Market Update: Post Quantum Encryption

Author: Harvey Morrison

With the recent release of the NIST Post Quantum Encryption (PQE) standards ("NIST Releases First 3 Finalized Post-Quantum Encryption Standards | NIST"), we at Marion Square anticipate that Federal Agencies will focus in FY 25 on becoming compliant with the White House Executive Order and National Security Memo for Post Quantum Cryptography.

Federal agencies are planning to allocate approximately $7.1 billion for the transition to post-quantum encryption (PQE) between 2025 and 2035. This budget will cover the migration to new cryptographic standards developed by the National Institute of Standards and Technology (NIST) to protect sensitive systems and data.

Looking specifically at the FY 25 budget requests, the following agencies are planning to allocate funding towards PQE projects next Government fiscal year:

  • Department of Treasury

  • US Army

  • US Air Force

  • Department of Homeland Security

  • Department of Energy

  • NASA

What are the NIST standards?

In August FY 24, NIST released its standards for 3 PQE algorithms designed to protect organizations from the advancements of Quantum Computers and "harvest now, decrypt later" attacks.

The 3 standards are focused on Key Encapsulation Mechanisms (KEM, used for general encryption) and Digital Signatures.

  • Federal Information Processing Standard (FIPS) 203, intended as the primary standard for general encryption. Among its advantages are comparatively small encryption keys that two parties can exchange easily, as well as its speed of operation. The standard is based on the CRYSTALS-Kyber algorithm, which has been renamed ML-KEM, short for Module-Lattice-Based Key-Encapsulation Mechanism.

  • FIPS 204, intended as the primary standard for protecting digital signatures. The standard uses the CRYSTALS-Dilithium algorithm, which has been renamed ML-DSA, short for Module-Lattice-Based Digital Signature Algorithm.

  • FIPS 205, also designed for digital signatures. The standard employs the SPHINCS+ algorithm, which has been renamed SLH-DSA, short for Stateless Hash-Based Digital Signature Algorithm. The standard is based on a different math approach than ML-DSA, and it is intended as a backup method in case ML-DSA proves vulnerable.

What do Federal Agencies need to do next?

Based on the recent Government mandates, specifically OMB memo M-23-02, Federal agencies should be "discovering and inventorying" their cryptographic assets and systems. Specifically, M-23-02 states:

"Establishes requirements for agencies to prioritize and identify where they are using cryptography within their most sensitive systems that are vulnerable to decryption by a future quantum computer."

"Agencies are required to submit these inventories annually by May 4th until 2035 - these inventories must be submitted to both the Office of the National Cyber Director and CISA."

A subsequent OMB Memo, M-23-18, also stated that agencies should:

"Provide budgets for transitioning systems to PQE should be included along with funding for “software required to accurately and where possible automatically inventory cryptographic systems.”"

This means no manual processes for inventory: the Government is requesting automated tools.

As we look forward to FY 25, it’s evident that the transition to post-quantum encryption is not just a regulatory challenge but a strategic imperative. Agencies like the Department of Treasury, US Army, US Air Force, Department of Homeland Security, Department of Energy, and NASA are already leading the way, setting a precedent for others to follow. The successful integration of PQE standards will mark a significant advancement in our collective efforts to secure national and organizational security in an increasingly complex digital age.

As this transition unfolds, staying informed and prepared will be key. The journey towards a post-quantum secure future is underway, and those who embrace it with diligence and foresight will be best positioned to navigate the challenges and opportunities it presents.
