1 Introduction

1.1 About Platform Security Architecture

This document is one of a set of resources provided by Arm that can help organizations develop products that meet the security requirements of PSA Certified on Arm-based platforms. The PSA Certified scheme provides a framework and methodology that helps silicon manufacturers, system software providers and OEMs to develop more secure products. Arm resources that support PSA Certified include threat models, standard architectures that simplify development and increase portability, and open-source partnerships that provide ready-to-use software. You can read more about PSA Certified at www.psacertified.org and find more Arm resources at developer.arm.com/platform-security-resources.

1.2 About the Crypto API PQC Extension

This document defines an extension to the PSA Certified Crypto API [PSA-CRYPT] specification that provides support for Post-Quantum Cryptography (PQC) algorithms, specifically the NIST-approved schemes LMS, HSS, XMSS, XMSSMT, ML-DSA, SLH-DSA, and ML-KEM.

When the proposed extension is sufficiently stable to be classed as Final, it will be integrated into a future version of [PSA-CRYPT].

This specification must be read and implemented in conjunction with [PSA-CRYPT]. All of the conventions, design considerations, and implementation considerations that are described in [PSA-CRYPT] apply to this specification.

1.3 Objectives for the PQC Extension

1.3.1 Background

The justification for developing new public-key cryptography algorithms in response to the risks posed by quantum computing is described by NIST in Post-Quantum Cryptography [NIST-PQC].

Extract from Post-Quantum Cryptography:

In recent years, there has been a substantial amount of research on quantum computers — machines that exploit quantum mechanical phenomena to solve mathematical problems that are difficult or intractable for conventional computers. If large-scale quantum computers are ever built, they will be able to break many of the public-key cryptosystems currently in use. This would seriously compromise the confidentiality and integrity of digital communications on the Internet and elsewhere. The goal of post-quantum cryptography (also called quantum-resistant cryptography) is to develop cryptographic systems that are secure against both quantum and classical computers, and can interoperate with existing communications protocols and networks.

The question of when a large-scale quantum computer will be built is a complicated one. While in the past it was less clear that large quantum computers are a physical possibility, many scientists now believe it to be merely a significant engineering challenge. Some engineers even predict that within the next twenty or so years sufficiently large quantum computers will be built to break essentially all public key schemes currently in use. Historically, it has taken almost two decades to deploy our modern public key cryptography infrastructure. Therefore, regardless of whether we can estimate the exact time of the arrival of the quantum computing era, we must begin now to prepare our information security systems to be able to resist quantum computing.

NIST is hosting a project to collaboratively develop, analyze, refine, and select cryptographic schemes that are resistant to attack by both classical and quantum computing.

1.3.2 Selection of algorithms

NIST PQC project finalists

PQC algorithms that have been standardized are obvious candidates for inclusion in the Crypto API. The current set of standards is the following:

  • FIPS Publication 203: Module-Lattice-Based Key-Encapsulation Mechanism Standard [FIPS203]

  • FIPS Publication 204: Module-Lattice-Based Digital Signature Standard [FIPS204]

  • FIPS Publication 205: Stateless Hash-Based Digital Signature Standard [FIPS205]

Although the NIST standards for these algorithms are now finalized, the definition of keys in the Crypto API depends on import and export formats. To maximize key exchange interoperability with other specifications, the default export format in the Crypto API should be aligned with the definitions selected for X.509 public-key infrastructure. As the IETF process for defining the X.509 key formats is still ongoing at the time of publishing this document, the interfaces within this document are at BETA status.

However, it is not expected that other aspects of the API in this document will change when it becomes FINAL.

Note

Although PQC algorithms that are draft standards could be considered, any definitions for these algorithms would have to be considered experimental. Significant aspects of the algorithm, such as approved parameter sets, can change before publication of a final standard, potentially requiring a revision of any proposed interface for the Crypto API.

Other NIST-approved schemes

In NIST Special Publication 800-208: Recommendation for Stateful Hash-Based Signature Schemes [SP800-208], NIST approved use of the following stateful hash-based signature (HBS) schemes:

  • The Leighton-Micali Signature (LMS) system, and its multi-tree variant, the Hierarchical Signature System (HSS/LMS). These are defined in Leighton-Micali Hash-Based Signatures [RFC8554].

  • The eXtended Merkle Signature Scheme (XMSS), and its multi-tree variant XMSSMT. These are defined in XMSS: eXtended Merkle Signature Scheme [RFC8391].

HBS schemes have additional challenges with regard to deploying secure and resilient systems for signing operations. These challenges, outlined in [SP800-208] §1.2 and §8.1, result in a recommendation to use these schemes only in a limited set of use cases, for example, authentication of firmware in constrained devices.

At present, it is not expected that the Crypto API will be used to create HBS private keys, or to carry out signing operations. However, there is a use case with the Crypto API for verification of HBS signatures. Therefore, for these HBS schemes, the Crypto API only provides support for public keys and signature verification algorithms.