The Race to Ensure Post Quantum Data Security

By John Russell

July 21, 2022

Fault-tolerant quantum computers won’t exist for years – a decade is the most common estimate. When they do arrive, thanks to Shor’s now-famous algorithm, they will be able to crack the most widely-used encryption methods, which are based on factoring. Earlier this month, the National Institute of Standards and Technology (NIST) settled on four algorithms – one for public-key-encryption (KEM) and three for digital signatures – based on lattice problems and hash functions, for incorporation into new post-quantum encryption standards.

These are deliverables of NIST’s post-quantum cryptography standardization project (PQC), begun in 2016 and involving multiple rounds of submissions by industry, academia, and public entities, and assessment by NIST. This was the third round. A final fourth round is planned to consider four more algorithms.

NIST has issued a thorough report detailing the PQC process and sharing, for example, benchmark data across multiple processor types, and explaining NIST’s rationale for the selections. Three selection criteria were used: 1) security (most important), 2) cost and performance, and 3) algorithm and implementation characteristics. The latest NIST report isn’t news in the sense that the quantum community and virtually all enterprise data security professionals have been closely tracking NIST’s PQC efforts.

Even as NIST works to formalizes the new standards, it has begun a new project – Migration to Post Quantum Cryptography – in collaboration with industry to develop tools and migration practices to protect data. That project is being run by NIST’s National Cybersecurity Center of Excellence (NCCoE). Here’s a snapshot of the program’s main goals:

  • Demonstrate the use of automated discovery tools to identify instances of quantum-vulnerable public-key algorithm use, where they are used in dependent systems, and for what purposes.
  • Once the public-key cryptography components and associated assets in the enterprise are identified, the next project element is prioritizing those applications that need to be considered first in migration planning.
  • Finally, the project will describe systematic approaches for migrating from vulnerable algorithms to quantum-resistant algorithms across different types of organizations, assets, and supporting technologies.

NIST issued a Cooperative Research and Development Agreement (CRADA) to work on the project and last week disclosed the list of vendors who’ve signed on to participate so far: Amazon Web Services, Inc. (AWS), Cisco Systems, Inc., Crypto4A Technologies, Inc., Cryptosense SA, InfoSec Global, ISARA Corporation, Microsoft, Samsung SDS Co., Ltd., SandboxAQ, Thales DIS CPL USA, Inc., and Thales Trusted Cyber Technologies, VMware, Inc.

Bottom line: The race to develop tools to protect data from quantum computer-based attacks has begun in earnest.

It’s been reported that more than 20 billion devices will need to upgrade their software to PQC before quantum computers crack RSA encryption. “Adversaries are already engaged in Store Now Decrypt Later (SNDL) attacks — stealing and storing encrypted data (e.g., financial records, intellectual property, medical records, etc.) to crack and exploit later when quantum computers become readily available,” says Google spinout, SandBoxAQ, a CRADA participant.

The first step, of course, was selection of the first set of PQC algorithms, intended for use in public-key encryption (KEMs) and digital signatures. HPCwire recently talked with Vadim Lyubashevsky, a prominent cryptography analyst and IBM researcher whose contributions have been important for the NIST PQC. Lyubashevsky provided insight into development and characteristics of effective encryption.

The history of cryptography is fascinating. It blends political and industrial intrigue and clever mathematics, and has affected the outcomes of war. The enigma machine for decoding German communications during World War II is perhaps the most dramatic modern example. Cryptography features an exotic vocabulary – one-way functions, computational hardness, average case and worst case hardness, NP-completeness, supersingular isogeny key exchange, and lattice problems – that is opaque to most except cryptographers and mathematicians. Yet securing data and communications is fundamental to so many areas of life.

Interestingly, most modern encryption schemes begin as problems that mathematicians can’t solve with current RSA factoring-based encryption as an example.

Lyubashevsky said, “The way we gauge [cryptographic] strength is by having people try to solve the underlying mathematical problem. If the community dedicates a lot of effort to it for a few decades and it’s not successful, then we think that it’s secure, the underlying mathematical problem. Then we build cryptography, based on that problem. It’s the reason we think that factoring is secure against [attack from] classical computers; people have been trying to solve factoring for over 40-50 years and haven’t been successful so we think it’s okay.”

“The problems that they originally came up with in the 1970s, these factoring discrete logarithms and all the things about elliptic curves. They stayed classically hard. Of course, better algorithms for factoring appeared but in some sense, there wasn’t some catastrophic break and all of a sudden, somebody just broke it. But now, when a quantum [fault tolerant] computer exists, it will be completely broken.”

“The same thing with lattice algorithms. People have been trying for a shorter amount of time, let’s say seriously trying for 20-25 years, to break these underlying mathematical problems,” he said. So far, no game-changing algorithm for solving lattice problems on a quantum computer has arisen.

The lattice problem, upon which three of the NIST PQC selected algorithms are based, is commonly illustrated as The Knapsack Problem and dates back to the late 1890s. This description is from Wikipedia: “Given a set of items, each with a weight and a value, determine the number of each item to include in a collection so that the total weight is less than or equal to a given limit and the total value is as large as possible. It derives its name from the problem faced by someone who is constrained by a fixed-size knapsack and must fill it with the most valuable items. The problem often arises in resource allocation where the decision-makers have to choose from a set of non-divisible projects or tasks under a fixed budget or time constraint, respectively.”

IBM Research has even published a short video describing the knapsack problem and its relevance to quantum cryptography.

Lattice reduction algorithms can be used to tackle the problem but the computational resources required are impractical. Wikipedia, once again: “The conjectured intractability of such problems is central to the construction of secure lattice-based cryptosystems: Lattice problems are an example of NP-hard problems which have been shown to be average-case hard, providing a test case for the security of cryptographic algorithms. In addition, some lattice problems which are worst-case hard can be used as a basis for extremely secure cryptographic schemes. The use of worst-case hardness in such schemes makes them among the very few schemes that are very likely secure even against quantum computers.”

Likewise, hash function cryptography also has a lengthy history. These functions are said to be one-way functions, which means it is practically infeasible to invert or reverse the computation. Ideally, the only way to find a message that produces a given hash is to attempt a brute-force search of possible inputs to see if they produce a match, or use a rainbow table of matched hashes.

Lyubashevsky points out that work on these difficult mathematical problems often starts out seeking solutions for useful applications.

“These are natural mathematical problems. If somebody does find a fast algorithm for them, it will have positive effect in the areas of optimization and things like that,” he said. “So these are questions people are interested in solving positively. But since they couldn’t, you know, we base cryptography on it. As far as quantum computing goes, it’s kind of the same story. People who specialize in quantum algorithms know these lattice problems. A lot of these lattice cryptography problems originated from people working in quantum algorithms trying to find a new type of algorithms that a quantum computer can solve and they didn’t succeed.”

In its PQC program, NIST asked for security equivalence of AES-128 and AES-192 (AES, advanced encryption standards) against quantum computers. The 128 and 192 refer to the bit size of keys. There is also an AES-256 but that was not requested.

The PQC program included five security strength categories “based on the computational resources required to perform certain brute-force attacks against the existing NIST standards for AES and SHA in a variety of different models of the cost of computation, both classical and quantum…The idea is that in order to meet, for example, category 1, the best attack violating the security definition of a parameter set should cost more than a brute-force key search attack on a single instance of AES-128, according to any plausible assumption regarding the relative cost of the various computational resources involved in a real-world attack.[i]”  (A list of the five security strengths is included at the end of the article.)

As acknowledged by NIST, there’s room for some disagreement about what constitutes relative computational cost – “including quantum gates, classical gates, quantum memory, classical memory, hardware, energy, and time” – and how much of a given resource an attack actually requires.”

Talking about the submissions to NIST, Lyubashevsky said, “We had to provide them the parameters for which we believe these (AES) problems are secure at these levels. Now, of course, it’s a bit messy. Things do change a bit even during the standardization effort. There were attacks that lowered security by, you know, five bits or 10 bits. This does require us to increase parameters.”

This type of ongoing change has happened with factoring schemes, said Lyubashevsky, “because the original things that were proposed in or 1970s can be broken on a cell phone now, and not just because better technology exists, but because better algorithms have been developed.”

Focusing on the NIST PQC effort, “All these algorithms kind of existed before in this [NIST PQC] competition with lattice algorithms. The main positive effect of the standardization effort is that it got a lot more cryptanalysts looking at these problems. I think most cryptanalysts work for government agencies like the NSA, GCHQ, and places like that,” said Lyubashevsky.

Given all the scrutiny, Lyubashevsky thinks we can be confident about the security of the PQC algorithms selected. Moreover, he thinks advancing computational hardware technology isn’t a big threat.

“Cryptography should not be affected by any of this (advancing supercomputers), because we believe the hardness of the problem (lattice) is exponential. If you increase your computing power by a factor of two, you just increase the key by one bit, I mean there is a limit to how much computing can increase; you cannot probably do more operations beyond some energy threshold.” There’s only so much energy available on the planet, he wryly chides, “the security of the cryptography kind of goes above this threshold, and it’s not hard to get it above it,” he said.

The lattice algorithms used for public-key encryption are faster and smaller than hash function algorithms, according to Lyubashevsky.

“You can’t get public key encryption from hash functions; you can only get digital signatures. It’s slower and bigger but one big advantage is that the security of hash functions, are not really based on any mathematical problem, it’s just random stuff and should be hard to invert. People will be very, very surprised if something like SHA-3 (secure hash algorithm-3) falls to quantum computing,” he said. “This would be a complete shock and a lot of symmetric key cryptography would be broken. This is not something that we’re even discussing in terms of this NIST standardization effort,” he said.

NIST intends to select at least one more KEM for standardization after the fourth final round of assessments. Lyubashevsky notes there are always tradeoffs between encryption schemes and implementations of the same scheme. For example the submitted algorithms may vary in size, may require different amounts of computational resources, have have different performance characteristics.

“Maybe with respect to some new candidates that’s something NIST will consider in round four. For example, there’s this other type of mathematics based on supersingular isogeny math. It provides solutions smaller than lattices, but it’s very, very slow. So that’s something they may want to standardize in the fourth round. They want different digital signatures [and] there you also have a lot of tradeoffs. Something can have a much smaller signature but a much larger public key. The lattice-based scheme is very balanced, whereas other kinds of specialist schemes can have an advantage in one area and a big disadvantage from another,” he said.

Despite the work still to be done, NIST wants industry and the encryption community to push ahead and not wait. “Even though the third round is ending and NIST will begin to draft the first PQC standards, standardization efforts in this area will continue for some time. This should not be interpreted to mean that users should wait to adopt post-quantum algorithms. NIST hopes for rapid adoption of these first standardized algorithms,” is the guidance from the just-released report.

Lyubashevsky says the need to revamp security has highlighted the ad hoc way in which encryption has often been applied and spotlights the need for a more orderly approach going forward.

“I was a bit surprised when the folks at IBM who actually work on this stuff [deployment and products] said finding the cryptography in data is hard because the crypto is intermingled with everything else, with all the other code and the all the other programs. It’s hard to find and [therefore] hard to yank out and put something else in. This was all an artifact from the 80s and 90s,” he said.

What’s needed now, said Lyubashevsky, is a more modular approach. “If we’re going to change everything, let’s at least do it right. Let’s make everything modular so if something needs to be changed in the future, for whatever reason, it’s easy to take out and plug in something new. This is also important in quantum safe cryptography because you don’t have an algorithm that is best at everything; you have some that are very fast, you have some that are very slow, but have slightly smaller keys. There will be scenarios where one is better than the other. And maybe you don’t quite know which one it will be and you want to be agile. You want to be able to quickly put algorithms in and take algorithms out.”

Link to latest NIST report

Link to NIST migration project

Strength Categories from NIST

1)  Any attack that breaks the relevant security definition must require computational resources comparable to or greater than those required for key search on a block cipher with a 128-bit key (e.g. AES-128)

2)  Any attack that breaks the relevant security definition must require computational resources comparable to or greater than those required for collision search on a 256-bit hash function (e.g. SHA-256/ SHA3-256)

3)  Any attack that breaks the relevant security definition must require computational resources comparable to or greater than those required for key search on a block cipher with a 192-bit key (e.g. AES-192)

4)  Any attack that breaks the relevant security definition must require computational resources comparable to or greater than those required for collision search on a 384-bit hash function (e.g. SHA-384/ SHA3-384)

5)  Any attack that breaks the relevant security definition must require computational resources comparable to or greater than those required for key search on a block cipher with a 256-bit key (e.g. AES-256)

[i] Status Report on the Third Round of the NIST Post-Quantum Cryptography Standardization Process, https://csrc.nist.gov/publications/detail/nistir/8413/final

Subscribe to HPCwire's Weekly Update!

Be the most informed person in the room! Stay ahead of the tech trends with industry updates delivered to you every week!

Google’s DataGemma Tackles AI Hallucination

September 18, 2024

The rapid evolution of large language models (LLMs) has fueled significant advancement in AI, enabling these systems to analyze text, generate summaries, suggest ideas, and even draft code. However, despite these impress Read more…

Quantum and AI: Navigating the Resource Challenge

September 18, 2024

Rapid advancements in quantum computing are bringing a new era of technological possibilities. However, as quantum technology progresses, there are growing concerns about the availability of resources—a challenge remin Read more…

Intel’s Falcon Shores Future Looks Bleak as It Concedes AI Training to GPU Rivals

September 17, 2024

Intel's Falcon Shores future looks bleak as it concedes AI training to GPU rivals On Monday, Intel sent a letter to employees detailing its comeback plan after an abysmal second-quarter earnings report with critics calli Read more…

AI Helps Researchers Discover Catalyst for Green Hydrogen Production

September 16, 2024

Researchers from the University of Toronto have used AI to generate a “recipe” for an exciting new catalyst needed to produce green hydrogen fuel. As the effects of climate change begin to become more apparent in our Read more…

The Three Laws of Robotics and the Future

September 14, 2024

Isaac Asimov's Three Laws of Robotics have captivated imaginations for decades, providing a blueprint for ethical AI long before it became a reality. First introduced in his 1942 short story "Runaround" from the "I, R Read more…

Microsoft, Quantinuum Use Hybrid Workflow to Simulate Catalyst

September 13, 2024

Microsoft and Quantinuum reported the ability to create 12 logical qubits on Quantinuum's H2 trapped ion system this week and also reported using two logical qubits on an H1 system to simulate an iron catalyst's low ener Read more…

Google’s DataGemma Tackles AI Hallucination

September 18, 2024

The rapid evolution of large language models (LLMs) has fueled significant advancement in AI, enabling these systems to analyze text, generate summaries, sugges Read more…

Quantum and AI: Navigating the Resource Challenge

September 18, 2024

Rapid advancements in quantum computing are bringing a new era of technological possibilities. However, as quantum technology progresses, there are growing conc Read more…

Shutterstock_2176157037

Intel’s Falcon Shores Future Looks Bleak as It Concedes AI Training to GPU Rivals

September 17, 2024

Intel's Falcon Shores future looks bleak as it concedes AI training to GPU rivals On Monday, Intel sent a letter to employees detailing its comeback plan after Read more…

The Three Laws of Robotics and the Future

September 14, 2024

Isaac Asimov's Three Laws of Robotics have captivated imaginations for decades, providing a blueprint for ethical AI long before it became a reality. First i Read more…

GenAI: It’s Not the GPUs, It’s the Storage

September 12, 2024

A recent news release from Data storage company WEKA and S&P Global Market Intelligence unveiled the findings of their second annual Global Trends in AI rep Read more…

Shutterstock 793611091

Argonne’s HPC/AI User Forum Wrap Up

September 11, 2024

As fans of this publication will already know, AI is everywhere. We hear about it in the news, at work, and in our daily lives. It’s such a revolutionary tech Read more…

Quantum Software Specialist Q-CTRL Inks Deals with IBM, Rigetti, Oxford, and Diraq

September 10, 2024

Q-CTRL, the Australia-based start-up focusing on quantum infrastructure software, today announced that its performance-management software, Fire Opal, will be n Read more…

AWS’s High-performance Computing Unit Has a New Boss

September 10, 2024

Amazon Web Services (AWS) has a new leader to run its high-performance computing GTM operations. Thierry Pellegrino, who is well-known in the HPC community, has Read more…

Everyone Except Nvidia Forms Ultra Accelerator Link (UALink) Consortium

May 30, 2024

Consider the GPU. An island of SIMD greatness that makes light work of matrix math. Originally designed to rapidly paint dots on a computer monitor, it was then Read more…

AMD Clears Up Messy GPU Roadmap, Upgrades Chips Annually

June 3, 2024

In the world of AI, there's a desperate search for an alternative to Nvidia's GPUs, and AMD is stepping up to the plate. AMD detailed its updated GPU roadmap, w Read more…

Nvidia Shipped 3.76 Million Data-center GPUs in 2023, According to Study

June 10, 2024

Nvidia had an explosive 2023 in data-center GPU shipments, which totaled roughly 3.76 million units, according to a study conducted by semiconductor analyst fir Read more…

Shutterstock_1687123447

Nvidia Economics: Make $5-$7 for Every $1 Spent on GPUs

June 30, 2024

Nvidia is saying that companies could make $5 to $7 for every $1 invested in GPUs over a four-year period. Customers are investing billions in new Nvidia hardwa Read more…

Comparing NVIDIA A100 and NVIDIA L40S: Which GPU is Ideal for AI and Graphics-Intensive Workloads?

October 30, 2023

With long lead times for the NVIDIA H100 and A100 GPUs, many organizations are looking at the new NVIDIA L40S GPU, which it’s a new GPU optimized for AI and g Read more…

Shutterstock 1024337068

Researchers Benchmark Nvidia’s GH200 Supercomputing Chips

September 4, 2024

Nvidia is putting its GH200 chips in European supercomputers, and researchers are getting their hands on those systems and releasing research papers with perfor Read more…

IonQ Plots Path to Commercial (Quantum) Advantage

July 2, 2024

IonQ, the trapped ion quantum computing specialist, delivered a progress report last week firming up 2024/25 product goals and reviewing its technology roadmap. Read more…

Google Announces Sixth-generation AI Chip, a TPU Called Trillium

May 17, 2024

On Tuesday May 14th, Google announced its sixth-generation TPU (tensor processing unit) called Trillium.  The chip, essentially a TPU v6, is the company's l Read more…

Leading Solution Providers

Contributors

Intel’s Next-gen Falcon Shores Coming Out in Late 2025 

April 30, 2024

It's a long wait for customers hanging on for Intel's next-generation GPU, Falcon Shores, which will be released in late 2025.  "Then we have a rich, a very Read more…

Atos Outlines Plans to Get Acquired, and a Path Forward

May 21, 2024

Atos – via its subsidiary Eviden – is the second major supercomputer maker outside of HPE, while others have largely dropped out. The lack of integrators and Atos' financial turmoil have the HPC market worried. If Atos goes under, HPE will be the only major option for building large-scale systems. Read more…

xAI Colossus: The Elon Project

September 5, 2024

Elon Musk's xAI cluster, named Colossus (possibly after the 1970 movie about a massive computer that does not end well), has been brought online. Musk recently Read more…

Department of Justice Begins Antitrust Probe into Nvidia

August 9, 2024

After months of skyrocketing stock prices and unhinged optimism, Nvidia has run into a few snags – a  design flaw in one of its new chips and an antitrust pr Read more…

MLPerf Training 4.0 – Nvidia Still King; Power and LLM Fine Tuning Added

June 12, 2024

There are really two stories packaged in the most recent MLPerf  Training 4.0 results, released today. The first, of course, is the results. Nvidia (currently Read more…

Spelunking the HPC and AI GPU Software Stacks

June 21, 2024

As AI continues to reach into every domain of life, the question remains as to what kind of software these tools will run on. The choice in software stacks – Read more…

Nvidia H100: Are 550,000 GPUs Enough for This Year?

August 17, 2023

The GPU Squeeze continues to place a premium on Nvidia H100 GPUs. In a recent Financial Times article, Nvidia reports that it expects to ship 550,000 of its lat Read more…

Shutterstock 1886124835

Researchers Say Memory Bandwidth and NVLink Speeds in Hopper Not So Simple

July 15, 2024

Researchers measured the real-world bandwidth of Nvidia's Grace Hopper superchip, with the chip-to-chip interconnect results falling well short of theoretical c Read more…

  • arrow
  • Click Here for More Headlines
  • arrow
HPCwire