Hopefully there’s no need for a post-quantum preamble to this blog. Any techies who have not been living in a cave in some outpost of the globe should already be aware of the threat that Cryptographically Relevant Quantum Computers (CRQCs) will have on the classical algorithms that permeate the tech and IT infrastructure that we rely on in the 21st century. Entrust has blogged in the past about Harvest Now, Decrypt Later, with the main takeaway being … you can’t afford to wait until CRQCs are viable.

We also recently blogged on the updates to the Commercial National Security Algorithm Suite (CNSA) 2.0. With an industry eager to start using the new algorithms, the six-year (and counting) NIST PQC competition is nearing a milestone with FIPS 203 and 204 set for publication in the summer of 2024, with FIPS 205 anticipated later in the year.

The concern for some in the industry is that these post-quantum cryptography (PQC) algorithms are shiny and new – mathematically, algorithmically, and in terms of software implementations. In particular, the lattice-based algorithms ML-KEM (FIPS 203) and ML-DSA (FIPS 204) still garner some skepticism about their long-term security.

Enter the hybrids

Hybrids are a combination of a quantum-safe algorithm, such as ML-KEM, with a battle-hardened traditional algorithm, such as RSA or ECDH, to form a “hybrid algorithm.” This means any serious threat actor needs to be armed with both a CRQC to break the classical crypto part, and a catastrophic algorithmic breakthrough or implementation bug to break the PQ part. As long as one component remains secure, the data remains secure.

One example of the adoption of the hybrid approach is Hybrid key exchange in TLS 1.3. It’s proposed to be the first standardized post-quantum cipher suite for Transport Layer Security (TLS) and builds on years of experimentation with hybrid cipher suites by Google (2016), CloudFlare’s TLS Post-Quantum Experiment (2019), and others. It will use the ML-KEM key exchange in combination with an ECDH key exchange.

Entrust has been actively involved in the Internet Engineering Task Force (IETF) working group, with Entrust’s John Gray and Mike Ounsworth (co-author of this blog post) being lead authors of a proposed standard that brings the same hybrid encryption protection to network security protocols that use certificate-based encryption, such as S/MIME email encryption: Composite ML-KEM for Use in the Internet X.509 Public Key Infrastructure and CMS. This proposed internet standard was adopted by the IETF in August 2023 and is well on its way to being published as an RFC.

What about hybrid digital certificates?

When it comes to certificates, the argument in favor of hybrids is less clear. Certificates are most used for authentication. For example, TLS uses certificates mainly for the server to prove that they are who they say they are prior to the user typing in sensitive information. To attack authentication, you need to perform the attack in real time; doing the attack years later does no good. Think of it this way … if a police officer pulls you over and asks for your ID card, you need to produce a real (or forged) card now; the police officer will become impatient if you delay for 10 years until your forging technology has improved!

There are, however, some cases where pre-emptive migration to PQ certificates – and therefore hybrids where the lattice scheme ML-DSA is used – do provide value. Think, for example, of devices with extremely long service lifetimes that are difficult to upgrade once deployed, such as:

  • Satellites in orbit
  • Sensors in cars, airplanes, and cell phone towers
  • Smart water and electricity meters in people’s homes
  • The chip in a 10-year ePassport

To push over-the-air firmware updates to these devices, the devices need an embedded cryptographic root to verify the integrity of the new firmware, which leads to the chicken-and-egg problem: What security issues are lurking if you allow field-updating the trusted cryptographic root? Typically, they are burned into ROM and can’t be changed to avoid the whole question.

Therefore, it follows that if you’re manufacturing devices that are expected to have a service lifetime beyond “Q-Day,” then you should probably be deploying them with PQ (or PQ/traditional hybrid) trusted cryptographic roots today.

With that introduction to the “sometimes urgent, sometimes not” needs for hybrid signatures, let’s dive into the world of standards surrounding them.

Entrust recognized as early as 2017 that while hybrid encryption is relatively straightforward, hybrid signatures would need a more elaborate design process. Entrust was involved in the development of one of the earliest post-quantum/traditional (PQ/T) hybrid certificate formats: Multiple Public-Key Algorithm X.509 Certificates, first published in March 2018, and the related mechanism standardized in ITU-T X.509 2019, which has since fallen out of favor for technical reasons.

Major milestone

A new major milestone in the PQ migration journey was recently reached where the IETF adopted Composite ML-DSA for use in Internet PKI, of which John Gray and Mike Ounsworth are also lead authors, into the internet standards track.

This document, the first draft of which was published in March 2019, has seen an incredible amount of community feedback, hackathons, multi-vendor collaboration, academic study, and general debate of all kinds. It failed its first call-for-adoption in June 2023, mainly due to the scope of the document being too broad. With a few more rounds of industry feedback to distill it down to the core elements, it passed its second call-for-adoption on May 1, 2024.⁠

Reassuring IETF-backed standards

At Entrust, we know that X.509 certificates and public key infrastructure is more than HTTPS certificates. We know that next to TCP/IP, X.509 certificates are one of the oldest and most fundamental technologies of the internet, providing the trust layer that underpins a vast diversity of network security protocols.

Looking to the long tail of specialized uses of X.509 as we help our customers migrate to PQ over the coming decade, we’re pleased to have IETF-backed standards for both composite encryption and PQ composite signatures in our toolbox. Learn more about our post-quantum cryptography solutions.