At Entrust, we have been evangelizing, closely tracking, and participating in the development of post-quantum cryptography (PQC) standards (e.g. in conjunction with NIST and IETF) for many years. I checked and found that my first blog post on the topic, Post-Quantum TV, was back in May 2020. Time has certainly flown; five years have passed in the blink of an eye. More on that later.
I’ve been involved in the definition and development of nShield Hardware Security Modules (HSMs) for 18+ years and would confidently assert that PQC is probably the biggest disruption the industry has faced in the ~25 years they have been around. Problematic but pretty exciting too.
To recap: because of Shor's algorithm, asymmetric algorithms such as RSA and elliptic-curve cryptography, digital signature algorithms such as DSA and ECDSA, and protocols like Diffie-Hellman key exchange will all become weak and vulnerable once quantum computers have sufficient grunt to solve the hard mathematical problems these classical algorithms and protocols are based on.
The entire IT infrastructure will need to be replumbed, replacing the classical algorithms with PQC algorithms. To lessen the burden, much of the replumbing will be handled by standard protocols such as TLS, which are well along the road to being redesigned around PQC. However, many organizations use custom implementations of classical algorithms in their business operations, and it is here that organizations need to apply some rigor in planning the migration from classical algorithms to PQC.
One significant milestone in the PQC story is the standardization of NIST’s first batch of PQC algorithms. Entrust has been busy in the background introducing support for these new algorithms into the nShield platform. In recent years we have regularly heard from customers who are on their PQC journey and taking the necessary steps to ensure they are ready for Q-Day.
The big news is that the implementation of post-quantum cryptographic algorithms in the firmware of nShield 5 HSMs is now complete, and Entrust has received Cryptographic Algorithm Validation Program (CAVP) certification. This includes support for:
- ML-DSA (Dilithium-based digital signature algorithm)
- ML-KEM (Kyber-based key encapsulation mechanism)
- SLH-DSA (Stateless hash-based digital signature algorithm)
The wait is over! Existing and new nShield 5 customers can start developing, testing, and deploying these algorithms right now. To benefit from the new PQC algorithms, customers just need to schedule a firmware upgrade. This milestone is part of Entrust’s commitment to delivering future-ready cryptographic solutions that align with evolving security requirements and NIST’s post-quantum cryptography standards.
One of the concerns about moving to PQC is that these new algorithms have different characteristics that place extra processing demands on the systems that use them. In some instances the key lengths are very long, and the algorithms can be quite sluggish compared with their lean and nimble RSA equivalents. This is where acceleration of PQC might be required.
Fortunately, the nShield 5 has the added advantage that its main security processor circuit uses a field programmable gate array (FPGA) device. The design code for this programmable chip is owned and maintained by Entrust. This means that acceleration of the PQC algorithms can be rolled out to customers via a subsequent firmware upgrade. Another good reason to choose nShield.
And don’t forget that NIST guidance already sets a deprecation date of 2030 for the classical asymmetric algorithms. As I mentioned at the start of this blog post, five years have gone by in the blink of an eye. 2030 is just one blink away. It’s time to get your quantum-ready nShield HSMs tested and rolled out into your production environment.
Explore our post-quantum cryptography solutions and safeguard your data with confidence.