Quantum Safe Cryptography And Security ; An Introduction .

Quantum Safe Cryptography V1.0.0 (2014-10)White PaperQuantum Safe Cryptography and Security;An introduction, benefits, enablers and challengesISBN 979-10-92620-03-0DisclaimerThis document reflects the views of the authors.It does not necessarily represent the views of the entire ETSI membership.

2Quantum Safe Cryptography V1.0.0 (2014-10)ReferenceQuantum Key Distribution, Quantum Safe CryptographyKeywordsQuantum Key Distribution, Quantum SafeCryptography, Forward SecurityETSI650 Route des LuciolesF-06921 Sophia Antipolis Cedex - FRANCETel.: 33 4 92 94 42 00 Fax: 33 4 93 65 47 16Siret N 348 623 562 00017 - NAF 742 CAssociation à but non lucratif enregistrée à laSous-Préfecture de Grasse (06) N 7803/88Important noticeIndividual copies of the present document can be downloaded from:http://www.etsi.orgThe present document may be made available in more than one electronic version or in print. In any case of existing orperceived difference in contents between such versions, the reference version is the Portable Document Format (PDF).In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drivewithin ETSI Secretariat.Users of the present document should be aware that the document may be subject to revision or change of status.Information on the current status of this and other ETSI documents is available athttp://portal.etsi.org/tb/status/status.aspIf you find errors in the present document, please send your comment to one of the following services:http://portal.etsi.org/chaircor/ETSI support.aspCopyright NotificationNo part may be reproduced except as authorized by written permission.The copyright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2014.All rights reserved.TMTMTMDECT , PLUGTESTS , UMTS and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members.TM3GPP and LTE are Trade Marks of ETSI registered for the benefit of its Members andof the 3GPP Organizational Partners.GSM and the GSM logo are Trade Marks registered and owned by the GSM Association.ETSI

3Quantum Safe Cryptography V1.0.0 (2014-10)ContentsExecutive summary . 51 Scope and purpose . 62 Overview . 72.12.22.32.42.5What is cryptography and how is it used? . 7What is quantum computing? . 8How does quantum computing impact cryptography and security? . 9Why is quantum safety an important issue? . 9What does quantum-safe mean? . 103 Technology survey – current state of the art . 123.1 Pervasiveness of RSA and ECC in security products. 123.2 Cryptographic primitives that are quantum safe. 133.2.1 Quantum Key Distribution . 143.2.1.13.2.1.23.2.1.33.2.1.4How quantum key distribution works . 15Authenticating the QKD channel . 16QKD protocols and their implementations . 16QKD in networks. 173.2.2 Code-based cryptosystems . 173.2.3 Lattice-based cryptosystems . 183.2.4 Hash based cryptosystems . 193.2.5 Multivariate cryptosystems . 193.3 Comparison: classical and quantum safe . 204 Security protocols: potential for upgrade . 224.1 X.509 certificates . 224.1.1 Analysis of current algorithms . 224.1.2 Recommendations for quantum-safe X.509 certificates . 224.1.3 Technical concerns . 234.1.4 QKD and X.509 certificates . 234.2 Internet key exchange version 2 (IKEv2) . 234.2.1 Analysis . 234.2.2 Important security aspects of IKE . 234.2.3 Recommendations for quantum safe IKE. 244.2.4 On the use of QKD in IKE . 244.3 Transport layer security (TLS) version 1.2 . 244.3.1 Analysis of current TLS ciphersuites . 244.3.2 Recommendations for quantum-safe TLS. 254.3.3 Technical concerns . 254.3.4 On the use of QKD in TLS . 254.4 S/MIME . 264.4.1 Analysis of current algorithms in S/MIME version 3.2 . 264.4.2 Recommendations for quantum-safe S/MIME. 264.4.3 Technical concerns . 264.5 Secure shell (SSH) version 2 . 274.5.1 Analysis of current algorithms . 274.5.2 Recommendations for quantum-safe SSH . 274.5.3 Technical concerns for SSH . 284.5.4 On the use of QKD in the context of SSH . 285 Fields of Application and Use Cases . 29ETSI

4Quantum Safe Cryptography V1.0.0 (2014-10)5.1 Use Cases . 295.1.1 Encryption and authentication of endpoint devices. 295.1.2 Network infrastructure encryption . 305.1.3 Cloud Storage and computing . 305.1.4 Big data, data mining and machine learning. 315.1.5 SCADA (Supervisory Control and Data Acquisition) systems. 315.2 Fields of application. 315.2.1 Medicine and health . 315.2.2 Financial Services. 325.2.3 Mobile Applications. 325.2.4 Mobile Network Operator Wholesale . 336 Economics of quantum safe security. 346.1 Benefits of quantum safe security . 346.2 Challenges for quantum safe security . 346.3 Risk management: cryptography or insurance premiums. 356.4 Technology switching costs: gradual vs. immediate . 366.4.1 Avoiding technology switching costs . 367 Conclusions and opportunities for further work . 388 References . 399 Definitions, symbols and abbreviations . 439.19.2Definitions . 43Abbreviations. 45Annex A. 48Authors & contributors . 48History . 49FiguresFigure 1 - Cryptography Basics - Encryption and Decryption. 7Figure 2 - Breaks of the RSA cryptosystem in recent years using conventional computation. . 8Figure 3 - Cryptography Basics - Effect of a quantum attack. . 9Figure 4 - Lead time required for quantum safety . 10Figure 5 - Illustration of a typical prepare-and-measurement QKD setup. . 15Figure 6 - Relationship of Lattice-based problems . 18ETSI

5Quantum Safe Cryptography V1.0.0 (2014-10)Executive summaryRecent research in the field of quantum computing and quantum information theory has brought about a credible threatto the current state-of-the-art for information protection. The current data protection mechanisms that typicallycomprise cryptographic systems rely on computational hardness as a means to protect sensitive data. This is to say thatthere are cryptographic problems that are difficult or impossible to solve using conventional computing.Because of recent advances in quantum computing and quantum information theory, the quantum computer presents aserious challenge to widely used current cryptographic techniques. This is because some of the same cryptographicproblems, which are difficult or impossible to solve using conventional computing, become fairly trivial for thequantum computer.In the practical case, even encrypted information sitting in a database for 25 years, for instance, will be subject todiscovery by those having access to quantum computing platforms. The discovery of the content of such data may leadto serious consequences. These include the possible misuse of bank account numbers, identity information, itemsrelating to military security and other sensitive information.The current state-of-the-art cryptographic principles use well-studied methods that have been relied upon for more than20 years. Amongst cryptographic experts, well-studied, proven and mature techniques are the most preferred forsecurity reasons. However, such techniques were not designed to resist quantum attacks, because at the time of theirinvention, research into quantum computation was obscure and unknown to most cryptographic practitioners.New cryptographic techniques have emerged in recent decades that do provide protection against quantum threats.These techniques are termed “quantum safe” and consist of both techniques based on quantum properties of light thatprevent interception of messages, as well as classic computational techniques, all of which were designed to resistquantum attacks emerging from the rapidly accelerating research field of quantum computation.Cryptographic techniques are commonly found in many industries and fielded systems, usually as a component ofbroader network security products. These commonly available security products need to be upgraded with quantumsafe cryptographic techniques, and this paper explores some of the most pervasive security systems while givingpractical recommendations for upgrading to a quantum safe state. This is not a trivial undertaking, and requires theinterest and support of security product vendors, industry customers, academic researchers and standards groups.An important consideration is the cost of transitioning to quantum safe technologies. New products and trends tend tofollow a standard cycle of innovation starting with early adopters who pay high premiums, and ending withcommoditized product offerings with abundant competition. Quantum safe features will reset the innovation cycle formany common commoditized security products, but the real costs of concern are related to switching to new quantumsafe technologies.Quantum safe communication techniques are not compatible with techniques incumbent in products vulnerable toquantum attacks. In a well-ordered and cost efficient technology transition, there is a period of time where the newproducts are gradually phased in and legacy products are phased out. Currently, quantum safe and quantum vulnerableproducts can co-exist in a network; in some cases, there is time for a well-ordered transition. However, the window ofopportunity for orderly transition is shrinking and with the growing maturity of quantum computation research, for datathat needs to be kept secret for decades into the future, the window for transitioning may already be closed.This paper is designed to be a practical introduction and reference for those in the Information and CommunicationTechnology (ICT) community. The primary objective is to help raise awareness of the potential impacts of quantumcomputing on information security globally. This includes a 1) survey of current cryptographic principles, 2) thepossible impact of quantum computing on their effectiveness and 3) what can be done to mitigate the risks in aneconomically and technically practical manner. We further include discussion of the enablers of quantum safecryptographic techniques along with the realistic economic and technical challenges to its deployment in existingsystems and the impact of global standards. We also present a section defining acronyms and related terminology,which is designed to be a reference for those operating in the ICT space in fields other than information security andcryptography.ETSI

61Quantum Safe Cryptography V1.0.0 (2014-10)Scope and purposeUntil fairly recently, the Information and Communication Technology (ICT) industry has considered informationinterchange transactions across electronic networks to be secure when encrypted using what are considered to be anunbroken conventional cryptographic system. Recent research in the field of quantum computing has produced acredible and serious threat to this assumption. Some problems that are considered difficult or impossible to solve usingconventional computation platforms become fairly trivial for a quantum computer. Any information that has beenencrypted, or will be encrypted using many of the industry’s state-of-the-art cryptosystems based on computationalhardness is now under threat of both eavesdropping and attack by future adversaries who have access to quantumcomputation.This means that even encrypted information sitting in a database for 25 years for example, will be subject to discoveryby those with access to quantum computing platforms. The discovery of the content of such data could lead to veryserious consequences. These include the misuse of bank account numbers, identity information, items relating tomilitary security and other sensitive informati

Quantum Safe Cryptography V1.0.0 (2014-10) Quantum Safe Cryptography and Security ; An introduction, benefits, enablers and challenges ISBN 979-10-92620-03-0 White Paper Disclaimer This document reflects the