
Post-Quantum Cryptography

Preparing the industry for the transition to post-quantum cryptography (PQC)

Preparing for the arrival of quantum computing is a key objective for the mobile industry. New cryptographic methods that resist quantum attacks can mitigate the threats quantum computing poses to data security.

Defending against these threats is crucial to maintaining trust in communications, transactions, and the modern services we rely on daily. As a cornerstone of everyday life, the mobile industry plays a vital role in revising existing cryptographic standards, improving global digital infrastructures, and identifying potential vulnerabilities during this transition.



Post-Quantum FAQ

What is the quantum threat?

The evolution of quantum computing capabilities poses a threat as they can potentially render obsolete the most widely used cryptographic algorithms, such as public key cryptography, which underpin the cybersecurity solutions we rely on today to keep information and communications safe. The timing of the threat is uncertain. However, significant progress is being made in the evolution of quantum computing performance, quantum algorithms, and error correction.

Why are public/private key schemes more affected by a quantum computer attack than symmetric key schemes?

The security of public/private key algorithms, such as RSA- and elliptic curve-based public key encryption and digital signature schemes, relies upon the difficulty of solving specific underlying mathematical problems. RSA-based protocols rely on the hardness of finding the prime factors of large integers, while elliptic curve-based methods and Diffie-Hellman key exchanges rely on the hardness of the discrete logarithm problem. The security of these asymmetric protocols is founded on the assumption that a computationally or time-bounded attacker is unable to efficiently compute the prime factors of large integers or solve the discrete logarithm problem. The advent of quantum computing fundamentally changes our assumptions regarding the computing power available to bad actors. Shor’s algorithm, for example, enables the efficient factorisation of large integers and allows attackers to solve the discrete logarithm problem efficiently. Importantly, Shor’s algorithm achieves an exponential speedup relative to known classical methods, so simply increasing key sizes is not a feasible defence. Consequently, a sufficiently large fault-tolerant quantum computer poses a threat to systems and protocols that utilise public key cryptography and/or digital signatures, and large-scale changes are required to retain present-day security assurances in the face of this quantum threat.

What does PQC mean?

PQC refers to a category of cryptographic protocols aiming to provide security against quantum-empowered adversaries by using classical (i.e. non-quantum) techniques. Since the quantum threat to symmetric algorithms posed by Grover’s algorithm is less severe, the pathway to a post-quantum status is perhaps more straightforward for symmetric protocols. Namely, it remains feasible to retain similar cryptographic methods in the presence of a quantum-empowered adversary by employing a higher level of security. For example, in some cases increasing the bit-size of keys under the correct design paradigm may be sufficient to retain an adequate level of security in the face of Grover’s algorithm. Such changes can elevate symmetric protocols from quantum-vulnerable to post-quantum secure.

What is the “store now, decrypt later” attack?

Prior to the availability of a Cryptographically Relevant Quantum Computer (CRQC), motivated bad actors may harvest data and store it, with the goal of decrypting it once quantum computing capabilities become available. This attack undermines the security of data with long-lived confidentiality needs, such as corporate IP, state secrets or individual bio-data. It is widely believed that some actors are already engaging in this type of attack.

How to prepare for the post-quantum era?


What are the key objectives of the crypto governance agenda?

  • Transparency and accountability from strategy/funding to execution
  • Coordination of internal and external stakeholders
  • Awareness and skills building across relevant teams
  • Engagement with the supply chain
  • Coherence with overall cybersecurity governance, risk and compliance, managing evolution of standards, regulation and legislation
  • Definition of processes and operationalisation of the implementation

How is data transmitted from a base station to a network security gateway affected?

Data in transit from a base station to a network security gateway may be secured with IPSec, typically using asymmetric (quantum-vulnerable) methods for key exchange. As in other contexts in which IPSec is used to secure data in transit, it is expected that the asymmetric key exchange methods currently used will need to be migrated to PQC variants, either as standalone PQC or in a hybrid mode combining currently used methods with PQC algorithms.
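As an added illustration of the hybrid mode described above (this is example code, not GSMA text or any product’s implementation): the shared secret from the classical exchange and the one from a PQC KEM are both fed into a KDF, so the derived key stays secret as long as at least one exchange holds. The KEM and ECDH outputs are constructed stand-in bytes; the combiner’s concatenation order and transcript binding are this example’s own convention, not a specific IKEv2 or TLS codepoint.

```python
"""Hybrid key-exchange combiner (added example, not GSMA code)."""
import hashlib
import hmac


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-SHA256 extract-then-expand as specified in RFC 5869."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()       # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:                                  # expand
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hybrid_key(classical_ss: bytes, pqc_ss: bytes, transcript: bytes) -> bytes:
    """Derive one traffic key from BOTH shared secrets.

    Assumption of this example: secrets are concatenated classical||pqc and the
    handshake transcript hash is used as the HKDF salt, so the key is bound to
    the exchanged public values. An attacker who can recover only one of the
    two secrets (e.g. the ECDH one, via Shor's algorithm) still cannot
    compute the key.
    """
    if not classical_ss or not pqc_ss:
        raise ValueError("both key exchanges must contribute a shared secret")
    return hkdf(classical_ss + pqc_ss,
                salt=hashlib.sha256(transcript).digest(),
                info=b"hybrid-ipsec-demo")


def demo() -> dict:
    """Constructed run: the key changes if either component changes."""
    ecdh_ss = bytes.fromhex("11" * 32)     # constructed stand-in for an ECDH secret
    kem_ss = bytes.fromhex("22" * 32)      # constructed stand-in for a KEM secret
    transcript = b"constructed-handshake-transcript"
    key = hybrid_key(ecdh_ss, kem_ss, transcript)
    key_other_ecdh = hybrid_key(bytes(32), kem_ss, transcript)  # classical part swapped
    key_other_kem = hybrid_key(ecdh_ss, bytes(32), transcript)  # PQC part swapped
    return {
        "key": key,
        "differs_if_ecdh_changes": key != key_other_ecdh,
        "differs_if_kem_changes": key != key_other_kem,
    }


if __name__ == "__main__":
    print(demo())
```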

How does PQC impact the IoT ecosystem?

  • As the number of IoT devices and IoT solutions increases, so do opportunities for attackers. Tampering, eavesdropping, malware, and unauthorised access are some examples of how confidentiality, integrity of data and availability of systems can be compromised. Cryptography underpins the security of IoT solutions: keeping the data secure through encryption, securing communications, providing user authentication to prevent unauthorised access, and validating data integrity. The quantum threat to cryptography in the context of IoT should be considered throughout the solution’s lifecycle and across all components: a plan for implementing measures to mitigate existing and new solutions will provide opportunities to reduce costs and manage risks.
  • Mutual authentication, end-to-end encryption, and secure firmware updates are essential to ensure the security of IoT devices. This mutual authentication is based on PKI, which needs to be quantum safe. Therefore, it is important to implement proactive measures to address the quantum threat in IoT systems.

What are the challenges of implementing PQC in IoT systems?

  • Integrating PQC algorithms into existing security protocols such as IPSec, TLS, DTLS, and SSH places new requirements on IoT devices to support PQC, with potential impact on performance:
    • Efficiency of the (quantum-resistant) cryptographic algorithms (mainly RAM, code size, latency, computation time)
    • Energy: large parameters (public keys, signatures, ciphertexts) significantly increase the energy consumed transmitting them over the air interface.

How is the data transmitted by IoT connected devices to cellular networks affected?

Data transmitted by IoT devices connected to cellular networks can be encrypted with symmetric cryptographic algorithms over the air interface, as usually happens for data encryption from user equipment. The quantum threat is much less severe for symmetric cryptography, so these methods are expected to remain sufficiently secure.


Subscribe to our GSMA Post-Quantum community

Subscribing to our community is a way to ensure you stay updated with the latest developments as the industry undergoes this journey to a quantum-safe era. For enquiries, please send email to [email protected].