News
Quantum computers are capable of completely and irreversibly breaking the most commonly used public key procedures today. Post-quantum cryptography can prevent this. But how secure are the new methods and what needs to be considered when implementing them?
What sounded like science fiction a few years ago is now within reach: quantum computers with unprecedented computing power that jeopardise today's cryptography - and therefore the entire digital infrastructure.
Although it will probably be a few years before they are widely used, it is important for companies to prepare for the quantum age in terms of security now.
With the help of quantum computer-resistant encryption methods, it is already possible to guarantee the confidentiality and protection of information in the long term. Post-quantum cryptography uses cryptographic methods that are secure against both quantum computer attacks and conventional attacks.
Post-quantum algorithms in the competition for standardisation
In 2016, the US National Institute of Standards and Technology (NIST) initiated a standardisation process with the aim of testing and standardising several post-quantum algorithms for key exchange and digital signatures. Seven finalists entered the third and final round of the process last year. Among them was CRYSTALS-Kyber, a lattice-based algorithm that relies on the hardness of lattice problems, a difficult mathematical problem, to encrypt information. But how secure is this potential post-quantum standard really? IT security experts from TÜV Informationstechnik GmbH (TÜVIT) asked themselves this question and took a closer look at CRYSTALS-Kyber - or rather put it under the oscilloscope.
Post-quantum security using the example of CRYSTALS-Kyber
The project team, consisting of Hauke Malte Steffen, Lucie Johanna Kogelheide and Timo Bartkewitz, analysed a chip on which the post-quantum algorithm was implemented as intended by the developer. They based their testing of the chip on what is already known from classical cryptography: the fact that current cryptographic methods can be attacked by utilising side channels.
"The focus was on the question of whether we could access the chip's actual confidential data despite quantum-safe encryption," explains Hauke Malte Steffen, working student in the Hardware Evaluation department at TÜViT. "To do this, we measured the power consumed by the chip during message encryption in our hardware laboratory. The background to this is that different operations also lead to different power consumption, which in turn allows us to draw conclusions about the encrypted data." With success: the IT security experts were able to attack the reference implementation of CRYSTALS-Kyber and read the data accordingly.
In the next step, the project team therefore considered how the lattice-based algorithm could be implemented securely. To this end, they developed four different implementations, each with progressively more elaborate countermeasures. These included, for example, the insertion of dummy operations and the randomisation of bits. The result: even the first stage significantly reduced the probability of a successful attack, while the fourth implementation prevented it completely.
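The two ideas in the passage above, that a data-dependent operation shows up in power consumption and that randomising the processed bits hides it, can be illustrated with a simulated model. The following Python is an added toy example and is not TÜViT's code or any part of CRYSTALS-Kyber: it uses the Hamming weight of an intermediate byte as a stand-in for power consumption (a constructed model, not a measurement), compares a direct implementation with one that splits the secret into two random shares (first-order Boolean masking), and runs a simple first-order leakage check of the kind used in a leakage assessment. The function names and parameters are the example's own.

```python
# Added toy example: first-order Boolean masking and a simple leakage check.
# The "power" model is constructed (Hamming weight of the processed byte);
# no real device or measurement is involved.
import random


def hamming_weight(x: int) -> int:
    """Number of set bits in a byte; stands in for the power drawn while the byte is processed."""
    return bin(x & 0xFF).count("1")


def unmasked_step(secret: int, msg: int, rng: random.Random) -> tuple[int, int]:
    """Process the secret directly. Returns (result, simulated power sample).
    rng is unused here: nothing is randomised, which is exactly the weakness."""
    inter = secret ^ msg
    return inter, hamming_weight(inter)


def masked_step(secret: int, msg: int, rng: random.Random) -> tuple[int, int]:
    """Same computation on two random shares; the plain secret is never held."""
    mask = rng.randrange(256)
    share_a = secret ^ mask          # share_a ^ share_b == secret
    share_b = mask
    inter_a = share_a ^ msg          # XOR is linear, so it can be applied share-wise
    inter_b = share_b
    power = hamming_weight(inter_a) + hamming_weight(inter_b)
    return inter_a ^ inter_b, power  # recombined only to show the result is unchanged


def pearson(xs: list[float], ys: list[float]) -> float:
    """Pearson correlation coefficient of two equal-length samples."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        return 0.0
    return cov / (vx * vy) ** 0.5


def first_order_leakage(step, secret: int, n_traces: int = 2000, seed: int = 1) -> float:
    """Correlate simulated traces with a model built from the true secret.
    A value near 1 means the secret leaks directly at first order; near 0 means it does not."""
    rng = random.Random(seed)
    msgs = [rng.randrange(256) for _ in range(n_traces)]
    traces = [step(secret, m, rng)[1] for m in msgs]
    model = [hamming_weight(secret ^ m) for m in msgs]
    return pearson(traces, model)


def masking_is_correct(secret: int, msg: int, seed: int = 7) -> bool:
    """The masked computation must still produce the same result as the plain one."""
    rng = random.Random(seed)
    return masked_step(secret, msg, rng)[0] == (secret ^ msg)


if __name__ == "__main__":
    key_byte = 0x5A  # constructed sample secret
    print("masking correct:", masking_is_correct(key_byte, 0x3C))
    print("unmasked leakage:", round(first_order_leakage(unmasked_step, key_byte), 3))
    print("masked leakage:  ", round(first_order_leakage(masked_step, key_byte), 3))
```

The unmasked variant correlates almost perfectly with the secret-dependent model, which is the effect the TÜViT team exploited; the masked variant's mean leakage no longer depends on the secret, so the correlation collapses to noise. This is only a first-order result: the sum of two share leakages still carries information in its variance, which is why the passage describes several stages of countermeasures and why a real evaluation also tests higher orders and combines masking with hiding techniques such as dummy operations.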
"Our tests clearly show that it is not enough to simply implement post-quantum algorithms. That alone does not make products secure against attacks like the ones we can already carry out today," summarises Lucie Johanna Kogelheide, IT security expert at TÜViT. "If companies want to convert their existing encryption methods to post-quantum cryptography, this requires a great deal of expertise and experience in order to consider and successfully implement appropriate countermeasures."
Conclusion
Various well-researched post-quantum algorithms are currently in the standardisation process. However, in addition to a secure algorithm design, cryptographic security also requires a secure implementation. This was clearly demonstrated once again by the exemplary investigation of CRYSTALS-Kyber in the TÜViT hardware laboratory. Companies that want to get ready for the quantum age today should therefore rely on professional support. After all, this is the only way to ensure that trustworthy data is effectively protected in the long term.