Device owners using Trusted Platform Modules (TPMs) now have additional options for protecting sensitive data against potential quantum threats, following an updated specification from the Trusted Computing Group. The specification, Trusted Platform Module 2.0 v185, includes support for two post-quantum cryptography (PQC) algorithms: ML-KEM and ML-DSA.
PQC refers to cryptographic algorithms designed to remain secure against cryptographically relevant quantum computers (CRQCs). Such systems are expected to pose risks to widely used methods such as RSA and elliptic curve cryptography (ECC). Within the updated specification, ML-KEM can be used for the TPM’s Endorsement Key to support long-term confidentiality, including scenarios where encrypted data may be recorded and decrypted at a later time. ML-DSA provides a signing method that signs entire messages rather than relying on traditional digest-based approaches.
The update also introduces new TPM commands—SignVerifySequenceStart, SignSequenceComplete, and VerifySequenceComplete—which enable signing and verification across messages of varying sizes.
Both ML-KEM and ML-DSA are standardised by the National Institute of Standards and Technology, reflecting their role in post-quantum cryptography efforts.
In addition, TPM 2.0 v185 adds support for Curve25519 and Curve448, improving compatibility with systems and protocols that use these curves, including ISO 15118.
The update forms part of ongoing efforts to incorporate post-quantum cryptography into hardware-based security standards.
