PQC Algorithm Support in Hardware Security Modules: Securing a Competitive Advantage
By Michela Menting |
04 Nov 2025 |
IN-7965
New HSM Announcements |
NEWS |
The last month saw a couple of new announcements in the Hardware Security Module (HSM) space. Utimaco launched its next-generation u.trust General Purpose HSM CSe-Series: a high-performance machine with capabilities of up to 5,000 RSA 2K signatures/sec and 25,000 Elliptic Curve Cryptography (ECC) signatures per second. It is also multi-tenant, with the ability to scale up to 31 fully isolated containerized HSMs.
IDEMIA Secure Transactions also entered the fray with the IDEMIA Sphere HSM. New in the HSM market, the Sphere is built upon a matrix of secure elements, the same technology that sits at the heart of IDEMIA’s smart card business. IDEMIA developed the HSM in-house and has leveraged it internally. Now it is delivering it as a commercial product for general-purpose use cases.
Both the Utimaco u.trust General Purpose HSM CSe-Series and the IDEMIA Sphere HSM support Post-Quantum Cryptography (PQC), which is a key requirement for any new HSM coming onto the market today.
Race to Certify with FIPS 140-3 |
IMPACT |
With the announcement in August 2024 of the new NIST PQC standards (ML-DSA, ML-KEM, SLH-DSA), the race has begun to obtain certification for these algorithms under the National Institute of Standards and Technology’s (NIST) new Federal Information Processing Standards (FIPS) 140-3 standard. This process is a lengthy one. Obtaining certification for the algorithms under the Cryptographic Algorithm Validation Program (CAVP) takes time; obtaining it for HSMs under the Cryptographic Module Validation Program (CMVP) takes even longer. Both IDEMIA and Utimaco have obtained CAVP status for their PQC algorithms, but they are not alone. Other HSM vendors have already passed that milestone and more are quickly joining.

CAVP + CMVP + Module Readiness = The Winning Combination |
RECOMMENDATIONS |
The next milestone for HSM vendors is to also obtain FIPS 140-3 CMVP for their latest HSMs. Some, such as Entrust (nShield 5s HSM), Marvell (LS2 HSM), Thales (Luna G7 and K7 Cryptographic Modules), and Utimaco (Atalla Cryptographic Subsystem), already have it. But none yet have FIPS 140-3 Level 3 (CMVP certified) with PQC (CAVP-certified) support together. Their HSMs are either at the Module in Process (MIP) or Implementation Under Test (IUT) phase with NIST. The first vendor to have that certification for both the module and the PQC algorithms together will have first-mover advantage.
Regardless of who is first to market, all vendors should be engaging in the FIPS 140-3 process and providing support for these algorithms: test environments for clients, hardware acceleration capabilities in the appliance itself, and, importantly, readiness of their own cryptographic architecture, i.e., using PQC (and hybrid mechanisms) for root of trust, boot process, firmware updates, HSM-to-HSM communications, attestation, and authentication. This latter part will take more time and is likely to emerge with the next generation of HSMs, but it will be required nonetheless in order to stay relevant in the HSM space in the longer term.
Written by Michela Menting