Cryptocalypse: Another NIST candidate less – now what?


The NIST standardization competition for quantum-safe cryptographic algorithms is not over yet, but yet another candidate has been cracked.

There were only seven left, and that is only if you generously count all the wobbly candidates. It had started so promisingly when the American National Institute of Standards and Technology (NIST) launched its search for quantum-secure cryptographic methods (PQC, post-quantum cryptography) a little more than five years ago.
Spurred on by the open competitions for AES (1997 – 2000) and SHA-3 (2007 – 2012), the community really got to work this time: almost 70 submissions ultimately came together for the race against time to save the world as we know it. Because, let's remember, a single sufficiently large quantum computer will probably, at some point in the next five to twenty years, break all the public-key cryptography we use at scale: all asymmetric encryption and key exchange (and thus also the hybrid encryption built on top of it), and all digital signatures. Symmetric ciphers and hash functions merely lose some security margin to Grover's algorithm and survive with longer keys; the public-key layer does not.

Of course, many proposals were screened out quickly at the beginning; there is always some attrition, and so by 2020 about a quarter of the candidates were left that might (!) be suitable for protecting us from the looming cryptocalypse.

Now, in September 2022, would be a good time to start panicking. Without the newcomer SIKE, which was recently broken quite classically, without a quantum computer, on a single PC within an hour, we still have a total of seven horses in the race that will hopefully (!) pull the cart out of the mud, but three of them are still under observation. If this were a biological extinction proceeding at this rate, we would have about four years left to live.

So things are getting tight. Not only are we running out of time to plan and carry out an unprecedented large-scale migration of all technology, from mainframes to banking apps to pacemakers; we could also run out of algorithms. Encryption methods in particular are getting thin on the ground, because only one (!) of them, the key-encapsulation scheme CRYSTALS-Kyber, is currently recommended.

Now we have to keep our fingers crossed that at least that one holds up, while at the same time hitting it with all the cryptanalytic expertise we have. Because the only thing more dangerous than having no secure algorithms left is believing you still have some.

Those (few) who have already carried out serious real-world field tests with PQC algorithms like to emphasize that their experiments are safe because they use classical and post-quantum algorithms in parallel (for signatures: both must verify) or in series (for encryption: the session key is derived from both shared secrets). That is true, but only until the quantum computer is there. From that day on the classical leg contributes nothing, the new procedures have to carry the full load everywhere at once, and whatever traffic someone has recorded in the meantime is lost anyway, unless it was already protected by the post-quantum component ("harvest now, decrypt later"). Nor should the hope for quantum cryptography (as opposed to post-quantum cryptography: cryptography that uses quantum effects, such as quantum key distribution) lull us too much: it works in principle, but will not be suitable for large-scale use for a very long time.
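The "in series" combination mentioned above, as an added example that is not part of this column: a hybrid KEM combiner in plain Python (standard library only) that derives one session key from a classical and a post-quantum shared secret through RFC 5869 HKDF, so that the key stays secret as long as either component is unbroken. The shared secrets and ciphertexts are random placeholders standing in for what an X25519 exchange and a post-quantum KEM would deliver; the context label and the function names are this example's own assumptions.

```python
"""Hybrid ("in series") key derivation, as an added illustration.

Two shared secrets, one from a classical key exchange and one from a
post-quantum KEM, are fed through one HKDF so that the session key stays
secret as long as EITHER component is unbroken. The extract/expand
functions follow RFC 5869 (HMAC-SHA-256). The shared secrets and
ciphertexts used in demo() are random stand-ins (an assumption of this
example), not outputs of any real X25519 or PQ-KEM implementation.
"""
import hashlib
import hmac
import os


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step: PRK = HMAC-SHA-256(salt, IKM)."""
    if not salt:
        salt = bytes(hashlib.sha256().digest_size)
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step: T(i) = HMAC(PRK, T(i-1) || info || i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def _lv(b: bytes) -> bytes:
    """Length-prefix a field so concatenated inputs are unambiguous."""
    return len(b).to_bytes(2, "big") + b


def hybrid_key(ss_classical: bytes, ss_pq: bytes,
               ct_classical: bytes, ct_pq: bytes,
               context: bytes = b"demo hybrid kem v1", length: int = 32) -> bytes:
    """Derive one session key from both shared secrets.

    Both secrets enter the extract step, so recomputing the PRK requires
    knowing both. Both ciphertexts and a context label enter the info
    field, binding the key to this particular exchange.
    """
    if not ss_classical or not ss_pq:
        # A missing leg silently degrades to a single-algorithm scheme;
        # refuse rather than derive a key that is weaker than advertised.
        raise ValueError("both shared secrets are required")
    prk = hkdf_extract(salt=context, ikm=_lv(ss_classical) + _lv(ss_pq))
    info = _lv(context) + _lv(ct_classical) + _lv(ct_pq)
    return hkdf_expand(prk, info, length)


def demo() -> dict:
    """Both parties agree; an attacker who later breaks only the classical
    leg (and therefore knows ss_classical) still cannot reproduce the key."""
    ss_classical, ss_pq = os.urandom(32), os.urandom(32)    # constructed stand-ins
    ct_classical, ct_pq = os.urandom(32), os.urandom(1088)  # constructed stand-ins
    key_a = hybrid_key(ss_classical, ss_pq, ct_classical, ct_pq)
    key_b = hybrid_key(ss_classical, ss_pq, ct_classical, ct_pq)
    # The attacker knows ss_classical but has to guess ss_pq.
    key_attacker = hybrid_key(ss_classical, os.urandom(32), ct_classical, ct_pq)
    return {"agree": key_a == key_b, "attacker_matches": key_attacker == key_a}


if __name__ == "__main__":
    print(demo())
```

The signature-side "in parallel" case needs no combiner: a hybrid signature is accepted only if both the classical and the post-quantum verification succeed, so the interesting part is the logical AND and making sure an implementation never quietly accepts one signature when the other is missing. That is also why hybrid_key above refuses an empty component instead of deriving a key from whatever is left.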

Imagine if the dreams of the crypto visionaries Ralph Merkle, Whitfield Diffie and Martin Hellman had not come true in 1976, and James Ellis, Clifford Cocks and Malcolm Williamson at the British spy agency GCHQ had not, in secret, anticipated their invention and that of RSA a few years earlier. Nobody would have figured out how to encrypt something with one key that can only be decrypted with another. It is unclear whether the Internet, especially (but not only) as an economic space, could have developed anywhere near the way we use it today.

If I were with Extinction Rebellion, I would not know today whether to chain myself to the information superhighway to stop more carelessly "encrypted" data in fossil formats (RSA or elliptic curves) from being sent, or to the last surviving methods in the NIST competition. So we are in the uncomfortable position of sitting on a shrinking sack of potentially life-saving algorithms, without knowing (as with Erwin Schrödinger's famous cat) whether some of them are already dead (easily broken).

In principle this is true of every algorithm that is not provably secure according to some set of criteria (and even a proof only reduces security to a hardness assumption that may itself fall). But with PQC we slept too long, relying too much on RSA, elliptic curves and the like. Let's hope that does not come back to bite us, and that with The Big Migration™ we manage, first, to start early enough and, second, not to embrace mathematics that then collapses beneath us.

Software agility and crypto agility are keywords that sound fairly harmless. For us, however, they could mean having to swap out our entire trust technology within a short period of time, probably more than once. Here is an idea: I am going to register the word mark "Crypto-Agile at Scale" right away, if only to gently trigger those of my valued readers who love consultant-speak so much.