- Current data security needs include the diversification of cryptography, the need to achieve mutual trust in the cyber world, the complex topology of data encryption and, of course, quantum resistance. Existing data security techniques are outdated and not capable of addressing these challenges.
- The quantum threat is getting more real every day and has already been reshaping the way we think about data encryption. Large-scale quantum computers, capable of efficiently breaking the existing public-key cryptography, are expected to be operational in the next 10 years; therefore, there is a rather tight deadline for developing and implementing an adequate defence. The solution is post-quantum cryptography, with its cryptographic algorithms able to provide quantum resistance when implemented on today’s computers.
- Cryptographic agility is an approach to the solution required to meet current and future data security demands. Agile cryptography will provide the basis and the platform for system flexibility and the ability to adapt quickly to newly developed cryptographic algorithms.
e are currently living in a world with zettabytes of digital data. The amount of data has been growing exponentially, doubling every two years, and this growth trend is expected to continue toward 2020 and beyond. Much of this data is private and sensitive; therefore, it requires protection, which in our digital age implies encryption. There are numerous security standards and guidelines that state the need for such protection; however, most of them do not answer the “how?” question. Fortunately, this is not the case with cryptographic standards, such as the National Institute of Standards and Technology (NIST) Suite B, which attempts to answer this question and acknowledges the importance of constant change and evolution to adapt to growing data security demands. A cryptographic algorithm or protocol update is usually needed if an encryption algorithm becomes weak or is expected to soon be totally broken. Since modern information technology (IT) infrastructures are large and complex, it might take them years to switch to a new encryption standard. What would happen to all the valuable and increasingly vulnerable data in the meantime, during the transition?
A few years ago, conducting such a transition was still a manageable task, but this is no longer true. Transitions become inefficient and incapable of keeping pace with the rapidly growing IT environment and the constant discovery of cryptographic vulnerabilities. In addition, an increasing number of countries are developing and adopting their own cryptographic standards. As the old approach to data encryption updates does not work anymore, the obsolete methodologies should be deprecated in favour of more flexible and efficient options that support changing data protection and encryption standards. This shift to cryptographic agility is the most reasonable approach to ensure data safety now and in the foreseeable future.
A Brief History of Cryptographic Standards
The concept of cryptographic standards goes back to the 1970s and describes cryptographic algorithms, which are considered safe to use for symmetric-key encryption,1 hash functions,2 digital signatures,3 key agreements4 and public-key encryption.5 Abbreviations such as RSA (Rivest, Shamir and Adleman), AES (Advanced Encryption Standard) or ECC (elliptic curve cryptography) are known well beyond the cryptographic or IT community. The cryptographic standards are constantly evolving: whenever a cryptographic algorithm becomes weak or broken, it needs to be replaced, which was the case with SHA-1 (Secure Hash Algorithm 1).6 Cryptographic standards are developed and adopted on different levels: besides global standards, some countries and corporations create and implement their own sovereign cryptography, which further increases the diversity of cryptographic standards.
Furthermore, the quantum threat anticipated in the foreseeable future has already had an important influence on cryptographic standards, as the standards must again change to provide quantum-resistant algorithms. Currently, NIST and other cryptographic standardization bodies are holding a post-quantum crypto competition to discover, analyze and establish new algorithms that could be candidates for inclusion in quantum-safe standards.
Another approach to security in the quantum world is using quantum signalling, namely the QKD (quantum key distribution) solution; however, this solution can be applied only to common secret-key establishment, which could basically be viewed as the key agreement protocol. Since it has other significant limitations, including the need for totally new hardware for all users on the network and physical distance constraints, the QKD solution may be appropriate for specialized environments, but not for large-scale usage, contrary to post-quantum solutions that can be used on classical computers.
The Quantum Threat
Quantum computers already exist today. At this point, they are small-scale, but in 10 to 15 years — or even sooner, according to some industry experts — large-scale quantum computers will become a reality. They will bring numerous benefits by performing faster computations, finding optimal solutions and cracking some of today’s unsolvable problems. This prospect appears to be exciting, until the possibility of quantum computers solving the so-called “hard problems” — the mathematical problems currently considered “realistically unsolvable” by means of classical computers — is considered. Such a development would attack the cornerstones of modern cryptography. In the hands of an adversary, these great computational capabilities may become a powerful weapon and a serious threat to data security.
How exactly is cryptography affected by quantum algorithms? A quantum computer delivers an exponential speed-up in performing an unsorted database search, using the famous Grover’s quantum algorithm (Grover 1996). This speed-up reduces the security level by a factor of two and applies to any symmetric cryptographic primitive, including encryption schemes (such as AES), hash functions (such as SHA-3) or message authentication codes (MACs). For example, AES-128 has 128-bit “classical” security, which is currently considered a minimum accepted security level for “safe” cryptography; however, for a quantum adversary, it will provide only 64-bit security. This is a crucial consequence that must be addressed. Fortunately, there is a fix: the size of keys for all symmetric cryptographic primitives will need to be doubled.
Asymmetric cryptography is in a significantly worse situation. Using a very clever quantum algorithm by Shor (1994), quantum computers will be able to efficiently factor integers and find discrete logarithms: these are the problems that guarantee the security of all contemporary standardized public-key cryptography, which includes public-key encryption schemes (such as RSA), key agreement schemes (such as Diffie-Hellman) and digital signatures (such as ECDSA [Elliptic Curve Digital Signature Algorithm]). This means that all of today’s public-key cryptography will be broken by quantum adversaries and, contrary to symmetric cryptography, there is no fix, and the entire public-key cryptography must be replaced by post-quantum cryptographic schemes. Such a transition is feasible, but the technological and implementation process is time-consuming and complicated.
A decade ago, it was conventional to use one or just a few cryptographic standards, and potentially devastating attacks on data, in some distant future, were not perceived as a tangible and recurring threat. Since then, things have changed and neither the old approach to data security nor the current infrastructure is capable of meeting the challenge of constant diversity and change. The solution to this challenge is agility — cryptographic agility.
Whenever a cryptographic algorithm is found to be vulnerable to a certain attack, it can take years to switch from that algorithm to a newer and safer one, due to the incompatibility of software and hardware cryptographic implementations. As different cryptographic algorithms have different input and output parameters, a lot of the software and hardware around them would require adaptations, re-coding or even replacement. But in this fast-paced world, we cannot afford the luxury of hard-coded cryptographic implementations, which jeopardize the safety of sensitive data and communications by taking a long time to switch the encryption component. Cryptographic agility will support swappable cryptography in real time, ensuring continuous data protection.
The world has been moving toward diversified cryptographic standards, which creates a complex compatibility problem for communications between the parties that use different cryptographic standards. A cryptographically agile platform would allow a plug-and-play installation of the different cryptographic modules required to establish a secure connection. It would also solve the mutual trust issue that currently exists.
As for data encryption, there is a complex and constantly changing multi-level hierarchy of data encryption requirements, which largely depend on data classification and usage, including commercial, government and military. Thus, “hard-coding” the requirements of such complicated topology is problematic; they should instead be managed and efficiently addressed by cryptographic agility. This will allow the grading of data according to its protection level and apply a specific data encryption algorithm, required by the regulations. If requirements change, the flexible system will support an easy crypto replacement. Importantly, this approach provides control of data classification and security through cryptographic agility.
Cryptographic agility is no longer nice to have, it is a must-have. Sticking to old methods will not be sufficient, even in the near future. There is a strong threat of losing large quantities of extremely sensitive data or being unable to meet the rapidly increasing data protection requirements. Switching to agile cryptography will not only address the above difficulties and demands in a much easier, secure and efficient way, but will also provide a comprehensive platform for cryptographic development for many years — even decades — to come.
As stated above, there is a rather tight deadline of less than 10 years to address the quantum threat throughout the whole IT infrastructure. Currently, there are two proposed solutions: quantum cryptography (namely the QKD) and post-quantum cryptography. Regrettably, QKD is limited to only key agreement techniques, has physical distance constraints and requires a very expensive hardware change. Post-quantum cryptography works on the algorithm level: although its cryptographic algorithms run on classical computers, they are based on intractable and hard problems for quantum computers.
As symmetric cryptography can efficiently address the quantum threat by increasing key sizes, most post-quantum research and development has been happening around public-key cryptography. Over the past few years, the following six major groups of solutions have been proposed:
- elliptic-curve isogeny-based cryptography;
- hash-based signatures;
- lattice-based cryptography;
- code-based systems;
- multivariate polynomials-based systems; and
- other, such as braids-based cryptography.
The first three groups on the list seem the most promising. But as each of the categories has pros and cons, a combination will most likely be required for a new quantum-resistant cipher suite.
NIST, foreseeing an approaching quantum threat, has announced a call for proposals for post-quantum cryptography standards.7 The US National Security Agency has also made an announcement with regard to the need for post-quantum standards. Organizations such as the European Telecommunications Standards Institute are also taking steps in this direction.
Post-quantum solutions are available today. In fact, they are commercially available. However, time is the crucial missing piece of this puzzle for the IT community. The standardization process will take at least five more years. The technological and organizational switch might take considerable time, unless the actions of transitioning to post-quantum cryptography are taken today.
Some of the reasons for switching to post-quantum cryptography in a timely manner are:
- the technical transition is going to take years;
- for many products, the production cycle can be a decade or even two;
- the messages encrypted with classical techniques today can be successfully decrypted tomorrow by quantum adversaries; and
- quantum computers might be here sooner than we expect.
What is standing in the way of progress, given that post-quantum solutions already exist? Primarily, it is lack of awareness: many industries are either unaware of or do not completely understand the consequences of not addressing the quantum threat as soon as possible. Additional efforts are required to raise awareness of the fact that in order to preserve data security, urgent measures should be taken to adopt post-quantum cryptography.
The world is rapidly changing. From the perspective of data security and cryptography, numerous approaches and demands are being observed that were not present a decade or two ago. They include the diversification of cryptography, the re-establishment of mutual trust in the cyber world and the complicated topology of data encryption requirements, not to mention the quantum threat. The old and established methods are slow and lack flexibility — they have been struggling to meet the above challenges.
The solution to these ongoing challenges is cryptographic agility. Contemporary data and communication infrastructures are so complex and on such a large scale that non-agile approaches are not capable of properly addressing all transition needs within the rather tight deadline imposed by the increasing change, which will cause major data loss and breaches.
The quantum threat is approaching, and although large-scale quantum computers might only be available in about 10 years, we are already affected by them, as the data encrypted today could be recorded by adversaries and decrypted once they have a quantum computer in their possession. The solutions are already available and post-quantum cryptography implemented in a timely manner will be able to handle the quantum threat, but the IT industry requires greater awareness and understanding of cryptographic agility as the crucial component for managing this transition and adapting to the quantum-resistant development.
In summary, the world of data security has been dramatically changing while setting new requirements, which cannot be efficiently addressed by the old data protection techniques. New methods, namely post-quantum cryptography and cryptographic agility, must be adopted.
1 Encryption schemes where two parties use the same shared key to encrypt and decrypt.
2 One-way function from arbitrary-size information to fixed-size output. It should be computationally infeasible to reverse hash function computation.
3 A computation on the data value that can be verified by other users with public information. Used to ensure that the data origin and data content have not been modified or forged.
4 Methods of establishing a common secure key by two parties, by exchanging their public information over an open (unprotected) channel.
5 Methods for encrypting data using the receiver’s public key and decrypting data using own private key.
6 Practical collision attack was performed.
7 See https://csrc.nist.gov/Projects/Post-Quantum-Cryptography.
Grover, Lov K. 1996. “A fast quantum mechanical algorithm for database search.” In Proceedings of the twenty-eighth annual ACM symposium on Theory of computing, 212–19. New York, NY: ACM. DOI: http://dx.doi.org/10.1145/237814.237866.
Shor, P. W. 1994. “Algorithms for quantum computation: discrete logarithms and factoring.” In Proceedings of the 35th Annual Symposium on Foundations of Computer Science, 124–34. Washington, DC: IEEE Computer Society. https://doi.org/10.1109/SFCS.1994.365700.