Insider Brief:
- Federal agencies and organizations are slow to adopt post-quantum cryptography, with only 7% having a formal transition plan, despite the urgency.
- NIST’s new white paper highlights crypto agility as a key solution for seamless cryptographic transitions across protocols, applications, and infrastructure.
- Technical and logistical challenges hinder migration, including performance costs, interoperability issues, backward compatibility constraints, and regulatory delays.
- Hybrid cryptographic algorithms may provide a temporary safeguard, combining classical and quantum-resistant encryption to ease the transition while standards mature.
- NIST is inviting public input on its crypto agility recommendations, with a comment period open until April 30, 2025, and a virtual workshop planned to refine implementation strategies.
Image Credit: Stoughton/NIST
Last year, the National Institute of Standards and Technology (NIST) released its first set of post-quantum cryptography algorithms, a long-awaited event and one with the promise of securing data against the potential threats of cryptographically relevant quantum computers. The years-long selection process was intended to provide a roadmap for transitioning away from traditional public-key cryptography, which is expected to become vulnerable if quantum computers reach sufficient scale.
However, despite the urgency surrounding quantum-resistant encryption, the actual migration to these new standards has been slow. A survey by GDIT and IBM found that only 7% of U.S. federal agencies have a formal PQC transition plan and dedicated project team in place, while nearly one in five agencies reported that PQC is not currently a priority. Although half of respondents are in the early stages of strategy development, many still lack clear roadmaps or dedicated resources to execute a full-scale transition.
The lack of widespread adoption raises questions: If quantum threats have been deemed significant enough to warrant new cryptographic standards, why have so few organizations made the shift? It turns out that while it may be human nature to blame external factors and delay action, the reality is that migrating to post-quantum cryptography is far more complex than simply swapping out algorithms.
A new NIST cybersecurity white paper, titled “Considerations for Achieving Crypto Agility: Strategies and Practices,” provides insight into this challenge by addressing crypto agility—the ability to replace cryptographic algorithms in protocols, applications, and infrastructure without disrupting system operations. The white paper presents a broad survey of current strategies for crypto agility, highlighting the technical, logistical, and economic challenges that have made the PQC migration process less straightforward. These challenges are compounded by concerns over legacy system upgrades, regulatory delays, and the sheer cost of the transition—a recent White House report estimates that migrating U.S. federal agencies alone will cost $7.1 billion by 2035, with further costs likely as agencies refine their transition plans.
Why Migration to Post-Quantum Cryptography Is Difficult
According to the white paper, cryptographic transitions have historically been long and complex. The shift from the Data Encryption Standard (DES) to Triple DES, and then to AES, took decades. Even though NIST standardized AES in 2001, Triple DES was only formally disallowed in 2024. A similar pattern emerged with SHA-1, which was first found vulnerable in 2005 but remains in use in some legacy systems today, with a full deprecation deadline set for 2030.
The slow transition to post-quantum cryptography follows this trend due to several technical and logistical obstacles. As highlighted in the white paper, one major challenge is resource and performance costs—new cryptographic algorithms, particularly post-quantum ones, often require greater computational power and memory. For example, the Module-Lattice-Based Digital Signature Algorithm (ML-DSA), specified in last year’s recommendations, produces signatures that are significantly larger than those of RSA, leading to increased network bandwidth demands and longer transmission times.
Beyond performance concerns, organizations must also navigate interoperability and compatibility issues to ensure that new algorithms work across existing infrastructure, software, and security protocols, many of which were never designed with quantum resilience in mind. Backward compatibility constraints create an additional obstacle, as many systems relying on older cryptographic standards must remain compatible with legacy devices and protocols, making the phase-out of outdated algorithms a challenge—dare I say, a multibody problem in its own right.
Even when the security risks are well understood, some industries face regulatory and compliance gaps, requiring official mandates before transitioning to new cryptographic standards. This further delays adoption, even when technical solutions are available.
The Case for Crypto Agility
To address these challenges, NIST’s white paper argues that organizations should adopt a crypto agility approach, which allows cryptographic transitions to happen with minimal disruption. The document outlines several key principles for achieving crypto agility across security protocols, enterprise IT systems, and software applications:
- Modular cryptography implementation – Systems should be designed to allow cryptographic algorithms to be swapped out easily. This includes avoiding hard-coded cryptographic choices in software and ensuring that cryptographic libraries support multiple algorithms.
- Hybrid cryptographic approaches – One strategy for transitioning to PQC involves using hybrid cryptographic algorithms, which combine both classical and quantum-resistant algorithms. This ensures continued security while PQC standards mature and gain broader adoption.
- Algorithm negotiation and interoperability – Security protocols should support mechanisms for negotiating cryptographic algorithms, ensuring that different implementations can communicate securely even as algorithms change.
- Automated cryptographic discovery and management – Organizations should maintain an inventory of cryptographic assets and automate monitoring for vulnerabilities in existing implementations.
- Cross-sector collaboration and standards development – Given the complexities of cryptographic transitions, NIST encourages discussions among industry stakeholders to develop sector-specific strategies for achieving crypto agility. A future NIST-hosted virtual workshop will further explore these considerations.
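As an added illustration (not code from NIST's white paper or from this article), the modular-implementation and negotiation principles can be sketched in Python: algorithms live in a registry keyed by a wire identifier, peers negotiate from it, and retiring an algorithm is a policy change rather than a code change. Standard-library HMAC variants stand in for signature schemes here, and the identifiers, preference order and policy flags are assumptions of the example.

```python
import hashlib
import hmac

# Registry: wire identifier -> [hash constructor, allowed by current policy].
# Identifiers, preference order and policy flags are assumptions of this example.
REGISTRY = {
    "hmac-sha1": [hashlib.sha1, False],        # legacy, already retired
    "hmac-sha256": [hashlib.sha256, True],
    "hmac-sha3-256": [hashlib.sha3_256, True],
}
PREFERENCE = ["hmac-sha3-256", "hmac-sha256", "hmac-sha1"]  # newest first


def allowed(alg):
    """Unknown identifiers and retired algorithms are both refused."""
    return alg in REGISTRY and REGISTRY[alg][1]


def retire(alg):
    """Policy change: disallow an algorithm without touching any call site."""
    REGISTRY[alg][1] = False


def negotiate(peer_offer, local_prefs=PREFERENCE):
    """Pick the first locally preferred algorithm the peer offers and policy allows."""
    for alg in local_prefs:
        if alg in peer_offer and allowed(alg):
            return alg
    raise ValueError("no mutually supported algorithm permitted by policy")


def _tag(alg, key, message):
    # The identifier is bound into the MAC input so it cannot be swapped in transit.
    return hmac.new(key, alg.encode() + b"\x00" + message, REGISTRY[alg][0]).hexdigest()


def protect(alg, key, message):
    """Return an envelope that names its algorithm instead of assuming one."""
    if not allowed(alg):
        raise ValueError(f"{alg} is disallowed by policy")
    return {"alg": alg, "msg": message, "tag": _tag(alg, key, message)}


def verify(envelope, key):
    """Dispatch on the envelope's identifier and fail closed on anything not allowed."""
    alg = envelope["alg"]
    if not allowed(alg):
        return False
    return hmac.compare_digest(_tag(alg, key, envelope["msg"]), envelope["tag"])
```

Calling `retire("hmac-sha256")` makes later negotiations skip that algorithm and makes existing envelopes that name it fail verification, which is the behaviour a migration plan has to schedule around.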
The Role of Hybrid Cryptographic Algorithms
One of the more immediate solutions discussed in the white paper is the adoption of hybrid cryptographic algorithms. These combine traditional public-key cryptography, such as ECDSA, with PQC alternatives like ML-DSA. The goal is to provide a safeguard against unforeseen vulnerabilities in quantum-resistant schemes while ensuring that systems remain secure throughout the transition.
However, hybrid cryptographic approaches come with trade-offs. The increased computational overhead can impact system performance, and organizations may eventually need to undergo a second transition once traditional cryptographic algorithms are fully deprecated. Despite this, hybrid methods may provide a practical path forward for organizations hesitant to fully commit to PQC immediately.
Moving Forward: The Need for Proactive Transition Strategies
NIST’s report makes the case that crypto agility is not just about future-proofing against quantum attacks but about improving resilience to all cryptographic vulnerabilities. The white paper encourages organizations to integrate crypto agility into their broader security strategies, recognizing that cryptographic transitions will be an ongoing necessity as computing capabilities and cryptanalysis techniques evolve.
For now, NIST is seeking public input on its crypto agility recommendations, with a comment period open until April 30, 2025. Suggestions may be emailed to crypto-agility@nist.gov. An upcoming virtual workshop will provide an opportunity for industry leaders, cryptographers, and policymakers to discuss best practices and challenges in implementing crypto agility at scale, though time and other registration details have not yet been shared.