Expert Interview: RFC 8391 – a Milestone in the Protection from Quantum Computers

Collaborating on the research project squareUP, researchers from genua and the Technical University of Darmstadt have developed a post-quantum signature scheme. This procedure is technically mature and a so-called Internet draft had been written in cooperation with other universities during the project. This draft has now been released as RFC 8391 and is the first universally recognized standardized procedure for digital signatures which can withstand attacks based on quantum computers.

We talked to Stefan-Lukas Gazdag about this development. He is an engineer in genua’s research division and one of the authors of the RFC.

Why is it so exceptional that researchers from genua have worked on an RFC?

The process from an early draft evolving into an RFC is, as with many attempts to establish a standard, sometimes a cumbersome process. However, this process is unavoidable before a cryptographic scheme can be used in practice as developers have to have a reference available which they can rely on during their work. And there is more to be done than simple writing. There are numerous sometimes contrary opinions and requirements from various people and organizations to be considered in a draft. Many experts read and evaluate the document.

This is extremely helpful and also necessary, as it means that the scheme being described will receive a lot of attention and that any possible inconsistencies in the document will be found more easily. On the other hand, this process is time-consuming and therefore expensive. In our case the process lasted three years. Thankfully, part of our efforts was funded by the Bavarian Ministry of Economic Affairs, Energy and Technology (StMWi). The environment around the IETF/IRTF, the organizations behind RFCs, is particularly influenced by large companies and universities. Therefore, it’s not an everyday occurrence that a relatively small German IT security company contributes to an RFC to make a new technology generally usable.

genua now publishes quantum-resistant signatures for numerous products and in doing so belongs to the first IT security companies that use this procedure to secure their software updates. Could you say that we have the most secure software updates in the world?

Superlatives should be used with caution but it is also true that we send out our software updates with digital signatures that are secure according to the current state-of-the-art. Through the combination of these classical procedure with a quantum-resistant alternative that is available and ready to use today, we can look forward to the coming years with confidence.

This means that our customers can safely install software updates for products such as our genuscreen and genugate firewall systems even if a hostile secret service should possess a large quantum computer.

A number of organizations are working on powerful quantum computers and reporting a respectable degree of success. However, they do not yet appear to be ready to be used productively, so how can you be sure that the software updates are really quantum-resistant?

To elaborate this we need to clarify why the different cryptographic procedures are secure.

There are a number of different approaches to describe the security of cryptographic procedures, with one important characteristic being the best-known attacks. In addition, nowadays attempts are made to provide mathematical proofs for specific procedures but that is a very difficult undertaking. Even if a procedure is shown to be secure in a theoretical model, it is possible for attacks to occur that have not been considered as part of the model.

An aspect that is often used takes a more generic approach, focusing on a generic types of schemes and not just on specific algorithms. All the attacks on the procedure we use and known by the cryptographic community can be dealt with, in particular the generic ones. This applies for all classical attacks as well as those supported by quantum computers.

However, absolute security does not exist here: Some genius could wake up any day now and suddenly have an idea for a successful, non-generic attack. We should also emphasize here that this applies just as much for conventional attacks as for new quantum algorithms.

In addition, we only use a well understood and intensively examined primitive, a fundamental cryptographic building-block that is important for all practically relevant signatures. The whole security infrastructure will be faced with a huge problem if this is cracked.

Secure software updates are without doubt an important milestone but will we also be able to protect encrypted communication from attacks with quantum computers?

Securing our updates was only the first step. We are currently working on secure communication over the Internet using quantum-resistant procedures. However, this is a more complex subject which the whole post-quantum cryptographic community is currently working on.

Thank you for this conversation.

The TU Darmstadt was funded by the German Research Foundation (DFG) and genua by the Bavarian Ministry of Economic Affairs, Energy and Technology (StMWi). On genua's side, the project was supervised by the VDI/VDE Innovation + Technology GmbH.