docs/documentation/platform/pki/concepts/pqc-algorithms.mdx
Post-Quantum Cryptography (PQC) refers to cryptographic algorithms designed to be secure against attacks by quantum computers. Traditional algorithms like RSA and ECDSA rely on mathematical problems (integer factorization, discrete logarithm) that quantum computers could efficiently solve using Shor's algorithm.
PQC algorithms are based on different mathematical foundations, such as lattice problems, that are believed to resist both classical and quantum attacks.
Infisical supports the following NIST-standardized post-quantum signature algorithms for certificate authorities and certificate issuance:
ML-DSA (formerly known as CRYSTALS-Dilithium) is a lattice-based digital signature scheme standardized in FIPS 204. It offers a strong balance of security, performance, and key/signature size.
<Note> ML-DSA is the recommended PQC algorithm for most use cases due to its efficient key generation, signing, and verification performance. </Note>You can create a Certificate Authority with a PQC key algorithm through the Infisical UI or API.
<Tabs> <Tab title="Infisical UI"> When creating a new Internal CA, select one of the ML-DSA variants from the **Key Algorithm** dropdown: - **ML-DSA-44** for NIST Level 2 security - **ML-DSA-65** for NIST Level 3 security - **ML-DSA-87** for NIST Level 5 security </Tab> <Tab title="API"> When creating a CA via the API, set the `keyAlgorithm` field to one of: - `ML-DSA-44` - `ML-DSA-65` - `ML-DSA-87````bash
curl --request POST \
--url https://your-infisical-instance.com/api/v1/pki/ca \
--header 'Authorization: Bearer <access-token>' \
--header 'Content-Type: application/json' \
--data '{
"projectSlug": "your-project",
"type": "root",
"commonName": "My PQC Root CA",
"keyAlgorithm": "ML-DSA-65",
"notAfter": "2035-01-01"
}'
```
When using PQC algorithms, keep the following constraints in mind:
keyEncipherment, keyAgreement, and dataEncipherment are not valid for PQC certificates. Requesting these usages will return an error.