QUBIP is all about Transition to PQC

Andrea Vesco (LINKS Foundation)


Last week we celebrated the kick-off meeting of the QUBIP project. QUBIP addresses the transition to post-quantum cryptography (PQC) of protocols, networks, and systems to counter quantum threats well in advance.
As cryptographers around the world work on new post-quantum asymmetric encryption algorithms, QUBIP addresses the engineering problem of embedding this new and evolving PQC into the digital systems we use today.
QUBIP’s main objective is to define a standard and replicable transition process, maximising the return on experience from practical transition exercises involving the adoption of PQC in hardware (HW, for constrained IoT), cryptographic libraries (i.e., OpenSSL, NSS, Mbed TLS), the operating system (Fedora), communication protocols (TLS and IPsec) and applications (the Firefox browser and digital identity).
Starting from the transitions of these five building blocks, QUBIP addresses their integration into three real-world systems (i.e., IoT-based digital manufacturing, Internet browsing and Telco operator software network environments) to address the transition at the system level, considering all possible cascading dependencies.

The consortium started immediately to address the key points of this transition, and this is the result of the first technical discussion:

  • It is of paramount importance to start the transition process immediately, because the development of quantum computers is no longer purely a matter of research; moreover, the “store now, decrypt later” attack model is already a threat.
  • PQC algorithms (KEM and digital signatures) are evolving; NIST has already selected four algorithms for standardisation (CRYSTALS-KYBER, CRYSTALS-Dilithium, FALCON and SPHINCS+) and has received 40 new proposals for additional digital signature schemes; at the time of writing this article, eight of these proposals have already been proven to be insecure (i.e., feasible attacks have been discovered) and the final selection is not expected for years.
  • The selected PQC algorithms are considered secure by the experts, but these algorithms have yet to stand the test of time.
  • The transition to PQC is delicate and takes time because it impacts many functions and protocols in an a-priori unknown cascade of dependencies; moreover, the reasonable uncertainties about PQC standardisation and the possibility of someone finding vulnerabilities in the future make the transition even harder.
  • The solution for a standard and replicable transition process lies in cryptographic agility, that is, the ability to reconfigure software by plugging in PQC algorithms without intensive code refactoring. In principle, HW agility implies the use of certain design methodologies (e.g., IP reusability) but, in practice, it is not easy to achieve in real systems.
  • The challenges for QUBIP’s first months are (i) transitioning the IoT through the implementation of a secure element that provides a set of PQC implementations in HW; (ii) transitioning cryptographic libraries through loadable modules that make PQC implementations available as part of the libraries’ capabilities and enable PQ/T hybrid schemes for TLS 1.3, after which several cascades of dependencies must be resolved to make PQ/T hybrid TLS available at higher levels (the OS and applications such as browsers and digital identity frameworks); and (iii) the hybridisation of PQC and Quantum Key Distribution (QKD) for key exchange in IPsec, which is often used to secure communications in telco operators’ software environments.
  • Finally, the QUBIP reference and replicable transition process must consider another important property called pliability: the transition must adapt to network management best practices, support established network services, and be integrated through standardised approaches.

This is only the beginning and, if you are interested in QUBIP topics and results, stay tuned!