Towards Quantum-Safe Trust Services: the race against time to prevent the Quantum Meltdown

Avatar von Pierluigi Pilla
Trust Services & Technologies Director

Imagine a world where the very foundations of digital security crumble overnight. This isn’t some distant sci-fi plot — this is the imminent threat posed by quantum computing sometimes referred to as Quantum Meltdown.

ENISA, the European Union’s cybersecurity agency, has issued a report warning of a significant risk by 2030 and urging individuals and organizations with valuable data today to begin long-term planning to protect it.

But don’t panic, we at Namirial have always nurtured talents to position ourselves at the forefront of applied research in cryptographic technologies and the situation is under control!

We constantly participate in several research programs and have established cooperation with leading research centers and technology providers in the world to face the most challenging and imminent cyber threats.

We are proud to share this success story which sees Namirial, with his excellence center in PKI technology based in Napoli, collaborating with the “Casa delle Tecnologie Emergenti di Napoli”, in a research project that was dealing with the development and testing of a complete communication infrastructure based on Post Quantum Cryptography algorithms to ensure the authenticity, integrity, and non-repudiation of digitally signed files.

But a super-robust Post Quantum Infrastructure wouldn’t be complete without a super-safe communication channel, right? This is why the developed Post Quantum Infrastructure was also coupled with a Quantum Key Distribution (QKD) network.

But let’go step-by-step.

For decades, our digital lives have been safeguarded by Public Key Infrastructure (PKI), a cryptographic fortress established in the 1970s.

PKI relies on two main cryptographic principles:

  1. Asymmetric Encryption: this involves the use of two keys (public and private) that work together. What one key locks (encrypts), only the other can unlock (decrypt). The security comes from the fact that while the public key is easy to share, the private key is hard to guess.
  2. Trust through Certificate Authorities (CAs): to make sure that public keys really belong to the people they claim to, PKI uses Certificate Authorities (CAs). CAs are trusted organizations that verify identities and issue digital certificates—electronic documents that link a person’s or organization’s public key to their identity.

PKI also helps prove who you are online. This is where digital signatures come in:

  • Signing: When you send a message, you can use your private key to create a digital signature. This signature is unique to you and the message, proving that you really sent it.
  • Verification: The recipient can use your public key to verify the signature. If the signature checks out, they know the message is really from you and hasn’t been altered.

In Public Key Infrastructure (PKI), the traditional asymmetric encryption algorithms that are commonly used to ensure secure communication and data protection are the RSA (Rivest-Shamir-Adleman) and ECC (Elliptic Curve Cryptography), although they differ in their underlying mathematics, efficiency, and performance.

RSA relies on the difficulty of factoring large composite numbers into their prime factors. The security of RSA comes from the fact that while it’s easy to multiply two large prime numbers, it’s extremely hard to reverse the process and factorize the resulting product.

This algorithmrequires large key sizes to achieve a high level of security. For instance, a 2048-bit RSA key is commonly used today for strong security, but 3072-bit or even 4096-bit keys are used for enhanced security.

ECC is based on the algebraic structure of elliptic curves over finite fields. The security of ECC comes from the difficulty of the Elliptic Curve Discrete Logarithm Problem (ECDLP). In simple terms, given a point on the curve, it is computationally hard to determine the scalar multiplier that was used to reach that point.

This algorithmprovides comparable security to RSA but with much smaller key sizes. For example, a 256-bit key in ECC can offer a similar level of security to a 3072-bit RSA key. This smaller key size results in faster computations and less resource consumption.

Over the past few years, the recommendation to increase RSA key lengths or switch to ECC algorithms has become increasingly prevalent. As computing power grows, so does the ability to crack cryptographic systems. These measures offer a robust defense against evolving “traditional” threats, ensuring the continued security of digital communications.

However, while with classical computers working with a binary logic, breaking RSA or ECC is like trying to find two specific needles in a haystack the size of the universe, quantum computers can exploit the principles of quantum mechanics to solve these problems exponentially faster.

Using quantum bits, or qubits, quantum computers can perform multiple calculations simultaneously. This parallelism allows them to tackle certain types of problems, like prime factorization, far more efficiently than classical machines.

The real threat to RSA comes from Shor’s algorithm, a quantum algorithm specifically designed for integer factorization. If implemented on a sufficiently powerful quantum computer, Shor’s algorithm could factor large numbers exponentially faster than the best classical algorithms.

While Shor’s algorithm is often associated with the threat to RSA encryption (due to its ability to factor large numbers), it also poses a threat to ECC. Specifically, Shor’s algorithm can solve the Elliptic Curve Discrete Logarithm Problem (ECDLP) exponentially faster than classical algorithms.

If a quantum computer successfully implements Shor’s algorithm, it could break the security of RSA or ECC by determining the private key from the public key. This would render any system relying on them for encryption, digital signatures, or key exchange vulnerable to attacks where the encrypted data could be decrypted, or the signatures could be forged.

The threat posed by quantum computers necessitates a transition to quantum-resistant cryptographic methods. Current RSA and ECC implementations would need to be replaced with post-quantum algorithms, which are designed to be secure against quantum attacks.

In response to the quantum threat, researchers are developing new cryptographic algorithms that are believed to be resistant to quantum attacks:

  • Lattice-Based Cryptography: based on hard problems related to lattice structures in high-dimensional spaces. These are considered strong candidates for quantum resistance.
  • Hash-Based Cryptography: utilizes hash functions to create digital signatures. It relies on the security of hash functions, which are not easily broken by quantum algorithms.
  • Code-Based Cryptography: based on the difficulty of decoding random linear codes. It has been studied extensively and is seen as a promising quantum-resistant alternative.

Recently, the National Institute of Standards and Technology (NIST) has announced the first four quantum-resistant cryptographic algorithms designed to protect against future quantum computer threats. These algorithms, which include CRYSTALS-Kyber for general encryption and CRYSTALS-Dilithium, FALCON, and SPHINCS+ for digital signatures, will become part of a post-quantum cryptographic standard expected in about two years. The algorithms are selected to withstand the potential of quantum computers breaking current encryption methods, ensuring long-term data security.

As we noted earlier, NIST’s announcement is no shock. We’ve been closely monitoring the research being done in this area, so we’re excited to share the tangible outcomes of our work.

The tasks that were delivered in our research project were:

  1. Modification of CA Software: Updating our Certification Authority software to support the post-quantum cryptography (PQC) algorithms suggested by NIST.
  2. Middleware Development: Creating a middleware to communicate with a Hardware Security Module (HSM) that supports PQC algorithms.
  3. HSM Preparation: Configuring the HSM to support PQC algorithms by using open-source libraries within a protected hardware environment.
  4. Certificate Generation:
    – Creating a self-signed CA certificate using PQC algorithms.
    – Generating a user certificate signed with the CA key and PQC algorithms.
  5. Remote Signing Server Modification: Updating the server to perform remote signing using the user’s key and PQC algorithms.
  6. Verification Software Development: Creating software to verify files digitally signed using PQC algorithms.

An additional interesting aspect of this project was that the developed PKI complemented an infrastructure where the communication channel is secured through a Quantum Key Distribution network. This ensures both the confidentiality and integrity of the communication using technology specifically designed to resist quantum computing attacks.

The advent of quantum computing marks a significant leap forward in technological advancement. Its potential to revolutionize fields like materials science, drug discovery, and artificial intelligence is immense. While there are concerns about its impact on encryption, it’s important to remember that the cryptographic community and Namirial as part of it is actively working on developing quantum-resistant algorithms to safeguard our digital world. As science continues to progress, we can be confident that the benefits of these advancements will far outweigh any potential risks, ensuring a secure and prosperous future.

We would like to extend our gratitude to:

Fabrizio Balsamo – R&D Manager

Paolo Campegiani – Head of Innovation

Giulio Di Clemente – R&D Analyst

for their valuable contribution to this article.

Avatar von Pierluigi Pilla
Trust Services & Technologies Director