The security of digital infrastructures relies heavily on cryptographic algorithms and protocols. Common encryption methods such as the Diffie-Hellman key exchange used in many internet protocols such as Transport Layer Security (TLS) and Internet Key Exchange (IKE) assume that certain mathematical problems are practically unsolvable due to limited computing capacities. Digital signatures based on the RSA method, which are used e.g. for authentication in web browsers, are considered secure as long as there is no efficient algorithm for factorisation.

This could be relied on for decades. But when experts discussed the first concepts for quantum computers several years ago, it quickly became clear that the days of conventional cryptography are numbered. It will probably still take some time before the new type of computer can pose a threat to conventional algorithms. So far, quantum computers exist only as room-filling experimental setups in research labs, and their performance is currently limited to solving simple computational tasks. But it is expected that in just a few years, advanced quantum computers will be clearly superior to classical computers in many areas. This includes solving mathematical problems that serve as the basis for conventional cryptography.

Computing with qubits

Quantum computers are based on a completely different technology than conventional systems. Instead of being limited to binary arithmetic with zeros and ones, their fundamental information units, the qubits, can also work with gradations in between. This is because the qubits are based on quantum mechanical states and therefore do not have to assume exactly one of the values zero or one. Rather, the two values can overlap, with varying probabilities then applying to them. If numerous qubits are connected, logical operations can be carried out, which, however, are more similar to the processes in neuronal networks than to serial computing in classical computers. Quantum computers do not proceed step by step, but take many possible solution paths at the same time and may also find several solutions. In this case, algorithms have to limit the computing operations in a sensible way so that usable results emerge.

As soon as it was foreseeable that the new type of computer would threaten conventional cryptography, the search began for alternative crypto methods that are resistant to quantum computers. For it is not only because of the rapid development of the new technology that haste is required. The challenge is also that attackers can already record and store encrypted data today in order to decrypt it later, when sufficiently powerful quantum computers are available. This is a very serious scenario, because particularly sensitive data, for example with the classification SECRET, should often remain protected not only for years, but for decades. Thus, even before its development has reached the required level of maturity, quantum computers are already a significant threat to the information security of states and international organisations.

PQC in use

To counter this threat, the US National Institute of Standards and Technology (NIST) is currently conducting a process to standardise PQC and recently selected the first algorithms to be standardised by 2024. However, since possible attacks along the lines of "record now and decrypt later" require immediate preventive measures, secunet has decided, in consultation with the BSI, to implement PQC even before standardisation by NIST.

As an IT security partner of the Federal Republic of Germany, secunet produces technology that protects highly classified data up to the classification level GEHEIM (SECRET) and is used, among others, by the German Federal Armed Forces and federal ministries with special security requirements, such as the Federal Ministry of Defence. Since 2002, a total of around 30,000 SINA encryption devices approved for GEHEIM or SECRET have been delivered in Germany and other EU and NATO countries. In Germany, SINA represents the de facto standard for encryption at this high security level. secunet has already equipped three key products in this portfolio with PQC elements: the SINA Communicator H, which offers tap-proof voice communication as well as many other modern communication features, the highly secure VPN gateway SINA L3 Box H and the SINA Workstation H Client V, which delivers a unique combination of high-performance cryptography and high computing power.

The BSI has approved these three SINA components as the first encryption products with PQC in Germany for the GEHEIM (SECRET) level. In a European comparison, Germany is thus a pioneer in crypto devices that already work with PQC. And with the SINA Workstation H R RW14, the latest generation of hardened laptops designed for use under extreme conditions is already waiting in the wings to enter the PQC era.

Hybrid methods

In the three SINA components with PQC so far, the key exchange is implemented in a quantum-resistant manner. What does this mean? In order to guarantee the confidentiality of data during transmission against quantum computers, both the encryption algorithm and the key exchange procedure used to derive the key must be quantum resistant. Usually, the encryption algorithm is already quantum resistant if it is used with sufficiently large keys. Yet the conventional key exchange methods are potentially vulnerable to quantum computers. Since the PQC algorithms are still in the final stages of standardisation, the BSI recommends the use of so-called hybrid methods: By combining conventional cryptography and PQC, an attacker would have to break each algorithm to break the hybrid solution. The three SINA products with PQC support a hybrid quantum-resistant key exchange with the BSI-recommended algorithm FrodoKEM. In the course of the next few years, secunet will implement all critical functionalities of the entire SINA portfolio for the GEHEIM/SECRET level, but also for lower classification levels such as VS-NUR FÜR DEN DIENSTGEBRAUCH (RESTRICTED), with PQC.

In this context, hybrid modes can serve not only as a temporary migration strategy towards PQC, but as a contribution to long-term security and agility with regard to encryption methods. In general, the use of PQC marks the beginning of a new cryptographic era, characterised not only by resistance to quantum computing, but also by increased cryptographic agility. In response to the threat, cryptography is thus reinventing itself - and gaining strength.