Hybrid Crypto: Anticipating the Break of Asymmetric Crypto
Beatrice Peirani, Chair of the Crypto Sub-Task Force, GlobalPlatform
In this blog, Beatrice explains why ‘hybrid crypto’ is a necessity to protect our digital lives in a post-quantum world and provides an update on various initiatives from GlobalPlatform and other Standards Development Organisations (SDOs).
Back in 2019, I wrote a blog discussing why “crypto agility” would provide the flexibility needed to meet the changing security needs of a post-quantum world. By specifying cryptographic protocols at a sufficiently high level of abstraction, it becomes possible to switch the underlying cryptography when a threat becomes effective.
This is what “crypto agility” means.
How is GlobalPlatform helping to enable crypto agility?
In 2021, the GlobalPlatform Crypto Sub-Task Force published a revision of its ‘Cryptographic Algorithm Recommendations’ technical note. In the current version, GlobalPlatform still recommends the use of AES-128 and SHA-256 (and also AES-192, SM4 and SM3) in a post-quantum era, estimating that Grover’s algorithm, which could theoretically be used to weaken block ciphers and hash functions, will provide little or no practical advantage for attacking symmetric cryptography or hash functions.
The SE Committee has also developed a new Secure Channel Protocol, SCP04, which is more resilient to the quantum computing threat. It is specified in Card Specification v2.3 Amendment K (SCP04) and will be published soon. Based on symmetric cryptography, the protocol is a generalization of the SCP03 secure channel protocol and has been designed with crypto agility in mind: the building blocks of the cryptographic protocol (key derivation, Message Authentication Code calculation, rekeying, block cipher, sensitive data encryption and random number generation) are now configurable.
In parallel, GlobalPlatform’s TEE Committee is amending the TEE Internal Core specification to include a new PQC support API. It is also releasing an updated Sockets Interface, which should enable the PQC extensions to TLS 1.3 with compatible endpoints, or their future standardisation in TLS. In addition, the committee is analysing the different options for making the GlobalPlatform TEE Trusted Management Framework (TMF) quantum safe. All should be ready in H1 2023.
And finally, the Crypto Sub-Task Force is also working with GlobalPlatform’s SE, TEE and TPS Committees to review the relevance of the current candidate (or alternate) algorithms of the NIST PQC Project, to provide recommendations for GlobalPlatform’s technical specifications.
Quantum computing: are we there yet?
A recent report, based on the opinions of 47 international leaders in the field of quantum computing, tried to evaluate the quantum threat timeline and find an answer to the question of “when will it happen?”
Even if it is impossible to predict when a cryptographically relevant quantum computer will be operational, the experts make it quite clear that the quantum threat will become non-negligible sooner than previously expected. For example, 15 out of 46 respondents felt it was “about 50% or more” likely within a 10-year timeframe. Compared with the previous reports of the last three years, the estimated likelihood has risen steadily.
In addition, because of “store now, decrypt later” attacks, and because GlobalPlatform technology is used to protect long-lived data, we need to take the threat into account as soon as possible and be ready to ensure this kind of attack has low value.
Hybrid cryptography is the new buzzword
Hybrid cryptography, sometimes called composite cryptography, combines one algorithm from the pre-quantum era, such as RSA, with one from the post-quantum era, for example one of the signature algorithms of the NIST PQC project. With this combination, security rests on each algorithm in its respective attack model, so the combination stays secure as long as one of the two algorithms does.
IETF, ETSI, ISO and other organizations have already started working on how to combine algorithms, especially for key exchange, since the signature case is more straightforward. NIST has already given some hints in SP 800-56C, and ANSSI plans to release recommendations.
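As an added illustration of the key-exchange combination described above (example code written for this post, not GlobalPlatform, NIST or any library code): the classical shared secret Z' and the PQC KEM shared secret T are concatenated as Z = Z' || T, which SP 800-56C Rev. 2 permits for hybrid schemes, and fed to the one-step KDF of that document. The component secrets, the party identifiers and the FixedInfo layout are constructed sample values, and the classical and PQC key exchanges themselves are not implemented here.

```python
import hashlib

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def one_step_kdf(z: bytes, fixed_info: bytes, out_len: int) -> bytes:
    """One-step KDF of SP 800-56C Rev. 2 (Section 4.1), hash option:
    K(i) = H(counter_i || Z || FixedInfo) with a 4-byte big-endian
    counter starting at 1; output = leftmost out_len bytes of K(1)||K(2)||...
    """
    if out_len <= 0:
        raise ValueError("out_len must be positive")
    reps = -(-out_len // HASH_LEN)  # ceil(out_len / HASH_LEN)
    if reps > 0xFFFFFFFF:
        raise ValueError("requested output too long for a 32-bit counter")
    blocks = b"".join(
        HASH(i.to_bytes(4, "big") + z + fixed_info).digest()
        for i in range(1, reps + 1)
    )
    return blocks[:out_len]


def hybrid_shared_secret(z_classical: bytes, t_pqc: bytes) -> bytes:
    """Z = Z' || T: Z' from the classical key agreement (e.g. ECDH), T from
    the PQC KEM. The derived key depends on both, so an attacker must break
    both exchanges to recover it."""
    if not z_classical or not t_pqc:
        raise ValueError("both component secrets are required")
    return z_classical + t_pqc


def derive_hybrid_key(z_classical: bytes, t_pqc: bytes, party_u: bytes,
                      party_v: bytes, key_len: int = 32) -> bytes:
    # FixedInfo = AlgorithmID || PartyUInfo || PartyVInfo; this layout is an
    # assumption of the example, a real protocol fixes its own encoding.
    fixed_info = b"HybridKEM-Example" + party_u + party_v
    return one_step_kdf(hybrid_shared_secret(z_classical, t_pqc), fixed_info, key_len)


# Constructed sample secrets standing in for real ECDH / PQC-KEM outputs.
Z_CLASSICAL = bytes.fromhex("11" * 32)
T_PQC = bytes.fromhex("22" * 32)
PARTY_U, PARTY_V = b"card", b"host"

if __name__ == "__main__":
    print(derive_hybrid_key(Z_CLASSICAL, T_PQC, PARTY_U, PARTY_V).hex())
```

Knowing Z' alone (a broken classical exchange) or T alone (a broken PQC KEM) yields a different key from the KDF, which is the property the hybrid construction is meant to give.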
What are the advances from the standardization world?
So much work has been done since 2019!
The National Institute of Standards and Technology (NIST) will very soon announce which Round 3 finalists of the PQC Standardization Project will be selected to become the new standard. The currently envisaged algorithms for signature are Dilithium or Falcon* (and maybe SPHINCS+), while those for KEM are Classic McEliece and one of Saber, Kyber or NTRU.
A recent study presents several improvements to the dual lattice attack, lowering the security estimates for Kyber, Saber and Dilithium. In parallel, NIST will very soon issue a new call for signature algorithms to diversify the portfolio, and, last but not least, Round 4 will start once the new standard is available.
Elsewhere, ISO/IEC JTC1 SC27 finalized its Post-Quantum Cryptography Standing Document (SD8) in May 2020. This document is a collection of post-quantum cryptographic algorithms based on the different underlying mathematical hard problems, such as hash-based signatures, lattice-based mechanisms, code-based cryptography, multivariate cryptography and isogeny-based cryptography. It includes algorithms from NIST PQC Project Round 2 and Round 3 (finalists and alternates), but also some others that may fit different needs.
ETSI CYBER has also developed guidelines on hybrid cryptography. This needs more investigation, especially considering the recommendation from the French ANSSI not to move straight to NIST PQC algorithms, but rather to start by implementing hybrid algorithms and let the future standard mature until at least 2030. This conservative approach is shared by the German BSI. Both also recommend FrodoKEM (based on unstructured lattices) as their preferred KEM algorithm in the NIST competition (even though it was not selected for Round 3).
What’s next for GlobalPlatform?
GlobalPlatform and its Security Task Force will wait for NIST to announce the selected PQC Round 3 candidates, and will then provide a technical note including performance results, together with a plan for integrating them into the GlobalPlatform SE and TEE technical specifications. GlobalPlatform is also examining hybrid crypto approaches, starting with TLS, in order to recommend in the near future a version that is compatible with SE (and TEE) constraints.
*Cryptanalytic results during the third round have raised concerns about the security of Rainbow. More recently, Beullens posted a new attack on Rainbow. It is unlikely that Rainbow will be selected for the future standard.