Post-quantum digital signature and the reform of law 527 of 1999 in Colombia

By Daniel Peña Valenzuela

Introduction

Law 527 of 1999 marked a milestone in the regulation of electronic commerce in Colombia by recognizing the digital signature as a legal mechanism equivalent to the handwritten signature. This recognition consolidated trust in electronic transactions and granted evidentiary security to digital documents. The advent of quantum computing, however, poses an unprecedented challenge: the cryptographic algorithms underpinning digital signatures, such as RSA and ECC, may become vulnerable to the processing power of quantum computers. In this context, it is necessary to rethink the legal category of the digital signature and project regulatory reforms to ensure its validity in a post-quantum environment.

1. Digital signature under Law 527 of 1999

Law 527 establishes that the digital signature is an authentication mechanism based on public-key cryptography, guaranteeing the integrity and authenticity of electronic documents. The principle of technological neutrality allows any reliable method to be considered a digital signature, provided it meets security and functional equivalence standards. This principle must be reinterpreted in light of quantum risks, since legal validity depends on the technical robustness of the algorithms employed.

2. Quantum threat to digital signatures

Advances in quantum computing, particularly Shor’s algorithm, enable the factorization of large numbers and the resolution of discrete logarithm problems in polynomial time, directly undermining RSA and ECC. Likewise, Grover’s algorithm reduces the complexity of brute-force attacks on symmetric systems. These developments imply that current digital signatures may become vulnerable, weakening their evidentiary value in judicial and contractual processes.

3. Verifiable technical elements

The transition to a post-quantum environment requires the adoption of algorithms resistant to quantum attacks. The NIST (National Institute of Standards and Technology) selected between 2022 and 2024 algorithms such as CRYSTALS-Kyber for encryption and CRYSTALS-Dilithium for digital signatures. Similarly, ISO/IEC JTC 1 is working on international standards for post-quantum cryptography applicable to digital signatures. These verifiable technical elements form the basis upon which Colombian legislation must be reformed.

4. Need for reform of Law 527

The reform must explicitly recognize post-quantum algorithms as valid for digital signatures. It should also establish mechanisms for international interoperability with NIST and ISO standards, introduce the principle of technological resilience, and reinforce evidentiary guarantees to ensure that post-quantum digital signatures retain their functional equivalence with handwritten ones.

5. International comparison

In the European Union, the eIDAS 2.0 Regulation discusses the integration of quantum-resistant mechanisms. In the United States, NIST leads the standardization of post-quantum algorithms, directly impacting the validity of digital signatures. In Latin America, Colombia and Mexico have not yet explicitly incorporated the quantum threat into their legal frameworks, creating a regulatory gap and an opportunity for regional leadership.

Conclusions

The digital signature, as a legal category, faces a structural challenge in the quantum era. Reforming Law 527 is essential to recognize the post-quantum digital signature, adopt international standards, and guarantee the continuity of its functional equivalence. The post-quantum future does not eliminate the digital signature but requires its legal and technical transformation. Colombia must anticipate this transition to maintain legal certainty in electronic commerce and strengthen trust in digital transactions.