Post Quantum Cryptography

https://access.redhat.com/blogs/766093/posts/3031361?sc_cid=7016000000127ECAAY

The SSL/TLS protocol uses RSA, Diffie-Hellman (DH) or Elliptic Curve Diffie-Hellman (ECDH) primitives for the key exchange algorithm.

RSA is based on the fact that when given a product of two large prime numbers, factorizing the product (which is the public key) is computationally intensive, but a quantum computer could efficiently solve this problem using Shor’s algorithm. Similarly, DH and ECDH key exchanges could all be broken very easily using sufficiently large quantum computers.

For symmetric ciphers, the story is slightly different. It has been proven that applying Grover’s algorithm the strength of symmetric key lengths are effectively halved: AES-256 would have the same security against an attack using Grover’s algorithm that AES-128 has against classical brute-force search. Hashes are also affected in the same way symmetric algorithms are.

Therefore, we need new algorithms which are more resistant to quantum computations. This article introduces you to 5 proposals, which are under study.

228 Comments

  1. Tomi Engdahl says:

    Suomalainen salaus pääsee suosituille FPGA-piireille
    https://etn.fi/index.php/13-news/14938-suomalainen-salaus-paeaesee-suosituille-fpga-piireille

    Otaniemessä päämajaansa pitävä Xiphera kehittää salauslohkoja, joilla voidaan toteuttaa jopa kvanttiturvallinen salaus niin ASIC- kuin FPGA-piireille. Nyt yhtiö kertoo liittyneensä Microchipin kumppaniverkostoon.

    Tämä tarkoittaa, että Xipheran IP-lohkot ovat päässeet Microchipin IP-kirjastoon. Microchipin asiakkaat voivat nyt integroida Xipheran IP-lohkoja osaksi ratkaisujaan esimerkiksi suosituilla PolarFire-sarjan piireillä.

    Xipheran kryptografisten IP-ytimien ja Microchipin FPGA-piirien yhdistelmä on erityisesti suunnattu kriittisten sovellusten turvallisuuteen, mukaan lukien teollisuuden IoT-ratkaisut, puolustusteollisuus ja avaruustekniikka.

    Reply
  2. Tomi Engdahl says:

    IBM Delivers Roadmap for Transition to Quantum-safe Cryptography
    https://www.securityweek.com/ibm-delivers-roadmap-for-transition-to-quantum-safe-cryptography/

    IBM’s Quantum Safe Roadmap was designed to help federal agencies and business meet the requirements and the deadlines for quantum safe cryptography.

    IBM has introduced a quantum-safe roadmap to help the complex organizational transition to post-quantum cryptography at this year’s annual Think conference.

    There are deadlines by which federal agencies must complete the transition to quantum-safe cryptography. Business is expected to follow the same path, but it is a long and difficult route. IBM has developed a three-stage solution it calls the IBM Quantum Safe Roadmap.

    “This roadmap serves as a commitment to transparency, predictability, and confidence as we guide industries along their journey to post-quantum cryptography. There’s a lot happening at once — new algorithms, standards, best practices, and guidance from federal agencies. We hope that this roadmap will serve as a navigational tool through this complex landscape,” it announced.

    The background is the assumption that much of our current cryptography will be easily cracked with the arrival of cryptographically relevant quantum computers, which are expected earlier than general-purpose quantum computers. Even though this may be several or even many years in the future, encrypted confidential data stolen by nation-state or criminal gangs now will become readable at that time. Quantum safety is a pressing concern.

    How IBM Quantum is bringing organizations along their quantum-safe technology journey
    https://research.ibm.com/blog/quantum-safe-roadmap

    By decade’s end, practical quantum computing solutions could impact computing strategies across industries. But it will also profoundly alter how we secure our digital data fabric through cryptography. Organizations are already examining how to upgrade their cybersecurity to prepare for this new computational era.

    At this year’s Think event, the premier IBM conference for business and technology leaders, we announced our quantum-safe roadmap, and how we plan to use technology to equip industries with the cybersecurity capabilities required for this new era. Supporting that roadmap is IBM Quantum Safe technology: a comprehensive set of tools, capabilities, and approaches combined with deep expertise for an end-to-end journey to make your organization quantum safe. We’re excited to present our IBM Quantum Safe Roadmap — and launch the era of quantum safe.

    Starting your quantum-safe journey

    Last July, the National Institute of Standards and Technology (NIST) announced that they had selected four quantum-resistant algorithms for standardization — IBM, in collaboration with a number of industry and academic partners, contributed CRYSTALS-Kyber public-key encryption, CRYSTALS-Dilithium digital signature algorithms, and the Falcon digital signature algorithm to NIST. Read more.three of which were developed by IBM, alongside academic and industry collaborators. That announcement was the world’s wake-up call to start the quantum-safe transition. At IBM, we had already started making our technology quantum safe, including the IBM z16 mainframe, and IBM Tape storage technology. But we realized that our clients have unique needs when it comes to embarking on their own quantum-safe transitions.

    This need for agility is why we launched IBM Quantum Safe. We see the journey to quantum safe as comprising three key actions:

    Discover: Identify cryptography usage, analyze dependencies and generate a Cryptography Bill of Materials (CBOM).
    Observe: Analyze cryptography posture of compliance and vulnerabilities and prioritize remediation based on risks.
    Transform: Remediate and mitigate with crypto-agility and built-in automation.

    Around those three actions, we developed an end-to-end solution to prepare clients for the post-quantum era: IBM Quantum Safe technology. Included are three technology capabilities, one corresponding with each of the three actions of this quantum-safe transition.

    For the Observe stage, we developed IBM Quantum Safe Advisor. Advisor integrates with network and security scanners in your IT environment, consolidating and managing CBOMs and collecting metadata from other network components to generate a comprehensive cryptographic inventory. With its policy-based enrichment, Advisor creates a prioritized list of at-risk assets and data flows, equipping you to analyze your cryptographic posture and compliance.

    And for the Transform stage, we developed IBM Quantum Safe Remediator, which allows you to test quantum-safe remediation patterns so that you understand the potential impact on systems and assets. Remediator enables you to address any pattern that suits your organization to be quantum safe. It allows you to work with different quantum-safe algorithms, certificates and key management services.

    The IBM Quantum Safe Roadmap

    The transition to post-quantum cryptography has already begun. Last year, the White House sent out a memorandum1 to the heads of executive departments and agencies declaring that all agencies were required to submit a cryptographic inventory of systems that would be vulnerable to a cryptographically relevant quantum computer. Today, we’re tracking quantum-safe milestones into the future, and maturing our product to help organizations, including US federal agencies, hit these milestones. We’re calling this our IBM Quantum Safe Roadmap.

    We’re releasing Explorer and Advisor and the first generation of Remediator with these milestones in mind. This year, we expect organizations that work with us to use these tools to complete their cryptography inventory and create a CBOM. We’re already working with government agencies to help them complete these inventories on high-priority applications.

    Reply
  3. Tomi Engdahl says:

    Enhancing TLS Security: Google Adds Quantum-Resistant Encryption in Chrome 116
    https://thehackernews.com/2023/08/enhancing-tls-security-google-adds.html

    Google has announced plans to add support for quantum-resistant encryption algorithms in its Chrome browser, starting with version 116.

    “Chrome will begin supporting X25519Kyber768 for establishing symmetric secrets in TLS, starting in Chrome 116, and available behind a flag in Chrome 115,” Devon O’Brien said in a post published Thursday.

    Kyber was chosen by the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) as the candidate for general encryption in a bid to tackle future cyber attacks posed by the advent of quantum computing. Kyber-768 is roughly the security equivalent of AES-192.

    Reply
  4. Tomi Engdahl says:

    What are quantum-resistant algorithms—and why do we need them?
    When quantum computers become powerful enough, they could theoretically crack the encryption algorithms that keep us safe. The race is on to find new ones.
    https://www.technologyreview.com/2022/09/14/1059400/explainer-quantum-resistant-algorithms/

    Reply
  5. Tomi Engdahl says:

    Google Releases Security Key Implementation Resilient to Quantum Attacks
    https://www.securityweek.com/google-releases-security-key-implementation-resilient-to-quantum-attacks/

    Google has released the first quantum-resilient FIDO2 security key implementation as part of its OpenSK project.

    Google on Tuesday released what it described as the first FIDO2 security key implementation that should be resistant to quantum attacks.

    There has been significant progress in quantum computing in the past years and tech giants are increasingly focusing on quantum security. The main concern is related to encryption — current cryptography will not be able to protect information against quantum attacks, which is why quantum-resilient cryptography is needed.

    In partnership with the Swiss university ETH Zurich, Google has developed a quantum-resilient security key implementation that leverages a hybrid signature scheme involving traditional elliptic-curve cryptography (specifically ECDSA) and CRYSTALS-Dilithium, a quantum scheme that NIST recently standardized, saying it offers “strong security and excellent performance”.

    Reply
  6. Tomi Engdahl says:

    Salausalgoritmit täytyy vaihtaa – ”jonkinlainen päivämäärä pitää olla”
    Mikko Pulliainen18.8.202310:30|päivitetty18.8.202313:52SALAUS
    Kun kvanttitietokoneen teho kasvaa tarpeeksi suureksi, se kykenee ­peittoamaan nykyiset salausmenetelmät.
    https://www.tivi.fi/uutiset/salausalgoritmit-taytyy-vaihtaa-jonkinlainen-paivamaara-pitaa-olla/58dfd1a7-d8e3-4ca1-b46b-6c2edfb77462

    Reply
  7. Tomi Engdahl says:

    Google announces new algorithm that makes FIDO encryption safe from quantum computers https://arstechnica.com/security/2023/08/passkeys-are-great-but-not-safe-from-quantum-computers-dilithium-could-change-that/

    New approach combines ECDSA with post-quantum algorithm called Dilithium.

    Bleeping Computer:
    https://www.bleepingcomputer.com/news/security/google-released-first-quantum-resilient-fido2-key-implementation/

    Reply
  8. Tomi Engdahl says:

    Kvanttitietokoneen teho kasvaa ja uhkaa tietoturvaa – Pian sillä voi murtautua valtioiden kriittiseen infrastruktuuriin
    Kun kvanttitietokoneen teho kasvaa tarpeeksi suureksi, se kykenee peittoamaan nykyiset salausmenetelmät. Tämä on vain ajan kysymys.
    https://www.tekniikkatalous.fi/uutiset/kvanttitietokoneen-teho-kasvaa-ja-uhkaa-tietoturvaa-pian-silla-voi-murtautua-valtioiden-kriittiseen-infrastruktuuriin/57922bda-f9d2-4c88-8ccd-d9af6e9b187d

    Reply
  9. Tomi Engdahl says:

    US Government Publishes Guidance on Migrating to Post-Quantum Cryptography

    CISA, NSA, and NIST urge organizations to create quantum-readiness roadmaps and prepare for post-quantum cryptography migration.

    https://www.securityweek.com/us-government-publishes-guidance-on-migrating-to-post-quantum-cryptography/

    Reply
  10. Tomi Engdahl says:

    Data Protection
    How Quantum Computing Will Impact Cybersecurity
    https://www.securityweek.com/how-quantum-computing-will-impact-cybersecurity/

    While quantum-based attacks are still in the future, organizations must think about how to defend data in transit when encryption no longer works.

    Quantum computers live in research universities, government offices, and leading scientific companies and, except in rare circumstances, find themselves out of reach of bad actors. That may not always be the case, though.

    As research on quantum computers continues to move the technology forward, there is a growing concern that these computers might soon break modern cryptography. That would make all current data encryption methods obsolete and require new cryptography methods to protect against these powerful machines.

    While the concept of quantum computers is not new, the discourse around them has increased in recent months thanks to continued federal action.

    The Power of Quantum Computing

    Even the fastest computers today struggle to break security keys thanks to complexity. It would take years for a system to break down the standard keys, even in the best-case scenarios. This is what makes encryption such a valuable security defense.

    Quantum computing looks to dramatically change this time from years to a few hours. While it can quickly get complicated, experts believe many public-key encryption methods popular today, such as RSA, Diffie-Hellman, and elliptic curve could one day be relatively simple for quantum computers to solve.

    The good news in this scenario is that commercial quantum computing remains in the distance. A study from the National Academies believes future code-breaking quantum computers would need 100,000 times more processing power and an error rate of 100 times better. These improvements could be more than a decade away, but they are something security leaders need to consider now.

    It will be too late if we wait until those powerful quantum computers start breaking our encryption.

    Leveraging Defense In-Depth

    While quantum-based attacks are still in the future, organizations must think about how to defend data in transit when encryption no longer works. Best practices include things like segmenting networks, leveraging 5G private networks, and leveraging Zero Trust architectures.

    Organizations must also secure data at rest. Many databases feature encryption that could become moot in the future. Organizations may need to store certain data offline or have a practice of re-encrypting old files once newer encryption technologies become available.

    Right now, everything from browser cache, to password managers, to local Outlook email files is encrypted. If that encryption becomes breakable, organizations may need to reduce the distribution overall to limit risk, at least until better quantum encryption is created.

    Reply
  11. Tomi Engdahl says:

    Data Protection
    How Quantum Computing Will Impact Cybersecurity
    https://www.securityweek.com/how-quantum-computing-will-impact-cybersecurity/

    While quantum-based attacks are still in the future, organizations must think about how to defend data in transit when encryption no longer works.

    Reply
  12. Tomi Engdahl says:

    Kvanttikoneiden hyökkäykset kestävä salaus tulee ensi vuonna
    https://etn.fi/index.php/13-news/15271-kvanttikoneiden-hyoekkaeykset-kestaevae-salaus-tulee-ensi-vuonna

    Kvanttiuhkasta on puhuttu jo pitkään. Kun kvanttikoneet ovat kaupallisesti tarjolla, kaikki nykyiset salaustekniikat joutuvat romukoppaan, maalailee moni. Standardointijärjestö NIST yrittää hillitä paniikkia. Kvanttikoneiden hyökkäykset kestävät salausstandardit valmistuvat jo ensi vuonna.

    Kvanttiuhka tarkoittaa sitä, että kvanttikoneilla pystyy helposti murtamaan nykyiset julkiseen avaimeen perustuvat asymmetriset salaukset. Pahimmillaan tämä tarkoittaa koko internetin tietoturvan kaatumista. Sähköpostit, tekstiviestit, pankkisalaisuus, kaikki olisi mennyttä. Onneksi kvanttitietokoneet eivät tule olemaan laajasti saatavilla vielä vuosiin, todennäköisesti vuosikymmeniin.

    Reply
  13. Tomi Engdahl says:

    How Quantum Computing Will Impact Cybersecurity
    https://www.securityweek.com/how-quantum-computing-will-impact-cybersecurity/

    While quantum-based attacks are still in the future, organizations must think about how to defend data in transit when encryption no longer works.

    Quantum computers live in research universities, government offices, and leading scientific companies and, except in rare circumstances, find themselves out of reach of bad actors. That may not always be the case, though.

    As research on quantum computers continues to move the technology forward, there is a growing concern that these computers might soon break modern cryptography. That would make all current data encryption methods obsolete and require new cryptography methods to protect against these powerful machines.

    While the concept of quantum computers is not new, the discourse around them has increased in recent months thanks to continued federal action.

    Reply
  14. Tomi Engdahl says:

    Quantum Resistance and the Signal Protocol https://signal.org/blog/pqxdh/

    Today we are happy to announce the first step in advancing quantum resistance for the Signal Protocol: an upgrade to the X3DH specification which we are calling PQXDH. With this upgrade, we are adding a layer of protection against the threat of a quantum computer being built in the future that is powerful enough to break current encryption standards.

    Reply
  15. Tomi Engdahl says:

    Suomalainen tekniikka suojaa kvanttihyökkäyksiltä
    https://etn.fi/index.php/13-news/15347-suomalainen-tekniikka-suojaa-kvanttihyoekkaeyksiltae

    Loppusyksystä espoolainen Xiphera julkisti ensimmäisen kvanttiturvallisen tuotteensa, joka voidaan IP-lohkona integroida FPGA- ja ASIC-piireille. Nyt yhtiö kertoo ensimmäisestä asiakkaastaan xQlve-tuotteelle: QuickLogic aikoo tuoda sen eFPGA-piireilleen.

    Xipheran xQlave-tuoteperhe koostuu kvanttiturvallisten algoritmien turvallisista ja tehokkaista toteutuksista. Tuoteperheen ensimmäiset tuotteet tukevat CRYSTALS-Kyber- avaintenvaihtoalgoritmia, joka on yksi standardointijärjestö NIST:n (National Institute of Standards and Technology) viime vuonna käydyn PQC-kilpailun voittajista.

    XQlave-tuoteperhe vastaa useisiin asiakkaan tarpeisiin IP-lohkoillaan

    Xipheran xQlave™ PQC -ratkaisujen yhdistäminen perinteisiin salausalgoritmeihin (ECC tai RSA) hybridimalliksi mahdollistaa tulevaisuuden kestävän suojatun järjestelmän uusilla ja jo olemassa olevilla eFPGA-alustoilla.

    Reply
  16. Tomi Engdahl says:

    The Signal Protocol used by 1+ billion people is getting a post-quantum makeover
    Update prepares for the inevitable fall of today’s cryptographic protocols.
    https://arstechnica.com/security/2023/09/signal-preps-its-encryption-engine-for-the-quantum-doomsday-inevitability/

    The Signal Protocol is a key ingredient in the Signal, Google RCS, and WhatsApp messengers, which collectively have more than 1 billion users. It’s the engine that provides end-to-end encryption, meaning messages encrypted with the apps can be decrypted only by the recipients and no one else, including the platforms enabling the service. Until now, the Signal Protocol encrypted messages and voice calls with X3DH, a specification based on a form of cryptography known as Elliptic Curve Diffie-Hellman.

    Currently, the largest quantum computer known to be in existence today runs with just 433 qubits. Estimates vary widely as to how long it will be until there’s a large and robust enough quantum computer to break ECC and other vulnerable algorithms. Some expert forecasts predict as few as five years, while others say it could be 30 or more years out.

    Enter PQC
    There is little disagreement, however, that there will come a day when many of the most widely used forms of encryption will die at the hands of quantum computing. To head off that doomsday eventuality, engineers and mathematicians have been developing a new class of PQC, short for post-quantum cryptography.

    The PQC added to the Signal Protocol on Monday is called PQXDH. It uses the same X3DH specification the Signal Protocol has always employed. On top, it adds an additional layer of encryption using Crystals-Kyber, one of four PQC algorithms the National Institute of Standards and Technology selected last year as a potential replacement to ECC and other quantum-vulnerable forms of encryption.

    Reply
  17. Tomi Engdahl says:

    To Schnorr and beyond (Part 1)
    https://blog.cryptographyengineering.com/2023/10/06/to-schnorr-and-beyond-part-1/

    In this post I’m going to talk about signature schemes, and specifically the Schnorr signature, as well as some related schemes like ECDSA. These signature schemes have a handful of unique properties that make them quite special among cryptographic constructions. Moreover, understanding the motivation of Schnorr signatures can help understand a number of more recent proposals, including post-quantum schemes like Dilithium — which we’ll discuss in the second part of this series.

    Reply
  18. Tomi Engdahl says:

    Researcher Claims to Crack RSA-2048 With Quantum Computer
    As Ed Gerck Readies Research Paper, Security Experts Say They Want to See Proof
    https://www.bankinfosecurity.com/blogs/researcher-claims-to-crack-rsa-2048-quantum-computer-p-3536

    Reply
  19. Tomi Engdahl says:

    Post-quantum cryptography counters computing like Schrödinger’s Cat
    https://interestingengineering.com/innovation/post-quantum-cryptography-schrodingers-cat

    Businesses and government agencies must scan code for RSA & old protocols, replacing them with post-quantum cryptography to thwart quantum threats to encryption.

    Reply
  20. Tomi Engdahl says:

    Miksi kvanttitietokoneiden kehityksen ja niiden väistämättömän yleistymisen tulisi kiinnostaa jokaisen yrityksen tietoturvavastaavaa? Viestintäkonsulttimme Ari perehtyi aiheeseen Kyberturvallisuuskeskuksen Tietoturva 2024 -seminaarissa. Lue blogistamme asiantuntijapuheenvuorojen parhaat palat!

    https://blog.netprofile.fi/kvanttiuhka-nousee-miksi-se-koskee-jokaista-firmaa?utm_source=facebook&utm_medium=paid&utm_campaign=arin-kvanttiblogi&fbclid=IwAR0kq01zGq_SHhpTxlDAXIg5TE_hE_5rcn8ilwjXXHuVhNItVgN3ApXVQk8_aem_AYHJ99pioCb7Ee_dgUZSKzWjSuWJhLZ6ZpeSWusITKcVWSo7M-e8aoAXteCrgX0CbSCEIgllXKw6eoSjgiB-fNyU&utm_id=6540721481698&utm_content=6540721484898&utm_term=6540721483698

    #kvanttitietokone #tietoturva #viestintä

    Reply
  21. Tomi Engdahl says:

    Equinixin asiakkaille käyttöön kvanttitason kyberturvaa
    https://etn.fi/index.php/13-news/16213-equinixin-asiakkaille-kaeyttoeoen-kvanttitason-kyberturvaa

    Quside ja Equinix ovat solmineet merkittävän yhteistyösopimuksen, joka tuo edistykselliset kvanttilukujen satunnaisgenerointiteknologiat tuhansien yritysten ulottuville maailmanlaajuisesti. Tämä teknologia parantaa yritysten kykyä puolustautua kehittyneitä kyberuhkia vastaan ainutlaatuisen entropiaratkaisun avulla.

    Yhteistyön myötä Equinixin asiakkaille avautuu pääsy Qusiden innovatiivisiin kvanttilukujen satunnaisgenerointiteknologioihin, mikä merkittävästi parantaa kykyä suojautua yhä kehittyneempiä kyberuhkia vastaan. Kyberturvallisuudessa entropia, eli satunnaisuus, on avainasemassa ennakoimattomien satunnaislukujen tuottamisessa, jotka ovat kriittisiä tehokkaassa kryptografiassa.

    Reply
  22. Tomi Engdahl says:

    Ripple publishes math prof’s warning: ‘Public-key cryptosystems should be replaced’
    Mathematician Massimiliano Sala says current encryption methods won’t protect blockchain systems from quantum computers.
    https://cointelegraph.com/news/ripple-math-warning-public-key-cryptosystems-quantum-computers

    Reply
  23. Tomi Engdahl says:

    Data Protection
    Zoom Adding Post-Quantum End-to-End Encryption to Products

    Zoom is announcing post-quantum end-to-end encryption on Meetings, with Phone and Rooms coming soo

    https://www.securityweek.com/zoom-adding-post-quantum-end-to-end-encryption-to-products/

    Video communications giant Zoom announced on Tuesday that post-quantum end-to-end encryption (E2EE) has been added to Zoom Workplace.

    The feature, which leverages the Kyber 768 key encapsulation method, is currently available worldwide in Zoom Meetings, with Zoom Phone and Zoom Rooms coming soon.

    Zoom claims it is the first unified communications-as-a-service company to offer a post-quantum E2EE solution for video conferencing.

    “Since we launched end-to-end encryption for Zoom Meetings in 2020 and Zoom Phone in 2022, we have seen customers increasingly use the feature, which demonstrates how important it is for us to offer our customers a secure platform that meets their unique needs,” said Michael Adams, CISO at Zoom.

    Reply
  24. Tomi Engdahl says:

    Zoom Video Communications kertoo lisänneensä kokouksiinsa salauksen, joka tukee NIST-järjetön määrittelemiä kvanttikoneiden hyökkäyksen kestävää salausalgoritmia. Käytänössä koko Zoom Workplace -ympäristöön on lisätty PQC- eli kvanttikoneiden jälkeisen ajan salaus. Zoom puhuu salauksesta termillä ”kvanttikoneiden kestävä E2EE” ( PQC end-to-end encryption).

    Tällä hetkellä tuki on Zoom Meetings -kokouksille, mutta kvanttiajan E2EE-salaus on tulossa pian myös Zoom Phone -puheluille ja Zoon Rooms -työtiloille.

    https://etn.fi/index.php/13-news/16237-zoom-kokoukset-kestaevaet-nyt-kvanttihyoekkaeykset

    Reply
  25. Tomi Engdahl says:

    Koska Zoomin palvelimilla ei ole tarvittavaa salauksen purkuavainta, Zoomin palvelimien kautta välitettävä salattu data on mahdotonta purkaa. Zoomin PQC-salaus käyttää Kyber 768:aa, National Institute of Standards and Technologyn (NIST) standardoimaa algoritmia Module Lattice -pohjaisena avainkotelointimekanismina suojaukseen.

    https://etn.fi/index.php/13-news/16237-zoom-kokoukset-kestaevaet-nyt-kvanttihyoekkaeykset

    Reply
  26. Tomi Engdahl says:

    https://medium.com/@hwupathum/x25519kyber768-post-quantum-key-exchange-for-https-communication-70eba681931d

    The X25519Kyber768 algorithm combines the elliptic curve-based X25519 with the Kyber768 post-quantum key exchange scheme, offering a robust and quantum-resistant solution for securing HTTPS communication.

    This hybrid mechanism combines the output of two cryptographic algorithms to create the session key used to encrypt the bulk of the TLS connection:

    X25519 — an elliptic curve algorithm widely used for key agreement in TLS today
    Kyber-768 — a quantum-resistant Key Encapsulation Method, approved by NIST

    However, the shared key sizes of X25519Kyber768 are significantly larger than traditional X25519, which might reduce the efficiency of the key exchange process.

    Reply
  27. Tomi Engdahl says:

    Post-Quantum TLS on Embedded Systems
    Integrating and Evaluating Kyber and SPHINCS+ with mbed TLS
    https://eprint.iacr.org/2020/308.pdf

    Reply
  28. Tomi Engdahl says:

    Google Publishes Plans For Post-Quantum Cryptography
    Secure email firm Tuta has also upgraded its systems to be quantum-proof
    https://www.mescomputing.com/news/4184590/google-publishes-plans-post-quantum-cryptography

    Google has published a threat model for the arrival of quantum computers that can crack commonly used cryptosystems such as RSA and ECC.

    “If we do not encrypt our data with a quantum-secure algorithm right now, an attacker who is able to store current communication will be able to decrypt it in as soon as a decade,” Google security researchers write in a blog post.

    They quote research by the Global Risk Institute that assigns a probability of 17%-31% to a quantum computer being able to crack RSA-2048 in 24 hours.

    In 2022, the U.S. National Institute of Standards and Technology (NIST) announced four candidates to be standardized as recommended public key post-quantum cryptography (PQC) algorithms. These algorithms are recommended to replace asymmetric cryptosystems based on elliptic curves and prime factorization which are theoretically vulnerable to quantum computers, as these devices can effectively guess a huge number of possibilities at once.

    https://bughunters.google.com/blog/5108747984306176/google-s-threat-model-for-post-quantum-cryptography

    Reply
  29. Tomi Engdahl says:

    Securing tomorrow today: Why Google now protects its internal communications from quantum threats
    https://cloud.google.com/blog/products/identity-security/why-google-now-uses-post-quantum-cryptography-for-internal-comms

    When you visit a website and the URL starts with HTTPS, you’re relying on a secure public key cryptographic protocol to shield the information you share with the site from casual eavesdroppers. Public key cryptography underpins most secure communication protocols, including those we use internally at Google as part of our mission to protect our assets and our users’ data against threats. Our own internal encryption-in-transit protocol, Application Layer Transport Security (ALTS), uses public key cryptography algorithms to ensure that Google’s internal infrastructure components talk to each other with the assurance that the communication is authenticated and encrypted.

    Widely-deployed and vetted public key cryptography algorithms (such as RSA and Elliptic Curve Cryptography) are efficient and secure against today’s adversaries. However, as Google Cloud CISO Phil Venables wrote in July, we expect large-scale quantum computers to completely break these algorithms in the future. The cryptographic community already has developed several alternatives to these algorithms, commonly referred to as post-quantum cryptography (PQC), that we expect will be able to resist quantum computer-driven attacks. We’re excited to announce that Google Cloud has already enabled one of the algorithms on our internal ALTS protocol today.

    https://bughunters.google.com/blog/5108747984306176/google-s-threat-model-for-post-quantum-cryptography

    Reply
  30. Tomi Engdahl says:

    Is AES post-quantum?
    We consider the secret key setting and, in particular, AES-256, the recommended primitive and one of the few existing ones that aims at providing a post-quantum security of 128 bits.

    Quantum Security Analysis of AES
    https://eprint.iacr.org/2019/272.pdf

    Reply
  31. Tomi Engdahl says:

    Security Highlight: Post-Quantum Cryptography on Embedded: challenges and opportunities
    https://www.riscure.com/post-quantum-cryptography-on-embedded-challenges-and-opportunities/

    Apple’s recent announcement regarding the integration of Post-Quantum Cryptography (PQC) into iMessage underscores the urgency and importance of adopting quantum-resistant encryption methods. We are moving to an era where quantum computing threatens the confidentiality of current cryptographic protocols, specifically around “harvest now, decrypt later” attacks: the ability to store communications today, and crack the keys once we have a functional quantum computer. With embedded systems that can be physically attacked, we need to even move a step further: hardware attack resistant PQC. This is announcement presents an opportunity to discuss the challenges in implementing post-quantum cryptography algorithms.

    The Need and Challenges for PQC in Embedded Systems

    Take, for instance, your average embedded SoC. It comes with a root of trust, which typically uses Elliptic Curve Cryptography (ECC) to authenticate its system code before running it. With quantum computers, the ECC private keys can be broken with only the knowledge of the public keys. This leads to breaking code authentication, allowing attackers to run arbitrary code on the system, and bypassing any local security controls.

    Now consider the hypothesis we’ll have quantum computing in 5-10 years. Embedded systems, integral to a myriad of applications from automotive to IoT devices, are particularly at risk due to their long service life (e.g. up to 20 years in the automotive industry) and exposure to physical attacks.

    Implementing PQC in embedded systems presents unique challenges. These systems often operate with limited processing power, memory, and energy, constraints that are magnified in ASIC and software implementations alike. Additionally, the potential for side-channel and fault attacks necessitates that PQC implementations are designed with these vulnerabilities in mind.

    Current State of PQC in Embedded Systems

    The non-updateable nature of many embedded systems, exemplified by non-modifiable ROM code implementing the root of trust, highlights the urgency of incorporating PQC today. However, the relative youth of PQC, illustrated by the breaking of the SIKE algorithm last year suggests caution. The “belts and suspenders” approach, combining ECC with PQC, as seen in Apple’s iMessage protocol, emerges as a pragmatic interim solution. It is not without risk: we know from experience that more code means more FI attack surface, and if ECC gets broken with QC we still need local attack resistance in PQC.

    Yet, combining multiple algorithms may not always be feasible due to the functional and performance constraints of embedded devices. As the field evolves, requests for verifying SCA and FI resistance in PQC implementations are increasingly common among customers, especially when they are exploring the right balance between security and performance.

    Best practices

    As PQC continues to develop, adhering to the latest research on countermeasures, and avoiding blindly taking “vanilla” open-source implementations without SCA and FI protections is critical. The path forward involves preparing for the eventuality of some PQC algorithms being compromised, necessitating a strategy for crypto agility to migrate to alternative solutions or mitigate the impacts of compromised embedded systems. This approach will become integral as certification schemes evolve to phase out outdated or broken algorithms.

    Reply
  32. Tomi Engdahl says:

    https://github.com/microsoft/PQCrypto-VPN
    Welcome to the PQCrypto-VPN project!

    Please start with our project page at Microsoft Research for an overview of this project.

    This project takes a fork of the OpenVPN software and combines it with post-quantum cryptography. In this way, we can test these algorithms with VPNs, evaluating functionality and performance of the quantum resistant cryptography. Because this project is experimental, it should not be used to protect sensitive data or communications at this time. Further cryptanalysis and research must first be done over the next few years to determine which algorithms are truly post-quantum safe.

    Reply
  33. Tomi Engdahl says:

    Long-lived secrets/signatures are in danger
    • Capture now, decrypt later
    • Need to understand impact on
    • Standards (TLS, SSH, IKE, PKI, S/MIME, …)
    • Products and services
    • Longer key/message/sig sizes
    • Slower running times
    • Code agility
    • Early deployment of hybrid scenarios
    • Today’s assurance + safety net against QC

    Reply
  34. Tomi Engdahl says:

    How does Post-Quantum Cryptography affect the TLS protocol?
    https://xiphera.com/how-does-post-quantum-cryptography-affect-the-tls-protocol/

    The emerging threat of quantum computers changes the way we look at and implement communications security of today. How can Post-Quantum Cryptography (PQC) be used for protecting the widely used TLS 1.3 protocol?

    Transport Layer Security (TLS) is perhaps the most well-known cryptographic protocol. It is used for providing communication in a large variety of applications security including secure web browsing. Typically, web browsers show a lock icon next to the URL link when it is using the protected HTTPS protocol; this means that the communication is protected with TLS. Although secure web browsing is the most visible application of TLS, it is nowadays used in a large variety of different applications including also machine-to-machine communication protocols.

    New post-quantum winds

    The most significant new thing in contemporary cryptography is the shift to Post-Quantum Cryptography (PQC). The traditional asymmetric (public key) cryptography methods RSA and Elliptic Curve Cryptography (ECC) are vulnerable to quantum attacks if large enough quantum computers become reality. PQC are algorithms that are not affected by the emerging quantum threat and are eventually to be used as replacements of the current RSA and ECC.

    Various standardisation bodies and government authorities are currently setting standards and requirements for shifting to PQC in practical systems. Most importantly, the American NIST has been running a standardisation process for finding secure and efficient PQC algorithms for key exchange and digital signatures. In summer 2022, they concluded the selection process and announced four algorithms – one for key exchange and three for signatures – that are to be included in the first PQC standard. The key exchange algorithm is called CRYSTALS-Kyber and the primary signature algorithm is called CRYSTALS-Dilithium.

    Being new, PQC algorithms have not yet reached the same level of confidence in their security that, for example, RSA and ECC have. As a consequence, it is generally recommended not to directly replace the traditional algorithms with the new PQC algorithms but, instead, use a hybrid solution where the security relies on both ECC and PQC. In such a hybrid solution, PQC offers protection against future adversaries that may be able to leverage quantum computers in attacks, and ECC provides fallback security against possible, yet unlikely, failures of PQC algorithms under more traditional cryptanalytic attacks.

    Enter Post-Quantum TLS

    Both the key exchange and server (and client) authentication of TLS Handshake rely heavily on the use of asymmetric cryptography and, nowadays, especially on ECC. Thus, the security of the TLS Handshake as defined in TLS 1.2 or TLS 1.3 is affected by the quantum threat, and there must be a roadmap for adopting PQC algorithms in TLS.

    Indeed, the work for Post-Quantum TLS (PQ-TLS) has already began: for example, Stebila (Univ. Waterloo), Fluhrer (Cisco), and Gueron (Amazon Web Services) have published an internet draft describing the use of hybrid key exchange in TLS 1.3.

    They propose four such combinations in their draft, where different elliptic curves are combined with CRYSTALS-Kyber. These combinations and their different key lengths are targeted for various use cases depending on their communication bandwidths and other requirements.

    It is noteworthy that the above proposal is only for key exchange, and it does not propose anything for authentication (that is, digital signatures). The motivation for this is that the proposal suggests a protection method against future adversaries and assumes that quantum attacks are not possible today. Hence, TLS session needs to be protected against adversaries who record session communication so that they could later break the security with a quantum computer and find out what was being communicated. Such an adversary could break the confidentiality protection of the TLS session by finding out the shared secret key by breaking ECC with a quantum computer, but breaking authentication retrospectively would not help the adversary because the session would have been closed long time ago.

    Reply
  35. Tomi Engdahl says:

    https://www.microsoft.com/en-us/research/project/post-quantum-tls/

    The Transport Layer Security (TLS) protocol

    The Transport Layer Security (TLS) protocol is one of the most widely-used security protocols in use today, protecting the information exchanged between web clients and servers all around the world. While TLS is secure against today’s classical computers, the asymmetric cryptography in TLS is unfortunately vulnerable to future attacks from quantum computers.

    Both the RSA and Elliptic Curve Diffie-Hellman asymmetric algorithms which set up the TLS exchange will succumb to Shor’s algorithm on a sufficiently large quantum computer. While a quantum computer of that size and stability may be 5 to 15 years off, cryptographers from around the world are already working to identify new, quantum-safe algorithms.

    Post-Quantum Cryptography TLS

    Given the importance of TLS, preparing for the transition to post-quantum cryptography needs to start now. Asymmetric cryptography in TLS is vulnerable in two places:

    Key exchange: the server and client exchange cryptographic messages use asymmetric key exchange algorithms (such as RSA and ECDH) to derive a symmetric key. The symmetric key then encrypts the rest of the session. (As above, the symmetric key algorithms used in key exchange (e.g., AES) aren’t as vulnerable to quantum computers so we simply need to increase their key length to secure against a quantum adversary.)
    Authentication: during this step, the server (and optionally the client) proves its identity using its certificate’s public key, involving signature algorithms such as RSA or ECDSA.

    In the future, quantum-safe algorithms will replace the use of RSA, ECDH, and ECDSA.

    We recommend using these schemes in hybrid mode until the cryptographic community gains full confidence in the new post-quantum cryptography. In hybrid mode, both key exchanges and signatures are performed in parallel, generating both a classical exchange/signature and a post-quantum one. The resulting messages/signatures are combined, offering the security against both current and future attacks.

    The PQ fork of OpenSSL can be obtained here: https://github.com/open-quantum-safe/openssl/tree/OQS-OpenSSL_1_1_1-stable

    Reply
  36. Tomi Engdahl says:

    The integration of Side-Channel Attack and Fault Injection resistant Post-Quantum Cryptography in embedded systems is not just a technological necessity; it’s a strategic imperative to protect against the dual threats of quantum computing and physical attacks.

    https://www.riscure.com/post-quantum-cryptography-on-embedded-challenges-and-opportunities/

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

*

*