The National Security Agency (NSA, USA) has announced the “Commercial National Security Algorithm Suite 2.0” (CNSA 2.0, you can find the announcement here and some FAQ here).
There are a few points of interest related to this announcement:
- first of all, NIST has not completed the selection and standardization of all possible Post Quantum Cryptography algorithms, which should be completed by 2024, but the NSA has anyway decided to require the implementation of the algorithms already standardized by NIST (see NIST SP 800-208) and to suggest to get ready to implement the others which will be standardized in the next years; this can be interpreted as NSA has some kind of urgency in introducing the new algorithms and that it foresees that Quantum Computers able to break current cryptographic algorithms like RSA will arrive in a not too far future;
- the already standardized new PQC algorithms are to be used only for software and firmware signing, and the transition to them must begin immediately;
- the timelines are quite short considering the time it takes to implement, also in hardware, all the new algorithms, summarizing: the already standardized new PQC algorithms must be implemented by 2025 and exclusively used by 2030; all others new PQC algorithms should be supported or implemented by 2025 and exclusively used by 2033;
- the above mentioned timelines suggest that NSA believes that a Quantum Computer able to break current cryptographic algorithms like RSA could be available by 2035 or around.
Cryptographic algorithms change, evolve, are retired. This is nothing new, but still we are not good in swapping an old, weak or deprecated algorithm for a new one. There are many issues that make this quite complex, like
- algorithms can be implemented in hardware for performance, substituting them with software implementations can notably degrade the performance of the system, and new hardware implementation can take years to implement and require changing many hardware components
- new algorithms have different software interfaces which can require that all programs using them have to be updated accordingly.
Experience of the last 30 years shows us that it can take many years to change to new cryptographic algorithms: from DES to AES, from MD4 and MD5 to SHA-0, SHA-1, SHA-2 and SHA-3. To make things even more complicated, long term sensitive information must be kept securely encrypted for many years, which requires using algorithms which will remain effective for the same time span, whereas digital signatures must be re-applied with the new and stronger algorithms before the old ones are deprecated.
To all this, we can add the threat of Quantum Computers which, in case they will become really operational, will be able to break practically all current asymmetric algorithms (eg. RSA). Do we need to change all asymmetric algorithms with the new Post Quantum Cryptographic algorithms as soon as these will be available? And how long will this take? What if one of these new PQC algorithms, which are based on new types of math, will be broken short time after its deployment?
So we need to vastly improve the “agility” of swapping from old to new cryptographic algorithms and to be proactive in doing it. This requires designing new interfaces and processes which will easily allow to swap one cryptographic algorithm for a new one.
Post Quantum Cryptography (PQC) is the name which describes new cryptographic algorithms which should be safe to use even if a real Quantum Computer will arrive. NIST competition to designate these algorithms has started in 2016, now is in its 4th round and is supposed to end by 2024.
This year NIST, for round 4, has selected 4 final candidates and 4 potential replacements in case any of the 4 front runners will drop out. But this year already two candidates have been invalidated due to the discovery of serious security weaknesses: in February, at the end of round 3, it was the case of Rainbow, and these days (see here), in round 4, is the case of SIKE, a potential replacement candidate.
The weaknesses discovered apply only to the algorithms which have been invalidated, but the fact that they have been discovered so late in the NIST selection process should make us wonder if the timeline will be maintained or more time will be needed to completely test and evaluate these new algorithms.
I do not really know what is going on, but news on Quantum Computers (or “Quantum Information Science” – QIS) and Post Quantum Crypto keep piling up, the last one coming from the White House (see eg. here).
Openssh has released a few days ago version 9.0 (here the announcement) which features the “hybrid Streamline NTRU Prime + x25519 key exchange method by default.” In other words, the key exchange is performed by the standard X25519 ECDH key exchange algorithm (the previous default) paired with the NTRU Prime, a Post Quantum Crypto algorithm “believed to resist attacks enabled by future quantum computers.” If one of the two algorithms fails to protect the confidentiality of the encryption key, the other should continue to protect it, even if a quantum computer will be able to successfully attack X25519 ECDH alone.
We do not know if or when Quantum Computers will arrive: 10 years “at best” for Quantum Computing, “at worst” for Cryptography.
Today Post Quantum Cryptography (PQC) aims to provide algorithms resistant to Quantum Computers but it is still in an development phase (see eg. NIST for details).
Concerning information security and Quantum Computer, today we should worry about at least two issues:
- how long it will take to perform the transition to Post Quantum Crypto algorithms;
- how to protect information encrypted today with standard algorithms but that should still be protected in 10 or more years.
For the second point, one possibility is to adopt already today the emerging PQC algorithms and “double encrypt” sensitive long-term data with a current algorithm and PQC-devel algorithm, with the hope that if one of the two fails the other will keep protecting the data. And based on this IBM announcement (see also here), this seems to be starting right now.
These days I keep coming back to the “security patching and updates” issue. So I am going to add another couple of comments.
The first is about Ripple 20 (here the official link but the news is already wide spread) which carries an impressive number of “CVSS v3 base score 10.0” vulnerabilities. The question is again:
how can we secure all of these Million/Billion vulnerable devices since it seems very likely that security patching is not an option for most of them?
The second one is very hypothetical, that is in the “food for thought” class.
Assume, as some says, that in 2030 Quantum Computers will be powerful enough to break RSA and other asymmetrical cryptographic algorithms, and that at the same time (or just before) Post Quantum Cryptography will deliver us new secure algorithms to substitute RSA and friends. At first sight all looks ok: we will have just to do a lot of security patching/updating of servers, clients, applications, CA certificates, credit cards (hardware), telephone SIMs (hardware), security keys (hardware), Hardware Security Modules (HSM) and so on and on… But what about all those micro/embedded/IoT devices in which the current cryptographic algorithms are baked into? And all of those large devices (like aircrafts but also cars) which have been designed with cryptographic algorithms baked into them (no change possible)? We will probably have to choose between living dangerously or buy a new one. Or we could be forced to buy a new one, if the device will not be able to work anymore since its old algorithm will not be accepted by the rest of the world.
PS. Concerning Quantum Computers, as far as I know nobody claims that a full Quantum Computer will be functioning by 2030, this is only the earliest possible estimate of arrival, but it could take much much longer, or even never!
PS. I deliberately do not want to consider the scenario in which full Quantum Computers are available and Post Quantum Cryptography is not.
NIST has announced the conclusion of the first round of the standardization process for post-quantum-cryptography algorithms, that is public key and digital signature algorithms which are not susceptible to attacks by quantum computers.
The announcement can be found here and a report on the 26 participants to the second round can be downloaded from here.
Wired reports in this article of a recent advance in deployed cryptography by Google.
Last summer the NSA published an advisory about the need to develop and implement new crypto algorithms resistent to quantum computers. Indeed if and when quantum computers will arrive, they will be able to crack easily some of the most fundamental crypto algorithms in use, like RSA and Diffie Hellman. The development of quantum computers is slow, still it continues and it is reasonable to expect that sooner or later, some say in 20 years, they will become reality. Also the development of new crypto algorithms is slow, so the quest for crypto algorithms resistant to quantum computers, also called post-quantum crypto, has already been going on for a few years.
Very recently Google has announced the first real test case of one of these new post-quantum algorithms. Google will deploy to some Chrome Browsers an implementation of the Ring-LWE post-quantum algorithm. This algorithm will be used by the chosen test users, to connect to some Google services. Ring-LWE will be used together with the current crypto algorithms adopted by the browser. Composing the current algorithms with Ring-LWE will guarantee a combined level of security, that is the minimum level of security is that of the strongest algorithm used in the combination. It should be noted that Ring-LWE is a much more recent crypto algorithm compared to the standard ones, and its security has not been established yet to a comparable level of confidence.
If the level of security will not decrease and hopefully just increase, it has to be seen how it will work in practice in particular for performances.
For modern cryptography this two-year Google’s project could become a cornerstone for the development and deployment of post-quantum algorithms.
I am still interested in developements in the area of Quantum phenomena which can be used in ICT and in particular in ICT Security. Recently there have been quite a few announcements of interest. Here are a some of them:
- A scientific paper proposes on a new way of generating Quantum Random Number, that is ‘real random numbers’ (whatever that means) by using every day technology like the camera of our smart phone; this does not mean that the smart phone camera is enough to produce real random numbers (for the moment you still need a computer to process the data produced by it) but it is a sign that the technology is providing us with tools of unprecedented power, and soon our smart phone will be enough for a good many things;
- New developments in Quantum Cryptography (se here and here for details) would make it easier to implement Quantum Cryptography in practice; this is nice, even if it does not changes dramatically the current status and relevance of Quantum Cryptography;
- Another article (see here for a comment) leaves me instead quite puzzled: either I don’t understand it or there is something fundamentally flawed in the argument otherwise it will look like it is possible to obtain quantum effects in classical physics, which is just what it is not.