
Don’t put all the eggs in the same basket...

Any risk-averse person will tell you not to put all your eggs in the same basket, because if you stumble and drop the basket, all the eggs in it will likely get broken. In the case of cryptography and the advancement of quantum computing, it is a cautionary tale worth listening to.

NIST has been deciding on quantum-resistant algorithms which will become the next generation of cryptographic standards. However, as scrutiny focuses on the select few, we have seen successful attacks on some of the contestants. Furthermore, quantum computers draw on a different kind of computational power than current classical systems. So, there is a risk that the new standards might themselves turn out to be quantum-vulnerable in the future. What happens then?

Well, ensure your eggs are distributed in several baskets, that is, be conscious of risk diversification. NIST and many others advocate for crypto-agility, i.e. set up the encryption in such a way that if the method fails, one can easily and quickly switch to another technique. Another way to distribute the risks might be to use double or triple encryption on your critical assets. Let's also not forget that encryption is only one part of cybersecurity. To keep data in transit and data in storage protected, for example, the network and storage used have to be secured by investing in firewalls, using VPNs, ensuring systems are up to date, installing antivirus software, etc. So layering security methods, using multiple encryption and ensuring crypto-agility are some of the things to consider. Security officers have always appraised the totality of a system when ensuring protection of assets, but now they have to add a flavour of quantum computing to their strategies.
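One way to make the crypto-agility and layering described above concrete, as an added example that is not code from the original post. Keyed integrity tags stand in for encryption so that it runs on the Python standard library alone; the algorithm identifiers, policies, message and the assumption that "hmac-sha256" gets broken are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Registry of primitives; the identifiers are names chosen for this example.
REGISTRY = {
    "hmac-sha256": lambda k, m: hmac.new(k, m, hashlib.sha256).digest(),
    "hmac-sha512": lambda k, m: hmac.new(k, m, hashlib.sha512).digest(),
    "blake2b-keyed": lambda k, m: hashlib.blake2b(m, key=k, digest_size=32).digest(),
}

def protect(message, keys, policy):
    """Tag the message with every algorithm the policy names (several baskets)."""
    tags = {alg: REGISTRY[alg](keys[alg], message).hex() for alg in policy}
    return {"message": message, "tags": tags}

def verify(envelope, keys, policy):
    """Accept only if every required algorithm has a valid tag; extra tags are ignored."""
    for alg in policy:
        got = envelope["tags"].get(alg, "")
        want = REGISTRY[alg](keys[alg], envelope["message"]).hex()
        if not hmac.compare_digest(got, want):
            return False
    return len(policy) > 0  # an empty policy must never accept anything

def migrate(envelope, keys, old_policy, new_policy):
    """Re-protect under a new policy, only if the data still passes the old one."""
    if not verify(envelope, keys, old_policy):
        raise ValueError("refusing to migrate data that fails the old policy")
    return protect(envelope["message"], keys, new_policy)

# Constructed scenario: v1 is in force, then "hmac-sha256" is assumed broken.
POLICY_V1 = ("hmac-sha256", "blake2b-keyed")
POLICY_V2 = ("hmac-sha512", "blake2b-keyed")

def demo():
    # One independent key per algorithm: breaking one says nothing about another.
    keys = {alg: secrets.token_bytes(32) for alg in REGISTRY}
    env = protect(b"transfer 100 to account 42", keys, POLICY_V1)
    # Forger who can produce valid tags for the broken algorithm only.
    forged = {"message": b"transfer 900 to account 66", "tags": dict(env["tags"])}
    forged["tags"]["hmac-sha256"] = REGISTRY["hmac-sha256"](keys["hmac-sha256"], forged["message"]).hex()
    return {"valid_v1": verify(env, keys, POLICY_V1),
            "forgery_v1": verify(forged, keys, POLICY_V1),
            "old_under_v2": verify(env, keys, POLICY_V2),
            "migrated_v2": verify(migrate(env, keys, POLICY_V1, POLICY_V2), keys, POLICY_V2)}

if __name__ == "__main__":
    print(demo())
```

Because the policy is data rather than code, retiring an algorithm is a one-line change plus a `migrate` pass over stored envelopes, and the second tag keeps the forgery out while that migration is still under way.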

We don’t fully know yet how the technology will evolve. It will likely be used as both an offensive and a defensive tool in the future. For now, we can imagine and we can prepare by eliminating single points of failure and having redundancies built into the system.

And if the worst-case scenario – that a system is quantum-vulnerable and gets compromised – happens, what can then be done? Report it? Think of legal and reputational repercussions? Find a way to change the value of the compromised data? It is a hard question, and each group has to make its own contingency plan based on the value of its assets.


The Chosen Ones – NIST PQC

Since my last blog post... no wait... let me set the scene: NIST has chosen the future warriors (winners of its Post Quantum Cryptography competition) of cryptography from round 3 and kept potential contestants for another round 4! A mere month later, one of those contestants fell down on the spear of researchers and, for some added theatrics, a justiciar came into play around the same time. (Dear readers, can you tell I’ve been watching many dramas with my Mum over the holidays?)

On 05 July 2022, NIST (National Institute of Standards and Technology) chose the CRYSTALS-Kyber technique to be standardised for general encryption, and CRYSTALS-Dilithium, FALCON and SPHINCS+ to be standardised for digital signatures, with a further four techniques still in review for general encryption (round 4). CRYSTALS-Kyber, CRYSTALS-Dilithium and FALCON are based on the mathematical problem of structured lattices, and SPHINCS+ is based on hash functions.

This, however, is not the end of the line. The warriors now need to train before they can fight the just fight and become the real heroes! In other words, these four techniques will now need to become standards that the industry can take and implement in their systems. This process is expected to take another two years. Guidance on migrating from quantum-vulnerable techniques to the quantum-resistant techniques has to be developed. Organisations across the world need to be prepared, e.g. methods on how to implement the standards in a crypto-agile manner need to be looked at. It will not be without challenges and it will not be an easy task. However, the sooner the standards are ready, the quicker assets that are vulnerable to “harvest now, decrypt later” attacks can be protected.

The warriors also have four supporting fellows in the next round of elimination: BIKE, SIKE, Classic McEliece and HQC. But drama was not far away when, not even a month later, SIKE fell. The NIST competition encourages public scrutiny, and the SIKE algorithm was broken through research done at KU Leuven university. PQC Rainbow was another technique that fell earlier in the year, in February. Although these caused speculation in the media about the techniques being evaluated, at this experimental level it would be more concerning if all the algorithms passed without issues. Plus, with a select few algorithms around, attention is focused on them. The competition is working as intended and it is a worthy fight.

There is a question of whether it should have taken as long for scrutiny around the algorithms to kick in, and of the nature of the investigations performed. Within a month of the chosen warriors taking position on the podium, a justiciar questioned the transparency of any communication between NIST and the NSA (National Security Agency), and what that entailed for the competition selections (and for general public security and privacy rights). Well-known post-quantum cryptography scientist Daniel J. Bernstein has filed a lawsuit against NIST for not divulging information about its cooperation with the NSA. That said, the algorithms are public and can be accessed, researched and investigated throughout the world and throughout the cryptography community.


Happy World Quantum Day! And a little bit about standardisation!

After a busy few months, I had to make time for a post. Mainly because I couldn’t let the first Quantum Day (14 April 2022) pass without having spent some brain cells on a quantum topic!

Recently, my focus on Quantum Technologies took a backseat while I adapted to something new. I have kept reading relevant articles when I could and made a point to attend my regular quantum computing centred meetups to keep an eye and a foot in… so to speak. Still, I have some catching up to do and this post might have more questions than answers as I navigate and research my thoughts. On the plus side, having questions is always a good starting place!

For the cybersecurity sector, the year 2022 can be a determining one. NIST is expected to announce the “winning” algorithms from their Post-Quantum Cryptography (PQC) competition and this will then bring about a new standard in cryptography. In this post, I want to catch up on the competition status and the latest news. I also touch on the idea of standardisation in Quantum Computing.

Shor’s algorithm and Grover’s algorithm, devised around three decades ago, combined with the processing power of commercial quantum computers expected within the next decade or so, will break or greatly diminish the cryptography-based security of our technological world today. Shor’s algorithm, for example, could be used to break the factorisation problem behind RSA, which is the underlying mathematical problem protecting transactions on the internet. The current cryptography standards will become unsafe. Since 2009, NIST has been looking at post-quantum cryptography methods (classical, quantum or a combination of both) that will not be broken with the advent of quantum computers, and from 2016, a call for proposals for post-quantum cryptosystems was made to the public. Unlike previous competitions, a clear winner is not expected, due to the ongoing development in all aspects. Instead, a select few that have gone through NIST and public scrutiny will become the new standards. Thus, NIST is urging the industry to be open-minded and crypto-agile, i.e. whichever system you move to, be ready to change if for some reason that system is no longer deemed secure.

In 2022, the analysis of the proposals is in its 3rd round. From the 69 proposals in round 1 in 2017, 15 candidates remained at the beginning of this year and are under rigorous scrutiny. Attack proposals have already been placed on two finalist candidates, in 2021 and in 2022. Now, one question would be: do we know all the attack prospects of the finalists? Discovering a weakness in a finalist that could become a world standard... would not disclosing that vulnerability be an advantage for the nefarious-minded?

It is worth noting that the NIST competition is not close-ended either; they are open to new evaluations. For example, 8 of those 15 candidates in round 3 are alternate candidates who showed potential and could possibly go to a 4th round. From the 7 finalists including the two with attack proposals (it will depend how they handle the attacks, I presume), the initial standards will be chosen this year or at least by 2025.

If you use cryptography to secure your systems, the crypto-standards will change very soon and it will require some work to get the systems to the new standard. NIST will of course provide guidelines. This brings me to my next questions! Currently, how many systems are actually within existing standards? Can we expect resistance from companies to move to new standards? Are stakeholders and end-users aware of the crypto standards protecting their assets? Will there be compliance or certification required, and will those be region-oriented, e.g. for the UK, will this be governed by the National Physical Laboratory (NPL)? Finally, will there be sanctions or legal repercussions if a system is not transitioned to a new standard within a time limit? On the promising side of all these questions, the quantum industry and community are new and are aware of security aspects and standardisation benefits, thus everybody is designing, building and growing together from the outset.

Related Quantum Cybersecurity topics I would like to eventually explore are the standardisations expected for Quantum Key Distribution and Quantum Random Number Generators. I would also like to explore and reflect on the first set of Quantum Computing Governance Principles published by the World Economic Forum in January 2022, with particular attention to the themes of Security, Privacy and Standardisation.