
Quantum-computing-resistant signatures.

The likely development of quantum computers (QCs) in the next one or two decades would compromise all widely used public-key cryptosystems (PKCSs). This includes RSA, ECC, DHM, DSA, and various implementations thereof, and any other system based on the difficulty of factoring or discrete logarithms. The development of quantum computers might occur rapidly (less than ten years). Such rapid development could occur in secret, with little or no warning to the public or other interested parties.

As a consequence of the foregoing, NIST should begin a competition as soon as practicable to establish a QC-resistant PKCS standard. A Google search shows a great deal of activity in this area.

NIST has not started a competition to establish a QC-resistant PKCS standard. Completing such a competition takes a long time, adopting the resulting standard worldwide takes a long time, and deploying it, even after it has been adopted, takes a long time. It may therefore already be too late to deploy a QC-resistant PKCS standard throughout the world before quantum computers become available.

Because we might not finalize and deploy an acceptable QC-resistant PKCS standard in time, NIST should begin immediate development of a suite of conventional cryptographic protocols that do not use PKCSs to replace today's widely used public-key based protocols. AES, SHA-2 and SHA-3 could be used. Conventional key distribution protocols using key distribution centers are well known. NIST might serve as a national key distribution center. A QC-resistant digital signature standard based on SHA-2 and SHA-3 could be adopted relatively rapidly (though any standardization effort will require significant effort). Should a QC-resistant PKCS not be adopted in time, widespread deployment of the conventional cryptographic protocols could proceed.
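As an added example, not from the original post: the simplest form of the hash-only signature scheme alluded to above, a Lamport one-time signature built on SHA-256. It assumes 32-byte secrets and a 256-bit message digest, and the `exposed_secrets` helper shows why each key may sign exactly one message (a deployable standard would wrap many such keys in a Merkle tree).

```python
import hashlib
import secrets

# Lamport one-time signature over SHA-256: an added illustration of a signature
# scheme whose security rests only on a hash function (assumptions: 32-byte
# secrets, 256 message bits; each private key signs exactly one message).
N = 256

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    """Private key: 256 pairs of random secrets; public key: their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def digest_bits(message: bytes):
    """Bits of SHA-256(message), most significant bit first."""
    d = H(message)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N)]

def sign(sk, message: bytes):
    """For each digest bit, reveal the secret from the matching half of the pair."""
    return [sk[i][bit] for i, bit in enumerate(digest_bits(message))]

def verify(pk, message: bytes, sig) -> bool:
    """Hash every revealed secret and compare it with the published value."""
    if len(sig) != N:
        return False
    return all(H(sig[i]) == pk[i][bit] for i, bit in enumerate(digest_bits(message)))

def exposed_secrets(sk, sigs) -> int:
    """How many of the 512 secrets an observer learns from the given signatures.
    One signature reveals 256; a second message signed with the same key reveals
    more, which is why the key must never be reused."""
    seen = {s for sig in sigs for s in sig}
    return sum(1 for pair in sk for s in pair if s in seen)

def demo():
    sk, pk = keygen()
    msg = b"constructed sample: long-lived contract"
    sig = sign(sk, msg)
    return verify(pk, msg, sig), verify(pk, msg + b"!", sig), exposed_secrets(sk, [sig])

if __name__ == "__main__":
    print(demo())  # (True, False, 256)
```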

These conventional cryptographic protocols should be deployed by organizations with high security needs as soon as practicable, as (a) the time-frame in which quantum computers will actually be implemented is uncertain and might be more rapid than widely thought, and (b) existing users with high security needs are already at risk because attackers who record user traffic will be able to cryptanalyze it when quantum computers become available. Systems that protect long-lived secrets should already be QC-resistant. Similarly, long-lived digital signatures should already be QC-resistant as such signatures will become invalid unless they are time-stamped by QC-resistant systems prior to the development of quantum computers. The developers of a quantum computer are likely to keep its existence secret for some time, during which time they could freely forge signatures for any system that was not QC-resistant: signatures that most would find hard to dispute. 
