Our Contribution to The White House PQC Roundtable

Part 1: When (and When Not) to Use Hybrid Encryption

In early 2024, the National Institute of Standards and Technology (NIST) plans to release the first set of Post Quantum Cryptography (PQC) standards. This will mark the beginning of a multiyear cryptographic transition for government agencies and commercial businesses that is certain to be fraught with challenges, uncertainties, and unforeseen risks.

Under the guidelines set forth by NSM-10 and the Quantum Computing Cybersecurity Preparedness Act (H.R. 7535) “a whole of government” approach is needed to ensure the successful PQC migration by federal agencies.

On Jan. 26, 2024, the White House Office of Management and Budget (OMB), the White House Office of Science and Technology Policy (OSTP), and members of the intergovernmental PQC Migration Working Group convened to inform a strategy that will guide this process for agencies.

As a member of the PQC Migration Working Group, Quantum Xchange was asked to participate in the PQC Roundtable event, preparing responses to an advanced set of questions intended to drive the Jan. 26 agenda and inform formal guidance to be delivered to Congress later this year.

We will share these responses in a three-part blog series starting here. We hope readers will find the content useful in their post-quantum planning and cryptographic migration.

Q: Among the four functions of cryptography (Confidentiality, Integrity, Authentication, and Non-Repudiation) which should be prioritized for migration to PQC?

What are the four fundamental goals of cryptography?Confidentiality is considered the most crucial aspect to prioritize for migration to Post-Quantum Cryptography (PQC), primarily due to the emerging threats posed by quantum computing. The ability of quantum computers to potentially break current encryption methods makes it vital to safeguard sensitive data’s confidentiality. In addition, the risk that quantum computing presents to current authentication methods underscores the importance of securing identity verification processes with PQC.

It’s noted that in asymmetric key cryptography these functions are interrelated. A compromise in confidentiality can lead to compromises in integrity and non-repudiation, and vice versa. The migration to PQC also presents an opportunity to reconsider the public key infrastructure (PKI).

Prioritization should also consider the immediate and near-term threats. Data confidentiality is at immediate risk because data transmitted today could be intercepted and stored for future decryption using quantum computing. Therefore, Confidentiality is the most pressing requirement.

Following this, Authentication is critical to protect against breaches on the advent of quantum computing (referred to as Q-day).

Lastly, the functions of Integrity and Non-Repudiation, likely to be addressed with post-quantum digital signatures, are also important but follow in priority.

What cryptography protocols are vulnerable to a quantum computer?Q: Where will the use of hybrid cryptography (both PQC and quantum-vulnerable algorithms) be most appropriate?

Hybrid cryptography is most suitable in scenarios where robust security against both current and future quantum threats is critical. This includes:

  • High-Security Sectors: Fields like finance, government, defense, and healthcare require stringent protection of sensitive information. Hybrid cryptography offers a safeguard against both immediate and emerging quantum computing risks.
  • Long-Term Data Protection: For information that needs to be secured over extended periods, particularly beyond the advent of quantum computing, hybrid cryptography provides a more resilient solution.
  • Transitioning to Quantum-Resilient Security: As we move towards quantum-safe standards, hybrid cryptography facilitates a smoother transition. It allows for compatibility with existing systems while preparing for future quantum and non-quantum computing threats.
  • Regulatory Compliance: Industries that must adhere to evolving data security regulations, such as finance and healthcare, can benefit from hybrid cryptography to meet these standards.

The rationale for hybrid cryptography is grounded in its proactive approach to diversification, akin to a multi-layered defense strategy. It acknowledges that like any technology, cryptography has potential points of failure, from software bugs to compromised security certificates.

Crypto-diversification, as part of a defense-in-depth strategy, involves using a mix of asymmetric, symmetric, and quantum-based encryption methods. This approach is distinct from crypto-agility, which is more reactionary and involves changing or swapping encryption algorithms in response to breaches or vulnerabilities. Hybrid cryptography is seen as a proactive measure that assumes all math-based encryption may weaken or fail over time.

Additionally, the evolving nature of PQCs, which might require constant updates and could have vulnerabilities, further underscores the importance of considering hybrid modes or architectures. This approach helps mitigate risks associated with the potential compromise of a PQC implementation or the algorithm itself.

Historical precedents in cryptography suggest the necessity for such a hybrid approach, as it provides a more comprehensive and resilient defense against a range of cryptographic threats.

How do you implement hybrid cryptography?Q: Is there a common lexicon so implementers will know when a cryptographic system is hybrid?

The concept of a hybrid cryptographic system is complex, and the idea of developing a common lexicon to denote “hybridness” is an interesting one. However, it’s suggested that simply labeling such systems as “hybrid” might be sufficient. This straightforward terminology could effectively communicate the combined use of PQC and classical (quantum-vulnerable) algorithms in a cryptographic system.

The term “non-hybrid” doesn’t automatically imply vulnerability to quantum computing. For example, symmetric cryptography with pre-shared AES keys is considered quantum-resistant. Conversely, even PQC systems can be vulnerable to conventional digital computer attacks due to improper use or implementation bugs.

The suggestion is made to focus more on creating a measure of inherent risk in cryptographic systems. This measure would consider various factors, including the choice of algorithms, redundancies, implementation quality, and key length.

Since cryptographic systems have multiple components, each with varying levels of security efficacy, the overall strength of a system is only as robust as its weakest link. Therefore, quantifying these aspects could provide a more nuanced and comprehensive understanding of a cryptographic system’s security, beyond the simple binary of “hybrid” or “non-hybrid.” This approach would aid in assessing the overall security posture of cryptographic systems in a more detailed and meaningful way.

Is hybrid encryption secure?Q: In what use cases should hybrid cryptographic systems not be implemented?

Hybrid cryptographic systems, which combine PQC and classical algorithms, are not recommended for implementation in certain scenarios:

  • Low-Security Requirements: In situations where the level of data security required is not high, particularly when the data being protected is not of a sensitive nature. Implementing complex hybrid systems in such cases may be unnecessary.
  • Limited Resource Environments: Environments such as Internet of Things (IoT) devices often have constrained resources. The additional computational and power demands of hybrid cryptographic systems may be unfeasible in these contexts.
  • Short Lifecycle Data: If the data in question is only relevant for a very short duration and does not require protection over a long term, the use of hybrid cryptography might be overkill. This is applicable to information that rapidly becomes outdated or irrelevant.
  • Environments with Limited Quantum Threat: In closed systems or environments where the likelihood of quantum computing attacks is considered minimal or non-existent, the deployment of hybrid cryptographic systems may not be warranted. In such cases, the benefits of hybrid cryptography do not justify its complexity and potential costs.

In each of these scenarios, the trade-offs involved in implementing hybrid cryptographic systems — including complexity, resource demands, and cost — do not align well with the specific needs or constraints of the environment. Hence, alternative cryptographic solutions better suited to these specific conditions are recommended.

What is the future of quantum proof encryption?Q: What should the target date be for only requiring all algorithms to follow PQC standards?

We propose the proposed target date of December 2024. This suggestion stems from the growing threat posed by quantum computers to current cryptographic methods, particularly those based on RSA and Diffie-Hellman (DH) algorithms.

PQC algorithms, which utilize a different kind of mathematical foundation, are not yet provably secure against quantum attacks. This is primarily because, as of now, there is no quantum algorithm equivalent to Shor’s algorithm that can break them.

The urgency for this transition is heightened by the rapid advancements in Artificial Intelligence (AI) and Large Language Models (LLMs), which are accelerating the invention of new methods and the development of algorithms. Such advancements could potentially put lattice-based PQC methods at risk.

Consequently, the suggested target date of December 2024 reflects a sense of urgency to adapt to PQC standards, acknowledging the fast-evolving landscape of cryptographic threats and the technological advancements that might soon challenge the current state of PQC algorithms.

This target date implies a swift and proactive approach to updating cryptographic standards, considering the potential vulnerabilities and the pace of technological advancement in both quantum computing and AI-driven algorithm development.

Don’t miss Part 2 and Part 3 of this three-part series.

Subscribe to the Quantum Xchange Monthly Newsletter

Quantum Xchange does not share or rent your information to any third parties.