The recent advances and attention to quantum computing have raised security concerns among IT professionals. The ability of a quantum computer to efficiently solve the (elliptic curve) discrete logarithm and integer factorization problems poses a threat to current public-key exchange, encryption, and digital signature schemes. Such schemes are widely used in protocols and products that offer encryption. These include VPN devices, routers and switches, media products that encrypt media communication, and practically all offerings that encrypt and/or authenticate data in transit or at rest. Thus, industry and academia have been working on post-quantum (PQ) schemes that would remain secure against a quantum computer, as we have discussed before. At Cisco, we have been looking into PQ signatures and their use-cases for almost five years. At the ETSI/IQC Quantum Safe Cryptography Workshop 2019 last month, we presented some of our experimental results related to two PQ signature use-cases: software signing and TLS authentication. We summarize them below.
We considered Hash-Based Signatures (HBS) for software signing and secure boot. We have discussed HBS before. In our most recent work, we evaluate LMS and SPHINCS+ HBS schemes for use in image signing. We propose suitable parameters and show that their acceptable performance makes them good candidates for the software signing use-case.
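As an added illustration of the image-signing use-case, and not code from the original post or from Cisco, the block below signs a constructed firmware image with a Lamport one-time signature, the simplest hash-based building block underlying schemes such as LMS. It also shows the operational caveat that matters most for stateful HBS deployments: each one-time key must be used exactly once, so the signer keeps a persistent index and refuses to sign once the keys are exhausted. All names (`OneTimeKeyStore`, `FIRMWARE_IMAGE`) and the 2-key set size are assumptions for the example; a real deployment would use a standardized LMS or SPHINCS+ implementation and far larger parameters.

```python
import hashlib
import os

N_BITS = 256  # one key pair per bit of the SHA-256 message digest


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen(rng=os.urandom):
    """Lamport OTS: 256 pairs of secret values; public key is their hashes."""
    sk = [(rng(32), rng(32)) for _ in range(N_BITS)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk


def _message_bits(msg: bytes):
    digest = _h(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(N_BITS)]


def sign(sk, msg: bytes):
    """Reveal one secret value per digest bit; this is why a key is one-time:
    a second signature would reveal more of sk and allow forgeries."""
    return [sk[i][bit] for i, bit in enumerate(_message_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != N_BITS:
        return False
    return all(_h(sig[i]) == pk[i][bit]
               for i, bit in enumerate(_message_bits(msg)))


class OneTimeKeyStore:
    """Hypothetical stateful signer: tracks which one-time keys were used.
    Stateful HBS (e.g. LMS) needs exactly this discipline in production."""

    def __init__(self, n_keys: int):
        self.keys = [keygen() for _ in range(n_keys)]
        self.next_index = 0  # must be persisted durably in a real signer

    def public_keys(self):
        return [pk for _, pk in self.keys]

    def sign(self, msg: bytes):
        if self.next_index >= len(self.keys):
            raise RuntimeError("one-time keys exhausted; provision a new key set")
        idx = self.next_index
        self.next_index += 1  # advance state BEFORE releasing the signature
        sk, _ = self.keys[idx]
        return idx, sign(sk, msg)


# Constructed sample image (not a real firmware file).
FIRMWARE_IMAGE = b"constructed firmware image v1.0\x00" + bytes(range(64))


def demo():
    """Sign the image, verify it, and show that a tampered copy fails."""
    store = OneTimeKeyStore(n_keys=2)
    pks = store.public_keys()
    idx, sig = store.sign(FIRMWARE_IMAGE)
    genuine_ok = verify(pks[idx], FIRMWARE_IMAGE, sig)
    tampered_ok = verify(pks[idx], FIRMWARE_IMAGE[:-1] + b"\xff", sig)
    return genuine_ok, tampered_ok


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The verifier only needs the public keys and a hash function, which is why hash-based schemes fit secure-boot code that must stay small and conservative; the cost is signature size (here 256 x 32 bytes) and, for stateful variants, the bookkeeping shown in `OneTimeKeyStore`.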
We then considered PQ signatures in TLS 1.3. Using PQ signatures in TLS is essential in a PQ future. PQ Key Exchange is admittedly more urgent because of potential “store-and-decrypt later when a quantum computer is available” scenarios. Some of our industry peers like AWS, Cloudflare, Google, and Microsoft have been focusing on PQ Key Exchange. On the other hand, migrating to new algorithms for TLS authentication usually takes a long time and should not be neglected indefinitely. In the past, we have looked into HBS for use in X.509 PQ certificates. Given their challenges, we recently evaluated the NIST PQ Project candidate signature schemes for TLS authentication. Our experiments show that Dilithium and Falcon are the best available options but come with some impact on TLS performance. We also analyze challenges and potential solutions introduced by these algorithms.
Our ETSI presentation can be found in the ETSI workshop slides, and our companion write-up paper is on ePrint. We will continue working on these topics to address open questions and confirm our early results with further testing. We will share more detailed results in due time.
Other than our presentation, the three-day ETSI/IQC Quantum Safe Cryptography Workshop 2019 included many interesting presentations on quantum-secure cryptography that triggered interesting private discussions. We would like to thank ETSI for organizing the workshop and AWS for hosting it.