# Quantum Safe Cryptography and Security

http://www.etsi.org/images/files/ETSIWhitePapers/QuantumSafeWhitepaper.pdf

The current state-of-the-art cryptographic principles use well-studied methods that have been relied upon for more than 20 years. Amongst cryptographic experts, well-studied, proven and mature techniques are the most preferred for security reasons. However, such techniques were not designed to resist quantum attacks, because at the time of their invention, research into quantum computation was obscure and unknown to most cryptographic practitioners. New cryptographic techniques have emerged in recent decades that do provide protection against quantum threats. These techniques are termed “quantum safe” and consist of both techniques based on quantum properties of light that prevent interception of messages, as well as classic computational techniques, all of which were designed to resist quantum attacks emerging from the rapidly accelerating research field of quantum computation

# Security controls that are known to be highly vulnerable to quantum attack, and can be easily broken by a quantum computer, include:

# 1. Any cryptosystem that is built on top of the mathematical complexities of Integer Factoring and Discrete Logarithms. This includes RSA, DSA, DH, ECDH, ECDSA and other variants of these ciphers. It is important to point out that almost all public key cryptography in fielded security products and protocols today use these types of ciphers.

## 2. Any security protocols that derive security from the above public key ciphers.

## 3. Any products or security systems that derive security from the above protocols. Controls that are known to be somewhat vulnerable to quantum attack, but can be easily repaired include symmetric key algorithms like AES that can be broken faster by a quantum computer running Grover’s algorithm than by a classical computer. However, a quantum computer can be made to work just as hard as a conventional computer by doubling the cipher’s key length. This is to say that AES-128 is as difficult for a classical computer to break as AES-256 would be for a quantum computer.

AES is considered quantum-safe because the cipher can adapt to a quantum attack by increasing its key size to rectify a vulnerability introduced by quantum computing.

**Ciphers like RSA and ECC are not quantum safe because they are not able to adapt by increasing their key sizes to outpace the rate of development of quantum computing**. In order to attack a 3072-bit RSA key, for instance, a quantum computer must have a few thousand logical qubits. In general, the number of logical qubits needed scales in a linear fashion with the bit length of the RSA key. When such a quantum computer becomes available, moving to a larger RSA key size would thwart a quantum attack until a larger quantum computer is invented. However, doubling the size of an RSA or ECC key increases Quantum Safe Cryptography and Security 14 the running time of the cipher on a conventional computer by a factor of 8. That means that if the size of keys that a quantum computer can attack doubles every two years, then the running time of keys on a conventional computer increases by a factor of 8 every two years, outstripping Moore’s Law and rapidly becoming impractical both in terms of speed and in terms of channel size, i.e. the required bandwidth to transmit the key information.

http://www.etsi.org/images/files/ETSIWhitePapers/QuantumSafeWhitepaper.pdf

NOTE:

Read the cautions on AES written by Schneier. Schneier did increase the number of rounds to make AES safe, but that made it far too slow to use. AES should never have qualified.

AES using CBC (Cipher Blocks) can be broken. Any version of AES using CBC has been broken – using the Beast or Lucky 13 attacks.

The only form of AES not broken is GCM (Galois Counter Method), which requires specific dedicated hardware, and is not deployed in software versions of AES – they’re all the broken CBC type.