Applied

Quantum-Safe
Security
Quantum-Resistant Algorithms
and Quantum Key Distribution

Applied Quantum-Safe Security: Quantum-Resistant Algorithms and Quantum Key Distribution © Copyright 2017, Cloud Security Alliance. All rights reserved 1
 The permanent and official location for Cloud Security Alliance Quantum-Safe Security
Working group is https://cloudsecurityalliance.org/group/quantum-safe-security/.

© 2017 Cloud Security Alliance – All Rights Reserved All rights reserved.

All rights reserved. You may download, store, display on your computer, view, print, and link to
the Applied Quantum-Safe Security white paper at https://cloudsecurityalliance.org/download/
applied-quantum-safe-security, subject to the following: (a) the Report may be used solely
for your personal, informational, non-commercial use; (b) the Report may not be modified or
altered in any way;(c) the Report may not be redistributed; and (d) the trademark, copyright or
other notices may not be removed. You may quote portions of the Report as permitted by the
Fair Use provisions of the United States Copyright Act, provided that you attribute the portions
to the Applied Quantum-Safe Security white paper.

Applied Quantum-Safe Security: Quantum-Resistant Algorithms and Quantum Key Distribution © Copyright 2017, Cloud Security Alliance. All rights reserved 2
 Acknowledgements

Cloud Security Alliance

Frank Guanco
Ryan Bergsma
Victor Chin
Stephen Lumpe

Quantum-Safe Security Working Group

Bruno Huttner, Co-Chair
Jane Melia, Co-Chair
Ludovic Perret
Lee Wilson

Special Thanks
Sauvik Bhattacharya
Tom Brennan
Roberta Faux
Dan Hiestand
Jens Jensen
Xu Lei
Xinhua Ling
Larry Ramos
Rino Sanchez
The members of the Quantum-Safe Security Working Group

Applied Quantum-Safe Security: Quantum-Resistant Algorithms and Quantum Key Distribution © Copyright 2017, Cloud Security Alliance. All rights reserved 3
1. Introduction: the Quantum-Safe Security Working group

The Quantum-Safe Security Working Group (QSS-WG) academic institutions that are developing quantum-resistant
is an industry forum, organized by the Cloud Security algorithmic solutions, as well as individuals working on physics-
Alliance. Its goal is to promote the understanding and based, quantum technology-reliant alternatives.
implementation of quantum-safe security : digital and
1

physical data security that is enhanced by protection The aim of this white paper is to
1
The terms in italics are
against attacks by a quantum computer, to which modern provide individuals in the security
defined in the Glossary of
security cryptosystems are vulnerable. industry and related fields with
Terms in Section 11.
applicable knowledge regarding
The QSS-WG is a unique forum that brings together the quantum computer and its
communities with different approaches to the common goal influence on cyber security. Cloud Security Alliance hopes
of quantum-safe security, a union that enables real, meaningful this information will help these interested parties find
dialogue. It is comprised of participating members, or the most suitable solutions for their specific issues and
followers, from various parts of the security industry. The most challenges as we all prepare for the quantum era.
active members come from commercial organizations and

2. The need for quantum-safe security

Over the last year or so, the perceived threat of the •• First, the transition to quantum-safe security means
quantum computer to modern cryptographic standards in significantly changing our security ecosystems, which
widespread use has increased dramatically. Government cannot be done overnight. The consensus is that five to 10
security agencies, such as the United States Government years may be required to adapt those systems to use new
National Security Agency (NSA) and the Communications- security algorithms and protocols.
Electronics Security Group (CESG), a group within the UK •• Second, most encrypted data has a long lifetime, often
Government Communications Headquarters (GCHQ), requiring secrecy ranging from a few years to a decade or
have called for a move to quantum-safe cryptographic longer. With current progress in data storage technology,
schemes. Standardization bodies such as the European a nearly unlimited amount of data in motion can be
Telecommunications Standards Institute (ETSI), the U.S. intercepted now and stored for future decryption. This
National Institute for Standards and Technology (NIST), is commonly known as the ‘download now, decrypt
and the International Organization for Standardization later’ or ‘harvesting’ type of attack. As expressed in
(ISO), have started investigating the need for new, global the ETSI white paper, Quantum Safe Cryptography
standards [CJLMPPS16]. These entities have arrived at and Security, [CCDDFGZ15] “Without quantum-safe
the same conclusion and the consensus is clear: the encryption, everything that has been transmitted, or
cryptographic foundation that underlies today’s cybersecurity will ever be transmitted, over a network is vulnerable
solutions needs to be retooled sooner rather than later, and to eavesdropping and public disclosure.” A quantum
the transition to quantum-safe security must begin now. computer will—in principle—be able to decrypt all the
confidential information which was previously encrypted
Although the arrival date for a practical quantum computer is using unsafe methods. Therefore, to prevent disruption in
still in debate, experts believe we will see a quantum computer the confidentiality of our cybersecurity systems, the time
capable of breaking current public key cryptosystems within for action is now. Finding new solutions that protect against
five to 15 years. This may seem to allow for considerable quantum attacks should be a hot topic for everyone in the
preparation time, but two factors shorten the perceived runway. cybersecurity industry.

Applied Quantum-Safe Security: Quantum-Resistant Algorithms and Quantum Key Distribution © Copyright 2017, Cloud Security Alliance. All rights reserved 4
3. An exercise in risk management

Security is not an absolute. There is no universal solution •• If you operate a large data center that requires daily
which would provide perfect security against all possible backups of terabytes of data from different companies
threats. Providing security is always an exercise that aims to between two locations, your security requirements are
assure a certain level of protection—at a given cost—and not the same as Mr. Smith, surfing the Internet to buy a
for an appropriate duration. However, one size does not fit new appliance.
all. Let us provide a few examples. •• If you are a government needing “perfect” security, you
•• If you are a software company providing applications could use a one-time pad (OTP), which has been proven
online, your most pressing concern is guaranteeing to be secure. However, security rests completely on
the authentication and integrity of your solutions. Your the randomness of the key and the security of the key
customers must be convinced they are downloading distribution, which must be addressed.
and installing the correct application on their device.
•• If you are a police force in operations, your first The conclusion: cryptographic tools must be adapted to fit
concern is availability, followed by confidentiality, over specific types of data. Any new tools developed to answer
your communications. the threat of the quantum computer must be tailored for
•• If you are a hospital transmitting patient medical records to specific applications.
a distant location, long-term privacy is a major requirement.

4. Digital and physical security

Since the discovery of public key cryptography about 40 140-2 level 3 or 4, as well as proactive and retrospective
years ago, the public’s understanding of computer security measures to protect the root keys for most certificates used on
has focused primarily on digital security methods, such as the Internet. This comprehensive approach leads to a physical
algorithms that provide authentication and encryption for security levels on par with Fort Knox.
online communications. Security of a cryptographic scheme is
based on mathematics and resilience against large computing Interestingly enough, while the understanding of keys as
power. In this framework, cryptographic keys are seen as an physical objects is well-accepted for storage applications,
abstract series of bits, ones and zeroes. To ensure the security the same does not yet apply to key distribution, which is still
of the scheme, this string has to be truly random (and of mostly seen on the digital abstract level. In reality, one can
course kept secret). also understand key distribution on the physical level. This
is typically the case for quantum key distribution (QKD), which
However, the physical security of data is also critical. For will be addressed in section 8. Quantum key distribution is an
example, security breaches affecting governments and large example of a physical system that can be used as an element
organizations are often linked to insiders, capable of physical of a complete security solution in much the same manner as
access not afforded the outside world. This, despite the fact an HSM (which stores the physical keys in another element of
that digital avenues may have been closed and intensive the security solution). The quantum computer itself is proof
security protocols employed. Cryptographic keys are not only that data is not only a series of bits, but may take other guises,
abstract random strings, but also real physical objects which and with unexpected outcomes.
should be stored in secured physical appliances. Serious
certificate authorities use hardware security modules (HSMs) New tools should include all physical and mathematical security
certified to Federal Information Processing Standards (FIPS) systems, each with its own practical application domain.

Applied Quantum-Safe Security: Quantum-Resistant Algorithms and Quantum Key Distribution © Copyright 2017, Cloud Security Alliance. All rights reserved 5
5. The impact of cloud computing on quantum-safe security strategies

The ongoing move toward the cloud for all our information networks are not re-tooled to be quantum-safe, the network
technology (IT) needs greatly increases the reliance on data infrastructure itself will be at serious risk to many post-
networks. Data is stored in huge data centers, and transferred quantum attack vectors. In the post-quantum era, denial of
between them at ever-increasing rates. The cloud model—with service attacks will be possible—perhaps even common—for
its associated storage and network requirements—enables networks that have not been re-tooled to be quantum-safe.
a stronger and more reliable IT infrastructure. This heavily Data “at rest” in enormous cloud data centers will also be
networked model also opens some serious new post-quantum at risk since quantum computers will effectively reduce the
threat vectors. One of the most serious threat vectors is a keys protecting that data to half of their original strength.
“data-vaulting” or harvesting attack where an attacker—in the Additionally, post-quantum attack vectors will compromise the
here and now—stores communications between the client and key management systems that generate, distribute and protect
the cloud so that data can be decrypted in the future when the keys needed to secure that data.
general purpose quantum computers are available. In the pre-
cloud past, much of this data would have moved over private Why do we expect attackers to go to such great lengths to
intranets not accessible by attackers. Today, it is physically attack cloud computing, both now and in the future? This can
transmitted over public telecommunication networks. be explained with an analogy: a famous American bank robber
Confidentiality and trust is restored by the use of virtual private of the 1930s, Willie Sutton, was asked by a reporter why he
networks (VPNs), which are based on cryptographic methods. robbed banks. Sutton allegedly answered: “Because that’s
where the money is.” In our connected world, data is the new
Current news reports inform us that organizations are asset. Hackers will concentrate their efforts on the largest data
orchestrating data vaulting attacks of public network collections, the modern-day equivalent of the banks during
communications traffic on a regular basis. Simultaneously, the last century. In fact, most money in circulation today is
governments, financial institutions, healthcare organizations not printed on paper or stamped into coins. It’s data—1s and
and many other entities are expected to keep their records 0s—securely transmitted over data networks, with the largest
confidential for decades to come. Alarmingly, information concentrations of information in cloud data centers. Any
compiled during a successful data vault attack and transmitted connections and links between these large data centers must
today may already be compromised by future quantum have the highest levels of protection possible. The need for
computers (if the data is being monitored and stored). In quantum-safe cybersecurity is greatly compounded in a cloud-
reality, general purpose quantum computers may be here based IT environment.
long before this data becomes non-confidential. Additionally, if

6. Current cryptographic tools

6.1 The Tools

Our most crucial communication protocols and key In order to fulfill these functions, we have several families of
management systems rely principally on three core tools at our disposal, namely:
cryptographic functions: •• Hash functions
•• Digital signatures •• Symmetric cryptography
•• Data encryption •• Asymmetric cryptography
•• Key exchange •• Quantum key distribution (QKD)

The relationship between the tools and the functions they fulfill is presented in Table 1 (following page).

Applied Quantum-Safe Security: Quantum-Resistant Algorithms and Quantum Key Distribution © Copyright 2017, Cloud Security Alliance. All rights reserved 6
 Tools Cryptographic function

Hash functions Digital signature (authentication, integrity)

Symmetric cryptography Data encryption

Asymmetric cryptography Key exchange

QKD

Table 1: Relationships between tools and cryptographic functions

The main applications for each of the tools are linked with a full red line; the secondary application has
a dotted red line (see text for details).

As is apparent from Table 1, asymmetric cryptographic a quantum computer with about 4,000 qubits would break
algorithms can be used for all functions . However,2
2048 bit RSA and DH, while a quantum computer with only
they are not often applied to data encryption because 2,300 qubits would already break 384 bit ECC. Therefore,
of the low encryption speed. Because of their speed, none of the aforementioned algorithms will withstand the
especially with specific hardware arrival of the quantum computer. The key to quantum-
2
Note, however, that not all implementations, symmetric safe cryptographic algorithms is to base them on difficult

asymmetric algorithms can algorithms (like advanced mathematical problems which neither classical computers

be used for all functions. encryption standard (AES)) are the nor quantum computers can break.
tool of choice for this purpose.
Symmetric cryptography (AES, 3 Data Encryption Standard
6. 2 The need for randomness (DES), etc.) and hash functions (Secure Hash Algorithm
It is important to note that all the functions above require (SHA)-2 and above, etc.) do not succumb as easily to
randomness for their implementation. A recent white quantum computers. A quantum computer algorithm
paper from the QSS-WG [MHMW15] explains this need, called “Grover’s search algorithm” can be used to attack
and suggests using quantum random number generators these [Grover96]. It provides, at most, quadratic speedup in
(QRNGs) to obtain them. Good, reliable random number comparison with search algorithms on classical computers.
generation is a requisite for all cryptographic applications. In addition, it has been shown that an exponential speed-
up for search algorithms is impossible, suggesting that
6.3 Quantum-safe status symmetric algorithms and hash functions should be usable
The standard asymmetric cryptographic algorithms in a quantum era. To offset the effect of Grover’s algorithm
currently in use are Diffie-Hellman (DH) key exchange, RSA on symmetric cryptographic algorithms, a simple approach
and elliptic curve cryptography (ECC). These algorithms base would be to double the symmetric key sizes and hash
their security on one of the following hard mathematical function sizes.
problems: the integer factorization problem; the discrete
logarithm problem; and the elliptic curve discrete logarithm A recent NIST document [CJLMPPS16] provides a table
problem. All of these problems are solved easily with Shor’s which summarizes the current situation and forecast
algorithm [Shor97] running on a general purpose quantum for hashes, symmetric cryptography and asymmetric
computer with a sufficient number of qubits. For example, cryptography in the post-quantum era. The conclusions

Applied Quantum-Safe Security: Quantum-Resistant Algorithms and Quantum Key Distribution © Copyright 2017, Cloud Security Alliance. All rights reserved 7
drawn from the table and the report are twofold. The NIST also makes a clear distinction between the quantum-
following quotes are from the report itself: resistant status of hash functions and symmetric
1. “Symmetric algorithms and hash functions should be cryptography (which are considered safe), and the new
usable in a quantum era…” asymmetric cryptographic algorithms (detailed below), which
2. “The search for algorithms believed to be resistant to are good candidates but require further scrutiny.
attacks from both classical and quantum computer
attacks has focused on public key algorithms…” In terms of resistance to quantum computer attacks,
QKD is in a different class because it is not based on hard
mathematical problems and the quantum computer has no
impact on its security.

7. Candidates for quantum-resistant algorithms

7.1 Definitions
The terminology for the algorithms that should be used recommended key size of 256 bits is considered as safe,
in the post-quantum era is still uncertain. Currently, two even against Grover’s algorithm.
(mostly) equivalent terms are being used by the security
industry. Some refer to post-quantum algorithms (PQAs), 7.3 Asymmetric key exchange and signature
while others prefer the term quantum-resistant algorithms In the process to establish a secure channel, public-key
(QRAs). Here, we will use the latter, which conveys the fact cryptography is mostly used for authentication and for
that the new algorithms should withstand the power of exchanging the secret keys, which will then be applied in a
the quantum computer. As explained in the NIST report symmetric scheme as in Section 7.2. We describe below some
[CJLMPPS16], there exist good candidates for QRAs for all of the most promising schemes; however, this area is still
our cryptographic applications, which we review below. changing quickly. The NIST competition launched in February
The QSS-WG has published a short white paper on this 2016 [M2016] will certainly help advance these issues.
topic [CHH15], and ETSI has also produced an extensive
document [CHH15]. 7.3.1 Code-based cryptography
The McEliece cryptosystem [McE78] has been around since
7.2 Symmetric cryptography 1978 and has not been broken. This is the oldest quantum-
It is widely believed that basic symmetric cryptosystems resistant algorithm. Other systems based on error-correcting
such as block ciphers (typically, AES) or hash functions (e.g., codes have been proposed. Code-based cryptosystems
SHA2 or SHA3) are QRAs. Indeed, the best-known quantum usually have very fast encryption and decryption algorithms.
attack against such cryptosystems is Grover’s algorithm These code-based algorithms have large key sizes. Recently,
[Grover96]. Thus, the advent of the quantum computer will in an attempt to decrease key sizes, some new code-based
require an increase in the key size (and a doubling of the bit cryptographic algorithms—which have added more structure
number). The current recommended key size of 256 bits is to the code—have been introduced [MB09, MTSB13]. The
considered as safe, even against Grover’s algorithm. added structure has tended to lead to successful attacks
against those proposals (e.g., [FOPT10], [FOPPT15] and
Symmetric encryption is used for data encryption. It relies [JSG16]). Code-based cryptography can be used in encryption
on the existence of a secret key, shared between users. The as well as in signature [CFS01].
most widespread algorithm, AES, is widely believed to be
a QRA. Due to Grover’s algorithm, it is also known that the 7.3.2 Lattice-based cryptography
advent of the quantum computer will require an increase in Lattice cryptography has been around for about 20
the key size (a doubling of the bit number). The current years, providing asymmetric cryptography and signing.

Applied Quantum-Safe Security: Quantum-Resistant Algorithms and Quantum Key Distribution © Copyright 2017, Cloud Security Alliance. All rights reserved 8
Of the original proposed lattice cryptographic schemes, 7.3.4 Hash-Based cryptography
one scheme—NTRU [HPS98]—has undergone scrutiny Hash-based signatures are digital signatures constructed
the duration of this period. As a result, NTRU has been using hash functions. Their security against both classical
enhanced and ultimately standardized [9]. Recently, and quantum attacks is well understood. However, all
additional lattice-based algorithms such as “learning with existing hash-based signature schemes have very large
errors” (LWE) [Reg05] and “ring learning with errors” (R-LWE) signature sizes compared to asymmetric key solutions.
[RLWE13] have been proposed and are receiving scrutiny. In general, with hash-based signatures, a private key is
Very recently, Google announced it will test an R-LWE actually made up of a series of subkeys. Each signature
algorithm in a test version of Chrome [G16]. The algorithm, is carried out with a different subkey. If the same subkey
dubbed “New Hope,” will be implemented in combination is ever used twice, the security of the entire public key is
with Google’s standard encryption (see Section 9.3.1 for the compromised. Therefore, a secure signature requires that
description of hybrid systems). In April 2016, an NIST Report one of two actions occur: either the signer must maintain
[CJLMPPS16] summarized the state of lattice cryptography, a record of every subkey that has been used (a stateful
as follows: signature); or the key must have so many subkeys—and
“Most lattice-based key establishment algorithms are such a large private key—that there is no chance the same
relatively simple, efficient, and highly parallelizable. key will be chosen at random twice (a stateless signature).
Also, the security of some lattice-based systems XMSS [XMSS] is a stateful hash-based signature scheme
are provably secure under a worst-case hardness with a large signature size that is currently undergoing
assumption, rather than on the average case. On standardization [6]. SPHINX [SPHINCS15] is a stateless hash-
the other hand, it has proven difficult to give precise based signature scheme with a large key size and a very
estimates of the security of lattice schemes against large signature size. Finally, the Leighton-Micali signature
even known cryptanalysis techniques.” scheme (LMSS) instantiates Merkle’s tree-based approach
with a one-time signature scheme of Lamport-Diffie-
Lattice cryptography is also expanding into other important Winternitz-Merkle. The Internet Engineering Task Force
areas of cryptography beyond the basic functions of signing (IETF) is reviewing a draft of this authored by David McGrew.
and public/private key encryption, such as homomorphic Note that the harvest attack, whereby the eavesdropper
encryption [G09] and code obfuscation [K14]. stores the data for later use (as described in Sections 2 and
5), does not apply to signatures schemes. Signatures are
7.3.3 Multivariate cryptography verified immediately after the transmission.
Multivariate cryptography is based on the difficulty of solving
systems of multivariate polynomials over finite fields. It is a
classical candidate in quantum-safe cryptography—dating
from the late 1980s—and has been well-identified by ETSI
[CCDDFGZ15] and NIST [CJLMPPS16]. The first multivariate
scheme, known as C*, was proposed by Matsumoto and Imai
[MI88]. Although C* has been broken, the general principle of
the Matsumoto and Imai scheme inspired a whole generation
of researchers that proposed improved variants based on
that original blueprint (see: [HFE96], [ETSI16]). Multivariate
cryptography has been very productive in terms of design
and cryptanalysis (see: [ETSI16], [DFSS], [FJ03], [BFP13]).
Overall, the situation is now more stable and the strongest
schemes have withstood the test of time. Multivariate
cryptography turned out to be successful as an approach to
signatures primarily because multivariate schemes provide
the shortest signature among quantum-resistant algorithms.

Applied Quantum-Safe Security: Quantum-Resistant Algorithms and Quantum Key Distribution © Copyright 2017, Cloud Security Alliance. All rights reserved 9
8. Current status of quantum key distribution

8.1 Principle advantage. A stark difference between algorithmic-

Quantum key distribution (QKD) [GRTZ02], provides a way based key distribution and QKD is that, for the later, an
to share a secret key between two users. It is based on the eavesdropper can only attempt to discover the key during a
transmission of physical particles, typically photons, over transmission. At the conclusion of a transmission, legitimate
a transparent channel. The basic idea is that any attempt users know if their key is safe or not. When QKD is utilized,
at eavesdropping on the transmission channel, which this basic equation will not change: The eavesdropper must
represents a measurement of the particles, modifies their intercept the key during those moments, or remain ignorant.
states. This change will be discovered by legitimate users,
who can then discard the exchange. A brief introduction to All things considered, one advantage of QKD is that it has to
QKD is presented in a previous white paper from the QSS- fight only against existing technology. If you cannot intercept
WG [MHHWK15]. Secrecy is not based on any mathematical the key with existing technology, you will not be able to use
assumption or result, but has been theoretically proven from superior technology in the future to gain further knowledge.
the tenets of quantum mechanics. This key can later be used In contrast, algorithmic systems have the much more
for any cryptographic purpose. So far, the main application is difficult task of having to plan for both current and future
for encryption, especially in conjunction with symmetric key threats. Indeed, descriptions of harvesting attacks outlined
encryption. Information theoretically secure encryption can in Sections 2 and 5 can be used for data, but also for keys.
also be achieved with QKD and a one-time pad. As QKD is not It’s anyone’s guess which technological and mathematical
based on computations, it is intrinsically quantum safe: the advances will be available in 20 or 30 years. However, one
quantum computer has no influence on its security. example may be useful to consider as a cautionary tale: In
1977, when the RSA algorithm was first introduced, an article
8.2 Need for a physical link in Scientific American estimated it would take 40 quadrillion
As explained above, QKD requires transmission of physical years to decrypt a message encrypted with the then-current
particles over a so-called quantum channel. Due to key size. In fact, that key was cracked less than 20 years later.
unavoidable loss in the channel, this brings up a limitation in
the length of a QKD link. Commercial implementations of QKD 8.4 Authentication and signature
utilizes the widely available optical fiber infrastructure used QKD only addresses one specific issue in the wide spectrum
in telecommunication. The typical length of a QKD channel of security tasks: namely, the key distribution. In order to
is tens of kilometers (with a maximum of approximately 100 provide a complete solution, it requires the addition of
kilometers). However, up to 300 kilometers has been achieved conventional cryptographic tools. In particular, quantum
in an academic proof of principle. Free space implementations, secure authentication and signature—as well as quantum
which may lower the cost of a solution and/or increase secure encryption—are needed. Fortunately, the QRAs
the maximum length, are in research stages. The length described in Section 7.3.3 can provide the required tools.
of a QKD network can be increased by means of a trusted
node infrastructure, where several QKD links are connected 8.5 Quantum hacking and certification
through safe locations (such as telecom exchanges). For A significant advantage of QKD is that it has been
example, a QKD backbone linking Beijing to Shanghai is under proven to be theoretically secure. Any eavesdropper
construction. A worldwide QKD network can be envisaged with attempt to extract information from the exchange
improved technology (see Section 8.6) will be discovered. However, this does not preclude
possible flaws in its implementation. The security proofs
8.3 Real-time eavesdropping apply to an eavesdropper who only has access to the
The fact QKD requires a physical link is rightly seen as transmission channel. More advanced strategies, where
a hindrance. However, in some aspects, it is also an the eavesdropper gains access to users through a so-called

Applied Quantum-Safe Security: Quantum-Resistant Algorithms and Quantum Key Distribution © Copyright 2017, Cloud Security Alliance. All rights reserved 10
“side-channel attack,” have been successfully designed the next 10 to 15 years, should also generate solutions for
[BP12]. This is the domain of quantum hacking. QKD shortcomings. A worldwide QKD network is definitely
a possibility. This system could utilize satellites as trusted
Side-channel attacks are not restricted to QKD, or to physically- nodes, which would safely exchange secret keys with the
based cryptography. At the end of the day, any cryptographic ground, securely store the secret keys, and finally carry
implementation is based on some physical system, such the keys to another location. In fact, the first QKD satellite
as a computer churning out numbers. Indeed, acoustic was recently launched by the Chinese Academy of Science
cryptanalysis—a side-channel attack based on the noise emitted [X16]. The Academy’s aim is to provide a proof-of-principle
by the computer performing cryptographic operations—was for QKD in space. The trusted nodes can later be replaced
shown to be able to break RSA encryption. Other attacks are by untrusted ones through the use of quantum repeaters,
based on electromagnetic emissions. Once the attack is known, which will remove the distance limitation on a quantum
it is relatively simple to implement a counter measure. However, link. With quantum memories—where qubits (the quantum
these types of attacks bring to light the fact that any proof counterpart of the usual bit) can be stored and later used in
of security relies on a given set of assumptions that a clever computations—the keys will not be distilled at all, but kept in
eavesdropper will always try to find her way around. In order to a quantum state until they are used.
attain confidence in a cryptographic scheme, implementations
of the scheme have to be thoroughly scrutinized and subjected These new components—which will be built for the
to various types of attacks. Implementation guidelines can then quantum computer—can be used to design a complete QKD
be written by the proper certification bodies. infrastructure, capable of distributing secret keys everywhere.
This QKD network might be expensive, and may not be
Quantum hacking is in no way different from the side-channel used for low-level encryption. However, it would allow for
attacks on conventional cryptography. The quantum world truly long-term confidentiality and privacy, independent of
only adds a new facet to the ongoing struggle between future progress (or lack thereof) in computation (classical or
cryptographers and hackers. As for existing implementations quantum) that may be required for other types of data.
of conventional cryptography, proper certification ensures
that various attacks have been taken into consideration, and If we look a bit deeper in our crystal ball, we can also
that the implementation follows a set of rules. Developing a envisage a full quantum Internet. Once we can distribute,
proper certification structure is a must in order to provide store and manipulate qubits, we can also build an extra
trust in a QKD infrastructure. layer at the quantum level. This quantum layer will then
be integrated into the structure and become transparent.
8.6 A future worldwide QKD network This scenario exactly describes the optical layer we have
The most significant restraint to widespread use of QKD is today. Internet does rely on the transmission of physical
the distance limitation for a QKD link. However, this is not objects, specifically optical pulses, between different points.
a fundamental restriction. This same technology, which However, the optical layer is entirely integrated, and people
should usher in the arrival of the quantum computer in using it do not even realize what lies below.

9. Re-tooling to quantum safety

One of the aims of the QSS-WG is to provide the industry our cryptographic toolbox and find new ways to protect
with practical suggestions for achieving quantum-safe information. Reflecting on the three major cryptographic
security. The threats posed by the development of the functions defined in Section 6.1, Section 9 will present
quantum computer—which is both credible enough to methods to ensure current and future quantum safety for
warrant action and far enough away from reality to give each function that could be implemented immediately.
us time to react—might be a good opportunity to open

Applied Quantum-Safe Security: Quantum-Resistant Algorithms and Quantum Key Distribution © Copyright 2017, Cloud Security Alliance. All rights reserved 11
9.1 Quantum-safe signatures and authentication As a practical example of a hybrid system, examine how QSH
Quantum-resistant signature and authentication schemes permits TLS (transport layer security) to use any of its current
were introduced in Section 7.3. Among them are schemes cryptographic algorithms together with a quantum-resistant
which are practical and already well-accepted in the algorithm, an interaction that occurs during the negotiation
cryptographic community. While a great deal of new work of the TLS symmetric session key. The TLS session key is a
is expected in these areas, effective quantum-resistant shared symmetric key which is negotiated using asymmetric
signature algorithms already exist today which will allow cryptographic algorithms. The additional post-quantum
us to start the journey to post-quantum signing and algorithm is used to transport a quantum-safe component
authentication. Note that signature and authentication are between the two parties negotiating the communications
absolutely fundamental to information security. The Internet session. Below are some of the highlights of QSH.
may survive as a commercial tool with lower privacy, but it •• Implementers are allowed to continue using approved
cannot survive against the quantum computing threat if its algorithms in their TLS session key negotiation with
authentication and integrity are compromised. the added benefit of making them quantum-safe. If the
original implementation is FIPS 140-2 compliant, the FIPS
9.2 Quantum-safe data encryption 140-2 compliance can be preserved when implementing
Data encryption is, comparatively, the “easy” part because the addition of the quantum-safe component.
it mainly relies on symmetric cryptography, which is not •• The additional necessary quantum-safe component is
threatened dramatically by the quantum computer. AES added to the TLS key generation function. Each party in
with 256 bit keys is considered as safe against both classical the TLS communication session uses their key derivation
and quantum attacks. If new threats occur, key length may function (KDF) to generate the shared symmetric session
be increased in the future. key needed for private communications.
•• Today, using only current cryptographic algorithms
9.3 Quantum-safe key exchange for the negotiation of the TLS session key, a quantum
9.3.1 Hybrid systems computer would be able to expose the session’s
Currently, there are several quantum-resistant public symmetric key as clear text. The addition of the
key algorithms for key exchange and asymmetric quantum-resistant cryptographic algorithm and the
encryption available. Some have been extensively vetted, quantum-safe component stops the exposure of the TLS
and one has undergone standardization. In addition to session key by a quantum computer. The confidentiality
standardization, many implementers prefer to—or are of today’s data against harvesting attacks (see Sections
required to—use cryptographic algorithms which are 2 and 5) can be maintained going forward into the post-
approved by governments (e.g., NIST SP800-131a, NSA quantum era.
Suite B, ISO standards, etc.). However, governments have
not yet updated their approved algorithms lists to include
quantum-resistant algorithms. Fortunately, we do not have
to wait to start making today’s communications quantum-
safe. There is a solution, and it’s called the “Quantum-Safe
Hybrid Technique” (QSH), which mixes a standard, approved
method and a quantum-resistant algorithm. QSH can even be
implemented to be FIPS 140-2 compliant, and is not specific
to any particular quantum-resistant cryptographic algorithm.
It has been published as an Internet Engineering Task Force
(IETF) draft [SWZ02], and is currently in the process of being
advanced to an IETF request for comments (RFC) document.

Applied Quantum-Safe Security: Quantum-Resistant Algorithms and Quantum Key Distribution © Copyright 2017, Cloud Security Alliance. All rights reserved 12
The following figure provides a detailed flow of how QSH works:

Three Steps In TLS Negotiation with QSH

(Quantum Safe Hybrid)

Alice Bob
Step #1 TLS Initial Handshake:
•• Alice sends Quantum Resistant (QR) public key for the chosen QR
algorithm to Bob and indicates she has QSH support when sending
"HelloClient" to start negotiation.
q •• If Bob selects QSH, he creates a random number, q, encrypts is with
q
that QR public key and sends it back to Alice who decrypts it with the
QR private key.

Step #2 Pre-Master Secret:

•• Alice and Bob run a standard Diffie-Hellman, RSA, ECC, etc... TLS
handshake protocol creating/sharing the same pre-master secret, S,
S on each endpoint.
S

Step #3 Secret Keys:

•• Alice and Bob generate QS Secret Keys

Alice's Symmetric Key Bob's Symmetric Key

KA = KDF(S,q) KB = KDF(S,q)

KA = KB !

Figure 1: Flow of QSH negotiation for TLS protocol

(KDF stands for Key Derivation Function)

The QSH technique can be extended beyond TLS for a

variety of key establishment/key exchange environments.

Applied Quantum-Safe Security: Quantum-Resistant Algorithms and Quantum Key Distribution © Copyright 2017, Cloud Security Alliance. All rights reserved 13
 9.3.2 QKD as an add-on for high-value links specifically one that can use any asymmetric cryptographic
As discussed in section 8.3, a fundamental advantage of system (including the above QSH) while adding the QKD
QKD is the fact that the only attack which can be attempted layer—will ensure the highest security level, especially for
by an eavesdropper must be in real-time. If eavesdroppers links requiring long-term security. It should be used in
do not attempt to steal information about the key during conjunction with quantum-safe signature and authentication
its transmission, downloading and storing the whole protocols described in Section 7 . This system will not be
transaction between legitimate users will not achieve threatened by new technological advances such as the
anything. Furthermore, because of the very nature of QKD, quantum computer, or by new mathematical progress.
any such attempt will be discovered by legitimate users. At However, due to its current length limitations and higher
the end of the transmission, users know if the key is secure, cost, it cannot be applied everywhere. It should be used for
or if it should be discarded. Therefore, for high-value links, specific links (for example between data centers), and for all
adding QKD provides an extra layer of safety (which is links where long-term privacy is a requirement.
known to be quantum-safe). A new type of hybrid system—

Critical backup

Data Disaster recovery

center center

Use QKD for

link encryption
Use QRA for and QRA for
encryption here authentication here

Digitally sign
with QRA

Figure 2: Use case of QRA and QKD

The links between the data center and the users are protected by QRA for encryption and signature.
The more crucial links between the data center and the backup or recovery center are protected by
QKD. This is exemplified in Figure 2, which shows a use case for a QKD and QRA application. High-value
links require long-term protection, which is obtained with QKD. Foreseeable developments in quantum
technologies should lift the distance limitation and enable a worldwide QKD network.

Applied Quantum-Safe Security: Quantum-Resistant Algorithms and Quantum Key Distribution © Copyright 2017, Cloud Security Alliance. All rights reserved 14
 10. Conclusion

That famous quote from Niels Bohr computing becomes a real threat. Being prepared means
“Prediction is very difficult, seems to apply well to the current they must be completely re-tooled for quantum-safety,
especially if it is about the situation regarding cyber security. which is a noteworthy undertaking. If they gamble and
future.” It is very difficult to predict the quantum computers arrive before they predict, the result
—Niels Bohr direction of cyber security in the could be catastrophic. Confidential data being transmitted
long-term. However, what does today over the Internet may already be compromised
seem certain is that our current toolkit must be completely since much of it is required to remain confidential after the
modified to answer the potential threat of the quantum quantum computing threat has arrived.
computer. Until about one year ago, the feasibility of a
quantum computer was still a largely unresolved issue, but Today, a significant portion of the security community is
recent statements by the NSA and NIST have changed this not familiar with quantum-safe cryptography and QKD. It is
equation. Most in the cyber security community now believe important that the IT industry begins to develop “quantum
that having a cryptographically relevant quantum computer risk-management plans” (a term from the Institute for
is only a question of time and investment. The positive news Quantum Computing) for an orderly transition to a fully
is that we have meaningful information which can help us quantum-resistant security infrastructure. We all need
set timeframes for addressing the post-quantum threat. In to start understanding and employing quantum-safe
Section 2, we laid out the timeline for the arrival of general cybersecurity measures and technologies. The truth is, a
purpose quantum computers that can do crypto breaking. great deal of work is yet to be done with governments and
The probability of its development increases rapidly starting standards organizations in regard to certain important
at the beginning of the next decade. For industries with aspects of the post-quantum threat. However, there are
very high security requirements (such the healthcare and numerous areas where we can begin to plan for quantum-
financial sectors), preparation must occur before quantum safe cybersecurity and, in some cases, take action now.

Applied Quantum-Safe Security: Quantum-Resistant Algorithms and Quantum Key Distribution © Copyright 2017, Cloud Security Alliance. All rights reserved 15
 ANNEXES

11. Glossary of Terms

•• quantum technology: Technology that relies on specific aspects of quantum mechanics, namely coherent
superposition and entanglement. QKD and quantum computers are two examples of these technologies,
which are relevant to the field of cyber security.
•• post-quantum cryptography: A broad term typically used to refer to cryptographic schemes which offer
resistance to computers capable of running quantum algorithms. This includes physics-based cryptosystems
that rely on quantum technology, such as QKD, as well as algorithmic cryptosystems (potentially, lattice-based,
multivariate quadratic-based, hash-based, and isogeny-based cryptosystems, etc.).
•• quantum-safe: This term is used interchangeably with post-quantum to describe cryptographic schemes and
security protocols, which should withstand the arrival of the quantum computer and the implementation of
quantum algorithms. It has been used by ETSI and the CSA Quantum-Safe working group.
•• quantum-resistant algorithms: Refers to algorithm-based cryptosystems which achieve quantum-safe
security in conventional computer ecosystems. This is the terminology used consistently by the NSA in
their announcement regarding their, ''preliminary plans for transitioning to quantum-resistant algorithms.''
Quantum resistant may be used to describe a cryptographic algorithm that is not susceptible to attack by a
quantum computer, or to describe a security solution that implements security protocols that use quantum-
resistant algorithms.
•• quantum attack: An attack on a security system, which rely on quantum algorithms running on a quantum
computer, to break security.
•• quantum key distribution (QKD): A cryptographic primitive, which relies on quantum technology to provide
quantum-safe security.
•• cryptographic primitives: Low-level cryptographic algorithms and systems that can be used to build security
protocols and cryptosystems.
•• practical quantum computer: A computer capable of running one or more of Shor’s or Grover’s
algorithms to break conventional public-key cryptography; also called a cryptographically relevant or
universal quantum computer.

Applied Quantum-Safe Security: Quantum-Resistant Algorithms and Quantum Key Distribution © Copyright 2017, Cloud Security Alliance. All rights reserved 16
 References

[BFP13] Bettale, L., Faugère, J.-C.,& Perret, L. (2013). Cryptanalysis of HFE, Multi-HFE and Variants for Odd and
Even Characteristic. Designs, Codes and Cryptography, 69 (1), pp. 1–52

[SPHINCS15] Bernstein, D.J., Hopwood, D., Hülsing, A., Lange, T., Niederhagen, R., Papachristodoulou, L.,
Schneider, M., Schwabe, P., & Wilcox-O’Hearn, Z. (2015). SPHINCS: Practical Stateless Hash-Based Signatures. In:
Oswald, E. & Fischlin, M. (Eds.) Advances in Cryptology—EUROCRYPT 2015 (pp. 368-397). Lecture Notes in Computer
Science, Vol. 9056. Springer Berlin Heidelberg

[BP12] Braunstein, S. L., & Pirandola, S. (2012). Side-Channel-Free Quantum Key Distribution. Physical Review
Letters 108 (13).

[BDH11, XMSS] Buchmann, J., Dahmen, E., & Hülsing, A. (2011). XMSS: A Practical Forward Secure Signature
Scheme Based on Minimal Security Assumptions. In: Yang, B.-Y. (Ed.) Post-Quantum Cryptography (pp. 117-129)
Lecture Notes in Computer Science, Vol. 7071. Springer Berlin Heidelberg

[CCDDFGZ15] Campagna, M., Chen, L., Dagdelen, Ö., Ding, J., Fernick, J.K., Gisin, N., … Zhang, Z. (2015).
Quantum Safe Cryptography and Security. [White Paper]. No. 8, June 2015. European Telecommunications
Standards Institute. Retrieved January 17, 2017, http://www.etsi.org/images/files/ETSIWhitePapers/
QuantumSafeWhitepaper.pdf

[CHH15] Carter, G., Hayford, D. & Huttner, B. (2015). What is Post-Quantum Cryptography? [White Paper]. Cloud
Security Alliance.

[CJLMPPS16] Chen, L., Jordan, S., Liu, Y.-K., Moody, D., Peralta, R., Perlner, R., & Smith-Tone, D. (2016). NISTIR 8105
DRAFT: Report on Post-Quantum Cryptography. National Institute of Standards and Technology Internal Report 8105
(February 2016). Gaithersburg, MD: U.S. Department of Commerce. Retrieved January 17, 2017, from http://csrc.
nist.gov/publications/drafts/nistir-8105/nistir_8105_draft.pdf

[CFS01] Courtois, N.T., Finiasz, M., & Sendrier, N. (2001). How to Achieve a McEliece-Based Digital Signature
Scheme. In: Boyd, C. (Ed.), Advances in Cryptology—ASIACRYPT 2001 (pp. 157-174). Lecture Notes in Computer
Science, Vol. 2248. Springer Berlin Heidelberg

[DFSS] Dubois, V., Fouque, P-A., Shamir, A., & Stern, J. (2007). Practical Cryptanalysis of SFLASH. In: Menezes, A. (Ed.),
Advances in Cryptology—CRYPTO 2007 (pp. 1-12). Lecture Notes in Computer Science, Vol. 4622. Springer Berlin Heidelberg

[ETSI16] ETSI Industry Specification Group (ISG) Quantum-Safe Cryptography (QSC). (July 2016) Quantum-Safe
Cryptography (QSC); Quantum-safe algorithmic framework. [Group Report]. Retrieved from ETSI http://www.etsi.
org/deliver/etsi_gr/QSC/001_099/001/01.01.01_60/gr_QSC001v010101p.pdf

[FJ03] Faugère, J-C., & Joux, A. (2003). Algebraic Cryptanalysis of Hidden Field Equation (HFE) Cryptosystems
Using Gröbner Bases. In: Boneh, D. (Ed.), Advances in Cryptology—CRYPTO 2003 (pp. 44-60). Lecture Notes in
Computer Science, Vol. 2729. Springer Berlin Heidelberg

Applied Quantum-Safe Security: Quantum-Resistant Algorithms and Quantum Key Distribution © Copyright 2017, Cloud Security Alliance. All rights reserved 17
 [FOPT10] Faugère, J-C., Otmani, A., Perret, L. & Tillich, J-P. (2010). Algebraic Cryptanalysis of McEliece Variants
with Compact Keys. In: Gilbert, H. (Ed.), Advances in Cryptology—EUROCRYPT 2010 (pp. 279-298). Lecture Notes in
Computer Science, Vol. 6110. Springer Berlin Heidelberg

[FOPPT15] Faugère, J.-C., Otmani, A., Perret, L., Portzamparc, F., & Tillich, J-P. (2016). Structural cryptanalysis of
McEliece schemes with compact keys. Designs, Codes and Cryptography, 79 (1), pp. 87-112

[G09] Gentry, C. (2009). Fully homomorphic encryption using ideal lattices. STOC ’09 Proceedings of the forty-first
annual ACM symposium on Theory of computing (pp. 169-178). New York, NY: ACM Publications.

[GRTZ02] Gisin, N., Ribordy, G., Tittel, W., & Zbinden, H. (2002) Quantum Cryptraphy. Reviews of Modern
Physics, 74 (1), pp. 145-195. Retrieved January 17, 2017, from https://d22izw7byeupn1.cloudfront.net/files/
RevModPhys.74.145.pdf

[Grover96] Grover, L. K. (1996). A fast quantum mechanical algorithm for database search. STOC '96
Proceedings of the twenty-eighth annual ACM symposium on Theory of computing (pp 212-219). New York, NY: ACM
Publications.

[G16] Greenberg, A. (2016, July 7) Google Tests New Crypto in Chrome to Fend Off Quantum Attacks. Wired.
Retrieved January 17, 2017, from https://www.wired.com/2016/07/google-tests-new-crypto-chrome-fend-off-
quantum-attacks

[JSG16] Guo, Q., Johansson, T., & Stankovski, P. (2016). A Key Recovery Attack on MDPC with CCA Security Using
Decoding Errors. In: Cheon, J.H. & Takagi, T. (Eds.), Advances in Cryptology—ASIACRYPT 2016 (pp. 789-815). Lecture
Notes in Computer Science, Vol. 10031. Springer Berlin Heidelberg

[HPS98] Hoffstein, J., Pipher, J., & Silverman, J.H. (1998). NTRU: A ring-based public key cryptosystem. In: Buhler,
J.P. (Ed.), Algorithmic Number Theory (pp. 267-288). Lecture Notes in Computer Science, Vol. 1423. Springer Berlin
Heidelberg

[K14] Klarreich, E. (2014, February 3) Cryptography Breakthrough Could Make Software Unhackable. Quanta
Magazine. Retrieved January 17, 2017, from https://www.wired.com/2014/02/cryptography-breakthrough

[KPG99] Kipnis, A., Patarin, J., & Goubin, L. (1999). Unbalanced Oil and Vinegar Signature Schemes. In: Stern,
J. (Ed.), Advances in Cryptology—EUROCRYPT ‘99 (pp. 206-222). Lecture Notes in Computer Science, Vol. 1592.
Springer Berlin Heidelberg

[RLWE13] Lyubashevsky, V., Peikert, C., & Regev, O. (2013). On Ideal Lattices and Learning with Errors over
Rings. Journal of the ACM (JACM), 60 (6), Article No. 43

[MHHWK15] Melia, J., Huttner, B., Hayford, D., Walenta, N., & Kerling, F. (2015). What is Quantum Key
Distribution? [White Paper]. Cloud Security Alliance.

[MHMW15] Melia, J., Huttner, B., Moulds, R., Walenta, N., & Fuller, A. (2016). Quantum-Safe Security Working
Group: Quantum Random Number Generators. [White Paper]. Cloud Security Alliance.

Applied Quantum-Safe Security: Quantum-Resistant Algorithms and Quantum Key Distribution © Copyright 2017, Cloud Security Alliance. All rights reserved 18
 [MB09] Misoczki, R., & Barreto, P.S.L.M. (2009). Compact McEliece Keys from Goppa Codes. In: Jacobson, M. J.,
Riimen, V., & Safavi-Naini, R. (Eds.), Selected Areas in Cryptology (pp. 376-392). Lecture Notes in Computer Science,
Vol. 5867. Springer Berlin Heidelberg

[MTSB13] Misoczki, R., Tillich, J.-P., Sendrier, N., & Barreto, P. S. L. M. (2013). MDPC-McEliece: New McEliece
Variants from Moderate Density Parity-Check Codes. 2013 IEEE International Symposium on Information Theory
(pp 2069-2073). Istanbul, Turkey: IEEE

[McE78] R.-J. McEliece (1978). A Public-Key Cryptosystem Based on Algebraic Coding Theory. The Deep Space
Network Progress Report (No. 42-44, pp 114-116). Pasadena, CA: National Aeronautics and Space Administration.

[NTRU09] NTRU Cryptosystems, Inc. (2009, February 18) NTRU Announces That IEEE Has Approved the
Standardization of NTRUEncrypt [Press Release]. Acton, Mass.: BusinessWire.

[NTRU11] NTRU Cryptosystems, Inc. (2011, April 11) Security Innovation’s NTRUEncrypt Adopted as X9
Standard for Data Protection [Press Release]. Wilmington, Mass.: BusinessWire.

[Reg05] Regev, O. (2005). On Lattices, Learning with Errors, Random Linear Codes, and Cryptography. STOC
'05 Proceedings of the thirty-seventh annual ACM symposium on Theory of computing (pp 84-93). New York, NY: ACM
Publications.

[MI88] Matsumoto, T. & Imai, H. (1998). Public Quadratic Polynomial-Tuples for Efficient Signature-Verification
and Message-Encryption. In: Barstow, D., Brauer, W., Hansen, P.B., Gries, D., Luckham, D., Moler, C., Pnueli, A.,
Seegmüller, G., Stoer, J., Wirth, N, & Günther, C.G.(Eds.), Advances in Cryptology—EUROCRYPT ‘88 (pp. 419-453).
Lecture Notes in Computer Science, Vol. 330. Springer Berlin Heidelberg

[M2016] Moody, D. (2016, February). Post-Quantum Cryptography: NIST’s Plan for the Future. Presented at The
Seventh International Conference on Post-Quantum Cryptography, Fukuoka, Japan. Retrieved January 17, 2017,
from http://csrc.nist.gov/groups/ST/post-quantum-crypto/documents/pqcrypto-2016-presentation.pdf

[HFE96] Patarin, J. (1996). Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): Two New
Families of Asymmetric Algorithms. In: Maurer, U. (Ed.), Advances in Cryptology—EUROCRYPT ‘96 (pp. 33-48).
Lecture Notes in Computer Science, Vol. 1070. Springer Berlin Heidelberg

[Shor97] Shor, P.W. (1997). Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a
Quantum Computer. SIAM Journal on Computing., 26 (5), pp. 1484–1509

[SWZ02] Schanck, J.M., Whyte, W., Zhang, Z. (2015). Quantum-Safe Hybrid (QSH) Ciphersuite for Transport Layer
Security (TLS) version 1.3.(Internet Engineering Task Force Draft). Retrieved January 17, 2017, from https://datatracker.
ietf.org/doc/draft-whyte-qsh-tls13/.https://datatracker.ietf.org/doc/draft-whyte-qsh-tls13/

[X16] Xinhua (2016, August 16) China Launches First-Ever Quantum Communication Satellite. Xinhua. Retrieved
January 17, 2017, from http://news.xinhuanet.com/english/2016-08/16/c_135601026.htm

Applied Quantum-Safe Security: Quantum-Resistant Algorithms and Quantum Key Distribution © Copyright 2017, Cloud Security Alliance. All rights reserved 19