U.S. NIST Publishes Draft Guidance
NEWS
In November 2024, the U.S. National Institute of Standards and Technology (NIST) published draft guidance (NIST IR 8547) on the transition to Post-Quantum Cryptography (PQC) standards. Hot on the heels of its recently announced PQC standards, ML-DSA (FIPS 204), SLH-DSA (FIPS 205) and ML-KEM (FIPS 203), NIST is setting a clear migration timeline for adoption of these (and eventual other) PQC standards. The key announcement, however, concerns the RSA and ECC algorithms, which will be effectively deprecated after 2030.
Drawing a Line in the Sand
IMPACT
This announcement is a significant one. RSA is the most widely used algorithm for digital signatures and certificates, deployed globally in everything from web browsers to Virtual Private Networks (VPNs) to Transport Layer Security (TLS). It is the primary algorithm used in SSH, S/MIME and OpenPGP. ECC is the alternative, more efficient algorithm that is increasingly preferred over RSA. However, the future of both is sealed, as NIST is effectively designating their end of life in this guidance document. In large part, this is because they are vulnerable to cryptanalysis by a Cryptographically Relevant Quantum Computer (CRQC), whose advent is expected potentially as early as 2030. Yet NIST is not waiting for a commercially viable CRQC to emerge; now that it has a first set of published PQC standards, it is essentially driving for migration to these by 2035, at which point RSA and ECC will be disallowed.
The timeline might seem generous, but it is in fact very tight given the endeavor. Cryptographic algorithms, especially asymmetric ones like RSA and ECC, underpin virtually all trust-based infrastructure: payment transactions, authentication mechanisms, secure communications, data protection, and the list goes on. And while NIST is a U.S.-based federal entity, the digital economy is borderless. Digital continuity will require most of the world to follow suit. In practice, NIST's influence in cryptographic standard setting is already global, and most countries tend to follow NIST guidance in this space; the PQC process has been no exception.
The NIST document, once finalized, will accelerate the global transition to PQC. While the U.S. National Security Agency (NSA) and a few select countries in Europe and Asia-Pacific have made their own timeline recommendations, most of these are directed at national security systems. NIST standards, and in particular RSA and ECC, are globally recognized and used for all commercial and non-commercial ends. The timeline for deprecation will, therefore, have a global effect.
Starting the PQC Migration Now
RECOMMENDATIONS
Organizations should start planning their PQC migration today. However, this is a challenging and laborious affair, especially given the complexity of the matter at hand. Most organizations don't understand cryptography well, but they will need to start educating themselves. How much are they at risk? What do they need to know? What should their first step be? These are the questions being asked today, and PQC vendors should be focused on educating their audience and helping them assess their cryptographic posture. Determining risk involves discovering crypto assets (which algorithms and key sizes are in use, and where) and building an inventory of them. Only then can remediation proposals be made. These initial steps will form the first phase of the Post-Quantum (PQ) transition. Software, application and hardware security vendors should ensure that they can provide those capabilities if they want their solutions adopted during the second phase of migration, in which organizations will start testing and integrating PQ-safe technologies into their systems and processes. Indeed, five years seems a short time for such a transition, and NIST is right to push. CRQC will be a reality; being quantum-safe will be crucial when faced with the fait accompli.
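The discovery-and-inventory step described above, as an added example that is not taken from the article: it parses OpenSSH public-key lines (SSH being one of the RSA-dependent protocols mentioned) into algorithm and key size, then rates each key against the IR 8547 draft timeline as the article states it (RSA/ECC deprecated after 2030, disallowed after 2035). The set of key types, the year thresholds and the constructed sample keys are assumptions of this example.

```python
import base64
import struct
ECC_TYPES = ("ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-ed25519")

def _ssh_string(data):
    """Encode bytes as an SSH length-prefixed string (RFC 4251 wire format)."""
    return struct.pack(">I", len(data)) + data

def _mpint(x):
    """Encode a non-negative integer as an SSH mpint (leading 0x00 when the high bit is set)."""
    return _ssh_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))

def _read_string(blob, off):
    """Decode one SSH string at offset `off`; return (value, offset after it)."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def parse_ssh_public_key(line):
    """Return (key_type, key size in bits) for one OpenSSH public-key line."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError("key type inside blob does not match the line prefix")
    if key_type == "ssh-rsa":
        _e, off = _read_string(blob, off)  # public exponent e (mpint), not needed here
        n, _ = _read_string(blob, off)     # modulus n (mpint); its bit length is the key size
        return key_type, int.from_bytes(n, "big").bit_length()
    if key_type.startswith("ecdsa-sha2-nistp"):
        return key_type, int(key_type[-3:])  # curve size is part of the type name
    if key_type == "ssh-ed25519":
        return key_type, 256
    return key_type, None

def classify(key_type, year):
    """Status of RSA/ECC under the IR 8547 draft: deprecated after 2030, disallowed after 2035."""
    if key_type == "ssh-rsa" or key_type in ECC_TYPES:
        return "allowed" if year <= 2030 else "deprecated" if year <= 2035 else "disallowed"
    return "unknown"

def inventory(lines, year):
    """The discovery-and-inventory step: one (type, bits, status) record per key line."""
    return [(t, bits, classify(t, year)) for t, bits in map(parse_ssh_public_key, lines)]

# Constructed sample keys: an arbitrary 2048-bit odd integer stands in for the RSA
# modulus and a dummy point for the P-256 key (placeholder values, not real key material).
SAMPLE_KEYS = [
    "ssh-rsa " + base64.b64encode(_ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << 2047) | 1)).decode() + " svc@host",
    "ecdsa-sha2-nistp256 " + base64.b64encode(_ssh_string(b"ecdsa-sha2-nistp256") + _ssh_string(b"nistp256")
                                              + _ssh_string(b"\x04" + b"\x01" * 64)).decode() + " ops@host",
]
```

Running `inventory(SAMPLE_KEYS, 2036)` over real authorized_keys or known_hosts files gives the per-key status a migration inventory needs; the same classification can be applied to certificates or TLS configurations once their algorithms have been extracted.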