
The Quantum Menace: An Analysis of Postquantum TLS

Collin Berman, Reid Bixler

Abstract

With the introduction of quantum computing, the inherent security of the TLS protocol becomes endangered. The risks of losing the privacy and integrity of communications over the internet are too great not to consider preventative measures against quantum attacks. We look at the current key exchange protocol for TLS to determine the flaws caused by quantum computers. Our research focuses on analysing current alternatives that are quantum secure as well as other cryptographic methods that have not yet been considered for a post-quantum TLS. We offer final recommendations on where the TLS community should go from here in order to mitigate the risk of the quantum menace.

1 Introduction

The primary goal of the TLS protocol is to provide privacy and data integrity between two communicating applications (Dierks and Rescorla, 2008). With TLS, clients and servers are able to communicate securely with one another with little to no risk of a third party reading or altering their messages. TLS is used widely across the internet and is essentially the de facto standard for secure communications, often even being implemented in applications where an alternative protocol may be more useful. In order of priority, the makers of TLS desire cryptographic security, interoperability, extensibility, and relative efficiency. The security behind TLS is based on a number of secure algorithms built on hashing, symmetric cryptography, prime factorization, elliptic curves, and other cryptographic methods.

Notably, there are essentially two portions of the TLS protocol that use these algorithms: key exchange and authentication. The key exchange allows the two users to initiate a channel of communication and talk securely with one another. The authentication allows users to prove that they are who they say they are.

While TLS is considered secure by today's standards, there are actually some risks that most either do not realize or do not care about. That is, the Quantum Menace. With the introduction of quantum computing, the inherent security of many widespread algorithms is at risk of being broken. Specifically for TLS, algorithms such as ECDH, RSA, and DSA can be brute forced with much better efficiency using a quantum algorithm known as Shor's Algorithm. Luckily, quantum computers are still in their early stages, and some suggest that quantum computers will never be powerful enough to break our current level of cryptography. However, because we as security researchers would rather focus on proactive measures than reactive ones, we want to find alternatives before capable quantum computing exists.

Specifically, we are going to focus on finding solutions for key exchange rather than authentication, because a broken key exchange allows attackers to read past communications. In terms of the security of communication over the internet, focusing on privacy is more essential than data integrity. In this paper, we analyze a number of post-quantum secure TLS implementations as well as potential alternative cryptographic methods that have not yet been implemented in TLS. We finalize this analysis with a comparison between post-quantum TLS methods in order to determine where the security community should be heading.

2 Post Quantum Computing

Quantum computing has slowly been gaining traction since it was theorized in 1982 by Richard Feynman. It relies on quantum principles and the superposition of particles to perform computational operations significantly faster than classical computers (Feynman, 1982). There already exist quantum algorithms, which use quantum logic gates to solve problems that were once thought computationally unsolvable. One of these algorithms, Shor's Algorithm, is able to easily determine the prime factors of a large number (i.e. integer factorization) in polynomial time (Shor, 1999). Before this algorithm, integer factorization was considered non-polynomial, also known as NP, such that given an NP problem, one could verify its solutions quickly but it could not be solved within a reasonable time, often taking longer than the expected lifespan of the universe to solve (Ladner, 1975). This is a major problem for the security of many of today's technologies which rely on the hardness of prime factorization.

While quantum computers are only in their infancy, the potential security risks of encryption schemes broken by quantum algorithms would be unfathomable in today's world. If anybody were able to obtain a quantum computer capable of performing significant computations, breaking into many secure systems would be completely feasible. As mentioned earlier, TLS uses ECDH, RSA, and DSA, to name a few, for its key exchange protocol. ECDH relies on elliptic curve cryptography, which requires low computing power to implement but massive amounts for a brute force attempt to break it. However, a modified Shor's algorithm could notably decrease the computational requirement for a brute force attempt (Sullivan, 2013). With a working quantum computer capable of significant computation, any current and previous TLS communications could be viewed by attacking the key exchange protocol.

However, there still exist a number of cryptographic systems that are actually secure against quantum attacks. These include: hash-based cryptography, code-based cryptography, lattice-based cryptography, multivariate-quadratic-equations cryptography, and secret-key cryptography.

2.1 Hash-Based Cryptography

With hashing, when given an input x there will be an output y from which it should not be easy to go back and find x. Before the interest in postquantum security, many researchers didn't focus much on hash-based cryptography because of the limit on the number of signatures that can exist for a generated key, even with the existence of logarithmically scaling Merkle trees. Also, with hashing, we can turn one-time signing into multiple signing by adding new public keys in each message, which is also known as chaining. By doing this, the signature of the nth message includes all n-1 previously signed messages. With Merkle trees, it is possible to have provable reductions that say that the security of the single-signing function will be the same as the security of the tree. One of the potential drawbacks of hashing is the fact that over time, researchers will eventually find ways to produce collisions, which map two different inputs to the same output. This is why the security community is always looking for a new and better hash function.

2.2 Code-Based Cryptography

The methods most often considered in code-based cryptography are McEliece and Niederreiter. With these, the public key is made up of a dt x n matrix K, and a message m is encrypted by multiplying this matrix K by m. The receiver uses a hidden Goppa code to decrypt this message. These cryptographic systems have extremely efficient key generation, encryption, and decryption. However, the problem is often the very long public keys required.

2.3 Lattice-Based Cryptography

Lattices have gotten a lot of attention from the postquantum community, and a majority of current quantum-secure systems are built on lattice cryptosystems. Lattices rely on the Shortest Vector Problem and the Closest Vector Problem, which have not yet been reduced to polynomial time to break. There are a number of different methods including NTRU, LWE, and BLISS.

2.4 Multivariate-Quadratic-Equations Cryptography

These rely on a sequence of polynomials and variables with coefficients. Each polynomial is required to have a degree of at most 2, with no squared terms. It's possible to verify these signatures with a standard hash function, which will result in shorter public keys. There are quite a number of current methods including: Rainbow, Hidden Field Equations (HFE), and UOV cryptosystems. One of the major problems with these systems is that, while efficient, their security is not fully understood and new attacks are found on a regular basis.

2.5 Secret-Key Cryptography

Otherwise known as symmetric cryptography, this uses either stream ciphers or block ciphers. These cryptosystems are widely used and implemented, including: Twofish, Serpent, AES (Rijndael), Blowfish, CAST5, Kuznyechik, RC4, 3DES, Skipjack, Safer+/++ (Bluetooth), and IDEA. There already exist some symmetric key management systems like Kerberos and 3GPP, which offer the benefit of already being widespread.

3 PQC in TLS

3.1 TLS Specifics

Although many post-quantum cryptosystems have been proposed by researchers, not all are ready for widespread deployment. Cryptographic software needs to be carefully written to avoid so-called side-channel attacks, which can introduce vulnerabilities into an otherwise secure protocol. Hiltgen, Vaudenay, and Vaugnoux (Canvel et al., 2003) were able to intercept passwords in a TLS channel by measuring differences in timing arising from whether or not a forged message authentication code (MAC) is valid. This attack was possible even though Krawczyk (Krawczyk, 2001) had proven that the way MACs are validated is secure. Due to the effectiveness of these attacks, we only consider a protocol to be ready for TLS deployment if it has been implemented to be resistant to timing attacks. Programmers typically achieve protection against timing attacks by writing constant-time programs, that is, programs whose runtime does not depend on secret data. This involves avoiding branching on secret data as described above, but also requires avoiding memory accesses based on secret data, since recently accessed data stored in the cache can be read faster than data from main memory (Bernstein, 2005).

4 Current Implementations

In this section we investigate post-quantum cryp-
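The following is an added example, not code from the paper, illustrating Section 2.1: Lamport one-time signatures whose public keys are the leaves of a Merkle tree, so that one 32-byte root authenticates 2^height one-time keys and each signature carries the sibling hashes ("authentication path") that tie its key to the root. SHA-256 stands in for the hash function; the tree height and the stateful leaf counter are assumptions of this example, not of the paper.

```python
import hashlib, os
H = lambda b: hashlib.sha256(b).digest()
bit = lambda d, i: (d[i // 8] >> (7 - i % 8)) & 1            # i-th digest bit, MSB first
leaf_hash = lambda pk: H(b"".join(a + b for a, b in pk))     # tree leaf = hash of one OTS public key

def lamport_keygen():   # 256 pairs of 32-byte secrets; the public key is their hashes
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def lamport_sign(sk, msg):   # reveals one secret per digest bit, which is why it is one-time
    d = H(msg)
    return [sk[i][bit(d, i)] for i in range(256)]

def lamport_verify(pk, msg, sig):
    d = H(msg)
    return all(H(sig[i]) == pk[i][bit(d, i)] for i in range(256))

def merkle_levels(leaves):   # every level of the tree, leaves first; the last level is [root]
    levels = [leaves]
    while len(levels[-1]) > 1:
        lv = levels[-1]
        levels.append([H(lv[i] + lv[i + 1]) for i in range(0, len(lv), 2)])
    return levels

def auth_path(levels, idx):   # sibling hash at each level on the way from leaf idx to the root
    return [lv[(idx >> k) ^ 1] for k, lv in enumerate(levels[:-1])]

def merkle_verify(root, leaf, idx, path):
    node = leaf
    for sib in path:   # the low bit of idx says whether node is the right or the left child
        node = H(sib + node) if idx & 1 else H(node + sib)
        idx //= 2
    return node == root

class MerkleSigner:
    def __init__(self, height=3):
        self.keys = [lamport_keygen() for _ in range(2 ** height)]
        self.levels = merkle_levels([leaf_hash(pk) for _, pk in self.keys])
        self.root, self.used = self.levels[-1][0], 0   # the 32-byte root is the long-term public key

    def sign(self, msg):   # stateful: the next unused leaf is consumed; reusing one leaks secrets
        if self.used >= len(self.keys):
            raise RuntimeError("all one-time keys spent; a leaf must never be reused")
        idx, (sk, pk) = self.used, self.keys[self.used]
        self.used += 1
        return idx, lamport_sign(sk, msg), pk, auth_path(self.levels, idx)

def merkle_sig_verify(root, msg, signature):   # accept iff the OTS verifies and its key is in the tree
    idx, sig, pk, path = signature
    return lamport_verify(pk, msg, sig) and merkle_verify(root, leaf_hash(pk), idx, path)
```

The signer refusing to sign once every leaf is spent is the "limit on the number of signatures" the section describes; a deployed scheme must also persist the leaf counter so a restart cannot reuse a key.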
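As an added example for the timing-attack discussion in Section 3.1 (not code from the paper), the two MAC verifiers below differ only in control flow: the first stops at the first mismatching byte, so its work depends on how much of a forged tag is correct, while the second examines every byte and branches only on the public tag length. Each verifier also returns the number of bytes it examined; that count stands in for elapsed time, since a Python interpreter gives no real constant-time guarantee (production code uses hmac.compare_digest or a constant-time routine in C). The key, message and forgery helper are constructed for this demonstration.

```python
import hmac, hashlib

def mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def verify_leaky(key, msg, tag):
    """Early-exit comparison, returned with the number of bytes it examined.
    The work grows with the length of the correct prefix of a forged tag, so an
    attacker who can time this call learns the valid MAC one byte at a time."""
    expected = mac(key, msg)
    if len(tag) != len(expected):
        return False, 0
    for i in range(len(expected)):
        if expected[i] != tag[i]:          # branch on secret-dependent data
            return False, i + 1
    return True, len(expected)

def verify_constant_time(key, msg, tag):
    """Compare every byte regardless of where the first mismatch is. The only
    branch is on the tag length, which is public; differences are OR-ed into an
    accumulator that is inspected once, after the loop has finished."""
    expected = mac(key, msg)
    if len(tag) != len(expected):
        return False, 0
    diff = 0
    for i in range(len(expected)):
        diff |= expected[i] ^ tag[i]
    return diff == 0, len(expected)

def forged_tag(key, msg, correct_prefix_len):
    """Constructed test input: a tag whose first n bytes are right and whose
    remaining bytes are all wrong."""
    real = mac(key, msg)
    return real[:correct_prefix_len] + bytes(b ^ 0xFF for b in real[correct_prefix_len:])
```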