3 Key Take-aways from NIST Round 3

Jul 5, 2022

Just today NIST released its long-awaited report on the results of its Round 3 process for selecting post-quantum algorithms for standardization. The chosen algorithms, CRYSTALS-Kyber, CRYSTALS-Dilithium, FALCON and SPHINCS+, will now be standardized and will start showing up in our roots of trust, our applications, our devices, our networks, and so on. In addition, evaluation efforts will continue for BIKE, Classic McEliece, HQC, and SIKE as they progress into a 4th round of evaluation to determine which, if any, will be added to the list of algorithms that NIST will be standardizing.

Deploying these new post-quantum (i.e. quantum-safe) algorithms in our IT and OT stacks will protect digital identities and by extension the confidentiality, integrity and availability of our connected digital structures. They will also serve to protect our individual and collective privacy. They will become the new stronger foundations for digital trust.

Here’s a recent NIST quote issued prior to the release of the Round 3 results that caught (confirmed?) our attention: 

“If you’re an organization, don’t wait for the standard to be done,” said Matt Scholl, chief of the computer security division at NIST.


So now let’s talk about this Round 3 standardization report at a high level. 

As we do, it’s important to keep in mind the timelines and work efforts required to effect actual timely and tested implementations of these new quantum-safe algorithms. We have spoken a bit about this in the past (ok a lot!).

Understanding these upgrade timelines is a part of our efforts to bring awareness and education to the scope of this issue from a time, work, risk and cost perspective.  Today, we won’t comment on individual candidates included or not, or on who or what the Round 4 outcomes may contain.  

We are hopeful that you will now be inundated by many market participants reinforcing key messages about looming timelines, efforts and necessary budgets for quantum-safe communications based on the NIST selected candidates, as well as the need to begin to formulate a plan for this ‘big lift’.

There may also be comments about the new candidates possibly not being perfect, particularly in selected scenarios, but neither are our current standards on which today’s economy reliably runs.

We take this opportunity though to speak to NIST, and to its participants’ own ‘big lift’. The quantum of the preparatory and due diligence work done to date by NIST and all those involved, in getting to the end of Round 3, and in providing all of us with the enhanced clarity coming out of this Round 3, is its own ‘big lift’ – and is to be appreciated and respected as such.

We all owe NIST, and the wide array of volunteers who participated in this process, a real debt of gratitude. Their hard work in identifying the nature and scope of the issues, and in working through them in a proactive, passionate, disciplined peer-reviewed process over the last several years has been a Herculean effort. This effort, as well as those efforts looking at the lifecycle issues associated with determining new measures of fitness for purpose, is in many ways a mirror reflection of all the areas of work now required to be undertaken in all parts of the stacks, networks, protocols and standards that comprise our modern, growing and evolving IT and OT connected systems. 

The end goal of the up-lifted quantum-safe cryptographic ecosystem is to achieve the verifiable outcomes required to protect the confidentiality of our data, as well as the integrity of our digital identities, communications and transactions against their new natural predator, the quantum-enabled adversary. Not to mention our investments in intellectual property.

This quantum-safe work also serves to protect and encourage quantum investments and infrastructures that promise new and improved outcomes for society.

Ultimately there will be PQC horses for quantum-safe courses. Just one example of this, in an area that we will all consistently come across in our collective scoping and planning, is the TLS protocol. A sample service to all of us from the NIST work is the clarity that while McEliece will work securely in many scenarios, it’s not appropriate for use in TLS (at least not at this stage) due to its large public key size.

Another material benefit from the NIST/volunteer work is the participative and emerging framework for assessing ongoing quantum-safe encryption candidates and life cycle processes. This ongoing and important work will be a service to all, as quantum progresses and security events occur.

We at C4A extend our gratitude and respect for NIST and the volunteer efforts to date.


The second thing we want to talk about is what we hope by now is the clear requirement for crypto agility in post-quantum encryption crypto-structures, like our roots of trust.

When we add new encryption requirements for identity-first/zero-trust security paradigms to the PQC horses for quantum-safe courses reality, crypto-agility emerges as a fundamental enabler.

Strong, agile cryptography, properly implemented and managed, is the core of reliable and trusted digital identity. And trusted digital identity provides security that is a foundation for digital trust.

While we have mentioned this many times, now is a good time to further emphasize that as further NIST Rounds continue, as optimization and life cycle issues emerge, and as new improved quantum-safe variants emerge for specialized use cases, protocols etc., an agile cryptographic processor is simply required. Crypto agility, given the multiplicities of PQC horses for quantum-safe courses, must be a core consideration for how to implement and support quantum-safe communications.

Quantum-safe Planning requires Technology Inputs

The third key take-away now that Round 3 has been completed, and the industry has settled on a provisional date for Y2Q of April 14, 2030, is that we must also now be thinking through the available and planned technologies, tools, new functions, visibilities and control planes that we could or should be using in our planning. 

We clearly advocate crypto-agility as a core requirement as it allows cost-effective, consistent updates to occur in a timely and quantum-safe manner, just as today’s ‘as-a-service’ processes might push software updates and patches to you, or as managed security services may perform such updates for you, as a continuous obligation. And you will want your supply chain partners and technology inputs to also be crypto-agile, for efficiency and security.

Some organizations may also come to the conclusion that it would be best to leave the complex process of technology selection, implementation, integration and life-cycle requirements to a crypto-as-a-service model provider, mimicking the above-described software-as-a-service paradigm. This approach allows organizations to leave the new infrastructure and the post-quantum and hybrid encryption expertise to an accountable crypto-as-a-service provider. This approach can ease a lot of the HR and technical burdens of this big uplift, concentrate best practices and also be of great assistance to your ecosystem participants.

An anecdote will further help contextualize this last point. Rotating from DES to AES cryptography by individual entities took a decade or more, and some pockets of DES processing still remain 20 years later! However, that rotation could be distilled down to something as simple as changing the water that was running through the pipes and replacing it with, say, antifreeze, but you still get to reuse those very same pipes. These same pipes were compatible with the antifreeze so this was relatively easy, yet it still proved to be a very time-consuming effort even with moderate risk and complexity.

In this quantum-driven rotation, we need to introduce a new liquid, have it co-exist with the old liquid, allow each to continue to be effective in their own way, and here is the real point: we will also need to replace the pipes themselves as these new technologies introduce some fundamentally incompatible properties for our existing infrastructure!

That’s the big uplift. That’s why we have been speaking about getting going for some time now.  We hope the completion of NIST Round 3 gets this process going in earnest. 

Y2Q in eight years is not a long period of time (although for those following along, the reality is that this date keeps being brought in closer) given the magnitude of the tasks remaining to be done.

We also all know that rotation into the cloud is accelerating – one estimate is that only 10% of applications currently run on cloud infrastructure. So, lots of work to be done in a short period of time as we are also doing other major IT and OT work in our digital transformations. 

A new quantum-safe root of trust defined by new crypto-agility to underpin and seed your quantum-safe communications infrastructure is a sensible part of the future. And a crypto-as-a-service model will also play useful roles in helping organizations and their supply chains complete their own big lifts and become safe and trusted and crypto-agile.

We all have a lot of work to do. 

Thanks for reading.
