 Review
 Open Access
Towards security recommendations for public-key infrastructures for production environments in the post-quantum era
EPJ Quantum Technology volume 8, Article number: 14 (2021)
Abstract
Quantum computing technologies pose a significant threat to the currently employed public-key cryptography protocols. In this paper, we discuss the impact of the quantum threat on public key infrastructures (PKIs), which are used as part of the security systems protecting production environments. We analyze security issues of existing models with a focus on the requirements for a fast transition to post-quantum solutions. Although our primary focus is on attacks with quantum computers, we also discuss some security issues that are not directly related to the cryptographic algorithms in use but are essential for the overall security of the PKI. We provide a set of security recommendations for the PKI from the viewpoint of attacks with quantum computers.
Introduction
In the digital era, cryptography plays a central role in ensuring the security and privacy of communications, which are crucial for fields ranging from personal data to critical infrastructure. Cryptographic techniques are used throughout government and industry to authenticate the source of information and to protect its confidentiality and integrity. Existing cryptographic tools rely substantially on public-key cryptography. It is a technique that enables entities to communicate securely over an insecure public network by solving the key distribution problem, and to reliably verify their identities via digital signatures. Public-key cryptography is also known as asymmetric cryptography, since the communicating parties use two types of keys: public keys, which may be known to others, and private keys, which must never be known to anyone but their owner. This is the important difference from symmetric cryptography, which relies on a single secret key shared between the parties (the problem of distributing that key is itself challenging; see below).
In turn, public-key cryptography forms the basis of a public key infrastructure (PKI), which is the set of roles, policies, hardware, software, and procedures needed to establish a binding between real-world parties (such as people, manufacturers, or devices) and their public keys. Certificates are the basic digital documents that state the correspondence between an entity and its public key [1]. PKI plays a crucial role in protecting many processes and, in particular, all phases of product development and distribution in production environments.
The security of public-key cryptography, which in turn defines the security of PKIs, relies on computational problems whose solutions can be verified in polynomial time but for which no efficient solving algorithm is known. For example, multiplying two large prime numbers is computationally easy (and it is equally easy to check that the two primes multiply to a given integer), but finding the prime factors of a given product is hard: for large numbers it would take a conventional computer thousands of years. In terms of public-key cryptography, this means that the legitimate operations (encrypting to a public key, signing a document, and checking a signature with the public key) are computationally easy, whereas recovering the private key from the known public key is computationally hard. Such problems, namely integer factorization and the discrete logarithm problem, underlie the Rivest-Shamir-Adleman (RSA) cryptosystem [2] and the Diffie-Hellman scheme [3], respectively. Under the assumption that existing computers cannot solve these mathematical tasks in a reasonable time, modern public-key techniques such as RSA and Diffie-Hellman are considered secure.
A new generation of computing devices that operate on the principles of quantum physics, so-called quantum computers, would allow solving various mathematical tasks much faster than their classical counterparts. These tasks include integer factorization and discrete logarithms, which are behind the security of the RSA and Diffie-Hellman schemes mentioned above, via Shor's quantum algorithm [4]. In practice, this means that an adversary with a quantum computer would be able to obtain a private key from the corresponding public key. Consequently, quantum computers with enough computing power (so-called quantum volume) would break popular and widely deployed tools for cryptographic protection. Quantum computing also has an impact on symmetric cryptography, since Grover's quantum algorithm [5] provides a quadratic speedup in brute-force search, but this speedup is not dramatic. Thus, quantum computing poses a threat to currently used information security protocols based on PKI, in particular those used in Transport Layer Security (TLS), the security protocol behind Hypertext Transfer Protocol Secure (HTTPS) [6].
However, not all existing security tools are vulnerable to attacks with quantum computers [7, 8]. Currently, serious efforts are concentrated on developing quantum-resistant cryptographic tools and a strategy for deploying them into the existing infrastructure. A number of cryptographic systems that use these methods are considered as candidates in the National Institute of Standards and Technology (NIST) Post-Quantum Cryptography Standardization process and by the European Telecommunications Standards Institute (ETSI).
The deployment of quantum-resistant solutions is of significant importance for many information systems. Here we focus on large-scale production environments, where most of the security tools protecting supply chains, distribution networks, financial management systems and communications, and control systems are based on public key infrastructure (PKI) [1, 9–12]. We use the typical PKI structure of a production environment, provided by Bosch and presented below, as the example for our analysis from the viewpoint of potential attacks with quantum computers. To avoid major losses [13], companies that rely substantially on PKI should pay attention to the quantum threat and create a post-quantum security strategy.
In this work, we consider the impact of the quantum threat on the PKI used for protecting production environments. We analyze the security issues of the model of injecting a trusted certificate and provide security recommendations for protecting the PKI against attacks with quantum computers. Although real-world production environments are frequently considered as a subject of analysis from the viewpoint of upcoming threats from quantum computing technologies, our work (to the best of our knowledge) is the first detailed holistic consideration of the strategic changes in PKI needed to provide post-quantum security. We also discuss the applicability of post-quantum algorithms in security systems for production environments.
Our paper is organized as follows. In Sect. 2 we analyze the impact of quantum computers on modern cryptographic tools. In Sect. 3 we consider the quantum security of a state-of-the-art PKI model for a production environment. In Sect. 4 we formulate security recommendations based on our analysis. In Sect. 5 we discuss the applicability of post-quantum algorithms. We conclude in Sect. 6.
Impact of quantum computers on cryptography
Here we briefly review the state of the art in cryptanalysis with the use of quantum computers (for a review, see Ref. [14]). Then we consider existing options for protecting PKI in the post-quantum era.
Quantum threat for cryptography
Symmetric cryptography
Cryptography comprises various techniques, which can be divided into two large categories: symmetric (private-key) cryptography and asymmetric (public-key) cryptography. Symmetric techniques use the same key for encryption and decryption. Symmetric cryptography is fast and relatively easy to implement and operate, but it suffers from two main difficulties. The first is the confidential distribution of the key between distinct parties. Symmetric cryptography is still widespread among organizations that use, for example, trusted couriers for key distribution, which is cumbersome in the era of digital communications. The second is the need to change keys quite frequently to reduce the probability of a key being discovered by an attacker. Therefore, symmetric techniques are useful only when an efficient method for distributing and refreshing keys is available.
Quantum computers have an impact on symmetric cryptographic primitives, but exponential speedups in their cryptanalysis are not expected. Grover's algorithm gives quantum computers a quadratic speedup in brute-force search [5]. Key management for such primitives, in terms of key size and key refresh time, therefore needs to be reconsidered. For example, AES-256 is considered quantum-secure with 128 bits of quantum security (in view of the quadratic speedup in brute-force search), whereas AES-128 would be left with only 64 bits by the same count.
Publickey (asymmetric) cryptography
The situation differs for the currently deployed public-key (asymmetric) cryptography tools, which use a pair of public/private keys. Public-key cryptographic primitives are built on mathematical problems that are believed to be computationally hard. They are used as the basis of popular cryptographic schemes such as RSA, Diffie-Hellman, ECDSA (Elliptic Curve Digital Signature Algorithm), etc. [7].
However, quantum computers can solve the problems behind the security of these primitives in polynomial time using Shor's algorithm [4]. The quantum resources required for factoring integers and computing discrete logarithms in finite fields with Shor's algorithm are a subject of extensive research [4, 15–20]. One of the latest results [20] is a scheme that uses \(3n+0.002n\lg {n}\) logical qubits (i.e. qubits working without errors), \(0.3n^{3}+0.0005n^{3}\lg {n}\) Toffoli gates, and \(500n^{2}+n^{2}\lg {n}\) measurement depth to factor n-bit RSA integers. Once error correction is taken into account, 2048-bit RSA integers could be factored in 8 hours using 20 million noisy physical qubits [20], whereas one of the largest existing gate-based quantum computers has about 53 noisy qubits [21]. An alternative proposal is to use a computing protocol with a multimode memory, which allows factoring 2048-bit RSA integers in 177 days with 13,436 qubits [22]. Thus, current quantum computers are quite far from being capable of executing Shor's algorithm for cryptographically relevant problem sizes [20]. There is increasing interest in alternative schemes for quantum factoring, such as variational quantum factoring [23]. Variational quantum factoring is an alternative to Shor's algorithm that employs established techniques to map the factoring problem to the ground state of an Ising Hamiltonian. It starts by simplifying equations over Boolean variables in a preprocessing step to reduce the number of qubits needed for the Hamiltonian. A more detailed analysis of the potential scalability of such an approach on realistic noisy intermediate-scale quantum devices is under investigation [23].
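Putting \(n = 2048\) (so \(\lg n = 11\)) into the resource counts of Ref. [20] gives the following worked evaluation, added here to make the distance between a logical-qubit estimate and a physical one concrete:

\[3n + 0.002\,n \lg n = 6144 + 45 \approx 6.2 \times 10^{3} \ \text{logical qubits},\]
\[0.3n^{3} + 0.0005\,n^{3} \lg n \approx 2.6 \times 10^{9} + 4.7 \times 10^{7} \approx 2.6 \times 10^{9} \ \text{Toffoli gates},\]
\[500n^{2} + n^{2} \lg n \approx 2.1 \times 10^{9} + 4.6 \times 10^{7} \approx 2.1 \times 10^{9} \ \text{measurement depth}.\]

Roughly six thousand error-free logical qubits become the 20 million noisy physical qubits quoted above once quantum error correction under realistic noise is accounted for; it is the physical figure, not the logical one, that has to be compared with today's devices of about 53 qubits.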
Thus, the existence of Shor's algorithm makes the corresponding public-key cryptography methods vulnerable. Therefore, most of the primitives currently used in PKI should be replaced to guarantee security against quantum attacks. In this case, it is not enough to increase the key size: the algorithms themselves must be replaced, and the replacement must be complete before a cryptographically relevant quantum computer exists.
Store now – decrypt later
One of the most important existing problems is the so-called "store now, decrypt later" attack. The adversary harvests data in encrypted form today, in the hope that a future quantum computer will let them uncover valuable information from it. For applications dealing with long-term sensitive information, one should therefore prioritize replacing cryptographic primitives with quantum-secure ones. This is expressed by Mosca's theorem, which states the following: we need to start worrying about the impact of quantum computers when the time for which we wish our data to remain secure (X) plus the time it will take our systems to transition from classical to post-quantum cryptography (Y) exceeds the time it will take for quantum computers to start breaking existing quantum-susceptible encryption protocols (Z), i.e. when X + Y > Z.
Importantly, this paradigm extends to the idea of cryptographic agility (crypto-agility), which is the capacity of an information security system to switch to an alternative encryption method or cryptographic primitive without significant change to the system infrastructure. In terms of Mosca's theorem, this amounts to minimizing the transition time Y to quantum-resistant solutions.
Quantum-resistant cryptography
There are several ways to protect information infrastructure in the era of quantum computers, the so-called post-quantum era [7]. The crucial problems typically solved with public-key primitives are key distribution and digital signatures. There exist several practical ways of solving these problems in the post-quantum era.
Quantum key distribution
The first is to replace public-key cryptography with quantum key distribution (QKD, also known as quantum cryptography), which is a hardware solution based on transmitting information using individual quantum objects [24]. The main advantage of this approach is that its security relies not on computational assumptions but on the laws of quantum physics. The idea of QKD is that two legitimate users (Alice and Bob) share a pre-distributed authentication key and a communication channel. They then run a QKD protocol that yields a raw quantum key, which contains some errors and about which some information is potentially known to the adversary. QKD security proofs assume that all errors in the raw key are due to eavesdropping [24]. Alice and Bob then run a post-processing procedure (error correction and privacy amplification) over the authenticated public channel. As a result, they share a key that is proven to be information-theoretically secure against arbitrary attacks, including quantum ones [25]. QKD-generated keys can be used for conventional symmetric encryption, such as AES, and to refresh keys frequently.
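The mechanism by which eavesdropping shows up as errors in the raw key can be seen in a classical simulation of BB84 sifting. The following is an added example, not code from the paper: a qubit is modelled as a (basis, bit) pair, measuring in the preparation basis returns the bit, measuring in the other basis returns a random bit, and an intercept-resend eavesdropper therefore leaves about 25% errors in the sifted key. The 11% abort threshold is the commonly cited tolerable QBER for BB84 with one-way post-processing; the channel itself is assumed noiseless here, which is why the no-eavesdropper run shows zero errors.

```python
"""Classical simulation of BB84 sifting and error-rate estimation.

Added example (not from the paper): models the qubit as a (basis, bit) pair,
so a measurement in the preparation basis is deterministic and a measurement
in the other basis gives a uniformly random bit. An intercept-resend
eavesdropper therefore leaves a ~25% error rate in the sifted key, which is
how Alice and Bob detect her over the authenticated public channel."""
import random

RECTILINEAR, DIAGONAL = 0, 1


def measure(state, basis, rng):
    """Measure a (prep_basis, bit) state in `basis`."""
    prep_basis, bit = state
    if prep_basis == basis:
        return bit            # same basis: outcome equals the encoded bit
    return rng.randrange(2)   # wrong basis: outcome is random


def run_bb84(n_photons, eavesdrop=False, seed=2021):
    """Return Alice's and Bob's sifted key bits (positions where bases matched)."""
    rng = random.Random(seed)
    alice_key, bob_key = [], []
    for _ in range(n_photons):
        bit, alice_basis = rng.randrange(2), rng.randrange(2)
        state = (alice_basis, bit)                      # Alice sends the photon
        if eavesdrop:
            # Eve measures in a random basis and re-sends what she observed.
            eve_basis = rng.randrange(2)
            state = (eve_basis, measure(state, eve_basis, rng))
        bob_basis = rng.randrange(2)
        outcome = measure(state, bob_basis, rng)
        # Sifting: bases are announced publicly; mismatched positions are discarded.
        if alice_basis == bob_basis:
            alice_key.append(bit)
            bob_key.append(outcome)
    return alice_key, bob_key


def qber(alice_key, bob_key):
    """Quantum bit error rate, estimated on the sifted key."""
    errors = sum(a != b for a, b in zip(alice_key, bob_key))
    return errors / len(alice_key)


def key_accepted(error_rate, threshold=0.11):
    """Abort above the ~11% QBER that BB84 post-processing can tolerate."""
    return error_rate < threshold


if __name__ == "__main__":
    for eve in (False, True):
        a, b = run_bb84(20000, eavesdrop=eve)
        rate = qber(a, b)
        print("eavesdropper=%s sifted=%d QBER=%.3f accept=%s"
              % (eve, len(a), rate, key_accepted(rate)))
```

In a real deployment the channel contributes its own noise, so the protocol cannot tell eavesdropping from loss; the security argument conservatively attributes the whole measured QBER to the adversary and aborts above the threshold.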
Remarkable progress in the deployment of quantum key distribution networks around the globe has been made. Various industrial use cases of QKD, such as those in finance, telecommunications, and data center infrastructure, have been demonstrated [26, 27]. The largest QKD network to date is deployed in China; it spans 4600 km, including the link between the cities of Shanghai, Hefei, Jinan, and Beijing and a satellite link spanning 2600 km between two observatories [28]. Operating such QKD networks requires trusted relay nodes, because optical losses in the communication channels limit the distance over which a QKD protocol can be run.

At the current stage, QKD technology faces several challenges [24], which make it best suited to certain domain-specific applications, such as protecting highly loaded communication links over distances that do not require intermediate nodes [29, 30]. We note that the practical implementation of digital signatures based on quantum key distribution in industrial environments seems quite complicated from a practical point of view.
Post-quantum cryptography
An alternative way to guarantee the security of communications is to switch to a new type of public-key cryptosystem. Fortunately, not all public-key cryptosystems are vulnerable to attacks with quantum computers [8]. Several cryptosystems for key distribution and digital signatures that strive to remain secure under the assumption that the attacker has a large-scale quantum computer have been suggested. These schemes are in the scope of so-called post-quantum cryptography. Post-quantum protocols are based on different mathematical approaches, such as the shortest vector problem in a lattice [31–33], learning with errors [34–44], solving systems of multivariate quadratic equations over finite fields [45–50], finding isogenies between elliptic curves [51–58], decoding problems in error-correcting codes [59–66], security properties of cryptographic hash functions [67–72], and other primitives [73].
Hybrid quantum-secured cryptography
A useful strategy is to combine different cryptographic techniques [74]. For example, one can combine QKD with symmetric encryption or with post-quantum cryptography, where the latter can serve various purposes (e.g. authentication in the QKD protocol [75]). In addition, a hybrid quantum-secured infrastructure may use QKD for protecting highly loaded communication links over distances that do not require intermediate nodes, whereas end users without direct connections can be protected by means of post-quantum cryptography. In either case, the keys obtained from the different mechanisms should be combined so that the resulting key remains secret as long as at least one of the component mechanisms is unbroken.
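One concrete way to combine secrets from several mechanisms is a key-derivation combiner. The block below is an added example, not the paper's code: it feeds a classical, a post-quantum and a QKD-derived secret (constructed sample bytes here) through HKDF-SHA256 as specified in RFC 5869, length-prefixes each input so that different splittings of the same bytes cannot collide, and binds the output to the protocol transcript. The salt string and the info label are assumptions chosen for this example.

```python
"""Hybrid key combiner: one session key from several independent shared secrets.

Added example (not from the paper): the secrets could come from a classical
key exchange, a post-quantum KEM and a QKD link. They are fed through
HKDF-SHA256 (RFC 5869) with length prefixes and bound to the protocol
transcript, so the result stays secret as long as any one input does."""
import hashlib
import hmac


def hkdf_extract(salt, ikm):
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk, info, length):
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def combine_secrets(secrets, transcript, length=32):
    """Derive a session key from a list of shared secrets.

    Each secret is length-prefixed so that different splittings of the same
    bytes (e.g. [a+b, c] versus [a, b+c]) cannot yield the same input keying
    material; the transcript binds the key to this particular exchange."""
    if not secrets:
        raise ValueError("at least one shared secret is required")
    ikm = b"".join(len(s).to_bytes(2, "big") + s for s in secrets)
    prk = hkdf_extract(b"hybrid-kdf-v1", ikm)   # constant salt = domain separation
    return hkdf_expand(prk, b"session-key|" + transcript, length)


if __name__ == "__main__":
    # Constructed sample secrets standing in for ECDH, PQ-KEM and QKD outputs.
    ecdh, pqkem, qkd = bytes([0x11]) * 32, bytes([0x22]) * 32, bytes([0x33]) * 32
    k = combine_secrets([ecdh, pqkem, qkd], b"tls-like-transcript")
    # A quantum attacker who recovers the ECDH secret but not the others
    # still derives a different key.
    k_attacker = combine_secrets([ecdh, bytes(32), bytes(32)], b"tls-like-transcript")
    print(k.hex(), k != k_attacker)
```

The combiner is only as good as its inputs' independence: reusing one mechanism's output as the "second" secret adds nothing, and the transcript must include the negotiated algorithm identifiers so that an on-path attacker cannot silently drop the post-quantum component.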
Standardization processes
Both quantum and post-quantum cryptography are undergoing active standardization. In particular, standardization of QKD technology is considered by several bodies, such as ETSI and ITU.
The standardization of post-quantum cryptography is currently centered around the NIST initiative [76], which is intended to select and standardize post-quantum algorithms for stateless digital signatures and key encapsulation mechanisms/public-key encryption. The process is similar to the previous NIST hash function and AES competitions. To date, two rounds have finished [77] and the third round is in progress. The third and final round should result in the choice of algorithms for standardization.
Analysis of quantum security of a state-of-the-art PKI model for a production environment
PKI is the set of measures needed to use digital certificates and manage public-key encryption [1, 9–12]. The main goal of PKI is to bind entities to public keys of asymmetric cryptosystems. The binding is established with the use of certificates. A certificate is a data set that gives information about the entity and its public key. The certificate is signed by a trusted third party whose public key is known.
The core idea of the PKI is to maintain a root of trust during all phases of product development and distribution. That is why it is important to implement a key hierarchy and protection of data at rest to guarantee the PKI's resistance against various possible threats. Additionally, an efficient PKI model should contain mechanisms for controlling already enrolled certificates and keys in a way that allows revoking keys and detecting the compromise of particular parts of the system. On the basis of widely used assumptions, we can separate the PKI tasks as follows:
1. enrollment and provision of new certificates;
2. authentication and verification of involved parties and certificates;
3. revocation and detection of compromised or expired certificates.
Currently used PKI schemes are mostly based on cryptographic mechanisms that are not quantum-resistant. This section analyzes a state-of-the-art PKI model in order to formulate security recommendations. In the following subsections, we describe security aspects for each of the listed functional parts.
PKI model for production environments
Our further analysis is presented for a specific PKI model used in production environments (we use the concrete scheme provided by Bosch). The diagram describing the existing certificate enrollment scheme is shown in Fig. 1. The main functional goal of this scheme is to inject a trusted certificate into the final product. In this particular case, the final product is a manufactured device.
We use the following assumptions regarding the provided scheme.
1. The main certificate authority (CA, PKI frontend) is considered to be trusted. Compromise of the core CA may lead to a security breach of the PKI regardless of the applied security countermeasures. An alternative is to develop a PKI model based on a decentralized root of trust. However, this topic is outside the scope of the present paper, as decentralized PKI requires technologies similar to blockchains (whose cryptographic security is itself a subject of research [78, 79]).
2. The perimeters of the production zone and the service zones are trusted, or at least contain mechanisms to notify other parties about deviations of planned activities (e.g. certificate enrollment) from expected behaviour. Such deviations may be caused by various reasons, including:
(a) unauthorized access to the system by a malicious or unauthorized actor;
(b) malfunction of the system caused by environmental conditions, power supply, or hardware or software issues;
(c) infection of the system with malware.
Information regarding the current state of the production and service zones must be handled by a monitoring system that can efficiently notify authorized parties. The communication channels and the threshold values used to detect a compromise must be agreed between the parties during the development of the monitoring system. For example, information about the current state of the service zone must not be shared over the same communication channel that is used for communication with the production line, as both of them (including the communication channel itself) may be compromised.
3. The algorithms in use are, at the current stage, compliant with publicly available standards (e.g. NIST FIPS 140-2 [80]). Misuse of cryptographic modes and parameters may compromise data at rest regardless of the applied countermeasures.
4. The malicious actor may be one of the following:
(a) an external party aiming to compromise the confidentiality of data in transit in order to access the content of firmware updates and device configuration;
(b) a device manufacturer that is not authorized to access proprietary information regarding the internal structure of the device and its software; for example, such a manufacturer may have physical access to one of the devices distributed on the market and aim to reverse-engineer it in order to clone it and create a similar product;
(c) a group of highly experienced information security specialists aiming to compromise proprietary information about the production line, the company, and its products.

Since we consider a specific example of the currently used scheme of relations between the involved parties and the set of business requirements for this scheme, we adjust our assumptions to the provided scheme as follows.
1. All parties (manufacturer, maintainer, operator) may want to inject their own certificates, which are not related to a specific PKI model or associated with each other.
2. The device should be able to generate a certificate by itself.
3. All parties may use one of the following mechanisms to inject a certificate:
(a) the company frontend;
(b) a special application programming interface (API) on the device itself;
(c) manual upload of the certificate directly to the device via the device's API.
Some additional technical details are given in Appendix A.
We note the following potential weaknesses in the provided scheme.
1. The public network is assumed to be compromised and anyone can get access to the transmitted data. This includes eavesdropping on and modification of data in transit. Moreover, in some cases it may be possible to record communication data and decrypt it later, once an operable quantum computer is available.
2. The provided scheme does not cover the communications between parties.
3. The injection process takes place (in the scheme as is) without verification of the integrity of the device or of the backend. Device integrity should be achieved through hardware-level isolation (virtualization) technologies, with the private key and information about the device itself (hardware identifiers, device specifications) embedded in protected memory and shared with the backend. The attestation process may then be performed inside the isolated environment of the device, verifying its integrity against the embedded information. Additionally, the device may integrate various tamper-detection techniques, both in software and in hardware, to verify its integrity. The private key stored in protected memory guarantees the trustworthiness of the attestation data. The authenticity of the backend may be verified by checking the certificate presented by the backend, within the isolated environment, against information embedded in the protected memory.
Manual injection of the certificate is considered a work-around and is not part of the unified structure provided by the PKI. We therefore build the proposed scheme on the assumption that certificates are injected using the company's frontend or the device API. Moreover, using a unified method of certificate injection allows each participant in the injection to be described in the same way. In other words, the relations between the manufacturer and the integrator are not considered separately, as both of them are seen by the PKI as regular nodes.
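The mutual check described under weakness 3, a device attesting its state to the backend and the backend proving itself to the device before any certificate is injected, is shown in the following added example (not the paper's or Bosch's code). It assumes the device holds an attestation key in protected memory; to run with the Python standard library only, that key is a symmetric key shared with the backend and reports are authenticated with HMAC-SHA256, whereas a production design would use a hardware-bound asymmetric key. The firmware image, backend certificate bytes and device identifiers are constructed sample values.

```python
"""Mutual verification before certificate injection: backend attests the
device's state, device checks the backend against a pinned fingerprint.

Added example, not the paper's or Bosch's code. It assumes the device holds
an attestation key in protected memory; to run with the standard library
only, that key is a symmetric key shared with the backend (HMAC-SHA256).
A production design would use a hardware-bound asymmetric key."""
import hashlib
import hmac
import json
import secrets

# Constructed sample values standing in for the real firmware image and the
# DER encoding of the backend certificate.
EXPECTED_FIRMWARE = hashlib.sha256(b"firmware-v1.2.3 (constructed sample)").hexdigest()
BACKEND_CERT_DER = b"backend-cert-der (constructed sample)"
BACKEND_CERT_FINGERPRINT = hashlib.sha256(BACKEND_CERT_DER).hexdigest()


def _mac(key, report):
    return hmac.new(key, json.dumps(report, sort_keys=True).encode(),
                    hashlib.sha256).hexdigest()


class Device:
    def __init__(self, device_id, attestation_key, firmware, pinned_backend_fp):
        self.device_id = device_id
        self._key = attestation_key                  # lives in protected memory
        self._firmware = firmware
        self._pinned_backend_fp = pinned_backend_fp  # embedded at manufacturing

    def verify_backend(self, backend_cert_der):
        """The device only talks to a backend whose certificate matches the
        fingerprint embedded in protected memory (no public CA lookup needed)."""
        fp = hashlib.sha256(backend_cert_der).hexdigest()
        return hmac.compare_digest(fp, self._pinned_backend_fp)

    def attest(self, nonce):
        """Measure the firmware and bind the measurement to the fresh nonce."""
        report = {"device_id": self.device_id,
                  "firmware_hash": hashlib.sha256(self._firmware).hexdigest(),
                  "nonce": nonce.hex()}
        return {"report": report, "mac": _mac(self._key, report)}


class Backend:
    def __init__(self, device_keys, cert_der):
        self._device_keys = device_keys   # device_id -> attestation key
        self.cert_der = cert_der
        self._outstanding = {}            # device_id -> nonce awaiting a report

    def challenge(self, device_id):
        nonce = secrets.token_bytes(16)
        self._outstanding[device_id] = nonce
        return nonce

    def check(self, attestation):
        """Return (ok, reason). The MAC is checked first so that a forged
        report cannot consume a legitimate device's outstanding nonce."""
        report = attestation["report"]
        key = self._device_keys.get(report["device_id"])
        if key is None:
            return False, "unknown device"
        if not hmac.compare_digest(_mac(key, report), attestation["mac"]):
            return False, "bad mac"
        nonce = self._outstanding.pop(report["device_id"], None)  # single use
        if nonce is None or nonce.hex() != report["nonce"]:
            return False, "stale or replayed nonce"
        if report["firmware_hash"] != EXPECTED_FIRMWARE:
            return False, "firmware measurement mismatch"
        return True, "ok"


def enroll(device, backend):
    """Certificate injection is gated on both checks succeeding."""
    if not device.verify_backend(backend.cert_der):
        return False, "device rejected backend"
    ok, reason = backend.check(device.attest(backend.challenge(device.device_id)))
    if not ok:
        return False, reason
    return True, "certificate injected"
```

The nonce is consumed on the first valid report, so a captured attestation cannot be replayed to enroll a device whose firmware has since been tampered with, and the firmware measurement is compared only after the report has been authenticated.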
Security recommendations
Here we summarize recommendations regarding the overall structure of the PKI, with a focus on threats coming from quantum computing. We recommend improving the scheme in a number of aspects. First, one needs to take into account existing (non-quantum) attacks on PKI schemes. Second, it is important to take into account the risks related to quantum threats. These recommendations form the basis for improving the security aspects of the final holistic PKI solution. Our list of recommendations is as follows.

Cryptography in place.
CA certificates and cryptography are considered to be unified: we assume that all parties share the same set of software development kits (SDKs) and software/hardware to perform the required cryptographic operations. To achieve this, the first step is to enforce universal security requirements for the software.
Software should pass a security evaluation and should be developed according to secure coding practice.
Since the SDKs in this model are assumed to be unified, it is possible to improve the security of cryptographic operations. For example, it is possible to embed information about the current state of the service zone and the software in use in the certificate itself, to ensure that the state of the CA is trusted. Moreover, the time required to migrate the architecture to the post-quantum era is significantly reduced in this case, since a unified mechanism of software update and deployment can be used.
We recommend using the X.509 format for certificates, because it supports an extensible scheme of embedded data. It is possible to store multiple public keys for different algorithms in the same certificate; for example, a signed certificate can carry both an RSA key and a post-quantum Falcon key. Such an approach allows both supporting existing cryptographic standards and ensuring post-quantum security. However, a rollback-protection mechanism must be implemented and enforced to mitigate downgrade attacks against the hybrid scheme: a relying party that accepts a certificate validated by the classical signature alone gains nothing from the post-quantum key, so the verification policy must require the post-quantum signature once migration has taken place.
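The dual-key certificate and the downgrade it must resist are illustrated by the following added example (not the paper's or Bosch's code, and not X.509 encoding: a JSON structure stands in for the certificate). The CA signs the same to-be-signed bytes, which cover all subject keys, with two algorithms; the classical one is textbook RSA with a 27-bit toy modulus (insecure, for illustration only) and the post-quantum one is a Lamport one-time signature over SHA-256, the simplest hash-based scheme, standing in for Falcon. The verifier enforces an AND policy: a relying party that still lists only "rsa" accepts a stripped, RSA-only certificate forged with a quantum-recovered CA key, whereas one that also requires "lamport" rejects it.

```python
"""Hybrid (dual-algorithm) certificate with a downgrade-resistant verifier.

Added example (not the paper's or Bosch's code). The certificate carries one
classical and one post-quantum subject key and is signed by the CA with both
algorithms over the same to-be-signed bytes. The classical part is textbook
RSA with a 27-bit toy modulus (insecure, for illustration only); the
post-quantum part is a Lamport one-time signature over SHA-256, the simplest
hash-based scheme. Falcon, which the text mentions, would take its place."""
import hashlib
import json
import secrets


def H(data):
    return hashlib.sha256(data).digest()


# --- toy RSA ----------------------------------------------------------------
def toy_rsa_keygen():
    p, q, e = 10007, 10009, 65537              # tiny primes: demonstration only
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def toy_rsa_sign(priv, msg):
    n, d = priv
    return pow(int.from_bytes(H(msg), "big") % n, d, n)


def toy_rsa_verify(pub, msg, sig):
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(H(msg), "big") % n


# --- Lamport one-time signature (hash-based, post-quantum) -------------------
def lamport_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return pk, sk


def _bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_sign(sk, msg):
    # The key MUST be used once: revealing both halves of a pair allows forgery.
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]


def lamport_verify(pk, msg, sig):
    return all(H(sig[i]) == pk[i][bit] for i, bit in enumerate(_bits(msg)))


# --- certificate handling ----------------------------------------------------
def tbs_bytes(cert):
    """Canonical to-be-signed encoding: subject and ALL keys, so that removing
    a key changes what both CA signatures cover."""
    return json.dumps({k: v for k, v in cert.items() if k != "signatures"},
                      sort_keys=True).encode()


def issue(subject, subject_keys, ca_rsa_priv, ca_lamport_sk):
    cert = {"subject": subject, "keys": subject_keys, "signatures": {}}
    tbs = tbs_bytes(cert)
    cert["signatures"]["rsa"] = toy_rsa_sign(ca_rsa_priv, tbs)
    cert["signatures"]["lamport"] = [s.hex() for s in lamport_sign(ca_lamport_sk, tbs)]
    return cert


def verify(cert, ca_rsa_pub, ca_lamport_pk, required=("rsa", "lamport")):
    """AND-composition: every algorithm in `required` must be present and
    valid. A migrated relying party lists 'lamport' here; a verifier that
    accepts 'rsa' alone is open to a downgrade by a quantum adversary."""
    tbs = tbs_bytes(cert)
    sigs = cert["signatures"]
    checks = {
        "rsa": lambda: toy_rsa_verify(ca_rsa_pub, tbs, sigs["rsa"]),
        "lamport": lambda: lamport_verify(
            ca_lamport_pk, tbs, [bytes.fromhex(s) for s in sigs["lamport"]]),
    }
    return all(alg in sigs and checks[alg]() for alg in required)


def downgrade(cert, ca_rsa_priv):
    """What an adversary holding the CA's (quantum-broken) RSA key can do:
    strip the post-quantum key and signature and re-sign with RSA only."""
    stripped = {"subject": cert["subject"],
                "keys": {"rsa": cert["keys"]["rsa"]}, "signatures": {}}
    stripped["signatures"]["rsa"] = toy_rsa_sign(ca_rsa_priv, tbs_bytes(stripped))
    return stripped
```

Two points carry over to a real deployment: the rollback protection lives in the verifier's policy, not in the certificate (an attacker who can forge the classical signature can also produce a well-formed classical-only certificate), and a stateful hash-based CA key such as the Lamport pair must never sign twice, which is the operational cost the stateless Falcon avoids.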


Communications.
Parties may operate in different time zones and conditions during communication, so one of the parties may be unavailable during the required time period. A presumable solution for such a challenge is to use limited-use certificates with a very short lifetime, signed with the private key of the CA.
Attacks with quantum computers are able to completely compromise a PKI model based on a set of algorithms that are not resistant to quantum attacks. An extensible scheme that allows one to replace signing algorithms on the fly requires significant changes in the manufacturing cycle (e.g. firmware verification, secure boot, certificate enrollment).
As an additional improvement, we recommend developing the PKI model with the possibility of extending the set of algorithms in use with post-quantum algorithms, and performing a regular evaluation of the implemented scheme. It should be ensured that the scheme works in a crypto-agile manner.


Enrollment and provision of certificates.
The enrollment process is the initial point of the PKI model, so it deserves additional attention before the process of certificate generation can be started. Consequently, the PKI model should include a trusted channel between the parties, which allows them to confirm their states and initiate the enrollment process.
We do not recommend using the same channel both for the exchange of certificates (cryptographic material) and for control signals.
We recommend using hardware-backed authentication methods for the critical parts of the enrollment process (e.g. confirmation of the signing of a second-level certificate). This can be done with the help of USB tokens or similar solutions.
It is also possible to improve the trustworthiness of CAs. This can be done using technologies that bind the key pair to the device itself (the CA) without the possibility of exposing the private key to an untrusted environment. However, existing implementations only support the classical set of cryptographic operations and primitives, such as AES-256 or RSA. Special software for the trusted execution environment that supports post-quantum algorithms needs to be developed.
Assume that the set of cryptographic algorithms and protocols in use is unified. Then the authentication of parties and the verification processes are also unified. This assumption applies both to the production line and to the endpoint device itself. It is important to keep both software and certificates in line on both ends.
We recommend keeping in mind the following recommendations regarding key hierarchy.


Certificate revocation and compromise detection.
If the device certificate (or the CA itself) is compromised or expired, the functionality of the device should be limited and the affected system isolated from the device. This is hard to achieve if the device is isolated from the public network. For this type of device, it is important to enforce policies regarding the lifetime of certificates.
Revocation lists should be maintained and updated on a regular basis. For offline devices, they can be delivered with firmware updates.
We recommend developing the PKI model in such a way that certificates for a specific set of devices can be revoked precisely. For example, if a specific model of device is compromised, revoking its certificate would not affect other products.

A more technical and detailed description of these recommendations is given in Appendix B.
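How scoped revocation, short certificate lifetimes and firmware-delivered revocation data fit together on the device side is shown in the following added example (not the paper's or Bosch's code). It assumes each device certificate carries a serial, a model and a product line, that a revocation entry can target any of these scopes, and that a device without network access must treat revocation data older than a configured age as unreliable; the identifiers, dates and reasons are constructed sample values.

```python
"""Scoped revocation and lifetime checks for device certificates.

Added example, not the paper's or Bosch's code. Certificates carry a serial,
a model and a product line, and a revocation entry can target any of those
scopes, so revoking one compromised model leaves other products untouched.
Offline devices receive the list with firmware updates, so the check also
refuses to rely on revocation data older than a configured age."""
from dataclasses import dataclass, field

DAY = 86400  # seconds


@dataclass(frozen=True)
class DeviceCert:
    serial: str
    model: str
    product_line: str
    not_before: int   # seconds since the epoch
    not_after: int


@dataclass
class RevocationList:
    issued_at: int
    entries: dict = field(default_factory=dict)  # (scope, value) -> reason

    def revoke(self, scope, value, reason):
        if scope not in ("serial", "model", "product_line"):
            raise ValueError("unknown revocation scope: %s" % scope)
        self.entries[(scope, value)] = reason

    def lookup(self, cert):
        """Most specific scope wins: serial, then model, then product line."""
        for scope in ("serial", "model", "product_line"):
            key = (scope, getattr(cert, scope))
            if key in self.entries:
                return scope, key[1], self.entries[key]
        return None


def check_certificate(cert, crl, now, max_crl_age):
    """Return (status, detail); only 'valid' allows full device functionality."""
    if now < cert.not_before:
        return "not_yet_valid", ""
    if now > cert.not_after:
        return "expired", ""
    if now - crl.issued_at > max_crl_age:
        # An offline device cannot fetch a fresh list: degrade rather than trust.
        return "stale_revocation_data", "CRL older than %d s" % max_crl_age
    hit = crl.lookup(cert)
    if hit is not None:
        scope, value, reason = hit
        return "revoked", "%s=%s (%s)" % (scope, value, reason)
    return "valid", ""


if __name__ == "__main__":
    crl = RevocationList(issued_at=100 * DAY)
    crl.revoke("model", "CTRL-200", "key extraction published for this model")
    crl.revoke("serial", "SN-0007", "reported stolen")
    for cert in (DeviceCert("SN-0001", "CTRL-100", "controllers", 90 * DAY, 120 * DAY),
                 DeviceCert("SN-0002", "CTRL-200", "controllers", 90 * DAY, 120 * DAY),
                 DeviceCert("SN-0007", "CTRL-100", "controllers", 90 * DAY, 120 * DAY)):
        print(cert.serial, check_certificate(cert, crl, 101 * DAY, 30 * DAY))
```

The lifetime check runs before the revocation lookup, so a very short certificate lifetime bounds the damage of a revocation that never reached an offline device, which is the reason the recommendations above pair lifetime policy with revocation lists.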
Appropriate post-quantum cryptographic scheme
Here we discuss the applicability of post-quantum algorithms, which depends on their parameters. In particular, we present benchmarks collected for various post-quantum signature schemes that can be used for deploying a quantum-secured PKI. We compare the algorithms by (i) security and (ii) performance (time and key sizes). The presented algorithms were candidates in the NIST standardization process at the time of writing; note that qTESLA did not advance beyond the second round.
For this analysis, we take algorithms with classical security at the level of about 190 bits; see Table 1. We note that all the basic mathematical approaches used in post-quantum cryptography (multivariate cryptography, zero-knowledge proof systems, cryptographic hash functions, and lattices) are represented.
For our tests of the algorithms with respect to time and memory consumption, we use an Intel(R) Core(TM) i5-6267U CPU @ 2.90GHz; see Table 2. We note that the parameters vary as the security level changes. Falcon and qTESLA demonstrate good trade-offs in both memory and time consumption. However, for special cases where one is interested in the smallest public key size or signature size, there are preferable variants. We also note that the underlying mathematical approach and the status of the security proof should be considered as well.
Conclusion
The impact of quantum computing is an important aspect that has to be taken into account in the development of PKI systems protecting production environments. We have analyzed the security issues of the model of injecting a trusted certificate and provided security recommendations regarding the PKI with respect to attacks with quantum computers. Although our main focus is on attacks with quantum computers, we also discuss some security issues that are not related to the cryptographic algorithms in use but are important for the overall security of the PKI. Examples of such recommendations include:

universal security requirements for the software and SDKs in use;

choosing a certificate format that supports crypto-agility and hybrid schemes;

limited-use certificates with a very short lifetime, signed with the private key of the CA;

monitoring of modern cryptographic solutions with respect to non-quantum attacks, and development of maintenance procedures for mitigating possible threats;

enforcing mechanisms that allow one to revoke certificates for a specific set of devices.
The central recommendation is to realize the ability to use hybrid cryptographic schemes [74] that combine currently standardized solutions with post-quantum solutions. Importantly, the candidate for the post-quantum part should be chosen according to the requirements on the size of the communicated data and/or on the running time. We have also presented benchmarks of various post-quantum cryptographic primitives and discussed their applicability in security systems for production environments.
Availability of data and materials
The data that support the findings of this study are available from the corresponding author (AKF) on reasonable request.
Abbreviations
 PKI:

public key infrastructure
 NP:

nondeterministic polynomial time
 RSA cryptosystem:

Rivest-Shamir-Adleman (RSA) cryptosystem
 TLS:

Transport Layer Security
 HTTPS:

Hypertext Transfer Protocol Secure
 ECDSA:

Elliptic Curve Digital Signature Algorithm
 NIST:

National Institute of Standards and Technology
 CA:

Certificate Authority
 SHA:

Secure Hash Algorithms
 AES:

Advanced Encryption Standard
 CSR:

Certificate Signing Request
 TPM:

Trusted Platform Module
 TEE:

Trusted Execution Environment
 SDK:

Software Development Kit
References
 1.
Adams C, Lloyd S. Understanding PKI: concepts, standards, and deployment considerations. 2nd ed. Reading: Addison-Wesley; 2002.
 2.
Rivest RL, Shamir A, Adleman L. A method for obtaining digital signatures and public-key cryptosystems. Commun ACM. 1978;21:120.
 3.
Diffie W, Hellman ME. New directions in cryptography. IEEE Trans Inf Theory. 1976;22:644.
 4.
Shor PW. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J Comput. 1997;26:1484–509.
 5.
Grover LK. A fast quantum mechanical algorithm for database search. In: Proceedings of 28th annual ACM symposium on the theory of computing. New York, USA. 1996. p. 212.
 6.
See Report by Digicert: Are you ready for the quantum leap?
 7.
Wallden P, Kashefi E. Cyber security in the quantum era. Commun ACM. 2019;62:120.
 8.
Bernstein DJ, Lange T. Post-quantum cryptography. Nature. 2017;549:188.
 9.
Landrock P. PKI, past, present and future. In: Proceedings of the IEE seminar on quantum cryptography: secure communications for business (Ref. No. 2005/11310) 2005.
 10.
Höglund J, Lindemer S, Furuhed M, Raza S. PKI4IoT: towards public key infrastructure for the Internet of Things. Comput Secur. 2020;89:101658.
 11.
Yong Y, Yu L. Security considerations based on PKI/CA in manufacturing grid. Wuhan Univ J Nat Sci. 2006;11:1414.
 12.
Hanke M. Embedded PKI in industrial facilities. In: Proceedings of the ISSE/SECURE 2007 securing electronic business processes: highlights of the information security solutions Europe/SECURE 2007 conference. Wiesbaden: Vieweg; 2007. p. 347–54.
 13.
Mulholland J, Mosca M, Braun J. The day the cryptography dies. IEEE Secur Priv. 2017;15:14–21.
 14.
Mavroeidis V, Vishi K, Zych MD, Jøsang A. The impact of quantum computing on present cryptography. Int J Adv Comput Sci Appl. 2018;9:405.
 15.
Griffiths RB, Niu CS. Semiclassical Fourier transform for quantum computation. Phys Rev Lett. 1996;76:3228. arXiv:quant-ph/9511007.
 16.
Zalka C. Shor’s algorithm with fewer (pure) qubits. arXiv:quant-ph/0601097 (2006).
 17.
Fowler AG, Mariantoni M, Martinis JM, Cleland AN. Surface codes: towards practical large-scale quantum computation. Phys Rev A. 2012;86:032324. arXiv:1208.0928.
 18.
Ekerå M, Håstad J. Quantum algorithms for computing short discrete logarithms and factoring RSA integers. Lecture notes in computer science (LNCS). vol. 10346. Berlin: Springer; 2017. p. 347.
 19.
Gidney C, Fowler AG. Flexible layout of surface code computations using AutoCCZ states. arXiv:1905.08916 (2019).
 20.
Gidney C, Ekerå M. How to factor 2048 bit RSA integers in 8 hours using 20 million noisy qubits. arXiv:1905.09749 (2019).
 21.
Arute F, Arya K, Babbush R, Bacon D, Bardin JC, Barends R, Biswas R, Boixo S, Brandao FGSL, Buell DA et al.. Quantum supremacy using a programmable superconducting processor. Nature (London). 2019;574:505.
 22.
Gouzien E, Sangouard N. Factoring 2048 RSA integers in 177 days with 13436 qubits and a multimode memory. arXiv:2103.06159.
 23.
Anschuetz ER, Olson JP, Aspuru-Guzik A, Cao Y. Variational quantum factoring. Lect Notes Comput Sci. 2019;11413:74.
 24.
Gisin N, Ribordy G, Tittel W, Zbinden H. Quantum cryptography. Rev Mod Phys. 2002;74:145.
 25.
Scarani V, Bechmann-Pasquinucci H, Cerf NJ, Dušek M, Lütkenhaus N, Peev M. The security of practical quantum key distribution. Rev Mod Phys. 2009;81:1301.
 26.
https://www.idquantique.com/quantum-safe-security/overview/.
 27.
 28.
Chen YA, Zhang Q, Chen TY, Cai WQ, Liao SK, Zhang J, Chen K, Yin J, Ren JG, Chen Z, Han SL, Yu Q, Liang K, Zhou F, Yuan X, Zhao MS, Wang TY, Jiang X, Zhang L, Liu WY, Li Y, Shen Q, Cao Y, Lu CY, Shu R, Wang JY, Li L, Liu NL, Xu F, Wang XB, Peng CZ, Pan JW. An integrated space-to-ground quantum communication network over 4600 kilometres. Nature (London). 2021;589:214.
 29.
Lo HK, Curty M, Tamaki K. Secure quantum key distribution. Nat Photonics. 2014;8:595–604.
 30.
Diamanti E, Lo HK, Yuan Z. Practical challenges in quantum key distribution. npj Quantum Inf. 2016;2:16025.
 31.
Regev O. On lattices, learning with errors, random linear codes, and cryptography. J ACM. 2009;56:40.
 32.
Hanrot G, Stehle D. Improved analysis of Kannan’s shortest lattice vector algorithm. Lect Notes Comput Sci. 2007;4622:170.
 33.
Micciancio D, Goldwasser S. Complexity of lattice problems: a cryptographic perspective. Berlin: Springer; 2002.
 34.
Regev O. The learning with errors problem. In: Proceedings of the IEEE 25th annual conference on computational complexity. 2010. p. 191–204.
 35.
Lyubashevsky V, Peikert C, Regev O. On ideal lattices and learning with errors over rings. Lect Notes Comput Sci. 2010;6110:1.
 36.
Naehrig M, Alkim E, Bos J, Ducas L, Easterbrook K, LaMacchia B, Longa P, Mironov I, Nikolaenko V, Peikert C, Raghunathan A, Stebila D. FrodoKEM. https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions. Accessed 05 Aug 2020.
 37.
Schwabe P, Avanzi R, Bos J, Ducas L, Kiltz E, Lepoint T, Lyubashevsky V, Schanck JM, Seiler G, Stehle D. CRYSTALS-KYBER. https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions. Accessed 05 Aug 2020.
 38.
Albrecht MR, Player R, Scott S. On the concrete hardness of learning with errors. J Math Cryptol. 2015;9:169.
 39.
Kirchner P, Fouque PA. An improved BKW algorithm for LWE with applications to cryptography and lattices. Lect Notes Comput Sci. 2015;9215:43.
 40.
Arora S, Ge R. New algorithms for learning in presence of errors. Lect Notes Comput Sci. 2011;6755:403.
 41.
Schnorr CP, Euchner M. Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math Program. 1994;66:181.
 42.
Chen Y, Nguyen PQ. BKZ 2.0: better lattice security estimates. Lect Notes Comput Sci. 2011;7073:1.
 43.
Alkim E, Avanzi R, Bos J, Ducas L, de la Piedra, Pöppelmann T, Schwabe P, Stebila D. NewHope. https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions. Accessed 05 Aug 2020.
 44.
Lyubashevsky V, et al. CRYSTALS-Dilithium. https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions. Accessed 05 Aug 2020.
 45.
Patarin J. Hidden fields equations (HFE) and isomorphisms of polynomials (IP): two new families of asymmetric algorithms. Lect Notes Comput Sci. 1996;1070:33.
 46.
Faugère JC, Joux A. Algebraic cryptanalysis of hidden field equation (HFE) cryptosystems using Gröbner bases. Lect Notes Comput Sci. 2003;2729:44.
 47.
Beullens W, Preneel B. Field lifting for smaller UOV public keys. Lect Notes Comput Sci. 2017;10698:227.
 48.
Casanova A, Faugère JC, Macario-Rat G, Patarin J, Perret L, Ryckeghem J. GeMSS: a Great Multivariate Short Signature. https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions. Accessed 05 Aug 2020.
 49.
Beullens W, Preneel B, Szepieniec A, Vercauteren F. LUOV. https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions. Accessed 05 Aug 2020.
 50.
Ding J, et al. Rainbow. https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions. Accessed 05 Aug 2020.
 51.
Jao D, De Feo L. Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. Lect Notes Comput Sci. 2011;7071:19.
 52.
Costello C, Jao D, Longa P, Naehrig M, Renes J, Urbanik D. Efficient compression of SIDH public keys. Lect Notes Comput Sci. 2016;10210:679–706.
 53.
Costello C, Longa P, Naehrig M. Efficient algorithms for supersingular isogeny Diffie-Hellman. Lect Notes Comput Sci. 2016;9814:572.
 54.
Koziel B, Azarderakhsh R, Mozaffari Kermani M, Jao D. Post-quantum cryptography on FPGA based on isogenies on elliptic curves. IEEE Trans Circuits Syst I, Regul Pap. 2017;64:86.
 55.
Galbraith SD. Constructing isogenies between elliptic curves over finite fields. LMS J Comput Math. 1999;2:118.
 56.
Delfs C, Galbraith SD. Computing isogenies between supersingular elliptic curves over \(\mathbb{F}_{p}\). Des Codes Cryptogr. 2016;78:425.
 57.
Zhang S. Promised and distributed quantum search computing and combinatorics. Lect Notes Comput Sci. 2005;3595:430.
 58.
Tani S. An improved claw finding algorithm using quantum walk. Lect Notes Comput Sci. 2007;4708:536.
 59.
Berlekamp E, McEliece R, van Tilborg H. On the inherent intractability of certain coding problems (corresp.). IEEE Trans Inf Theory. 1978;24:384.
 60.
Alekhnovich M. More on average case vs approximation complexity. In: Proceedings of the 44th annual IEEE symposium on foundations of computer science. 2003. p. 298–307.
 61.
May A, Ozerov I. On computing nearest neighbors with applications to decoding of binary linear codes. Lect Notes Comput Sci. 2015;9056:203.
 62.
Becker A, Joux A, May A, Meurer A. Decoding random binary linear codes in \(2^{n/20}\): how \(1+1 = 0\) improves information set decoding. Lect Notes Comput Sci. 2012;7237:520.
 63.
Bernstein DJ. Grover vs. McEliece. Lect Notes Comput Sci. 2010;6061:73.
 64.
Drucker N, Gueron S, Kostic D. Fast polynomial inversion for post-quantum QC-MDPC cryptography. Lect Notes Comput Sci. 2020;12161:110.
 65.
Huelsing A, Butin D, Gazdag S, Rijneveld J, Mohaisen A. XMSS: eXtended Merkle Signature Scheme, RFC 8391 (2018).
 66.
McGrew D, Curcio M, Fluhrer S. Leighton-Micali Hash-Based Signatures, RFC 8554 (2019).
 67.
Buchmann J, Dahmen E, Hülsing A. XMSS – a practical forward secure signature scheme based on minimal security assumptions. Lect Notes Comput Sci. 2011;7071:117.
 68.
Bernstein DJ, Hülsing A, Kölbl S, Niederhagen R, Rijneveld J, Schwabe P. SPHINCS+. https://csrc.nist.gov/projects/postquantumcryptography/round3submissions. Accessed 05 Aug 2020.
 69.
Hülsing A, Rijneveld J, Song F. Mitigating multi-target attacks in hash-based signatures. Lect Notes Comput Sci. 2016;9614:387.
 70.
Bernstein DJ, Hülsing A. Decisional second-preimage resistance: when does SPR imply PRE? Lect Notes Comput Sci. 2019;11923:32.
 71.
Rogaway P, Shrimpton T. Cryptographic hash-function basics: definitions, implications, and separations for preimage resistance, second-preimage resistance, and collision resistance. Lect Notes Comput Sci. 2004;3017:371.
 72.
Kudinov M, Kiktenko E, Fedorov A. Official Comments (Round 3) – SPHINCS+. https://csrc.nist.gov/CSRC/media/Projects/post-quantum-cryptography/documents/round-3/official-comments/Sphincs-Plus-round3-official-comment.pdf. Accessed 05 Aug 2020.
 73.
Chase M, et al. The Picnic signature scheme. https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions. Accessed 05 Aug 2020.
 74.
Kabanov IS, Yunusov RR, Kurochkin YV, Fedorov AK. Practical cryptographic strategies in the post-quantum era. AIP Conf Proc. 2018;1936:020021.
 75.
Wang LJ, Zhang KY, Wang JY, Cheng J, Yang YH, Tang SB, Yan D, Tang YL, Liu Z, Yu Y, Zhang Q, Pan JW. Experimental authentication of quantum key distribution with post-quantum cryptography. arXiv:2009.04662 (2020).
 76.
NIST. Post-Quantum Cryptography Standardization Webpage. https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization.
 77.
Alagic G, et al. Status Report on the Second Round of the NIST Post-Quantum Cryptography Standardization Process. https://csrc.nist.gov/publications/detail/nistir/8309/final. Accessed 05 Aug 2020.
 78.
Kiktenko EO, Kudinov MA, Fedorov AK. Detecting brute-force attacks on cryptocurrency wallets. arXiv:1904.06943 (2019).
 79.
Fedorov AK, Kiktenko EO, Lvovsky AI. Quantum computers put blockchain security at risk. Nature. 2018;563:465.
 80.
 81.
Coppersmith D. In: Advances in cryptology – EUROCRYPT ’96. Lect Notes Comput Sci. 1996;1070:178–89.
Acknowledgements
We thank Bosch for providing the PKI scheme.
Funding
This work is supported by Bosch.
Author information
Affiliations
Contributions
All the authors contributed to the analysis of the data. SEY, MK, NP, DN, and EK prepared the set of recommendations. DN, MA, and EOK performed the benchmarking of post-quantum algorithms. AKF and EOK wrote the manuscript with significant contributions from all the authors. AKF, AG, and AB supervised the project. All authors read and approved the final manuscript.
Corresponding author
Ethics declarations
Competing interests
Owing to the employments and consulting activities of SEY, MK, NP, DN, MA, AG, EOK, and AKF, they have financial interests in the commercial applications of quantum-secured cryptography.
Appendices
Appendix A: Additional assumptions in the PKI analysis
We also note that the provided scheme is based on the following additional assumptions.

The actual process of certificate injection is the same for both external parties (Manufacturer and Operator), as both parties rely on the PKI provided by the Maintainer.

The communication of devices with the PKI frontend may be limited during the production phase, due either to time constraints or to security concerns regarding the isolation of the perimeter. Because of this limitation, it may be necessary to set up a production-line PKI frontend that mirrors the functionality of the main PKI frontend. This can be achieved with a second-level certificate issued by the Maintainer.

To protect data in transit for both parties participating in the certificate injection, the SHA hash of the certificate (or public key) of the production-line PKI frontend and of the main PKI frontend of the Maintainer must be embedded in the device. This allows certificate pinning during the TLS handshake. It is also strongly recommended to use TLS version 1.2 or higher.

As part of the creation of the certificate signing request (CSR), the device must perform self-attestation. This may be implemented with a trusted platform module (TPM) or a trusted execution environment (TEE) on the device.

The TPM/TEE of the device holds the private key of the Manufacturer; the public part of the key is distributed to the PKI frontend.
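The pinning and TLS-version requirements from the assumptions above, as an added example in Go; this is not code from the paper or from the PKI scheme it describes. The client-side configuration pins the SHA-256 digest of the DER-encoded frontend certificate (our reading of the "SHA hash" above), keeps the usual chain validation against the roots embedded in the device, presents the device certificate for mutual authentication, and refuses anything below TLS 1.2. PinSet, PinOf, NewPinSet, VerifyPinned and ClientConfig are names chosen for this example; in a deployment the pin values and the frontend names would be embedded at manufacturing time.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
)

// PinSet maps the SHA-256 digest of a DER-encoded certificate to the name of the
// frontend it belongs to. The device carries one entry for the production-line
// PKI frontend and one for the main PKI frontend of the Maintainer.
type PinSet map[[sha256.Size]byte]string

// PinOf returns the pin of a certificate as it would be embedded at manufacturing time.
func PinOf(certDER []byte) [sha256.Size]byte {
	return sha256.Sum256(certDER)
}

// NewPinSet parses hex-encoded pins keyed by frontend name.
func NewPinSet(pins map[string]string) (PinSet, error) {
	ps := make(PinSet, len(pins))
	for name, h := range pins {
		raw, err := hex.DecodeString(h)
		if err != nil || len(raw) != sha256.Size {
			return nil, fmt.Errorf("pin for %q is not a SHA-256 hex digest", name)
		}
		var pin [sha256.Size]byte
		copy(pin[:], raw)
		ps[pin] = name
	}
	return ps, nil
}

// VerifyPinned runs after the standard chain validation (Go only calls it when
// InsecureSkipVerify is false) and additionally requires the leaf certificate
// presented by the peer to match one of the embedded pins.
func (ps PinSet) VerifyPinned(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	if len(rawCerts) == 0 {
		return errors.New("peer presented no certificate")
	}
	if _, ok := ps[PinOf(rawCerts[0])]; ok {
		return nil
	}
	return errors.New("peer certificate does not match any embedded pin")
}

// ClientConfig is the device-side TLS configuration: TLS 1.2 at minimum, the
// device's own certificate for mutual authentication, the embedded roots for
// chain validation, and pinning on top of that validation.
func (ps PinSet) ClientConfig(deviceCert tls.Certificate, roots *x509.CertPool, serverName string) *tls.Config {
	return &tls.Config{
		MinVersion:            tls.VersionTLS12,
		ServerName:            serverName,
		RootCAs:               roots,
		Certificates:          []tls.Certificate{deviceCert},
		VerifyPeerCertificate: ps.VerifyPinned,
	}
}
```

Because VerifyPeerCertificate is invoked only after the normal chain validation has succeeded, pinning here adds to that validation rather than replacing it. Pinning the digest of the SubjectPublicKeyInfo instead of the whole certificate would let a frontend renew its certificate with the same key without a firmware update; the wording of the assumption above is compatible with either choice.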
Appendix B: Security recommendations
Here we provide a detailed list of recommendations regarding the overall structure of the PKI. Below we analyze the cryptography in place and in communications, as well as cryptographic attacks.
B.1 Cryptography in place
As the CA certificates and the cryptography are considered to be unified, we additionally assume that all parties share the same set of software development kits (SDKs) and the same software/hardware for performing the required cryptographic operations. To achieve this, the first step is to enforce universal security requirements for the software. Additionally, such software should pass a security evaluation and should be developed according to secure coding practices.
Since the SDKs in this model are assumed to be unified, it is possible to improve the security of cryptographic operations. For example, information about the current state of the service zone and the software in use can be embedded in the certificate itself, so that a relying party can check that the state of the CA is trusted. Moreover, the time required for migrating the architecture to the post-quantum era is significantly reduced in this case, since a unified mechanism for software update and deployment can be used.
We recommend using the X.509 format for certificates, because it supports an extensible scheme of embedded data (extensions). It is possible to store public keys of several different algorithms in the same certificate; for example, a signed certificate can carry both an RSA key and a post-quantum Falcon key. Such a hybrid approach allows one both to support existing cryptographic standards and to ensure post-quantum security. However, a rollback protection mechanism must be implemented and enforced to mitigate downgrade attacks against the hybrid scheme: a verifier must not accept a classical-only signature from a party whose certificate advertises a post-quantum key.
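An added example in Go of the hybrid certificate and of the rollback protection described above; it is not code from the paper. ECDSA P-256 plays the role of the classical (RSA-like) key and Ed25519 stands in for the post-quantum Falcon key, because the Go standard library contains no post-quantum signature scheme; the extension OID under a private enterprise arc, the subject name and the sample message are constructed for this example. The classical key goes into the SubjectPublicKeyInfo, the alternative key into a non-critical extension, and the verifier enforces that both signatures are present and valid.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"time"
)

// Placeholder OID (private enterprise arc) for the alternative-key extension; an assumption.
var oidAltPublicKey = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// The classical key goes into SubjectPublicKeyInfo, the alternative key into an extension.
// Ed25519 stands in for the post-quantum scheme (assumption: none is in Go's standard library).
type HybridKeys struct {
	Classical *ecdsa.PrivateKey
	Alt       ed25519.PrivateKey
}

type HybridSignature struct {
	Classical []byte // ECDSA P-256 over SHA-256(msg), DER encoded
	Alt       []byte // Ed25519 over msg
}

// GenerateHybridCert issues a self-signed, short-lived certificate carrying both keys.
func GenerateHybridCert() ([]byte, *HybridKeys, error) {
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	edPub, edPriv, err2 := ed25519.GenerateKey(rand.Reader)
	if err != nil || err2 != nil {
		return nil, nil, errors.New("key generation failed")
	}
	altValue, _ := asn1.Marshal([]byte(edPub)) // OCTET STRING holding the raw key
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: "device-0001"}, // constructed name
		NotBefore:       time.Now().Add(-time.Minute),
		NotAfter:        time.Now().Add(24 * time.Hour),
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtraExtensions: []pkix.Extension{{Id: oidAltPublicKey, Value: altValue}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &ecKey.PublicKey, ecKey)
	if err != nil {
		return nil, nil, err
	}
	return der, &HybridKeys{Classical: ecKey, Alt: edPriv}, nil
}

// HybridSign signs msg with both keys.
func HybridSign(keys *HybridKeys, msg []byte) (*HybridSignature, error) {
	h := sha256.Sum256(msg)
	cs, err := ecdsa.SignASN1(rand.Reader, keys.Classical, h[:])
	if err != nil {
		return nil, err
	}
	return &HybridSignature{Classical: cs, Alt: ed25519.Sign(keys.Alt, msg)}, nil
}

// VerifyHybrid enforces the AND policy: both signatures must verify. A classical-only
// signature under a certificate that advertises an alternative key is rejected;
// accepting it would be exactly the downgrade the text warns about.
func VerifyHybrid(certDER, msg []byte, sig *HybridSignature) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	h := sha256.Sum256(msg)
	ecPub, _ := cert.PublicKey.(*ecdsa.PublicKey)
	if ecPub == nil || !ecdsa.VerifyASN1(ecPub, h[:], sig.Classical) {
		return errors.New("classical signature invalid")
	}
	var altPub ed25519.PublicKey
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidAltPublicKey) {
			var raw []byte
			if _, err := asn1.Unmarshal(ext.Value, &raw); err != nil || len(raw) != ed25519.PublicKeySize {
				return errors.New("malformed alternative-key extension")
			}
			altPub = ed25519.PublicKey(raw)
		}
	}
	if altPub == nil || len(sig.Alt) == 0 {
		return errors.New("downgrade rejected: alternative key or signature missing")
	}
	if !ed25519.Verify(altPub, msg, sig.Alt) {
		return errors.New("alternative signature invalid")
	}
	return nil
}
```

The downgrade check sits in VerifyHybrid: a signature that carries only the classical part is rejected whenever the certificate advertises an alternative key, so an attacker who can forge only the classical part gains nothing. In a deployment the issuer's own signature over the certificate should be hybrid as well (for example an alternative signature carried in a further extension and computed over the to-be-signed part), which this example does not show.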
B.2 Communications
The communication between the involved parties is assumed to go over a TLS connection. As the scheme uses certificate pinning on both sides, mutual authentication of the involved parties can be implemented. However, TLS protects the data only while it is inside the tunnel: it does not by itself provide end-to-end integrity or uniqueness (replay protection) of the application data once the data leaves the tunnel. Moreover, in this model TLS is used only as a way to perform the mutual authentication of the parties, so the application data must be regarded as not cryptographically protected by the transport and must be signed (and, where required, encrypted) at the application layer.
As the parties may operate in different time zones and under different conditions, one of them may be unavailable during the required time period. A possible solution to this challenge is to use limited-use certificates with a very short lifetime, which are signed with the private key of the CA. In that case, the parties are able to exchange the cryptographic data required for a specific set of tasks that should be done in the near future, and the actual confirmation from the involved parties can be received later. If the certification process and the signing keys become compromised at some point, it is possible to revoke specific sets of certificates without affecting the overall certificate chain. This is important for the continuity of the production processes.
B.2.1 Cryptographic attacks
Cryptography plays a central role in the processes mentioned above. However, at some point the cryptographic tools in use may become vulnerable, because new attacks against specific modes of cryptographic algorithms are found or because of a significant breakthrough in cryptanalysis. For example, several algorithms were broken or found vulnerable due to the increase in available computing power (e.g. the Data Encryption Standard, whose 56-bit key became feasible to brute-force). Modern algorithms, however, use key lengths that leave a wide margin against foreseeable progress in solving the underlying computational problems.
At the same time, asymmetric algorithms are much trickier to implement. They are usually based on the assumption that a specific set of mathematical operations is practically impossible to invert. Wrong or improper optimizations of such algorithms may lead to the massive compromise of private keys. An example is Coppersmith's attack on RSA [81], which exploits a small public exponent (chosen to speed up encryption and signature verification) in combination with structured or partially known messages. One of the main recommendations is therefore to monitor modern cryptographic solutions and to develop maintenance procedures for mitigating possible threats. For the maintenance and development team, it is crucial to follow established procedures from the initial phase of the project in order to mitigate possible security breaches caused by modern attacks against classical cryptography.
As mentioned, the security of asymmetric keys rests on assumptions about the computational complexity of certain mathematical problems (see above). Attacks with quantum computers are able to completely compromise a PKI model that is based on algorithms which are not resistant to quantum attacks. An extensible scheme that allows one to replace signing algorithms on the fly requires significant changes in the manufacturing cycle (e.g. firmware verification, secure boot, certificate enrollment).
As an additional improvement, it is recommended to develop the PKI model with the possibility of extending the set of algorithms in use to post-quantum algorithms, and to perform a regular evaluation of the implemented scheme. It should be ensured that the scheme works in a crypto-agile manner: the tools support replacing algorithms on the fly without a significant degradation of the scheme's performance and without impact on the production line. In addition, the PKI model can be built using a hybrid approach (see above), which allows switching between classical and post-quantum algorithms on the authority side, while the certificates themselves are signed with both classical and post-quantum secure algorithms.
B.3 Enrollment and provision of certificates
The enrollment process is the initial point of the PKI model, so it deserves additional attention before certificate generation can start. Consequently, the PKI model should include a trusted channel between the parties, which allows them to ascertain each other's state and to initialize the enrollment process. In the previous section, it was mentioned that all communication between the parties should be conducted over a mutually authenticated channel. However, we do not recommend using the same channel both for the exchange of certificates (cryptographic material) and for control signals.
Additionally, we recommend using hardware-backed authentication methods for the critical parts of the enrollment process (e.g. confirmation of the signing of the second-level certificate). This can be done with the help of USB tokens or similar solutions.
Going further, it is also possible to improve the trustworthiness of CAs. This can be done by using technologies that bind the key pair to the device itself (the CA host) without any possibility of exposing the private key to an untrusted environment. Moreover, depending on the implementation, it is possible to perform secure key wrapping for symmetric and asymmetric keys, so that keys encrypted with the public key of the Trust Zone can be transferred over insecure channels. The use of symmetric keys allows adding an encryption layer to the communication channel between the parties. However, existing implementations only support the classical set of cryptographic operations and primitives, such as AES-256 or RSA; special software for the TEE that supports post-quantum algorithms has to be developed.
B.3.2 Authentication of parties and certificate verification
Assume that the set of cryptographic algorithms and protocols in use is unified. Then the authentication of parties and the verification processes are unified as well. This assumption applies both to the production line and to the endpoint device itself. As a consequence, it is important to keep the software and the certificates on both ends consistent with each other. Since the purpose of this paper is to provide recommendations regarding the key hierarchy, details of the over-the-air (OTA) update process and of the CAs themselves are considered outside the scope of this document.
We recommend keeping in mind the following points regarding the key hierarchy.

The verification process should involve an access control list (ACL) that limits the access granted to the involved parties. For example, revocation lists must be signed with the key of the root CA itself.

The certificate can be bound to the device itself. For example, during communication with the backend, the device can provide unique identifiers of the connected peripheral components together with a unique challenge provided by the backend. This information may be used as part of the attestation certificate provided by the device.

The certificate chain can also be collapsed. For example, the device may ask the root CA to issue a new certificate, presenting the third-level certificate issued by the manufacturer as evidence. In specific cases, this functionality may reduce the complexity of the overall system. Moreover, it allows implementing a flexible scheme for the use of short-lived certificates.

The runtime environment and the cryptographic software in use must be kept up to date (e.g., the TLS protocol version and its implementations).
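The challenge-based device binding from the list above (unique peripheral identifiers, a backend-supplied challenge, and a device-held key), as an added example in Go that is not code from the paper. The backend issues a random nonce; the device signs the nonce together with its identity and its peripheral inventory with a key that in practice lives in its TPM/TEE (here a software ECDSA P-256 key, an assumption); the backend consumes each nonce exactly once before checking the signature and comparing the inventory with what was recorded at enrollment. Report, Backend, NewDeviceKey, Enroll, Challenge, DeviceAttest and Verify are names chosen for this example, and the peripheral identifiers used in tests are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

type Report struct {
	DeviceID    string
	Peripherals []string // identifiers of attached components
	Nonce       [16]byte
	Signature   []byte // ECDSA P-256 over reportDigest, by the device-bound key
}

// Backend keeps the key and inventory recorded at enrollment and the nonces it has issued.
type Backend struct {
	enrolled  map[string]*ecdsa.PublicKey
	inventory map[string][32]byte
	pending   map[[16]byte]bool
}

func NewBackend() *Backend {
	return &Backend{enrolled: map[string]*ecdsa.PublicKey{}, inventory: map[string][32]byte{}, pending: map[[16]byte]bool{}}
}
// NewDeviceKey: on a real device the key is created inside the TPM/TEE and never leaves it (software key here, an assumption).
func NewDeviceKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// inventoryHash commits to the ordered peripheral identifiers, length-prefixed so ("ab","c") != ("a","bc").
func inventoryHash(peripherals []string) [32]byte {
	h := sha256.New()
	for _, p := range peripherals {
		var l [4]byte
		binary.BigEndian.PutUint32(l[:], uint32(len(p)))
		h.Write(l[:])
		h.Write([]byte(p))
	}
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// reportDigest binds nonce, inventory and identity; the variable-length identifier comes last.
func reportDigest(id string, peripherals []string, nonce [16]byte) []byte {
	inv := inventoryHash(peripherals)
	h := sha256.New()
	h.Write(nonce[:])
	h.Write(inv[:])
	h.Write([]byte(id))
	return h.Sum(nil)
}

func (b *Backend) Enroll(id string, pub *ecdsa.PublicKey, peripherals []string) {
	b.enrolled[id] = pub
	b.inventory[id] = inventoryHash(peripherals)
}

// Challenge issues a fresh random nonce and marks it outstanding.
func (b *Backend) Challenge() ([16]byte, error) {
	var n [16]byte
	if _, err := rand.Read(n[:]); err != nil {
		return n, err
	}
	b.pending[n] = true
	return n, nil
}

// DeviceAttest is the device side: sign the digest with the bound key.
func DeviceAttest(priv *ecdsa.PrivateKey, id string, peripherals []string, nonce [16]byte) (*Report, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, reportDigest(id, peripherals, nonce))
	if err != nil {
		return nil, err
	}
	return &Report{DeviceID: id, Peripherals: peripherals, Nonce: nonce, Signature: sig}, nil
}

// Verify consumes the nonce first, so a replayed report fails even if its signature is valid.
func (b *Backend) Verify(r *Report) error {
	if !b.pending[r.Nonce] {
		return errors.New("unknown or replayed nonce")
	}
	delete(b.pending, r.Nonce)
	pub, ok := b.enrolled[r.DeviceID]
	if !ok {
		return errors.New("device not enrolled")
	}
	if !ecdsa.VerifyASN1(pub, reportDigest(r.DeviceID, r.Peripherals, r.Nonce), r.Signature) {
		return errors.New("attestation signature invalid")
	}
	if b.inventory[r.DeviceID] != inventoryHash(r.Peripherals) {
		return errors.New("peripheral inventory changed since enrollment")
	}
	return nil
}
```

Consuming the nonce before any other check is what gives the exchange the uniqueness that the TLS tunnel alone does not provide (Appendix B.2): a captured report cannot be replayed, and a report with a valid signature but a changed inventory is rejected.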
B.4 Certificate revocation and compromise detection
Recall that certificate revocation is a process that can be performed both as part of regular activities (certificate expiration) and in response to a compromise.

If the device certificates (or the issuing CA itself) have been compromised or have expired, the functionality of the device should be limited and the related systems should be isolated from the device. This is hard to achieve if the device has no connection to the public network, since such a device cannot learn about a revocation; for this type of device, it is especially important to enforce policies regarding the lifetime of certificates.

Revocation lists should be maintained and updated on a regular basis. For offline devices, they can be delivered together with firmware updates.
Thus, we recommend developing the PKI model in such a way that certificates can be revoked precisely for a specific set of devices. For example, if a specific model of the device is compromised, revoking its certificates would not affect other products.
B.5 Symmetric key server
As an alternative implementation of a system aiming to protect intellectual property and to authenticate parties, a key server can be integrated into the production environment. Key servers perform the authentication of parties using a stored list of password hashes.
Given the current business requirements regarding the injection of certificates, it is hardly possible to use a plain key server implementation for each involved party. However, it may be possible to improve the introduced PKI scheme with some elements of a symmetric key server. We note that symmetric cryptographic algorithms with sufficiently long keys (e.g. AES-256) are considered resistant to attacks with quantum computers, provided that the key distribution process is also based on quantum-secure schemes.
For example, the production-line servers that inject the operator certificate may be authorized with credentials to the main PKI frontend in order to report the current state of the certificate enrollment. As it may be hard to enforce the use of a unified backend/software for the production environment, authenticating the manufacturers based on credentials may help to mitigate some of the problems. For example, the manufacturer may use the key server to provide information about the injected certificates to the PKI frontend, and the PKI frontend may then use this information during the enrollment of the operator certificate. In this way, the PKI environment of the manufacturer can be completely isolated from that of the maintainer.
The scalability of a key server is usually quite limited, as it requires storing a significant amount of data and processing a large number of requests 24/7. Nevertheless, it may be possible to introduce it as a part of the PKI model to mitigate some bottlenecks.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Cite this article
Yunakovsky, S.E., Kot, M., Pozhar, N. et al. Towards security recommendations for public-key infrastructures for production environments in the post-quantum era. EPJ Quantum Technol. 8, 14 (2021). https://doi.org/10.1140/epjqt/s40507-021-00104-z
Received:
Accepted:
Published:
Keywords
 Post-quantum cryptography
 Production environment
 Public key infrastructure