Secondary root certificate maintains security of communications between servers and clients to facilitate a phased transition from current to quantum-safe cryptography

Tokyo – TOPPAN Holdings Inc. (TOPPAN Holdings), the National Institute of Information and Communications Technology (NICT), and ISARA Corporation (ISARA) have successfully conducted a proof of concept confirming the effectiveness of technology for seamless migration from current cryptography to Post-Quantum Cryptography (PQC) for certificate authority frameworks that form the base of the security infrastructure of internet communications.

The security of internet-based communications is supported by digital certificates that verify the identities of communicating entities and public-key infrastructure [1] based on certificate authorities that issue and sign certificates. However, there is a risk that current public-key cryptosystems could be vulnerable to attacks from quantum computers in the future, necessitating a prompt migration to PQC. At the same time, the transition phase could see service disruptions or outages when new cryptographic algorithms are applied to root certificate authorities, which serve as the foundational trust anchors for security infrastructure.

ISARA has developed digital certificates issued via a secondary crypto-agile root certificate [2] to facilitate migration from current cryptography such as ECDSA [3] to PQC algorithms such as ML-DSA [4]. In the proof of concept, this secondary root certificate was integrated into a smart card system developed by TOPPAN Holdings on a quantum cryptography network testbed constructed by NICT. The ability to transition smoothly to PQC without disruption to existing authentication infrastructure was demonstrated through simulation of a transitional phase ecosystem in which both current cryptography and PQC are used for smart-card-enabled ID verification and internet access. This will help enable a phased migration to security levels sufficient to counteract the threat of quantum computers without interrupting services in sectors such as healthcare, finance, and government, where confidentiality must be maintained for extended periods.

A part of the work was performed for the Council for Science, Technology and Innovation (CSTI) Cross-ministerial Strategic Innovation Promotion Program (SIP), “Promoting Application of Advanced Quantum Technologies to Social Challenges” (Project management agency: QST). The details of the proof of concept will be presented at QUANTUM COMPUTING EXPO TOKYO [Spring], which will take place from April 15 through 17 at the Tokyo Big Sight exhibition center.

Background

The internet security ecosystem is built upon digital certificates that use public-key cryptography to verify the identities of communicating entities, certificate authorities (trusted third-party organizations that issue and validate the certificates), and certificate chains linking the two, all of which must be verified. However, quantum computers may be able to crack the public-key cryptography that currently underpins this infrastructure. Preparations for migration to PQC are therefore underway globally, and the U.S. National Institute of Standards and Technology (NIST) has selected algorithms such as ML-DSA and ML-KEM [5] as part of its PQC standardization efforts. A prompt transition is essential in sectors such as finance, healthcare, and government, where sensitive information needs to be protected over the long term.

Considerable care is required when changing the cryptographic algorithms of root certificates because it can have a critical effect on the entire social infrastructure. Communication may not be successful if legacy devices that only support current cryptography algorithms cannot verify new PQC certificates. A simultaneous PQC upgrade of all usage environments is also not practically feasible, and service outages during the transition period must be avoided. This necessitates a secure and seamless migration to PQC, allowing legacy and PQC environments to co-exist at minimal cost while ensuring the continuation and interoperability of services.

TOPPAN, NICT, and ISARA have therefore verified the effectiveness of a secondary root certificate by applying it to a smart card system. This certificate allows hybrid certificates that also support PQC algorithms such as ML-DSA to be integrated into the certificate chain while maintaining compatibility with existing root certificates.

Overview of Proof of Concept

• Period: October 2025 to March 2026 (including system development)
• Location: Quantum cryptography network testbed node at TOPPAN
• Details of verification: Smart card authentication infrastructure was established using ISARA’s secondary root certificate. Cryptographic communication protocol connections and mutual authentication between clients and servers were verified for three phases of the transition to PQC. Authentication using the PQC CARD® [6] was performed via connection with a private authentication server installed on the testbed to enable authentication on a closed network. After successful authentication, connection was made to an application that facilitates secure communication via quantum cryptography. The PQC implemented is aligned with NIST-standardized algorithms, including ML-DSA.

Phase 1: Legacy environment (current cryptography only)
Phase 2: Hybrid migration environment (hybrid of current cryptography and PQC)
Phase 3: Full PQC environment
• Results: Testing confirmed that security was maintained even during the migration process and that it is possible to transition smoothly from existing smart card systems to PQC environments without system disruption. In addition, integration with a quantum cryptography network enabled a multi-layered defense that combines quantum key distribution to prevent eavesdropping between data endpoints and PQC authentication to verify the identity of users.
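As an added illustration (not code from the proof of concept or from ISARA's product), the following Python model shows how verifiers with different algorithm support treat certificates from the three phases when a crypto-agile root signs with both algorithms. The CA name, the algorithm labels, and the HMAC stand-in for real ECDSA/ML-DSA signatures are assumptions; the verification policy shown (skip signatures in unsupported algorithms, check every supported one) is one common hybrid-certificate policy, not necessarily the one used in the PoC.

```python
import hashlib
import hmac
import secrets
# Constructed model, not ISARA's or the PoC's code. Signatures are stand-ins
# (HMAC under a per-CA, per-algorithm secret held by the trust store) so this
# runs on the standard library; they model nothing of ECDSA or ML-DSA itself.
def _sig(alg, key, tbs):
    return hmac.new(key, alg.encode() + tbs, hashlib.sha256).digest()

class CA:
    def __init__(self, name, algs):
        self.name = name
        self.keys = {a: secrets.token_bytes(32) for a in algs}
    def issue(self, subject, algs):
        # One algorithm = classical-only or PQC-only cert; two = hybrid cert.
        tbs = f"subject={subject}|issuer={self.name}".encode()
        sigs = {a: _sig(a, self.keys[a], tbs) for a in algs if a in self.keys}
        return {"issuer": self.name, "tbs": tbs, "sigs": sigs}

def verify_chain(chain, trust, supported):
    """Accept only if every cert has at least one signature in an algorithm
    this verifier supports and every such signature checks. Signatures in
    unsupported algorithms are skipped, so a legacy verifier accepts hybrid."""
    for cert in chain:
        issuer = trust.get(cert["issuer"])
        if issuer is None:
            return False
        checkable = [a for a in cert["sigs"] if a in supported and a in issuer.keys]
        if not checkable:
            return False
        for a in checkable:
            expected = _sig(a, issuer.keys[a], cert["tbs"])
            if not hmac.compare_digest(cert["sigs"][a], expected):
                return False
    return True

# Crypto-agile root with keys for both algorithms; leaf certs for each phase.
ROOT = CA("secondary-root", ["ECDSA", "ML-DSA"])
TRUST = {ROOT.name: ROOT}
PHASES = {"phase1": [ROOT.issue("card-reader", ["ECDSA"])],
          "phase2": [ROOT.issue("card-reader", ["ECDSA", "ML-DSA"])],
          "phase3": [ROOT.issue("card-reader", ["ML-DSA"])]}
VERIFIERS = {"legacy": {"ECDSA"}, "hybrid": {"ECDSA", "ML-DSA"}, "pqc": {"ML-DSA"}}

def phase_matrix():
    """{phase: {verifier: accepted?}} across the three phases."""
    return {p: {v: verify_chain(c, TRUST, s) for v, s in VERIFIERS.items()}
            for p, c in PHASES.items()}

def tampered_rejected():
    cert = dict(PHASES["phase2"][0])
    cert["tbs"] += b"|subject=someone-else"  # altered after signing
    return not verify_chain([cert], TRUST, VERIFIERS["hybrid"])
```

The matrix shows the migration property the PoC targets: Phase 2 certificates are accepted by legacy, hybrid, and PQC-only verifiers alike, while Phase 3 certificates are rejected by legacy verifiers, so devices must be upgraded before the last phase.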

Roles of the Three Organizations

TOPPAN Holdings: Development and provisioning of smart card system; participation in the quantum cryptography network testbed.
NICT: Overall framework of the proof of concept; development and provisioning of the quantum cryptography network testbed.
ISARA: Development of secondary root certificate and provision of related technology.

Future Activities

Targeting full real-world implementation around 2030, TOPPAN Holdings, NICT, and ISARA plan to build on insights from the proof of concept by conducting limited practical implementations in sectors requiring high levels of security, such as healthcare and finance.

Based on the process established for smooth migration, TOPPAN Holdings aims to support PQC transition for a broad spectrum of existing systems beyond smart cards, including online services and IoT devices. TOPPAN Holdings will also work with NICT and its collaborative partners on enhancements using the quantum cryptography network testbed’s PQC to strengthen quantum-secure cloud technology infrastructure and pursue real-world application. These efforts will be leveraged to target establishment of data infrastructure that ensures the secure communication, storage, and use of sensitive information in the future.

[1] Public key infrastructure: A framework that centrally manages information encryption, digital signatures, and identity verification by using public-key cryptography technologies and digital certificates to enable secure communication over the internet.

[2] Secondary crypto-agile root certificate: A hybrid root certificate that supports signing with both current cryptography and PQC. It facilitates a seamless transition without disrupting existing systems by establishing a PQC-based certificate chain while also maintaining full backward compatibility with current cryptography verification processes.

[3] ECDSA: A digital signature algorithm based on ECC public-key techniques. It provides the same level of security as the RSA public-key cryptosystem but with roughly one-tenth the key size.

[4] ML-DSA: A PQC digital signature algorithm standardized by NIST as FIPS 204. It is based on CRYSTALS-Dilithium, a digital signature algorithm applying lattice problems that are difficult for quantum computers to solve.

[5] ML-KEM: A PQC key exchange algorithm standardized by NIST as FIPS 203. It is based on CRYSTALS-Kyber, a key exchange algorithm applying lattice problems that are difficult for quantum computers to solve.

[6] PQC CARD®: A smart card equipped with PQC
https://www.holdings.toppan.com/en/news/2022/10/newsrelease221024_1.html