Amazon and IBM are rapidly moving on NIST-selected post-quantum cryptographic algorithms

A month after the National Institute of Standards and Technology (NIST) revealed the first quantum algorithms, Amazon Web Services (AWS) and IBM moved quickly. Google was quick to lay out an aggressive implementation plan for its cloud service it launched a decade ago.

It helps that IBM researchers contributed to three of the four algorithms, while AWS contributed to two. Google contributed one of the submitted algorithms, SPHINCS+.

A lengthy process that began in 2016 with 69 original candidates culminates in the selection of four algorithms that will become NIST standards, which will play a critical role in protecting encrypted data against the high power of quantum computers.

NIST’s four choices include CRYSTALS-Kyber, a public-private key (KEM) encapsulation mechanism for general asymmetric encryption, such as when connecting websites. For digital signatures, NIST has selected CRYSTALS-Dilithium, FALCONand SPHINCS+. NIST will add a few more algorithms to the mix in two years.

Vadim Lyubashevsky, a cryptographer who works at IBM’s research labs in Zurich, helped develop CRYSTALS-Kyber, CRYSTALS-Dilithium and Falcon. Predictably, Lyubashevsky was happy with the selected algorithms, but he only anticipated that NIST would choose two digital signature candidates instead of three.

Ideally, NIST would have chosen a second key establishment algorithm, according to Lyubashevsky. “They could have picked one more straight away just to be safe,” he told Dark Reading. “I think some people were expecting McEliece be chosen, but maybe NIST decided to wait two years to see what Kyber’s backup should be.”

IBM’s new mainframe supports NIST-selected algorithms

After NIST identified the algorithms, IBM went ahead with specifying them in its recently launched z16 mainframe. IBM introduced the z16 in April, calling it “the first quantum-safe system,” enabled by its new CryptoExpress 8S card and APIs that provide access to NIST APIs.

IBM was championing three of the NIST-selected algorithms, so IBM had already included them in the z16. As IBM had unveiled the z16 before NIST’s decision, the company implemented the algorithms in the new system. IBM last week formalized that the z16 supports algorithms.

Anne Dames, a distinguished IBM engineer who works on the company’s z Systems team, explained that the Crypto Express 8S card could implement various cryptographic algorithms. Nevertheless, IBM was betting on CRYSTAL-Kyber and Dilithium, according to Dames.

“We are very lucky because it went in the direction we were hoping for,” she told Dark Reading. “And because we chose to implement CRYSTALS-Kyber and CRYSTALS-Dilithium in the hardware security module, which allows customers to access them, the firmware of this hardware security module can be updated. Thus, if other algorithms were selected, then we would add them to our roadmap for inclusion of these algorithms in the future.”

A software library on the system allows application and infrastructure developers to integrate APIs so customers can generate quantum-safe digital signatures for classical computing systems and quantum computers.

“We also have a CRYSTALS-Kyber interface in place so we can generate a key and provide it wrapped by a Kyber key so it can be used in a potential key exchange scheme,” Dames said. “And we also integrated some APIs that allow customers to have a key exchange system between two parties.”

Dames noted that customers could use Kyber to generate digital signatures on documents. “Think of code signing servers, things like that, or document signing services, where people would actually like to use the digital signature capability to ensure the authenticity of the document or the code being used,” he said. she declared.

AWS engineers turn algorithms into services

At Amazon’s AWS re:Inforce security conference last week in Boston, the cloud provider highlighted its post-quantum cryptography (PQC) efforts. According to Margaret Salter, Director of Applied Cryptography at AWS, Amazon already integrates NIST standards into its services.

During a breakout session on AWS’s cryptography efforts at the conference, Salter said that AWS has implemented an open-source hybrid post-quantum key exchange based on a specification called s2n-tls, which implements the Transport Layer Security (TLS) protocol on various AWS services. AWS has contributed it as a draft standard to the Internet Engineering Task Force (IETF).

Salter explained that hybrid key exchange brings together its traditional key exchanges while enabling post-quantum security. “We have regular key exchanges that we’ve been using for years and years to protect data,” she said. “We don’t want to get rid of them; we’re just going to improve them by adding an additional public key exchange. And by using both, you have traditional security, plus post-quantum security.”

Last week, Amazon announced that he deployed s2n-tls, the Hybrid post-quantum TLS with CRYSTALS-Kyberwhich connects to AWS Key Management Service (AWS KMS) and AWS Certificate Manager (ACM). In an update this week, Amazon documented its stated support for AWS Secrets Managera service for managing, rotating and retrieving database credentials and API keys.

Google’s decade-long PQC migration

Although Google didn’t make implementation announcements like AWS immediately after NIST’s selection, VP and CISO Phil Venables said Google has been focusing on PQC algorithms “beyond theoretical implementations” ever since. more than a decade. Venables was among several prominent researchers who co-authored a technical paper highlighting the urgency of adopting PQC strategies. The peer-reviewed article was published in May by Nature, a respected journal for the science and technology communities.

“At Google, we are well into a multi-year effort to migrate to post-quantum cryptography designed to address immediate and long-term risks to protect sensitive information,” Venables wrote: in a blog post published following the NIST announcement. “We have one goal: to make sure Google is ready for PQC.”

Venables recalled a 2016 experience with Chrome where a minimal number of connections from the web browser to Google servers used a post-quantum key exchange algorithm alongside the existing elliptic curve key exchange algorithm. “By adding a post-quantum hybrid-mode algorithm with the existing key exchange, we were able to test its implementation without affecting user security,” Venables noted.

Google and Cloudflare announced a “large-scale post-quantum experimentin 2019, implementing two post-quantum key exchanges, “integrated into Cloudflare’s TLS stack, and deployed on edge servers and in Chrome Canary clients.” The experience helped Google understand the implications of deploying of two post-quantum key agreements with TLS.

Venables noted that last year Google tested post-quantum privacy in TLS and found that various network products were not compatible with post-quantum TLS. “We were able to work with the vendor to have the issue resolved in future firmware updates,” he said. “By experimenting early, we solved this problem for future deployments.”

Other standardization efforts

The four algorithms announced by NIST are an important step in advancing the PQC, but there is still work to be done in addition to secure quantum encryption. The AWS TLS submission to the IETF is an example; others include efforts such as Hybrid PQ VPN.

“What you will see happen is that organizations that are working on TLS, or SSH, or VPN-like protocols will now come together and come up with proposals that they will evaluate in their communities to determine what is best and what protocols need to be updated, how certificates need to be set, and things like that,” IBM’s Dames said.

Dustin Moody, a mathematician at NIST who leads his PQC project, shared a similar view during a round table at the RSA conference in June. “There’s been a lot of global cooperation with our NIST process, rather than splitting the effort and coming up with lots of different algorithms,” Moody said. “We’ve seen most countries and standards bodies waiting to see what comes out of our great progress on this process, as well as participating. And we see that as a very good sign.”

Sharon D. Cole