Endpoint

5/23/2018
11:45 AM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

What Should Post-Quantum Cryptography Look Like?

Researchers are tackling the difficult problem of transitioning toward a new mode of cryptographic protections that won't break under the pressure of quantum computing power.

As quantum computing starts barreling away from the theoretical world and into the  realm of reality, the security community is on a timer. Most experts say that once quantum computers come online, they'll have the computational powers to easily break modern cryptography. A new report out today from the Cloud Security Alliance's Quantum Safe Security Working Group says that security researchers, vendors and enterprises need to start working now if they want to beat quantum's cryptographic buzzer.

Considering how long it takes for the IT world to transition to new encryption measures when old ones wear thin, the CSA report warns that the window until quantum reaches widespread adoption - about 10 to 15 years - might not be as long as it seems right now. 

"Cryptographic transitions take time, often a very long time," the report explains, pointing to the decade-long transition it took to get from 1024- to 2048-bit RSA key sizes, or the move to elliptic curve-based cryptography (ECC). "The transition to quantum-resistant cryptography is likely to take at least ten years. It is therefore important to plan for transition as soon as possible," according to the report.

The good news is that researchers have been working on this problem for a long time and they've got some good ideas on where cryptography should be headed. For example, NIST just last month held a workshop that featured some 80 research submissions in its Post Quantum Crypography Standardization initiative. The CSA report offers a breakdown of five of the most promising categories of cryptographic methods that could stand as post-quantum cryptography alternatives.

The five major contending algorithmic classes are:

  • Lattice-based cryptography,
  • Hash-based schemes,
  • Elliptic curve isogenies,
  • Multivariate cryptography, and
  • Code-based cryptography.

According to Roberta Faux, lead author of the CSA report, there are pros and cons for each class of algorithm and it's going to take some time for researchers, and later, security engineers, to figure out which is best for a workable standard. 

For example, she says the community is going to have to have a lively debate to balance out three big trade-offs, namely key size, bandwidth and confidence level. 

If you consider code-based schemes, they've got a fast computational speed and they've been around so long that they've got a high degree of confidence from many in the security community. But their key size is large - some might say impractically so, Faux says. Meanwhile, isogeny-based cryptography has got small key sizes but the computation is still expensive and it's relatively new so there's less confidence there.

"I think the community agrees that we still need more time  to investigate the wide range of post-quantum cryptographic algorithms," Faux says, "and [to] understand the issues involved in migrating from existing public key cryptography to post-quantum cryptography."

Related Content:

 

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
holochain-wins
50%
50%
holochain-wins,
User Rank: Apprentice
5/24/2018 | 10:11:36 PM
answer to post quantum cryptography
It seems many are mistaken about some things so I will elaborate some: going dark is already here. Almost like America's Berlin wall is falling, without highly secure encryption our countries military would be vulnerable overnight. Without CONTINUED research and development within the United States to stay ahead, making larger conventional munitions would be useless. 

What would post-quantum look like?

ANSWER: Since the marketing hype of late promotes how encryption will be cracked in days in the future, is NOT taking into account places like FreeEmailEncryption's algorithms have already made cracking obsolete currently in the field. They use a charding technique, morphing dynamic algo, million bit variable offline key generation for using with supercomputers, and there defeat of brute force cracking with key/message expiration, man in the middle protection, padding, alerting. They even have a way to setup attackers with a honey pot. So replay attacks are stopped and cracking can not happen. That is post quantum. It is here today. Since there method relies heavily on cracking with trillions of computations to solve the password, quantum level brute forcing is 19th century cryptanalysis! The future will have users generating trillion bit keys on morphic algorithms using inhome supercomputers or distributed applications on holochains the new internet.
New Free Tool Scans for Chrome Extension Safety
Dark Reading Staff 2/21/2019
Making the Case for a Cybersecurity Moon Shot
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  2/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6485
PUBLISHED: 2019-02-22
Citrix NetScaler Gateway 12.1 before build 50.31, 12.0 before build 60.9, 11.1 before build 60.14, 11.0 before build 72.17, and 10.5 before build 69.5 and Application Delivery Controller (ADC) 12.1 before build 50.31, 12.0 before build 60.9, 11.1 before build 60.14, 11.0 before build 72.17, and 10.5...
CVE-2019-9020
PUBLISHED: 2019-02-22
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. Invalid input to the function xmlrpc_decode() can lead to an invalid memory access (heap out of bounds read or read after free). This is related to xml_elem_parse_buf in ext/xmlrpc/libxmlrpc...
CVE-2019-9021
PUBLISHED: 2019-02-22
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A heap-based buffer over-read in PHAR reading functions in the PHAR extension may allow an attacker to read allocated or unallocated memory past the actual data when trying to parse the file...
CVE-2019-9022
PUBLISHED: 2019-02-22
An issue was discovered in PHP 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.2. dns_get_record misparses a DNS response, which can allow a hostile DNS server to cause PHP to misuse memcpy, leading to read operations going past the buffer allocated for DNS data. This affects php_parser...
CVE-2019-9023
PUBLISHED: 2019-02-22
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A number of heap-based buffer over-read instances are present in mbstring regular expression functions when supplied with invalid multibyte data. These occur in ext/mbstring/oniguruma/regcom...