How will NIST’s new algorithm standards affect organizations moving forward?

Jan. 9, 2024
A conversation with Dr. Torsten Staab, Chief Innovation Officer for Raytheon’s Cybersecurity, and Intelligence business units explains

The first round of PQC candidate algorithms that were announced by NIST on August 24 of last year. It included one general-purpose encryption algorithm (ML-KEM) and two digital signature algorithms (ML-DSA and SLH-DSA). Other alternative encryption and digital signature algorithms are pending for potential future release as well.

SecurityInfoWatch.com editorial director Steve Lasky recently engaged with Dr. Torsten Staab, PhD, RTX Principal Technical Fellow to discuss what these new standards will mean for organizations going forward. Dr. Staab serves as Chief Innovation Officer for Raytheon’s Cybersecurity, Intelligence, and services business unit and Chief Technology Officer for Raytheon Blackbird Technologies, Inc. As an RTX Principal Technical Fellow, his role also supports RTX’s other businesses Collins Aerospace and Pratt & Whitney.

SIW: What is the goal of NIST's proposal of draft post-quantum cryptography standards?

Dr. Staab: The draft release of the first three NIST-sanctioned post-quantum cryptography (PQC) algorithms represents a major leap forward in NIST’s seven-year-long journey to identify and standardize the next generation of quantum-resistant encryption and digital signature algorithms. These draft standards are designed to enable organizations around the world to internally evaluate what it will take to implement and operationalize these new PQC algorithms under real-world conditions.

SIW: What role will these PQC algorithms play in defending against quantum attacks? 

Dr. Staab: The purpose of PQC algorithms is to ensure that cryptographic systems can withstand quantum attacks. With the first round of NIST’s standardization of PQC algorithms slated for early 2024, we will likely see more organizations starting to develop quantum security strategies. As a result, crypto-agility will also gain more attention over the next few years, as it will be key in defending against quantum attacks. Crypto-agility is an information security system’s ability to quickly adopt an alternative to its original encryption method or protocol without requiring a significant change to the system, its infrastructure, or connected systems, services, or applications. For a successful transition from today’s classical encryption to tomorrow’s post-quantum cryptography, the next generation of IT/OT solutions must be crypto-agile. 

The purpose of PQC algorithms is to ensure that cryptographic systems can withstand quantum attacks..

SIW: What is Q-Day? How do these standards prepare for this time?

Dr. Staab: Q-Day is the day when quantum computers are expected to be able to break through existing cryptographic algorithms. Expert opinions on when Q-Day will arrive vary widely; some estimate that it will occur in the next five to 15 years. Although, at the pace that quantum computing and cybersecurity risks are progressing, Q-Day may arrive sooner than expected. It is estimated that it will take more than a decade to transition the world’s IT/OT infrastructure from today’s classical crypto technology to tomorrow’s Post Quantum Crypto (PQC). This means organizations must implement crypto-agile systems that support PQC algorithms sooner rather than later. The problem at hand is that many of today’s IT/OT solutions cannot be easily upgraded to PQC. Some systems will have to be replaced, which is time-consuming and costly. As a result, migrating to a PQC world will require careful planning and implementation. This is a key motivation behind why NIST issued public guidance, urging all organizations to start developing their Quantum Security migration strategy now.

SIW: What will the transition from today’s classical encryption to NIST’s new PQC algorithms look like for organizations? 

Dr. Staab: Due to today’s crypto solutions being widely distributed and embedded across organizations, and the fact that many implementations cannot be easily software-upgraded, this transition will not be an easy feat. It will most likely take many years for most organizations to migrate from today’s classical encryption to NIST’s new PQC algorithms. Hardware-based implementations may need to be replaced entirely—all while ensuring continuity of operations. To ensure a successful transition, organizations will need to carefully plan and allocate resources far in advance. Organizations will also need to plan coordination across organizational boundaries (e.g., suppliers, partners, customers, end users, etc.) to ensure a smooth and seamless transition process. Developing a strategy and a phased implementation and migration plan will be essential.

 

Dr. Torsten Staab serves as Chief Innovation Officer for Raytheon’s Cybersecurity, Intelligence, & Services business unit and Chief Technology Officer for Raytheon Blackbird Technologies, Inc. He is also an RTX Principal Technical Fellow, a role in which he also supports RTX’s other businesses Collins Aerospace and Pratt & Whitney. 

Staab has an extensive background in software and systems engineering and cybersecurity. He is a recognized subject matter expert in areas such as Zero Trust Security, data analytics, machine learning, distributed systems, and laboratory automation. He has contributed to more than 50 publications and has received five patents with nine pending.

He received a Diplom Informatiker (FH) degree from the University of Applied Sciences in Wiesbaden, Germany. In addition, he also holds Master of Science and Doctorate degrees in Computer Science from the University of New Mexico.