By Thomas Pöppelmann, Infineon Technologies AG, Germany
Currently, the confidentiality and authenticity of communication between smart cards, smart phones, computers, servers, or industrial control systems is protected by cryptographic functions like digital signature and public-key encryption schemes. These schemes are usually based on RSA or elliptic curve cryptography (ECC). A widely used Internet standard that heavily relies on RSA and ECC is Transport Layer Security (TLS). When a website is accessed using “https” then TLS establishes an encrypted channel between the server and the browser. The authenticity of a website is checked in TLS using a public-key infrastructure where a chain of digital signatures allows the attribution of a public key to a specific site. Other examples for commonly used protocols are PGP, GPG, and especially S/MIME, which is popular in enterprise environments to encrypt email communication.
Today, cryptographic schemes like RSA and ECC are known to provide a high level of security. On classical computers the underlying factoring (RSA) and the discrete logarithms problem (ECC) turn out to be tremendously hard. However, when Peter Shor introduced his quantum-factoring algorithm in 1994, he showed an approach to break RSA and ECC on a then theoretical machine – the quantum computer. As a powerful enough quantum computer would factor the public key of the RSA cryptosystem in polynomial time, even largely increased parameters would not thwart this attack. Additionally, Shor’s algorithm can also be adapted to break ECC-based public keys. Moreover, symmetric cryptography, like AES or Triple-DES, could also be attacked quantumly by a different algorithm proposed by Grover. However, today it is common sense that a suitable countermeasure against Grover’s algorithm is the doubling of the length of the secret key (e.g., to move from AES-128 to AES-256). And it is important to note, that even though quantum computers are not available, yet, there is already the risk that they might be used in the future to break the encryption of communication data stored today.
One question is now – what makes quantum computers so powerful? Shortly described, quantum computers make direct use of quantum mechanical phenomena to accelerate processing. They operate on so-called quantum bits or qubits. Due to the superposition principle the qubit’s state is a probability what value (either zero or one) the qubit will become when it is measured in a process that also destroys the superposition. Another core principle of quantum computers is the principle of entanglement. By certain manipulation, qubits could be placed in connected state so that single qubits are meaningless and only the whole entangled state is important. A quantum algorithm now tries to manipulate the superposition of qubits in such a way that the correct solutions in the large solution space becomes more likely, when the qubits are measured, while wrong solutions get canceled out.
For years the construction of an adequately powerful quantum computer has been an extremely complicated and expensive endeavor. However in recent years the view is changing as some promising results appear that also spark further interest by governments and industry. Some experts forecast that the development of quantum computers capable to run disrupting algorithms like Shor’s or Grover’s might be realistic within a timeframe of 15 to 20 years.
To counter expected dangerous consequences associated with the launch of quantum computers, extensive research and development of alternative quantum safe cryptosystems is required. The most important approach is post-quantum cryptography (PQC). PQC refers to new cryptographic algorithms, executed on classical computers, that are supposed to be based on mathematical problems and foundations that are hard to solve – even for quantum computers. Usually, PQC schemes have the same high-level behavior as currently available ciphers so that they can act as a drop-in replacement. Among different flavors of post-quantum cryptography, lattice-based cryptography can be seen as promising, as it allows the construction of asymmetric public-key encryption and signature schemes that are well balanced in their security level, performance, and key as well as ciphertext sizes. However, the implementation of post-quantum cryptography is challenging as new solutions have to be found to overcome hardware constraints and as the schemes still need to be tuned for practical usage. One solution that tries to provide an easy to implement and secured cryptosystem is the so-called lattice-based NewHope key exchange scheme developed by Alkim, Ducas, Pöppelmann, and Schwabe. NewHope is designed to replace (or complement) current Diffie-Hellman or Elliptic Curve Diffie-Hellman-based key-exchange mechanisms to obtain long term confidentially, e.g., for TLS. NewHope achieves about 256-bits of security against known quantum adversaries and is about as fast or faster as ECC while having a ciphertext size of 2048 bytes. In 2016, the New Hope algorithm was successfully tested by Google in a public beta version of the Chrome browser.
As a leading provider of security solutions, Infineon actively researches the efficient implementation of PQC algorithms. With an implementation of the NewHope algorithm Infineon shows that PQC can be executed on contactless smart cards. The used SLE 78 chip family is popular in high-security applications like passports and ID cards. With this work the first step towards security in a post-quantum world is already done. Nevertheless, to establish an appropriate future level of security, more research is required that focuses on the optimization of PQC schemes for practical usage and on the implementation for low energy consumption, low memory footprint, and high security. Besides that, it seems that a post-quantum world will require cryptographic agility. This term describes the ability to switch, replace, or supersede cryptographic algorithms quickly in protocols as more and more cryptographic standards emerge. Recognizing the importance of these challenges, Infineon continuously collaborates with the academic community, customers and partners. And it pushes for future standards that can be executed efficiently and securely on small and embedded devices. This places Infineon in a pioneering position for quantum resistant encryption and authentication executed on security ICs.