We met with Professor Roland van Rijswijk-Deij from the University of Twente, who will present the keynote ‘Moving the goal to post quantum’ at GÉANT’s Security Days conference that will take place in Prague on 9-11 April 2024.
Professor van Rijswijk-Deij’s keynote will officially kick off the conference in the opening plenary on Wednesday 10 April. From the complexities presented by the transition of the internet to post-quantum cryptography, to the role of academia in the development of quantum-safe algorithms, the insightful conversation also highlights the specific challenges for R&E networking in the context of post-quantum internet and the urgent need to standardise post-quantum cryptographic algorithms.
Roland, in your keynote, you’ll discuss the challenges of transitioning the entire internet to post-quantum cryptography. Could you elaborate on the basic need for post-quantum cryptography and how it differs from classical cryptographic methods? What are the key challenges we’ll face during this transition?
We need post-quantum cryptography to keep the internet secure in a future where quantum computers can crack all public key cryptography in a matter of hours. “Post-quantum” is a bit of a misnomer in that sense, as the “post” refers to “the time after powerful quantum computers become a reality”. In actual fact, we need to transition to these algorithms well before quantum computers become available; this is because we need to protect data that is stored long-term, think years or decades, including data that may be collected without consent (e.g., intelligence services storing encrypted internet traffic). Experts therefore also refer to PQC as “quantum-safe” or “quantum-resistant”.
The biggest challenges we will face are likely due to the different nature of PQC algorithms. They may, for example, require significantly more memory, have much larger keys or signatures, or require more computational power. Combine that with the ubiquitous use of public key cryptography in anything from mainstream internet protocols, such as the Web, to the internet of Things and, e.g., Industrial Control Systems and you quickly realise this is a daunting task. On top of all this, as with many security improvements on the internet, it is likely that the incentives for deploying PQC may be misaligned, with those bearing the cost not reaping the immediate benefits.
Quantum computers pose a significant threat to current public key cryptography. How close are we to practical quantum computers, and what impact could they have on our existing security infrastructure? What role can academia play in developing quantum-safe cryptographic algorithms?
The “when” in “when will we have a practical quantum computer” really is the million-euro question. Nobody really knows, and this includes the physicists that are developing the circuits for quantum computers. At the same time, experts increasingly agree that, yes, there will be a practical quantum computer in the future, and maybe even more importantly, the time horizon when they think this will happen is shrinking. Michele Mosca, a well-known expert in the field of quantum computing, conducts a survey among experts on a regular basis. In the most recent edition, from 2023, more than half the experts say that they put the likelihood of a practical quantum computer at 70% or more within the next 20 years.
To answer the other question: academia plays a major role in developing quantum-safe cryptography. Academics both develop new algorithms and perform cryptanalysis to test the strength of candidate algorithms. So, I would say the role of academia in developing quantum-safe algorithms is vital. A number of European academics are at the forefront of these developments, so we also have a significant European finger in this pie.
You’ll be using examples from R&E networking to highlight challenges. Could you share specific instances where R&E networks face unique security concerns? How can we address these challenges effectively?
R&E networks have a number of key challenges: they are very open, in the sense that there is lightweight control over who does what on the network. This is vital for research and for students and staff to be able to explore and experiment. At the same time, this can pose risks. One key challenge with post-quantum cryptography is that it might be abused in denial-of-service attacks, for example because keys and signatures are much larger and can be abused in so-called amplification attacks. Similarly, higher computational requirements may be abused for resource-exhaustion attacks.
Another thing that R&E networks do very well is federated identity. For network access we have eduroam, which relies on public key cryptography during the authentication phase. This will obviously have to be migrated to quantum-safe cryptography, which may pose challenges in the constrained environments in which such authentications take place. Similarly, web identity federations such as eduGAIN are a powerful tool for collaboration. Yet they too rely extensively on public key cryptography and will need to be migrated to quantum-safe alternatives. Given the number of transactions these federations process, especially at the start of academic terms, we will need to pay special attention to the performance of the algorithms we choose.
Given the global nature of the internet, collaboration and standardisation are crucial. How can international cooperation help accelerate the adoption of post-quantum cryptographic algorithms? What efforts are underway to standardise these algorithms?
The US currently plays a key role in standardising algorithms. The US National Institute for Standards and Technology (NIST) has been running a competition for PQC algorithms for a number of years now, and the rest of the world seems happy to follow. I would argue that we could exercise a bit more independence as Europe here. At the same time, the global nature of the internet requires us to pick standards globally. The internet Engineering Task Force is also exploring PQC algorithms for the use in internet protocols. I personally still miss a sense of urgency among many people in the IETF. We know from experience – and research – that transitioning to new cryptographic algorithms can easily take a decade or more. Given that we still need to start standardisation for most internet protocols, I think it’s high time we get going.
As we transition to new cryptographic methods, how do we strike a balance between security and usability? What considerations should organisations keep in mind when implementing post-quantum cryptography?
That is a tricky question. One thing I would say is: design for cryptographic agility. What I mean by that is that many systems we use today are intimately tied to a single choice of cryptographic algorithm. Then, if you need to migrate to some other algorithm this may be a major task as replacing entire systems is not trivial. What we will likely see with PQC is that sometimes new algorithms turn out to not be as secure as we had hoped, and we will need to replace them in a hurry. If your applications are more agile, this is then an easy job.
Prestigious Vidi funding
Roland van Rijswijk-Deij is one of the 2023 recipients of the prestigious Vidi funding from the Dutch Research Council. Vidi is part of the Council’s Talent Programme and is aimed at experienced researchers with an already established and successful research career since obtaining their PhD. This grant will help Roland and his team to develop a systematic approach for transitioning to a quantum‐safe internet.
For more information on the Security Days conference, visit security.geant.org/geant-security-days-2024/
Read or download the full magazine here
