While quantum computers hold much promise, they also represent a critical threat to the security of the internet, as they may undo current cryptographic defenses. To develop new quantum-proof cryptography, the leading standards authority NIST has invited researchers all over the world to design solutions. Now, an algorithm developed at the Eindhoven University of Technology (TU/e) has been selected to become a new standard for post-quantum cryptography. Two other TU/e solutions have been chosen as promising runners-up for further consideration.
The last decade has seen much progress in the development of quantum computers and the entire ecosystem they will enable. The Netherlands has been one of the leading players in this with several centers devoted to research. This includes the Center for Quantum Materials and Technology Eindhoven (part of Eindhoven Hendrik Casimir Institute), and most recently, the establishment of Quantum Delta NL and a 615 million euro grant from the Dutch government’s National Growth Fund to accelerate quantum technology.
With this success, there is one dark shadow: one of the areas where quantum computers outperform their classical counterparts is in breaking some of the underlying cryptographic systems that cyber security relies on. At present, quantum computers are not yet stable and large enough to enable such attacks, but developments are going so fast that security researchers worldwide have been put on alert to solve this problem.
Collect now, decrypt later
The vulnerable systems fall in the category of so-called public-key cryptography, which you can find in any connection that your browser makes when visiting any site with https, as well as in WhatsApp and other chat systems.
The systems fall into two categories for different use cases. First, there are Key Encapsulation Methods (KEMs) for initiating a confidential conversation between parties who have not met before; second, there are signature systems to ensure the authenticity and integrity of the conversation and to make sure that the connection is really with the party it claims to be.
Both need to be replaced long before quantum computers arrive. This is because many hackers work on the principle of 'collect now, decrypt later': they collect and store today's traffic which is encrypted with pre-quantum cryptography, and keep it stored to decrypt it at a later date when they have a quantum computer.
Data which has long-term value, such as trade secrets and company strategies, will then be open to industrial espionage, and privacy-sensitive personal data will no longer be private.
NIST competition
To focus attention on finding secure replacements that can withstand attacks even with a large quantum computer, the US National Institute for Standards and Technology (NIST) in 2016 launched an open competition in post-quantum cryptography where researchers from all over the world could submit their systems for consideration for a future standard.
After a lengthy process that involved three rounds of evaluation and further tweaks, NIST has announced the winners. These four cryptosystems will now be standardized so that they can be widely deployed. One of the winners is the TU/e-designed SPHINCS+ system, a signature system that prioritizes long-term security.
Andreas Hülsing, leader of the SPHINCS+ team and assistant professor at the Coding theory and Cryptography group at the department of Mathematics and Computer Science: "In many applications, the cost of cryptography is negligible compared to the overall cost, while security requirements are high. Think of document signatures or software updates. We are happy that with SPHINCS+ NIST also picked a solution with strong security for such use cases."
Deep TU/e involvement
Besides the direct involvement of TU/e researchers Hülsing and Tanja Lange, TU/e research on post-quantum cryptography has had a profound impact on the NIST competition. Counting former PhD student Peter Schwabe, three out of the four winners have a connection with TU/e.
NIST is also advancing two other systems with TU/e involvement to a fourth round for further consideration: the KEM Classic McEliece, with Tanja Lange and former PhD students Tung Chou, Ruben Niederhagen, Christiane Peters, and Peter Schwabe on the team, as well as the KEM SIKE, involving former PhD student Michael Naehrig.
Lange raises some concern about NIST's decision to postpone standardizing Classic McEliece. "While NIST acknowledges the solid security track record of Classic McEliece, it speculates that adoption might be low. This is choosing the wrong priorities when security should be job #1." Lange recommends the system to users dealing with data of long-term value.
What’s next?
What lies ahead now is work to nail down the subtle details of the standards and several rounds of review, but according to Lange, industry can already start exploring how to upgrade to post-quantum cryptography and which of the selected systems fit their use case.
“I would recommend all concerned parties to keep existing pre-quantum systems next to the new post-quantum systems, so that the security is as strong as the strongest of the systems. They should also keep in mind that collect-now decrypt-later means that the migration to post-quantum cryptography has to happen long before large quantum computers become a reality.”
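The hybrid deployment Lange recommends, running a pre-quantum and a post-quantum KEM side by side so the session key is only as weak as the stronger of the two, comes down to how the two shared secrets are combined. The following is an added illustration, not code from TU/e, NIST or any of the submissions: the two shared secrets are constructed placeholder bytes standing in for the outputs of a classical KEM and a post-quantum KEM, and the combiner is HKDF-SHA256 (RFC 5869) built from the Python standard library.

```python
import hashlib
import hmac

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # HKDF-Extract: PRK = HMAC-SHA256(salt, IKM)
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    # HKDF-Expand: T(i) = HMAC(PRK, T(i-1) | info | i), concatenated and truncated
    okm, block = b"", b""
    for counter in range(1, (length + 31) // 32 + 1):
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
    return okm[:length]

def hybrid_key(ss_classical: bytes, ss_pq: bytes, transcript: bytes) -> bytes:
    """Derive one 32-byte session key from BOTH KEM shared secrets.

    Feeding the concatenation of both secrets into the KDF means an attacker
    must recover both to recompute the key: breaking only the classical KEM
    (the future quantum scenario) or only the PQ KEM (an undiscovered flaw)
    is not enough. Length-prefixing each input makes the concatenation
    unambiguous, and hashing the handshake transcript into the salt binds
    the key to this particular exchange.
    """
    def lp(b: bytes) -> bytes:
        return len(b).to_bytes(2, "big") + b
    ikm = lp(ss_classical) + lp(ss_pq)
    prk = hkdf_extract(salt=hashlib.sha256(transcript).digest(), ikm=ikm)
    return hkdf_expand(prk, b"hybrid-session-key", 32)

def demo() -> dict:
    # Constructed placeholder values; real KEMs would produce these secrets.
    ss_classical = bytes.fromhex("11" * 32)   # e.g. an ECDH/RSA-KEM secret
    ss_pq = bytes.fromhex("22" * 32)          # e.g. a post-quantum KEM secret
    transcript = b"constructed-handshake-transcript"
    session_key = hybrid_key(ss_classical, ss_pq, transcript)
    # A "collect now, decrypt later" adversary who later breaks the classical
    # KEM knows ss_classical but not ss_pq; guessing the PQ secret fails.
    attacker_guess = hybrid_key(ss_classical, bytes(32), transcript)
    return {"key_len": len(session_key),
            "attacker_matches": attacker_guess == session_key,
            "session_key": session_key.hex()}

if __name__ == "__main__":
    print(demo())
```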
This article was first published on 6 July by TU/e.