The advent of hyper-capable quantum computers would render the internet, as we know it, highly susceptible. Current encryption methods could be breached overnight. Researchers at Darmstadt University are currently hard at work examining post-quantum cryptography and ways in which existing IT-architecture can be adapted to become resistant to quantum computer cryptography styles. Their project ‘Agile and Easy-to-use Integration of PQC Schemes’ is aligned with the national ‘Athene Research Centre for Cyber Security’.

By Astrid Ludwig, 27.7.2021

Andreas Heinemann and Alexander Wiesmaier are busily preparing for Judgement Day, for whilst no concrete evidence of a high-performance quantum computer has emerged, to date, worldwide, one that could breach all known cryptographic processes, they are fully aware that this is only a matter of time, not chance. As the professors specialising in IT security at the Computer Science faculty at the h_da note: if the event horizon appears sooner than expected “we’ve got a problem – I, for one, wouldn’t touch online-banking”, says professor Heinemann. “Everything we take for granted online suddenly becomes unsafe.” Online-shopping, booking holidays or normal tickets, online methods of payment, tax returns, e-mails or innocent chats via social media – in other words, each and every single form of online communication, the safety and privacy of which has, to date, been based on encrypted data transfer.

Andreas Heinemann offers an example: “surfers are presented with the https address of the site they have selected, whereby 'the ‘s’ stands for security', and 'Hypertext Transfer Protocol Secure' is a collective abbreviation for the key protocol HTTP plus TLS, or ‘Transport Layer Security’”. Essentially, whilst ‘http’ carries a website’s content, TLS is busily encrypting these content signals in the background. Employing such transport encryption methods has ensured internet transactions have remained relatively secure since the mid-90s. However, the danger lurks that a forceful quantum computer could soon be able to crack ‘s’ encryptions. The research team Heinemann and Wiesmaier have gathered together are determined to prevent this. One challenge is to accomplish this whilst retaining the current network infrastructure, unmodulated computers – and the software, so prevalent – by integrating fresh encryptions that are immune to quantum-device interference. Research into post-quantum cryptography currently has a primary goal: to shield normal IT users from attacks by quantum computer baddies.

Heinemann is currently collaborating with professor Alexander Wiesmaier, scientific assistants Nouri Alnahawi and Nicolai Schmitt along with several students to research for the project ‘Agile and Easy-to-use Integration of PQC Schemes’. This h_da project (https://fbi.h-da.de/pqc) is one of three currently being run by the cryptology research department at the ‘National Athene Research Centre for Applied Cyber Security’ in Darmstadt. Over a period of four years it will be jointly sponsored with about 560.000 Euros by the Federal Ministry for Education and Research, as well as the Hessian Ministry for Sciences and Arts.

Whilst the other two cryptography projects at the Athene Centre conduct research into the analysis, development and implementation of new security algorithms designed to encrypt, the h_da team is concerned with the question as to how this new process – which is already being worked on – will be able to be easily integrated into current IT systems in order that it can work effectively. Experts are referring to a migration towards post-quantum cryptography. As Alexander Wiesmaier explains the team’s focus: “we evaluate the practical applicability of new, conceivable security algorithms in existing software products”. A variety of aspects need to be heeded, for programmers who compile applications are not trained cryptographers. They have no need to be aware of the mathematical structures working away in the background, however, the interfaces must be designed so that software programmers can easily and correctly apply them. “Ideally programmers should only need to indicate that an aspect needs to be made secure for the algorithms along with the requisite parameters to be automatically selected in the background” explains assistant Nouri Alnahawi. Another important point is that this new procedure must be able to function using widely varying hardware. Another decisive aspect is speed of application. As Andreas Heinemann knows “people tend to become impatient and lose interest when loading a homepage takes any longer than two seconds”. Quantum computer resistant processes require a larger volume of data than was previously the case, yet the transfer needs to be very rapid “there are only a few milliseconds left to provide security”.  

To date the migration, the change from traditional to post-quantum encryption processes is causing problems. It isn’t possible to exchange existing infrastructure in a short space of time. As Alexander Wiesmaier points out “I can’t simply shut down my online-shop, my service portal or my production line for weeks at a time. There’s bound to be some kind of transition period for which we will need to find solutions in order that hardware equipped with differing types of cryptography can still communicate with each-other”.

Digital security on the internet is largely based on public-key cryptography. According to Wiesmaier such processes are based on mathematics, or rather, mathematical puzzles. For instance, the security level of the well known RSA process is based on the difficulty of dividing large numbers into their primary numbers. As Professor Heinemann explains, in public-key cryptography each user possesses a key pair, one public, the other private. For decryption to occur, both elements need to be fit together. As the Federal Ministry for IT Security (BSI) states as a recommendation for migration to post-quantum cryptography “standard public-key processes cannot be broken using current technology”. However, the advent of quantum computers will change everything. Such powerful computers only need the public key in order to work out the private key. Expressed in terms of time, this means that if conventional computers would need millions of years in order to compute every possible component and permutation of the key, a quantum computer could manage this in a few hours or days. As Andreas Heinemann warns “this presents a fundamental threat to IT security”.

A threat that the NSA, the US National Security Agency, had already warned about in 2015 as they began a migration towards quantum computer resistant encryption processes. Not only does the NSA collect data worldwide, it also employs more mathematicians than any other agency on Earth. Accordingly, the National Institute for Standards and Technology (NIST), which is the American Ministry for the standardising of processes, initiated a worldwide competition to find a selection of post-quantum encryption processes by 2022/23. The Darmstadt Athene Research Centre and its cryptography researchers are also taking part. As Heinemann points out “science is still in the starting blocks in this field”.

It is a race between the fields of physics which researches into creating quantum computers and mathematics which is trying to find new encryption methods to protect future IT applications. As both Heinemann and Wiesmaier are aware “such a fundamental turnaround in technology will often take years, if not decades to implement”. It could be compared to the change from internet protocol IP from version 4 to version 6. The IP protocol is the core aspect of internet traffic. IP version 4 was implemented in 1981, IPv6 first became standard in 1998. As Heinemann points out “the migration from IPv4 to IPv6 took 20 years”, it’s all an incredibly long process – which hasn’t even been completed yet”.

The entire issue is only gradually appearing in practice, the mid-sized sector and the industrial sector. As Heinemann points out “most people have no idea what post-quantum cryptography even refers to”. His colleague Wiesmaier is aware that for most firms, trade and commerce, IT security is not a technical but also a financial issue. Generally, security solutions tend to be reduced to a relatively inexpensive level. Most firms’ software is still based on conventional implementations, which have no defence whatsoever against quantum computers. As Wiesmaier emphasises “however, in the long term everyone will need to change to post-quantum cryptography”. When this will actually happen is anyone’s guess. The Federal Ministry for IT Security has yet to issue a concrete prognosis, whilst the h_da scientists predict it will take between ten and fifteen years. What is being developed in secret, or what certain countries are researching, is utterly unknown. Global concerns such as Google or IBM already possess quantum computers, although the h_da scientists doubt that these are powerful enough to be able to crack current encryptions. The research team at the university nonetheless warns people to prepare for the day, or, as IT expert Heinemann casually puts it “when such a powerful machine suddenly rounds the corner”.

Before this day arrives the Darmstadt team seek to attract as many scientists as possible to help them in their research. They’ve set up a community website, open to all, devoted to the issues of migration and the agility of post-quantum encryption processes. It’s intended to function as a gathering place for everyone researching into the issue. As Alexander Wiesmaier emphasises “it’s intended to be a knowledge pool available to everyone, where all are invited to browse around or actively participate”.     

Translation: Paul Comley                       

Project ‘Agile and Easy-to-use Integration of PQC Schemes’: https://fbi.h-da.de/pqc
Link to the community website: https://fbi.h-da.de/cma