What NIST’s post-quantum cryptography standards mean for data security

Data security is the cornerstone of every business operation. Today, the security of sensitive data and communication depends on traditional cryptography methods, such as the RSA algorithm. While such algorithms secure against today’s threats, organizations must continue to look forward and begin to prepare against upcoming risk factors.

The National Institute of Standards and Technology (NIST) published its first set of post-quantum cryptography (PQC) standards. This landmark announcement is an important marker in the modern cybersecurity landscape, cementing the indeterminate future of post-quantum cryptography as an important cybersecurity priority for enterprises, government agencies and supply chain vendors.

NIST has finalized the three following PQC standards to strengthen cryptography infrastructure for the quantum era:

• ML-KEM (derived from CRYSTALS-Kyber) — a key encapsulation mechanism selected for general encryption, such as for accessing secured websites
• ML-DSA (derived from CRYSTALS-Dilithium) — a lattice-based algorithm chosen for general-purpose digital signature protocols
• SLH-DSA (derived from SPHINCS+) — a stateless hash-based digital signature scheme

Since as early as 2021, NIST has been encouraging organizations to begin planning and preparing for the transition toward quantum-safe. The finalization and release of these three PQC standards is the assurance and guidance many organizations need to embrace and begin the process of transforming to crypto-agility.

IBM has engaged with many large organizations over the past 18 months. These leaders have established, or are establishing, quantum-safe transformational initiatives as a strategic imperative, approaching it with a people, processes and technology perspective. Reaching “quantum safety” requires increasing crypto maturity, and transforming their cryptography program in the process. The objective is a strong cryptographic posture, including resilience against quantum-powered risks.

The journey toward quantum-safe often starts with discovering and classifying data to gain visibility into cryptographic inventory across the enterprise, including being able to analyze risk and prioritize remediation. Beyond discovery and classification is the transformation toward crypto-agility, the ability for platforms, systems and applications to:

• Update cryptography when it is broken
• Change cryptography when regulations and new threats require it
• Monitor that cryptography is being used properly
• Retire cryptography when it is out of date

Ready to learn more? Check out the IBM Institute of Business Value report, “The quantum clock is ticking: How quantum safe is your organization?”