Back in May, an article in New Scientist created a bit of a stir around the National Institute of Standards and Technology (NIST) competition to select post-quantum (PQ) cryptographic algorithms. The article quoted NIST’s Dustin Moody as saying that announcement of the winners was imminent — “no more than a few weeks” away. As the official NIST timeline lists draft standards as being available sometime between 2022 and 2024, Dr. Moody’s statement was not entirely shocking but still surprising for those of us expecting announcements on the later side of that time range. Since the New Scientist article, we’ve been on pins and needles waiting for news … and as of this blog, we are still waiting.

A Brief History Of The NIST PQ Project

While we’re waiting, here’s a bit of interesting history. NIST launched the Post-Quantum Cryptography Standardization project in 2016, similar to the AES competition in the late ’90s and early 2000s. As quantum computing (QC) advanced, cryptographers expressed concern that a powerful enough quantum computer could easily break the public key cryptosystems that have been ubiquitous for years: RSA and Elliptic Curve. NIST’s competition is designed to find alternatives to RSA and Elliptic Curve that can withstand quantum computers.

In December of 2016, NIST issued a call for proposals, inviting participants to submit PQ algorithms to be considered for standardization. By the end of the following year, NIST had received 69 algorithms for Round 1. After a series of workshops, NIST culled the algorithms to 26 second-round candidates in 2019. NIST further reduced the list to seven finalists and eight alternates in mid-2020. Both the finalists and alternates are broken down into public key encryption algorithms and digital signature algorithms — unlike RSA, none of the algorithms in the PQ standardization project are suitable for both encryption and signing. NIST will select multiple “winners” — at least one for encryption and at least one for signing.

Announcing New Research Into Quantum Computing

So when will we hear about the “winners”? There’s still no official word, but we continue to watch and wait and will share our thoughts on the winning algorithms when they are announced.

We want to point out, though, that a NIST PQ winner algorithm is nothing more than that. While NIST definitely has a large weight in shaping the PQ algorithmic future, it is not the only force shaping the world of computing and security. In fact, one can argue that a PQ algorithm standard can serve as a starting point for an adversarial nation state to stage an attack that builds on the algorithm’s weaknesses.

Consider that:

  • QC itself won’t be free of problems and security issues.
  • PQ algorithms will not stop hackers from collecting encrypted data for later decryption using QC algorithms.
  • PQ algos will help with but won’t fully solve the legacy encrypted data migration problem from RSA and Elliptic Curve algorithms (existing baggage) to the new PQ encryption algorithm. If the old algorithm is replaced, the data needs to reencrypted for it to be decryptable with the new algorithm.
  • One PQ algorithm, as is scheduled to be selected soon by NIST, will likely be insufficient to solve the entire spectrum of PQ encryption problems.
  • We at Forrester believe that QC should be self-defending against PQ attacks.
  • PQ algorithms’ strength and performance should be (onerously) tested against true QC attacks.

We are planning to investigate and write on the above and more QC- and PQ-related topics. Stay tuned!