NIST Quantum Standards: Security Experts Talk Hurdles

As NIST's post-quantum standards roll out, tech firms are scrambling to future-proof their encryption, yet issues, both internal and external, persist.

The emergence of quantum computing presents a significant challenge to contemporary cryptography. Current cryptographic methods, such as RSA and Elliptic Curve Cryptography (ECC), depend on complex mathematical problems that are difficult for classical computers to solve.

For example, RSA's security hinges on the challenge of factoring large integers, while ECC relies on the discrete logarithm problem.

Quantum computers, utilising principles of quantum mechanics like superposition and entanglement, have the potential to dismantle these cryptographic systems with relative ease.

In 1994, Peter Shor introduced a quantum algorithm capable of efficiently factoring large numbers and solving discrete logarithm problems—key challenges that underpin existing cryptographic frameworks. Consequently, once sufficiently advanced quantum computers are developed, they could decrypt information secured by today’s encryption standards.

A particularly alarming tactic is the "harvest now, decrypt later" approach, where malicious entities might collect and store encrypted data in anticipation of future quantum capabilities to decrypt it.

This poses a grave risk to sensitive information that requires long-term confidentiality, such as government intelligence, personal health records, and proprietary corporate data. The urgency to safeguard against this potential threat is pressing, even if powerful quantum computers remain years away.

As the National Institute of Standards and Technology (NIST) releases its new Post-Quantum Cryptography (PQC) standards, organisations must prioritise their readiness for the implications of quantum computing on security.

Yet quantum computing could empower cybercriminals to execute brute force attacks against the cryptographic keys that protect most current encryption methods, jeopardising sensitive data.

So what insights does the security sector provide regarding the NIST standards? Furthermore, how can these insights emphasise the necessity for proactive measures as organisations confront evolving cybersecurity threats?

Full Name: Todd Moore

Job Title: Global Lead for Data Security

Company: Thales

Todd Moore, Global Lead for Data Security at Thales

Research from Thales indicates that 61% of organisations have yet to formulate a strategy for navigating a post-quantum landscape.

Todd is a highly regarded cybersecurity expert with over 28 years of experience in safeguarding sensitive data for various organisations.

His extensive background includes nearly two decades at Harris Corporation, where he gained a profound understanding of security challenges and defence technologies. Todd has consistently demonstrated his ability to craft business cases and conduct market analyses for new security products, successfully bringing them to market. He regularly devises strategies for product development and execution.

“It is critical for organisations to begin securing their data and infrastructure with these new standards. With risks such as Harvest Now, Decrypt Later attacks where cyber criminals steal and store data in preparation for quantum computing capabilities, it is essential that organisations prepare immediately for this unprecedented cryptographic transformation by adopting crypto agile solutions that support these new Quantum-safe algorithms.”

Full Name: Taher Elgamal 

Job Title: ‘The Father of SSL’ and Senior Advisor 

Company: SandboxAQ

Taher Elgamal, ‘The Father of SSL’ and Senior Advisor at SandboxAQ

Cybersecurity threats, including ransomware, Advanced Persistent Threats (APTs), and data breaches, are evolving rapidly and becoming increasingly sophisticated, largely due to advancements in artificial intelligence. Cryptography remains a critical element of cybersecurity infrastructure, playing an essential role in safeguarding digital communications and data.

Taher Elgamal, honoured with the RSA Conference 2009 Lifetime Achievement Award, is widely regarded as the "father of SSL," the Secure Sockets Layer protocol that underpins internet security. He holds numerous patents in areas such as online security, payments, and data compression. As a founder of several companies, including NokNok Labs, InfoSec Global, and Securify, he has significantly influenced the field. Previously, he served as Director of Engineering at RSA Security Inc. and was Chief Scientist at Netscape Communications from 1995 to 1998, where he played a pivotal role in developing SSL.

“The NIST PQC Standardisation marks a critical advancement in securing our digital infrastructure. By adopting these standards, we safeguard sensitive data, ensure privacy, and maintain trust in digital communications. This proactive approach not only prepares us for the quantum era but also fortifies our current cybersecurity measures.”

Full Name: Roger Grimes

Job Title: Data-Driven Defence Evangelist

Company: KnowBe4

Roger Grimes, Data-Driven Defence Evangelist at KnowBe4

Although the benefits of transforming your security to post-quantum are becoming clear, the problem lies in managing a project of such scope.

The US government estimated the cost to the entire US economy at US$100bn (US$189bn in 2024 dollars) for Y2K preparations. Some companies reportedly spent hundreds of millions of dollars on their Y2K efforts.

Roger Grimes explains that this process will involve software and hardware.

“Every organisation will be undergoing a huge Y2K-like post-quantum cryptographic migration...whether they realise it or not, that will likely impact every piece of software and firmware they have in their environment protecting critical data. Every organisation, if they have not already done so...and most have not done so...will be creating a multi-year post-quantum migration project involving far more resources than they have experienced in decades. 

“NIST has been telling organisations over and over for nearly a decade to create a post-quantum migration project. What was needed for most organisations to care and start creating their very necessary, required, post-quantum project, was THIS announcement.”

Full Name: Dr Adam Everspaugh

Job Title: Cryptography Expert

Company: Keeper Security

Dr Adam Everspaugh, Cryptography Expert at Keeper Security

Equally, standing in the way is the fact that standards are constantly evolving. Only recently were IBM algorithms standardised by NIST.

Dr Adam Everspaugh thinks an end point to the standardisation will help speed adoption along.

“The finalisation of NIST’s Quantum Resistant Cryptography (QRC) standards is a pivotal step forward in safeguarding digital environments against the threat posed by quantum computing. Quantum computing has the potential to revolutionise various fields but also threatens current public key encryption methods. The primary attack of concern is store-and-crack, where attackers may capture and store encrypted information and web traffic now, and then, when quantum computers are available, break the encryption to read the data that is stored. If this information is still valuable in the future, attackers can use it to exploit sensitive systems.

“At Keeper Security, we are actively tracking these developments and updating our product roadmap to ensure we’re ready to integrate these cryptographic standards as soon as production software libraries fully support them.

“The challenges for IT and security teams are significant, from ensuring compatibility with existing systems to managing the transition of cryptographic keys. However, the urgency of this shift cannot be overstated. The potential for quantum computers to break widely used encryption algorithms is a very real threat that could compromise the security of sensitive data worldwide.”

Full Name: Dr Colin Soutar

Job Title: Managing Director and Global Quantum Cyber Readiness Leader

Company: Deloitte

Dr Colin Soutar, Managing Director of Deloitte & Touche LLP and Deloitte’s Global Quantum Cyber Readiness Leader

After NIST announced three encryption standards that are believed to be resistant to decryption by quantum computers, it has been estimated that 20 billion digital devices globally will likely need to be upgraded or replaced with quantum-safe alternatives.

While quantum computers may not be widely available for another decade, updating cryptographic algorithms is a lengthy process that can also take 10 years or more. Therefore, planning for quantum cyber readiness must begin now.

“Quantum computing could be significantly beneficial to society, delivering breakthroughs in drug discovery and financial modelling, however, quantum computing could also undermine numerous existing public-key encryption methods if realized on a large scale,” Dr Colin Soutar commented.

“For many years, Deloitte has been activating the quantum cyber readiness industry, including collaborating with the World Economic Forum to establish a quantum security program in 2021, and hosting a number of discussions with leaders from both government and industry. We need to look at this topic less about speculating exactly when a CRQC will be available, and more about what organizations can do to prepare for it.”

Full Name: Chris Hickman

Job Title: CSO

Company: Keyfactor

Chris Hickman, CSO of Keyfactor

The finalisation of three of NIST’s four algorithms marks, for many, the starting line in the race to secure against the threat of quantum computers, and the preservation of digital trust is on the line.

“Security leaders are well aware of the threats to come with quantum computing – with each day we get closer to a quantum computer that could break current encryption methods that every business relies on. Encryption protects everything from banking and retail transactions to valuable business data and does not discriminate.

“With the finalisation of the first suite of NIST cryptographic algorithms, organisations now have the tools to safeguard against the quantum threat. While Q-day may seem years away, security leaders need to keep in mind that AI capabilities increase the need to transition to PQC algorithms. 

“Now, more than ever, it will be vitally important for organisations of all sizes to adequately plan and test for the adoption of these new algorithms, which includes conducting security assessments to verify how prepared their supply chains are to ensure a smooth transition over the coming years.”
