
IKTPLUSS-IKT og digital innovasjon

Quantum safe cryptography for the Internet of Things


Awarded: NOK 9.9 mill.

We have entered the era of the Internet of Things (IoT). The IoT connects not only classical computing and communication devices, but all kinds of other gadgets that we use in our everyday lives: cars, door locks, personal medical devices, washing machines, refrigerators and light switches are often cited examples. These devices can download software from, and upload data to, the Internet. Likewise, users on the Internet can query the devices for information, or issue commands for a device to perform specific actions. Thus the IoT gives remote users the capacity to manipulate your physical environment. This is obviously a security risk, so access to IoT devices must be allowed only for legitimate, authorized users. This requires cryptographic techniques for proving the identities of devices and users (authentication), and for protecting information during transmission. Most of the communication uses symmetric cryptography, where the parties share a secret key. But in order to share this key in the first place, and in order to create digital signatures for authentication, they rely on asymmetric cryptography.

Current asymmetric cryptography (RSA and the discrete-logarithm schemes, including their elliptic-curve variants) is not secure against an attacker with access to a quantum computer, since Shor's algorithm solves the underlying factoring and discrete-logarithm problems in polynomial time. At present, full-scale quantum computers are not publicly known to exist, and constructing one is still considered a significant engineering challenge. However, there are strong ongoing efforts worldwide to build them, motivated by political and commercial interests. Smaller, experimental quantum computers have been built, but these are far too small to break current ciphers. Still, history should teach us that technology can progress much faster than anticipated. It is therefore recommended to design new cryptographic techniques that are not vulnerable to an attacker with access to a quantum computer, and experience suggests that deploying new technology is a slow process. Besides, it is important to protect vital information right now: classically encrypted data in transit can be recorded by an attacker today and broken later, once a quantum computer is available (the harvest-now, decrypt-later threat). The new algorithms are described as quantum-safe, or post-quantum, cryptography. In recent years the National Institute of Standards and Technology (NIST) in the USA has conducted a de facto international standardization process for post-quantum algorithms, and in 2022 the set of candidates for new standards was narrowed down to one for key agreement (CRYSTALS-Kyber) and three for digital signatures (CRYSTALS-Dilithium, Falcon and SPHINCS+). Still, it remains important to develop further algorithms for diversity and robustness. Known quantum-safe techniques rely on heavy computations and very long cryptographic keys. This is particularly inconvenient in the IoT setting, where many devices are strictly limited in computation, storage, communication and battery capacity. In this project we have addressed the design and analysis of lightweight quantum-safe crypto primitives and IoT-compatible crypto communication protocols.

Achieved results in qsIoT:

Cryptanalysis, that is, breaking ciphers (or at least attempting to do so), is of paramount importance for testing the security of these ciphers. In the first stages of qsIoT we focused on cryptanalysis of lightweight, supposedly quantum-safe ciphers. Several of these ciphers are based on the difficulty of solving arbitrary sets of nonlinear Boolean equations in many variables. One such cipher is EFLASH, presented at SAC 2018. qsIoT research shows that the EFLASH equation sets have a structure that enables attacks; the results were presented at the conference CT-RSA 2020. The technique generalizes to attacks on other lightweight algorithms such as MiMC; that attack was published at Asiacrypt 2020. Other attacks developed in qsIoT were published at PKC and at PQCrypto in 2021, and Morten Øygarden, who is funded by qsIoT, defended his PhD thesis on these topics in September 2021.

Lattice problems are another design basis for quantum-safe cryptography. Known algorithms for solving such problems require exponential time. Two qsIoT papers present a new technique for fast lattice enumeration which still runs in exponential time, but with a smaller exponent. This does not render the problem useless for cryptographic purposes, but it is likely to increase the recommended parameter sizes.

The qsIoT project also considers information-theoretic approaches for lightweight IoT devices to establish cryptographic keys, by applying so-called wiretap channels. These are techniques in which the legitimate parties rely on the advantage of having a better communication channel than the adversary. By repeated application, this advantage can be amplified. Information-theoretically secure systems cannot be broken by a quantum computer, since their security does not depend on any computational assumption. Lattice techniques are also useful for wiretap channels. We published new results on wiretap communication in 2021 and 2022.
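The wiretap-channel key establishment described above, as an added example that is not part of the qsIoT project's own code or papers: a simulation of the repetition-code advantage distillation protocol (due to Maurer) over binary symmetric channels, with the exact error formulas beside a Monte Carlo run. The channel model, the crossover probabilities, the block lengths and the function names are assumptions chosen for illustration. It goes slightly beyond the text in one respect: it also shows the well-known result that repetition hands the legitimate parties the advantage even when Eve's channel is initially the better one.

```python
"""Advantage distillation over a wiretap channel, simulated and computed exactly.

Constructed model (an illustration added here, not code from the qsIoT project):
Alice broadcasts uniformly random bits X.  Bob and Eve receive them through
independent binary symmetric channels (BSCs) with crossover probabilities
eps_bob and eps_eve.  To distil one secret bit C, Alice publishes C xor X_i for a
block of n positions over an authenticated public channel.  Bob unmasks the
block with his copy Y and accepts it only if all n unmasked bits agree, i.e. his
channel noise on the block was all-zero or all-one.  Eve unmasks with her copy Z
and takes a majority vote.  Bob's conditional error is eps^n / (eps^n + (1-eps)^n),
which shrinks geometrically in n, while Eve's majority-vote error shrinks far
more slowly, so the legitimate parties' advantage grows with the block length.
"""
from math import comb
import random


def bob_error_exact(eps_bob: float, n: int) -> float:
    """P(Bob's decoded bit is wrong | Bob accepted the n-bit block)."""
    all_flipped = eps_bob ** n          # every one of Bob's n noise bits is 1
    all_clean = (1.0 - eps_bob) ** n    # every one of Bob's n noise bits is 0
    return all_flipped / (all_flipped + all_clean)


def eve_error_exact(eps_eve: float, n: int) -> float:
    """P(majority vote over n independent BSC copies of C is wrong); n must be odd."""
    if n % 2 == 0:
        raise ValueError("use an odd block length so the majority vote has no ties")
    return sum(comb(n, k) * eps_eve ** k * (1.0 - eps_eve) ** (n - k)
               for k in range(n // 2 + 1, n + 1))


def bsc(bits, eps, rng):
    """Pass a list of bits through a binary symmetric channel with crossover eps."""
    return [b ^ int(rng.random() < eps) for b in bits]


def simulate(eps_bob: float, eps_eve: float, n: int, rounds: int, seed: int = 1):
    """Run `rounds` distillation blocks; return (accepted, bob_error_rate, eve_error_rate).

    Error rates are measured only over blocks Bob accepted, since only those
    contribute to the distilled key.
    """
    rng = random.Random(seed)
    accepted = bob_wrong = eve_wrong = 0
    for _ in range(rounds):
        x = [rng.randrange(2) for _ in range(n)]     # Alice's broadcast bits
        y = bsc(x, eps_bob, rng)                      # Bob's noisy copy
        z = bsc(x, eps_eve, rng)                      # Eve's noisy copy
        c = rng.randrange(2)                          # secret bit to distil
        public = [c ^ xi for xi in x]                 # sent over the public channel
        bob_view = [m ^ yi for m, yi in zip(public, y)]
        if len(set(bob_view)) != 1:                   # Bob's acceptance test
            continue
        accepted += 1
        bob_wrong += int(bob_view[0] != c)
        eve_view = [m ^ zi for m, zi in zip(public, z)]
        eve_guess = int(sum(eve_view) * 2 > n)        # majority vote
        eve_wrong += int(eve_guess != c)
    if accepted == 0:
        return 0, float("nan"), float("nan")
    return accepted, bob_wrong / accepted, eve_wrong / accepted


if __name__ == "__main__":
    # Eve starts with the better channel (0.2 < 0.3); repetition still favours Bob.
    for n in (1, 3, 5, 9):
        print(f"n={n}: Bob {bob_error_exact(0.3, n):.5f}  Eve {eve_error_exact(0.2, n):.5f}")
    print(simulate(0.2, 0.2, 5, 20000))
```

Eve's error is independent of Bob's accept/reject decision because her noise is independent of his, which is why the simulation measures both rates only over accepted blocks without biasing Eve's figure. The price of the advantage is throughput: a fraction roughly (1-eps_bob)^n of the blocks is accepted, so longer blocks cost more broadcast bits per distilled key bit, which is the trade-off a constrained IoT device has to make.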

Effects for the project's participants

The PhD student and the postdoctoral fellow at Simula UiB entered the project with backgrounds in pure mathematics and algorithm analysis, respectively, and have through the project developed specialist competence in algebraic cryptanalysis of post-quantum systems and in algorithms for simplifying lattice representations, respectively. These are topics that are trending towards greater importance in the coming years. During the last year the PhD student has moved into a postdoctoral position and has built up a substantial international network, while also becoming a resource for Norwegian public administration. A PhD student at NTNU unfortunately chose to discontinue the fellowship after two years and has moved to a position in industry. This student worked on wiretap channels. That work has been taken up again at Simula UiB and will continue after the end of the project, in collaboration with NTNU. For senior staff at the partners, too, the project has created new competence and new research questions that will be the subject of future national and international collaboration within the framework of qsIoT. This also includes researchers who were not originally directly connected to qsIoT.

Effects for the surroundings (target group, users)

Post-quantum cryptography will be essential for industrial actors that develop cryptographic products. In Norway this applies in particular to Thales and the Kongsberg Group. qsIoT has been in contact with these actors throughout the project period. We have also had close contact with NSM (the Norwegian National Security Authority) and FFI (the Norwegian Defence Research Establishment). At the close of the project a scientific workshop was held with 45 participants from academia, industry and public administration. Norwegian industry and public administration are actively focused on post-quantum cryptography, and the qsIoT partners have a research environment well placed to supply these actors with the competence they need.

Impact

It is in the national and international interest to establish solutions that are robust against quantum-computer-based attacks on cryptographic protocols. The main mechanism for achieving this is the NIST process for developing a standard for quantum-safe cryptography, through an international research effort. Participants affiliated with qsIoT have taken an active part in several phases of this process, which will hopefully result in an effective defence against quantum attacks and thus permit secure communication and storage also in the future.

We are entering the era of the Internet of Things (IoT). The IoT connects not only classical computing and communication devices, but all kinds of other gadgets that we use in our everyday lives: door locks, personal medical devices, washing machines, refrigerators and light switches are often cited examples. Hence, for the IoT, security concerns go beyond traditional privacy or denial of service; the immediate physical safety of humans is also at stake, and the cost of security failures becomes much more severe. Moreover, the IoT will consist of heterogeneous and lightweight devices, many of which may be unable to perform the complex computations required by modern security protocols. In this project we will address the design of lightweight quantum-safe crypto primitives and IoT-compatible crypto protocols. We will develop primitives and protocols with respect to different methods of providing trust. The traditional approach on the Internet uses a public key infrastructure (PKI). This approach may be vulnerable, especially in the IoT setting. We will also study novel and robust authentication methods that do not rely on a trusted third party. This second method may be developed further depending on the outcome of the related trustIoT proposal for H2020. These tasks, and the interconnection between them, are essential for the safe and secure deployment of the IoT.

Funding scheme:

IKTPLUSS-IKT og digital innovasjon