Post-Quantum Cryptography Challenges: Big Keys Can Lead to Big Problems
The recent 114th meeting of the International Internet Engineering Task Force (IETF) in Philadelphia focused on the challenges of post-quantum (quantum-resistant) ciphers in transport layer security (TLS). A key conclusion was that big keys can lead to big problems.
Conference convenes in Philadelphia
Powerful quantum computers are still some way off, but cryptographers want to develop robust protocols now, because quantum computers running methods such as Shor's algorithm will easily break many of today's common encryption schemes. A few years ago, the U.S. standards agency NIST launched a competition and, after three rounds of evaluation, recently selected one key exchange algorithm and three signature algorithms that it hopes will withstand future attacks. The signature algorithms are Dilithium-II, Falcon-512 and Sphincs+; the key exchange algorithm chosen is Kyber.
However, it is questionable whether they will be used as widely as one might hope. All three signature algorithms and Kyber generate significantly larger packets than today's methods, exceeding the maximum packet size (MTU, maximum transmission unit) on many Internet routes.
At first glance this may not seem like a big deal: if a sender's packets exceed the MTU, it can split them. In practice, however, this can at least add considerable delay to establishing a TLS connection. Google's Martin Thomson says problems arise when oversized keys in the handshake force packet fragmentation, which requires an additional transport step (more round trips). Sophia Celi of Cloudflare and Thom Wiggers of Radboud University in the Netherlands warn that UDP-based Datagram Transport Layer Security (DTLS) simply does not allow for additional round trips.
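To make the size argument concrete, here is an added example (not part of the article) that models how post-quantum key and signature sizes inflate TLS 1.3 handshake flights, how many MTU-sized datagrams each flight would need, and when a flight outgrows the initial congestion window and so costs an extra round trip. The algorithm sizes are the published parameter-set sizes; the fixed framing overheads, the 1500-byte MTU and the 10-segment initial window are modelling assumptions.

```python
# Added example, not code from the article. Sizes in bytes.
MTU = 1500                          # assumed typical path MTU
IP_UDP_DTLS_OVERHEAD = 20 + 8 + 13  # IPv4 + UDP + DTLS record header (assumed)
TCP_MSS = 1460                      # assumed TCP segment payload
INIT_CWND_SEGMENTS = 10             # initial congestion window, RFC 6928

# KEMs: (public key, ciphertext); signature schemes: (public key, signature).
# ECDSA/X25519 values are approximate raw sizes; PQ values are spec sizes.
KEMS = {"x25519": (32, 32), "kyber768": (1184, 1088)}
SIGS = {
    "ecdsa-p256": (64, 64),
    "dilithium2": (1312, 2420),
    "falcon512": (897, 666),
    "sphincs+-128s": (32, 7856),
}

def client_hello(kem, base=300):
    """ClientHello with one key_share entry plus an assumed 300 B of other fields."""
    return base + KEMS[kem][0]

def server_first_flight(kem, sig, chain_len=2, base=600):
    """ServerHello..Finished: KEM ciphertext, a chain of `chain_len` certificates
    (each carrying a public key and a signature), the CertificateVerify
    signature, and an assumed 600 B of fixed overhead."""
    pk, sig_len = SIGS[sig]
    return base + KEMS[kem][1] + chain_len * (pk + sig_len) + sig_len

def datagrams_needed(flight_bytes, mtu=MTU):
    """Datagrams a DTLS sender must emit if nothing may exceed the path MTU."""
    payload = mtu - IP_UDP_DTLS_OVERHEAD
    return -(-flight_bytes // payload)  # ceiling division

def extra_rtts(flight_bytes, mss=TCP_MSS, init_cwnd=INIT_CWND_SEGMENTS):
    """Round trips beyond the minimum, assuming slow start: the sender may emit
    only its current window before an ACK, and the window doubles per RTT."""
    segments = -(-flight_bytes // mss)
    sent, cwnd, rtts = 0, init_cwnd, 0
    while sent < segments:
        sent += cwnd
        cwnd *= 2
        rtts += 1
    return max(rtts - 1, 0)

if __name__ == "__main__":
    for kem, sig in [("x25519", "ecdsa-p256"), ("kyber768", "dilithium2"),
                     ("kyber768", "falcon512"), ("kyber768", "sphincs+-128s")]:
        ch, sf = client_hello(kem), server_first_flight(kem, sig)
        print(f"{kem:9s} {sig:14s} CH={ch:5d}B ({datagrams_needed(ch)} dgram) "
              f"server flight={sf:6d}B ({datagrams_needed(sf)} dgrams, "
              f"+{extra_rtts(sf)} RTT)")
```

Under these assumptions a Kyber-768 ClientHello already needs two datagrams, and a SPHINCS+-signed certificate chain pushes the server's first flight past the initial window, adding a full round trip.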
In addition, the supersingular isogeny algorithm SIKE, which advanced to the fourth round of the NIST evaluation, has small keys, but unfortunately the algorithm has just been broken.

Key sizes for major post-quantum cryptographic algorithms
According to Mozilla CTO Eric Rescorla, the only good news is that powerful quantum computers are still a thing of the future. However, the fundamental problem with current TLS technology remains unsolved.
Anyone who records all the packets of a TLS connection today and attacks them in a few years with a quantum computer can retroactively compromise today's confidential transmissions. The IETF wants to prevent this as far as possible, which is why many of its working groups are working on quantum resistance.
