On July 27, IBM announced that it has adopted the National Institute of Standards and Technology (NIST) recommended post-quantum cryptography standard algorithm for real business [1]. With the IBM z16 mainframe, application developers can implement a dual-signature scheme and guarantee the future integrity of critical documents using the NIST choice for a standardized, lattice-based encryption algorithm, CRYSTALS-Dilithium.
01IBM is involved in the development of three NIST-recommended algorithms
Quantum computers will be very powerful: they will even make traditional cryptography exposed in seconds. To compromise data and provide data security, NIST launched the Post-Quantum Cryptography Project in 2017 - to develop ciphers that can be used with classical computers and withstand decryption by quantum computers. In July, NIST announced the selection of four algorithms as standards, which are expected to be completed in about two years.
These algorithms are designed for the two main tasks of public-key ciphers - public-key encapsulation (for public-key encryption, key establishment) and digital signatures (for authentication and nonrepudiation).
(a) For public key encryption and key establishment, the key encapsulation mechanism (KEM) chosen by NIST is the CRYSTALS-Kyber algorithm - which is also the primary algorithm in the KEM category.
For digital signatures, NIST has chosen three algorithms: CRYSTALS-Dilithium, Falcon, and SPHINCS+. CRYSTALS-Dilithium is the primary algorithm in the signature category.
The announcement marks an important milestone in the field of data security, as IBM revealed that it has been involved "with partners from industry and academia" in the development of three of the four algorithms selected by NIST: CRYSTALS-Kyber, CRYSTALS-Dilithium, and Falcon. Dilithium, and Falcon [2].
02What is a digital signature?
Signatures can take many forms, from a wax seal on an envelope to an autograph on a souvenir. Electronic signatures use a computer to verify the identity of the signer and certify the integrity of the document, and in most countries, they are as legally binding as handwritten-based signatures. Laws such as the Electronic Signatures Act and the Uniform Electronic Transactions Act (UETA) in the United States, and the Electronic Identification and Trust Services Regulation (eIDAS) in Europe have designated electronic signatures as legal, trustworthy and enforceable documents.
The significance of digital signatures goes far beyond what is imagined. A digital signature is an electronic signature with advanced features that uses cryptography to make it compliant and secure. At a high level, when creating a digital signature, the sender first generates a public-private key pair and shares the public key with others. The public and private keys are different, but mathematically related. Then, the sender uses the private key to generate a digital signature for the message. When the recipient receives the message and the digital signature, the recipient uses the sender's public key to verify the sender's signature to verify the integrity of the message. Because the signature relies on the sender's private key, only the sender can create this digital signature. The verification of the digital signature can be done by anyone because the sender's public key is used for verification and it is not a secret.
During the New Crown pandemic, the possibility of using pen and paper for signatures became almost impossible as countries around the world went into lockdown. This "pandemic" has driven the use of digital technologies such as electronic signatures, enhanced authentication and smart digital forms to facilitate the growth of digital government and business. Digital signatures have become the new normal, and the rate of adoption is unlikely to slow. According to a recent report by Markets and Markets [3], the global market for digital signatures is expected to grow at a compound annual growth rate (CAGR) of more than 33%: from $4 billion in 2021 to $16.8 billion in 2026.
Attractive global market potential for digital signatures
Digital signatures offer many advantages over handwritten signatures when it comes to efficient workflows because they use sophisticated algorithms, Certificate Authorities (CAs) and Trust Service Providers (TSPs). However, one consideration for digital signatures is that they rely on a public key cryptographic infrastructure (PKI), and if any weaknesses are found in this infrastructure, digital signatures will become invalid.
Such weaknesses in future PKI may come from quantum computers, which have the potential to solve many challenging problems that today's classical computers cannot solve. While fault-tolerant quantum computers are estimated to be decades away, they could be used to collect and crack today's data or manipulate legal history by forging digital signatures. This means that new quantum security algorithms are needed today.
03Using IBM z16 to generate CRYSTALS-Dilithium digital signatures
Back in March, IBM z15 announced the introduction of lattice-based digital signatures in systems for digitally signing audit records in z/OS. IBM z15 also provided application developers with the ability to begin experimenting with quantum-secure lattice-based digital signatures, which helped IBM and customers understand the impact of migrating to the new algorithm.
While large-scale adoption of quantum-secure cryptography will be a decades-long process, new lattice-based solutions are entering the market for different products and services offered by IBM and other companies. Today, with IBM z16, developers can implement a dual-signature scheme using CRYSTALS-Dilithium, the lattice-based encryption algorithm chosen by NIST for standardization, thereby maintaining the future integrity of critical documents.
IBM z16 with Crypto Express 8S card provides quantum security API for accessing PQC algorithms proposed at NIST [4]. Developer productivity is increased by 20-30%, providing more time for innovation.
Trusted hardware platforms will play a key role in the adoption of quantum-secure cryptography, and the IBM zSystems development team has already begun the modernization process. As the industry's first quantum security system, IBM z16 is based on lattice-based cryptography across multiple layers of firmware that can help protect an enterprise's business-critical infrastructure and data from quantum attacks.
A key feature of the z16 platform, the Crypto Express 8S Hardware Security Module (HSM), allows application developers to use new quantum security algorithms, as well as many other cryptographic services, through two available application programming interfaces. Specifically, the Crypto Express 8S for IBM z16 provides three key functions required for the digital signature process.
The ability to generate public and private keys.
The ability to generate a digital signature for the message/digital document to be signed using the private key
The ability to verify the digital signature using the public key.
Reference links:
[1]https://www.ibm.com/cloud/blog/announcements/available-on-ibm-z16-future-proof-digital-signatures-with-a-quantum-safe-algorithm-selected-by-nist[2]https://www.ibm.com/cloud/blog/what-is-quantum-safe-cryptography-and-why-do-we-need-it[3]https://www.marketsandmarkets.com/Market-Reports/digital-signature-market-177504698.html[4]https://www.ibm.com/downloads/cas/QV58YJDK
