In this article, we focus on ENISA’s perspective on quantum mitigation and integration into existing protocols.
With an estimated arrival for 2030, mainstream quantum computing will soon be here. Once it is available, data encrypted under most currently used algorithms will not be quantum-proof. If your business requires you to encrypt data and store it for an extended length of time, you are already at risk once hackers are able to gain access to quantum computers. Why? Because there is a high probability of some organizations falling victim to “harvest now, decrypt later” attacks before Quantum Computing arrives. Therefore, the time to prepare is indeed now rather than later to protect encrypted data.
In this next article in our series of post quantum perspectives from different institutions around the world, we focus on ENISA’s view and recommendations for quantum migration and integration into existing protocols.
Quantum Mitigation Methods
Even though NIST is still going through the process of approving and releasing quantum algorithms, it is advisable to begin quantum mitigation efforts before quantum computing arrives. There are two viable options at this time to do this:
- Instituting a hybrid solution of pre-quantum and post-quantum schemes,
- Taking protective measures for pre-quantum cryptography.
Hybrid Pre-Quantum and Post-Quantum Schemes
A hybrid pre-quantum and post-quantum scheme combines current classical public key cryptography, like RSA, with currently available post-quantum cryptography, like that of which has been picked by NIST after its third round of evaluations. Using such a hybrid scheme can make the migration to a standardized post-quantum scheme easier, especially when there are issues of certification and compliance. The post-quantum scheme will provide protection for encrypted data that falls victim to a harvest now, decrypt later attack.
ENISA recommends that for signature schemes, it is better to combine the two schemes, but use them independently. What this means is that two public keys are distributed, and two signatures are always sent (one for each scheme).
Protecting Pre-Quantum Cryptography
Not everyone wants to deploy post-quantum systems before standardization takes place. However, they have concerns over whether their long-term data encryption is sufficient enough to stand up to post-quantum when it arrives. For those users, it can be possible to protect their systems by using a public key operation, but by also including shared secret data in the key derivation.
Protection from man-in-the-middle attacks can be achieved through key continuity, which is included in the key agreement protocol ZRTP. While this protocol does not specify security against quantum adversaries, it does provide protection from such. Each time the public-key operation occurs, the shared secret data updates by hashing in new data. This ensures continued secrecy and post-compromise security against pre-quantum attacks.
Challenges Await with Integration
Quantum computing is expected to be a major disruptor. And this is why various institutions like NIST and ENISA are sounding the alarm to become prepared before it arrives. We have been warned for the past two decades that quantum machines are coming. But when it does come, it will make current cryptographic systems insecure. Current public key cryptography might be unable to protect what it can now, like digital signatures, electronic identities and sensitive/confidential data. Therefore, the integration of post-quantum solutions needs to begin sooner than later.
There are multiple challenges awaiting those who begin to move forward with integrating post-quantum technology into their systems. For instance, integration involves much more than simply choosing a new quantum-resistant crypto-algorithm from NIST’s approved list. Any proposed post-quantum computing migration efforts will either need to be integrated with current protocols and systems or will need to have new systems and protocols designed.
One size fits all may not be suitable for all systems. It may be necessary for some organizations to choose multiple options to deal with their different use cases. Such circumstances can increase their overhead for standardizing and implementing post-quantum migrations.
There is of course the risk factor because of some of the uncertainty surrounding the actual security levels provided by proposed PQC systems in their earliest stages. It is not inconceivable that new cryptanalytic attacks become known after current systems migrate to post-quantum computing that can thwart post-quantum algorithms.
ENISA suggests that those who are prepared to start their preparations for post-quantum technology now may need to make a trade-off. By adopting quantum resistance that has not yet been fully put to the test instead of staying with their current proven cryptosystem could put them at risk. A better solution may be to stick with a hybrid scheme and become more crypto-agile. This will allow them to be ready when post-quantum computing matures and new security models, proofing techniques and supporting tools become available to identify non-secure cryptographic tools and replace them when needed.
It is also recommended by ENISA that existing protocols may require updates and tweaks to ensure proper integration with post-quantum computing. However, it is further recommended to not make major changes until it is decided whether one or more post-quantum computing systems will be used.
In line with ENISA’s recommendations, companies now need to commence and prepare for post-quantum technology and protect the future of their business. By identifying and evaluating vulnerabilities, this leads to a quantum-safe roadmap for future proof-of-concept for products and crypto infrastructure ‘compatibility’. Start by testing PQC algorithms in your environment!