Quantum safe cryptography with the EP11 token

The EP11 token offers features for quantum safe cryptography.

Quantum safe or post-quantum cryptography denotes cryptographic algorithms that resist attacks from classical as well as from quantum computers. The CRYSTALS-Dilithium Digital Signature Algorithm is a digital signature scheme and one of the candidate algorithms in the NIST Post-Quantum Cryptography Standardization Process.

In the EP11 token, the CRYSTALS-Dilithium algorithm provides security category SHA384 / SHA3-384 and performance category Dilithium-1536x1280 (also called Dilithium-6-5). On the TKE workstation, you must enable Dilithium by setting domain (access) control point 65 on the used cryptographic coprocessors:

65    XCP_CPB_ALG_PQC_DILITHIUM           enable support for Dilithium algorithm

Because Dilithium keys can only sign or verify, the EP11 token provides a single mechanism, CKM_IBM_DILITHIUM, for all three operations: key generation, sign, and verify (see also Table 1).

With the EP11 token, you can also import and export Dilithium keys by wrapping or unwrapping them using AES or TDES key encrypting keys (KEKs). That is, you can protect Dilithium keys that are sent to another system, received from another system, or stored with data in a file.
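
The call sequence described above, as an added example in Python that is not IBM's or opencryptoki's own code: the single CKM_IBM_DILITHIUM mechanism is used for key-pair generation, sign and verify, and an AES key-encrypting key wraps the private key for export. Assumed: the vendor constant values are those of opencryptoki's pkcs11types.h, CKM_AES_CBC_PAD is the wrap mechanism, the session object follows PyKCS11's method shapes, and RecordingSession is a constructed offline stand-in for a token session.

```python
# Added example (not IBM's or opencryptoki's code): the PKCS#11 call sequence for
# the EP11 token's Dilithium support. One vendor mechanism, CKM_IBM_DILITHIUM, covers
# key-pair generation, signing and verification; an AES KEK wraps the private key for
# export (CKM_AES_CBC_PAD is assumed). Values follow opencryptoki's pkcs11types.h.
CKM_IBM_DILITHIUM = 0x80000000 + 0x10023      # CKM_VENDOR_DEFINED + 0x10023
CKK_IBM_PQC_DILITHIUM = 0x80000000 + 0x10023  # CKK_VENDOR_DEFINED + 0x10023
CKM_AES_CBC_PAD = 0x1085                      # standard PKCS#11 mechanism
CKA_CLASS, CKA_TOKEN, CKA_LABEL, CKA_KEY_TYPE = 0x000, 0x001, 0x003, 0x100
CKA_SENSITIVE, CKA_SIGN, CKA_VERIFY, CKA_EXTRACTABLE = 0x103, 0x108, 0x10A, 0x162
CKO_PUBLIC_KEY, CKO_PRIVATE_KEY = 0x2, 0x3

try:                                  # with PyKCS11 installed, talk to the token
    from PyKCS11 import Mechanism
except ImportError:                   # offline: a plain (type, param) tuple
    def Mechanism(mech_type, param=None):
        return (mech_type, param)

def generate_dilithium_pair(session, label):
    # Returns (public, private) handles; both templates carry the PQC key type.
    pub = [(CKA_CLASS, CKO_PUBLIC_KEY), (CKA_KEY_TYPE, CKK_IBM_PQC_DILITHIUM),
           (CKA_TOKEN, True), (CKA_LABEL, label), (CKA_VERIFY, True)]
    # SENSITIVE keeps the value inside the token; EXTRACTABLE allows wrapped export.
    priv = [(CKA_CLASS, CKO_PRIVATE_KEY), (CKA_KEY_TYPE, CKK_IBM_PQC_DILITHIUM),
            (CKA_TOKEN, True), (CKA_LABEL, label), (CKA_SIGN, True),
            (CKA_SENSITIVE, True), (CKA_EXTRACTABLE, True)]
    return session.generateKeyPair(pub, priv, mecha=Mechanism(CKM_IBM_DILITHIUM))

def sign_and_verify(session, priv, pub, data):
    mech = Mechanism(CKM_IBM_DILITHIUM)       # same mechanism in both directions
    sig = bytes(session.sign(priv, data, mech))
    return sig, bool(session.verify(pub, data, sig, mech))

def export_private_key(session, kek, priv, iv):
    # Wrap the Dilithium private key under an AES KEK; iv is the 16-byte CBC IV.
    return bytes(session.wrapKey(kek, priv, Mechanism(CKM_AES_CBC_PAD, iv)))

class RecordingSession:
    # Constructed offline stand-in for a token session: records (call, mechanism).
    def __init__(self):
        self.used = []
    def _note(self, call, mecha):
        self.used.append((call, mecha[0] if isinstance(mecha, tuple) else mecha))
    def generateKeyPair(self, pub, priv, mecha=None):
        self._note("generate", mecha); return (1, 2)
    def sign(self, key, data, mecha=None):
        self._note("sign", mecha); return list(b"sig:" + data)
    def verify(self, key, data, sig, mecha=None):
        self._note("verify", mecha); return sig == b"sig:" + data
    def wrapKey(self, kek, key, mecha=None):
        self._note("wrap", mecha); return list(b"wrapped")
```

Against a real token, open a PyKCS11 session on the EP11 slot and pass it in place of RecordingSession; the unwrap on the receiving side uses the same AES KEK and mechanism with a Dilithium private-key template.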

Restrictions for using Dilithium keys

  • IBM® Dilithium keys cannot actively be used to transport (wrap and unwrap) other keys, but they can be transported using standard key types (AES, TDES).
  • IBM Dilithium keys cannot be derived from given keys. They can only be generated or imported from given key values.