While we hear a lot about how quantum will likely break current cryptography systems, this article spells out why quantum computing poses a threat to security and how the chip industry is getting ready for that post-quantum world.
Device connected to the Wi-Fi router? Check. Bills paid online? Check. And, while doing those things, did you stop to consider how secure those actions were? Unlikely. Since the wild-west feeling of the internet’s introduction back in the 1990s, we’ve left security to the experts. And they’ve done an excellent job. While passwords are stolen and access is hacked, the algorithms that implement security, such as AES (advanced encryption standard) and ECC (elliptic-curve cryptography), remain unbroken.
Today’s cryptography relies on four things. The first is math problems, which are easy to solve if you know the secret key but almost impossible if you don’t. Actually, this point needs clarification – almost impossible using today’s computing capability. Secondly, the algorithm must not have weaknesses. The slowest attack is a brute-force approach, trying all possible keys until the correct one is found. Researchers using cryptanalysis (the science of breaking codes) sometimes find shortcuts that reduce the number of keys they need to try, making key discovery easier.
The third aspect is implementation. It’s no good selecting a secure algorithm if executing the implementation somehow leaks the secret key used. The final element is human – we need to keep our secrets, well, secret. Because today’s systems are so challenging to crack, hackers prefer to use social engineering to get us to give up passwords and circumvent two-factor authentication systems. We need to remain aware of such schemes and how to avoid being drawn in.
Until recently, all was well with cryptography. As computing power has grown, AES and ECC have used increasingly longer keys, ensuring that a brute-force attack takes as long now as it did against shorter keys a decade earlier. Unfortunately, computer performance is no longer growing at a steady pace. Instead, it is making a quantum leap.
Quantum computers change the status quo when it comes to performing calculations. Unlike digital processors with their ones and zeros, quantum computers harness the power of quantum mechanics using quantum bits (qubits). These machines will have the potential to deliver tremendous benefits for humanity, such as simulating complex biological systems that lead us to improved medical therapies. But they also make some of today’s complex math problems look like child’s play: unfortunately, some of these math problems form the foundation for our current cryptographic standards.
Today, quantum computers are exceptionally expensive and complex to operate, and the largest has fewer than 200 qubits. However, the speed at which the number of qubits in these machines is increasing is worrying. Knowing that only around 4,000 stable qubits are required to break RSA-768 encryption (and more for the larger RSA key sizes used in the field), it really is only a matter of time before Internet security, as we know it, is broken.
The risks of quantum computers to cryptography have been apparent for some time. This led NIST, the National Institute of Standards and Technology, to launch a competition in 2016 to find new, quantum-resistant algorithms. This year, in 2022, the first four algorithms were announced.
The challenge for NIST was finding algorithms that were both quantum-secure and suited to today’s Internet applications. While computers and smartphones have ample processing power and memory, billions of small, microcontroller-powered internet of things (IoT) devices are being added every day. These devices have limited computing performance, kilobytes of memory, and must draw so little energy that their batteries last for years.
CRYSTALS-Kyber, an algorithm NXP helped develop, has been selected for key exchange. Noted for its comparatively small key size (although much larger than what we’re used to) and speed of operation, it relies on the learning-with-errors (LWE) problem over module lattices.
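To make the “easy with the secret key, hard without it” property concrete, here is an added toy example (not Kyber code and not NXP’s): a Regev-style encryption scheme built on plain LWE, the simpler relative of the module-LWE problem Kyber uses. The public key is a set of noisy linear equations in the secret; the holder of the secret removes everything except the small noise, while anyone else sees only near-uniform values. The dimensions are assumed illustrative values far too small for real security; q = 3329 is Kyber’s modulus, the rest are chosen only to keep the arithmetic easy to follow.

```python
import random

# Toy Regev-style LWE public-key encryption (illustrative parameters only).
Q = 3329  # Kyber's modulus; N and M below are deliberately tiny
N = 32    # dimension of the secret vector s
M = 64    # number of noisy LWE samples published in the public key

def small(rng, k):
    """k small 'noise' values in {-1, 0, 1}."""
    return [rng.choice((-1, 0, 1)) for _ in range(k)]

def dot(a, b):
    return sum(x * y for x, y in zip(a, b)) % Q

def keygen(seed=1):
    rng = random.Random(seed)
    s = small(rng, N)                                        # secret key
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]
    e = small(rng, M)
    b = [(dot(row, s) + ei) % Q for row, ei in zip(A, e)]    # b = A*s + e
    return s, (A, b)                                         # public key (A, b)

def encrypt(pk, bit, seed=2):
    A, b = pk
    rng = random.Random(seed)
    r = [rng.randrange(2) for _ in range(M)]                 # random 0/1 subset of samples
    u = [sum(r[i] * A[i][j] for i in range(M)) % Q for j in range(N)]   # r^T * A
    v = (sum(r[i] * b[i] for i in range(M)) + bit * (Q // 2)) % Q      # r.b + bit*q/2
    return u, v

def decrypt(s, ct):
    u, v = ct
    # v - u.s = r.(A s + e) - (r^T A).s + bit*q/2 = r.e + bit*q/2,
    # and |r.e| <= M < q/4, so the bit is recovered from which half d lands in.
    d = (v - dot(u, s)) % Q
    return 1 if Q // 4 < d < 3 * Q // 4 else 0

def roundtrip(bits, seed=3):
    """Encrypt each bit under a fresh key and decrypt it; returns the recovered bits."""
    s, pk = keygen()
    return [decrypt(s, encrypt(pk, bit, seed + i)) for i, bit in enumerate(bits)]
```

Without s, the ciphertext component v looks uniform in Z_q; with it, only the small residual r.e separates the two message values, which is exactly the gap the noise parameters of a real scheme like Kyber are tuned around.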
For digital signatures, three alternatives have been selected. CRYSTALS-Dilithium and FALCON also make use of lattice-based cryptography and are pretty efficient. To provide mathematical diversity, SPHINCS+ has also been selected. Slower by comparison, this algorithm is a hash-based signature scheme.
While the algorithms have been selected, there is still some work to do before we can start using them. One aspect is implementation – how will key exchange occur, and what will security certificates look like? Another is hardware support. Work has already been undertaken to test the software, with benchmarks available for the workhorse of embedded systems, the Arm Cortex-M4. However, there is still much to do.
Many processors acquired additional instructions to optimize the execution of AES, and dedicated security chips that support ECC are available from various semiconductor vendors. We should expect quantum-secure hardware to emerge in the next couple of years in the form of dedicated instructions, hardware acceleration IP, and dedicated security chips.
Researchers have undertaken much work around security implementation over the years. Power and RF analysis, coupled with decapping and probing, have uncovered weaknesses in security chips. The semiconductor industry has responded, ensuring that devices are less “leaky” by implementing suitable countermeasures. These are currently considered adequate, even as we move into a post-quantum era, but they will have an additional impact on size and practical performance.
Today, there is little that can be done in practice to move to quantum-resistant cryptography. However, there are ways to prepare. Perhaps the most important is to ensure that good IT security practices continue to be promoted. There is a significant risk that bad actors will go on a data harvesting spree, collecting encrypted data and communications, knowing they will be able to crack security keys in the coming years. And this won’t require possessing a quantum computer – it’s expected that these will be offered at hourly rates as a cloud service.
Security audits are another planning task, understanding what encryption is used and where, and what data and systems will require updating. For those developing new IoT solutions or maintaining existing ones, it is time to start the quantum conversation with hardware, software, and service suppliers to understand their security upgrade plans. Finally, talk to semiconductor vendors to learn what they are planning and how it will change the implementation of security in your products.
Joppe W. Bos is a senior principal cryptographer at the Competence Center for Cryptography and Security at NXP Semiconductors. He also currently serves as the secretary of the International Association for Cryptologic Research (IACR) and the co-editor of the Cryptology ePrint Archive. His research focuses on computational number theory and high-performance arithmetic as used in applied cryptography.