Quantum computing attacks may have already begun. Confidential data is being exchanged using algorithms that will eventually be broken by quantum computers. Even though attackers cannot break the communications today (for we lack sufficiently powerful quantum computers), they can patiently record them for future analysis.
Perhaps the most popular way to share confidential data between two remote parties is through a TLS connection. In a TLS handshake, asymmetric cryptography is used for two purposes. The first is to verify the authenticity of the party we are communicating with. The second is to securely agree a shared symmetric key, which will encrypt the rest of the communication.
This second purpose is more important for quantum attackers and defenders. Authentication is a temporal concern in TLS – provided you were happy with the identity of the other party when you complete the handshake, that’s all that matters. But confidentiality is a long-term concern. How many years or decades would need to pass before that confidential data doesn’t matter anymore?
Considering the above, when securing TLS handshakes against quantum attackers we should focus on the key exchange phase of the TLS handshake. We can keep using RSA or ECDSA certificates, but we need to replace (or enhance) the key exchange mechanisms that agree the symmetric keys.
Quantum-resistant algorithms are an active area of research. Compared to RSA or AES, most quantum-resistant candidate algorithms have received far less scrutiny from academia. Although NIST is helping to coordinate these efforts with its Post-Quantum Cryptography project, these algorithms should be regarded with some suspicion at this stage.
One approach to mitigate the risk is through a hybrid approach. On our Horizons research portal, we provide a TLS example that would involve generating (say) half the secret material using classic algorithms and half through quantum-resistant algorithms.
Our work in this area aims to foster further research and innovation. However, use of our projects in production environments is not recommended at this time.
For the full technical breakdown of our work to enable quantum-resistant key exchange in TLS 1.3 for Go applications, visit our Horizons research portal.