The following provides an introduction to what is going on with Post-Quantum Cryptography (PQC) at the moment and outlines what it might entail to get ready for PQC, certificate issuance and digital signatures, and crypto agility.
What is Post-Quantum Cryptography about?
For Public Key Infrastructure (PKI), the eventual arrival of quantum computers is going to mean that most of the algorithms we currently rely on are no longer secure. According to the National Institute of Standards and Technology (NIST):
The goal of post-quantum cryptography is to develop cryptographic systems that are secure against both quantum and classical computers and can interoperate with existing communications protocols and networks.
The question of when a large-scale quantum computer will be built is a complicated one. At the moment, estimates put the arrival of "meaningful" (at least in this sense) quantum computers at around 2030 or soon after.
What is going on with Post-Quantum Cryptography at the moment?
The primary thing taking place right now is the NIST Post-Quantum Competition, which is coming to the end of its "final" stage. We say "final" as there are already plans to have another stage looking at signature algorithms. It is expected that when all the stages are complete, there will be a set of new NIST standards describing algorithms which will continue to be robust when quantum computers become available.
When will the initial standards from the Post-Quantum Cryptography (PQC) Competition be published?
NIST has stated that the new standards will be released in 2024. There is also a signature standard available now, SP 800-208, which provides parameters for use with XMSS and LMS. SP 800-208 should really be looked at as a stopgap as both XMSS and LMS are regarded as complex to make use of safely.
Has no one actually implemented the PQC finalists and alternate candidates yet?
That is correct. We will not know what the final parameters, configurations, and, possibly, even what the exact outputs will look like before 2024 which is NIST's target date for the final publication of the standards. Bouncy Castle already provides support for XMSS and LMS and is planning to provide initial implementations of the NIST PQC finalists and the alternate candidates as the submissions are finalized (SPHINCS+, FrodoKEM, Classic McEliece, and SABER are now in BC). Even there, we stress these will be candidate implementations, there may and, more likely will be differences between the final candidate algorithms and the final standards so while these implementations will be useful for experimentation and testing, they are not necessarily suitable for production. Until NIST publishes the final standards everything should be considered as changeable.
The following sections strategize on getting ready and explore challenges in the following areas:
- Certificate Issuance and Digital Signatures
- Crypto Agility
Cryptography in the majority of Keyfactor products is implemented in the Bouncy Castle crypto APIs and in Hardware Security Modules (HSMs). In the area of cryptography, several considerations are reasonable to consider.
What should you be doing now?
Trying the new algorithms out as final candidate implementations become available, while there are likely to be some differences with the final standards, the characteristics of the algorithms are unlikely to change. You will find the key sizes, signature sizes, and, in some cases, even the key usages are different from what we are all familiar with. All these things are likely to have long-term effects on resourcing, design, protocols, and performance. That said, the US Government has already indicated that they will expect vendors to be moving to these algorithms when standards are available, and other Governments and sectors in the Enterprise market will likely do likewise. It does not hurt to prepare now rather than face an unpleasant surprise in the future!
2030 is a bit close! What about your PKI? You need a trust anchor that will live well beyond 2030.
There are also two existing Post-Quantum signature standards, LMS and XMSS, which are already standardized by both NIST (SP 800-208) and the IETF (RFC 8554 and RFC 8391). While these algorithms are secure in themselves, the NIST standard mandates the use of an HSM as the algorithms are stateful, meaning that with each signature performed, the state of private must change slightly. Using the same state of the private key twice will jeopardize the security of the algorithm. Bouncy Castle added support for LMS in BC 1.65, and XMSS in BC 1.68. LMS also has a full CMS/certificate profile defined in RFC 8708, this makes it suitable for use in certificates, S/MIME, and TSP. Support for this was also added in BC 1.70. If you are looking for a solution today, the LMS signature scheme is likely your best choice.
Bouncy Castle has also started adding LMS to the BCFIPS APIs, it will appear in BC-FJA 2.0.0, but the algorithm will only ever be certified for signature verification, due to the NIST HSM requirements for stateful algorithms.
Certificate Issuance and Digital Signatures
Certificate issuance and digital signatures can be accomplished using Post Quantum cryptography algorithms.
What is Keyfactor looking at for Digital Signatures?
Code signing based on SignServer using the post-quantum SPHINCS+ algorithm through Bouncy Castle allows you to try out creating post-quantum keys and signatures. The use case is to demonstrate Post-Quantum Cryptography (PQC) code signing based on PQC CA hierarchy in IoT applications, as it is expected to be one of the first areas where PQC is applied. The experimental support is suited for proof-of-concept implementations, for instructions on how to try it out, see Post-Quantum Code Signing How-to.
Other signing use cases like code signing for general-purpose platforms and document signing for public validation depend on the updated PKI ecosystem for these use cases where LMS, standardized in SP 800-208 may be the most production-ready.
What is Keyfactor looking at for Certificate Authorities?
We recommend creating a separate PQC CA hierarchy, much like is already standard for RSA and EC. We currently do not see the need for hybrid certificates on the market for most use cases.
The current plan is to implement PQC PKI when made official by NIST and perform Proof of Concepts when needed. For interoperability, there is a need for protocol standardization for X.509, CMS, and other protocols for efficient usage. To date, this standardization has only happened for LMS, for example in RFC 8708, making LMS the most well-covered algorithm in SP 800-208.
For this reason, for any production use today, we are recommending LMS for use as a trust anchor, with more conventional algorithms for CA and End Entity certificates for now. Keep in mind that if you want to use this in a FedRAMP situation, you will need to take advantage of HSM support as well, for which there is yet no standardized API (PKCS#11 and/or REST), so it will require the use of some proprietary API.
As the time to roll out new algorithms gets closer, it is wise to establish a high level of crypto agility in your organization. This is already needed for the use of classic cryptography (even if Quantum never becomes a legitimate threat), as the SHA-1 migration and other incidents have shown in recent years.
Effective “crypto agility” means that to be able to act on a large scale, you need to know where you need to act. Being crypto agile involves factors such as:
- Having an inventory of keys, certs and algorithms in use.
- Automation and compartmentalization - to better be able to make changes and reduce side effects.
- Shorter validity - making agility mandatory in products and solutions.
It involves so much more than changing an algorithm name - and these are all topics that Keyfactor can help you with.
We are happy to explore with our users the more general use of LMS, but keep in mind that representatives of NIST, and several others, have affirmed that the risks associated with stateful hash-based schemes mean they are best suited for long term keys and low-frequency usages. While TSP is another possible candidate for LMS, consideration should also be given to the use of Archive Timestamps which offer a real long-term solution. Other candidate algorithms are being implemented bottom-up and can be available for experiments in near future.
Again, it all depends on what you are trying to do, so feel free to ask, we are here to help.
Blog - Three key takeaways from the Real World Crypto Symposium
Read this blog by Keyfactor's David Hook to learn his three key takeaways from the 2022 Real World Crypto (RWC) Symposium in Amsterdam, see Three key takeaways from the Real World Crypto Symposium.