This is a dire scenario and companies and governments are starting to realise this. “Every day of waiting to roll out new systems is a day of data lost,” says Tanja Lange of the Eindhoven University of Technology. For the past three years, Lange has been running a EUR 4 million project to develop cryptology that can resist the power of quantum computers. And whilst the consortium has made tremendous advances that single companies can already use, there is a growing risk that end-users do not have access to post-quantum cryptography by the time a big quantum computer is built. Cryptography consists of two main components: symmetric cryptography – the workhorse for encrypting large volumes of data and for ensuring its integrity – and asymmetric cryptography, which is needed only at the beginning of the connection in order to get a shared key for the symmetric system. As Lange explains, “Asymmetric cryptography needs easy operations in one direction and impossibly hard ones in the other, except for those that have an extra key. Such a system can be compared to a padlock that can be closed with a simple push on the shackle but requires a key to be unlocked, so there is an asymmetry between closing and opening it.” Current computers are not very good at solving the mathematical problems used in current asymmetric cryptography, whereas quantum computers have some extra operations that make them trivial to break. And as these quantum computers are expected around 2025, the clock is clearly ticking. “With PQCRYPTO we have analysed exactly how vulnerable current systems are to quantum computers, how strong other, lesser-known systems are, and how to design new ones that can stand up to attacks using quantum computers while being more convenient to use,” Lange explains. Whilst the NIST (US National Institute for Standards and Technology) is currently running a competition to define the next-generation cryptosystems based on criteria such as confidence in the security of the system, speed, size and its practicality, Lange and her team have been trying to fulfil the demand of those who do not want to wait five or seven years to protect their data. “One encryption system we have very high confidence in uses cryptographic keys of 1MB,” she explains. “Before you can start sending encrypted data, you first need to download this key. But on today's Internet, 1MB can still be problematic when network connections keep cutting.” Before this system can be widely deployed, many details still need to be worked out to avoid the likes of denial-of-service attacks. But it can already be used for file encryption or email, where keys are downloaded only once. One of the post-quantum systems developed under PQCRYPTO (Post-quantum cryptography for long-term security), called New Hope, was recently at the centre of a Google-led experiment for some of their Chrome users. They concluded that the system was usable and, should it be needed, could be deployed for all connections to Google without feeling too much load on computation or bandwidth. Despite all this progress, the road is still long before online communications become quantum-proof, and more research is needed to study the exact complexity of quantum attacks against NIST candidates, making the latter more practical and integrating them securely. As Lange points out, Internet-wide deployment will only happen when all stakeholders have agreed on a single system.
PQCRYPTO, quantum computer, asymmetric cryptography, post-quantum cryptography, data, NIST, encryption