21. January 2021

Quantum computers promise a computing capacity that today’s computers can only dream of. This opens up completely new possibilities – for example in the development of medicines, or the improvement of traffic flows or weather forecasts. But the catch is this: these supercomputers of tomorrow will be able to effortlessly hack encryption methods that are considered secure today. Lucie Plaga of TÜViT explains why this is already a problem, what post-quantum cryptography is all about, and why you don’t need a quantum computer for it.

**#explore:** **What makes the quantum computer a problem for today's encryption systems?**

Lucie Plaga: Unlike a conventional computer, a quantum computer is based on computations using quantum particles, which also allows for other computational operations. Quantum particles include individual atoms or light particles, for example. And this is a serious problem for asymmetric encryption methods. These are used wherever the communicating systems can’t exchange their “secrets”, meaning their security key, in advance. Senders and recipients use different keys—a private key and a public one that might, for instance, be stored in the cloud. All our online communication and data exchanges between vehicles, devices and machines on the Internet of Things are based on asymmetric cryptography. There’s no way a classic computer can crack this encryption, but it’s no match for a quantum computer.

**At the moment, quantum computers are still rare and a long way away from widespread use. So why is this a problem that we need to be looking at today?**

We don’t expect bigger quantum computers to be in use sooner than ten to thirty years from now. But it’s going to take time to change over from our current systems. And a lot of data and products have very long life cycles. For example, you can store health data today for decryption in ten years. And if I’m going to buy a networked device or car, I need assurances that it will continue to work in the future and can’t be hacked by a quantum computer.

**How can this problem be solved?**

Two solutions are currently being discussed: the first is quantum cryptography, which itself uses the effects of the quantum computer to run a new kind of cryptography or encryption. But this is virtually impossible to implement, and not just for small providers and products. From our point of view, what we call post-quantum cryptography makes more sense and is much more practical. Contrary to what the name suggests, it will work on today’s computers or microcontrollers, but is still safe from attacks by quantum computers.

**What distinguishes post-quantum cryptography from previous encryption methods?**

The algorithms of post-quantum cryptography have a different mathematical basis. This makes them safe from attacks by both today’s systems and quantum computers. There are currently seven finalists in the biggest standardisation process – and a number of these will be standardised in the future. Unlike today, with these procedures there won’t just be one standard for all systems and applications. Each of these algorithms has its own advantages – and disadvantages: some of them are only suitable for signatures, others for encryption; some use huge amounts of memory or are very slow. What this means is that you need to select the right algorithm for your application.

**How can post-quantum cryptography be implemented in today's computer systems?**

The good news is that we don’t need to turn the overall concept of today’s cryptography on its head; we can instead just swap individual components and algorithms. Implementing a post-quantum algorithm is just like implementing a classic one – by which I mean you use the same programming languages and hardware modules. Especially when hardware is involved – for example, a bank card chip – this is, of course, a longer process, in which manufacturers have to take into account from the outset how they’re going to make these new algorithms work on their systems. If we at TÜViT are involved in such a process, we look, for example, at which post-quantum algorithm is the best fit for the device and application in question. For a software update for a car, for example, this would be a signature algorithm to allow the car’s system to check whether the software is actually coming from the vehicle manufacturer and not from a hacker. It makes sense for companies to involve security experts in this kind of process. After all, some things can go wrong during implementation, which might mean that even a notionally secure algorithm won’t protect their secrets.

**How do such implementation errors creep in?**

There are three major types of error: first of all, you have specific implementation errors that incorrectly implement a standard. This doesn’t really happen with the manufacturers we work with. More critical and commonplace are side-channel and fault injection attacks. In the latter, the smart card, USB stick or microprocessor is stressed by voltage pulses, for example, to provoke malfunctions in the security system. Side-channel attacks transmit information through a channel that isn’t intended for this purpose. For example, attackers can draw conclusions about the key used from the device’s computing time or power consumption.

**How can these errors be avoided?**

If we’re asked to test such products, we might for instance require the cryptographic operations to be performed in a random sequence. This effectively throws a veil over the encryption processes. Another important measure is redundancy: a cryptographic computation has to be executed several times and compared internally, so that a hacker can’t “inject” errors into this computation via voltage shock, for example, as a way of bypassing the post-quantum algorithm which is in itself actually mathematically secure.

### About Lucie Plaga

Lucie Plaga is an Information Technology Security Consultant at TÜViT in Essen. A trained physicist, her area of expertise is post-quantum cryptography, side-channel and fault injection attacks, and, as a “good” hacker, she also puts the security systems of smart cards and microprocessors to the test in the hardware laboratory.