Post Quantum Cryptography
Hardening Communication Against Quantum-Computing the Direct Way
The technological hurdles still being heavily challenging, with enormous efforts invested in developing Quantum-Computing (QC), science and industry evolve continuously in the direction of reliable and usable hardware systems to tackle heavy and complex mathematical problems. This development also paves the way to vulnerability of state-of-the-art encryption which relies on the assumption the corresponding mathematical operations and tasks are practically unsolvable (on time scales of a million years or more). Used for communication innumerable times per day and all around the world, from popular private messenger chats over sensitive economic data transfer to (inter-)national security reports, present standards of electronic communication are about to lose confidentiality with upcoming QC systems. This makes concerted and swift action to identify weak spots and harden telecommunication against QC inevitable tasks postponing is unacceptably risky.
Risk analysis starts assessing the level of vulnerability against between the two main branches of modern cryptography, the symmetric (shared private key) and asymmetric (public key) ciphers. For symmetric cryptosystems, all communication partners share a common private/secret key. Here, a QC attack to intercept information is based on a brute force key search, using the quantum search algorithm by Grover. Fortunately, this approach reduces the effort only by an exponent of ½ , keeping it basically exponentially complex with respect to the key length. Doubling it (i.e., from 128 to 256 bits) remedies the QC vulnerability of symmetric ciphers and implementations of the corresponding AES-256 standard already protect suitably well against QC attacks. Therefore, the main focus of QC resilience lies on state-of-the-art asymmetric ciphers which use both a public and a private key, for encryption and decryption, respectively. The private can be extracted from the public key by means of a mathematical operation, either a prime factorization or calculation of the discrete logarithm, for the respective asymmetric approach. Since the public key is an extremely large number in current asymmetric ciphers, this task is exponentially heavy, and therefore unfeasible on conventional computing hardware. On a quantum computer, however, the quantum algorithms by Shor, for factorization and calculation of discrete logarithms, reduce the effort to a polynomial complexity in the length of the public key, making asymmetric cryptography vulnerable to QC the day it becomes available.
The Quantum Technology Versus the Pragmatic Approach
Not only does quantum technology (QT) provide a key to break encryption measures in widespread use, it also offers a way to protect telecommunication against QC-based and other attacks – by the so-called quantum key distribution (QKD). However, as implementation of effective QC stays a technological challenge, so does QKD (compare section „Why is QKD not used instead of PQC?“). Although QKD has matured stronger than QC in recent years, usually a more pragmatic approach from outside QT is favoured by experts and organizations from the IT security community to make encryption robust against QC vulnerability. Approaches and algorithms of latter, conventionally cryptographic type are summarized under the term post quantum cryptography (PQC). They replace cryptography algorithms prone to QC code breaking by alternatives predictably unbreakable according to present knowledge even on the improving performance scale of future quantum computers.
Post Quantum Cryptography – Approaches and Implementations
A cryptosystem, to fulfil the central requirement of PQC, needs to be computationally unbreakable by means of QC. The mathematical procedure necessary to extract the private key must be an (super-)exponentially complex task even for known or conceivable quantum algorithms. It must not be prone to QC, like the Rivest-Shamir-Adleman (RSA) algorithm is to quantum factorization or the digital signature algorithm (DSA) and Diffie-Hellman key exchange (DHKE) are to quantum calculation of discrete logarithms, to list the most prominent counter examples to PQC. In the following, close to mature QC-hardened approaches to replace, complement or improve the conventional asymmetric algorithms are listed, for key transport and/or digital signatures:
Lattice-based
In lattice-based approaches to PQC, the “quantum-hard” problem is based on the mapping of points randomly sampled close to points on a regular lattice to the respective closest lattice points. …
The higher the dimension of the lattice space gets, the harder this task becomes effectively. For storage efficiency, the matrix operations necessary in the simplest application case are replaced by polynomial rings usually or hybrid solution combining the two forms (matrix & rings calculations). The resulting public key schemes are significantly slower than symmetric schemes wherefore they are mainly used for key encapsulation mechanism (KEM), the key establishment between two communicators. Lattice-based cryptosystems provide a larger versatility than other realizations of PQC and a good trade-off between security & cryptanalytic strength. Realizations undergoing the process of standardization by NIST are KYBER (internally termed ML-KEM) for KEM usage, as well as DILITHIUM (first ML-SIG, now ML-DSA by NIST) and FALCON (first labelled as FN-SIG, now FN-DSA) as candidates for PQC digital signature schemes.
Code-based
The mathematical task behind code-based approaches to PQC is the so-called syndrome-decoding problem. Inspired by algorithms originally developed to tackle errors in electronic communication (detection & correction), to provide fault tolerance for digital messages, these are adapted for encryption. …
Combining a message and redundant information (artificially introduced errors) into a codeword,the decoding of the latter is (super-) exponentially hard even for state-of-the-art quantum algorithms, turning the encoding into an encryption mechanism. Prominent schemes of code-type are the McEliece, BIKE, and HQC codes, submitted to NIST for the PQC standardization process still ongoing.
Hash-based
Though being tested against weak spots of principal type and implementation, leading standardization and cyber security agencies insist that these PQC algorithms are used only…
in hybrid combination with conventional methods in use and well-established on a time scale of decades. Recently, NIST has published its selection of four PQC schemes:
(CRYSTALS-) KYBER – ML-KEM (FIPS 203)
(CRYSTALS-) DILITHIUM – ML-DSA (FIPS 204)
SPHINCS+ – SLH-DSA (FIPS 205)
Furthermore, FALCON – FN-DSA (FIPS 206) is supposed to use FALCON algorithm for digital signature purposes, but is not released as a full standard yet.