Google Enables Quantum-Resistant Cryptography, White House Issues Latest Statement
On November 19, Google announced [1] that Google Cloud has enabled quantum-resistant cryptography, also called post-quantum cryptography (PQC), on its internal ALTS protocol.

01 Google's internal encrypted transport protocol, Application Layer Transport Security (ALTS): enabling quantum-resistant ciphers
When visiting a website whose URL begins with HTTPS, users rely on a secure public-key cryptography protocol to protect the information they share with the website from eavesdropping. Public-key cryptography, including the protocols used internally at Google, is the basis of the most secure communication protocols available for protecting assets and user data from threats.
Google's own internal encrypted transport protocol, Application Layer Transport Security (ALTS), uses public-key cryptographic algorithms to ensure that communications between Google's internal infrastructure components are authenticated and encrypted.
Widely deployed and vetted public-key cryptographic algorithms such as RSA and elliptic curve cryptography are efficient and secure against today's adversaries. However, as Google Cloud CISO Phil Venables wrote in July [2], Google expects that future large-scale quantum computers will completely break these algorithms. The cryptographic community has developed several alternatives to these algorithms, often called quantum-resistant ciphers, which Google says it expects will be able to withstand quantum computer-driven attacks.
For now, Google Cloud has enabled one of these algorithms on its internal ALTS protocol.
02 PQC threat model
While current quantum computers are unable to break widely used cryptographic schemes like RSA in practice, we still need to start planning defenses for two reasons.
1) Attackers may store encrypted data today and decrypt it once they gain access to a quantum computer (also known as a "store now, decrypt later" attack).
2) Product lifetimes may overlap with the arrival of quantum computers, and it may be difficult to update systems.
The first threat applies to in-transit encryption, which uses asymmetric key protocols vulnerable to quantum attacks; the second threat applies to hardware devices with longer lifetimes, for example, certain secure boot applications that rely on digital signatures.
03 Why did Google choose NTRU-HRSS internally?
Since the National Institute of Standards and Technology (NIST) PQC standard is still pending, quantum-resistant cryptography can currently only be rolled out in an ephemeral way, in which the exchanged data is used only once.
Google's internal transport encryption protocol, ALTS, is an ideal candidate for such a rollout: because Google controls all endpoints that use the protocol, it would be relatively easy to switch to a different algorithm if NIST were to adopt a different standard. Controlling all endpoints provides the confidence to defeat a "store now, decrypt later" type of attack without having to worry about maintaining a non-standard solution.
Deploying a new encryption technology is risky because it has not been field tested. In fact, several candidates in the NIST process have suffered devastating attacks that did not even require a quantum computer. By adding the quantum-resistant algorithm as an additional layer, Google avoids a situation in which trying to protect the infrastructure from a theoretical computing architecture leaves it defenseless against a laptop recovering private keys.
This strategy helps ensure that the security of currently deployed, vetted and tested cryptography remains in place.
Note that future adversaries that can forge signatures will not affect past sessions of the protocol. Current practitioners only need to address "store now, decrypt later" types of attacks that could affect our data today. Since signature algorithm threats are not immediate, we are able to simplify the review process in two ways.
1) It only requires adding PQC to the critical parts of the protocol.
2) It allows us to change only the parts that depend on temporary keys. For authenticity, we still rely on classical cryptography, which will probably only be affected in the presence of large-scale quantum computers.
04 The US government's stance on quantum-resistant cryptography

On November 18, the White House Office of Management and Budget (OMB) released a new memo [4] outlining the need for federal agencies to begin the migration to quantum-resistant cryptography before quantum computers become operational.
The OMB recommends that federal entities take preparatory steps to strengthen the U.S. cyber defense posture, following the example of President Biden's earlier executive order. The new memo requires federal agencies to inventory their current cryptographic hardware and software systems, highlighting high-value assets and high-impact systems that require additional cybersecurity protocols.
Agency leadership will then be tasked with compiling this information into a report for the Office of the National Cyber Director and the Cybersecurity and Infrastructure Security Agency that summarizes their respective high-risk information assets and systems, to help budget, plan and execute the transition from standard to effective quantum-resistant cryptography.
OMB officials noted that the high-risk systems submitted by the agencies will primarily handle sensitive data that could be exploited by any quantum hacking attempt. "The Biden-Harris administration is working to ensure U.S. leadership in the emerging field of quantum computing," Chris DeRusha, chief federal information security officer, said in a statement. "This global technology race holds both great promise and great threat. We are prioritizing efforts to protect the federal government's sensitive data from the potential hazards of future quantum computers; this action marks the beginning of a major undertaking to prepare our nation for the risks posed by this new technology."
The migration to quantum-resistant cryptography standards will be the most significant to date and will take several years to complete, according to the latest OMB statement. OMB recommends that, in taking inventory of information systems, federal agencies work with software vendors to identify opportunities for testing post-quantum cryptography in their networks and promote public-private sector collaboration.
Several federal agencies have been working in concert to promote quantum-resistant migration in government digital networks. NIST previously released four quantum-resistant algorithms to facilitate and accelerate updates to current cryptography. These will be part of NIST's ongoing quantum-resistant cryptography program, which is expected to be completed within two years.
Among the more promising quantum-resistant options, NIST favors lattice-based algorithms, and NIST recently announced [3] the selection of Kyber as the first NIST-approved quantum-resistant key encapsulation mechanism (KEM). Kyber offers high performance (its latency cost is more balanced than that of its alternative lattice-based counterpart when operations are considered), but its intellectual property status still lacks some clarification from NIST.
As a result, Google says that the migration to quantum-resistant cryptography poses unprecedented challenges in terms of scale, scope and technical complexity and requires extra care. That is why it is deploying NTRU-HRSS in ALTS using a hybrid approach: combining two schemes into a single mechanism, so that an adversary intending to break the mechanism would need to break both underlying schemes. The choices for this setup are NTRU-HRSS and X25519, matching the CECPQ2 experiment run in Google Chrome in 2018 and allowing Google to reuse BoringSSL's CECPQ2 implementation.
Reference links:
[1] https://cloud.google.com/blog/products/identity-security/why-google-now-uses-post-quantum-cryptography-for-internal-comms?utm_source=substack&utm_medium=email
[2] https://cloud.google.com/blog/products/identity-security/how-google-is-preparing-for-a-post-quantum-world/
[3] https://csrc.nist.gov/News/2022/pqc-candidates-to-be-standardized-and-round-4
[4] https://www.nextgov.com/cybersecurity/2022/11/white-house-begins-push-federal-post-quantum-cryptography-migration/379936/
