28 Jul 2022
Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Received monthly by more than 50,000 subscribers. Maintained by Hanno Böck.
The US National Institute of Standards and Technology (NIST) has announced the first winners of a several-years-long competition for post-quantum encryption and signature algorithms. For encryption (more precisely, key establishment: Kyber is a key encapsulation mechanism, or KEM), NIST recommends the use of CRYSTALS-Kyber, although that recommendation may still change. For signatures, NIST has selected CRYSTALS-Dilithium as the primary algorithm, plus two additional algorithms, Falcon and SPHINCS+.
The decision was long awaited, having been delayed multiple times. The background is that future quantum computers could break practically all public key cryptography in use today. Algorithms like RSA or ones based on elliptic curves could be broken by an attacker using a powerful quantum computer. No such quantum computer exists today, but research on them is progressing.
Due to this threat, researchers started investigating algorithms that would be safe from such quantum attacks. These algorithms are called post-quantum cryptography. In 2016, NIST announced that it wanted to standardize such post-quantum algorithms and asked for proposals.
This competition now comes to a preliminary end, though NIST has said that it plans to investigate some further algorithms that may be standardized in the future. Also, particularly for signatures, NIST announced that it will ask for additional proposals in order to diversify the class of underlying algorithms.
The announcement of the winners comes with a significant catch. In a footnote in the detailed report NIST published, NIST mentions that it is seeking patent agreements with several holders of potentially relevant patents: “If the agreements are not executed by the end of 2022, NIST may consider selecting NTRU instead of Kyber.” NTRU is an algorithm that has been around for a while, and patents affecting it have expired by now. Both Kyber and NTRU are part of what is called lattice-based cryptography.
For signatures, the decision to select three algorithms shows some of the uncertainty in this space. The three selected algorithms balance security aspects against the practicality of implementing these in everyday protocols like TLS. Both Falcon and Dilithium are lattice-based algorithms, while SPHINCS+ is a hash-based algorithm.
Falcon has the smallest signature size of the three, but its small signatures come at a price: Falcon needs constant-time floating-point arithmetic, and if this isn’t done correctly, it may lead to side-channel attacks that could compromise the private key.
SPHINCS+ is the algorithm with the highest level of security assurance. It’s a hash-based algorithm, and its security relies only on the underlying hash function, which is a well-understood cryptographic construction with no dependence on lattice assumptions. But the signature sizes are challenging: depending on the variant and security level, they range from around 8 to 50 kilobytes.
Although the preliminary winners have been chosen, it still isn’t time to start implementing these algorithms in protocols like TLS. The exact standards have to be specified and will likely reduce the variations and fix some parameters for the algorithms.
It’s expected that post-quantum encryption algorithms will initially be used in a hybrid mode, combined with a traditional elliptic curve key exchange. The session key is derived from both shared secrets, so an attacker has to break both components. In case of unexpected cryptographic breakthroughs against the new post-quantum schemes, the approach would still fall back to the security of the better-known elliptic curve cryptography. A draft specifying such a hybrid mode is available and is expected soon to be published as an RFC by the IETF.
Here are some things that caught our attention since the previous newsletter:
Here are some interesting jobs we've come across in the last month:
If you know of similar jobs that our readers might be interested in, for example cryptography, TLS, or PKI, let us know and we may add them to future newsletters.