Enable PQC algorithms for keypairs

You can enable post-quantum cryptography (PQC) algorithms in your DigiCert​​®​​ Software Trust Manager account. This enables users to create PQC keypairs for code signing certificates. PQC algorithms are designed to resist attacks from future quantum computers, helping you prepare for emerging security risks.

When enabled, users can select these options when creating keypairs and are limited to the algorithms and security levels you configure.

Before you begin

Before you begin, make sure you have:

  • A Software Trust Manager account

  • Manage account settings permission or Lead user role

To enable PQC algorithms

  1. In the Managers (grid icon) menu, select Software Trust.

  2. Go to Account > Account settings.

  3. In the Account section, select the edit (pencil) icon.

  4. In the Keypair section, update the following sections:

    1. In the Algorithms section, select the checkbox for the algorithms you want to enable.

    2. In the Security levels section, select the checkbox for the security levels you want to enable.

  5. Select Update settings.

Available PQC algorithms

The following algorithms are available for PQC:

  • MLDSA

    Module-Lattice-Based Digital Signature Algorithm (MLDSA) is a PQC approach to cryptographic security. Its security rests on the difficulty of solving lattice-based problems, which are believed to remain hard for quantum computers.

  • SLHDSA

    Secure Lightweight Hash-based Digital Signature Algorithm (SLHDSA) is a PQC approach to cryptographic security. It's designed to offer robust protection with minimal computational overhead. It uses lightweight hash-based techniques to ensure security while optimizing performance, making it ideal for resource-constrained environments.

Available PQC security levels

For MLDSA

The following security levels are available for MLDSA algorithms:

  • MLDSA-44

    Represents a cryptographic strength equivalent to at least 128-bit symmetric encryption. This level is considered sufficient for many applications requiring strong security, such as protecting sensitive data and communications.

  • MLDSA-65

    Represents a higher cryptographic strength, equivalent to at least 192-bit symmetric encryption. Offers a larger security margin than MLDSA-44, making it suitable for applications with elevated security requirements.

  • MLDSA-87

    Represents the highest cryptographic strength of the three levels, equivalent to at least 256-bit symmetric encryption. The larger parameters further increase the work required of an attacker, making this level suitable for sensitive applications that require maximum protection against advanced cryptographic attacks.

For SLHDSA

The following security levels are available for SLHDSA algorithms:

  • SHA2-128s

    Provides a cryptographic strength equivalent to 128-bit symmetric encryption, offering strong protection for general applications.

  • SHAKE-128s

    Offers an equivalent strength of 128-bit symmetric encryption, using SHAKE for flexible security parameters.

  • SHA2-128f

    Similar to SHA2-128s but optimized for faster performance.

  • SHAKE-128f

    Fast variant of SHAKE-128, balancing performance and security.

  • SHA2-192s

    Provides 192-bit symmetric encryption strength, suitable for applications demanding higher security.

  • SHAKE-192s

    Flexible security with 192-bit strength using SHAKE for adjustable output lengths.

  • SHA2-192f

    Fast variant of SHA2-192s, offering higher security with optimized performance.

  • SHAKE-192f

    Fast variant of SHAKE-192, optimized for performance in demanding applications.

  • SHA2-256s

    Offers 256-bit symmetric encryption strength, suitable for highly sensitive applications.

  • SHAKE-256s

    Uses SHAKE for flexible cryptographic output at a 256-bit strength.

  • SHA2-256f

    A faster version of SHA2-256s, providing maximum security with optimized performance.

  • SHAKE-256f

    Fast variant of SHAKE-256, ideal for highly sensitive environments requiring both strong security and high efficiency.

Tip

SLHDSA security levels are grouped by strength. Each group includes multiple variants:

  • s (small): Smaller signatures, lower bandwidth usage

  • f (fast): Faster performance, larger signatures
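The policy statement above (users are limited to the algorithms and security levels you enable) and the s/f trade-off in this tip can be made concrete with a small model. The following is an added example and not DigiCert code: it represents the two checkbox groups from the Keypair settings as a policy, checks a keypair request against it, and uses the public-key and signature sizes published in FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA) to show what each permitted parameter set costs per signed artifact. The function and class names are the example's own; the strength assigned to each level is the one stated on this page.

```python
"""Model of the account-level PQC keypair policy (added example, not DigiCert code)."""
import re
from dataclasses import dataclass

# (public key bytes, signature bytes) per parameter set, from FIPS 204 / FIPS 205.
# Level names are the ones shown in the Software Trust Manager settings page.
PARAMETER_SETS = {
    ("MLDSA", "MLDSA-44"): (1312, 2420),
    ("MLDSA", "MLDSA-65"): (1952, 3309),
    ("MLDSA", "MLDSA-87"): (2592, 4627),
    ("SLHDSA", "SHA2-128s"): (32, 7856),
    ("SLHDSA", "SHAKE-128s"): (32, 7856),
    ("SLHDSA", "SHA2-128f"): (32, 17088),
    ("SLHDSA", "SHAKE-128f"): (32, 17088),
    ("SLHDSA", "SHA2-192s"): (48, 16224),
    ("SLHDSA", "SHAKE-192s"): (48, 16224),
    ("SLHDSA", "SHA2-192f"): (48, 35664),
    ("SLHDSA", "SHAKE-192f"): (48, 35664),
    ("SLHDSA", "SHA2-256s"): (64, 29792),
    ("SLHDSA", "SHAKE-256s"): (64, 29792),
    ("SLHDSA", "SHA2-256f"): (64, 49856),
    ("SLHDSA", "SHAKE-256f"): (64, 49856),
}

# Symmetric-equivalent strength the page assigns to each MLDSA level.
MLDSA_STRENGTH = {"MLDSA-44": 128, "MLDSA-65": 192, "MLDSA-87": 256}


@dataclass(frozen=True)
class KeypairPolicy:
    """The two checkbox groups in Account settings > Keypair (hypothetical model)."""
    algorithms: frozenset  # e.g. {"MLDSA", "SLHDSA"}
    levels: frozenset      # e.g. {"MLDSA-87", "SHA2-256s"}


def check_request(policy, algorithm, level):
    """Return (allowed, reason) for a keypair request against the account policy."""
    if (algorithm, level) not in PARAMETER_SETS:
        return False, f"unknown parameter set {algorithm}/{level}"
    if algorithm not in policy.algorithms:
        return False, f"algorithm {algorithm} not enabled"
    if level not in policy.levels:
        return False, f"security level {level} not enabled"
    return True, "allowed"


def claimed_strength(level):
    """Symmetric-equivalent strength (128/192/256) for a level name on this page."""
    if level in MLDSA_STRENGTH:
        return MLDSA_STRENGTH[level]
    match = re.fullmatch(r"(SHA2|SHAKE)-(128|192|256)[sf]", level)
    if match is None:
        raise ValueError(f"unrecognised security level: {level}")
    return int(match.group(2))


def signature_overhead(algorithm, level, artifacts):
    """Total signature bytes added when `artifacts` files are signed with one keypair."""
    _, sig_bytes = PARAMETER_SETS[(algorithm, level)]
    return sig_bytes * artifacts


def smallest_allowed(policy, min_strength):
    """Permitted parameter set with the smallest signature at or above min_strength.

    Returns (algorithm, level, signature_bytes) or None if the policy permits nothing
    at that strength. Because the s variants are the smaller SLH-DSA signatures, they
    win over the f variants of the same strength whenever both are enabled.
    """
    candidates = [
        (sig_bytes, alg, lvl)
        for (alg, lvl), (_, sig_bytes) in PARAMETER_SETS.items()
        if check_request(policy, alg, lvl)[0] and claimed_strength(lvl) >= min_strength
    ]
    if not candidates:
        return None
    sig_bytes, alg, lvl = min(candidates)
    return alg, lvl, sig_bytes


if __name__ == "__main__":
    # Constructed policy: both algorithms enabled, only 192-bit levels ticked.
    policy = KeypairPolicy(frozenset({"MLDSA", "SLHDSA"}),
                           frozenset({"MLDSA-65", "SHA2-192s", "SHA2-192f"}))
    print(check_request(policy, "MLDSA", "MLDSA-44"))
    print(smallest_allowed(policy, 192))
    print(signature_overhead("SLHDSA", "SHA2-192f", 1000), "bytes for 1000 signatures")
```

Note how the f variants roughly double the signature size of the matching s variant at every strength, which is the bandwidth cost the tip refers to; for code signing, where an artifact is signed once and verified many times, the s variants are usually the better fit unless signing throughput is the bottleneck.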

See also

Generate a certificate using a PQC keypair

Rekey an existing keypair to PQC