Quantum computers will rapidly solve complex mathematical problems. This includes the ability to break both RSA and ECC encryption in seconds. In response, NIST has been leading an effort to define new cryptographic algorithms that will withstand attacks from quantum computers.
NIST started this process in 2015. Beginning with almost 70 candidate algorithms, NIST narrowed the field down to a set of finalists over 3 selection rounds. We now have a well-defined set of algorithms that are potential replacements to the currently used algorithms. Implementations of each finalist are available. NIST is expected to announce the initial set of algorithms to be standardized within just a few months.
With implementations of the finalist algorithms available and standards forthcoming, companies will begin in earnest to migrate from classical crypto solutions to the new post-quantum crypto (PQC) algorithms. As companies begin this process, some of the questions they must answer are: where are hardware implementations required, and where are software implementations sufficient?
Migration to post-quantum crypto algorithms
Migration to PQC algorithms is a major undertaking. Digital certificates using RSA or ECC encryption are used to provide identities and enable secure communication for everything from websites, DevOps processes, credit cards, and cloud services to connected vehicles, IoT devices, electronic passports, document signing, and secure email. Use of ECC and RSA encryption is pervasive; all systems using RSA and ECC encryption will need to be updated to use the new PQC algorithms.
Many large enterprises are already planning for this migration. Some have created a “Crypto Center of Excellence” or similarly named group to lead this effort. Due to the number of systems requiring updates, and the interdependencies of these systems, this will be a large, multi-year project for most enterprises.
For most enterprises the first step is cataloguing their systems using encryption. Next, companies must determine the risk associated with each system. They can then begin developing a roadmap for migration to PQC.
As part of this process, companies need to identify the details of crypto implementations, including:
- What systems are using classical encryption algorithms (RSA or ECC)?
- Which encryption algorithms are used?
- What processes on each system are using encryption?
- What are the dependencies between systems using encryption?
- Where on each system are cryptographic primitives implemented? (In hardware or in software)?
- For software implementations, what software libraries are used?
Once this information is available, a roadmap to update crypto components can be developed. RSA and ECC encryption are frequently used for secure communication, so companies must take into consideration dependencies between systems and devices. If one device is updated, but the systems it communicates with are not, the devices will either fail to communicate or will revert to using classical crypto until all devices are updated.
Supply chain considerations and post quantum crypto implementations
With a full inventory of systems using cryptography in hand – including details on algorithms, crypto libraries and hardware accelerators used – they can begin planning to migrate to PQC. Planning must take into consideration where systems are sourced and what systems are internally controlled vs. externally controlled. Many enterprise systems include hardware and software components developed by third-party vendors. The process of upgrading will require coordination across the entire supply chain.
Crypto implementations may be built into many different layers of the technology stack. Hardware platforms often include crypto acceleration and hardware-based secure key storage. The operating system may utilize the hardware crypto primitives but may also include a crypto library. Furthermore, applications may include their own crypto libraries.
On systems with multiple applications, several crypto implementations may be present and each needs to be updated. Furthermore, these systems rely on digital certificates issued by a PKI system or certificate authority that must also be updated. Migration to PQC algorithms requires all these systems to be updated in a coordinated fashion.
In addition to supply chain considerations, organizations need to address interoperability with partners, customers, and third-party service providers. These systems will also require updating, and these updates must be coordinated to ensure ongoing compatibility.
It should be clear by now that migration of existing systems to PQC algorithms requires significant coordination between internal software development groups, vendors, partners, and customers. For each system, both internal and external, it is important to determine where the crypto algorithms should be implemented. Should software-based crypto libraries be used? Or is there a need for hardware-based crypto primitives?
It will be no surprise, there is no one-size-fits-all answer to this question.
For many systems, initial migration to PQC will require use of software libraries with PQC algorithms implemented in software. This is the fastest upgrade path. It will allow independent upgrades to software applications, without dependency on new hardware or operating systems. Given the complex set of dependencies, this is a necessary step.
Starting with software-based PQC reduces dependencies on long hardware design lifecycles and hardware update schedules. New hardware designs generally take 12-24 months. Even if companies are starting now, platforms will not support PQC algorithms in hardware for at least a year or two. Once new hardware designs are available, companies will need to plan the rollout of new hardware. Generally, companies cannot afford to replace all hardware systems at once.
Once hardware support for PQC becomes available, companies can begin migrating to hardware-based PQC, but it will take years to replace all platforms with new systems providing PQC in hardware. Software-based PQC solutions provide a critical migration path.
The flip side of this argument, however, is that hardware-based support for crypto implementations provides a greater level of security than software-based systems. Current security best practices rely on using a crypto co-processor such as a TPM chip, Secure Element, or HSM to perform security critical operations. This allows isolation of cryptographic keys in hardware that cannot be accessed by application code; protecting them, even if the device is compromised by a cyberattack. These crypto processors also provide countermeasures to side-channel attacks.
The use of hardware-based security for PQC implementations is particularly important when you consider the threat landscape for PQC. PQC is needed to protect systems from attacks using quantum computers to break encryption. Quantum computing technology is rapidly advancing but is still in the early stages of development.
For the foreseeable future, quantum computing will remain the province of very large corporations and nation-states. This will change over time, but early adopters of PQC are companies and systems that include nation-state actors in their threat model.
Nation-state actors have extremely deep pockets and sophisticated capabilities to carry out cyberattacks. They often have access to zero-day vulnerabilities allowing them to defeat software-based security solutions and penetrating security perimeters. As a result, they can often install malware on target adversaries computing devices. With malware on a target computer, nation-states can monitor any operations performed in software, including crypto operations.
In this manner, they can discover crypto keys even on systems using PQC. While they have not defeated the PQC algorithms, they would be able to defeat the overall security solution. This is akin to a robber getting hired by a bank as a trusted employee and then stealing the vault codes. The robber may not have “cracked the safe,” but is still able to gain access to its contents.
RSA and ECC-based encryption systems started with software-based implementations. Over time, hardware security co-processors, security elements, and TPM chips have become increasingly cost effective and widely available, allowing a migration to hardware-based crypto. Security critical systems were early adopters of these hardware-based security solutions.
PQC algorithms will follow a similar path. Companies are beginning to invest in hardware-based crypto for securing critical systems. Over time, hardware-based solutions will become cost effective and be widely adopted for PQC. For security-critical applications, companies can begin implementing hardware-based PQC now.