A talk at TASK
Notes
- RSA, DHKE, ECC are all vulnerable to Shor's Algorithm (it solves the DLP and the elliptic-curve discrete logarithm that these schemes rely on)
- Grover's Algorithm attacks symmetric cryptography; it is less of a threat than Shor's Algorithm
- Shor's always reduces these problems to polynomial time
- Grover's search reduces the security level of symmetric crypto, but you can increase the key size of symmetric crypto and it will usually be safe
- Grover's search only gives a quadratic speedup over brute-force key search
- Harvest Now, Decrypt Later: there are no usable quantum computers at the moment, but in the future there will be
- NIST PQC standardization timeline:
  - 2015 - NIST calls for submissions of new post-quantum algorithms
  - 2016 - 69 candidate algorithms shortlisted: lattice based, hash based, ECC based
  - NIST FIPS 203, 204, 205 released:
    - FIPS 203 (ML-KEM, key encapsulation)
    - FIPS 204 (ML-DSA, signatures)
    - FIPS 205 (SLH-DSA, hash-based signatures)
- Lattice: a grid of points in thousands of dimensions
  - Module LWE (Module Learning With Errors)
  - Module SIS (Module Short Integer Solution)
- ML-KEM (768 parameter set): the public key can be ~37x larger than a classical public key
- ML-DSA - how PQ signing works:
  - There is a context string; every time you sign, each application can sign with its own context. Verification is ad hoc.
  - So for every new application we must supply a different context
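The context-string point above, as an added example that is not from the talk: FIPS 204 prepends a domain byte, the context length and the context itself to the message before signing, so a signature made for one application's context will not verify under another's. Because no ML-DSA library is assumed to be installed, a keyed MAC stands in for the actual sign/verify primitive (labelled as such in the code); only `encode_message` is the FIPS 204 rule.

```python
import hashlib
import hmac

# Constructed stand-in key: a keyed MAC plays the role of ML-DSA sign/verify so the
# block runs offline. It is NOT ML-DSA; only encode_message() follows FIPS 204.
STANDIN_KEY = b"constructed-demo-key-not-a-real-ml-dsa-key"


def encode_message(message: bytes, ctx: bytes = b"") -> bytes:
    """FIPS 204 pure ML-DSA input encoding: M' = 0x00 || len(ctx) || ctx || M.

    The context is bounded to 255 bytes; the leading 0x00 marks the pure
    (non-prehash) variant. Because ctx is inside the signed bytes, a signature
    only verifies under the same context it was produced with.
    """
    if len(ctx) > 255:
        raise ValueError("context string must be at most 255 bytes")
    return b"\x00" + bytes([len(ctx)]) + ctx + message


def sign(message: bytes, ctx: bytes = b"") -> bytes:
    # Stand-in for ML-DSA.Sign(sk, M, ctx); a real implementation signs encode_message(...)
    return hmac.new(STANDIN_KEY, encode_message(message, ctx), hashlib.sha256).digest()


def verify(message: bytes, sig: bytes, ctx: bytes = b"") -> bool:
    # Stand-in for ML-DSA.Verify(pk, M, sig, ctx)
    return hmac.compare_digest(sign(message, ctx), sig)


def demo() -> dict:
    """A signature issued under application A's context fails under B's context or no context."""
    msg = b"approve transfer 42"  # constructed sample message
    sig_a = sign(msg, b"app-A/v1")
    return {
        "same_ctx": verify(msg, sig_a, b"app-A/v1"),
        "other_app_ctx": verify(msg, sig_a, b"app-B/v1"),
        "no_ctx": verify(msg, sig_a),
    }


if __name__ == "__main__":
    print(demo())
```

The practical consequence is the one in the notes: the verifier has to be told which context was used, so every application that signs needs its own agreed context value.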
- Hybrid algorithms: combine a classical algorithm with a post-quantum algorithm
- We don't know how quantum algorithms will develop, so we need a hybrid approach to be safe
- Layers of complexity:
  - Recent OpenSSL and nginx builds already integrate these algorithms
  - TLS 1.3 allows ML-KEM to be plugged in cleanly
  - TLS 1.3 allows classical and post-quantum keys together (hybrid approach)
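The hybrid idea above, as an added example that is not from the talk: the two shared secrets (one from ML-KEM, one from X25519) are concatenated and fed into one key derivation, so an attacker must break both to recover the session key. The concatenation order (ML-KEM first, then X25519) is my reading of the X25519MLKEM768 convention in draft-ietf-tls-ecdhe-mlkem and is an assumption; the KEM outputs are constructed random bytes, and a plain HKDF stands in for the TLS 1.3 key schedule.

```python
import hashlib
import hmac
import secrets

SS_LEN = 32  # both ML-KEM-768 and X25519 yield a 32-byte shared secret


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def combine_hybrid_secret(ss_mlkem: bytes, ss_x25519: bytes, transcript_hash: bytes) -> bytes:
    """Derive one key from both shared secrets.

    Order (ML-KEM secret, then X25519 secret) follows the X25519MLKEM768 convention
    as I read draft-ietf-tls-ecdhe-mlkem (assumption). TLS 1.3 feeds this
    concatenation into its own key schedule; HKDF with a demo label stands in here.
    """
    if len(ss_mlkem) != SS_LEN or len(ss_x25519) != SS_LEN:
        raise ValueError("unexpected shared-secret length")
    prk = hkdf_extract(b"\x00" * 32, ss_mlkem + ss_x25519)
    return hkdf_expand(prk, b"hybrid-demo" + transcript_hash, SS_LEN)


def demo() -> dict:
    # Constructed stand-ins for the two KEM outputs (a real handshake gets them
    # from ML-KEM decapsulation and the X25519 DH computation).
    ss_mlkem = secrets.token_bytes(SS_LEN)
    ss_x25519 = secrets.token_bytes(SS_LEN)
    th = hashlib.sha256(b"constructed transcript").digest()
    key = combine_hybrid_secret(ss_mlkem, ss_x25519, th)
    # Knowing only one input (e.g. X25519 broken later by Shor's algorithm) does not
    # reproduce the key; the other secret is still needed.
    return {
        "key_len": len(key),
        "deterministic": key == combine_hybrid_secret(ss_mlkem, ss_x25519, th),
        "pq_part_matters": key != combine_hybrid_secret(secrets.token_bytes(SS_LEN), ss_x25519, th),
        "classical_part_matters": key != combine_hybrid_secret(ss_mlkem, secrets.token_bytes(SS_LEN), th),
    }


if __name__ == "__main__":
    print(demo())
```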
- Performance, post-quantum vs classical:
  - ML-KEM key generation is 12x faster
  - ML-KEM encapsulation is far faster than RSA, but similar to ECC
  - TLS handshake with hybrid ML-KEM: ~2 ms of overhead, then it settles on a symmetric key, so no overhead after that
  - ML-DSA adds ~14 kB to each handshake
- IETF TA WG work is still actively in development; unfortunately PKI is not yet quantum-secure
- The openquantumsafe docker images (https://hub.docker.com/u/openquantumsafe) allow a very experimental setup where you can test some PQ algorithms and some hybrid ones
- TLS handshake time is dominated by network latency, not by the crypto
- ATMs and other physical machines have hard-coded crypto, so they are harder to migrate
- How to scan your cryptographic estate:
  - Use existing sources (cert managers, HSM logs, EDR/NDR tools, SBOM extensions)
  - Filesystem scans: detect crypto library calls and key files to find which algorithms you are using
  - Wireshark: check which algorithms are negotiated (TLS handshake)
  - testssl.sh for a command-line check
  - Static analysis of the code, e.g. Semgrep
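The Wireshark item above, as an added example that is not from the talk: the named groups a client offers live in the `supported_groups` extension of its ClientHello, so parsing that one field from a captured record tells you whether a hybrid PQ group is on the table. The ClientHello here is constructed by `build_client_hello` as a fixture (real traffic carries many more extensions); the codepoints for x25519 and secp256r1 are from the IANA TLS registry, and 0x11EC for X25519MLKEM768 is taken from draft-ietf-tls-ecdhe-mlkem as an assumption.

```python
import struct

HANDSHAKE_RECORD = 0x16
CLIENT_HELLO = 0x01
SUPPORTED_GROUPS_EXT = 0x000A
# Named-group codepoints: x25519/secp256r1 from the IANA TLS registry;
# X25519MLKEM768 = 0x11EC assumed from draft-ietf-tls-ecdhe-mlkem.
GROUP_NAMES = {0x0017: "secp256r1", 0x001D: "x25519", 0x11EC: "X25519MLKEM768"}
HYBRID_PQ_GROUPS = {0x11EC}


def build_client_hello(groups):
    """Construct a minimal ClientHello record (test fixture, not captured traffic)."""
    body = struct.pack("!H", 0x0303) + bytes(32) + b"\x00"   # legacy_version, random, empty session_id
    body += struct.pack("!H", 2) + b"\x13\x01"                # cipher_suites: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                                       # compression_methods: null
    group_list = b"".join(struct.pack("!H", g) for g in groups)
    ext_data = struct.pack("!H", len(group_list)) + group_list
    ext = struct.pack("!HH", SUPPORTED_GROUPS_EXT, len(ext_data)) + ext_data
    body += struct.pack("!H", len(ext)) + ext                 # extensions block
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE_RECORD, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def parse_supported_groups(record: bytes):
    """Walk record -> handshake -> ClientHello -> extensions; return offered named groups."""
    if record[0] != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                            # legacy_version + random
    pos += 1 + body[pos]                                    # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
    pos += 1 + body[pos]                                    # compression_methods
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    groups = []
    while pos + 4 <= end:
        ext_type, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if ext_type == SUPPORTED_GROUPS_EXT:
            n = struct.unpack("!H", data[:2])[0]
            groups = [struct.unpack("!H", data[2 + i:4 + i])[0] for i in range(0, n, 2)]
    return groups


def classify(record: bytes) -> dict:
    """Name the offered groups and flag whether any hybrid PQ group is among them."""
    groups = parse_supported_groups(record)
    return {
        "groups": [GROUP_NAMES.get(g, f"unknown(0x{g:04x})") for g in groups],
        "offers_hybrid_pq": any(g in HYBRID_PQ_GROUPS for g in groups),
    }


if __name__ == "__main__":
    print(classify(build_client_hello([0x11EC, 0x001D])))
    print(classify(build_client_hello([0x001D, 0x0017])))
```

To run this on real traffic, export the ClientHello's TCP payload from Wireshark as a hex stream and pass the decoded bytes to `classify`; the server's choice is then visible in the ServerHello `key_share`.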
- Crypto agility, but there are more agilities now:
  - Protocol agility
  - Hardware agility
  - API agility
  - Design agility
- Only 7% of US agencies are quantum secure
- Five-phase quantum migration roadmap:
  - Discover what crypto systems you are already using
  - Assess risk: what data is at risk, and categorize the risk levels
  - Experiment with different PQC algorithms (docker images, OpenSSL modes of operation)
  - Migrate: first to hybrid, then depending on the circumstances move to pure post-quantum
  - Governance: policy, crypto SBOM
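The Discover step above and the earlier filesystem-scan / static-analysis items, as one added example that is not from the talk: a small inventory scanner that walks a directory, matches crypto library calls and PEM key headers, and tags each hit with its post-quantum risk (Shor for asymmetric, Grover for symmetric key size). The detection rules and the sample files it scans are constructed for the demo and would need extending for a real code base.

```python
import os
import re
import tempfile
from dataclasses import dataclass

# Constructed detection rules (illustrative; extend for your own libraries/languages):
# (compiled regex, algorithm label, post-quantum risk note)
CODE_RULES = [
    (re.compile(r"\b(RSA\.generate|rsa\.generate_private_key|RSA_generate_key|genrsa)\b"),
     "RSA", "asymmetric: broken by Shor"),
    (re.compile(r"\b(ec\.generate_private_key|ECDSA|ECDH|X25519|SECP256R1)\b"),
     "ECC", "asymmetric: broken by Shor"),
    (re.compile(r"\b(dh\.generate_parameters|DH_generate_key|DHKE)\b"),
     "DH", "asymmetric: broken by Shor"),
    (re.compile(r"\bAES[-_]?(128|192|256)\b"),
     "AES", "symmetric: Grover halves the bit strength"),
    (re.compile(r"\b(ML[-_]KEM|ML[-_]DSA|Kyber|Dilithium)\b"),
     "PQC", "post-quantum"),
]
PEM_RULES = {
    "-----BEGIN RSA PRIVATE KEY-----": ("RSA key file", "asymmetric: broken by Shor"),
    "-----BEGIN EC PRIVATE KEY-----": ("EC key file", "asymmetric: broken by Shor"),
    "-----BEGIN PRIVATE KEY-----": ("PKCS#8 key file", "algorithm unknown until parsed"),
}


@dataclass
class Finding:
    path: str
    algorithm: str
    evidence: str
    risk: str


def scan_text(path: str, text: str):
    """Apply the PEM-header and code-call rules to one file's contents."""
    findings = []
    for header, (label, risk) in PEM_RULES.items():
        if header in text:
            findings.append(Finding(path, label, header, risk))
    for pattern, label, risk in CODE_RULES:
        for m in pattern.finditer(text):
            note = risk
            if label == "AES" and m.group(1) == "128":
                note += "; 128-bit -> prefer 256-bit"
            findings.append(Finding(path, label, m.group(0), note))
    return findings


def scan_tree(root: str):
    """Walk a directory tree and collect findings from every readable file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as f:
                    findings.extend(scan_text(path, f.read()))
            except OSError:
                continue
    return findings


def summarize(findings):
    """Count findings per algorithm label: the first cut of a crypto inventory."""
    counts = {}
    for f in findings:
        counts[f.algorithm] = counts.get(f.algorithm, 0) + 1
    return counts


def demo():
    # Constructed sample tree standing in for a real repository / config directory.
    samples = {
        "app.py": "key = rsa.generate_private_key(65537, 2048)\ncipher = Cipher(AES-128)\n",
        "tls/server.key": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEexample\n-----END EC PRIVATE KEY-----\n",
        "new/kex.go": "// migrating to ML-KEM-768 hybrid\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as f:
                f.write(content)
        return summarize(scan_tree(root))


if __name__ == "__main__":
    print(demo())
```

The per-file `Finding` records are what feeds the Assess step: the Shor-tagged hits are the ones to prioritize for hybrid migration, the AES-128 hits are a key-size decision, and the PKCS#8 hits need a proper parser before they can be classified.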
- Key takeaways:
  - Post-quantum crypto migration has a hard deadline of 2035; 2030 is when everything should be moved
  - Start with a hybrid move on TLS endpoints
  - Tons of complexity involved, like key size increases or API endpoints
  - API-breaking changes can be caused when configurations are changed
  - Make sure to build in crypto agility
- RFCs in progress at the IETF:
  - VPN
  - Hybrid scheme
  - Digital certificates
- Resources:
  - Open Quantum Safe - lots of docker images
  - The new NIST standards
  - NCCoE migration guide
- ML-DSA has the option to use ephemeral seeds, so if you care about space this is an option as well