QuSecure’s co-founders discuss the Crystals-Kyber controversy
Dan O’Shea / Inside Quantum Technology / 1 March 2023
A recent research paper explained a possible side-channel method for breaking a “fifth-order masked implementation” of the Crystals-Kyber post-quantum cryptography algorithm, which last year was selected for standardization by the National Institute of Standards and Technology. Initial media reports and social media commentary on the paper raised concerns about the future of Crystals-Kyber as a standard, though NIST has since confirmed there will be no negative effect on the standard’s progress. However, the appearance of the paper and the initial panicked response to it have shown that the quantum cybersecurity sector remains a chaotic arena in which confusion reigns, news of “broken” algorithms can easily be misinterpreted, and standards are still a work in progress.
Executives from quantum security company QuSecure spoke with IQT Pro about why the attack described in the paper does not represent a realistic scalable threat to PQC, how it could affect future PQC standardization, and whether or not it will usher more uncertainty into the market for PQC solutions. Here is what Rebecca Krauthamer, co-founder, Chief Product Officer, QuSecure, and Skip Sanzeri, co-founder, Chief Operating Officer, QuSecure, had to say on the topic:
IQT PRO: Does the Crystals-Kyber attack in the recently published paper from Swedish researchers present a realistic threat to an algorithm that is supposed to become a finalized standard next year?
Rebecca Krauthamer: These scientists have conducted important research. That being said, it does not represent an exploitable threat at scale. This is a “side channel” (read: in a lab setting) attack that requires the attacker to have intimate physical access to the CPU performing the encryption. Thus, Crystals-Kyber has not been broken in a way that threatens its ability to protect data in transit at scale. If a bad actor has physical access to the CPU of the server you are attempting to protect, you likely have bigger problems to be worried about. Many algorithms, including~ and~ (AES is currently thought to be quantum-resistant) are also vulnerable to this type of attack.
IQT PRO: Some reports have pointed out the use of AI technology in carrying out this attack. Even if this method does not present a realistic threat, do you think we have given enough thought to how big a role AI could play in trying to break security standards?
RK: Novel classical AI attacks on cryptography will continue to emerge. Similarly, novel quantum computing AI attacks on cryptography will emerge. This is why a shift toward true cryptographic agility is so important when we talk about the future of cryptography management. PQC is not an end in itself. Those in charge of their organization’s cyber measures need to be able to swap in algorithms that use a different type of math to provide quantum-safe and future-safe cryptosystems, and rotate symmetric keys, making any type of attack much more difficult to pull off.
Skip Sanzeri: AI is certainly a threat to any cryptography. As it advances and combines with quantum computing, it could pose a very real threat. In fact, NIST has developed an entire AI risk management framework (https://www.nist.gov/itl/ai-risk-management-framework), which is designed to help organizations and individuals consider AI risks. So this is also considering how AI can affect security and privacy. It seems with how rapidly we are advancing across quantum and AI, that this will be a continuous process of finding ways to protect our data and communications protocols from both.
IQT PRO: Does the challenge presented in this paper, as well as evidence of other successful attack methods against standard candidates like Rainbow and SIKE, reinforce the need for more algorithms to become standardized?

SS: Yes, we believe that NIST will have a continual process of evaluating new algorithms as we expect that more of these will get broken over time. We’ve never seen anything as powerful as quantum computers due to the way they use subatomic properties for calculation and programming. So, this is new territory for humanity – that’s why we expect an ongoing evaluation of ways to ensure that our data communications remain private and secure.
RK: The current standard, Kyber, and the other finalists in the KEM category have been getting beaten up by some of the smartest cryptanalysts in the world for over 5 years and are the ones that have so far been able to stand firm under such serious scrutiny. We should always look for adaptable and crypto-agile ways to protect our data as AI rapidly advances and quantum computing matures.
IQT PRO: So, quantum security experts are saying this paper does not present a realistic threat, and NIST has said Crystals-Kyber standardization will not be affected, but could the initial confusion and media misinterpretations of this paper still have negative effects on your ability to sell PQC into the market?
SS: In fact, we expect the opposite. Quantum computing advances are happening on a daily basis. You may have seen that Google recently announced that they have found a way to increase coherence and error correction using more qubits versus less. All estimates until this point were the opposite, that more qubits require greater error correction efforts. Also, you may have noticed advances with photons, ions and neutral atoms that are showing that the ongoing investment in quantum computing has increasing potential to pay off. So quantum computing development advances, whether or not NIST comes up with the right algorithms to protect our systems and data.
The whole key here is cryptographic agility, meaning the ability to change out cryptography on the fly. Without crypto-agility, your statement above could be correct and many would weigh the risk and wait until the perfect algorithm was available. Of course, by then it could be too late. However, with crypto-agility, any enterprise or government agency could deploy existing algorithms knowing that if one got broken, they can switch cryptography very quickly to another. This way we can make advancements towards privacy and security with post-quantum cybersecurity without the risk of having to lock in on a single, standard set of cryptographic algorithms.
RK: There will always be some level of fear, uncertainty, and doubt surrounding quantum technologies and protection from them. Cybersecurity professionals must understand that this particular threat is not a systematic threat to adoption, any more than previous power-analysis exploits of RSA and AES are to our current encryption. If anything, this underscores the need to migrate to crypto-agile PQC protection sooner. As an industry, it is imperative that we move into an era where we aren’t bound to one algorithm or single point of failure. When adopting PQC, leaders need to make sure they’re not implementing Kyber as their only solution, but rather crypto-agile solutions that currently default to Kyber, likely in combination with RSA or ECDH to ensure a smooth transition into the post-quantum era.