Quantum Computer-Resistant Encryption: Previously unsuitable for TLS
The US agency NIST has selected new encryption methods that are designed to resist attacks from quantum computers. On closer inspection, however, they are hardly suitable.
Quantum-resistant cryptography (QCRC) continues to be the subject of intense discussion among experts. Specialists who specify how Internet traffic is protected with Transport Layer Security (TLS) recently exchanged views on the subject at the 114th meeting of the Internet Engineering Task Force (IETF) in Philadelphia. An interim conclusion is: big keys cause big problems.
Powerful quantum computers are still some way off, but cryptographers want to develop robust protocols today, because quantum computers running methods such as Shor's algorithm will easily break many of the encryption schemes in common use today. Years ago, the US agency NIST therefore launched a competition and, after evaluating the candidates, recently selected one algorithm for key exchange and three for signatures. They are expected to withstand future decryption attacks. The winners of the signature contest are Dilithium-II, Falcon-512 and Sphincs+, and Kyber was chosen for key exchange.
Practical use questionable
However, it is questionable whether they will ever be used on a broad front, as might be hoped. Both the three signature algorithms and Kyber produce significantly larger data packets than today's methods, so large that they exceed the maximum packet size on many Internet routes (the MTU, Maximum Transmission Unit). At first glance this does not look like a big deal, because senders can split oversized packets when they find that they exceed the MTU.
In practice, however, this causes at least considerable delays in establishing TLS connections. According to Google's Martin Thomson, the problem arises when the oversized keys force packets to be fragmented during the handshake, because this requires additional transmission steps (more round trips). And with Datagram Transport Layer Security (DTLS), which runs over UDP, additional round trips cannot be implemented at all, warn Sophia Celi of Cloudflare and Thom Wiggers of Radboud University in the Netherlands.
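To make the size argument concrete, the following Python script estimates how many MTU-sized packets the two handshake flights occupy with a classical suite and with Kyber combined with two of the selected signature schemes, and whether the server's flight stays within a transport's budget for the first round trip. It is an added example, not code from the article or from any of the people quoted; the key, ciphertext and signature sizes are rounded assumptions taken from the public specifications, and the handshake overheads, certificate chain length, the TCP initial window of ten segments and the 3x anti-amplification limit (QUIC's rule, assumed here as a proxy for DTLS as well) are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from math import ceil

# Transport assumptions (constructed for this example, not taken from the article).
MTU = 1500                                  # typical Ethernet path MTU in bytes
HEADER_OVERHEAD = 40                        # IPv4 + TCP header bytes (UDP is slightly less)
PAYLOAD_PER_PACKET = MTU - HEADER_OVERHEAD  # 1460 bytes of handshake data per packet
INIT_CWND_PACKETS = 10                      # TCP initial congestion window (RFC 6928)
AMPLIFICATION_LIMIT = 3                     # a QUIC server may send at most 3x the bytes it
                                            # received until the client address is validated;
                                            # assumed here as a proxy for DTLS as well


@dataclass(frozen=True)
class Suite:
    name: str
    kem_public_key: int   # bytes in the client's key share
    kem_ciphertext: int   # bytes in the server's key share reply
    sig_public_key: int   # bytes of the public key inside each certificate
    signature: int        # bytes of one signature


# Approximate sizes from the public specifications (assumptions, rounded).
CLASSICAL = Suite("X25519 + ECDSA P-256", 32, 32, 65, 72)
KYBER_DILITHIUM = Suite("Kyber-768 + Dilithium2", 1184, 1088, 1312, 2420)
KYBER_FALCON = Suite("Kyber-768 + Falcon-512", 1184, 1088, 897, 666)


def client_flight_bytes(suite: Suite, base_overhead: int = 300) -> int:
    """ClientHello: extensions plus the KEM public key in the key share."""
    return base_overhead + suite.kem_public_key


def server_flight_bytes(suite: Suite, chain_length: int = 2, base_overhead: int = 600) -> int:
    """ServerHello through Finished: the KEM ciphertext, a certificate chain in which
    every certificate carries a public key and its issuer's signature, and the
    CertificateVerify signature over the handshake transcript."""
    return (base_overhead + suite.kem_ciphertext
            + chain_length * (suite.sig_public_key + suite.signature)
            + suite.signature)


def packets_needed(nbytes: int) -> int:
    """Number of MTU-sized packets a flight is split into."""
    return ceil(nbytes / PAYLOAD_PER_PACKET)


def analyse(suite: Suite) -> dict:
    client = client_flight_bytes(suite)
    server = server_flight_bytes(suite)
    return {
        "suite": suite.name,
        "client_bytes": client,
        "client_packets": packets_needed(client),
        "server_bytes": server,
        "server_packets": packets_needed(server),
        # Over TCP the whole server flight leaves in one window if it fits the initial cwnd.
        "fits_tcp_initcwnd": packets_needed(server) <= INIT_CWND_PACKETS,
        # Over UDP-based transports a server flight larger than 3x the client flight cannot
        # be sent until the client has proven its address, which costs an extra round trip.
        "needs_extra_rtt_udp": server > AMPLIFICATION_LIMIT * client,
    }


if __name__ == "__main__":
    for s in (CLASSICAL, KYBER_DILITHIUM, KYBER_FALCON):
        r = analyse(s)
        print(f"{r['suite']:<24} client {r['client_bytes']:>5} B/{r['client_packets']} pkt  "
              f"server {r['server_bytes']:>5} B/{r['server_packets']} pkt  "
              f"fits TCP initcwnd: {r['fits_tcp_initcwnd']}  "
              f"extra RTT over UDP: {r['needs_extra_rtt_udp']}")
```

Under these assumptions the Kyber-768 ClientHello alone no longer fits in a single 1500-byte packet, and the post-quantum server flights stay within TCP's initial window but exceed the 3x budget that a UDP-based handshake may send before the client has validated its address, which is where the extra round trip comes from.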
According to Eric Rescorla, CTO of Mozilla, the only good news is that powerful quantum computers are still a thing of the future. The fundamental problem of current TLS technology, however, remains unsolved: anyone who records all the packets of a TLS connection and attacks them years later with a quantum computer can retroactively decrypt today's confidential transmissions. The IETF wants to prevent this as far as possible, which is why several of its working groups are addressing quantum computer resistance. Meanwhile, NIST has announced another round for new, perhaps "more frugal" candidates.