Why should we be ready for Quantum-Safe Cryptography
Published:
Quantum computers are still in the early stages of development, and there are many technical challenges that need to be overcome before they can be widely used. However, they have the potential to revolutionize fields such as pharmaceuticals, finance, and defense, and researchers are actively working to develop practical applications for them.
However, quantum computers not only offers computing power to aforementioned application, but it is also a threat to the security, especcially to secure communications over the Internet nowsaday.
In this tutorial, we will focus on the question “Why we should prepare for quantum-safe cryptography?”. We won’t go to details how a quantum computer could break currently wide-used public key cryptosystems in communications over Internet. For more details on this, I had another article How a quatum computer break RSA
here.
Quantum Computers
Roughly, a quantum computer is based on principles of quantum mechanics, such as superposition
and entanglement
, to perform operations on data. While the basic unit of information in a classical computer is a bit, which can be either a $0$ or a $1$, the basic unit in quantum computers is qubits, which can exist in multiple states simultaneously due to superposition (i.e., , it can be a $0$, a $1$, or both at the same time) and can be entangled, meaning the state of one qubit is directly related to the state of another. This mechanism allow quantum computers to perform many calculations in parallel, and thus to solve certain problems exponentially faster than classical computers.
Quantum threats
In 1994, Peter Shor developed the first quantum algorithm* that can efficiently solve the factorization problem, which RSA cryptosystem relies on, and dicrete logarithm problem, which ElGamal cryptosystems and ECC relies on. The impact of this is potentially very wide in which most of secure commnunication protocols such as HTTPS, SSL/TLS, and digitally signed documents are currently implemented those algorithms.
Another threat that quantum computers present is Harvest Now, Decypt Later (or HNDL
) attack. Hackers can collect a vast of encrypted data now, then decipher them once the quantum compters become mainstream. Imagine that your personally identifiable information (PII) such as DNA or other genetic data could be revealed publicly even it is transferred in a current secure encrypted form. Other sensitive information such as state secrets must remain confidental for years or even decades. That would give enough time for bringing quantum computers into the real world.
Quantum risk thus is real now.
Quantum-Safe Cryptography
To counter quantum threats, researchers are developing and promoting quantum-resistant or quantum-safe cryptography. These cryptographic algorithms are designed to be secure against quantum attacks and typically rely on mathematical problems that quantum algorithms find difficult to solve. Examples include lattice-based cryptography, hash-based cryptography, and code-based cryptography. Transitioning to these quantum-resistant algorithms is crucial for maintaining the confidentiality and integrity of data in a post-quantum computing era. Additionally, initiatives like the National Institute of Standards and Technology (NIST) Post-Quantum Cryptography Standardization project are underway to standardize quantum-resistant cryptographic algorithms.
PQC NIST Competition
At the PQCrypto conference (2016) organized in Fukuoka, Japan, NIST announced a program and competition to standardize Post-Quantum Cryptography. After three rounds, in July 2022, NIST announced four (4) winners
, including one Key Encapsulation Mechanism (KEM) and three digital signature algorithms, and four additional algorithms going to the 4th round. Winners are:
- CRYSTALS-Kyber: Lattice-based KEM algorithm
- CRYSTALS-Dilithium, FALCON: Lattice-based digital signature algorithms
- SPHINCS+: Hash-based digital signature algorithm
In August 2023, NIST released initial public drafts of three Federal Information Processing Standards (FIPS) on three of four winners and requested public comments on them. They are:
- FIPS 203, Module-Lattice-Based Key-Encapsulation Mechanism Standard. This standard is based on CRYSTAL-Kyber algorithm.
- FIPS 204, Module-Lattice-Based Digital Signature Standard. This standard is based on CRYSTAL-Dilithium algorithm.
- FIPS 205, Stateless Hash-Based Digital Signature Standard. This standard is based on SPHINCS+ algorithm.
Implementation of Quantum-Safe Cryptography in OpenSSL
OpenSSL, an open-source software library, is widely used in the field of secure communications. It includes implementations of TLS (Transport Layer Security) protocol, as well as cryptographic algorithms and tools for managing digital certificates. It supports a variety of cryptographic algorithms, including symmetric and asymmetric encryption, hash functions, and digital signatures.
Currently, assymetric cryptography supported in OpenSSL as well as the TLS protocol is vulnerable to quantum computers. That includes key exchange algorithms such as RSA and ECDH or digital signature algorithms for authentication of server such as RSA and ECDSA.
Open Quantum-Safe is a project that implements quantum-resistant cryptographic algorithms and integrates them to OpenSSL. The project forked OpenSSL 1.1.1 and integrates quantum-resistant assymetric cryptography into OQS-OpenSSL_1_1_1-stable. As OpenSSL 1.1.1 was no longer supported after September 2023 (see https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/), the OQS project is implementing oqsprovider that is compatible to OpenSSL 3.x.
As mentioned in the project’s website, the following quantum-safe algorithms are supported:
KEM algorithms
- BIKE
- CRYSTALS-Kyber
- FrodoKEM
- HQC
Signature algorithms
- CRYSTALS-Dilithium
- Falcon
- SPHINCS-SHA2
- SPHINCS-SHAKE
Furthermore, OQS-OpenSSL_1_1_1-stable
, and oqsprovider
also support hybrid mode, which combines a classical cryptographic algorithm such as RSA, ECDSA or ECDH with a post-quantum cryptographic algorithms. The benefit of this approach is that it still supports the classical cryptographic algorithms to secure existing threats while also uising QSC to secure data against HNDL attacks.
Demo
OpenSSL is a command-line tool that can be used for a variety of cryptographic operations. Imagine you are setting up a TLS server and a TLS client, you must first generate a server’s certificate that can be either a self-signed or part of a chain.
Server generate the root CA certificate
This shell command generate a root CA certificate for TLS using a hybrid approach: ECDSA_p256 and dilithium2. The folder apps is a subfolfer in OQS-OpenSSL_1_1_1-stable
or oqsprovider
.
apps/openssl req -x509 -new -newkey p256_dilithium2 -keyout p256_dilithium2_CA.key -out p256_dilithium2_CA.crt -nodes -subj "/CN=oqstest CA" -days 365 -config apps/openssl.cnf
Generate a server certificate
- Generate server’s key pair
apps/openssl req -new -newkey p256_dilithium2 -keyout p256_dilithium2_srv.key -out p256_dilithium2_srv.csr -nodes -subj "/CN=oqstest server" -config apps/openssl.cnf
- The CA generates the signed server certificate
apps/openssl x509 -req -in p256_dilithium2_srv.csr -out p256_dilithium2_srv.crt -CA <SIG>_CA.crt -CAkey p256_dilithium2_CA.key -CAcreateserial -days 365
Launch TLS Server
Once having a server certificate, you can launch your TLS server.
apps/openssl s_server -cert p256_dilithium2_srv.crt -key p256_dilithium2_srv.key -quiet -tls1_3
Connect client to the TLS Server
On your client machine, run this command to establish a quantum-safe connection and send a message Hello OQS
to the TLS server. Assume that your TLS server’s IP address is 192.168.1.1 and you are using the port 443 for a TLS connection.
echo "Hello OQS" | apps/openssl s_client -groups p256_kyber512 -CAfile p256_dilithium2_CA.crt -connect 192.168.1.1:443
Closing
This tutorial discussed the reason why we need to start implementing quantum-resistant asymmetric cryptographic algorithms in our communication applications from now. It also gives you some information about Open Quantum Safe project and some basic commands to setup a secure quantum-safe TLS connection. Hope you find it fun and useful!