Project Overview

The goal of this project is to showcase the integration of PQC algorithms, specifically EdDilithium2 for digital signatures and hybrid KEMs (X25519+MLKEM768) for TLS key exchange, into a functional PKI and certificate management ecosystem.

Key Features

  • Hybrid Cryptography: Utilizes both classical (ECDSA P-256) and PQC (EdDilithium2) algorithms to provide security against both classical and quantum threats.
  • ACME v2 Compliance: The acme-server implements the ACME protocol (RFC 8555) for automated certificate issuance and renewal.
  • PQC Signatures:
    • The ca-service issues certificates signed with EdDilithium2, a post-quantum digital signature algorithm that is resistant to attacks by quantum computers.
    • The acme-server supports account key binding and request signing using EdDilithium2 JWS, extending the JSON Web Signature standard to support post-quantum algorithms.
    • The signing-service provides hybrid ECDSA+PQC signatures, combining the established security of ECDSA with the quantum resistance of EdDilithium2.
  • PQ Hybrid KEM: TLS endpoints (ACME, CA, Signing Service) prefer X25519+MLKEM768 hybrid key exchange, combining the classical X25519 with the post-quantum ML-KEM (formerly Kyber) for key establishment that is secure against both classical and quantum attacks.
  • Certificate Revocation: Implements CRL distribution and OCSP checking. Client certificate verification includes CRL checks so that revoked certificates are rejected.
  • Transparency Log: Records issued certificates for auditability (transparency-log-service), similar to Certificate Transparency logs used in the web PKI ecosystem.
  • Modular Architecture: Services are designed as independent microservices that can be deployed, scaled, and maintained separately.
  • Supply Chain Security: The CI pipeline generates SBOMs (Software Bills of Materials) and SLSA (Supply-chain Levels for Software Artifacts) provenance attestations to enhance the security and transparency of the software supply chain.

Use Cases

The Quantum-Safe PKI project is designed to address several key use cases:

  • Software Signing: Secure software releases with quantum-resistant signatures to ensure long-term verification of software authenticity.
  • Certificate Management: Automate the issuance and renewal of certificates using the ACME protocol with post-quantum cryptography.
  • Device Identity: Provision IoT and other devices with quantum-resistant certificates for secure authentication.
  • Secure Communication: Establish secure communication channels using hybrid key exchange methods that are resistant to both classical and quantum attacks.
  • Audit and Compliance: Maintain a transparent, immutable log of all issued certificates for audit and compliance purposes.

Project Status

The Quantum-Safe PKI project is a demonstration of how post-quantum cryptography can be integrated into existing PKI systems. It is designed to be a reference implementation that showcases the feasibility and practicality of adopting post-quantum cryptography in real-world applications.

While the project implements the core functionality of a working PKI, it should be considered a starting point for organizations looking to explore post-quantum cryptography rather than a production-ready system. The cryptographic algorithms used (EdDilithium2 and ML-KEM) are based on NIST's post-quantum cryptography standardization process, but standards and implementations may evolve.

Next Steps

Now that you have an overview of the Quantum-Safe PKI project, you might want to explore:

  • Architecture: Understand the system architecture and component interactions.
  • Prerequisites: Learn what you need to set up before building the services.
  • CA Service: Dive into the core Certificate Authority service.