Quantum-safe: Hype and Reality

Quantum computers as a risk

For the past decades by now, quantum computers have been hyped up as a massive risk to current asymmetric key exchange methods such as Diffie-Hellman and RSA. However, quantum computers are still in an embryonic stage despite decades of massive financial support. For the next few years, it can be assumed that there will be no quantum computer that poses a serious threat to current asymmetric key exchange methods. There is however a risk that data traffic will be recorded and can be cracked if a capable quantum computer becomes available. However, this only applies to current asymmetric key exchange methods and to symmetric keys with less than 256 bit key length. For a detailed look at this, see the article "Quantum-safe Cryptography: Hype vs. Reality"  Studies and recommendations from the German Federal Office for Information Security (BSI) on the subject can be found here

Protection against quantum computers

To protect against successful attacks on key exchange and encrypted data from both classical and quantum computers, there are basically five options:

  1. Symmetric key exchange
    On the one hand, fully symmetric methods require the prior distribution of a secret shared with the other participants. The serious drawback is the lack of perfect forward secrecy. If the shared secret becomes known, all previously recorded communication can be decrypted.
  2. Asymmetric key exchange with additional symmetric key as element
    There is also the possibility of additional use of a pre-distributed symmetric key, which combines the advantages of a symmetric key in terms of resistance with the advantages of asymmetric key exchange. The symmetric key and the key resulting from the asymmetric key exchange are both used as input for the actual key obtained through a key derivation function. However, there remains the problem of secure distribution and storage of the symmetric key. 
  3. Symmetric encryption of asymmetric key exchange
    Symmetric encryption with sufficiently long keys is quantum secure. With a symmetric signature, an asymmetric key exchange method can be symmetrically secured. This is the most efficient method for network encryption, but is only practical for static inter-site networks. A further method is to encrypt the control plane as the network between devices at network layer with symmetric encryption.
  4. QKD (Quantum Key Distribution)
    QKD transmits keys as photons over an optical link. The maximum terrestrial distance is less than 200km. QKD is only practical for static site networks and requires an optical link for this purpose. The most serious disadvantages are the need for an optical link, the short terrestrial distance and the cost. Since it does not work over terrestrial packet networks such as Ethernet or IP, its use is limited to optical Layer 1 networks. While QKD over satellites is a further option, it is a very inefficient way due to the complexity and the cost. Furthermore, weather conditions do impact the transfer of photons. Devices must also authenticate each other, and this is done in a traditional way.
  5. PQC (Post-Quantum Cryptography)
    A general-purpose solution is offered by the use of key exchange methods that are also resistant to attacks by quantum computers. Several such techniques are available, but so far their resistance to attacks by quantum computers has not been proven. There are initial systems that already implement PQC. One of the first was a Layer 3 (IP) encryptor developed by VDOM Research in Russia using Kyber1024. In the meantime, there are also established vendors such as Atmedia, Secunet and Securosys, which started to provide optional support for Frodo, a quantum-safe key exchange method, since 2020. In the meantime, vendors have emerged that falsely claim to be the first to offer quantum-safe key exchange. In general, however, it should be noted that the chosen algorithms in their current form do not necessarily correspond to what will be widely used in a few years. Currently, the algorithms are not yet fully mature and tested. A competition is currently underway in both the USA (NIST) and China that should lead to the standardization of PQC algorithms.

QRNG (Quantum Random Number Generator) do not provide any additional security benefit

Random number generators generate random numbers. For that it needs a good entropy source and that is definitely present in a QRNG. Only that the random number with good entropy does not protect in the least against attacks by quantum computers and is therefore not quantum safe. Moreover, there are many possibilities for a good entropy source. And such are widely used. Just not in purely software-based solutions. And QRNG is hardware.

QKD and QRNG: The Q for Quantum as a marketing tool

From a marketing point of view, QKD and QRNG are optimal for confusing customers. QKD makes sense in very few cases. Over long distances, QKD does not work terrestrially. And operating an optical network just to be able to exchange keys via photons makes no sense. At most in combination with layer-1 encryptors for optical networks over short terrestrial distances. Distances can be covered by satellites, but this is not only extremely costly and inefficient for achieving quantum security, but also depends on the weather conditions at the transmitter and receiver. Quantum security can also be achieved much more cost-effectively and efficiently. Symmetric overcryption of asymmetric key exchange is less expensive, also works with packet networks, and is quantum secure.

Migration to post-quantum cryptography

At some point, there will be powerful quantum computers. We should prepare for that. The BSI has published recommendations for action based on the state of the art. They provide a good overview of the possibilities that already exist and show how migration to PQC is possible.