Advantages and Disadvantages of Post-Quantum Cryptography as a Possible Solution to the Crypto Apocalypse

Due to the widespread adoption of various digital technologies, sharing of digital information has become a vital aspect of people’s lives. Through the Internet, one can have access to their personal medical records, financial data and carry out transactions online. As a result of this, information security is now considered pivotal in ensuring that one does not become a target of interest for adversaries whom may try to intercept this online data. Cryptography has been designed with this in mind, thereby providing a means for organizations and people to protect their sensitive information from cyber-attacks through data encryption techniques. However, in the past few years, a substantial amount of research has gone into quantum computing. According to Pelner and Cooper, a quantum computer is a scalable system that can efficiently perform the extra quantum operations necessary for solving computational problems such as the difficulty of factoring large numbers. This machine has the capability to solve mathematical problems that are difficult for conventional computers. It thus, has enough power to launch efficient attacks on encrypted data that is protected by classical cryptographic techniques used today. Currently, there has not yet been a breakthrough in the creation of a large-scale quantum computer. However, we should still be very concerned about the successful creation of such as it would render most of the cryptosystems we use today useless - the crypto apocalypse. It is no longer a question of ‘if’ but ‘when’. In response to this, different parties such as governmental organizations and researchers are looking at post-quantum cryptography as a way of addressing this issue. According to the National Institute of Standards and Technology (NIST), the goal of post-quantum cryptography is to develop cryptographic systems that are secure against both quantum and classical computation and can be applied to existing applications and networks. It involves the development of new cryptosystems that are quantum-safe, and that can replace the current vulnerable cryptosystems in use today.

Background

Public key cryptography has been used to protect the online information of users on the Internet since its invention. The main cryptosystems that are used to implement cryptography are the Diffie-Hellman key exchange, the RSA (Rivest-Shamir-Adleman) cryptosystem and the ECC (Elliptic Curve Cryptography) cryptosystem. For RSA, its security mainly depends on the difficulty of the integer factorization problem, whereas algorithms such as the Diffie-Hellman key exchange, Digital Signature Algorithm (DSA) and ECC depend on the difficulty of the discrete logarithm problem.

In RSA, the public key is derived by carrying out a multiplication of two secret prime numbers p and q to give the key N. The security of this algorithm is contingent on the difficulty of finding the factors p and q. However, in 1994, Peter Shor demonstrated a fast quantum algorithm that could find the factors p and q, by applying a quantum Fourier transform, and thus breaking the RSA cryptosystem. It is fairly easy for today’s computers to multiply very large numbers, but the reverse is not. When given a large number, these computers are unable to find the prime factors. However, with Shor’s algorithm, factoring would be quite easy with a quantum computer. He further introduced another algorithm that could rapidly replace product mod p with addition of points on an elliptic curve mod p thus breaking ECC. The implementations of this algorithm would require quantum factoring at scale due to the number of qubits and qubit operations required. In 1996, Grover described an algorithm that speedily searched an unordered database of size N using quantum queries. With quantum computing, this algorithm would break cryptographic systems that use 2128 security such as AES keys that are 128-bit long.

There has been a lot of doubt that a large-scale quantum computer can be developed in the near future, that can proficiently run Shor and Grover’s algorithms. In order for organizations to be prepared for such an event, they should consider the following:

• x: How long should information remain secure?
• y: How long would it take to implement tools that make the infrastructure safe?
• z: How long will it take for a quantum computer to be built that can break current classical cryptosystems?

If x + y is greater than z, then this should be taken as a serious issue since a quantum computer will be built before encrypted information is made secure from quantum attacks.

Current State of the Art

Due to the increasing maturity of quantum computing, classical public-key algorithms such as Diffie-Hellman, RSA and ECC are becoming more vulnerable to quantum attacks over time. Several research institutes, as well as companies are now increasing their efforts to develop new mathematical techniques that can build cryptographic primitives that are resilient to quantum attacks. In August 2016, NIST initiated a post-quantum cryptography project with the main objective of analysing and standardizing a number of quantum-resistant public key cryptosystems, that would eventually be adopted by industry.

Several classes of mathematical problems have been proposed and hypothesized to resist quantum attacks. These classes offer new ways to build public key cryptography that is quantum-safe, but they still present a number of challenges such as large key and signature sizes, which current public key cryptosystems do not face.

Lattice-Based Cryptography

Of all the primitives believed to be quantum-resilient, lattice-based cryptosystems have attracted the most interest. Two NP-hard problems that are associated with lattices are the Shortest Vector Problem (SVP) and the Closest Vector Problem(CVP) as stated by Perlner and Cooper. Both problems require one to find the shortest vector in a lattice or find the closest lattice vector to an arbitrary non-lattice vector. There are no quantum or classical algorithms that can solve these hard problems.

Main Lattice-Based Schemes

There are two main lattice-based schemes that have been developed and show the best performance, practicality and security:

1. NTRU. This scheme was introduced by Hoffstein, Pipher and Silverman in the 1990s. NTRU-based schemes have a better performance because they have an extra symmetry that allows them to have much smaller keys than other systems such as the McEliece system which we shall see in the code-based category of cryptography primitives. Due to this performance, the NTRU scheme is faster than classical public key cryptography. However, as stated by Bernstein and Lange, there are a number of potential attack methods against NTRU that can be done by exploiting the cyclotomic structure of xp - 1 of lattice-based systems. They recommended changing the structure from that to xp - x - 1.
2. LWE. The Learning with Error (LWE) system is famous due to the fact that it is based on a worst-case hardness instance of lattice problems that render all cryptographic operations based on it secure. Linder and Peikert created LP-LWE that followed this principle, and an improvement - the Ring Learning with Error (R-LWE) was introduced to boost the efficiency of this cryptosystem.

Advantages of Lattice-Based Cryptography

1. Lattice-based algorithms are very fast and efficient because of their linear algebra-based matrix and vector operations on integers.
2. Their keys are hard to break in the worst case as well as in the easiest case (worst-case to average-case reduction) which makes the system quantum-safe.
3. Lattice-based implementations can be used in other security services such as fully homomorphic encryption, identity-based encryption and attribute-based encryption.

Disadvantages of Lattice-Based Cryptography

It is quite difficult to give accurate estimations of the security of these systems on existing software and hardware platforms. Their implementations on these platforms are vulnerable to physical attacks such as timing attacks, fault attacks and power analysis.

Hash-Based Cryptography

These systems offer one-time signatures that are created using hash functions. These hash functions are based on designs of signatures such as the Lamport-Diffie signature. However, the disadvantage with this signature is that it could not be used more than once securely. Therefore, in 1979, Merkle introduced an idea where the Lamport-Diffie signature could be combined with binary trees so that signing keys could be used for a number of signatures limited by the size of the tree as opposed to using the keys for a single time only. However, this method faced a number of challenges such as large key and signature sizes and a slow generation of signatures.

Save your time!
We can take care of your essay

• Proper editing and formatting
• Free revision, title page, and bibliography
• Flexible prices and money-back guarantee

Place Order

Advantages of Hash-Based Cryptography

According to Bernstein, hash functions are only affected by Grover’s algorithm, and not Shor’s algorithm, which makes Merkle’s signatures a great prospect for post-quantum signatures. Hash-based cryptosystems are also quite fast since they only need to compute hash functions. They are also quite security proof since the hash functions are both collision and preimage resistant.

Disadvantages of Hash-Based Cryptography

Schemes related with the Merkle signature face a challenge in that the signer must keep a record of previously used signatures (statefulness). If this is not done, it would lead to insecurity especially in large-scale environments. Moreover, these schemes only produce a limited number of signatures, and increasing this number would just lead to an increase in signature size, which would be ineffective.

Code-Based Cryptography

Error-correcting codes have always been used to add redundancy to digital communications by enabling the receiver to correct errors in real time during transmission. In 1978, McEliece introduced code-based cryptography by proposing a scheme that was built on Goppa codes and whose security relied on the syndrome decoding problem. Goppa codes are error-correcting codes that could be used as part of a secure coding scheme by keeping the encoding and decoding functions private, and only sharing publicly a disguised encoding function that could map a plaintext to a ciphertext. Decoding of the ciphertext could only be done by having the secret decoding function, in order to recover the plaintext. This is difficult for quantum and classical computers to reverse since it is based on the syndrome decoding problem which is an NP-problem.

Advantages and Disadvantages of Code-Based Cryptography

The McEliece scheme is quite fast in doing both encryption and decryption. But it is not quite practical for adoption since it requires very large key sizes. Recent attempts have been made to reduce the key sizes but this has led to their structure being more prone to attacks.

Multivariate Polynomial Cryptography

These are public key-based systems that rely on the difficulty of solving multivariate polynomials over finite fields. One of the most recognized encryption schemes in this category is the Simple Matrix encryption scheme. Operations are done in a single finite field and the decryption procedure comprises only of the solution of linear systems. This makes the cryptosystem very efficient against quantum attacks.

Multivariate cryptosystems are also being used for digital signatures. Patarin broke the C* system that had been created by Matsumoto and Imai, then introduced a strong system known as Hidden Field Equations (HFEv-) which can get secure signatures that are comparable to RSA and ECC signature sizes.

Advantages and Disadvantages of Multivariate Polynomial Cryptography

This primitive is quite fast and has historically been a good approach for signatures, especially since it offers shorter signatures than those offered by other schemes. But the security of these systems is not assured as quite a number of multivariate cryptosystems have been broken over the years.

Fields of Application for Post-Quantum Cryptography

Quantum computing will create many challenges for organizations, governments and individuals who get caught still using applications and networks that do not use quantum- safe cryptography. Therefore, post-quantum cryptography will be highly useful in the following areas:

1. Medicine and health. These services rely on the core values of confidentiality of patient data, and most of these providers would be legally liable should this data be compromised. Consequently, it is paramount to protect information related to medicine and healthcare using post-quantum cryptography solutions that can ensure that this type of long-term information remains secure.
2. Financial services. Financial organizations such as banks rely heavily on IT infrastructure that is assured to provide confidentiality, integrity and availability. A good example of this is the credit card information that is encrypted during transmission when carrying out transactions online. It is necessary for this industry sector to realize the importance of using quantum-safe schemes that can protect against quantum attacks, and at the same time offer efficiency and speed in encryption, decryption and key generation.
3. Connected vehicles. As an emerging field, stakeholders need to assure the customers of the safety of the vehicles against cyber-attacks from adversaries. With quantum computing, an attacker could break the cryptographic systems used in the vehicle-to-vehicle communications. Therefore, the designers of these vehicles need to migrate towards quantum-safe security, in a more and more connected and vulnerable world.

Future Directions

The world is not yet prepared to fully switch to post-quantum cryptography. There are a number of challenges facing this research area that we must highlight first before deciding the path forward:

1. Efficiency. Despite many research efforts, post-quantum cryptography still suffers from a constraint on time and space. Post-quantum systems have not yet reached the level of performance of some of the state-of-the-art classical algorithms such as RSA and ECC.
2. Confidence. Many public key schemes that have been proposed in the past few years such as those based on multivariate polynomial cryptography, have been broken by cryptanalysts. It is vital that confidence is built into the quantum-safe systems that are being proposed by ensuring that cryptanalysts actively search for vulnerabilities on these systems.
3. Usability. The usability of post-quantum solutions is lacking, as many of them cannot fit into established protocols and applications due to varying degrees of design. They need to be flexible enough to be implemented on a wide array of both software and hardware applications. Moreover, these solutions need to be safe from physical attacks such as timing and side-channel attacks.

Since quantum computing poses a credible threat to conventional classical cryptosystems, the world must realize the importance of carrying out more research in post-quantum cryptography. This problem requires strategic thinking and long-term planning. The following are some recommendations that can be implemented:

• Organizations should work with global bodies such as NIST and the European Telecommunications Standards Institute (ETSI) to single out the quantum-safe algorithms and techniques that require standardization and which do not.
• Organizations should look at ways to reduce costs that may be incurred when the time comes to switch their technologies to a quantum-safe environment.
• Organizations with advanced research teams should take these algorithms and test them on real products in order to determine the performance and security of these approaches in a real-world environment.
• Security researchers should investigate current quantum safe primitives that are being created and try to discover potential vulnerabilities in order to ensure that the solutions that are standardized offer top-notch security against quantum attacks.
• Security researchers should carry out performance tests on quantum-safe algorithms and submit this data for further analysis by the research community.
• The government can assist by ensuring that there is continuous support and funding at all stages of the post-quantum cryptography research process in order to encourage more research efforts in the area.
• Security product vendors should carry out market and product research to determine if there is a justified business case to add quantum-safe solutions to their product roadmaps.

Conclusion

It is uncertain when we can expect to have a functional, large-scale quantum computer. In light of this being quite likely, this paper has addressed the benefits of employing post-quantum cryptography in a world with quantum computers. However, there is still a lot of work that needs to be done to ensure that we are not too late to provide information security in a quantum era. It is of the utmost importance that planning and collaboration takes place to produce quantum-safe cryptosystems that can help avoid the looming crypto apocalypse.

References

1. R. A. Perlner and D. A. Cooper, “Quantum Resistant Public Key Cryptography”, Proceedings of the 8th Symposium on Identity and Trust on the Internet - IDtrust 09, 2009.
2. L. Chen, S. Jordan, Y.-K. Liu, D. Moody, R. Peralta, R. Perlner, and D. Smith-Tone, “Report on Post-Quantum Cryptography”, 2016.
3. G. Alagic, J. Alperin-Sheriff, D. Apon, D. Cooper, Q. Dang, Y.-K. Liu, C. Miller, D. Moody, R. Peralta, R. Perlner, A. Robinson, and D. Smith-Tone, “Status Report on the First Round of the NIST Post-Quantum Cryptography Standardization Process”, 2019.
4. P. W. Shor, “Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer”, SIAM Review, vol. 41, no. 2, pp. 303–332, 1999.
5. L. K. Grover, “A Fast Quantum Mechanical Algorithm for Database Search”, Proceedings of the twenty-eighth annual ACM symposium on Theory of computing - STOC 96, 1996.
6. D. J. Bernstein and T. Lange, “Post-Quantum Cryptography – Dealing with the Fallout of Physics Success”, pp. 1–20, Apr. 2017.
7. M. Mosca, “Cybersecurity in an Era with Quantum Computers: Will We Be Ready?”, IEEE Security & Privacy, vol. 16, no. 5, pp. 38–41, 2018.
8. J. Mulholland, M. Mosca, and J. Braun, “The Day the Cryptography Dies”, IEEE Security & Privacy, vol. 15, no. 4, pp. 14–21, 2017.
9. European Telecommunications Standards Institute, “Quantum Safe Cryptography and Security: An Introduction, Benefits, Enablers and Challenges,” pp. 1–64, Jun. 2015.
10. D. J. Bernstein, “Introduction to Post-Quantum Cryptography”, Post-Quantum Cryptography, pp. 1–14.
11. A. Khalid, T. Oder, F. Valencia, M. O. Neill, T. Güneysu, and F. Regazzoni, “Physical Protection of Lattice-Based Cryptography”, Proceedings of the 2018 on Great Lakes Symposium on VLSI - GLSVLSI 18, 2018.