The urgency of post-quantum cryptography

A year ago today, the National Institute of Standards and Technology (NIST) published the first official algorithms of its standard for post-quantum cryptography (PQC). The standard is the result of a 2022 memorandum from the Biden administration that obliges federal agencies to move to PQC-based security by 2035.
Cryptography is based on mathematical problems that are practically impossible to solve, but whose solutions are easy to check. Built on these problems, only the holder of a secret key can produce the solution and gain access to the protected data. Today, most online cryptography relies on one of two such algorithms: RSA or elliptic-curve cryptography.
The cause for concern is that a quantum computer, if a sufficiently large one is built, would make the “hard” problems underlying current cryptographic methods easy. Fortunately, there are other mathematical problems that appear just as hard for quantum computers as for their existing classical counterparts. That is the basis of post-quantum cryptography: cryptography that remains secure against hypothetical quantum computers.
With the mathematics behind PQC settled and the standards in hand, the work of adoption is under way. It is not an easy task: every computer, laptop, smartphone, autonomous car and IoT device will have to fundamentally change the way it performs cryptography.
Ali El Kaafarani is a researcher at the Oxford Mathematical Institute who contributed to the development of the NIST PQC standards. He also founded a company, PQShield, to help bring post-quantum cryptography into the real world by helping original equipment manufacturers implement the new protocols. He spoke with IEEE Spectrum about how adoption is going and whether the new standards will be implemented in time to beat the looming threat of quantum computers.
What has changed in industry since the release of the NIST PQC standards?
Ali El Kaafarani: Before the release of the standards, many people were not talking about it at all, in the spirit of “if it works, don’t touch it.” Once the standards were published, the whole story changed, because now it is not a hypothetical overhaul, it is a compliance problem. There are standards published by the US government. There are deadlines for adoption. And the 2035 [deadline] came with a publication from [the National Security Agency] and was adopted in formal legislation passed by Congress, so there is no way around it. Now it’s a compliance problem.
Before, people asked us, “When do you think we are going to have a quantum computer?” I don’t know when we’re going to have a quantum computer. But that’s the problem, because we are talking about a risk that can materialize at any time. Some other, smarter people who have access to a wider range of information decided in 2015 to classify quantum computers as a real threat. So this year was a year of transformation, because the question went from “why do we need it?” to “how are we going to use it?” And the whole supply chain has started to work out who will do what, from chip design to the network security layer to critical national infrastructure, to build a post-quantum-ready cybersecurity toolkit.
Challenges in the PQC implementation
What are the difficulties of implementing the NIST standards?
El Kaafarani: You have the magnificent mathematics, you have the NIST algorithms, but you also have the Wild West of cybersecurity. This infrastructure ranges from the smallest sensors and car keys, and so on, to the largest server sitting there trying to crunch hundreds of thousands of transactions per second, each with different security requirements, each with different power consumption requirements. Now that is a different problem. It is not a mathematical problem, it is an implementation problem. This is where you need a company like PQShield, where we bring together hardware engineers, firmware engineers, software engineers and mathematicians, and everyone around them, to say: “What can we do for this particular use case?”
Cryptography is the backbone of cybersecurity infrastructure, and worse than that, it is the invisible piece that no one cares about until it breaks. If it works, no one touches it. They only talk about it when there is a breach, and then they try to repair things. In the end, they usually put band-aids on it. This is normal, because companies cannot sell the security functionality to customers. They only use it when governments force them, as when there is a compliance problem. And now this is a much bigger problem, as if someone had told them: “You know what, all the cryptography that you have been using for 15 years, 20 years, you actually have to change it.”
Are there security concerns for implementations of the PQC algorithms?
El Kaafarani: Well, we haven’t done it before. It is not battle-tested. And now what we are saying is: “Hey, AMD and the rest of the hardware or semiconductor world will put all these new algorithms in hardware, and trust us, they will work well, and then no one can hack them and extract the key.” It’s not easy, right? No one has the courage to say that.
That is why, at PQShield, we have vulnerability teams that try to break our own creations, separately from the teams that design things. You have to do this. You have to stay one step ahead of the attackers. That’s all you need to do, and that’s all you can do, because you can’t say: “Okay, I have something secure. No one can break it.” If you say that, you will eat humble pie in 10 years, because maybe someone will find a way to break it. You just have to keep innovating, and keep doing continuous security testing of your products.
Because PQC is new, we have still not seen all the creativity of the attackers trying to bypass the beautiful mathematics and come up with those creative and nasty attacks that make a mockery of the mathematics. For example, some attacks look at the power consumption of the algorithm on your laptop, and they extract the key from differences in power consumption. Or there are timing attacks that look at how long it takes you to encrypt the same message 100 times and how that changes, and they can really extract the key. So there are different ways to attack algorithms out there, and that’s not new. We simply do not yet have billions of these devices in our hands running post-quantum cryptography that people have tested.
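As an added example (not from the interview or from PQShield), the Python below models the timing leak El Kaafarani describes: an early-exit byte comparison does a secret-dependent amount of work, while a constant-time version does not. The tag value and the work counter are constructed for illustration; the count stands in for elapsed time so the check is deterministic.

```python
from typing import Callable

# Constructed sample authentication tag; not a real key or real protocol value.
SECRET_TAG = bytes.fromhex("a1b2c3d4e5f60718")


def leaky_compare(secret: bytes, guess: bytes) -> tuple[bool, int]:
    """Early-exit comparison. Returns (equal, bytes_examined).

    bytes_examined models running time: it grows with the length of the
    matching prefix, so the observable work depends on the secret.
    """
    if len(secret) != len(guess):
        return False, 0
    examined = 0
    for s, g in zip(secret, guess):
        examined += 1
        if s != g:  # bail out on the first mismatch -> timing leak
            return False, examined
    return True, examined


def constant_time_compare(secret: bytes, guess: bytes) -> tuple[bool, int]:
    """Examine every byte regardless of mismatches; work is independent of data."""
    if len(secret) != len(guess):
        return False, 0
    diff = 0
    examined = 0
    for s, g in zip(secret, guess):
        examined += 1
        diff |= s ^ g  # accumulate differences instead of branching on them
    return diff == 0, examined


def timing_leak_profile(compare: Callable[[bytes, bytes], tuple[bool, int]],
                        secret: bytes) -> set[int]:
    """Feed guesses sharing a prefix of length 0..len(secret) with the secret
    and collect the distinct work counts. A constant-time implementation
    yields exactly one value; a leaky one yields one value per prefix length,
    which is what a timing attacker exploits byte by byte."""
    counts = set()
    for prefix_len in range(len(secret) + 1):
        tail = bytes(b ^ 0xFF for b in secret[prefix_len:])  # guaranteed mismatch
        guess = secret[:prefix_len] + tail
        counts.add(compare(secret, guess)[1])
    return counts
```

In production code, use the platform's constant-time primitive (in Python, `hmac.compare_digest`) rather than a hand-rolled loop, and apply the same "does the work depend on the secret?" test to the whole implementation, not just the comparison.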
Progress in the adoption of PQC
How would you say adoption is going so far?
El Kaafarani: The fact that many companies only started when the standards were published puts us in a position where some are well advanced in their thinking, their processes and their adoption, and others are completely new to it because they were not paying attention and were just kicking the can down the road. The majority of those who kicked the can are those who do not sit high in the supply chain, because they felt it was someone else’s responsibility. But they did not understand that they had to influence their suppliers regarding their requirements, their deadlines, their integration and so many other things they must prepare. This is what is happening now: many of them are doing a lot of work.
Now, of those who sit high in the supply chain, some have made great progress and have started to integrate post-quantum cryptography designs into new products, and are trying to find a way to retrofit products that are already in the field.
I don’t think we are in an ideal place, where everyone is doing what they are supposed to do. That is not the case. But I think that from last year, when many people were asking “when do you think we are going to have a quantum computer?” to now, when they ask “How can I comply? Where do you think I should start? How can I assess my infrastructure to understand where the most valuable assets are, and how can I protect them? What influence can I exert on my suppliers?” I think huge progress has been made.
Is that enough? It is never secure enough. Security is damn difficult. It is a multidisciplinary subject. There are two types of people: those who like to build security products and those who would like to break them. We try to get most of those who like to break them onto the right side of history, so that they can make products stronger rather than leaving existing ones vulnerable to exploitation.
Do you think we are going to make it by 2035?
El Kaafarani: I think the majority of our infrastructure should be post-quantum secure by 2035, and that’s a good thing. It is a good thought to have. Now, what happens if quantum computers become reality before that? That is a good subject for a television series or a film. What happens when most secrets are readable? People don’t think about it hard enough. I don’t think anyone has an answer for this.