New PQC Standards Set to Transform Cybersecurity

Business
August 13, 2024

NIST’s latest announcement highlights the urgency of addressing encryption vulnerabilities to prevent AI-driven attacks today and quantum attacks tomorrow. 

The National Institute of Standards and Technology (NIST) today released its long-awaited Federal Information Processing Standards (FIPS) for post-quantum cryptography (PQC). This pivotal moment will impact customers far and wide—from financial institutions to government agencies—especially those bound by regulatory requirements. This is an ideal moment for businesses of all sizes to reevaluate and modernize their encryption practices, ensuring they remain at the forefront of cybersecurity with the latest in automated cryptography management solutions.

Taher Elgamal, ‘the father of SSL’ and senior advisor at SandboxAQ, emphasized the importance of implementing the new standards in an increasingly vulnerable reality: “The NIST PQC Standardization marks a critical advancement in securing our digital infrastructure. By adopting these standards, we safeguard sensitive data, ensure privacy, and maintain trust in digital communications. This proactive approach not only prepares us for the quantum era but also fortifies our current cybersecurity measures.”

The Urgency of Implementing New Standards

Cybersecurity threats such as ransomware, advanced persistent threats (APTs) and data leaks are continuously evolving and growing more sophisticated, and are now being powered by advanced AI techniques. Predictions indicate ransomware costs will skyrocket to $42 billion in 2024, eventually hitting $265 billion by 2031. Cryptography, as a foundational component of cybersecurity infrastructure, plays a pivotal role in this landscape. Three cryptographic weaknesses recur in these attacks: outdated encryption algorithms, expired certificates and, most critically, unencrypted files.

Furthermore, attackers are now using AI to find and exploit the same weaknesses that formerly took a large team of security specialists to uncover. As a result, leading security-aware companies are using their resources more efficiently by implementing cryptography management platforms that discover, identify and remediate weak or broken algorithms, freeing existing teams to focus on the complex AI-augmented attacks.

Understanding the New Standards

NIST initiated its PQC standardization program in 2016, aiming to develop cryptographic methods that resist attack by quantum computers. The announcement covers the first set of algorithms to be standardized: one key-encapsulation mechanism (KEM), which establishes shared secret keys, and two digital signature schemes. Together they provide confidentiality, integrity and authentication for sensitive data, so that digital communications remain secure against emerging threats.

  • FIPS 203 (ML-KEM): Derived from CRYSTALS-Kyber, this key-encapsulation mechanism takes the role that Diffie-Hellman plays in protocols such as TLS, establishing a session key. In current deployments it runs alongside an elliptic-curve exchange as a hybrid, so the session stays protected if either component holds. It is fast, at the cost of public keys and ciphertexts of roughly a kilobyte each (1,184 and 1,088 bytes for ML-KEM-768).
  • FIPS 204 (ML-DSA): Based on CRYSTALS-Dilithium, this digital signature scheme verifies faster than ECDSA and RSA, but its signatures (about 2.4KB) and public keys (about 1.3KB) are far larger and signing takes roughly twice as long. Those sizes are for the smallest parameter set, ML-DSA-44, and grow at the higher security levels.
  • FIPS 205 (SLH-DSA): Derived from SPHINCS+, this stateless hash-based signature scheme rests only on the security of its hash function (SHA-2 or SHAKE), the most conservative assumption of the three. Public keys are tiny (32 bytes) but signatures are large, about 7.9KB (7,856 bytes) even for the smallest parameter set, and signing is slow. That profile suits firmware and code signing, where the public key must fit into a root of trust, signing happens rarely and off the device, and the long-term security margin is worth the larger signature.

Implications for Customers

Today’s announcement comes within a broader regulatory context, including the White House's National Security Memorandum NSM-8, which directs federal agencies to begin the transition to PQC. Businesses must begin by taking inventory of where they use cryptography today: which algorithms and key sizes, in which certificates, protocols, libraries and stored data. Without that inventory there is no way to prioritise the transition, and data encrypted with classical algorithms today can be harvested now and decrypted once a large enough quantum computer exists. The inventory is crucial whether it is built manually or through automation, and proper tooling and testing are essential for a smooth transition between old and new algorithms.
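The discovery step that both the cryptography management platforms mentioned above and the inventory described here rest on, as an added example that is not part of the original article and not SandboxAQ's AQtive Guard code: a Go scanner that walks a PEM certificate bundle and records, per certificate, the key algorithm and size, the signature algorithm, the expiry date and a list of issues, covering the outdated algorithms and expired certificates the article names. The policy thresholds, the fixture certificates (constructed in memory, not real ones) and the names Finding, Inspect, InventoryPEM, fixture and DemoInventory are this example's assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Finding is one inventory row: what a certificate uses and why it needs attention.
type Finding struct {
	Subject, KeyAlgo, SigAlgo string
	KeyBits                   int
	NotAfter                  time.Time
	Issues                    []string
}

// Inspect classifies one parsed certificate. The policy (RSA >= 2048 bits, no MD5 or SHA-1
// signatures, not past NotAfter) is this example's assumption, not a figure from the article.
func Inspect(cert *x509.Certificate, now time.Time) Finding {
	f := Finding{Subject: cert.Subject.CommonName, NotAfter: cert.NotAfter}
	f.SigAlgo = cert.SignatureAlgorithm.String()
	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		f.KeyAlgo, f.KeyBits = "RSA", pub.N.BitLen()
		if f.KeyBits < 2048 {
			f.Issues = append(f.Issues, "RSA key shorter than 2048 bits")
		}
	case *ecdsa.PublicKey:
		f.KeyAlgo, f.KeyBits = "ECDSA", pub.Curve.Params().BitSize
	default:
		f.KeyAlgo = fmt.Sprintf("%T", pub)
	}
	switch cert.SignatureAlgorithm {
	case x509.MD2WithRSA, x509.MD5WithRSA, x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		f.Issues = append(f.Issues, "signed with a broken hash function")
	}
	if now.After(cert.NotAfter) {
		f.Issues = append(f.Issues, "expired")
	}
	// Go's x509 parser only yields classical key types (RSA, ECDSA, Ed25519, DSA), all of which
	// fall to Shor's algorithm, so every certificate here is a migration item for FIPS 204/205.
	f.Issues = append(f.Issues, "public-key algorithm is not quantum-resistant")
	return f
}

// InventoryPEM walks every CERTIFICATE block in a PEM bundle and returns one Finding per cert.
func InventoryPEM(bundle []byte, now time.Time) ([]Finding, error) {
	var out []Finding
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parse certificate: %w", err)
		}
		out = append(out, Inspect(cert, now))
	}
	return out, nil
}

// fixture issues a constructed self-signed certificate for the demo bundle; it panics on failure
// because its inputs are fixed, so an error here is a fixture bug rather than a scan finding.
func fixture(cn string, pub, priv any, notAfter time.Time) []byte {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notAfter.Add(-365 * 24 * time.Hour),
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// DemoInventory scans a constructed bundle (an expired RSA-1024 certificate followed by a
// current ECDSA P-256 one) against a fixed clock so the result is deterministic.
func DemoInventory() ([]Finding, error) {
	now := time.Date(2024, 8, 13, 0, 0, 0, 0, time.UTC)
	rsaKey, err1 := rsa.GenerateKey(rand.Reader, 1024) // deliberately weak so the scan flags it
	ecKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err1 != nil || err2 != nil {
		panic("fixture key generation failed")
	}
	bundle := append(fixture("legacy.example.internal", &rsaKey.PublicKey, rsaKey, now.Add(-24*time.Hour)),
		fixture("api.example.internal", &ecKey.PublicKey, ecKey, now.Add(400*24*time.Hour))...)
	return InventoryPEM(bundle, now)
}

func main() {
	findings, err := DemoInventory()
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%+v\n", f)
	}
}
```

Point InventoryPEM at a real bundle (a certificate store export, or the chains collected by a TLS endpoint scan) and pass the real clock; the fixed clock in DemoInventory exists only to make the demo deterministic. The same shape extends to other discovery sources, for instance SSH host keys or the cipher suites a server negotiates, each feeding the same Finding table so the migration backlog is one list.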

Marc Manzano, General Manager of the Cybersecurity Group at SandboxAQ, underscores the urgency for this transition: "NIST's announcement makes it imperative for large enterprises to adopt scalable, automated cryptographic inventory solutions. Modern cryptography management minimizes disruption, mitigates ransomware risks, and facilitates a seamless transition to secure standards. We at SandboxAQ are proud to have contributed to this process and to offer AQtive Guard as a key tool for companies and governments to transition to these new standards for a more secure future.”

For many organizations, this is an ideal opportunity to modernize cryptography management with built-in cryptographic agility, the ability to swap algorithms, key sizes and parameters without redesigning the systems that use them, in line with guidance from the White House and other agencies. The NIST National Cybersecurity Center of Excellence (NCCoE) advocates this approach, with SandboxAQ as an active member and co-author of related whitepapers. Benefits of crypto-agility include reduced compliance costs, shorter incident response times, and significant overall security improvements.

Learning More

These FIPS publications will touch nearly every computer, securing millions of digital interactions each day.

The cybersecurity research and development team at SandboxAQ has been directly involved at each stage of the NIST PQC process, leading the design of selected standards and contributing to the BIKE and HQC fourth-round KEM candidates and to the additional ("on-ramp") signature schemes. Among other efforts, the team has also contributed research on cryptanalysis, formal verification, the integration of these schemes into real-world protocols, and new and improved implementations.

NIST's publication today marks the beginning of the PQC standards rollout. The standards released already give enterprises a clear roadmap for upgrading their security and encryption protocols. Read more about how customers are already improving their cybersecurity and cryptography management with AQtive Guard.

About SandboxAQ
SandboxAQ is an enterprise B2B company, providing solutions at the nexus of AI and quantum technology (AQ) to address some of the world's greatest challenges. The company's core team and inspiration formed at Alphabet Inc., emerging as an independent, growth capital-backed company in 2022. SandboxAQ is backed by T. Rowe Price, Eric Schmidt (chairman of SandboxAQ), Breyer Capital, Guggenheim Partners, Marc Benioff, Thomas Tull, Paladin Capital Group, and other leading investors. For more information, visit http://www.sandboxaq.com

About Authors

Carlos Aguilar Melchor is the Chief Scientist in Cybersecurity at SandboxAQ. During his career, he has been a professor for 15 years and worked for multiple international organizations, contributing to a variety of domains such as cryptography, privacy, cyber security, and artificial intelligence.

James Howe is a Staff Research Scientist and technical lead in the Cybersecurity Group. He works on the research and development of post-quantum cryptography and addresses the issues of integrating PQC into the real world. He is a co-author of the SDitH signature scheme candidate, which is part of the NIST PQC process for additional signature schemes. His research interests range from optimizing designs in software and hardware to side-channel analysis and countermeasures, protocol design, and more.
