Provide NIST Approved Post-Quantum Algorithms In Future-Ready HSMs

The arrival of quantum computing poses a well-documented threat to public key cryptography, challenging the security protocols that safeguard our digital world. As the potential for quantum computers looms closer, the need to transition to post-quantum cryptography (PQC) becomes imperative. Before we dive into recent updates, you can review our insights into quantum computing in 2025, preparing for post-quantum cryptography, and the global approach to PQC migration.

As threats and vulnerabilities increase, action must be taken now to protect organizations from fraud and security breaches. Enter post-quantum computing algorithms. The new algorithms, approved by the National Institute of Standards and Technology (NIST), are designed with unprecedented, mathematical complexity and code structures. They’re so complex government standards bodies, academia, and industry don’t think they can be broken by current or future classical or quantum computers. That’s good news! The bad news, however, is that they increase key sizes as well as implementation complexity. They also require an entire ecosystem to rally around them, ensuring ubiquitous support by certificate authorities, public key infrastructure (PKI) software, end-user applications, browsers, APIs, and hardware security modules (HSMs) – the secure environments where the keys are used.

Entrust began its commercial PQ journey in 2022, with the release of our Post-Quantum Option Pack. It made the NIST candidate algorithms (Dilithium, Kyber, SPHINCS+, and Falcon) available to deploy within the nShield CodeSafe secure execution environment. Inside the protected boundaries of the nShield HSM, customers could safely begin “kicking the tires” of PQ algorithms – determining the readiness of the surrounding ecosystem of their IT environment and those of communicating customers and suppliers. Also, they could begin to assess the performance impact of PQ’s larger keys and compute requirements on networks, connected devices, and transactions. Since then, Entrust has added a fully PQ-ready PKIaaS and PKI Hub offerings, as well as keeping the Post-Quantum Option Pack for the nShield HSM line up to date for advances in the state of the PQC algorithms.

Also in 2022, with the introduction of nShield 5, Entrust took a major leap ahead in crypto-agility by integrating a cryptographic accelerator in the form of a field upgradable chipset (FPGA), to provide hardware-based acceleration to PQ algorithms. Customers that invest in the nShield 5 HSM family will not only get access to NIST-approved PQ algorithms, as we roll them out to all of our HSM offerings, but also a means to accelerate them, minimizing the performance impact they may present to the HSM transactions that use them.

This month, Entrust continued its drive toward PQ-ready solutions for customers who have begun the migration to NIST-approved PQ algorithms. ML-DSA (FIPS 204) is now available in firmware for the nShield XC, the nShield 5, and nShield as a Service (nSaaS). ML-DSA provides quantum-safe digital signatures, the most immediate industry need, covering private key generation and signing for certificates, software and firmware, documents, etc.

With our nShield as a Service support for ML-DSA, customers can experiment with post-quantum cryptography APIs through a subscription to dedicated HSMs – building a cost-effective solution without committing to long-term capital expenditure, while ensuring that the PQC lab remains separate from existing test and production environments.

The rollout of firmware-based PQ algorithms for nShield HSMs will continue throughout 2025, along with support for additional APIs and, of course, benefit from the crypto accelerator in the nShield 5. The nShield HSM family continues to grow seamlessly alongside our customers’ application needs. Learn more about our adaptable, scalable, quantum-ready HSMs to help your organization prepare for post-quantum cryptography today.