Page 42

PQC_for_Dummies

is only certifying that the NIST-approved portion is correctly implemented and used, and it says nothing about the security of the quantum-resistant portion of the hybrid mode. Hybrid modes may be an initial step for the migration to post-quantum primitives. However, NIST continues to believe that the long term solution to the threat of quantum computers is to provide standards for post-quantum public key cryptography« (https://csrc.nist.gov/Projects/Post-Quantum-Cryptography/faqs). This is good news for applications that are, e.g., required by law to use certified implementations, but still wish to add a layer of protection against quantum attacks.

The solutions that are certifiable in this way come from two different usage scenarios: key exchange and digital signatures. For key exchange, both parties would establish two shared secrets — one with a NIST-approved current scheme and the second with a post-quantum scheme like NewHope — and then derive a session key using both secrets as input. A digital signature solution would sign a given message twice, first with a quantum-secure method, e.g. stateful hash-based signatures (HBS), and then sign the message together with the first signature again with a signature scheme validated by NIST. An area where double signatures using stateful HBS seem particularly suitable is code signing.

A real-world example of a hybrid approach to key exchange is the aforementioned experiment by Google, performed during the connection establishment between the Chrome browser and Google's servers. The initial key exchange was protected both by a standard key exchange scheme as well as by the NewHope key exchange scheme. The latter is an example of a lattice-based algorithm, which derives its strength from the shortest vector problem in ideal lattices. That problem is believed to be computationally hard and not affected by quantum computers.

Symmetric Crypto to the Rescue

Asymmetric cryptography, e.g. RSA and elliptic-curve cryptography (ECC), is based on mathematical structures. In contrast, most symmetric cryptographic algorithms can be considered wild bit-twiddling. In several iterations bits are hop-scotching about and are then given a good shaking in what feels like a cryptographic tumble-dryer. Grover's algorithm can be used to accelerate brute-forcing symmetric cryptography. The outcome is not too bad though. The effective key size is cut in half; in the age of quantum computing, AES-256 becomes as secure as AES-128 today. That is, it is still secure.
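The double-signature scheme for code signing described above (stateful HBS first, then a NIST-validated scheme over message plus HBS signature), as an added example that is not part of the original text. It uses a toy Lamport one-time signature as a stand-in for a standardized stateful HBS, takes the NIST-approved signature scheme as a caller-supplied pair of callables, and uses a constructed encoding for the HBS signature; the point it shows is the state handling, i.e. advancing the one-time key index before a signature leaves the signer and refusing to sign once the pool is used up.

```python
import hashlib
import os

def _bit(digest: bytes, i: int) -> int:
    return (digest[i // 8] >> (7 - i % 8)) & 1

class LamportOTS:
    """Toy Lamport one-time signature: per hash bit, reveal one of two 32-byte preimages."""
    def __init__(self):
        self.sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
        self.pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in self.sk]
    def sign(self, msg: bytes) -> list:
        d = hashlib.sha256(msg).digest()
        return [self.sk[i][_bit(d, i)] for i in range(256)]

    @staticmethod
    def verify(pk: list, msg: bytes, sig: list) -> bool:
        d = hashlib.sha256(msg).digest()
        return len(sig) == 256 and all(
            hashlib.sha256(sig[i]).digest() == pk[i][_bit(d, i)] for i in range(256))

class StatefulHBS:
    """Pool of one-time keys plus the index of the next unused one (the 'state').
    Reusing an index reveals enough preimages to forge, so the counter advances
    before a signature is released and refuses to run past the end of the pool."""
    def __init__(self, count: int):
        self.keys = [LamportOTS() for _ in range(count)]
        self.next_index = 0

    def sign(self, msg: bytes) -> tuple:
        if self.next_index >= len(self.keys):
            raise RuntimeError("one-time key pool exhausted; never reuse an index")
        idx, self.next_index = self.next_index, self.next_index + 1
        return idx, self.keys[idx].sign(msg)

    def verify(self, msg: bytes, sig: tuple) -> bool:
        idx, ots_sig = sig
        return 0 <= idx < len(self.keys) and LamportOTS.verify(self.keys[idx].pk, msg, ots_sig)

def encode_hbs_sig(sig: tuple) -> bytes:
    return sig[0].to_bytes(4, "big") + b"".join(sig[1])  # constructed encoding: index || preimages

def double_sign(msg: bytes, hbs: StatefulHBS, classical_sign) -> tuple:
    """HBS signature first, then the NIST-approved scheme (a callable) over message || HBS signature."""
    hbs_sig = hbs.sign(msg)
    return hbs_sig, classical_sign(msg + encode_hbs_sig(hbs_sig))

def double_verify(msg: bytes, sigs: tuple, hbs: StatefulHBS, classical_verify) -> bool:
    hbs_sig, classical_sig = sigs
    return hbs.verify(msg, hbs_sig) and classical_verify(msg + encode_hbs_sig(hbs_sig), classical_sig)
```

A verifier that accepts the bundle only when both signatures check is what makes the construction at least as strong as the stronger of the two schemes; the one-time key index must be persisted before the signature is handed out, otherwise a crash or restore from backup can replay it.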

