TryTRY
BuyBUY
  • newsletter
  • contact
  • corporate
  • careers
Utimaco
TRYour free HSM simulator
BUYget a quote
  • home
  • solutions
  • products
  • services
  • blog
  • downloads
  • partners
  • company

Next event

24/Mar - 25/Mar | Webinar

The Path for Cloudifying Payment HSMs

Utimaco Portal

Here you will find everything you need as a partner and customerLogin required

  • home
  • solutions
    • industries
      • banking and financial services
        • acquirer
        • card scheme
        • issuer
        • hsm-as-a-service
      • government
        • federal government
      • cloud
        • cloud-based innovation
        • multi-cloud agility
      • connected car (V2V)
      • automotive solutions
      • road infrastructure (V2I), toll collection & ITS
      • industrial IoT & manufacturing
      • energy & utilities
      • lottery & gaming
      • media & entertainment
      • telecommunications
    • applications
      • authentication
      • blockchain
      • code signing
      • database encryption
      • document signing
      • key injection
      • post-quantum crypto agility
      • public key infrastructure (PKI)
        • EJBCA
      • random number generator (RNG)
    • compliance
      • certifications & approvals
        • Common Criteria (CC)
        • FIPS 140-2
      • compliance & standardization
        • FISMA, FedRAMP, and FICAM
        • Certificate Policy of the Smart Metering PKI
        • eIDAS
        • GDPR
        • PCI DSS
        • Privacy Shield
  • products
    • general purpose HSM
      • SecurityServer Se Gen2
      • SecurityServer CSe
      • Block-safe
      • CryptoServer CP5 (eIDAS & CC)
      • CryptoServer Cloud
      • TimestampServer
      • Q-safe
    • payment HSM
      • Atalla AT1000
      • PaymentServer Se Gen2
      • PaymentServer CSe
      • Secure Configuration Assistance (SCA)
      • QuickStart Services
      • u.cloud – Atalla PaymentHSMaaS
      • u.trust 360
    • key management
      • Enterprise Key Management
    • Software Development Kit (SDK)
      • CryptoServer SDK
      • CryptoScript SDK
    • HSM simulators
      • Block-safe HSM simulator
      • CryptoServer CP5 simulator (eIDAS & CC)
      • SecurityServer simulator
      • Q-safe HSM simulator
    • form factor
      • LAN appliance
      • PCIe card
      • cloud, “HSM as a Service”
    • KeyBRIDGE
      • KeyBRIDGE POI
      • KeyBRIDGE RKD
      • KeyBRIDGE eKMS
      • TokenBRIDGE™
    • u.trust Anchor
      • u.trust Anchor CSAR
      • u.trust Anchor High Performance HSM
  • services
    • consultancy
      • PQC consultancy
    • support
    • managed services
      • Key Exchange & Escrow Service (KEES™)
    • professional services
    • Utimaco Academy
  • blog
  • downloads
    • brochures
    • data sheets
    • case studies
    • white papers
    • webinars
    • e-books
      • PQC for Dummies e-book
      • HSM for Dummies e-book
    • Utimaco Portal
      • integration guides
      • knowledge base
  • partners
    • Partner Program
      • technology partner
    • Partner Locator
  • company
    • about Utimaco
      • legal
      • terms & conditions
      • privacy
        • cookie-policy
    • locations
    • news
      • newsletter
    • events
    • contact
    • careers
    • investors
    • utimaco management
    • business ethics
    • memberships and certifications
    • engagement in research
  • home
  • solutions
    • industries
      • banking and financial services
        • acquirer
        • card scheme
        • issuer
        • hsm-as-a-service
      • government
        • federal government
      • cloud
        • cloud-based innovation
        • multi-cloud agility
      • connected car (V2V)
      • automotive solutions
      • road infrastructure (V2I), toll collection & ITS
      • industrial IoT & manufacturing
      • energy & utilities
      • lottery & gaming
      • media & entertainment
      • telecommunications
    • applications
      • authentication
      • blockchain
      • code signing
      • database encryption
      • document signing
      • key injection
      • post-quantum crypto agility
      • public key infrastructure (PKI)
        • EJBCA
      • random number generator (RNG)
    • compliance
      • certifications & approvals
        • Common Criteria (CC)
        • FIPS 140-2
      • compliance & standardization
        • FISMA, FedRAMP, and FICAM
        • Certificate Policy of the Smart Metering PKI
        • eIDAS
        • GDPR
        • PCI DSS
        • Privacy Shield
  • products
    • general purpose HSM
      • SecurityServer Se Gen2
      • SecurityServer CSe
      • Block-safe
      • CryptoServer CP5 (eIDAS & CC)
      • CryptoServer Cloud
      • TimestampServer
      • Q-safe
    • payment HSM
      • Atalla AT1000
      • PaymentServer Se Gen2
      • PaymentServer CSe
      • Secure Configuration Assistance (SCA)
      • QuickStart Services
      • u.cloud – Atalla PaymentHSMaaS
      • u.trust 360
    • key management
      • Enterprise Key Management
    • Software Development Kit (SDK)
      • CryptoServer SDK
      • CryptoScript SDK
    • HSM simulators
      • Block-safe HSM simulator
      • CryptoServer CP5 simulator (eIDAS & CC)
      • SecurityServer simulator
      • Q-safe HSM simulator
    • form factor
      • LAN appliance
      • PCIe card
      • cloud, “HSM as a Service”
    • KeyBRIDGE
      • KeyBRIDGE POI
      • KeyBRIDGE RKD
      • KeyBRIDGE eKMS
      • TokenBRIDGE™
    • u.trust Anchor
      • u.trust Anchor CSAR
      • u.trust Anchor High Performance HSM
  • services
    • consultancy
      • PQC consultancy
    • support
    • managed services
      • Key Exchange & Escrow Service (KEES™)
    • professional services
    • Utimaco Academy
  • blog
  • downloads
    • brochures
    • data sheets
    • case studies
    • white papers
    • webinars
    • e-books
      • PQC for Dummies e-book
      • HSM for Dummies e-book
    • Utimaco Portal
      • integration guides
      • knowledge base
  • partners
    • Partner Program
      • technology partner
    • Partner Locator
  • company
    • about Utimaco
      • legal
      • terms & conditions
      • privacy
        • cookie-policy
    • locations
    • news
      • newsletter
    • events
    • contact
    • careers
    • investors
    • utimaco management
    • business ethics
    • memberships and certifications
    • engagement in research

Home / Blogs / NIST’s Hybrid Mode Approach to Post-Quantum Computing – why crypto agility is crucial

NIST’s Hybrid Mode Approach to Post-Quantum Computing – why crypto agility is crucial

November 09, 2020

With the advent of information security, the importance of cryptography has acquired considerable prominence due to the requirement of security mechanisms such as confidentiality, integrity, authenticity, and non-repudiation in modern data communications.

Quantum computing has now emerged as a nightmare for the presently used cryptographic algorithms which include symmetric, asymmetric and hash functions. The resolution of hard mathematics problems seems to be achieved by the recent research on quantum platforms which was impossible with the traditional computing platforms. NIST had started the quantum-safe or quantum-resilient algorithm standardization process a few years ago and there has been prominent development on that subject but the proper finalization and incorporation in the application will definitely take time. This article informs the reader about the consequences of quantum computing and the hybrid approach introduced by NIST.

New call-to-action

Need for Post-Quantum Cryptography

The currently being used advanced cryptographic mechanisms (symmetric, asymmetric and hash algorithms) are an effort of around two decades. The whole public key infrastructure which is eventually based on asymmetric cryptography is being used as the backbone of TLS/SSL based e-commerce is also based on this effort. The concept of quantum computing was first introduced in the 1980s but the latest research in quantum computing mandates extraordinary processing power to quantum computers which will be able to solve the tradition unsolved complex mathematics problems such as finding discrete logarithms and factoring of large integers. The formalization of a quantum computer affects the symmetric and hash cryptographic algorithms to such an extent that the cryptographic strength of the algorithms will be reduced to half. Symmetric and hash algorithms are available in various key sizes, so the immediate and effective solution for this scenario is to use higher/stronger key lengths. But the case is totally different with asymmetric algorithms because asymmetric algorithms are based on hard/complex math problems which will be solved by quantum computers.

Post-Quantum Cryptography Standardization

Post-Quantum Cryptography (PQC) standardization deals with the development/finalization of post-quantum algorithms which will be deployed on the currently used classical computing platforms and would definitely resistant to attacks by quantum computers. NIST had issued a general public notice for the standardization of post-quantum algorithms in the following domains:

  • Encryption Algorithms
  • Digital signature schemes
  • Key establishment schemes

69 candidates registered for standardization in Round 1 of the NIST PQC standardization process. In Round 2, many candidates were eliminated and just 26 candidates were published. Currently, no algorithms have been finalized/standardized as “quantum-resistant” or “quantum-safe” and the finalization process will take time because there are various critical factors for a final decision such as:

  • Speed/Efficiency
  • Security testing and Cryptanalysis
  • Interoperability & Usability with existing protocols/standards.

Every post-quantum candidate has some advantages and disadvantages. There has not been adequate research carried on some quantum algorithms which ensures confidence on the respective schemes. There exists a chance that more than one algorithm will be standardized but the whole process will take time for finalization.

New call-to-actionThe Hybrid Approach

The hybrid mode/approach can be stated as the evolution toward PQC which provisions the use of classic standardized cryptographic algorithm combined with a post-quantum algorithm.

This secures compliance to specific standards and regulations depending on the area of deployment (e.g. PCI DSS in the context of banking and card based transactions).

It also includes redundantly those algorithms which are – to our best knowledge as of today PQC-safe.

But: We cannot deploy them alone, as they are not standardized by the relevant regulatory boards. And in addition, they are just candidates – with a high likelihood to be PQC-safe, but with no certainty. We simply miss the proof of concept – of course it is missing, as post-quantum computers are not there yet.

Hence this hybrid mode directly mandates the road towards crypto agility.

In the “Report on Post-Quantum Cryptography” , NIST points out right in the beginning that it “recognizes the challenge of moving to new cryptographic infrastructures and therefore emphasizes the need for agencies to focus on crypto agility.”

Crypto-Agilty as the Backbone to the Hybrid Approach

In basic terms, agility is defined as the property of a system by which it can adapt swiftly to new approaches. Similarly, the crypto-agility refers to the characteristic of an information security system to swiftly switch over to alternative cryptographic algorithms and primitives. Crypto-agility not only encourages system development and evolution but also acts as a safety measure or incident response mechanism. It is highly recommended by NIST to shift to crypto-agile architectures and follow the design strategies/principles which encourage/support crypto-agility by incorporating the latest and most secure cryptographic algorithms and key lengths. For example, the systems with symmetric and hash algorithms which can easily shift to higher key lengths are crypto-agile. Newer systems should be developed with such an approach that they can be easily shifted to newer algorithms and crypto primitives with least effort and time. As soon as the post-quantum algorithms are standardized and published, organizations will start incorporating them in their products so that user can switch over to the secure ones in case of algorithm break/compromise ensuring/achieving crypto-agility.

New call-to-action

References and Further Reading

  • Read more on Post-Quantum Cryptography (2018 – today), by Terry Anton, Utimaco and more, with guest contributions by the Institute of Quantum Computing, Samsung, Entrust Datacard and many independent security experts
  • Read more on Crypto Agility (2018 – today), by Asim Mehmood, Terry Anton, Utimaco and more
  • NISTIR 8105 Report on Post-Quantum Cryptography (2016), by Lily Chen, Stephen Jordan, Yi-Kai Liu, Dustin Moody, Rene Peralta, Ray Perlner, Daniel Smith-Tone, the Computer Security Division, the Applied and Computational Mathematics Division, the Information Technology Laboratory at the National Institute of Standards and Technology
Back to overview

Stay on top of our news
Don’t miss out on any Utimaco updates

Subscribe to Utimaco Newsletter

We will keep you posted with news from Utimaco and the industries we protect, as well as information on upcoming events and webinars.

Subscribe now

Partners

Baas Control s.r.o. Nexus - Utimaco Hardware Security Modules Partner Secure Source Distribution (M) Sdn Bhd - Utimaco Hardware Security Modules Partner Utimaco HSM - InfoGuard Swiss Cyber Security VAR Group SpA - Utimaco Hardware Security Modules Partner MIcrosec Compumatica secure networks GmbH cv cryptovision GmbH Ascertia - Utimaco Hardware Security Modules Partner Fortiedge Pte Ltd. Real security d.o.o. EUROPEAN DYNAMICS SA. Compumatica secure networks B.V. Safesoft Kft. Versasec Microexpert Limited Primekey Solutions AB Utimaco HSM - QuintessenceLabs Abrantix AG Cryptomathic Inc. Cogito Group Pty Ltd PKI Solutions Inc. MTG - Utimaco Hardware Security Modules Partner Cryptomathic A/S CertiSur S.A. Clearkey Consulting - Utimaco Hardware Security Modules Partner CEGA Security Encryption Consulting LLC MALKOM D.Malińska i Wspólnicy s.j. Cryptomathic GmbH CREAplus Italia S.r.l IQuantics Corp AKEA S.A. - Utimaco Hardware Security Modules Partner ESYSCO Sp. z o.o. E-Sign S.A. PrimeKey Labs GmbH Rohde & Schwarz Cybersecurity GmbH Softline Solutions GmbH Macroseguridad Astel (UK) Ltd. - Utimaco Hardware Security Modules Partner Cyber Armor Pte Ltd Utimaco HSM - PTESA_profesionales en transacciones electronicas Nexus Technology GmbH CewTec S.A. Nexus - Utimaco Hardware Security Modules Partner intarsys AG CREA plus d.o.o. Altacom UAB Synergy Computers (Pvt.) Ltd. - Utimaco Hardware Security Modules Partner Skytech Computing Solutions Limited. - Utimaco Hardware Security Modules Partner SecureMetric Technology Sdn. Bhd. JJNet International Co., Limited - Utimaco Hardware Security Modules Partner PETA (Thailand) Co., Ltd. Fornetix - Utimaco Hardware Security Modules Partner Perceptus-sp.-z-o.-o. Envoy Data Corporation - Utimaco Hardware Security Modules Partner Komar Consulting Inc. - Utimaco Hardware Security Modules Partner Throughwave (Thailand) Co.,Ltd - Utimaco Hardware Security Modules Partner Telegrupp AS Thomas-Krenn.AG
Find a partner

Share this page

EMEA

Utimaco IS GmbH
Germanusstraße 4
52080 Aachen
Germany
Phone: + 49 241 1696 200

Americas

Utimaco Inc.
900 E Hamilton Ave., Suite 400
Campbell, CA 95008
USA
Phone: +1 844 UTIMACO

APAC

Utimaco IS Pte Limited
80 Raffles Place,
#32-01, UOB Plaza
Singapore 048624
Phone: +65 6622 5347

Utimaco

  • support
  • corporate
  • careers
  • legal
  • terms & conditions
  • privacy
  • cookie-policy
© 2021
to top
  • home
  • solutions
    • industries
      • banking and financial services
        • acquirer
        • card scheme
        • issuer
        • hsm-as-a-service
      • government
        • federal government
      • cloud
        • cloud-based innovation
        • multi-cloud agility
      • connected car (V2V)
      • automotive solutions
      • road infrastructure (V2I), toll collection & ITS
      • industrial IoT & manufacturing
      • energy & utilities
      • lottery & gaming
      • media & entertainment
      • telecommunications
    • applications
      • authentication
      • blockchain
      • code signing
      • database encryption
      • document signing
      • key injection
      • post-quantum crypto agility
      • public key infrastructure (PKI)
        • EJBCA
      • random number generator (RNG)
    • compliance
      • certifications & approvals
        • Common Criteria (CC)
        • FIPS 140-2
      • compliance & standardization
        • FISMA, FedRAMP, and FICAM
        • Certificate Policy of the Smart Metering PKI
        • eIDAS
        • GDPR
        • PCI DSS
        • Privacy Shield
  • products
    • general purpose HSM
      • SecurityServer Se Gen2
      • SecurityServer CSe
      • Block-safe
      • CryptoServer CP5 (eIDAS & CC)
      • CryptoServer Cloud
      • TimestampServer
      • Q-safe
    • payment HSM
      • Atalla AT1000
      • PaymentServer Se Gen2
      • PaymentServer CSe
      • Secure Configuration Assistance (SCA)
      • QuickStart Services
      • u.cloud – Atalla PaymentHSMaaS
      • u.trust 360
    • key management
      • Enterprise Key Management
    • Software Development Kit (SDK)
      • CryptoServer SDK
      • CryptoScript SDK
    • HSM simulators
      • Block-safe HSM simulator
      • CryptoServer CP5 simulator (eIDAS & CC)
      • SecurityServer simulator
      • Q-safe HSM simulator
    • form factor
      • LAN appliance
      • PCIe card
      • cloud, “HSM as a Service”
    • KeyBRIDGE
      • KeyBRIDGE POI
      • KeyBRIDGE RKD
      • KeyBRIDGE eKMS
      • TokenBRIDGE™
    • u.trust Anchor
      • u.trust Anchor CSAR
      • u.trust Anchor High Performance HSM
  • services
    • consultancy
      • PQC consultancy
    • support
    • managed services
      • Key Exchange & Escrow Service (KEES™)
    • professional services
    • Utimaco Academy
  • blog
  • downloads
    • brochures
    • data sheets
    • case studies
    • white papers
    • webinars
    • e-books
      • PQC for Dummies e-book
      • HSM for Dummies e-book
    • Utimaco Portal
      • integration guides
      • knowledge base
  • partners
    • Partner Program
      • technology partner
    • Partner Locator
  • company
    • about Utimaco
      • legal
      • terms & conditions
      • privacy
        • cookie-policy
    • locations
    • news
      • newsletter
    • events
    • contact
    • careers
    • investors
    • utimaco management
    • business ethics
    • memberships and certifications
    • engagement in research