A year ago today, the National Institute of Standards and Technology (NIST) published the first official standards for post-quantum cryptography (PQC) algorithms. The standards followed a 2022 memorandum from the Biden administration that requires federal agencies to migrate to PQC-based security by 2035.
Cryptography relies on mathematical problems that are practically impossible to solve but whose solutions are easy to check. Armed with such a problem, only the holder of the secret key can produce a valid solution and so gain access to the protected data. Today, most online cryptography depends on one of two algorithms: RSA or elliptic-curve cryptography.
The reason for anxiety is that a quantum computer, if a large enough one is ever built, would make short work of the "hard" problems underlying current cryptographic methods. Fortunately, there are other mathematical problems that appear equally difficult for quantum computers and for their existing classical counterparts. This is the basis of post-quantum cryptography: cryptography that is secure against hypothetical quantum computers.
With the mathematics behind PQC worked out and standards in hand, the work of adoption is now under way. This is no small feat: every computer, laptop, smartphone, self-driving car, and IoT device will have to fundamentally change the way it runs cryptography.
Ali El Kaafarani is a research fellow at the Oxford Mathematical Institute who contributed to the development of NIST's PQC standards. He also founded a company, PQShield, to help bring post-quantum cryptography to the real world by assisting original equipment manufacturers in implementing the new protocols. He spoke with IEEE Spectrum about how adoption is going and whether the new standards will be applied in time to defeat the emerging threat of quantum computers.
What has changed in the industry since the arrival of the NIST PQC standards?
Ali El Kaafarani, PQShield
Ali El Kaafarani: Before the standards came out, a lot of people were not talking about it at all: "If it is working, don't touch it." Once the standards were published, the whole story changed, because it is no longer hypothetical quantum hype; it is a compliance issue. There are standards published by the US government. There is a deadline for adoption. And the 2035 deadline (from the National Security Agency) came out with the publication and was adopted in a formal law passed by Congress, so there is no way around it. Now it is a compliance issue.
Earlier, people used to ask us, "When do you think we will have a quantum computer?" I don't know when we are going to have a quantum computer. But that is the issue: we are talking about a risk that could materialize at any time. Some other, more intelligent people, who have access to a wide range of information, decided in 2015 to classify quantum computing as a real threat. So this year has been a transformative year, because the question changed from "Why do we need it?" to "How are we going to use it?" And the entire supply chain began to see who is going to do what to build a quantum-safe cybersecurity kit, from chip design to the network security layer to critical national infrastructure.
Challenges in PQC Implementation
What are some of the difficulties in implementing the NIST standards?
El Kaafarani: You have beautiful mathematics, you have algorithms from NIST, but you also have the wild west of cybersecurity. This infrastructure ranges from the smallest sensors and car keys to the largest servers sitting there trying to crunch hundreds of thousands of transactions per second, each with different security requirements, each with different energy-consumption requirements. Now that is a different problem. It is not a mathematical problem; it is an implementation problem. This is where you need a company like PQShield, where we gather hardware engineers, firmware engineers, software engineers, and mathematicians, and all the rest around them, to actually say, "What can we do for this specific use case?"
Cryptography is the backbone of the cybersecurity infrastructure, and worse, it is an invisible piece that no one thinks about until it breaks. If it is working, no one touches it. They only talk about it when there is a breach, and then they try to fix things. Usually they end up putting Band-Aids on it. That is normal, because enterprises cannot sell security features to customers. They only use them when governments force them to, such as when compliance is an issue. And now this is a very big problem, because someone is telling them, "You know, all the cryptography that you have been using for the last 15 years, 20 years, you really need to change it."
Are there security concerns with implementations of the PQC algorithms?
El Kaafarani: Well, we have not done this before. This battle-testing has not been done. And now what we are saying is, "Hey, AMD and the rest of the hardware or semiconductor world, put all those new algorithms into the hardware, and we trust that they are going to work fine, and then no one is going to be able to hack them and extract the key." It's not that easy, right? Nobody dares to say that.
So, at PQShield, we have vulnerability teams who are trying to break our own designs, separately from the teams designing things. You have to do this. You have to be one step ahead of the attackers. You need to do all of this, and that is all you can do, because you can't say, "Okay, I have found something that is secure. No one can break it." If you say that, you eat humble pie in 10 years, because maybe someone will come up with a way to break it. You need this continuous innovation and continuous security testing for your products.
Because PQC is new, we have not yet been through all the creativity of the attackers, who come up with creative and dirty side-channel attacks that completely sidestep the mathematics. For example, some attacks look at the power consumption of the algorithm running on your laptop, and they extract the key from differences in power consumption. Or there are timing attacks that look at how long it takes to encrypt the same message 100 times and how that varies, and they can actually extract the key. So there are different ways to attack algorithms, and that is not new. What we do not yet have is billions of these devices in people's hands on which post-quantum cryptography has been tested.
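The timing leak El Kaafarani describes can be made concrete with a small example, added here and not taken from the interview or from any PQShield code. It compares a naive early-exit secret comparison with a constant-time one. Instead of measuring wall-clock time, which is noisy, each function also returns how many bytes it examined: for the naive version that count depends on how many leading bytes of the guess matched the secret, which is exactly the data-dependent timing an attacker measures, while the constant-time version does the same work for every input. The secret tag and the guesses are constructed sample values, and `hmac.compare_digest` is the standard-library primitive a practitioner should use in place of any hand-rolled loop.

```python
"""Timing side channel in a secret comparison, and the constant-time fix.

Added illustration, not code from the interview or from PQShield. The
byte count returned alongside each result is a deterministic proxy for
execution time, so the leak is visible without noisy measurements.
"""
import hmac

# Constructed sample values: a 4-byte authentication tag and four guesses.
# The first three guesses are wrong at byte 0, 1 and 2 respectively; the
# last one is correct.
SECRET_TAG = bytes.fromhex("10203040")
GUESSES = [bytes.fromhex(h) for h in ("00203040", "10003040", "10200040", "10203040")]


def naive_compare(secret: bytes, guess: bytes) -> tuple[bool, int]:
    """Early-exit comparison: stops at the first mismatching byte.

    Returns (equal, bytes_examined). The second value grows with the
    length of the matching prefix, so the running time depends on how
    close the guess is to the secret. That is the timing leak.
    """
    if len(secret) != len(guess):
        return False, 0
    examined = 0
    for a, b in zip(secret, guess):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def constant_time_compare(secret: bytes, guess: bytes) -> tuple[bool, int]:
    """Examines every byte regardless of where a mismatch occurs.

    Differences are OR-ed into an accumulator instead of triggering an
    early return, so the work done depends only on the length. This is
    the classic mitigation for the comparison leak.
    """
    if len(secret) != len(guess):
        return False, 0
    diff = 0
    examined = 0
    for a, b in zip(secret, guess):
        examined += 1
        diff |= a ^ b
    return diff == 0, examined


def work_profile(compare, secret: bytes = SECRET_TAG, guesses=GUESSES) -> list[int]:
    """Return the bytes-examined count for each guess under `compare`.

    A profile that varies with the guess means the comparison leaks.
    """
    return [compare(secret, g)[1] for g in guesses]


def check_tag(expected: bytes, received: bytes) -> bool:
    """Production-style tag check using the stdlib constant-time primitive."""
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    print("naive    :", work_profile(naive_compare))          # leaks: [1, 2, 3, 4]
    print("constant :", work_profile(constant_time_compare))  # flat : [4, 4, 4, 4]
```

The naive profile reveals the position of the first wrong byte, which is why a secret-dependent early exit must never appear in code that handles keys, MAC tags or decryption results. Note that Python itself is not a constant-time environment; the example demonstrates the algorithmic property, and real implementations in C or hardware need the same discipline at the instruction level.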
Progress in PQC Adoption
How would you say adoption is going?
El Kaafarani: The fact that a lot of companies only started when the standards were published puts us in a situation where there are some who are well advanced in their thinking, their processes, and their adoption, and there are others who are completely new to it because they were not paying attention, and they could kick the can down the road. Most of those who could kick the can down the road are those who do not sit high in the supply chain, because they felt it was someone else's responsibility. But they did not understand that when it comes to their needs and deadlines and integration, they have to influence their suppliers, and there are many things they have to prepare. That is what is going on now: a lot of them are doing that.
Now, some of those who sit high in the supply chain have made a lot of progress and have started embedding post-quantum cryptography designs in new products, and are trying to find a way to upgrade products that are already in the field.
I don't think we are in a great place where everyone is doing what they should be doing. It's not like that. But I think that last year many people were asking, "When do you think we are going to have a quantum computer?" and now they are asking, "How can I be compliant? Where do you think I should start? How can I assess my infrastructure to understand where the most valuable assets are, and how can I protect them? What influence can I have on my suppliers?" I think that is significant progress.
Is it enough? It is never enough in security. Security is difficult. It is a multidisciplinary subject. There are two types of people: those who like to build security products, and those who like to break them. We are trying to get as many of the people who like to break them as possible onto the right side of history, so that they actually strengthen products rather than leave existing ones insecure and exposed to exploitation.
Do you think we are going to make it by 2035?
El Kaafarani: I think most of our infrastructure should be quantum-safe by 2035, and that is a good thing. That is a good target. Now, what happens if quantum computers become a reality before that? It is a good theme for a TV series or a film. What happens when most secrets are readable? People are not thinking very hard about that. I don't think anyone has an answer to it.