The following provides an introduction to what is going on with Post-Quantum Cryptography (PQC) at the moment and outlines what getting ready for PQC might entail in three areas: cryptography, certificate issuance and digital signatures, and crypto agility.


What is Post-Quantum Cryptography about?

For Public Key Infrastructure (PKI), the eventual arrival of quantum computers is going to mean that most of the algorithms we currently rely on are no longer secure. According to the National Institute of Standards and Technology (NIST):

The goal of post-quantum cryptography is to develop cryptographic systems that are secure against both quantum and classical computers and can interoperate with existing communications protocols and networks.

The question of when a large-scale quantum computer will be built is a complicated one. At the moment, estimates put the arrival of "meaningful" (at least in this sense) quantum computers at around 2030 or soon after.

What is going on with Post-Quantum Cryptography at the moment?

The primary thing taking place right now is the NIST Post-Quantum Competition, which is coming to the end of its "final" stage. We say "final" as there are already plans to have another stage looking at signature algorithms. It is expected that when all the stages are complete, there will be a set of new NIST standards describing algorithms which will continue to be secure when quantum computers become available.

When will the initial standards from the Post-Quantum Cryptography (PQC) Competition be published?

NIST has stated that the new standards will be released in 2024. There is also a signature standard available now, SP 800-208, which provides parameters for use with XMSS and LMS. SP 800-208 should really be looked at as a stopgap as both XMSS and LMS are regarded as complex to make use of safely. In order to start looking into post-quantum cryptography, the NIST standardization process is the recommended path.

Has no one actually implemented the NIST PQC final standards yet?

That is correct. We will not know the final parameters and configurations, and possibly not even the exact outputs, before 2024, which is NIST's target date for the final publication of the standards. Bouncy Castle already provides support for the candidate algorithms, as they are specified today, as well as for XMSS and LMS. Even there, we stress that these are candidate implementations: there will almost certainly be differences between the candidate algorithms and the final standards, so while these implementations are useful for experimentation and testing, they are not necessarily suitable for production. Until NIST publishes the final standards, everything should be considered changeable.

Post-Quantum Readiness

The following sections outline how to get ready and explore the challenges in the following areas:

  • Cryptography
  • Certificate Issuance and Digital Signatures
  • Crypto Agility


Cryptography in the majority of Keyfactor products is implemented in the Bouncy Castle crypto APIs and in Hardware Security Modules (HSMs). In the area of cryptography, several considerations are worth bearing in mind.

What should you be doing now?

Try the new algorithms out as candidate implementations become available. While there are likely to be some differences from the final standards, the characteristics of the algorithms are unlikely to change. You will find the key sizes, signature sizes, and, in some cases, even the key usages are different from what we are all familiar with. All these things are likely to have long-term effects on resourcing, design, protocols, and performance. That said, governments worldwide have already indicated that they will expect vendors to be moving to these algorithms when standards are available, and sectors in the Enterprise market will likely do likewise. It does not hurt to prepare now rather than face an unpleasant surprise in the future!

2030 is a bit close! What about your PKI? You need a trust anchor that will live well beyond 2030.

There are also two existing post-quantum signature standards, LMS and XMSS, which are already standardized by both NIST (SP 800-208) and the IETF (RFC 8554 and RFC 8391). While these algorithms are secure in themselves, the NIST standard mandates the use of an HSM because the algorithms are stateful: with each signature performed, the state of the private key must change (in fact, a new one-time key from a tree of keys is consumed). Using the same state of the private key twice completely breaks the security of the algorithm. Bouncy Castle added support for LMS in BC 1.65 and XMSS in BC 1.68. LMS also has a full CMS/certificate profile defined in RFC 8708, which makes it possible to use in certificates, S/MIME, and TSP; support for this was added in BC 1.70.

Bouncy Castle has added LMS to the BCFIPS APIs; it will appear in BC-FJA 2.0.0, but the algorithm will only ever be certified for signature verification, due to the NIST HSM requirements for stateful algorithms.

If you are looking for a solution today in 2023, the LMS or XMSS signature schemes are likely your only choice. Most implementing organizations do not, however, recommend using LMS due to the complexity of state management. All it takes for security to be compromised is one mistake or flaw during the whole lifetime of the key, which may be 10 or 20 years.
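To make the state-handling rule concrete, here is an added example (not Keyfactor's or Bouncy Castle's own code) that signs with LMS through the Bouncy Castle lightweight API, shows the private-key state advancing after every signature, and carves off a bounded key shard for a signing process. It assumes bcprov 1.65 or later on the classpath and the parameter-set and class names of that API as shipped there; the file names being signed are constructed.

```java
// Added example, not Keyfactor's or Bouncy Castle's own code.
// Assumes bcprov (1.65+) on the classpath.
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;

import org.bouncycastle.crypto.AsymmetricCipherKeyPair;
import org.bouncycastle.pqc.crypto.lms.LMOtsParameters;
import org.bouncycastle.pqc.crypto.lms.LMSKeyGenerationParameters;
import org.bouncycastle.pqc.crypto.lms.LMSKeyPairGenerator;
import org.bouncycastle.pqc.crypto.lms.LMSParameters;
import org.bouncycastle.pqc.crypto.lms.LMSPrivateKeyParameters;
import org.bouncycastle.pqc.crypto.lms.LMSPublicKeyParameters;
import org.bouncycastle.pqc.crypto.lms.LMSSigner;
import org.bouncycastle.pqc.crypto.lms.LMSigParameters;

public class LmsStateDemo {

    public static void main(String[] args) {
        // A tiny tree (height 5) gives 2^5 = 32 one-time keys. Real deployments use
        // larger trees, but the state-handling rules are exactly the same.
        LMSKeyPairGenerator kpg = new LMSKeyPairGenerator();
        kpg.init(new LMSKeyGenerationParameters(
            new LMSParameters(LMSigParameters.lms_sha256_n32_h5, LMOtsParameters.sha256_n32_w4),
            new SecureRandom()));
        AsymmetricCipherKeyPair kp = kpg.generateKeyPair();
        LMSPrivateKeyParameters priv = (LMSPrivateKeyParameters) kp.getPrivate();
        LMSPublicKeyParameters pub = (LMSPublicKeyParameters) kp.getPublic();

        System.out.println("usages remaining at start: " + priv.getUsagesRemaining());

        // Constructed message names standing in for firmware images.
        byte[] sig1 = sign(priv, "firmware-1.0.bin");
        byte[] sig2 = sign(priv, "firmware-1.1.bin");
        // The private key object has mutated: its leaf index moved on and the budget shrank.
        System.out.println("leaf index now: " + priv.getIndex()
            + ", usages remaining: " + priv.getUsagesRemaining());

        // State-management pattern: carve off a shard of N one-time keys for a signing
        // process. The parent key has those leaves marked as used from this point on and
        // must be persisted in that form before the shard is handed out.
        LMSPrivateKeyParameters shard = priv.extractKeyShard(4);
        System.out.println("parent usages remaining after shard: " + priv.getUsagesRemaining());
        System.out.println("shard usages remaining: " + shard.getUsagesRemaining());

        byte[] sig3 = sign(shard, "firmware-1.2.bin");
        System.out.println("verify sig1: " + verify(pub, "firmware-1.0.bin", sig1));
        System.out.println("verify sig2: " + verify(pub, "firmware-1.1.bin", sig2));
        System.out.println("verify sig3 (from shard): " + verify(pub, "firmware-1.2.bin", sig3));
        // A signature checked against a modified message must fail.
        System.out.println("verify tampered: " + verify(pub, "firmware-1.2.bin.modified", sig3));
    }

    // Never sign with an exhausted key: check the remaining budget before every signature
    // rather than relying on the library throwing once the tree is used up.
    static byte[] sign(LMSPrivateKeyParameters key, String message) {
        if (key.getUsagesRemaining() == 0) {
            throw new IllegalStateException("LMS key exhausted: generate a new key, never rewind state");
        }
        LMSSigner signer = new LMSSigner();
        signer.init(true, key);
        return signer.generateSignature(message.getBytes(StandardCharsets.UTF_8));
    }

    static boolean verify(LMSPublicKeyParameters key, String message, byte[] signature) {
        LMSSigner verifier = new LMSSigner();
        verifier.init(false, key);
        return verifier.verifySignature(message.getBytes(StandardCharsets.UTF_8), signature);
    }
}
```

The budget check before each signature and the shard hand-off are the two controls that matter in practice. The parent key must be written to durable storage with the shard's leaves already marked as used before the shard is released; restoring an older copy of the key from a backup, or running two signers from the same copy, replays leaves and is precisely the one-time-key reuse that breaks the scheme.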

Certificate Issuance and Digital Signatures

Certificate issuance and digital signatures can be accomplished using Post Quantum cryptography algorithms.

What is Keyfactor looking at for Digital Signatures?

Code signing based on SignServer using the post-quantum SPHINCS+ and Dilithium algorithms through Bouncy Castle allows you to try out creating post-quantum keys and signatures. The use case is to demonstrate Post-Quantum Cryptography (PQC) code signing based on a PQC CA hierarchy in IoT applications, as this is expected to be one of the first areas where PQC is applied. The experimental support is suited for proof-of-concept implementations; for instructions on how to try it out, see Post-Quantum Code Signing How-to.
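The earlier advice to try the candidate algorithms out and take note of their key and signature sizes, and the Dilithium code-signing use case above, can both be exercised with the following added example (not SignServer's or Bouncy Castle's own code). It generates an EC P-256 and a Dilithium2 key pair, signs and verifies a constructed message with each, and prints the encoded key and signature sizes side by side, which is where the resourcing and protocol impact first shows up. It assumes bcprov 1.73, where Dilithium is served by the "BCPQC" provider under that algorithm name with DilithiumParameterSpec; those names may change with the final standard.

```java
// Added example, not SignServer's or Bouncy Castle's own code.
// Assumes bcprov 1.73 (Dilithium in the BCPQC provider).
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Security;
import java.security.Signature;
import java.security.spec.ECGenParameterSpec;

import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.pqc.jcajce.provider.BouncyCastlePQCProvider;
import org.bouncycastle.pqc.jcajce.spec.DilithiumParameterSpec;

public class PqcSizeComparison {

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        Security.addProvider(new BouncyCastlePQCProvider());

        // Constructed stand-in for a firmware image; real code signing hashes the artifact.
        byte[] message = "firmware-image-bytes".getBytes(StandardCharsets.UTF_8);

        // Classical baseline everyone is used to sizing for.
        KeyPairGenerator ecGen = KeyPairGenerator.getInstance("EC", "BC");
        ecGen.initialize(new ECGenParameterSpec("P-256"));
        report("ECDSA P-256", ecGen.generateKeyPair(), "SHA256withECDSA", "BC", message);

        // PQC candidate (Dilithium, NIST security level 2 parameter set).
        KeyPairGenerator dilGen = KeyPairGenerator.getInstance("Dilithium", "BCPQC");
        dilGen.initialize(DilithiumParameterSpec.dilithium2);
        report("Dilithium2", dilGen.generateKeyPair(), "Dilithium", "BCPQC", message);
    }

    // Sign, verify, and print the encoded sizes that end up in certificates, CMS
    // structures and on the wire.
    static void report(String label, KeyPair kp, String sigAlg, String provider, byte[] message)
        throws Exception {
        Signature signer = Signature.getInstance(sigAlg, provider);
        signer.initSign(kp.getPrivate());
        signer.update(message);
        byte[] sig = signer.sign();

        Signature verifier = Signature.getInstance(sigAlg, provider);
        verifier.initVerify(kp.getPublic());
        verifier.update(message);
        boolean ok = verifier.verify(sig);

        System.out.printf("%-12s public key %5d bytes, private key %5d bytes, signature %5d bytes, verifies=%b%n",
            label,
            kp.getPublic().getEncoded().length,
            kp.getPrivate().getEncoded().length,
            sig.length,
            ok);
    }
}
```

Run it once and feed the printed sizes into the places that silently assume small keys: certificate and CRL sizes, TLS handshake records, firmware header layouts, HSM key-object limits, and database column widths for stored signatures.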

Other signing use cases, such as code signing for general-purpose platforms and document signing for public validation, depend on the PKI ecosystem for those use cases being updated first.

What is Keyfactor looking at for Certificate Authorities?

We first recommend creating a separate PQC CA hierarchy, much as is already standard practice for separate RSA and EC hierarchies. We follow the development of hybrid certificates, such as X.509 alternative signatures, which have been implemented in Bouncy Castle since version 1.73.
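As an added illustration of what a hybrid certificate looks like in code (not Keyfactor's or Bouncy Castle's own code), the example below builds a self-signed test certificate carrying a classical ECDSA signature as the primary signature and a Dilithium2 signature in the X.509 alternative-signature extensions, then checks each with the kind of verifier that would understand it. It assumes the bcpkix 1.73 API shape: X509v3CertificateBuilder.build(signer, isCritical, altSigner), X509CertificateHolder.isAlternativeSignatureValid(...), the Extension.subjectAltPublicKeyInfo identifier and the SubjectAltPublicKeyInfo ASN.1 class, plus Dilithium in the "BCPQC" provider. The subject name is constructed.

```java
// Added example, not Keyfactor's or Bouncy Castle's own code.
// Assumes bcprov + bcpkix 1.73 (alternative-signature API and BCPQC Dilithium).
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Security;
import java.security.spec.ECGenParameterSpec;
import java.util.Date;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.SubjectAltPublicKeyInfo;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.ContentVerifierProvider;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.pqc.jcajce.provider.BouncyCastlePQCProvider;
import org.bouncycastle.pqc.jcajce.spec.DilithiumParameterSpec;

public class HybridCertDemo {

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        Security.addProvider(new BouncyCastlePQCProvider());

        KeyPairGenerator ecGen = KeyPairGenerator.getInstance("EC", "BC");
        ecGen.initialize(new ECGenParameterSpec("P-256"));
        KeyPair ecKp = ecGen.generateKeyPair();

        KeyPairGenerator dilGen = KeyPairGenerator.getInstance("Dilithium", "BCPQC");
        dilGen.initialize(DilithiumParameterSpec.dilithium2);
        KeyPair dilKp = dilGen.generateKeyPair();

        X500Name name = new X500Name("CN=PQC Test Root (constructed example)");
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + 365L * 24 * 60 * 60 * 1000);

        // The primary key and signature stay classical so that legacy validators still
        // work; the PQC key and signature ride along in extensions they can ignore.
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
            name, BigInteger.ONE, notBefore, notAfter, name, ecKp.getPublic());
        builder.addExtension(Extension.subjectAltPublicKeyInfo, false,
            new SubjectAltPublicKeyInfo(SubjectPublicKeyInfo.getInstance(dilKp.getPublic().getEncoded())));

        ContentSigner ecSigner = new JcaContentSignerBuilder("SHA256withECDSA")
            .setProvider("BC").build(ecKp.getPrivate());
        ContentSigner dilSigner = new JcaContentSignerBuilder("Dilithium2")
            .setProvider("BCPQC").build(dilKp.getPrivate());

        // isCritical=false: a validator that does not know the alt-signature extensions
        // must still be able to accept the certificate on its primary signature.
        X509CertificateHolder cert = builder.build(ecSigner, false, dilSigner);

        // A classical validator checks only the ECDSA signature ...
        ContentVerifierProvider ecVerifier = new JcaContentVerifierProviderBuilder()
            .setProvider("BC").build(ecKp.getPublic());
        // ... while a PQC-aware validator additionally checks the Dilithium signature.
        ContentVerifierProvider dilVerifier = new JcaContentVerifierProviderBuilder()
            .setProvider("BCPQC").build(dilKp.getPublic());

        System.out.println("primary ECDSA signature valid:         " + cert.isSignatureValid(ecVerifier));
        System.out.println("alternative Dilithium signature valid: " + cert.isAlternativeSignatureValid(dilVerifier));
        System.out.println("DER size with both signatures:         " + cert.getEncoded().length + " bytes");
    }
}
```

The point to take from the output is the operational one: a hybrid certificate is only as strong against a quantum adversary as the validators that actually check the alternative signature, so a rollout has to track which relying parties verify it, not just which CAs issue it.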

The current plan is to implement PQC PKI when the algorithms are made official by NIST, performing proofs of concept with candidate algorithms when needed until then. For interoperability, the protocols involved (X.509, CMS, and others) need to be standardized for efficient use of the new algorithms. Keyfactor participates in interoperability exercises with other vendors.

Keep in mind that if you want to use this in a high-security environment, such as a FedRAMP situation, you will also need HSM support, for which there is as yet no standardized API (PKCS#11 or REST), so proprietary mechanisms and APIs are required. Keyfactor is engaged with HSM vendors to demonstrate interoperability.

Crypto Agility

As the time to roll out new algorithms gets closer, it is wise to establish a high level of crypto agility in your organization. This is already needed for the use of classic cryptography (even if quantum computing never becomes a real threat), as the SHA-1 migration and other incidents have shown in recent years.

Effective “crypto agility” means that, to be able to act on a large scale, you need to know where you need to act. Being crypto agile involves factors such as:

  • Having an inventory of keys, certs and algorithms in use.
  • Automation and compartmentalization - to better be able to make changes and reduce side effects.
  • Shorter validity - making agility mandatory in products and solutions.

It involves so much more than changing an algorithm name - and these are all topics that Keyfactor can help you with.
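The inventory item above is the one most teams have to start with, so here is an added example (not Keyfactor's own tooling) of the kind of scan it implies: it walks every certificate in a Java keystore, records the signature algorithm, key type and size, and validity period, and flags what a migration plan needs to see. It is written generically for any JKS or PKCS#12 store rather than for one product, and by default reads the JDK's own cacerts trust store so it runs offline on any machine; the thresholds (3072-bit RSA, 256-bit EC, 398-day validity) are constructed policy values for the example, not a recommendation from the page.

```java
// Added example, not Keyfactor's own tooling. Standard JDK only, no extra libraries.
// Usage: java CertInventory [keystore-path] [password]   (defaults to the JDK cacerts)
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

public class CertInventory {

    // Constructed policy thresholds for this example; set them to your own standard.
    static final int MIN_RSA_BITS = 3072;
    static final int MIN_EC_BITS = 256;
    static final long MAX_VALIDITY_DAYS = 398;

    public static void main(String[] args) throws Exception {
        Path store = args.length > 0 ? Paths.get(args[0])
            : Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        // A null password reads the store without the integrity check, enough for an inventory.
        char[] password = args.length > 1 ? args[1].toCharArray() : null;
        for (String line : inventory(loadCerts(store, password))) {
            System.out.println(line);
        }
    }

    static List<X509Certificate> loadCerts(Path store, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(store.toFile())) {
            ks.load(in, password);
        }
        List<X509Certificate> certs = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            Certificate c = ks.getCertificate(e.nextElement());
            if (c instanceof X509Certificate) {
                certs.add((X509Certificate) c);
            }
        }
        return certs;
    }

    // One line per certificate: subject | signature algorithm | key | validity days | findings.
    static List<String> inventory(List<X509Certificate> certs) {
        List<String> out = new ArrayList<>();
        for (X509Certificate c : certs) {
            List<String> findings = new ArrayList<>();

            String sigAlg = c.getSigAlgName();
            String upper = sigAlg.toUpperCase();
            // Note: a root's self-signature is not validated during path building, but it still
            // tells you which digests the issuing tooling was configured with.
            if (upper.contains("SHA1") || upper.contains("MD5")) {
                findings.add("weak-digest");
            }

            PublicKey pk = c.getPublicKey();
            String keyDesc;
            if (pk instanceof RSAPublicKey) {
                int bits = ((RSAPublicKey) pk).getModulus().bitLength();
                keyDesc = "RSA-" + bits;
                if (bits < MIN_RSA_BITS) findings.add("rsa-below-" + MIN_RSA_BITS);
            } else if (pk instanceof ECPublicKey) {
                int bits = ((ECPublicKey) pk).getParams().getCurve().getField().getFieldSize();
                keyDesc = "EC-" + bits;
                if (bits < MIN_EC_BITS) findings.add("ec-below-" + MIN_EC_BITS);
            } else {
                // Anything else (for instance a PQC key from an extra provider) is reported by name.
                keyDesc = pk.getAlgorithm();
            }
            // Neither RSA nor EC survives a large quantum computer: every such line is migration work.
            if (pk instanceof RSAPublicKey || pk instanceof ECPublicKey) findings.add("not-pq-safe");

            long days = Duration.between(c.getNotBefore().toInstant(), c.getNotAfter().toInstant()).toDays();
            if (days > MAX_VALIDITY_DAYS) findings.add("long-validity");
            if (c.getNotAfter().toInstant().isBefore(Instant.now())) findings.add("expired");

            out.add(String.format("%s | %s | %s | %dd | %s",
                c.getSubjectX500Principal().getName(), sigAlg, keyDesc, days,
                findings.isEmpty() ? "ok" : String.join(",", findings)));
        }
        return out;
    }
}
```

The output is deliberately one line per certificate so it can be diffed between runs or loaded into whatever inventory system you already keep; the scan is only useful if it is repeated on a schedule and its findings are tied to an owner who can actually rotate the key.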

Contact us

We are happy to explore with our users the more general use of post-quantum cryptography. Candidate algorithms are being implemented bottom-up and are available for experiments and learning.

Again, it all depends on what you are trying to do, so feel free to ask, we are here to help.