapt and prepare for what’s ahead.
Start Testing The PQC Algorithms Now and Get Post-Quantum Ready with AppViewX
To facilitate a seamless and efficient transition to PQC, AppViewX offers:
- AppViewX PQC Test Center: A dedicated free online resource built to help organizations assess their PQC readiness by generating and testing quantum-safe certificates prior to their integration into existing systems, workloads, and machines. You can quickly set up your own quantum-safe PKI hierarchy and generate PQC-ready certificates and keys to test their compatibility with your environment. Visit the AppViewX PQC Test Center and begin your PQC journey today.
- PQC Certificate Lifecycle Management: The AppViewX AVX ONE platform offers a comprehensive certificate lifecycle management solution to help enable PQC readiness and crypto-agility with complete certificate discovery and inventory, full certificate lifecycle automation, and total certificate control across the enterprise.
To get started on your PQC readiness journey, contact AppViewX today to learn how.