Future-Proofing with Post-Quantum Cryptography
The Impact of Quantum Computing
The advent of quantum computing threatens to compromise the security of classical cryptography such as the RSA and Diffie-Helman algorithms and Elliptic Curve Cryptography (ECC). Data sent encrypted today could be harvested and decrypted once cryptographically relevant quantum computers are available.
To protect long-term digital identities and secure communications, organizations must prepare their public key infrastructure for the transition to post-quantum cryptography (PQC); NISt and BSI recommend for the migration to be completed by 2030 to 2035, for encryption and authentication respectively.
MTG CLM provides a PQC-ready architecture built on the principle of crypto-agility, ensuring the platform can adopt new NIST-standardized cryptographic algorithms without requiring a fundamental redesign of the underlying infrastructure.
PQC Algorithm Support
As post-quantum standards are getting finalized, MTG CLM continuously integrates these methods into its core engine. Currently, the system natively supports the following post-quantum digital signature algorithms, standardized by NIST:
-
ML-DSA, FIPS 204 (formerly Dilithium)
-
SLH-DSA, FIPS 205 (formerly SPHINCS+)
By integrating these algorithms, organizations can begin testing and issuing quantum-resistant certificates in preparation for their endpoints to be fully uptodate and receiving them.
In the course of the next months, additional PQ algorithms such as XMSS, LMS, ML-KEM and potential future standards will be integrated for support for the entire certificate chain. Among the planned extensions there is also support for hybrid algorithms and certificates, as described next.
Bridging the Gap with Hybrid Certificates
Hybrid cryptography combines the established compatibility of classical algorithms with the added security of PQ algorithms within the same deployment. MTG CLM and the underlying MTG CARA engine are being prepared to support Composite ML-DSA certificates. This approach concatenates a PQ signature (ML-DSA) with a classical signature (such as ECDSA or RSA).
This dual-validation ignature allows organizations to secure their infrastructure against quantum threats and simultaneously maintain compliance with frameworks that mandate traditional algorithms.
Another example of hybrid certificates are Catalyst certificates, which inject the secondary (usually the PQ) objects into an X.509 extension rather than the primary key field. This enables certain legacy clients to only process the traditional RSA/ECC key without failing.
Evaluating Protocol and Size Impact
Post-quantum keys and signatures often require significantly larger storage sizes than their classical counterparts. This size increase can critically impact network protocols, automated enrollment clients and database schemas. To help security architects navigate this transition, MTG provides a dedicated PQC Size Calculator.
This tool allows organizations to evaluate and compare the exact data object sizes for both traditional and PQC algorithms. By factoring in fixed byte overhead, public key counts and signature sizes, enterprises can accurately predict the network payload impact of migrating to ML-DSA or SLH-DSA.
Further Reading
Since 2018, MTG has been actively engaged in the field of post-quantum cryptography and participates in research and development projects of such. You may refer to the dedicated website section for a deeper dive on all MTG PQC activities.
Business Value Summary
| Operational Risk | MTG CLM Mechanism | Business Outcome |
|---|---|---|
Future quantum attacks |
Native support for ML-DSA and SLH-DSA |
Prepares the enterprise for long-term cryptographic security against quantum harvesting. |
Transition downtime |
Composite ML-DSA Certificates |
Enables a phased, non-disruptive migration by combining classical and PQC signatures. |
Unpredictable network impact |
MTG PQC Size Calculator |
Provides accurate capacity planning to prevent protocol failures due to PQC payload sizes. |