In our last blog post, ISEC7 Government Services discussed quantum computing and the challenges it poses. This week we will cover post-quantum security in depth to help you better understand different methods of cryptography, laws and regulations around post-quantum security, and what software vendors and manufacturers are currently offering.
What is Post-Quantum Security?
Post-quantum security refers to the development and implementation of cryptographic techniques and algorithms that remain secure even in the presence of powerful quantum computers. Quantum computers have the potential to solve certain mathematical problems, such as integer factorization and discrete logarithms, much more efficiently than classical computers. As a result, cryptographic systems that rely on these mathematical problems, such as Rivest–Shamir–Adleman (RSA) and Elliptic Curve Cryptography (ECC), may become vulnerable to attacks once large-scale quantum computers become available.
Post-quantum security aims to address this vulnerability by designing cryptographic algorithms that are resistant to quantum attacks, based on mathematical problems believed to be hard for both classical and quantum computers to solve efficiently. As quantum computing technology advances, the need for post-quantum security becomes increasingly important to ensure the long-term security of sensitive information and communication systems. Researchers and cryptographic experts are actively exploring and developing post-quantum cryptographic solutions to safeguard data against the potential threat of quantum attacks.
What Are the Different Approaches?
Technological approaches to address the challenges to security posed by quantum computing include Quantum Random Number Generator (QRNG), Quantum Key Distribution (QKD), and Post-Quantum Cryptography (PQC).
1) Quantum Random Number Generator (QRNG)
One strategy addresses the inadequate entropy that endpoints currently use when generating encryption keys. The random values feeding key generation often lack sufficient randomness and are overly predictable, particularly when they come from legacy random number generators, not to mention inherent flaws in existing Random Number Generators (RNGs). Current solutions for generating randomness, such as Pseudorandom Number Generators (PRNGs) or Cryptographic Pseudorandom Number Generators (CPRNGs), all depend on algorithms or mathematical principles. In contrast, Quantum Random Number Generators (QRNGs) are hardware-based technologies that leverage physics to generate truly random numbers, known as quantum entropy. QRNGs have been in practical use for several years, particularly in industries such as online casinos where high randomness levels are crucial for gaming and gambling services (e.g., slot machines).
QRNGs are accessible in various hardware forms, sometimes as compact as a chipset within a mobile phone. Typically, they include a light-emitting diode (LED) and an image sensor. The LED emits a random number of photons (particles of light), which the sensor captures and counts, yielding a sequence of random numbers that can be disseminated to applications. For instance, they can be used to generate robust, quantum-safe encryption keys.
Quantis Quantum Random Number Generator (QRNG) chipset
2) Quantum Key Distribution (QKD)
Another challenge in contemporary cryptography resides in the fact that the exchange of keys between two parties takes place over the same insecure communication channel as the data.
Traditional key distribution
This is precisely the issue that Quantum Key Distribution (QKD) seeks to address, using photons transmitted over a dedicated fiber optic connection to create matching encryption keys at both ends of the link. Leveraging principles from quantum physics such as superposition and entanglement, these photons cannot be observed or intercepted without altering their state. Consequently, attempts to steal or tamper with the keys would be detected, effectively thwarting any potential Man-In-The-Middle (MITM) attack.
Quantum Key Distribution (QKD)
Quantum Key Distribution (QKD) operates entirely on hardware and requires specialized hardware devices known as quantum repeaters, which are interconnected via dedicated point-to-point optical fiber links. One constraint is the current maximum secure distance for quantum key distribution, which stands at approximately 100km; however, certain vendors have devised alternative methods to circumvent this limitation. Additionally, certain foreign government entities are exploring the utilization of satellites as relays, employing line-of-sight (LOS) transmissions to transmit photons, thereby surpassing this constraint, and enabling long-distance delivery.
3) Post-Quantum Cryptography (PQC)
It is estimated that traditional computing would require approximately 300 trillion years to breach RSA asymmetric encryption utilizing a 2048-bit key length, rendering it theoretically nearly "unbreakable."
However, with quantum computing, some researchers project this duration could be drastically reduced to just 8 hours. Therefore, ongoing initiatives from the National Security Agency (NSA) and the National Institute of Standards and Technology (NIST) aim to identify a quantum-safe alternative to current encryption methods. Post-Quantum Cryptography (PQC) encompasses next-generation cryptographic algorithms designed to withstand cyberattacks from both traditional and quantum computers.
Post-Quantum Cryptography (PQC) therefore refers to cryptographic algorithms and protocols designed to resist attacks from quantum computers and intended to replace the existing ones, providing a new generation of cryptographic tools that can withstand attacks from both classical and quantum computers and thereby ensuring the long-term security of sensitive information.
One approach involves fortifying the widely used Transport Layer Security (TLS) protocol by integrating a Key Encapsulation Mechanism (KEM) to secure the exchange of symmetric keys using asymmetric cryptography. In this process, one party uses the public key to "encapsulate" a symmetric key, while the other party uses its private key to "decapsulate" and retrieve that symmetric key, which is then used to encrypt all exchanged information. A KEM operates similarly to Public Key Encryption (PKE) in that it relies on a public/private key pair. Unlike PKE, however, the asymmetric keys in a KEM protect not the actual message but an encryption key, which is then used to protect the message.
Key Encapsulation Mechanism (KEM)
Post-Quantum Cryptography (PQC) operates as software, not hardware, eliminating the need for users to invest in new equipment, and seamlessly integrates with existing communication mediums such as optical fiber, satellite, 4G/5G, and copper, along with network protocols like TCP/IP, and equipment including routers and switches. Moreover, it is compatible with various types of endpoints, including mobile devices, desktop computers, and back-end servers, regardless of their location—whether locally or in the cloud.
Last summer, NIST selected four algorithms to be standardized as part of the Post-Quantum Cryptography (PQC) Standardization Process: CRYSTALS–KYBER, a quantum-resistant cryptographic algorithm suited to general encryption tasks that require quick exchange of small encryption keys, along with three digital signature schemes: CRYSTALS–Dilithium, FALCON, and SPHINCS+.
How Is the Industry Preparing for It?
Protecting against post-quantum attacks requires hardening of all the components involved in these exchanges, and both software vendors and hardware manufacturers are already working on ensuring today and tomorrow’s communications remain secure against such attacks.
Hardware Manufacturers
Network Appliances
Network appliance vendors are working on integrating post-quantum technology into their appliances. There are currently two protocols available for clients (e.g., a mobile VPN client) to securely request key generation and distribution from their back-end counterpart (e.g., a VPN access point). The first, ETSI GS QKD 014 (REST-based key delivery API), was developed by the European Telecommunications Standards Institute (ETSI) and aims to become the standard protocol for Quantum Key Distribution (QKD); the other, Cisco Secure Key Integration Protocol (SKIP), is a proprietary protocol developed by Cisco and soon to be available on their own network appliances.
Desktop Computers
The world’s largest personal computer manufacturer recently released the first quantum laptop computer available in consumer electronics retail shops, which reinforces the security of data and applications by using stronger encryption and protecting critical processes such as authentication, payment, and unlocking, among others.
Mobile Devices
Some mobile device manufacturers, in partnership with companies specialized in quantum computing and post-quantum security, are starting to release top-shelf mobile devices equipped with quantum technology. In this case, the mobile devices are equipped with a QRNG chip that provides quantum entropy whenever random data is required, for example during encryption key generation.
Software Vendors
Instant Messaging (IM) Platforms
Instant Messaging (IM) platforms rely on End-to-End Encryption (E2EE) to ensure that messages exchanged between users remain confidential throughout transmission, by encrypting them with a unique encryption key known only to the sender and recipient, so that even if intercepted in transit, those messages are of no use to an eavesdropper. Given post-quantum security concerns, however, it is critical for platforms carrying such sensitive information to protect not only current communications but also against interception by a malicious actor who aims to decrypt them in the future (see the “Harvest now, decrypt later” attack).
Some vendors have already started adding quantum-resistant mechanisms to their End-to-End Encryption (E2EE) specifications, usually by implementing NIST-approved PQC algorithms at the different stages of the process, such as key agreement/establishment (creation and distribution of cryptographic keys between both parties), rekeying (periodic replacement of encryption keys), and authentication (relying on digital signatures and cryptographic certificates).
Web Browsers
One of the most widely used web browsers recently added support for a new hybrid PQC algorithm called “X25519Kyber768”, combining X25519 for key exchange with Kyber-768 as the PQC KEM, representing the first real opportunity to start using PQC for secure communications over the ubiquitous TLS protocol. This is just a first step, as the company that owns the browser, one of the largest technology companies in the world, also announced that it is slowly rolling out support on its back-end servers too.
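The KEM flow described in the Post-Quantum Cryptography section above (encapsulate a fresh symmetric key under a public key, decapsulate it with the private key) and the hybrid construction behind X25519Kyber768 (two KEMs run side by side, one key derived from both shared secrets) are shown below as an added example. It is not code from the original post or from any vendor named in it, and it uses only the Python standard library: the classical leg is finite-field Diffie-Hellman over RFC 3526 group 14 in the DHKEM pattern of RFC 9180, standing in for X25519, and because Kyber-768 is not available in the standard library, the post-quantum leg is modelled by a second instance of the same DHKEM (a real deployment would use ML-KEM/Kyber-768 from a PQC library there). The class and function names (`DHKEM`, `HybridKEM`, `roundtrip`, and so on) and the domain-separation labels are assumptions of this example, not names from any standard.

```python
"""KEM and hybrid-KEM walkthrough using only the Python standard library."""
import hashlib
import secrets

# RFC 3526 MODP group 14: 2048-bit safe prime P; generator 2 has prime order
# Q = (P - 1) / 2, so private exponents are drawn from [1, Q).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G, Q = 2, (P - 1) // 2


def _i2b(x):
    return x.to_bytes(256, "big")  # fixed-width encoding of a group element


class DHKEM:
    """KEM built from finite-field Diffie-Hellman (the DHKEM pattern of RFC 9180).
    What gets encapsulated is a fresh symmetric key, never the message itself."""

    def keygen(self):
        sk = secrets.randbelow(Q - 1) + 1      # 1 <= sk < Q
        return sk, pow(G, sk, P)               # (private key, public key)

    def encapsulate(self, pk):
        """Sender side: ephemeral r, ciphertext g^r, key derived from pk^r."""
        self._check(pk)
        r = secrets.randbelow(Q - 1) + 1
        ct = pow(G, r, P)
        return self._derive(pow(pk, r, P), ct, pk), ct

    def decapsulate(self, sk, ct):
        """Recipient side: the same key from ct^sk, after validating ct."""
        self._check(ct)
        return self._derive(pow(ct, sk, P), ct, pow(G, sk, P))

    @staticmethod
    def _check(x):
        # Reject out-of-range and small-subgroup elements before sk touches them.
        if not 1 < x < P - 1 or pow(x, Q, P) != 1:
            raise ValueError("element is not in the prime-order subgroup")

    @staticmethod
    def _derive(dh, ct, pk):
        # Hashing ct and pk in with the DH value ties the key to this exchange.
        return hashlib.sha256(b"dhkem-demo" + _i2b(dh) + _i2b(ct) + _i2b(pk)).digest()


class HybridKEM:
    """Two KEMs side by side; the key depends on both shared secrets, so it
    stays secret as long as at least one component (classical or PQ) holds."""

    def __init__(self, classical, post_quantum):
        self.legs = (classical, post_quantum)

    def keygen(self):
        return tuple(zip(*(leg.keygen() for leg in self.legs)))  # (sks, pks)

    def encapsulate(self, pks):
        sss, cts = zip(*(leg.encapsulate(pk) for leg, pk in zip(self.legs, pks)))
        return self._combine(sss, cts), cts

    def decapsulate(self, sks, cts):
        sss = [leg.decapsulate(sk, ct) for leg, sk, ct in zip(self.legs, sks, cts)]
        return self._combine(sss, cts)

    @staticmethod
    def _combine(sss, cts):
        # Concatenate the shared secrets (as the IETF TLS hybrid key-exchange
        # design does) and hash them together with both ciphertexts.
        data = b"hybrid-demo" + b"".join(sss) + b"".join(map(_i2b, cts))
        return hashlib.sha256(data).digest()


def roundtrip():
    """Full hybrid exchange; the second DHKEM stands in for Kyber-768 (ML-KEM)."""
    kem = HybridKEM(DHKEM(), DHKEM())
    sks, pks = kem.keygen()                  # recipient publishes pks
    sender_key, cts = kem.encapsulate(pks)   # only cts travel over the wire
    return sender_key, kem.decapsulate(sks, cts)


def tampered_ciphertext_changes_key():
    """A well-formed but altered ct yields a different key: the peers fail to
    agree instead of silently sharing an attacker-influenced key."""
    kem = DHKEM()
    sk, pk = kem.keygen()
    key, ct = kem.encapsulate(pk)
    return kem.decapsulate(sk, ct * G % P) != key


def malformed_ciphertext_is_rejected():
    """P - 1 has order 2; such small-subgroup elements must never reach sk."""
    sk, _ = DHKEM().keygen()
    try:
        DHKEM().decapsulate(sk, P - 1)
    except ValueError:
        return True
    return False
```

In a TLS deployment the combined secret would feed the record-layer key schedule rather than be used directly; the example stops at key agreement. The two checks at the end show why KEM ciphertexts are validated before the private key is applied and why a mismatched key, not a silently weakened one, is the outcome of tampering.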
Laws and Regulations in the US
Although there currently are no special laws or regulations in the United States that mandate governmental and federal agencies to implement quantum-resistant cryptography to protect against quantum cyberattacks, the U.S. government has been actively engaged in researching, developing, and preparing for the advent of quantum computing and its potential implications for cybersecurity.
In December 2022, the U.S. Congress passed “H.R.7535 - Quantum Computing Cybersecurity Preparedness Act” in order to encourage federal agencies to adopt quantum-resistant cryptography.
Various cybersecurity laws, policies, and directives emphasize the importance of addressing emerging threats and vulnerabilities in cyberspace, and agencies such as the National Institute of Standards and Technology (NIST) have been actively involved in evaluating and standardizing cryptographic algorithms, including those resilient to quantum attacks.
Development and Implementation
The need for robust cryptographic algorithms and encryption methods that resist attacks from quantum computers is recognized, reflecting awareness of the threat quantum computing poses to traditional cryptographic systems.
Research and Innovation
Research and innovation efforts aimed at advancing quantum-resistant cryptography are being increased, signaling an intention to invest resources in exploring and developing new cryptographic techniques that can withstand the capabilities of quantum computers.
Collaboration and Coordination
Collaboration and coordination among government agencies, industry partners, and academic institutions are considered essential to address the challenges quantum computing poses to cybersecurity effectively, acknowledging the multifaceted nature of the issue and the need for a coordinated effort to develop and deploy quantum-resistant encryption solutions.
International Engagement
International engagement and cooperation are considered important in promoting quantum-resistant cryptography, recognizing the global nature of cybersecurity threats and the need for international collaboration to mitigate risks to cryptographic systems.
With quantum computing fast on the rise, the best practice for your organization is to get post-quantum ready. For now, we recommend reviewing your security posture and ensuring all your communications, especially over the Internet, are secured using the highest recommended level of encryption. The same goes for your data, especially data stored externally. Additionally, start investigating what some vendors are already offering in terms of post-quantum security. Please reach out to the team at ISEC7 Government Services with any questions and we would be happy to help you assess options to best protect your data and infrastructure.