2025-04-29
In this session, Tomas Gustavsson, Chief PKI Officer, and Sven Rajala, International PKI Man of Mystery, explore the current state of Hardware Security Modules (HSMs) in relation to post-quantum cryptography (PQC), focusing on the implementation and performance of algorithms like LMS, ML-DSA, and ML-KEM.
The discussion begins with LMS, which has been tested across multiple HSMs. LMS is interoperable and is supported by PKCS #11 version 3.1, but its operational performance varies significantly between implementations: some HSMs handle multi-threaded signing well, while others only support single-threaded workloads or are simply slow. LMS is also a stateful hash-based scheme: every leaf of the tree is a one-time key, and the signer must durably record which leaves have been consumed before it releases a signature. Signing twice from the same leaf (for example after restoring an HSM from a backup, or when two threads race for the same index) exposes private key material and enables forgery. Given these strict state-management requirements, its use should be carefully considered. It is best suited to low-volume, single-threaded signing such as root certificate authorities or release code signing. For high-throughput operations such as code signing inside CI/CD pipelines, LMS can introduce severe bottlenecks.
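To make the state-management requirement concrete, here is an added toy stateful hash-based signer in Python, written for this page and not part of the webinar or any vendor's product. It is a simplified Lamport one-time-signature-under-Merkle-tree analogue, not LMS itself (RFC 8554); the tree height, SHA-256, the JSON state file and the twelve-signature reuse experiment are assumptions chosen for the demo. It shows the three behaviours an HSM's LMS implementation must get right: the leaf index is committed to durable storage before the signature is released, signing stops when the leaves are exhausted, and replaying a leaf index lets an observer forge a signature that verifies under the public key.

```python
"""Toy stateful hash-based signature: Lamport one-time signatures (OTS) under a
small Merkle tree, with the leaf counter persisted before a signature is released.
Added illustration for this article, NOT LMS (RFC 8554) and NOT any HSM vendor's
code; SHA-256, a height-2 tree, a JSON state file and the reuse experiment are demo choices."""
import hashlib
import json
import os
import secrets
import tempfile

N = 256       # digest bits; a Lamport key holds two secrets per bit position
HEIGHT = 2    # 2**HEIGHT = 4 one-time leaves, so at most 4 signatures per key

def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def bits(msg):
    d = H(msg)
    return [(d[i >> 3] >> (7 - (i & 7))) & 1 for i in range(N)]

def ots_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    return sk, [(H(a), H(b)) for a, b in sk]

def ots_verify(pk, msg, sig):
    return all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits(msg))))

def leaf_hash(pk):
    return H(*[h for pair in pk for h in pair])

class ToyStatefulSigner:
    def __init__(self, state_path):
        self.state_path = state_path
        self.leaves = [ots_keygen() for _ in range(2 ** HEIGHT)]
        levels = [[leaf_hash(pk) for _, pk in self.leaves]]
        while len(levels[-1]) > 1:
            levels.append([H(levels[-1][i], levels[-1][i + 1]) for i in range(0, len(levels[-1]), 2)])
        self.levels, self.root = levels, levels[-1][0]   # root = the public key
        self._commit(0)                                  # fresh key: no leaf used yet

    def _commit(self, next_index):
        # Durable, atomic write: the advanced counter is on disk before any signature leaves.
        tmp = self.state_path + ".tmp"
        with open(tmp, "w") as f:
            json.dump({"next": next_index}, f)
            f.flush(); os.fsync(f.fileno())
        os.replace(tmp, self.state_path)

    def sign_leaf(self, idx, msg):
        # Raw one-time operation, revealing one secret per bit position. Safe ONLY via sign().
        sk, pk = self.leaves[idx]
        path, j = [], idx
        for level in self.levels[:-1]:
            path.append(level[j ^ 1])
            j >>= 1
        return {"idx": idx, "ots": [sk[i][b] for i, b in enumerate(bits(msg))], "pk": pk, "path": path}

    def sign(self, msg):
        with open(self.state_path) as f:
            idx = json.load(f)["next"]
        if idx >= 2 ** HEIGHT:
            raise RuntimeError("one-time keys exhausted; retire this key")
        self._commit(idx + 1)             # reserve the leaf first, sign second
        return self.sign_leaf(idx, msg)

def verify(root, msg, sig):
    if not ots_verify(sig["pk"], msg, sig["ots"]):
        return False
    node, idx = leaf_hash(sig["pk"]), sig["idx"]
    for sibling in sig["path"]:
        node = H(sibling, node) if idx & 1 else H(node, sibling)
        idx >>= 1
    return node == root

def forge_after_reuse(observed, max_tries=1_000_000):
    """Attacker: pool secrets exposed by signatures on ONE leaf, then find a message needing only those."""
    known = [{} for _ in range(N)]
    for msg, sig in observed:
        for i, b in enumerate(bits(msg)):
            known[i][b] = sig["ots"][i]
    for n in range(max_tries):
        cand = b"forged-%d" % n
        cb = bits(cand)
        if all(cb[i] in known[i] for i in range(N)):
            return cand, {**observed[0][1], "ots": [known[i][cb[i]] for i in range(N)]}
    return None

def run_demo():
    """Normal use, exhaustion, and forgery after state replay; returns the outcomes."""
    signer = ToyStatefulSigner(os.path.join(tempfile.mkdtemp(), "state.json"))
    out = {"valid": verify(signer.root, b"release-1.0", signer.sign(b"release-1.0")),
           "exhaustion_enforced": False}
    for k in range(1, 2 ** HEIGHT):       # consume the remaining leaves
        signer.sign(b"payload-%d" % k)
    try:
        signer.sign(b"one too many")
    except RuntimeError:
        out["exhaustion_enforced"] = True
    # Replayed state (restored backup, racing threads): leaf 0 signs 12 messages; each reuse
    # halves the unexposed bit positions, so after 12 practically none remain.
    observed = [(b"msg-%d" % k, signer.sign_leaf(0, b"msg-%d" % k)) for k in range(12)]
    forged = forge_after_reuse(observed)
    out["forgery_verifies"] = forged is not None and verify(signer.root, *forged)
    return out
```

In a real deployment the HSM, not a JSON file, owns the counter, and the single-threaded constraint mentioned above follows directly from the reserve-then-sign step: two signing threads must never read the same `next` value. A backup that restores an older counter re-creates exactly the `sign_leaf` replay modelled here, which is why LMS keys cannot be cloned or replicated across HSM partitions the way RSA or ECC keys can.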
ML-DSA is seeing adoption among HSM vendors, with several already supporting it. Performance testing shows that ML-DSA can handle high volumes of certificate issuance, signing at speeds comparable to RSA and ECC. Tests across the ML-DSA parameter sets (ML-DSA-44, ML-DSA-65 and ML-DSA-87) reveal no significant performance degradation, even at the largest, ML-DSA-87. Unlike RSA, which doubles as an encryption primitive and comes in several padding variants, ML-DSA is a single-purpose signature scheme with fixed parameter sets, which reduces the complexity associated with multiple algorithm variants. Its inclusion in PKCS #11 version 3.2 further ensures that implementations can be more consistent across different HSMs.
The session also touches on ML-KEM, which is being considered for encryption use cases, where it establishes the symmetric key that actually protects the data. While testing on ML-KEM is still in the early stages, a KEM exposes fixed encapsulate and decapsulate operations that return the shared secret directly, which is expected to simplify implementation compared to elliptic-curve key agreement, where the key-derivation step that follows ECDH varies significantly across different HSMs.
Looking ahead, HSM vendors are encouraged to provide their hardware for additional testing to evaluate post-quantum cryptography readiness. The field is rapidly evolving, and as more vendors integrate post-quantum algorithms, performance and interoperability will continue to improve.