
Migration towards Quantum-Safe payments

Introduction

Today’s payment systems depend heavily on traditional cryptographic security protocols such as RSA 2048 (asymmetric) and AES 256 (symmetric) to secure data and communications. NIST also recommends RSA 2048 [1]; it is the key size most used in the industry, and the EMV 3DS specification, for example, recommends that key size or above [2]. The asymmetric cryptographic primitives (RSA and elliptic curve based) and the symmetric primitive AES are used extensively in payments. Refer to our previous blog post for a detailed description of where RSA, elliptic curve and AES primitives are used in payments and how the asymmetric ones (RSA, EC) are completely threatened by quantum computers. Even though quantum computing does not pose a fatal threat to symmetric cryptography such as AES, the key length needs to be doubled to guarantee the same level of security against a quantum computer attack.

As we write, quantum processors could, some years from now, expose the financial system to new forms of cyber-attack, meaning that the security of the current payment system would no longer be guaranteed. In its most recent Global Risks Report, the World Economic Forum listed the cyber threat of quantum computing as one of the major emerging global technological risks [3]. This situation calls for collective action, including the development of new encryption standards capable of protecting financial services IT systems. Therefore, we need to start migrating towards future-proof security against quantum threats.

Quantum computing threats have triggered post-quantum cryptography (PQC) research to design and develop post-quantum algorithms that can withstand quantum computing attacks.

The NIST recommended algorithms have practical problems:

  • Size, memory and computation overheads (an overview follows below)
  • As these are new algorithms, it is not certain that they will remain secure against future classical or quantum computing attacks

As mentioned in the previous blog post, NIST has published draft standards for three PQC solutions: ML-KEM (FIPS 203), ML-DSA (FIPS 204) and SLH-DSA (FIPS 205). NIST is also expected to release a draft standard for FALCON, a new PQC standard, later in 2024. However, PQC cryptographic primitives require large key and signature sizes, and consume considerably more memory and processing time than classical cryptographic schemes. This analysis is delineated in Table 1.

Table 1. Performance comparative analysis of PQC and classical primitives RSA/ECC

PQ algorithm category     | PQ algorithm name  | Memory vs RSA/ECC | Public key (bits) vs RSA/ECC | Ciphertext (bits) | Signature (bits)
Signature                 | Falcon & Dilithium | x5 to x8          | x4 to x37                    | -                 | x2 to x63
Key exchange / Encryption | Kyber              | x4 to x6          | x3 to x28                    | x3 to x25         | -

Table 1 shows that the submitted PQC standards ML-KEM (FIPS 203, a.k.a. Kyber) and ML-DSA (FIPS 204, a.k.a. Dilithium) are quite expensive compared with the classical RSA/ECC schemes. Falcon and Dilithium need 5 to 8 times more memory than RSA/ECC, and Kyber needs 4 to 6 times more. The sizes of the PQC primitives’ public keys, ciphertexts and signatures can likewise be far larger than those of the classical RSA/ECC asymmetric primitives.

Based on Table 1 analysis, we identified the challenges of PQC implementation with current infrastructure. We summarize these challenges and their status in Table 2.

Table 2. Challenges and the status of recommended solutions of PQC

Challenges in PQC                | Current status
Demand on memory & computation   | Hardware with more RAM & power
Manage lack of confidence in PQC | Hybridation
Achieve quick transition         | Crypto agility

As you can see, PQC solutions still have challenges: implementing them in the current infrastructure requires costly resources, and signature sizes, key sizes, memory needs and runtime processing can be far higher than in today’s systems.

An additional risk arises from the fact that these proposed PQC algorithms are relatively new, which means there is a chance that they will be broken as the wider crypto community continues to use and attack them. For example, several PQC primitives have suffered classical attacks in recent years, e.g. [4], [5]. This position is aligned with European cybersecurity agencies such as ANSSI [6] and BSI in Germany [7]. BSI has even restated the need for hybridation in its recently updated technical guideline on cryptographic mechanisms [5, Section 4].

ANSSI (France) and BSI (Germany) recommend the use of hybrid post-quantum cryptographic primitives, especially for security products intended to offer long-lasting protection of information (until after 2030) or that will potentially be used after 2030 without updates [6].

ANSSI and BSI strongly emphasize the necessity of a migration phase using crypto agility and hybridation wherever post-quantum mitigation is needed, both in the short and the medium term. In December 2023, ANSSI focused on a hybridation approach for the migration phase towards quantum-resistant solutions.

Figure. Migration towards PQC solutions defined by ANSSI [Source: ANSSI [8]]

An increasing standardization effort on hybrid post-quantum protocols is noticeable [9]. Several companies report having experimented with hybrid protocols across a large variety of hardware and software products [10]. This hybridation concept solves the plaintext size limitation and optimizes the computational cost of securing data with asymmetric algorithms.

Hybridation

The hybridation consists of combining two (or more) cryptographic schemes achieving the same functionality in a robust way. In other words, the combination should be secure in the classical/quantum computation model as long as one underlying scheme is secure in that model. We refer to [8] for more details about the definition.

We consider here the ‘simple hybridation approach’:

We consider two signature schemes: one from classical cryptography, such as ECDSA, denoted $\Sigma_{c}$, and another from the PQC family, such as CRYSTALS-Dilithium, denoted $\Sigma_{q}$. The combination of these two signature schemes is called a hybrid signature scheme. It is secure against both classical and quantum threats because it inherits the security properties of both the classical and the PQC primitive.

The key generation of the hybrid signature scheme is simply the concatenation of the two schemes’ keys.

Figure 1: Simple hybridation

Note: msg is the message to be signed using both the classical and the PQC primitive; $\Sigma_{c}.Sign(\cdot,\cdot)$ and $\Sigma_{q}.Sign(\cdot,\cdot)$ are the signing operations of the classical and PQC primitives respectively. The subscript c denotes classical cryptographic primitives: $\Sigma_{c}$ is the classical signature scheme, $\sigma_{c}$ its signature and $sk_{c}$ its secret key. The subscript q denotes PQC primitives: $\Sigma_{q}$ is the PQC signature scheme, $\sigma_{q}$ its signature and $sk_{q}$ its secret key.

Simple hybridation steps: first, generate a public key (also called a verifying key) and a secret key for both the classical and the quantum-resistant signature scheme:

$\left( sk_{c}, vk_{c} \right) \leftarrow \Sigma_{c}.KeyGen()$ and $\left( sk_{q}, vk_{q} \right) \leftarrow \Sigma_{q}.KeyGen()$ respectively,

where KeyGen() is the function that generates a key pair: a secret key sk and a verifying key vk.

The key generation of the hybrid scheme, using both classical and PQC cryptographic primitives, is as follows: $$c_{\parallel}\left(\Sigma_{c}, \Sigma_{q} \right).KeyGen():$$ $$\left( sk_{c}, vk_{c} \right) \leftarrow \Sigma_{c}.KeyGen(),$$ $$\left( sk_{q}, vk_{q} \right) \leftarrow \Sigma_{q}.KeyGen(),$$ $$\text{Return: } sk_{Hybrid} \leftarrow \left( sk_{c}, sk_{q} \right), \quad vk_{Hybrid} \leftarrow \left( vk_{c}, vk_{q} \right).$$

That is, $c_{\parallel}\left(\Sigma_{c}, \Sigma_{q} \right).KeyGen$ concatenates the secret keys and the verifying keys respectively and returns $sk_{Hybrid} \leftarrow \left( sk_{c}, sk_{q} \right)$ and $vk_{Hybrid} \leftarrow \left( vk_{c}, vk_{q} \right)$.

Now that we have keys for each family of primitives, classical and PQC, we can generate and verify digital signatures. We now describe how the two signature schemes $\Sigma_{c}$ and $\Sigma_{q}$ are used to produce a hybrid signature $\sigma_{Hybrid}$.

Notation: $c_{\parallel}$ denotes the concatenation combiner, and $\sigma_{Hybrid}$ denotes the hybridation of the classical signature $\sigma_{c}$ and the PQC signature $\sigma_{q}$. We concatenate the two signatures to obtain $\sigma_{Hybrid}$ using the following steps: $$c_{\parallel}\left(\Sigma_{c}, \Sigma_{q} \right).Sign\left(sk_{Hybrid},msg \right):$$ $$\sigma_{c} \leftarrow \Sigma_{c}.Sign(msg, sk_{c}),$$ $$\sigma_{q} \leftarrow \Sigma_{q}.Sign(msg, sk_{q}),$$ $$\text{Return: } \sigma_{Hybrid} \leftarrow \left( \sigma_{c}, \sigma_{q} \right).$$

This is called the simple hybridation process.
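The simple hybridation just described (hybrid KeyGen, Sign and the matching Verify), as an added worked example in Go; it is not code from the original post or from Worldline. $\Sigma_{c}$ is ECDSA P-256 from the Go standard library; because the standard library has no ML-DSA/Dilithium, Ed25519 is assumed as a stand-in for $\Sigma_{q}$ and should be swapped for a PQC library. The verifier accepts $\sigma_{Hybrid}$ only when both components verify, which is what keeps the combination secure as long as one of the two schemes is unbroken.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Σ_c is ECDSA P-256 (classical). Σ_q is Ed25519 here only as an ASSUMED
// stand-in for the PQC scheme (e.g. ML-DSA); swap in a PQC library for real use.
type HybridSK struct{ SKc *ecdsa.PrivateKey; SKq ed25519.PrivateKey }
type HybridVK struct{ VKc *ecdsa.PublicKey; VKq ed25519.PublicKey }

// HybridKeyGen runs both KeyGen() and returns sk_Hybrid=(sk_c,sk_q), vk_Hybrid=(vk_c,vk_q).
func HybridKeyGen() (HybridSK, HybridVK, error) {
	skc, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return HybridSK{}, HybridVK{}, err }
	vkq, skq, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return HybridSK{}, HybridVK{}, err }
	return HybridSK{skc, skq}, HybridVK{&skc.PublicKey, vkq}, nil
}

// HybridSign returns σ_Hybrid=(σ_c,σ_q) encoded as len(σ_c) || σ_c || σ_q, so the
// two parts split unambiguously (ASN.1 ECDSA signatures vary in length).
func HybridSign(sk HybridSK, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg) // ECDSA signs a digest; Ed25519 hashes internally
	sigc, err := ecdsa.SignASN1(rand.Reader, sk.SKc, h[:])
	if err != nil { return nil, err }
	sigq := ed25519.Sign(sk.SKq, msg)
	n := len(sigc)
	out := append([]byte{byte(n >> 8), byte(n)}, sigc...) // 2-byte big-endian length prefix
	return append(out, sigq...), nil
}

// HybridVerify accepts only when BOTH components verify, so the hybrid stays
// secure as long as at least one of Σ_c, Σ_q is unbroken (never OR them).
func HybridVerify(vk HybridVK, msg, sig []byte) bool {
	if len(sig) < 2 { return false }
	n := int(sig[0])<<8 | int(sig[1])
	if len(sig) < 2+n { return false }
	sigc, sigq := sig[2:2+n], sig[2+n:]
	h := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(vk.VKc, h[:], sigc) && ed25519.Verify(vk.VKq, msg, sigq)
}
```

A signature with the $\sigma_{q}$ part stripped, or either part corrupted, is rejected, which is the check a downgrade-resistant verifier must make.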

Hybridation for KEMs and signatures means post-quantum mechanisms constructed on top of a recognized pre-quantum scheme. This method provides the needed features:

  • Preservation of the pre-quantum security
  • Extra protection against the quantum threat
  • Low performance penalty compared with a drop-in replacement

ANSSI considers that such research efforts and practical developments are very positive and continues to encourage designers of security products to start experimenting and prototyping hybrid post-quantum and pre-quantum solutions, especially for products aiming at confidentiality protection that will last beyond 2030 or products that are likely to be still used after 2030.

BSI is aligned with ANSSI: this position is shared by other European cybersecurity agencies such as BSI in Germany, which has even restated the need for hybridation in its recently updated technical guideline on cryptographic mechanisms [5].

Is hybridation available in existing protocols?

There is some work to include post-quantum cryptography as an option in TLS with a hybridation mode using concatenation and a Key Derivation Function (KDF) [11]. The Internet Key Exchange Protocol Version 2 (IKEv2) [12] is also evolving to include hybrid post-quantum cryptography; the most recent IKEv2 work was published in May 2023 [13]. Recently, Apple published an article on end-to-end secure messaging with a quantum-resistant protocol [14].

This progress is real, and the world, including standardization organisms and regulators, is moving in a positive direction. Hence, Worldline could start as well.

There is an essential need to explore the best hybrid quantum-resistant primitives by building a Proof of Concept and implementing the appropriate algorithms to assess the impacts of the hybrid approach. There is significant work here for a cryptographer. Our next blog post will focus on this proposition.

References:

[1] NIST. SP 800-57 Part 3 Rev. 1. Available at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf

[2] EMV 3DS 2.2.0 core specification. Available at https://docs.3dsecure.io/3dsv2/_downloads/1810d5fa627b67a20136e12f8bde32b2/EMVCo_3DS_SDKSpec_v220.pdf

[3] World Economic Forum (WEF) (2022). The Global Risks Report 2022, 17th edition. Available at https://www3.weforum.org/docs/WEF_The_Global_Risks_Report_2022.pdf

[4] W. Beullens. Breaking Rainbow takes a weekend on a laptop. In Y. Dodis and T. Shrimpton, editors, Advances in Cryptology - CRYPTO 2022, pages 464-479, Cham, 2022. Springer Nature Switzerland.

[5] BSI. Technical guideline on cryptographic mechanisms: Recommendations and key lengths, 2023. Available at https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-1.pdf?__blob=publicationFile

[6] ANSSI. ANSSI views on the Post-Quantum Cryptography transition (2023 follow-up). Available at https://cyber.gouv.fr/en/publications/follow-position-paper-post-quantum-cryptography

[7] BSI. Migration to post quantum cryptography. Available at https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Brochure/quantum-safe-cryptography.html

[8] ANSSI. ANSSI views on the post-quantum cryptography transition. Available at https://cyber.gouv.fr/en/publications/anssi-views-post-quantum-cryptography-transition

[9] IETF. Terminology for Post-Quantum Traditional Hybrid Schemes. Available at https://www.ietf.org/archive/id/draft-driscoll-pqt-hybrid-terminology-02.html

[10] AWS. Using hybrid post-quantum TLS with AWS KMS. Available at https://docs.aws.amazon.com/kms/latest/developerguide/pqtls.html

[11] D. Stebila, S. Fluhrer, and S. Gueron. Hybrid key exchange in TLS 1.3 (IETF draft). Available at https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/

[12] C. Tjhai, M. Tomlinson, G. Bartlett, S. Fluhrer, D. Van Geest, O. Garcia-Morchon, and V. Smyslov. Framework to Integrate Post-quantum Key Exchanges into Internet Key Exchange Protocol Version 2 (IKEv2) (IETF draft). Available at https://datatracker.ietf.org/doc/html/draft-tjhai-ipsecme-hybrid-qske-ikev2-04

[13] C. Tjhai, M. Tomlinson, G. Bartlett, S. Fluhrer, D. Van Geest, O. Garcia-Morchon, and V. Smyslov. Multiple Key Exchanges in IKEv2 (IETF RFC 9370). Available at https://datatracker.ietf.org/doc/html/rfc9370

[14] Apple Security Research. iMessage with PQ3: The new state of the art in quantum-secure messaging at scale. Available at https://security.apple.com/blog/imessage-pq3/