Quantum-resistant coding (QCRC) is still a topic of intense debate among experts. Professionals who define Internet traffic protection using the Transport Layer Security (TLS) protocol exchanged views on this topic at the 114th meeting of the Internet Engineering Task Force (IETF) in Philadelphia. The temporary conclusion is: big keys cause big concerns.
Powerful quantum computers are still somewhat out of reach, but cryptographic professionals want to develop robust protocols today, because quantum computers using methods like the Shor algorithm will easily crack many of today’s common ciphers. Years ago, the US authority invited NIST to compete and, after evaluating the candidates, recently selected one algorithm for exchanging keys and three for signatures. They should be able to withstand future decryption attacks. The winners of the signing competition are Dilithium-II, Falcon-512 and Sphincs+, and Kyber was chosen to exchange the keys.
questionable use
But it is doubtful whether it will be used on a large scale, as hoped. Because both of the three signature algorithms and Kyber generate much larger data packets compared to today’s methods, exceeding the maximum packet size on many Internet paths (MTU, Maximum Transmission Unit). At first glance, this doesn’t seem like a big deal, because senders can shred oversized packets if they find that they exceed the MTU.
In practice, however, this leads to at least significant delays in establishing TLS connections. According to Martin Thompson of Google, there is a problem when large keys during a handshake force fragmentation of packets, as this requires additional transmission steps (more round trips). And with Datagram Transport Layer Security, which relies on UDP, no additional round trips can be performed at all, warned Sophia Celi of Cloudflare and Thom Wiggers of Radboud University in the Netherlands.
According to Eric Riscorla, chief technology officer of Mozilla, the only good news is that powerful quantum computers are still a thing of the future. However, the basic problem of current TLS technology remains unresolved: if you save all TLS communication packets and attack them years later using a quantum computer, you can later deconstruct existing secret transmissions. The IETF also wants to prevent this as much as possible, which is why it has been working on several working groups on the topic of quantum computer resistance. Meanwhile, the National Institute of Standards and Technology (NIST) has announced another round of new, possibly “most economical” candidates.
(DZ)
