A Discussion on Hybrid Certificates: A Foundation for Post-Quantum Migrations

Atsushi Yamada recently joined Sectigo’s Tim Callan, Chief Experience Officer, and Jason Soroko, SVP of Product, on the Root Causes: PKI & Security podcast, to discuss the role of hybrid certificates in post-quantum cryptography (PQC) and ongoing crypto agility. 

Before jumping in, let’s define some terms. 

According to the Accredited Standards Committee (ASC) X9’s 2022 Report on Quantum Computing Risks, post-quantum cryptography is:

The branch of cryptography concerned with the development of asymmetric cryptographic systems resistant to attacks which utilize either quantum computers or classical computers.

A hybrid certificate is essentially one certificate that supports multiple cryptographic algorithms. The ISARA Catalyst™ Crypto Agile PKI is an approach to creating hybrid certificates by encoding information about a second cryptographic algorithm in optional X.509v3 extensions. The result is a backwards compatible and standards-compliant certificate that supports, for example, both classic and quantum-safe public keys and signatures. 

One of the key advantages of Catalyst certificates over other styles of hybrid certificates is their ability to be used simultaneously by existing systems as well as those that have had post-quantum upgrades. When an organization starts to migrate its systems and applications to quantum-safe cryptography, they won’t need to support two separate public key infrastructures (PKIs) — one for traditional certificates and one for post-quantum certificates — since they will already have backwards compatible, two-in-one, hybrid certificates in place.

Hybrid certificates are important because they enable organizations to have a seamless, cost-effective, and simplified migration to post-quantum security today to protect connected devices and the Internet of Things (IoT) — as well as complex PKIs — with no impact to end users. 

ISARA Makes Hybrid Certificates IP Widely Available: Bridge to Quantum Computing

“Our business is to help customers migrate to PQC,” states Yamada. ISARA made its critical digital certificate methodology widely available in October 2022 by dedicating the patents to the public; you can read more about that here.

Callan commented that making these patents open source allows the industry to have a singular standard for crypto agility now and into the deep future. He asked why ISARA did this, to which Yamada answered, "Certain things need to be shared to encourage the world to deploy."

"They really are foundational to move us forward in crypto agility and post-quantum certificates…we're going to be able to bridge between today's systems and the systems that we're going to need to have," stated Callan. Added Soroko, "Don't imagine hybrid certificates are a one-time phenomenon while we migrate to PQC. Think about hybrid certificates as a continual ongoing part of our crypto agility systems that will be used time and again in the decades to come, as we continue to upgrade our cryptography."

What is the future of hybrid certificates? What will happen to the RSA algorithm? What is NIST calling for? Learn more in the Sectigo podcast!