Crypto4A is Quantum Safe

Published: 2024-11-26

Ask the right questions

  • The FIPS 140-3 Validation of a classic HSM does not make it quantum-safe
  • A classic HSM providing PQC algorithm support does not make it quantum-safe
  • Adding QRNG to a classic HSM does not make it quantum-safe
  • HSMs without quantum-safe roots of trust (RoT) injected at manufacturing time are not quantum-safe and will never become quantum-safe in the future
  • Classic HSMs performing load-balancing or other HSM-to-HSM secure communication are subject to “harvest now, decrypt later” attacks

The QxHSM is Quantum-Safe

Many people mistakenly believe that a FIPS 140 validation means an HSM is quantum-safe. In reality, not only does FIPS validation not address quantum-readiness, but the process can make designing a quantum-safe HSM particularly challenging. During our validation, we had to strongly advocate for using hybrid signatures and key exchange techniques to ensure our HSMs were quantum-safe by design—not an afterthought. Ultimately, we were able to point to NIST’s FAQ on hybrid signatures and key exchange schemes to support our approach. Our design uses LMS+ECDSA for firmware updates and Classic McEliece+ECDH for HSM-to-HSM secure communications. This quantum-safe-by-design approach guarantees quantum-safe delivery of all firmware updates and mitigates the risk of “harvest now, decrypt later” attacks on HSM communications. If you’re planning your PQC transition and use HSMs, remember: they are the foundation of your future PQC stack and must be quantum-safe by design. Ask your vendors how they ensure quantum-safe firmware updates and secure HSM-to-HSM communication; you might not like their responses.
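The property that makes a hybrid firmware signature useful is the combiner: the verifier accepts an image only when both the classical and the hash-based signature verify, so a future break of ECDSA alone does not let anyone push a forged update. The following Go program is an added example written for this page, not Crypto4A's code or the QxHSM implementation. It uses ECDSA/P-256 from Go's standard library for the classical component and, because the standard library has no LMS, a Lamport one-time signature as the hash-based stand-in (LMS is built from the same idea, with a Merkle tree over many one-time keys so that a single public key can sign many updates). The firmware image is a constructed byte string.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Hash-based component: a Lamport one-time signature standing in for LMS (not in
// Go's standard library). A Lamport key must sign exactly ONE message.
const otsBits = 256 // one secret pair per bit of the SHA-256 digest

type lamportPriv struct{ secrets [otsBits][2][32]byte }
type lamportPub struct{ hashes [otsBits][2][32]byte }

func lamportKeygen() (*lamportPriv, *lamportPub, error) {
	priv, pub := &lamportPriv{}, &lamportPub{}
	for i := 0; i < otsBits; i++ {
		for b := 0; b < 2; b++ {
			if _, err := rand.Read(priv.secrets[i][b][:]); err != nil {
				return nil, nil, err
			}
			pub.hashes[i][b] = sha256.Sum256(priv.secrets[i][b][:])
		}
	}
	return priv, pub, nil
}

// digestBit returns bit i (MSB first) of a SHA-256 digest.
func digestBit(d [32]byte, i int) int { return int(d[i/8]>>(7-uint(i%8))) & 1 }

// lamportSign reveals, for each digest bit, the preimage of the matching public hash.
func lamportSign(priv *lamportPriv, msg []byte) [][32]byte {
	d := sha256.Sum256(msg)
	sig := make([][32]byte, otsBits)
	for i := range sig {
		sig[i] = priv.secrets[i][digestBit(d, i)]
	}
	return sig
}

func lamportVerify(pub *lamportPub, msg []byte, sig [][32]byte) bool {
	if len(sig) != otsBits {
		return false
	}
	d, ok := sha256.Sum256(msg), true
	for i := range sig { // no early exit: uniform work whichever bit mismatches
		if sha256.Sum256(sig[i][:]) != pub.hashes[i][digestBit(d, i)] {
			ok = false
		}
	}
	return ok
}

type HybridSignature struct {
	ECDSA []byte     // ASN.1 DER ECDSA/P-256 signature over SHA-256(firmware)
	OTS   [][32]byte // hash-based signature over the same image
}
type HybridSignKey struct{ ECDSA *ecdsa.PrivateKey; OTS *lamportPriv }
type HybridVerifyKey struct{ ECDSA *ecdsa.PublicKey; OTS *lamportPub }

func hybridKeygen() (*HybridSignKey, *HybridVerifyKey, error) {
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	otsPriv, otsPub, err := lamportKeygen()
	if err != nil {
		return nil, nil, err
	}
	return &HybridSignKey{ecKey, otsPriv}, &HybridVerifyKey{&ecKey.PublicKey, otsPub}, nil
}

func hybridSign(sk *HybridSignKey, firmware []byte) (*HybridSignature, error) {
	d := sha256.Sum256(firmware)
	der, err := ecdsa.SignASN1(rand.Reader, sk.ECDSA, d[:])
	if err != nil {
		return nil, err
	}
	return &HybridSignature{ECDSA: der, OTS: lamportSign(sk.OTS, firmware)}, nil
}

// hybridVerify is an AND-combiner: the image is accepted only if BOTH signatures
// verify, so breaking ECDSA alone (or the hash function alone) forges nothing.
func hybridVerify(vk *HybridVerifyKey, firmware []byte, sig *HybridSignature) error {
	d := sha256.Sum256(firmware)
	classicalOK := ecdsa.VerifyASN1(vk.ECDSA, d[:], sig.ECDSA)
	hashBasedOK := lamportVerify(vk.OTS, firmware, sig.OTS)
	if !classicalOK || !hashBasedOK {
		return fmt.Errorf("hybrid verification failed (ecdsa=%v, hash-based=%v)", classicalOK, hashBasedOK)
	}
	return nil
}

func main() {
	sk, vk, _ := hybridKeygen()
	fw := []byte("constructed firmware image, not a real update") // constructed sample
	sig, _ := hybridSign(sk, fw)
	fmt.Println("genuine image:", hybridVerify(vk, fw, sig))
	fw[0] ^= 0xff // flip one byte of the image
	fmt.Println("tampered image:", hybridVerify(vk, fw, sig))
}
```

The design point to check in any vendor's update path is the same as in `hybridVerify`: a signature with either component missing or invalid must be rejected, and both components must cover the identical image bytes. A Lamport key reused for a second image leaks enough secrets to forge, which is exactly the state-management problem LMS solves with its tree of one-time keys and a signing counter that must never roll back.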