HP Launches Printers with Quantum Resilient Cryptography

At this year’s HP Amplify printer conference, the firm announced ‘the world’s first business printers to protect against quantum computer attacks’.

The printers incorporate the Leighton-Micali Signature (LMS) which is a stateful hash-based signature (HBS) scheme. LMS was approved by NIST for post quantum use in 2020 and is described in Special Publication 800-208.

NIST describes the use case profile as, “The authentication of firmware updates for constrained devices. Some constrained devices that will be deployed in the near future will be in use for decades. These devices will need to have a secure mechanism for receiving firmware updates, and it may not be practical to change the code for verifying signatures on updates once the devices have been deployed.”

This could be a description of the modern printer. It explains HP’s motivation for incorporating LMS on two counts: private users and government sales.

On the first count, the modern printer is an edge device, quite similar in processing capabilities to a PC. But, as Steve Inch, print security strategist & product management lead at HP, told SecurityWeek, “Printers are traditionally the low man on the totem pole when it comes to priorities for security teams. It’s this box over in the corner. It doesn’t move; it’s just there. It’s not ignored but it’s a low priority for security teams.”

While edge devices generally, and especially printers, may be low priority for defenders, they are high priority for attackers – not least because they are internet-facing with an IP address. There are many ways that attackers can locate exposed printer IPs, and WithSecure research noted in June 2024, “Edge services are often internet accessible, unmonitored, and provide a rapid route to privileged local or network credentials on a server with broad access to the internal network.”

Printers don’t have the typical third party defensive apps, such as anti-malware, that can be used to protect them. This throws the security onus on the manufacturer. Inch believes it is incumbent on each manufacturer to counter the inherent insecurity of printers by building strong security into the hardware itself with layers of protection starting at the kernel level.

“Starting with the chipset and the ASIC we have incorporated a foundation for quantum resistance around the cryptography related to digital signatures. So, our devices have the BIOS boot-up, and when that BIOS is engaged, we can be confident in knowing that the device cannot be cracked.”

Advertisement. Scroll to continue reading.

Remember that printers can sit in the corner for ten years or more, while quantum decryption is thought by many to be less than 10 years away.

In this sense, HP is giving its users a helping hand in the wholesale migration to quantum resistant encryption by providing it on a plate (or in the ASIC). That’s no small matter. “I don’t think there is a human being on the planet that could unequivocally give you a demonstration of complete visibility into their encryption and the touch points in their infrastructure,” says Inch. Finding all those touchpoints and migrating the relevant algorithms to PQC is going to be a lengthy process

“The printers’ new ASIC chips are designed with quantum-resistant cryptography and enable the use of digital signature verification to protect firmware integrity against quantum attacks,” says HP.

The second reason for incorporating quantum resistant cryptography now is to protect its own commercial sales into government. NIST has long required that federal government agencies should complete the migration to quantum-resistant cryptography by 2035. Again, we have those 10 years. But in December 2024, the NSA threw a spanner in the works by declaring that all new acquisitions for national security systems must be CNSA 2.0 compliant from January 1, 2027. CNSA 2.0 provides the list of cryptographic algorithms that are considered-quantum-resilient – that is, those so defined by NIST.

That gives appliance manufacturers, such as HP, less than two years to ensure their devices are quantum resistant if they wish to sell into the national security systems market.

The dual purpose of launching these quantum resistant printers now at this year’s HP Amplify is to provide security for edge devices and ready-made quantum migration for commercial users: and to maintain HP’s access to the national security systems market.

The new printers also offer seamless integration with customers’ zero trust implementations. The printers incorporate HP’s Zero Trust Architecture, which, says Inch, “is almost plug and play with whatever flavor of zero trust is being used by the customer.” This is in furtherance of his principle that it is the printer manufacturer’s responsibility to embed security into the device rather than wait for the user to do something.