The Race to Ensure Post Quantum Data Security

By John Russell

July 21, 2022

Fault-tolerant quantum computers won’t exist for years – a decade is the most common estimate. When they do arrive, thanks to Shor’s now-famous algorithm, they will be able to crack the most widely-used encryption methods, which are based on factoring. Earlier this month, the National Institute of Standards and Technology (NIST) settled on four algorithms – one for public-key-encryption (KEM) and three for digital signatures – based on lattice problems and hash functions, for incorporation into new post-quantum encryption standards.

These are deliverables of NIST’s post-quantum cryptography standardization project (PQC), begun in 2016 and involving multiple rounds of submissions by industry, academia, and public entities, and assessment by NIST. This was the third round. A final fourth round is planned to consider four more algorithms.

NIST has issued a thorough report detailing the PQC process and sharing, for example, benchmark data across multiple processor types, and explaining NIST’s rationale for the selections. Three selection criteria were used: 1) security (most important), 2) cost and performance, and 3) algorithm and implementation characteristics. The latest NIST report isn’t news in the sense that the quantum community and virtually all enterprise data security professionals have been closely tracking NIST’s PQC efforts.

Even as NIST works to formalizes the new standards, it has begun a new project – Migration to Post Quantum Cryptography – in collaboration with industry to develop tools and migration practices to protect data. That project is being run by NIST’s National Cybersecurity Center of Excellence (NCCoE). Here’s a snapshot of the program’s main goals:

  • Demonstrate the use of automated discovery tools to identify instances of quantum-vulnerable public-key algorithm use, where they are used in dependent systems, and for what purposes.
  • Once the public-key cryptography components and associated assets in the enterprise are identified, the next project element is prioritizing those applications that need to be considered first in migration planning.
  • Finally, the project will describe systematic approaches for migrating from vulnerable algorithms to quantum-resistant algorithms across different types of organizations, assets, and supporting technologies.

NIST issued a Cooperative Research and Development Agreement (CRADA) to work on the project and last week disclosed the list of vendors who’ve signed on to participate so far: Amazon Web Services, Inc. (AWS), Cisco Systems, Inc., Crypto4A Technologies, Inc., Cryptosense SA, InfoSec Global, ISARA Corporation, Microsoft, Samsung SDS Co., Ltd., SandboxAQ, Thales DIS CPL USA, Inc., and Thales Trusted Cyber Technologies, VMware, Inc.

Bottom line: The race to develop tools to protect data from quantum computer-based attacks has begun in earnest.

It’s been reported that more than 20 billion devices will need to upgrade their software to PQC before quantum computers crack RSA encryption. “Adversaries are already engaged in Store Now Decrypt Later (SNDL) attacks — stealing and storing encrypted data (e.g., financial records, intellectual property, medical records, etc.) to crack and exploit later when quantum computers become readily available,” says Google spinout, SandBoxAQ, a CRADA participant.

The first step, of course, was selection of the first set of PQC algorithms, intended for use in public-key encryption (KEMs) and digital signatures. HPCwire recently talked with Vadim Lyubashevsky, a prominent cryptography analyst and IBM researcher whose contributions have been important for the NIST PQC. Lyubashevsky provided insight into development and characteristics of effective encryption.

The history of cryptography is fascinating. It blends political and industrial intrigue and clever mathematics, and has affected the outcomes of war. The enigma machine for decoding German communications during World War II is perhaps the most dramatic modern example. Cryptography features an exotic vocabulary – one-way functions, computational hardness, average case and worst case hardness, NP-completeness, supersingular isogeny key exchange, and lattice problems – that is opaque to most except cryptographers and mathematicians. Yet securing data and communications is fundamental to so many areas of life.

Interestingly, most modern encryption schemes begin as problems that mathematicians can’t solve with current RSA factoring-based encryption as an example.

Lyubashevsky said, “The way we gauge [cryptographic] strength is by having people try to solve the underlying mathematical problem. If the community dedicates a lot of effort to it for a few decades and it’s not successful, then we think that it’s secure, the underlying mathematical problem. Then we build cryptography, based on that problem. It’s the reason we think that factoring is secure against [attack from] classical computers; people have been trying to solve factoring for over 40-50 years and haven’t been successful so we think it’s okay.”

“The problems that they originally came up with in the 1970s, these factoring discrete logarithms and all the things about elliptic curves. They stayed classically hard. Of course, better algorithms for factoring appeared but in some sense, there wasn’t some catastrophic break and all of a sudden, somebody just broke it. But now, when a quantum [fault tolerant] computer exists, it will be completely broken.”

“The same thing with lattice algorithms. People have been trying for a shorter amount of time, let’s say seriously trying for 20-25 years, to break these underlying mathematical problems,” he said. So far, no game-changing algorithm for solving lattice problems on a quantum computer has arisen.

The lattice problem, upon which three of the NIST PQC selected algorithms are based, is commonly illustrated as The Knapsack Problem and dates back to the late 1890s. This description is from Wikipedia: “Given a set of items, each with a weight and a value, determine the number of each item to include in a collection so that the total weight is less than or equal to a given limit and the total value is as large as possible. It derives its name from the problem faced by someone who is constrained by a fixed-size knapsack and must fill it with the most valuable items. The problem often arises in resource allocation where the decision-makers have to choose from a set of non-divisible projects or tasks under a fixed budget or time constraint, respectively.”

IBM Research has even published a short video describing the knapsack problem and its relevance to quantum cryptography.

Lattice reduction algorithms can be used to tackle the problem but the computational resources required are impractical. Wikipedia, once again: “The conjectured intractability of such problems is central to the construction of secure lattice-based cryptosystems: Lattice problems are an example of NP-hard problems which have been shown to be average-case hard, providing a test case for the security of cryptographic algorithms. In addition, some lattice problems which are worst-case hard can be used as a basis for extremely secure cryptographic schemes. The use of worst-case hardness in such schemes makes them among the very few schemes that are very likely secure even against quantum computers.”

Likewise, hash function cryptography also has a lengthy history. These functions are said to be one-way functions, which means it is practically infeasible to invert or reverse the computation. Ideally, the only way to find a message that produces a given hash is to attempt a brute-force search of possible inputs to see if they produce a match, or use a rainbow table of matched hashes.

Lyubashevsky points out that work on these difficult mathematical problems often starts out seeking solutions for useful applications.

“These are natural mathematical problems. If somebody does find a fast algorithm for them, it will have positive effect in the areas of optimization and things like that,” he said. “So these are questions people are interested in solving positively. But since they couldn’t, you know, we base cryptography on it. As far as quantum computing goes, it’s kind of the same story. People who specialize in quantum algorithms know these lattice problems. A lot of these lattice cryptography problems originated from people working in quantum algorithms trying to find a new type of algorithms that a quantum computer can solve and they didn’t succeed.”

In its PQC program, NIST asked for security equivalence of AES-128 and AES-192 (AES, advanced encryption standards) against quantum computers. The 128 and 192 refer to the bit size of keys. There is also an AES-256 but that was not requested.

The PQC program included five security strength categories “based on the computational resources required to perform certain brute-force attacks against the existing NIST standards for AES and SHA in a variety of different models of the cost of computation, both classical and quantum…The idea is that in order to meet, for example, category 1, the best attack violating the security definition of a parameter set should cost more than a brute-force key search attack on a single instance of AES-128, according to any plausible assumption regarding the relative cost of the various computational resources involved in a real-world attack.[i]”  (A list of the five security strengths is included at the end of the article.)

As acknowledged by NIST, there’s room for some disagreement about what constitutes relative computational cost – “including quantum gates, classical gates, quantum memory, classical memory, hardware, energy, and time” – and how much of a given resource an attack actually requires.”

Talking about the submissions to NIST, Lyubashevsky said, “We had to provide them the parameters for which we believe these (AES) problems are secure at these levels. Now, of course, it’s a bit messy. Things do change a bit even during the standardization effort. There were attacks that lowered security by, you know, five bits or 10 bits. This does require us to increase parameters.”

This type of ongoing change has happened with factoring schemes, said Lyubashevsky, “because the original things that were proposed in or 1970s can be broken on a cell phone now, and not just because better technology exists, but because better algorithms have been developed.”

Focusing on the NIST PQC effort, “All these algorithms kind of existed before in this [NIST PQC] competition with lattice algorithms. The main positive effect of the standardization effort is that it got a lot more cryptanalysts looking at these problems. I think most cryptanalysts work for government agencies like the NSA, GCHQ, and places like that,” said Lyubashevsky.

Given all the scrutiny, Lyubashevsky thinks we can be confident about the security of the PQC algorithms selected. Moreover, he thinks advancing computational hardware technology isn’t a big threat.

“Cryptography should not be affected by any of this (advancing supercomputers), because we believe the hardness of the problem (lattice) is exponential. If you increase your computing power by a factor of two, you just increase the key by one bit, I mean there is a limit to how much computing can increase; you cannot probably do more operations beyond some energy threshold.” There’s only so much energy available on the planet, he wryly chides, “the security of the cryptography kind of goes above this threshold, and it’s not hard to get it above it,” he said.

The lattice algorithms used for public-key encryption are faster and smaller than hash function algorithms, according to Lyubashevsky.

“You can’t get public key encryption from hash functions; you can only get digital signatures. It’s slower and bigger but one big advantage is that the security of hash functions, are not really based on any mathematical problem, it’s just random stuff and should be hard to invert. People will be very, very surprised if something like SHA-3 (secure hash algorithm-3) falls to quantum computing,” he said. “This would be a complete shock and a lot of symmetric key cryptography would be broken. This is not something that we’re even discussing in terms of this NIST standardization effort,” he said.

NIST intends to select at least one more KEM for standardization after the fourth final round of assessments. Lyubashevsky notes there are always tradeoffs between encryption schemes and implementations of the same scheme. For example the submitted algorithms may vary in size, may require different amounts of computational resources, have have different performance characteristics.

“Maybe with respect to some new candidates that’s something NIST will consider in round four. For example, there’s this other type of mathematics based on supersingular isogeny math. It provides solutions smaller than lattices, but it’s very, very slow. So that’s something they may want to standardize in the fourth round. They want different digital signatures [and] there you also have a lot of tradeoffs. Something can have a much smaller signature but a much larger public key. The lattice-based scheme is very balanced, whereas other kinds of specialist schemes can have an advantage in one area and a big disadvantage from another,” he said.

Despite the work still to be done, NIST wants industry and the encryption community to push ahead and not wait. “Even though the third round is ending and NIST will begin to draft the first PQC standards, standardization efforts in this area will continue for some time. This should not be interpreted to mean that users should wait to adopt post-quantum algorithms. NIST hopes for rapid adoption of these first standardized algorithms,” is the guidance from the just-released report.

Lyubashevsky says the need to revamp security has highlighted the ad hoc way in which encryption has often been applied and spotlights the need for a more orderly approach going forward.

“I was a bit surprised when the folks at IBM who actually work on this stuff [deployment and products] said finding the cryptography in data is hard because the crypto is intermingled with everything else, with all the other code and the all the other programs. It’s hard to find and [therefore] hard to yank out and put something else in. This was all an artifact from the 80s and 90s,” he said.

What’s needed now, said Lyubashevsky, is a more modular approach. “If we’re going to change everything, let’s at least do it right. Let’s make everything modular so if something needs to be changed in the future, for whatever reason, it’s easy to take out and plug in something new. This is also important in quantum safe cryptography because you don’t have an algorithm that is best at everything; you have some that are very fast, you have some that are very slow, but have slightly smaller keys. There will be scenarios where one is better than the other. And maybe you don’t quite know which one it will be and you want to be agile. You want to be able to quickly put algorithms in and take algorithms out.”

Link to latest NIST report

Link to NIST migration project

Strength Categories from NIST

1)  Any attack that breaks the relevant security definition must require computational resources comparable to or greater than those required for key search on a block cipher with a 128-bit key (e.g. AES-128)

2)  Any attack that breaks the relevant security definition must require computational resources comparable to or greater than those required for collision search on a 256-bit hash function (e.g. SHA-256/ SHA3-256)

3)  Any attack that breaks the relevant security definition must require computational resources comparable to or greater than those required for key search on a block cipher with a 192-bit key (e.g. AES-192)

4)  Any attack that breaks the relevant security definition must require computational resources comparable to or greater than those required for collision search on a 384-bit hash function (e.g. SHA-384/ SHA3-384)

5)  Any attack that breaks the relevant security definition must require computational resources comparable to or greater than those required for key search on a block cipher with a 256-bit key (e.g. AES-256)

[i] Status Report on the Third Round of the NIST Post-Quantum Cryptography Standardization Process, https://csrc.nist.gov/publications/detail/nistir/8413/final

Subscribe to HPCwire's Weekly Update!

Be the most informed person in the room! Stay ahead of the tech trends with industry updates delivered to you every week!

MLPerf Inference 4.0 Results Showcase GenAI; Nvidia Still Dominates

March 28, 2024

There were no startling surprises in the latest MLPerf Inference benchmark (4.0) results released yesterday. Two new workloads — Llama 2 and Stable Diffusion XL — were added to the benchmark suite as MLPerf continues Read more…

Q&A with Nvidia’s Chief of DGX Systems on the DGX-GB200 Rack-scale System

March 27, 2024

Pictures of Nvidia's new flagship mega-server, the DGX GB200, on the GTC show floor got favorable reactions on social media for the sheer amount of computing power it brings to artificial intelligence.  Nvidia's DGX Read more…

Call for Participation in Workshop on Potential NSF CISE Quantum Initiative

March 26, 2024

Editor’s Note: Next month there will be a workshop to discuss what a quantum initiative led by NSF’s Computer, Information Science and Engineering (CISE) directorate could entail. The details are posted below in a Ca Read more…

Waseda U. Researchers Reports New Quantum Algorithm for Speeding Optimization

March 25, 2024

Optimization problems cover a wide range of applications and are often cited as good candidates for quantum computing. However, the execution time for constrained combinatorial optimization applications on quantum device Read more…

NVLink: Faster Interconnects and Switches to Help Relieve Data Bottlenecks

March 25, 2024

Nvidia’s new Blackwell architecture may have stolen the show this week at the GPU Technology Conference in San Jose, California. But an emerging bottleneck at the network layer threatens to make bigger and brawnier pro Read more…

Who is David Blackwell?

March 22, 2024

During GTC24, co-founder and president of NVIDIA Jensen Huang unveiled the Blackwell GPU. This GPU itself is heavily optimized for AI work, boasting 192GB of HBM3E memory as well as the the ability to train 1 trillion pa Read more…

MLPerf Inference 4.0 Results Showcase GenAI; Nvidia Still Dominates

March 28, 2024

There were no startling surprises in the latest MLPerf Inference benchmark (4.0) results released yesterday. Two new workloads — Llama 2 and Stable Diffusion Read more…

Q&A with Nvidia’s Chief of DGX Systems on the DGX-GB200 Rack-scale System

March 27, 2024

Pictures of Nvidia's new flagship mega-server, the DGX GB200, on the GTC show floor got favorable reactions on social media for the sheer amount of computing po Read more…

NVLink: Faster Interconnects and Switches to Help Relieve Data Bottlenecks

March 25, 2024

Nvidia’s new Blackwell architecture may have stolen the show this week at the GPU Technology Conference in San Jose, California. But an emerging bottleneck at Read more…

Who is David Blackwell?

March 22, 2024

During GTC24, co-founder and president of NVIDIA Jensen Huang unveiled the Blackwell GPU. This GPU itself is heavily optimized for AI work, boasting 192GB of HB Read more…

Nvidia Looks to Accelerate GenAI Adoption with NIM

March 19, 2024

Today at the GPU Technology Conference, Nvidia launched a new offering aimed at helping customers quickly deploy their generative AI applications in a secure, s Read more…

The Generative AI Future Is Now, Nvidia’s Huang Says

March 19, 2024

We are in the early days of a transformative shift in how business gets done thanks to the advent of generative AI, according to Nvidia CEO and cofounder Jensen Read more…

Nvidia’s New Blackwell GPU Can Train AI Models with Trillions of Parameters

March 18, 2024

Nvidia's latest and fastest GPU, codenamed Blackwell, is here and will underpin the company's AI plans this year. The chip offers performance improvements from Read more…

Nvidia Showcases Quantum Cloud, Expanding Quantum Portfolio at GTC24

March 18, 2024

Nvidia’s barrage of quantum news at GTC24 this week includes new products, signature collaborations, and a new Nvidia Quantum Cloud for quantum developers. Wh Read more…

Alibaba Shuts Down its Quantum Computing Effort

November 30, 2023

In case you missed it, China’s e-commerce giant Alibaba has shut down its quantum computing research effort. It’s not entirely clear what drove the change. Read more…

Nvidia H100: Are 550,000 GPUs Enough for This Year?

August 17, 2023

The GPU Squeeze continues to place a premium on Nvidia H100 GPUs. In a recent Financial Times article, Nvidia reports that it expects to ship 550,000 of its lat Read more…

Shutterstock 1285747942

AMD’s Horsepower-packed MI300X GPU Beats Nvidia’s Upcoming H200

December 7, 2023

AMD and Nvidia are locked in an AI performance battle – much like the gaming GPU performance clash the companies have waged for decades. AMD has claimed it Read more…

DoD Takes a Long View of Quantum Computing

December 19, 2023

Given the large sums tied to expensive weapon systems – think $100-million-plus per F-35 fighter – it’s easy to forget the U.S. Department of Defense is a Read more…

Synopsys Eats Ansys: Does HPC Get Indigestion?

February 8, 2024

Recently, it was announced that Synopsys is buying HPC tool developer Ansys. Started in Pittsburgh, Pa., in 1970 as Swanson Analysis Systems, Inc. (SASI) by John Swanson (and eventually renamed), Ansys serves the CAE (Computer Aided Engineering)/multiphysics engineering simulation market. Read more…

Choosing the Right GPU for LLM Inference and Training

December 11, 2023

Accelerating the training and inference processes of deep learning models is crucial for unleashing their true potential and NVIDIA GPUs have emerged as a game- Read more…

Intel’s Server and PC Chip Development Will Blur After 2025

January 15, 2024

Intel's dealing with much more than chip rivals breathing down its neck; it is simultaneously integrating a bevy of new technologies such as chiplets, artificia Read more…

Baidu Exits Quantum, Closely Following Alibaba’s Earlier Move

January 5, 2024

Reuters reported this week that Baidu, China’s giant e-commerce and services provider, is exiting the quantum computing development arena. Reuters reported � Read more…

Leading Solution Providers

Contributors

Comparing NVIDIA A100 and NVIDIA L40S: Which GPU is Ideal for AI and Graphics-Intensive Workloads?

October 30, 2023

With long lead times for the NVIDIA H100 and A100 GPUs, many organizations are looking at the new NVIDIA L40S GPU, which it’s a new GPU optimized for AI and g Read more…

Shutterstock 1179408610

Google Addresses the Mysteries of Its Hypercomputer 

December 28, 2023

When Google launched its Hypercomputer earlier this month (December 2023), the first reaction was, "Say what?" It turns out that the Hypercomputer is Google's t Read more…

AMD MI3000A

How AMD May Get Across the CUDA Moat

October 5, 2023

When discussing GenAI, the term "GPU" almost always enters the conversation and the topic often moves toward performance and access. Interestingly, the word "GPU" is assumed to mean "Nvidia" products. (As an aside, the popular Nvidia hardware used in GenAI are not technically... Read more…

Shutterstock 1606064203

Meta’s Zuckerberg Puts Its AI Future in the Hands of 600,000 GPUs

January 25, 2024

In under two minutes, Meta's CEO, Mark Zuckerberg, laid out the company's AI plans, which included a plan to build an artificial intelligence system with the eq Read more…

Google Introduces ‘Hypercomputer’ to Its AI Infrastructure

December 11, 2023

Google ran out of monikers to describe its new AI system released on December 7. Supercomputer perhaps wasn't an apt description, so it settled on Hypercomputer Read more…

China Is All In on a RISC-V Future

January 8, 2024

The state of RISC-V in China was discussed in a recent report released by the Jamestown Foundation, a Washington, D.C.-based think tank. The report, entitled "E Read more…

Intel Won’t Have a Xeon Max Chip with New Emerald Rapids CPU

December 14, 2023

As expected, Intel officially announced its 5th generation Xeon server chips codenamed Emerald Rapids at an event in New York City, where the focus was really o Read more…

IBM Quantum Summit: Two New QPUs, Upgraded Qiskit, 10-year Roadmap and More

December 4, 2023

IBM kicks off its annual Quantum Summit today and will announce a broad range of advances including its much-anticipated 1121-qubit Condor QPU, a smaller 133-qu Read more…

  • arrow
  • Click Here for More Headlines
  • arrow
HPCwire