Quantum-Safe Cryptography & Standards: QSC, PQC, QKD & More!

What is “quantum”, really?
The emperor's new (quantum) clothes: cutting through the quantum hype

It’s hard to move in security circles today without hearing someone pontificating about “quantum”. Maybe you keep hearing how all cryptography and security of the internet will be devastated by a quantum computer.  

Believe me, I hate adding noise to an already blaring chorus — but when so much quantum stuff I hear is just wrong or fear-mongering, I truly feel a sense of duty to take out some of the hype and junk before someone acts on bad advice in good faith.

I know, there are about 100,000 blogs out there on quantum, so why is this one different? Mainly because I’m not going to retread old ground. Instead, I will provide clarity on the lesser-explained elements, arm you with some facts to challenge quantum hobbyists, and give you a solid grounding in quantum vocabulary and standards. 

So if you’re interested, read on. I’ll never miss a chance to talk about quantum-safe cryptography and standards! After this, you should know:

• What we mean by "quantum-safe cryptography".
• The differences between post-quantum cryptography (PQC) and quantum key distribution (QKD) — and why many pros prefer PQC.
  
• The latest status of the NIST post-quantum cryptography process.

Quantum-safe cryptography: PQC or QKD?

Quantum computing is an entire field unto itself, and not something we can define in simple terms. The good news is that we can define quantum-safe cryptography! QSC refers to algorithms that cannot be cracked or weakened by a quantum computer (QC).

Today, quantum-safe cryptography encompasses two types post-quantum cryptography and quantum key distribution. (For more on terminology and distinctions, do check out this excellent proposed standard on the subject.)

There’s one important distinction I have to make: When I talk about “quantum”, I’m almost surely talking about post-quantum cryptography (PQC). When other people talk about “quantum”, they sometimes mean quantum key distribution (QKD). So let’s clear up this point:

• Post-quantum cryptography (PQC) is cryptography that isn’t weakened or completely broken by a quantum computer running Shor’s algorithm or Grover’s algorithm. 
• In quantum key distribution (QKD), a key is shared on a physical wire or via satellite between two or more nodes/endpoints, and is secure “by the magic of quantum physics”. Concretely, this is because of superposition, i.e. that a quantum system can be in multiple states at the same time until it is measured. Loosely, this is secure because the key only collapses to a fixed state when observed, so if anyone steals it, they must have observed it, and you’ll know that happened because the key is now fixed.  

If that doesn’t make sense, don’t worry because I’m not going to discuss it further except to say… 

Quantum squads: choosing PQC or QKD 

Quantum-safe cryptography (QSC) encompasses both PQC and QKD. So how do you know which one to choose — better yet, which squad should you support?

Like most technologists, I greatly favour PQC. Why? Well, the security aspects of PQC are better-researched. Importantly, we also have the infrastructure to support PQC today. 

In contrast, QKD requires bespoke hardware. To be deployed at scale and in support of the traffic volume that the internet requires, QKD requires all kinds of new networks to be built, with lots and lots of relay nodes to tackle the geographic and distance limitations. And, even if we did have all that, QKD also can’t do authentication — that’s a hard no from me. 

So whilst QKD is pretty cool, it’s not suitable for many reasons, and I greatly prefer PQC. As for the rest of us…does everyone prefer PQC? Well, let’s look at standards.

Quantum standards and making mistakes 

Luckily, whenever there are emerging and developing technologies like quantum cryptography, there are standards! The National Institute of Standards and Technology (NIST) has been creating standards for all sorts of technologies, including quantum-safe cryptography, for ages and ages. 

Yes, NIST published SP 800-208 in December 2019, aimed at the niche use case of long-lasting embedded systems that need occasional firmware updates. And, since June 2022, one key encapsulation mechanism and three signature algorithms have been standardised (as we’ll cover shortly). 

However, these latter algorithms are still not implemented in protocol standards, or even de facto large libraries — wait until they are. If you do this yourself, you’re likely to make a mistake. This mistake very likely will: 

• Increase your attack surface. 
• Have far worse ramifications than the (currently non-existent) quantum threat.

So, it’s crucial to wait for well-researched, international standards and implementations. 

Quantum-safe algorithms & the latest on NIST’s post-quantum process

Since 2017, NIST has led a process to solicit, evaluate, and standardise quantum-resistant public-key cryptographic algorithms.

 A long-running joke is that the whole NIST post-quantum process was designed to keep cryptographers (like me!) in business. We had done pretty well with ubiquitous encryption, efficient and small elliptic curve key exchanges and signatures, AES and SHA3. What was left to do? 

Design against a theoretical quantum attack, of course!

Most quantum-safe schemes are based on 1 of 5 underlying hard problems (each class of hard problems is analogous to the difficulty of factoring a large modulus). Quantum-safe algorithms are grouped by these underlying hard problems, as follows:

• Lattice-based
• Hash-based
• Isogeny-based
• Multivariate-based
• Code-based

So far, NIST has finalised four algorithms in its standardisation process:

• CRYSTALS-Kyber, a lattice-based key encapsulation mechanism
• CRYSTALS-Dilithium, a lattice-based signature scheme
• FALCON, a lattice-based signature scheme
• SPHINCS+, a hash-based signature scheme

The eagle-eyed among you will note that 3 of those 4 are all based on lattices, which limits your choice if you’re not a fan of lattices. (Thankfully, I am a fan.) But if you’re not, don’t fear! NIST put these algorithms. with different underlying hard problems, into a group for further research:

• BIKE, HQC and Classic McEliece: all code-based KEMs/PKE schemes
• SIKE: isogeny-based key exchange

This “further research” group turned out to be a great idea, because SIKE was broken shortly afterwards. This validates that these algorithms did require further study before being standardised.

Remember, wait for standards!

Until standards and implementations are available, you could do some things that are good for both cybersecurity and any potential quantum threat, such as: 

• Auditing your systems.
• Making an asset inventory.
• Planning lifecycle management. 

This is good security practice anyway, and will be helpful, should you ever need to migrate to a post-quantum solution — once standards have been set, of course.

A nod to the world’s cryptographers

There are people in this world who are legit cryptographers; that’s their job title, they live and breathe cryptography, devouring academic papers, research, implementations and number theory. 

And then there are people who know what public-key cryptography is as it relates to certificates on the internet. Nothing wrong with that. Just remember that cryptography is a profession, like civil engineering, and the same way you wouldn’t build bridges if you have a passing interest in civil engineering, nor should you be advising on cryptography because you can describe RSA.

So, no matter how enthusiastic you or your staff are: don’t roll your own cryptography, do use tested implementations, and always wait for standards that have been thoroughly researched. 

In the meantime, here’s a superposition joke for you: Schrödinger’s cat walks into a bar, and doesn’t. (…And that is why no-one makes jokes about quantum physics. 😜)

Quantum quiz time

Test time! You should be able to tell me now:

• What quantum-safe cryptography means.
  
• The differences between PQC and QKD.
  
• What’s the latest with the NIST post-quantum cryptography process?