Post Quantum Cryptography
=========================

My thoughts on Post Quantum Cryptography in 2022

5 min read

/[cendyne: access-granted]-----------------------------------------------------\
| Today we rely primarily upon cryptography that is hard for classical         |
| computers to crack. The underlying strength relies on trapdoor functions     |
| [L1], which are easy to go one way and hard to go the other way. We consider |
| something secure if the cryptography is so hard to crack with current        |
| methods that the time taken to intelligently explore all possibilities would |
| surpass the heat death of the universe.                                      |
\------------------------------------------------------------------------------/

/[cendyne: looking-ych]--------------------------------------------------------\
| We expect the future will deliver quantum computers that can disrupt         |
| classical cryptography and undo the trapdoor functions in use today. We call |
| that future "post-quantum". Post-quantum cryptography (PQC) is cryptography  |
| that is resistant to an adversary with a sufficiently advanced quantum       |
| computer. PQC is an active field of research and PQC solutions are still     |
| being investigated and analyzed.                                             |
\------------------------------------------------------------------------------/

/------------------------------------------------------------[kyrmeso: hopeful]\
| "Crypto Agile" has been a buzz word in the security space lately. Can I be   |
| agile and transition to PQC now?                                             |
\------------------------------------------------------------------------------/

/[cendyne: galaxy-brain2]------------------------------------------------------\
| Only as an experiment! By experimenting you will see where your existing     |
| system will break. However, PQC algorithms have not reached approved and     |
| recommended status! (2022) The keys and signatures (either or) are           |
| absolutely massive. If your system limits how large your key sizes and       |
| signatures may be then your system will break because of PQC.                |
\------------------------------------------------------------------------------/

/---------------------------------------------------------------[kyrmeso: blep]\
| I've heard about doing hybrids, what about that?                             |
\------------------------------------------------------------------------------/

/[cendyne: bonked]-------------------------------------------------------------\
| Hybrids exist as a transitionary stage in case classical cryptography is     |
| broken. But the PQC side may also be broken like SIKE did [L2].              |
\------------------------------------------------------------------------------/

/-----------------------------------------------------------[kyrmeso: ych-boop]\
| What about Hybrid TLS Certificates [L3]?                                     |
\------------------------------------------------------------------------------/

/[cendyne: conspiracy]---------------------------------------------------------\
| X.509 [L4], the technology behind certificates, is an extensible             |
| specification for storing cryptographically bound assertions and             |
| establishing trust. While the technology is sound, paying money for these    |
| certificates is not. NIST and others have not settled on what our future     |
| holds. Browsers and other applications will not deploy PQC algorithms        |
| outside of limited experiments.                                              |
\------------------------------------------------------------------------------/

/---------------------------------------------------------------[kyrmeso: give]\
| My CISO thinks we should get these in production and he found a vendor ready |
| to sell us some certificates at a discount!                                  |
\------------------------------------------------------------------------------/

/[cendyne: bullshit2]----------------------------------------------------------\
| Push back on that. Wait until Let's Encrypt deploys PQC hybrid certificates  |
| before hopping on the bandwagon with any certificate authority. History      |
| repeats itself as the PKI dot com bubble [L5] toots its horns again.         |
\------------------------------------------------------------------------------/

/---------------------------------------------------------------[kyrmeso: math]\
| How would I do a crypto agile hybrid algorithm for my application?           |
\------------------------------------------------------------------------------/

/[cendyne: objection]----------------------------------------------------------\
| That's dangerous! Do you really want to roll your own cryptography [L6]?     |
| Without knowing these tools or options, you might invent a flexible          |
| cryptography engine. With that in place, can you protect yourself from       |
| downgrade attacks [L7]? Will you have dedicated resources later to migrate   |
| away from whatever crypto you invented when it breaks? PQC is an active area |
| of research. Unless you are experimenting, stay far away and do not bring    |
| cryptographic experiments into your product.                                 |
\------------------------------------------------------------------------------/

/--------------------------------------------------------------[kyrmeso: money]\
| Oh! So I should buy a product off the shelf instead! They've done the        |
| experiments already to know what's good!                                     |
\------------------------------------------------------------------------------/

/[cendyne: cupcake]------------------------------------------------------------\
| Don't waste your business's resources. PQC is still new and being evaluated  |
| by experts [L8]. Adding PQC to your application is likely premature [L9].    |
| You can be crypto agile without PQC, for more see Cryptographic Agility      |
| [L10].                                                                       |
\------------------------------------------------------------------------------/

--------------------------------------------------------------------------------

[L1]: https://en.wikipedia.org/wiki/Trapdoor_function
[L2]: https://eprint.iacr.org/2022/975.pdf
[L3]: https://archive.ph/3gsEj
[L4]: https://www.itu.int/rec/T-REC-X.509-198811-S
[L5]: https://en.wikipedia.org/wiki/Dot-com_bubble
[L6]: https://archive.ph/M1YYw
[L7]: https://en.wikipedia.org/wiki/Downgrade_attack
[L8]: https://www.nist.gov/news-events/news/2022/07/nist-announces-first-four-quantum-resistant-cryptographic-algorithms
[L9]: https://lwn.net/Articles/890788/
[L10]: /topics/crypto-agility.html
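The downgrade-attack question cendyne raises in the "objection" box above is concrete enough to show in code. The following is an added illustration written for this page, not code from the author or from any library: a toy suite negotiation in which a client and a server each advertise preference-ordered options (the suite names, the "hybrid" label and the pre-shared key are all constructed placeholders, and the key stands in for whatever secret the chosen suite's key exchange would produce). The "naive" version accepts any suite it offered; the "bound" version recomputes a MAC over the full transcript, the way a TLS Finished message does, so an in-path party that strips the hybrid option from the offer is detected rather than silently downgrading the connection.

```python
import hashlib
import hmac

# Constructed example: two parties negotiate a "suite" from preference-ordered
# offers. Suite names are hypothetical placeholders; the pre-shared key stands
# in for the secret the chosen suite's key exchange would normally produce.
SUITES_STRONGEST_FIRST = ["hybrid-pq+x25519", "x25519"]


def choose_suite(client_offer, server_offer):
    """Server-side choice: first client preference the server also supports."""
    for suite in client_offer:
        if suite in server_offer:
            return suite
    raise ValueError("no common suite")


def transcript_hash(client_offer, server_offer, chosen):
    """Hash of everything exchanged, length-prefixed so fields cannot collide."""
    h = hashlib.sha256()
    for field in (",".join(client_offer), ",".join(server_offer), chosen):
        data = field.encode()
        h.update(len(data).to_bytes(2, "big") + data)
    return h.digest()


def finished_mac(key, transcript):
    """Confirmation tag over the transcript, keyed with the agreed secret."""
    return hmac.new(key, b"finished|" + transcript, hashlib.sha256).digest()


def handshake_naive(client_offer, server_offer, key, on_wire=None):
    """No transcript binding: the client only checks that the chosen suite is
    one it offered. Returns (chosen_suite, accepted)."""
    seen_by_server = on_wire(list(client_offer)) if on_wire else list(client_offer)
    chosen = choose_suite(seen_by_server, server_offer)
    return chosen, chosen in client_offer


def handshake_bound(client_offer, server_offer, key, on_wire=None):
    """Transcript binding: the server's Finished covers the offer it received,
    the client recomputes it over the offer it actually sent. Any difference
    (a stripped option, a reordered list) makes the tags disagree.
    Returns (chosen_suite, accepted)."""
    seen_by_server = on_wire(list(client_offer)) if on_wire else list(client_offer)
    chosen = choose_suite(seen_by_server, server_offer)
    server_finished = finished_mac(key, transcript_hash(seen_by_server, server_offer, chosen))
    client_expected = finished_mac(key, transcript_hash(client_offer, server_offer, chosen))
    return chosen, hmac.compare_digest(server_finished, client_expected)


def strip_hybrid(offer):
    """Models an in-path party that removes the hybrid option from the offer
    (the party does not hold the agreed key, so it cannot forge the MAC)."""
    return [s for s in offer if not s.startswith("hybrid")]


KEY = b"constructed pre-shared key, not a real secret"

if __name__ == "__main__":
    client = SUITES_STRONGEST_FIRST
    server = ["x25519", "hybrid-pq+x25519"]
    print("naive, clean   :", handshake_naive(client, server, KEY))
    print("naive, stripped:", handshake_naive(client, server, KEY, strip_hybrid))
    print("bound, clean   :", handshake_bound(client, server, KEY))
    print("bound, stripped:", handshake_bound(client, server, KEY, strip_hybrid))
```

The naive client ends up on plain `x25519` with `accepted == True` and never learns that its stronger option was removed; the bound client also lands on `x25519` but gets `accepted == False` and can abort. Two things the toy leaves out matter in practice: the key under the MAC must come from the negotiated exchange itself (the attacker must not be able to compute it), and a failed check must end the connection rather than trigger a retry with a weaker offer, or the attacker simply forces that retry.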