From “Migration” to “Transition”: A Review of NIST’s Latest Report on Post-Quantum Cryptography

02/21/2025

On November 12, 2024, the National Institute of Standards and Technology (NIST) released the draft of NIST IR 8547, Transition to Post-Quantum Cryptography Standards. This report outlines the roadmap for transitioning to post-quantum cryptography standards, sparking widespread attention. One seemingly minor but significant change in terminology stands out: the shift from “Migration to Post-Quantum Cryptography” to “Transition to Post-Quantum Cryptography.” This change in phrasing reflects not only NIST’s deeper understanding of technological evolution but also the inherent complexity and long-term nature of cryptographic transitions in practice.

Why Is This Change in Terminology Important?

“Migration” implies a complete replacement of classical cryptographic algorithms with post-quantum ones, emphasizing urgency and completeness. By contrast, NIST’s adoption of the term “Transition” more accurately captures the complexity of cryptographic evolution, suggesting that legacy and new technologies may coexist for a long time, requiring dynamic and gradual adjustments.

From Urgency to Reality: A Gradual Transition Strategy

In previous publications and meetings, NIST frequently highlighted the “Harvest Now, Decrypt Later” risk, urging the early adoption of post-quantum cryptography. However, in this report, NIST defined the transition process more flexibly under the term “Transition”. Based on the report, we have identified the following three phases:

Short-term (2024-2029): Standards Publication and Early Implementation
During this phase, NIST is expected to release guidelines tailored to specific application scenarios, encouraging early adopters to take action gradually.

Mid-term (2030-2035): Phased Decommissioning of Classical Algorithms
By 2030, NIST plans to label classical public-key algorithms with 112-bit security strength as “Deprecated” and fully discontinue their use by 2035.

Long-term (Post-2035): Full Adoption of Post-Quantum Cryptography Standards
From 2035 onwards, new systems will be required to use post-quantum algorithms exclusively, with classical algorithms no longer permitted for any new encryption or signature tasks.

Key Considerations During the Transition

The report details specific considerations for various application scenarios, such as code signing, user and machine authentication, network security protocols, and email and document signing and encryption. It emphasizes the unique requirements of each application and highlights that some systems may need to prioritize migration to mitigate the risk of long-term sensitive information being compromised by quantum computers. Additionally, NIST recommends adopting flexible transition timelines to balance security needs with technical complexity across different applications.

Furthermore, the transition to post-quantum cryptography may initially involve hybrid schemes, where both post-quantum and classical algorithms are used simultaneously for key establishment or digital signatures. These schemes ensure that as long as one algorithm remains secure, the overall scheme retains its security. In scenarios where classical algorithms are still required, hybrid schemes serve as a transitional pathway to compatibility with post-quantum cryptography. NIST leaves the decision to adopt hybrid key establishment or dual signatures to specific application scenarios, based on their tolerance for implementation costs, performance impacts, and engineering complexities. To assist external parties that desire such a mechanism, NIST will accommodate the use of a hybrid key-establishment mode and dual signatures in FIPS 140 validation when suitably combined with a NIST-approved scheme.

Timeline for Deprecation and Disallowance of Algorithms

The report further clarifies the timeline for phasing out classical algorithms, as shown below:

These timelines indicate that NIST aims to guide industries toward a smooth transition to post-quantum cryptography.

Why the Shift from “Migration” to “Transition” Was Inevitable

This change in terminology reflects a balance between the practical challenges of implementation and the diverse needs of stakeholders:

Differences in Technological Maturity: While NIST has announced the first batch of post-quantum cryptographic standards, many associated technologies, such as hardware security modules, cryptographic libraries, protocol standards, and infrastructure, are not yet fully mature.

Diversity of Application Scenarios: Different sectors have varying demands and sensitivities regarding cryptographic technology. For instance, financial institutions and government agencies require high data security and must deploy post-quantum cryptography early, whereas low-risk sectors can extend their transition period to reduce costs.

Broad Participation Across the Industry: Updating cryptographic technology is not merely a matter of standardization; it requires the comprehensive collaboration of software and hardware vendors, developers, and operational entities to gradually implement this massive technological upgrade globally.

Conclusion

The shift from “Migration” to “Transition” in NIST’s terminology not only reflects the practical needs of technological evolution but also marks a significant step forward in the development of post-quantum cryptographic strategies. Industries must closely monitor NIST’s updates and proactively develop tailored transition plans to enhance their data security before the quantum era arrives.

As experts in data security, Watchdata is committed to responding to this trend, planning and deploying in advance, and continually providing our clients with forward-looking post-quantum cryptographic solutions to help build a robust digital security framework.