By David Hook
This morning, I watched another sunrise from my home office window and saw the successful conclusion of another International Cryptographic Module Conference. Yes, here in Australia, or “Ozcatraz” as many of us locals now know it (mostly fondly), we are still doing everything remotely. That said, while it is true that I could not be at ICMC 2021 physically, ICMC 2021 was another reminder that if one combines the Internet with enough caffeinated drinks and chocolate there is no need to miss out!
For people not familiar with ICMC, the conference is about more than certifying modules and compliance efforts, from both a proprietary and an open source point of view. It also provides a look at the issues that different environments, such as IoT, can cause in this task, and provides another window on upcoming algorithms and standards that NIST and other organisations are working on. This last item was of special interest to us at Bouncy Castle, as it provided a bit more of a community perspective, in addition to further announcements from NIST, on the post-quantum cryptography (PQC) competition and the post-quantum threat in general.
First, the news from NIST: they are still on track to end Round 3 in December 2021, with an announcement either at the end of the year or in January 2022. There are increasing concerns around the multivariate signature submissions, so there is a feeling now that further work would be worthwhile to expand the number of signature candidates. While this has led to increasing interest in the alternative candidates, especially SPHINCS+, there was also an announcement that there will be a new call for submissions next year for additional post-quantum signature algorithms. The original post-quantum competition started in 2016 and there has been a lot of research and analysis since then. The hope is that a new call for submissions will produce some interesting, and useful, new algorithms. The expectation then is that 2022 will be spent reviewing drafts and comments, with 2023 seeing the release of the final special publications describing the algorithms.
So where does this put the rest of us? Several talks looked at the current state of quantum computing and what it might mean for the future. The answer to that question is: it depends a bit on what you are doing.
If you’re looking at deploying a PKI that will be used for something like remote update, and your expectation is that what you deploy will be out in the field for 10+ years, it would be a good idea to start looking at using a post-quantum secure signature algorithm. There are two, LMS and XMSS, described in SP 800-208, “Recommendation for Stateful Hash-Based Signature Schemes”, which are also described in RFC 8554 and RFC 8391 respectively. Of these, LMS now has a CMS/PKIX profile defined in RFC 8708 as well, so it is probably the most operationally ready from a standards and cross-compliance point of view. While these algorithms are regarded as post-quantum secure, there is a word of caution around them. “Stateful” in this case refers to the fact that the private key for the algorithm changes each time a signature is generated, and a failure to manage this properly (for example, signing twice from the same state after restoring a key from a backup) can destroy the security of the system. They need to be used with care.
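As an added illustration of why the stateful caveat matters (example code written for this post, not Bouncy Castle’s LMS/XMSS implementation): a toy few-time scheme with one Lamport one-time key per leaf, where the leaf counter is the state. The signer advances the counter before it releases a signature and refuses to sign once the key is exhausted, and a rollback demo shows how much of a leaf’s secret key is exposed when a restored state causes a leaf to be reused. It assumes SHA-256 and, to keep it short, a flat list of leaf public keys in place of a real Merkle tree.

```python
import hashlib
import os

def H(data):
    return hashlib.sha256(data).digest()

def msg_bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def keygen_ots():
    # Lamport one-time key: two secret 32-byte preimages per digest bit.
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def sign_ots(sk, msg):
    # Reveal exactly one preimage per bit; the other half of sk stays secret.
    return [sk[i][b] for i, b in enumerate(msg_bits(msg))]

def verify_ots(pk, msg, sig):
    return all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, msg_bits(msg))))

class StatefulSigner:
    # Toy few-time signer: one OTS key per leaf; next_leaf is the state.
    def __init__(self, leaves=4):
        self.keys = [keygen_ots() for _ in range(leaves)]
        self.pub = [pk for _, pk in self.keys]  # toy: verifier holds every leaf pk
        self.next_leaf = 0                      # must be persisted with the key

    def sign(self, msg):
        if self.next_leaf >= len(self.keys):
            raise RuntimeError("key exhausted: generate a new key, never rewind")
        leaf = self.next_leaf
        self.next_leaf += 1  # advance (and persist) the state BEFORE releasing sig
        return leaf, sign_ots(self.keys[leaf][0], msg)

def verify(pub, msg, sig):
    leaf, ots = sig
    return leaf < len(pub) and verify_ots(pub[leaf], msg, ots)

def revealed_fraction(sigs):
    # Share of one leaf's 512 secret preimages exposed by these signatures:
    # exactly 1/2 for one signature, more once the leaf signs a second message.
    return len({s for ots in sigs for s in ots}) / 512

def rollback_demo():
    # The classic failure: state restored from a backup/snapshot, leaf reused.
    signer = StatefulSigner()
    snapshot = signer.next_leaf
    leaf1, sig1 = signer.sign(b"firmware v1")
    signer.next_leaf = snapshot                 # state rolled back
    leaf2, sig2 = signer.sign(b"firmware v2")
    return leaf1 == leaf2, revealed_fraction([sig1, sig2])
```

Persisting `next_leaf` atomically before the signature leaves the signer is the whole discipline; the demo returns the leaf reuse flag and a revealed fraction above one half, which is the point at which the one-time property is gone.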
If you are not in the 10+ year bracket, as William Layton from NSA Cybersecurity pointed out, you probably want to be worrying more about things like malware and supply chain security in the immediate future, as we are aware that there are real problems in that space. That said, you also want to start experimenting with PQC now, as the reality is that once the new standards are available there will be an expectation, starting from Government, that applications will start using them. Not in a panic, but slowly and steadily, largely to avoid a panic later. Brian LaMacchia made the same point in his talk: at Microsoft they consider “what is your plan for post-quantum security?” to be a question they expect customers to be asking.
For people who wonder why they should take such a long-term view on this, it is worth looking at the example of SHA-1. We first saw theoretical attacks against SHA-1 in 2005; by 2010 the security of the algorithm had become sufficiently problematic that NIST had transitioned away from it in some use cases; and in early 2017 researchers at Google had found a way to produce PDFs which hashed to the same digest, essentially rendering it useless from a security point of view. It is now 2021, sixteen years after the first theoretical attacks, and some people are still struggling to stop using SHA-1 or deal with the consequences of earlier use. It’s tempting, with all the talk about crypto agility, to think that a migration like this, from one class of algorithm to another, is already a done deal. The reality is that the migration issues are not all going to show up until migration is actually attempted, and that will take time and, if past experience with SHA-1 is anything to go by, likely a lot of it. In this case, we are not just considering a single message digest algorithm, but a whole range of algorithms and protocols.
There are a couple of paths to go down in terms of preparation now. The first is simple experimentation: find out more about the algorithms themselves, the key sizes, and the constraints. The second is to look at hybrid algorithms, an area which does show some promise in allowing us to harden existing infrastructure by augmenting it with post-quantum algorithms and techniques.
For finding out where things are at now, the definitive place to follow progress is the NIST Post-Quantum Cryptography page. Another worthwhile resource is the ENISA publication Post-Quantum Cryptography: Current state and quantum mitigation, which provides a thorough review of the Round 3 submissions as well as a discussion of possible mitigation techniques for dealing with the future, including the use of hybrids. A more formal approach to a hybrid algorithm is provided in ETSI TS 103 744 V1.1.1, but again a note of caution: go gently! The speaker from NSA Cybersecurity did report that they have already encountered situations where a rush to introduce a hybrid technique had led to the weakening of an otherwise secure implementation due to programming error. A reminder for all of us, including myself, of just how much “fun” a “one line change” can cause. Further to this, the NSA have also published an FAQ on Quantum Computing which, like the ENISA document, provides a very thoughtful view of things while additionally serving as a reminder that we really have run out of three letter acronyms. Attempted “humour” aside, it is also well worth a read.
So, in summary: quantum computers are coming and, while it’s tempting to think of quantum computing as a train rushing towards us down a tunnel, we do have a choice. There is no need to keep standing on the tracks admiring the approaching headlight. It would be much better to prepare and move to a nearby embankment, perhaps sit on a blanket, and from there safely observe the train in all its might and glory as it comes rushing out of the tunnel and into the light. Interesting times indeed.
Join me at PrimeKey Tech Days on September 13-16, where I talk more about hardcore cryptography and give a workshop on PKI at the Edge. Stay safe with a yearly shot of PKI!