What is Post-Quantum Cryptography?
Post-Quantum Cryptography (PQC) refers to cryptographic algorithms designed to be secure against attacks by quantum computers. Traditional algorithms like RSA and ECDSA rely on mathematical problems (integer factorization, discrete logarithm) that quantum computers could efficiently solve using Shor’s algorithm. PQC algorithms are based on different mathematical foundations, such as lattice problems, that are believed to resist both classical and quantum attacks.
Supported PQC Algorithms
Infisical supports the following NIST-standardized post-quantum signature algorithms for certificate authorities and certificate issuance:
ML-DSA (Module-Lattice Digital Signature Algorithm)
ML-DSA (formerly known as CRYSTALS-Dilithium) is a lattice-based digital signature scheme standardized in FIPS 204. It offers a strong balance of security, performance, and key/signature size.
ML-DSA is the recommended PQC algorithm for most use cases due to its efficient key generation, signing, and verification performance.
Using PQC Algorithms
Creating a PQC Certificate Authority
You can create a Certificate Authority with a PQC key algorithm through the Infisical UI or API.
- Infisical UI
- API
When creating a new Internal CA, select one of the ML-DSA variants from the Key Algorithm dropdown:
- ML-DSA-44 for NIST Level 2 security
- ML-DSA-65 for NIST Level 3 security
- ML-DSA-87 for NIST Level 5 security
Key Differences from Classical Algorithms
When using PQC algorithms, keep the following constraints in mind:
- Signature-only: The supported PQC algorithms are digital signature algorithms. Key usages like keyEncipherment, keyAgreement, and dataEncipherment are not valid for PQC certificates. Requesting these usages will return an error.
- Larger keys and signatures: PQC keys and signatures are significantly larger than RSA/ECDSA equivalents. Plan for increased certificate sizes in bandwidth-constrained environments.
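The two constraints above can be checked before a certificate is requested. The following is an added example, not Infisical code: the function and table names are assumptions, the ML-DSA sizes are the FIPS 204 parameter sizes, and the classical baselines count raw key and signature bytes without DER overhead.

```python
# Added example; function and table names are illustrative, not Infisical identifiers.

# ML-DSA public key and signature sizes in bytes, from FIPS 204.
ML_DSA_SIZES = {
    "ML-DSA-44": (1312, 2420),
    "ML-DSA-65": (1952, 3309),
    "ML-DSA-87": (2592, 4627),
}

# Classical baselines (raw key material, DER overhead ignored).
CLASSICAL_SIZES = {
    "RSA-2048": (256, 256),    # modulus, signature
    "ECDSA-P256": (65, 64),    # uncompressed point, raw r||s
}

SIZES = {**ML_DSA_SIZES, **CLASSICAL_SIZES}

# Usages the page lists as invalid for PQC certificates.
NON_SIGNATURE_USAGES = {"keyEncipherment", "keyAgreement", "dataEncipherment"}


def invalid_usages(algorithm, key_usages):
    """Return requested usages that a signature-only ML-DSA key cannot carry."""
    if algorithm not in SIZES:
        raise ValueError(f"unknown key algorithm: {algorithm}")
    if algorithm not in ML_DSA_SIZES:
        return []
    return sorted(set(key_usages) & NON_SIGNATURE_USAGES)


def chain_crypto_bytes(key_algorithms):
    """Public-key plus signature bytes for a chain listed leaf first.

    Each certificate carries its own public key and a signature made by the
    next certificate's key; the last one is assumed to be self-signed.
    """
    total = 0
    for i, alg in enumerate(key_algorithms):
        issuer = key_algorithms[min(i + 1, len(key_algorithms) - 1)]
        total += SIZES[alg][0] + SIZES[issuer][1]
    return total


if __name__ == "__main__":
    print(invalid_usages("ML-DSA-65", ["digitalSignature", "keyEncipherment"]))
    for alg in ("ECDSA-P256", "RSA-2048", "ML-DSA-44", "ML-DSA-65", "ML-DSA-87"):
        print(alg, chain_crypto_bytes([alg, alg]), "bytes in a two-certificate chain")
```

The byte totals are a lower bound on certificate growth, since names, extensions and encoding add to every certificate regardless of algorithm.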