Category: NIST

NIST selects HQC as the 5th Post-Quantum Algorithm: What you need to Know?

NIST selects HQC as the 5th Post-Quantum Algorithm: What you need to Know?

By | | Comments 0 Comment

The Evolution of Post-Quantum Cryptography: NIST’s Fifth Algorithm Selection and Its Impact

Introduction

Quantum computing is no longer just a theoretical curiosity—it is advancing towards real-world applications. With these advances comes a major challenge: how do we keep our data secure when today’s encryption methods become obsolete?

Recognising this urgent need, the National Institute of Standards and Technology (NIST) has been working to standardise cryptographic algorithms that can withstand quantum threats. On March 11, 2025, NIST made a significant announcement: the selection of Hamming Quasi-Cyclic (HQC) as the fifth standardised post-quantum encryption algorithm. This code-based algorithm serves as a backup to ML-KEM (Module-Lattice Key Encapsulation Mechanism), ensuring that the cryptographic landscape remains diverse and resilient.

Business and Regulatory Implications

Why This Matters for Organisations

For businesses, governments, and security leaders, the post-quantum transition is not just an IT issue—it is a strategic necessity. The ability of quantum computers to break traditional encryption is not a question of if, but when. Organisations that fail to prepare may find themselves vulnerable to security breaches, regulatory non-compliance, and operational disruptions.

Key Deadlines & Compliance Risks

  • By 2030: NIST will deprecate all 112-bit security algorithms, requiring organisations to transition to quantum-resistant encryption.
  • By 2035: Quantum-vulnerable cryptography will be disallowed, meaning organisations must adopt new standards or risk compliance failures.
  • Government Mandates: The Cybersecurity and Infrastructure Security Agency (CISA) has already issued Binding Operational Directive 23-02, requiring federal vendors to begin their post-quantum transition.
  • EU Regulations: The European Union is advocating for algorithm agility, urging businesses to integrate multiple cryptographic methods to future-proof their security.

How Organisations Should Respond

To stay ahead of these changes, organisations should:

  • Implement Hybrid Cryptography: Combining classical and post-quantum encryption ensures a smooth transition without immediate overhauls.
  • Monitor Supply Chain Dependencies: Ensuring Software Bill-of-Materials (SBOM) compliance can help track cryptographic vulnerabilities.
  • Leverage Automated Tooling: NIST-recommended tools like Sigstore can assist in managing cryptographic transitions.
  • Pilot Test Quantum-Resistant Solutions: By 2026, organisations should begin hybrid ML-KEM/HQC deployments to assess performance and scalability.

Technical Breakdown: Understanding HQC and Its Role

Background: The NIST PQC Standardisation Initiative

Since 2016, NIST has been leading the effort to standardise post-quantum cryptography. The urgency stems from the fact that Shor’s algorithm, when executed on a sufficiently powerful quantum computer, can break RSA, ECC, and Diffie-Hellman encryption—the very foundations of today’s secure communications.

How We Got Here: NIST’s Selection Process

  • August 2024: NIST finalised its first three PQC standards:
    • FIPS 203 – ML-KEM (for key exchange)
    • FIPS 204 – ML-DSA (for digital signatures)
    • FIPS 205 – SLH-DSA (for stateless hash-based signatures)
  • March 2025: NIST added HQC as a code-based backup to ML-KEM, ensuring an alternative in case lattice-based approaches face unforeseen vulnerabilities.

What Makes HQC Different?

HQC offers a code-based alternative to lattice cryptography, relying on quasi-cyclic codes and error-correction techniques.

  • Security Strength: HQC is based on the hardness of decoding random quasi-cyclic codes (QCSD problem). Its IND-CCA2 security is proven in the quantum random oracle model.
  • Efficient Performance:
    • HQC offers a key size of ~3,000 bits, significantly smaller than McEliece’s ~1MB keys.
    • It enables fast decryption while maintaining zero decryption failures in rank-metric implementations.
  • A Safety Net for Cryptographic Diversity: By introducing code-based cryptography, HQC provides a backup if lattice-based schemes, such as ML-KEM, prove weaker than expected.

Challenges & Implementation Considerations

Cryptographic Diversity & Risk Mitigation

  • Systemic Risk Reduction: A major breakthrough against lattice-based schemes would not compromise code-based HQC, ensuring resilience.
  • Regulatory Alignment: Many global cybersecurity frameworks now advocate for algorithmic agility, aligning with HQC’s role.

Trade-offs for Enterprises

  • Larger Key Sizes: HQC keys (~3KB) are larger than ML-KEM keys (~1.6KB), requiring more storage and processing power.
  • Legacy Systems: Organisations must modernise their infrastructure to support code-based cryptography.
  • Upskilling & Training: Engineers will need expertise in error-correcting codes, a different domain from lattice cryptography.

Looking Ahead: Preparing for the Post-Quantum Future

Practical Next Steps for Organisations

  • Conduct a Cryptographic Inventory: Use NIST’s PQC Transition Report to assess vulnerabilities in existing encryption methods.
  • Engage with Security Communities: Industry groups like the PKI Consortium and NIST Working Groups provide guidance on best practices.
  • Monitor Additional Algorithm Standardisation: Algorithms such as BIKE and Classic McEliece may be added in future updates.

Final Thoughts

NIST’s selection of HQC is more than just an academic decision—it is a reminder that cybersecurity is evolving, and businesses must evolve with it. The transition to post-quantum cryptography is not a last-minute compliance checkbox but a fundamental shift in how organisations secure their most sensitive data. Preparing now will not only ensure regulatory compliance but also protect against future cyber threats.

References & Further Reading

Do You Know What’s in Your Supply Chain? The Case for Better Security

Do You Know What’s in Your Supply Chain? The Case for Better Security

By | | Comments 0 Comment

I recently read an interesting report by CyCognito on the top 3 vulnerabilities on third-party products and it sparked my interest to reexamine the supply chain risks in software engineering. This article is an attempt at that.

The Vulnerability Trifecta in Third-Party Products

The CyCognito report identifies three critical areas where third-party products introduce significant vulnerabilities:

  1. Web Servers
    These foundational systems host countless applications but are frequently exploited due to misconfigurations or outdated software. According to the report, 34% of severe security issues are tied to web server environments like Apache, NGINX, and Microsoft IIS. Vulnerabilities like directory traversal or improper access control can serve as gateways for attackers.
  2. Cryptographic Protocols
    Secure communication relies on cryptographic protocols like TLS and HTTPS. Yet, 15% of severe vulnerabilities target these mechanisms. For instance, misconfigurations, weak ciphers, or reliance on deprecated standards expose sensitive data, with inadequate encryption ranking second on OWASP’s Top 10 security threats.
  3. Web Interfaces Handling PII
    Applications that process PII—such as invoices or financial statements—are among the most sensitive assets. Alarmingly, only half of such interfaces are protected by Web Application Firewalls (WAFs), leaving them vulnerable to injection attacks, session hijacking, or data leakage.

Beyond Web Servers: The Hidden Dependency Risks

You control your software stack, but do you actually know what runs beneath those flashy Web/Application servers?

Drawing parallels from my previous article on PyPI and NPM vulnerabilities, it’s clear that open-source dependencies amplify these threats. Attackers exploit the very trust inherent in supply chains, introducing malicious packages or exploiting insecure libraries.

For example:

  • Attackers have embedded malware into popular NPM and PyPI packages, which are then unknowingly incorporated into enterprise-grade software.
  • Dependency confusion attacks exploit naming conventions to inject malicious packages into CI/CD pipelines.

These risks share a core vulnerability with traditional third-party systems: an opaque supply chain with minimal oversight. This is compounded by the ever-decreasing cycle-times for each software releases, giving little to no time for even great Software Engineering teams to doa decent audit and look into the dependency graph of the packages they are building their new, shiny/pointy things that is to transform the world.

Why Software Supply Chain Attacks Persist

As highlighted by Scientific Computing World, software supply chain attacks persist for several reasons:

  • Aggressive GTM Timelines: Most organisations now run quarterly or even monthly product roadmaps, so it is possible to launch a new SaaS product in a matter of days to weeks by leveraging other IaaS, PaaS or SaaS systems – in addition to any Libraries, frameworks and other constructs.
  • Exponential Complexity: With organisations relying on layers of third-party and fourth-party services, the attack surface expands exponentially.
  • Insufficient Oversight: Organisations often focus on securing their environments while neglecting the vendors and libraries they depend on.
  • Lagging Standards: The industry’s inability to enforce stringent security protocols across the supply chain leaves critical gaps.
  • Sophistication of Attacks: From SolarWinds to MOVEit, attackers continually evolve, targeting blind spots in detection and remediation frameworks.

Recommended Steps to Mitigate Supply Chain Threats

To address these vulnerabilities and build resilience, organizations can take the following actionable steps:

1. Map and Assess Dependencies

  • Use tools like Dependency-Track or Sonatype Nexus to map and analyze all third-party and open-source dependencies.
  • Regularly perform software composition analysis (SCA) to detect outdated or vulnerable components.

2. Implement Zero-Trust Architecture

  • Leverage Zero-Trust frameworks like NIST 800-207 to ensure strict authentication and access controls across all systems.
  • Minimize the privileges of third-party integrations and isolate sensitive data wherever possible.

3. Strengthen Vendor Management

  • Evaluate vendor security practices using frameworks like the NCSC’s Supply Chain Security Principles or the Open Trusted Technology Provider Standard (OTTPS).
  • Demand transparency through detailed Service Level Agreements (SLAs) and regular vendor audits.

4. Prioritize Secure Development and Deployment

  • Train your development teams to follow secure coding practices like those outlined in the OWASP Secure Coding Guidelines.
  • Incorporate tools like Snyk or Checkmarx to identify vulnerabilities during the software development lifecycle.

5. Enhance Monitoring and Incident Response

  • Deploy Web Application Firewalls (WAFs) such as AWS WAF or Cloudflare to protect web interfaces.
  • Establish a robust incident response plan using guidance from the MITRE ATT&CK Framework to ensure rapid containment and mitigation.

6. Foster Collaboration

  • Work with industry peers and organizations like the Cybersecurity and Infrastructure Security Agency (CISA) to share intelligence and best practices for supply chain security.
  • Collaborate with academic institutions and research groups for cutting-edge insights into emerging threats.

7. Schedule a No-Obligation Consultation Call with Yours Truly

Struggling with supply chain vulnerabilities or need tailored solutions for your unique challenges? I offer consultation services to work directly with your CTO, Principal Architect, or Security Leadership team to:

  • Assess your systems and identify key risks.
  • Recommend actionable, budget-friendly steps for mitigation and prevention.

With years of expertise in cybersecurity and compliance, I can help streamline your approach to supply chain security without breaking the bank. Let’s collaborate to make your operations secure and resilient.

Schedule Your Free Consultation Today

Building a Resilient Supply Chain

The UK’s National Cyber Security Centre (NCSC) principles for supply chain security provide a pragmatic roadmap for businesses. Here’s how to act:

  1. Understand and Map Dependencies
    Organizations should create a detailed map of all dependencies, including direct vendors and downstream providers, to identify potential weak links.
  2. Adopt a Zero-Trust Framework
    Treat every external connection as untrusted until verified, with continuous monitoring and access restrictions.
  3. Mandate Secure Development Practices
    Encourage or require vendors to implement secure coding standards, frequent vulnerability testing, and robust update mechanisms.
  4. Regularly Audit Supply Chains
    Establish a routine audit process to assess vendor security posture and adherence to compliance requirements.
  5. Proactive Incident Response Planning
    Prepare for the inevitable by maintaining a robust incident response plan that incorporates supply chain risks.

Final Thoughts

The threat of supply chain vulnerabilities is no longer hypothetical—it’s happening now. With reports like CyCognito’s, research into dependency management, and frameworks provided by trusted institutions, businesses have the tools to mitigate risks. However, this requires vigilance, collaboration, and a willingness to rethink traditional approaches to third-party management.

Organisations must act not only to safeguard their operations but also to preserve trust in an increasingly interconnected world. 

Is your supply chain ready to withstand the next wave of attacks?

References and Further Reading

  1. Report Shows the Threat of Supply Chain Vulnerabilities from Third-Party Products – CyCognito
  2. Hidden Threats in PyPI and NPM: What You Need to Know
  3. Why Software Supply Chain Attacks Persist – Scientific Computing World
  4. Principles of Supply Chain Security – NCSC
  5. CyCognito Report Exposes Rising Software Supply Chain Threats

What’s your strategy for managing third-party risks? Share your thoughts in the comments!

Why Do We Need Quantum-Resistant Security Standards?

Why Do We Need Quantum-Resistant Security Standards?

By | | Comments 1 comment

In October 2024, we discussed the profound implications of China’s quantum computing advancements and their potential to disrupt internet security. Quantum computers, with their unparalleled processing power, pose a direct threat to current encryption systems that secure global communications. Since then, the National Institute of Standards and Technology (NIST) has made significant strides in shaping the post-quantum cryptography (PQC) landscape. This follow-up delves into NIST’s recent updates, including finalised standards, transition strategies, and their broader impact on global cybersecurity.

NIST’s Finalised Post-Quantum Encryption Standards

On August 13, 2024, NIST announced the release of its first three finalized post-quantum encryption standards. These standards are foundational for safeguarding electronic information in a quantum-enabled future, addressing key areas such as secure email communications, online transactions, and identity verification.

The standards selected are robust against both classical and quantum attacks, offering a proactive defence against the anticipated rise of quantum threats. While these are groundbreaking, NIST has emphasized the need for rapid adoption, encouraging enterprises and governments alike to begin transitioning their systems to quantum-resistant encryption.

Key highlights:

  • Algorithms: CRYSTALS-Kyber (public key encryption) and CRYSTALS-Dilithium (digital signatures) lead the finalized standards.
  • Applications: These standards are particularly suited for critical applications, such as financial systems, healthcare records, and government communications.

NIST’s Draft Transition Strategy and Timeline

In a draft report released on November 14, 2024, NIST outlined a detailed roadmap for migrating to PQC. This document provides clarity on the timeline and steps necessary to shift from current cryptographic protocols to quantum-resistant ones.

Key Aspects of the Draft:

  1. Transition Timeline:
    • Transition to begin immediately, with milestones for algorithm implementation by 2026.
    • Full adoption in federal systems is targeted by 2030, though enterprises are urged to act sooner.
  2. Evaluation and Risk Management:
    • A phased approach to identify and replace quantum-vulnerable systems.
    • Focus on testing and interoperability with existing infrastructure.
  3. Public Review Period:
    • The draft is open for comments until January 10, 2025, ensuring that the strategy incorporates diverse perspectives from industry leaders, academia, and government.

Guidance for Federal Agencies and Enterprises

To aid the transition, NIST has issued specific guidance tailored for federal agencies and private organizations:

  • Quantum Risk Assessments: Organizations must inventory their cryptographic systems and identify components vulnerable to quantum decryption.
  • Pilot Programs: Encouraged for testing quantum-resistant algorithms in controlled environments.
  • Training and Awareness: Enterprises need to upskill their workforce to understand and implement PQC effectively.

This proactive approach aligns with Executive Order 14028 on improving national cybersecurity, which mandates the adoption of innovative security measures across federal systems.

Enterprises Must Act Faster

While NIST has provided a structured timeline, cybersecurity experts warn that enterprises cannot afford to wait until the final deadlines. The development of practical quantum computers may outpace current expectations, leaving vulnerable systems exposed.

Recommendations for Enterprises:

  1. Prioritise Cryptographic Inventories: Develop a clear understanding of where cryptography is used and its quantum vulnerability.
  2. Develop a Migration Plan: Incorporate NIST’s guidance to create a tailored transition strategy.
  3. Collaborate with Vendors: Work with software and hardware providers to ensure seamless updates and integrations of PQC algorithms.

Global Implications and Call to Action

The transition to PQC is not just a technical challenge but a global imperative. With quantum computing breakthroughs occurring across nations, adopting quantum-resistant standards is essential for maintaining the integrity of digital systems. Organizations worldwide must:

  • Collaborate to ensure interoperability of PQC standards across borders.
  • Share best practices and innovations to accelerate the global transition.
  • Support research in next-generation cryptographic techniques to stay ahead of emerging threats.

Conclusion

NIST’s efforts in finalizing post-quantum encryption standards and drafting a comprehensive transition strategy mark a pivotal moment in cybersecurity. However, these initiatives are only as effective as their adoption. Governments, enterprises, and individuals must take urgent steps to align with these standards and safeguard their digital assets against the looming threat of quantum-powered attacks.

For further insights into how quantum computing advancements could reshape internet security, revisit our previous discussion: How Will China’s Quantum Advances Change Internet Security?.

References & Further Reading: 

  1. NIST IR 8547 – https://csrc.nist.gov/pubs/ir/8547/ipd
  2. NIST IR 8413 – https://nvlpubs.nist.gov/nistpubs/ir/2022/NIST.IR.8413.pdf
  3. Dilithium – https://pq-crystals.org/dilithium/
  4. Falcon – https://falcon-sign.info/
  5. PHINCS+ – https://sphincs.org/ 
  6. Trapdoor for hard Lattices in Cryptographic Constructs – https://eprint.iacr.org/2007/432 (Must read if you’re a programmer and interested in exploring Lattices) 
  7. Lattice-based cryptography – Chris Peikert, Georgia Institute of Tech – https://web.eecs.umich.edu/~cpeikert/pubs/slides-abit4.pdf
  8. Additional Source Codes to Explore – https://github.com/regras/labs  (This project is a Proof of Concept (PoC), about an Attribute-Based Signature scheme using lattices.)
Bitnami