Post Quantum Cryptography - Do the Locks Used Hold Up?

Shopping, making cashless payments, ordering online, signing contracts without a pen - our everyday lives are more convenient than ever. Many things require little effort and we hardly think about the complex mechanics behind these processes. Trust in the reliability of our digital world is high. But is this trust really justified?

Experts have been warning for decades that this very reliability could one day be jeopardized. Are all the everyday activities that we use as private individuals and the services that companies offer to generate revenue really secure? This question is currently also being discussed in the media in Switzerland.¹

To answer it, we need to take a closer look at two developments in the field of encryption:

Quantum computers

Quantum computers have the potential to solve certain mathematical problems on which many current encryption systems are based much faster than classical computers. While conventional computers would take billions of years to crack today’s cryptographic systems, quantum computers could reduce this time to seconds or minutes. This makes attacks on our current security mechanisms, and therefore on the world as we know it, realistic and threatening.

Post-quantum cryptography (PQC)

Post-quantum cryptography comprises new cryptographic methods that are resistant to attacks from quantum computers. These new encryption methods are designed in such a way that even if the expected breakthroughs in quantum computing research are achieved, decryption is not considered realistic. The two developments are in competition with each other. It will be decisive which of them achieves a breakthrough and the necessary degree of dissemination more quickly and thus shapes our digital world. What is the current state?

• Quantum computers are a new type of computer that are characterized by a special architecture. IBM is on of the pioneers in the field and is currently focusing its attention on this area and is attracting attention with the following projects.
  • “Quantum System Two” provides a basis for scalable supercomputers².
  • With the new Heron processor, 133 qubits are now available³.

This greatly increases the theoretical performance. In practice, however, this still depends on the associated software - here too, IBM is making further progress with the Qiskit SDK. In total, the manufacturer reports between 20 and 50 % performance and quality growth this year alone.⁴ This performance is not yet sufficient to pose a practical threat, but this is only a matter of time.

On the other hand, the standardization of the first important algorithms by NIST was officially completed just a few weeks ago.⁵ In order to understand the progress here, it is necessary to take a differentiated look at the use cases.

• Key exchange: On August 14, NIST officially published the standardization of ML-KEM from the CRYSTALS-Kyber proposal under “FIPS 203”. Apple has been using Kyber in its PQ3 protocol implementation of iMessage since this year, Signal has also implemented Kyber in its PQXDH protocol. ^{6 7} Cloudflare, Google and Microsoft support TLS using X25519Kyber768 as a hybrid protocol to test its practicality and stability in everyday use. In contrast to Signal, Apple goes one step further: by increasing the frequency of key exchange (“rekeying”), security is further improved. Even if a key is compromised, only a small part of the communication can be decrypted. These security advantages have been formally tested and confirmed by ETH Zurich under the direction of Prof. David Basin⁸.
• Signatures: The standardization of ML-DAS from CRYSTALS-Dilithium and FALCON (both lattice-based) as SLH-DSA under FIPS 204 and of SPHINCS+ (hash-based) under FIPS 205 has also been completed.
• Certificates: The CRYSTALS dilithium to be standardized can already be used to create key pairs today. The extension of the X.509 standard in 2019 also enables the use of hybrid setups via section 9.8 to facilitate a transition. [10] Previous certificates created using existing methods will be vulnerable and therefore useless once sufficiently powerful quantum computers become available. As these certificates are publicly accessible, special care must be taken here.
• Long-term encryption: According to the current status, symetric algorithms like AES256 are considered to be quantum-resistant if used correctly. However, this does not apply to their use in protocols like S/MIME, because those are hybrid encryption scheme which reliy on the vulnerable asymmetric RSA and ECC algorithms for the key exchange. This content of S/MIME encrypted messages can be decrypted in the future if they are intercepted today (“Harvest now, decrypt later”).

What can companies do now?

The introduction of PQC (post-quantum cryptography) is basically “just” the implementation of another algorithm that will replace existing procedures. To prepare your organization for this, you should ensure that

• the critical points at which cryptographic processes are used are centrally documented, e.g. for external connections, authentication or document signing;
• you know the cryptogarphic algorithms currently used at critical points in your organization;
• your organization has a certain agility in adapting and renewing algorithms. Even if current algorithms are considered secure today, there is always the possibility that vulnerabilities will be discovered tomorrow. Put yourself in a position today to replace weak cryptography in a controlled manner;
• your PKI infrastructure is capable of mapping a PQC migration;
• your HSM infrastructure is capable of handling PQC.

Nevertheless, there is still a strong dependency on product manufacturers, who must now incorporate the innovations into their products. Cryptography is only as secure as its weakest link in the chain. Pay particular attention to the capabilities to upgrade cryptographic algorithms when purchasing new products!

Are we secure or not?

With the standardization of FIPS 203, 204 and 205, PQC has gained a head start over quantum computing, although progress there is also promising. Nevertheless, the use of this technology will remain cost-intensive and it is unlikely that every potential attacker will have a quantum computer in the near future. It can therefore be assumed that attackers will carefully weigh up whether the decryption effort is worthwhile. Individuals will hardly be the focus of attention, but central services such as administrations and financial institutions will be - in other words, anyone who processes and exchanges long-lasting, sensitive data. We therefore recommend that these organizations consider the following questions now so that they can start using PQC as soon as possible:

• Are you aware of critical data streams that could be intercepted today and stored for future decryption attempts?
• Do you know of protected content today that could still be of value in 5, 10 or 15 years’ time if it is decrypted, for example electronically signed contracts or long-lived certificates?
• If you have to answer “no” to the above questions for your organization, there is indeed cause for concern. Do not hesitate to contact us - we will use our expertise to work with you to develop tailor-made solutions and provide comprehensive security for your organization.