Review & Commentary: NIST Whitepaper Achieving Crypto Agility


Posted by Sandip Dholakia

The National Institute of Standards and Technology (NIST) released the initial public draft of Cybersecurity Whitepaper (CSWP) 39, Considerations for Achieving Cryptographic Agility: Strategies and Practices, which discusses the what, why, and how of cryptographic agility.

The agile approach to software development is not new. IT professionals have embraced the agile methodology for a very long time, but cryptography was treated as a stepchild because of the complexity involved. Thanks to the looming threat of quantum computers, the concept of agility is finally gaining momentum in the cryptographic realm. Modern cryptography made its way to the business world with the introduction of Lucifer in the 1960s. Since then, cryptography has become integral to business and personal transactions. However, cryptographic agility was not a significant concern until recently.

The NIST whitepaper aims to discuss the challenges faced and propose approaches to implementing crypto agility. The whitepaper can be divided into three primary sections: Introduction to Crypto Agility (what), Challenges in Cryptographic Transitions (why), and Implementation (how).

What is Crypto Agility?

No matter how robust the cryptography primitives are, eventually, they are replaced with a newer version—either because of vulnerability, technological advancement, or both. Replacing or enhancing the cryptography algorithm takes time—NIST standardized AES in 2001, but DES was still used almost two decades later. Upgrades from TLSv1.1 to TLSv1.3 are ongoing, and the SHA1 to SHA2 migration is still incomplete. These examples highlight two facts: that change is inevitable, and cryptographic changes take time.

Change is inevitable, but crypto agility can help; that is the focus of the whitepaper.

NIST defines crypto agility as follows: “Cryptographic (crypto) agility describes the capabilities needed to replace and adapt cryptographic algorithms for protocols, applications, software, hardware, and infrastructures without interrupting the flow of a running system in order to achieve resiliency.”

Why is Crypto Agility Needed?

The simple answer is that there are many challenges in cryptographic transitions. Cryptographic transitions are like kidney stones—no matter how painful they are, we must pass them! Updates to cryptography algorithms and protocols are challenging but necessary. The NIST whitepaper identifies three key challenges:

  • Backward Compatibility: The lack of backward compatibility is one primary reason weaker cryptography primitives have survived for a long time. The NIST whitepaper explains this with an example of the SHA1 to SHA2 transition. SHA1 has been used in signatures in many protocols, so backward compatibility must be considered before switching over to SHA2. 
  • Constant Need for Transition: Technological advancement forces frequent algorithm transitions. The key size has to be increased every time a more efficient, faster computer comes around. Key size and other configuration changes require cryptography transitions. The whitepaper proves this point with an example of RSA modulus size. It was 1024 in 2000 and doubled in 2013 to 2048, thanks to an increase in computing power.
  • Resource and Performance Challenges: Upgrading to newer algorithms often requires extra computing power and network speed. Transitioning to better, bigger primitives degrades the performance if the system resources do not support it. The whitepaper discusses this point with an example of transitioning to the ML-DSA algorithm.

How to Implement Crypto Agility?

Strategies for implementing crypto agility include a variety of approaches. First, modular cryptography implementation enables developers to modify or replace necessary components without touching other parts of the implementation. Second, hybrid implementation wraps a PQC algorithm together with a conventional primitive, so that the conventional primitive provides security now and the PQC primitive provides it in the future. Third, automated discovery and management avoid manual work and potential human error. Lastly, the whitepaper also encourages the use of APIs to make the primitives easy to transition.
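The modular and API-based approaches, together with the backward-compatibility challenge described earlier, can be illustrated with a small added example; it is not code from the NIST whitepaper or from this post. The registry, policy, and function names are hypothetical, and HMAC stands in for whatever primitive a real system would protect data with.

```python
import hashlib
import hmac

# Hypothetical registry: algorithm id -> MAC function. Adding or retiring an
# algorithm changes this table and the policy below, never the callers.
REGISTRY = {
    "hmac-sha1": lambda key, msg: hmac.new(key, msg, hashlib.sha1).digest(),
    "hmac-sha256": lambda key, msg: hmac.new(key, msg, hashlib.sha256).digest(),
    "hmac-sha512": lambda key, msg: hmac.new(key, msg, hashlib.sha512).digest(),
}

# Policy is data: what new tags use, and what is still accepted on verify.
POLICY = {"create": "hmac-sha256", "accept": {"hmac-sha1", "hmac-sha256"}}


def protect(key, msg, policy=POLICY):
    """Return 'alg$hex-tag'; the algorithm id travels with the tag."""
    alg = policy["create"]
    return f"{alg}${REGISTRY[alg](key, msg).hex()}"


def verify(key, msg, envelope, policy=POLICY):
    """Verify a tag, rejecting unknown or no-longer-accepted algorithms."""
    alg, _, tag_hex = envelope.partition("$")
    if alg not in policy["accept"] or alg not in REGISTRY:
        return False
    try:
        tag = bytes.fromhex(tag_hex)
    except ValueError:
        return False
    return hmac.compare_digest(REGISTRY[alg](key, msg), tag)


def migrate(key, msg, envelope, policy=POLICY):
    """Re-protect a valid legacy envelope under the current 'create' algorithm."""
    if not verify(key, msg, envelope, policy):
        raise ValueError("refusing to migrate an envelope that does not verify")
    if envelope.startswith(policy["create"] + "$"):
        return envelope
    return protect(key, msg, policy)


if __name__ == "__main__":
    key, msg = b"k" * 32, b"invoice 42"  # constructed sample values
    legacy = "hmac-sha1$" + hmac.new(key, msg, hashlib.sha1).hexdigest()
    print(migrate(key, msg, legacy).split("$")[0])
```

Once all stored envelopes have been migrated, removing `hmac-sha1` from the `accept` set retires the legacy algorithm without touching any calling code.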

Commentary

The NIST whitepaper CSWP 39, Considerations for Achieving Cryptographic Agility: Strategies and Practices, gives a comprehensive overview of the challenges in cryptographic transition and available approaches. Since the “Harvest Now, Decrypt Later” attack vector is already on the radar, guidance on cryptographic transition is more necessary than ever. The paper is at the right time and in the right place.

The whitepaper lacks step-by-step implementation guidance and discusses crypto agility only in relation to the PQC transition. Crypto agility should be an ongoing process regardless of PQC. Nonetheless, this is a timely step in the right direction by NIST. NIST encouraged the cryptography community to provide comments on the initial draft by April 30, 2025, and invited discussions among stakeholders, and the community looks forward to the draft’s publication to help keep the momentum going.

Contributors
Sandip Dholakia

Principal Security Architect, Co-Chair Cryptography CoE, SAP America
