In keeping with the material it publishes to raise cybersecurity awareness among companies and citizens, the French cybersecurity agency ANSSI recently published a very clear roadmap on post-quantum encryption.
Ventio has developed expertise on the subject. Here are some explanations of these disruptive encryption technologies, which will become essential in the years to come.
1 – Data security threatened by the power of quantum computers
Encryption methods translate data, for example plain text, into a string of unintelligible characters. They are used in a multitude of domains to secure data during storage or transfer.
In concrete terms, among these encryption methods, the RSA public key algorithm is used to encrypt exchanges during secure communication between different parties, for example for e-commerce or for secure access to websites and servers.
But the advent of quantum computers, and of certain associated algorithms that allow the efficient factoring of large numbers, threatens this method of protection. Indeed, the encryption protocols used today, although based on increasingly complex mathematical codes, will soon be no match for the computing power of quantum computers.
These pre-quantum encryption schemes could then be broken, which is a major risk for the protection of sensitive data. On a more macro level, if the encryption measures used on cloud services, IoT systems, e-commerce sites, digital signatures, etc. can be broken, the whole digital economy is weakened, or may even collapse.
The ANSSI takes the threat very seriously and stresses the “Steal now, decrypt later” risk, especially when the data is sensitive and requires long-term protection, which is the case for certain health data.
In the quantum technology race, states as well as large companies (e.g. IBM, Google, Honeywell) are investing massively and issuing more and more announcements about the computing power they have reached.
Is it too late?
2 – Post-quantum encryption methods and future standards
To anticipate this evolution, new encryption methods are emerging, called “post-quantum” in reference to their expected resistance to the power of future quantum computers.
What are these post-quantum cryptographic approaches now under development?
While there are many alternatives to the current pre-quantum cryptography, two stand out for their popularity:
Both of them can be used for encryption as well as for digital signatures. We will not go into detail here, and recommend the summary in the related chapter of the book ‘13 défis de la cybersécurité’ or, for the most experienced readers, some PhD theses on the subject (document 1, document 2, document 3).
In 2017, the National Institute of Standards and Technology (NIST), the U.S. agency in charge of defining standards, issued a call for proposals to standardize one or more post-quantum encryption methods. Several dozen algorithms exploiting these general principles have been proposed, but none of these methods has been standardized yet and they are still in the experimental phase. Currently, phase 3 of this selection is underway and only a few finalists remain. Research takes time, and a race against the clock is now underway.
For Ventio, as for most researchers, our preference is for lattice-based approaches, which have attractive properties that allow computation on encrypted data; the first practical demonstrations of so-called “fully homomorphic” encryption are quite recent. Behind the barbaric name “homomorphic encryption” lies the possibility of delegating a computation to a third party without that party being able to understand the data or the processing, or to interpret the result. It amounts to using the computing power of an empty brain without allowing it to understand the logic of what it sees, the reasoning, or the conclusions it draws from it.
This homomorphic property is particularly attractive for “zero-trust” in a globalized digital world where some provide the computing resources, others the data to be processed, and above all where trust is not always present…
The algorithms under evaluation are available on the NIST website and can be integrated into secure communication solutions such as SSH (secure shell), with the OpenSSH Quantum Safe version for example.
Of course, the tech giants, including Microsoft and many others, are particularly advanced on this subject and are starting to offer this type of experimental service to protect communications between servers via post-quantum encryption.
For Ventio, the issue of long-term health data protection is central, and we are naturally interested in these experimental methods. Today, because post-quantum methods are still immature, we are moving to hybrid encryption to protect our sensitive environments.
3 – The transition to post-quantum using hybrid encryption
Convinced that the transition to these methods must be done gradually, Ventio uses methods that combine both today’s standard encryption and tomorrow’s methods. We therefore work in a hybrid way, in accordance with the strategy recommended in the ANSSI’s guidelines.
This transition phase is essential to guarantee additional, resilient security over time.
The hybrid solution therefore consists of combining a post-quantum security algorithm, which may be proven to be resistant tomorrow, with a pre-quantum algorithm, which is considered to be strong today, but will certainly not be strong tomorrow.
A concrete example is SSH-hybrid communication between servers.
Thanks to the developments of the community interested in these approaches, post-quantum encryption algorithms, whether for key exchange or authentication, are functional and can be used in SSH communications.
OpenSSH, which is open source and used in encryption solutions, can be extended with post-quantum key exchange and signature algorithms. It can be used to test, experiment, prove, or develop networks that communicate with these hybrid methods. Supported algorithms include the future NIST standards.
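A check a defender can run against the hybrid SSH setup described above, added here as an example and not Ventio's or the OpenSSH project's code: it classifies a preference-ordered key-exchange list as hybrid or classical. The hybrid names are those of upstream OpenSSH; the function names and the sample configuration are constructed, and a quantum-safe fork's own algorithm names would have to be added to the list.

```sh
#!/bin/sh
# Hybrid (post-quantum + classical) KEX names known from upstream OpenSSH.
# Assumption: a quantum-safe fork uses its own names; add them to this list.
HYBRID_KEX="sntrup761x25519-sha512 sntrup761x25519-sha512@openssh.com mlkem768x25519-sha256"

# Succeeds when $1 is one of the hybrid names above.
is_hybrid() {
    for h in $HYBRID_KEX; do
        [ "$1" = "$h" ] && return 0
    done
    return 1
}

# Reads `sshd -T` or `ssh -G host` output on stdin and prints the KEX list.
kex_from_config() {
    awk '$1 == "kexalgorithms" { print $2; exit }'
}

# audit_kex "a,b,c" prints one verdict for a preference-ordered KEX list:
#   hybrid-only | hybrid-preferred | classical-first | classical-only
audit_kex() {
    first="" hybrid=0 classical=0
    for k in $(printf '%s' "$1" | tr ',' ' '); do
        case $k in
            ext-info-*|kex-strict-*) continue ;;  # protocol markers, not key exchanges
        esac
        if is_hybrid "$k"; then
            kind=hybrid; hybrid=$((hybrid + 1))
        else
            kind=classical; classical=$((classical + 1))
        fi
        [ -n "$first" ] || first=$kind
    done
    if [ "$hybrid" -eq 0 ]; then echo classical-only
    elif [ "$classical" -eq 0 ]; then echo hybrid-only
    elif [ "$first" = hybrid ]; then echo hybrid-preferred
    else echo classical-first; fi
}

# Constructed sample of an effective server configuration (not from a real host).
SAMPLE_CONFIG='port 22
kexalgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,ecdh-sha2-nistp256
ciphers chacha20-poly1305@openssh.com'

# On a live system: sshd -T | kex_from_config, or ssh -G host | kex_from_config
echo "sample: $(audit_kex "$(printf '%s\n' "$SAMPLE_CONFIG" | kex_from_config)")"
```

A `hybrid-preferred` verdict means a peer that offers only classical algorithms will still connect over a classical key exchange; `hybrid-only` removes that fallback.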
To be continued!
At Ventio, we have implemented OpenSSH in hybrid mode and are testing these solutions for SSH connections and communications between servers, to go a step further in long-term security and to anticipate the quantum revolution and its potential adverse effects. We can show you which way the wind is blowing for these technologies. Contact us to discuss your data protection needs, and anticipate your post-quantum transition with us. Rely on us to deploy and configure your hybrid protected environments.