Cryptography in the quantum computing era
For decades, organizations have used cryptographic algorithms to protect their most sensitive data and communications in computer systems, networks, and storage devices. Imagine that an adversary or cybercriminal could break the cryptographic algorithms that you have relied on for many years. What would the potential impacts on your business be?
Attacks that can compromise today’s cryptographic algorithms, once considered impossible, become possible with a powerful quantum computer. Your protected data can be stolen, exposed, altered, disabled, or destroyed through new attack vectors that emerge in the quantum computing era.
Although quantum computers are still in their early stages of adoption, their use soon will be more widespread. A single quantum computer can be capable of performing millions of computations simultaneously.
Because quantum computers work with probabilities, the problems they are good at solving are exponential in nature. As a result, today’s cryptographic algorithms might be threatened by quantum computers, potentially exposing sensitive data.
Attackers are already harvesting protected data in anticipation of cracking the protection algorithms sometime in the future. Therefore, it is important to take action now: assess the cryptography methods that are used today to protect your data, applications, and systems; understand the vulnerabilities in the quantum computing era; and evaluate the quantum-safe capabilities that are offered with the IBM Z platform.
1.1 When will quantum computers break cryptography
The question of when quantum computers might break cryptography is often asked, but unfortunately it presents the threat as being in the future. Consider the following point from the World Economic Forum, which was held in May 2021:
For data that will require protection for decades, the threat is today. The impact is in the future.
Many IT decision-makers plan to retain their data 11+ years into the quantum era as per the IBM MD&I survey. Their data includes personal identifiable information (PII), trade secrets, intellectual property, and other sensitive digital assets. This information already is at risk because they need to store it and keep it confidential for decades.
Although cybercriminals cannot easily break most encrypted data today, they might be able to decrypt that data in the future by using a large quantum computer, also known as a cryptographically relevant quantum computer (CRQC). Because it is unknown when Y2Q (the arrival of a CRQC) will happen, it is best to start looking at ways to protect your data now:
Act now—it will be less expensive, less disruptive, and less likely to have mistakes caused by rushing and scrambling.
1.1.1 Business risks
The cost of data breaches continues to increase, with strong encryption being the top mitigating cost factor. The global average total cost of a data breach is $4.24 million per the Ponemon Cost of a Data Breach 2021 Study.
Organizations that use strong encryption (such as AES with 256-bit keys) for data at rest and in flight had an average total cost of a breach of $3.62 million, compared to $4.87 million for organizations that use weak or no encryption, a difference of $1.25 million or 29.4%.
Most businesses expressed concern that their data, system integrity, and software verification are at risk from potential CRQC attacks. They recognized CRQC attacks as a cybersecurity risk. However, organizations are just beginning the cryptographic inventory phase of a quantum-safe journey.
Additionally, many organizations operate within highly regulated industries and must comply with standards. The National Institute of Standards and Technology (NIST) has a post-quantum cryptography standardization process to identify algorithms that are resistant to attacks mounted from quantum and conventional computers. BSI, a German federal agency, requires the use of hybrid schemes in which both classical and quantum-safe algorithms are used for protection in high-security applications.
The post-quantum cryptography standards and working groups are expected to be the business driver for security policy changes and crypto migration planning.
IT executives can proactively mitigate the risk of business disruptions that are caused by CRQC attacks. Currently, some organizations have small, decentralized crypto groups that are scattered across the IT business units, which causes disconnection and inertia against cryptographic agility. Many IT organizations still do not have a comprehensive view of the cryptography in use in their institution because they lack cryptographic inventory tools and skills for the broad cryptography landscape.
A few cryptographic services groups implemented proprietary crypto libraries and abstraction layers that simplified managing the crypto updates and prepared them for cryptographic agility. Businesses, such as banks, expressed concerns about the effect of quantum-safe algorithms on system performance and latency.
Organizations, such as automobile manufacturers, must deal with programming resource constraints, such as key length and RAM, to accommodate the use of public key quantum-safe algorithms and schemes in their new application development process.
Organizations also are interested in quantum-safe encryption to protect their long-lasting sensitive data and future-proof it. Quantum-safe readiness is on most organizations’ roadmap. Some already benchmarked quantum-safe algorithms and explored cryptographic inventory tools for application modernization.
1.1.2 Quantum threats and implications on data and identity
What will a cybercriminal be able to do with a quantum computer? Why do organizations need to act now? Why is the data at risk today?
A cybercriminal who uses a powerful quantum computer to break current cryptography poses the following threats and implications:
•Passive attacks on confidentiality
Cybercriminals might harvest data communications, recover session keys from encrypted channel negotiation, and decrypt communication transmissions. They can steal snapshots of encrypted cloud data, extract keys that are protected by using public keys, and conduct retrospective decryption.
Cybercriminals might decrypt lost or harvested historical data by cracking encryption keys. An organization’s sensitive data that is protected by using today’s cryptography might be vulnerable in the future. Encrypted data that is stolen during a data breach and encrypted media that is improperly disposed of or stolen are both at risk.
•Impersonation attacks on identities
Cybercriminals might create fraudulent code updates, insert malware, change configuration settings, and create damage. They might transfer assets on a blockchain or manipulate updates and forge transactions through fraudulent authentication. With quantum threats, identity over the internet and software authenticity cannot be guaranteed.
Cybercriminals might impersonate a remote system or user, authenticate, and gain access to and control of systems. They can remotely control critical business infrastructure or transport infrastructure. Systems that organizations are building today are at risk.
•Manipulate legal history by forging digital signatures
Cybercriminals might carry out fraudulent authentication by deriving private keys from public keys. The legal underpinnings of digitalization are vulnerable because documents can be forged by using a derived private key. Also, a guarantee of proof of authorship or integrity no longer exists.
1.2 Why are quantum computers a threat
Cryptographic algorithms are based on mathematics, and with enough time and computing resources they can be broken. Improvements in cryptographic algorithms always were needed over time, as computers and digital circuits increase in speed and capacity.
However, the nature of the mathematical algorithms that can be used on quantum computers is fundamentally different from what can run on conventional computers. Unfortunately for cryptography, specific algorithms that run on quantum computers can be efficient at breaking some current cryptographic algorithms.
To help understand how quantum computers are relevant to breaking current cryptography, we first need to recognize the different types of computers and how they work. These computers are sorted into the following categories:
•Conventional computers
These computers are the computers that we use every day. Their circuits operate on binary values (bits) that can have only two states: a zero (off) or a one (on). Algorithms are implemented as sequences of computer instructions that operate on these binary values.
•Supercomputers
A supercomputer is essentially a large and tightly coupled set of conventional computers, with high-speed communications between them. They reduced or offloaded input/output (I/O) routines by design to free up CPU cycles. Supercomputers are often used to solve problems that can be deconstructed into many separate computations, which are carried out in parallel on their computing nodes.
•Quantum computers
Quantum computers process data by using an entirely different mechanism than conventional computers and supercomputers. Rather than representing data as binary values (bits) that can have only two states, the property of superposition conceptually lets quantum computers have an exponentially large number of possible compute states as more of their quantum bits (or qubits) are entangled. Hence, the more qubits a quantum computer has available, the faster it can crack cryptographic algorithms.
The computational power of quantum computers is growing rapidly. In 2021, IBM launched the 127-qubit Quantum Eagle processor with novel packaging and controls. In 2023, IBM is to debut the 1,121-qubit Quantum Condor processor to explore potential Quantum Advantages: problems that can be solved more efficiently on a quantum computer than on the world’s best supercomputers.
Figure 1-1 shows the development roadmap of IBM Quantum.
Figure 1-1 Roadmap for scaling IBM quantum technology
For a report on estimates of quantum resilience for current cryptosystems, see Quantum Computing’s Implications for Cryptography.
1.2.1 Cryptography overview
Various methods have been used for thousands of years to protect information when it is stored or sent to other people. Early methods were simple, like the Caesar cipher, but they grew dramatically more sophisticated over time, particularly as attackers improved their ability to break the codes. The fundamental feature of all cryptographic algorithms is the use of functions that are easy to compute if you know the cryptographic key, but difficult if you do not.
The cryptographic algorithms are used for the following types of protection:
•Confidentiality: This process keeps data secret from people who are not authorized to see it. The unencrypted data is called plain text, and the encrypted data is called ciphertext.
•Integrity: This ability is used to prove that data was not modified.
•Authentication: This ability is used to prove who someone is, or who created a piece of data.
•Nonrepudiation: This ability is used to prevent someone from claiming they did not create a particular piece of data.
The cryptographic algorithms fall into the following categories, which are described next:
•Symmetric cryptography
•Asymmetric cryptography
•Hashing algorithms
Symmetric cryptography
Symmetric cryptography is used to encrypt and decrypt data. It is called symmetric because the same key is used for encryption and decryption. Symmetric algorithms are generally fast, and are used for everything from encrypting communications links to protecting banking transactions.
In addition to encryption of data, the symmetric algorithms are used to construct methods of providing integrity, authentication, and other operations that are important to security. For integrity, these functions are called Message Authentication Codes (MACs).
The following symmetric cryptographic algorithms are most commonly used today:
•Triple-DES (TDES, 3DES, or TDEA)
TDES is an older algorithm, which is gradually being phased out and replaced with the newer and stronger AES. TDES uses a key that is 112 bits or 192 bits long, and encrypts data in 64-bit blocks.
•Advanced Encryption Standard (AES)
AES uses keys that are 128 bits, 192 bits, or 256 bits, and it encrypts data in 128-bit blocks. The larger key lengths and encryption block sizes make AES stronger than TDES. AES also eliminates some design issues in TDES that make TDES susceptible to specific classes of attacks.
The symmetric algorithms use complex mathematical and logical operations to combine the data and the key in such a way that the ciphertext appears to be random values. With a strong algorithm, examining the ciphertext reveals nothing about the plain text or the key.
Therefore, the only way to break the algorithm is to try all possible keys until you find the one that works. On average, this effort means trying half of the possible keys. For example, with AES using a 256-bit key, you must try an average of half of the 2^256 possible keys, which is a huge number.
Asymmetric cryptography
In asymmetric cryptography, which is also known as public key cryptography, two keys are used in combination. This configuration contrasts with symmetric key cryptography, where the same key is used for all operations. The asymmetric keys come in pairs that are known as the public key and private key, which are mathematically related.
As the names imply, the public key can be seen by anyone, while the private key is kept secret. The owner of the key generates the public and private keys together; then, it keeps the private key secret while distributing the public key to anyone who needs it. It is impossible to determine the value of the private key from the public key.
Several asymmetric cryptographic algorithms are commonly used. The two most common are Elliptic Curve Cryptography (ECC), and RSA, which is named for its inventors Rivest, Shamir, and Adleman. Unlike symmetric algorithms, differences exist in what the distinct asymmetric algorithms can do.
ECC is based on the mathematics of elliptic curves. The curves are defined by polynomials, and the ECC algorithm is based on multiplication of points on the curve. When a point is multiplied by itself, the result is another point on the curve. When this multiplication occurs many times, it is difficult to look at the final point that results from the multiplications and determine anything about the original point.
The Elliptic Curve Digital Signature Algorithm (ECDSA) is used to compute and verify digital signatures by using ECC mathematics.
The Elliptic Curve Diffie-Hellman (ECDH) algorithm is used to negotiate shared symmetric encryption keys between two parties. Notably, the mathematics of ECC do not provide a way to encrypt and decrypt data directly. Encryption by using ECC is possible only if you first create a shared encryption key by using ECDH or a similar method and then encrypt the data by using that shared key with a symmetric algorithm, such as AES.
The security of RSA is based on the difficulty of factoring large numbers. The public key and private key each consist of a modulus and an exponent, where the modulus is the same for both, but the public exponent and private exponent are different. The modulus is the product of two large prime numbers, and security is based on the fact that it is infeasible to factor the modulus to find those two large primes.
RSA encryption and decryption are based on modular exponentiation, where the value to be encrypted is raised to the public or private exponent, but that computation is done by using modular arithmetic that constrains the result to be less than the value of the modulus.
Whenever a value is raised to an exponent and then truncated according to the modulus, information is lost, which makes the process difficult to reverse. RSA can be used to directly encrypt data, and it is used for digital signatures by encrypting a hash of the data you want to sign. It is also frequently used to encrypt keys to transport them to other parties.
Hashing algorithms
A hash algorithm does not “encrypt” data; instead, it creates a fixed-length digital “fingerprint” (called a hash) from input data of any length. If even one bit of the input data is modified, the computed hash is entirely different.
Cryptographic hash functions meet two criteria: First, if you know the hash value, you cannot use it to learn anything about the content of the data that was hashed. Secondly, it is infeasible to find a different set of data that produces the same hash value.
Recommended hash functions today are the SHA-2 and SHA-3 families, which offer versions that create hashes from 224 bits to 512 bits long. The older hash functions SHA-1 and MD5 are no longer considered secure, although they are still in use in some applications.
1.3 Impact of Shor’s and Grover’s algorithms
When available, a sufficiently strong quantum computer can perform specific mathematical computations exponentially faster than a conventional computer or supercomputer. The most powerful conventional computer can take millions of years to solve the integer factorization problem to find prime factors for a 2048-bit composite integer.
The use of a quantum computer with Shor’s and Grover’s algorithms can break or weaken some current cryptographic algorithms. When run on quantum computers, Shor’s and Grover’s algorithms serve as cryptanalysis algorithms.
Asymmetric algorithms derive security strength from one of three complex mathematical problems:
•Integer factorization
•Discrete logarithm
•Elliptic curve discrete logarithm
Examples of asymmetric algorithms and protocols are RSA, ECC, DH, ECDH, and ECDSA. Consider RSA, which derives its strength from the difficulty in solving the integer factorization problem. It is easy to multiply primes but difficult to take a composite integer and reduce it back to the prime factors. The difficulty in factoring rises exponentially (not linearly) as the number of bits in the key increases. The typical RSA key is 2048 bits. It is not possible with today’s conventional computers to factor an integer with 2048 bits.
A sufficiently strong quantum computer can solve the factoring problems within hours with Shor's algorithm because it provides an exponentially faster method for solving integer factorization, discrete logarithm, and elliptic curve discrete logarithm problems.
Shor’s algorithm has the potential to completely break the RSA and Diffie-Hellman cryptosystems and their elliptic curve-based analogs, but it cannot be used to attack symmetric encryption or hashing algorithms. Therefore, asymmetric crypto algorithms are most vulnerable to compromise.
Armed with Shor’s algorithm, an adversary or cybercriminal can take a public key and derive the private key to enable impersonation and fraud attacks. Therefore, we need new algorithms that are based on different mathematical problems and that run on conventional computers to address a CRQC attack that uses Shor’s algorithm.
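To make the RSA description above and the Shor’s-algorithm threat concrete, here is an added Python toy (not the book’s own code) with constructed primes 61 and 53 and public exponent 17: it builds the key pair from two primes, encrypts and signs by modular exponentiation, and shows that whoever factors the modulus recovers the private exponent, which is exactly the step that Shor’s algorithm makes efficient on a CRQC.

```python
import hashlib
from math import gcd

# Constructed toy primes and exponent; a real RSA modulus is 2048 bits or more.
P, Q, E = 61, 53, 17


def keygen(p, q, e):
    """RSA key pair from two primes. Both keys share the modulus n = p*q;
    the public exponent e and private exponent d differ."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, plaintext):
    """Modular exponentiation with the public exponent; the reduction mod n
    is the step that discards information and makes reversal hard."""
    n, e = public_key
    if not 0 <= plaintext < n:
        raise ValueError("plaintext must be smaller than the modulus")
    return pow(plaintext, e, n)


def decrypt(private_key, ciphertext):
    n, d = private_key
    return pow(ciphertext, d, n)


def hash_to_int(data, n):
    """SHA-256 digest as an integer; reduced mod n only because the toy
    modulus is far smaller than a 256-bit digest."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, data):
    """Sign by 'encrypting' the hash of the data with the private exponent."""
    n, d = private_key
    return pow(hash_to_int(data, n), d, n)


def verify(public_key, data, signature):
    n, e = public_key
    return pow(signature, e, n) == hash_to_int(data, n)


def factor_by_trial_division(n):
    """Fine for a 12-bit toy modulus, hopeless for 2048 bits on conventional
    computers; Shor's algorithm on a CRQC performs this step efficiently."""
    f = 2
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 1
    raise ValueError("modulus is prime or 1")


def private_key_from_factors(public_key, p, q):
    """Knowing p and q, the private exponent follows at once: this is why an
    efficient factoring method breaks RSA entirely."""
    n, e = public_key
    if p * q != n:
        raise ValueError("p*q does not match the modulus")
    return (n, pow(e, -1, (p - 1) * (q - 1)))


if __name__ == "__main__":
    public, private = keygen(P, Q, E)
    c = encrypt(public, 65)
    print("ciphertext", c, "-> plaintext", decrypt(private, c))
    s = sign(private, b"transfer 100")
    print("signature valid:", verify(public, b"transfer 100", s))
    # Derive the private key from the public key alone by factoring n.
    p, q = factor_by_trial_division(public[0])
    print("recovered key matches:", private_key_from_factors(public, p, q) == private)
```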
Symmetric algorithms derive security strength from the difficulty in mounting a brute force attack or exhaustive search exploration of all possible inputs to find the answer. For cryptography, this trial-and-error technique is used to guess the correct value or key.
Examples of symmetric or hashing algorithms include AES, TDES, SHA-2, and CMAC. Brute force attacks on symmetric and hashing algorithms take a long time to search the key space for the correct encryption key, or the message digest space for the digest that maps to specific data. When found, the correct key can be used to decrypt encrypted data. For a key with 256 bits, 2^256 options exist to try in a worst-case scenario.
A quantum computer can cut the strength of a symmetric algorithm in half by using Grover’s algorithm. Grover’s algorithm does not break all symmetric algorithms, but it can be used to speed up a brute force search for symmetric keys or to reverse engineer a cryptographic hash. The risks to symmetric and hashing algorithms can be mitigated by switching algorithms or increasing key or hash digest sizes because Grover’s algorithm is ineffective if the search space is too large.
Grover’s quantum algorithm can affect hash-based password systems because only a few passwords must be searched, and the low security level of TDEA and SHA-1 means they are both at risk.
Table 1-1 lists the current security strength of specific symmetric and hash algorithms versus post-quantum cryptography security levels. The security level and post-quantum cryptography level values are a measure of the strength that is expressed in bits.
Table 1-1 Quantum computer consequences for current cryptographic algorithms
Security level | Post-quantum level | Symmetric | Hash
<= 80 | <= 40 | 2TDEA | SHA-1
112 | 56 | 3TDEA | SHA-224
128 | 64 | AES-128 | SHA-256
192 | 96 | AES-192 | SHA-384
256 | 128 | AES-256 | SHA-512
1.4 Cryptographic vulnerabilities possible with quantum computers
All of today’s approved cryptographic algorithms are strongly secure against conventional computers, including supercomputers. For example, consider AES with a 128-bit key. On average, it takes 2^127 guesses to find the right key. If we assume that a conventional computer can try one key every microsecond, it takes about 5.4 × 10^24 years to find the key, which is not feasible. Even the fastest supercomputers can reduce this time only slightly.
However, the problem with quantum computers is that they do not have to take this approach for some of today’s algorithms. In particular, the asymmetric algorithms can be broken almost instantaneously by using Shor's algorithm, even for the longest keys in use.
The advent of quantum computers makes it possible to attack algorithms by using methods that did not exist when attackers used conventional computers. Shor’s algorithm with a sufficiently large quantum computer can easily break RSA or ECC algorithms. For this reason, new asymmetric algorithms are being developed that use different mathematical principles that are not subject to attack with Shor’s algorithm or any other known process on quantum computers.
The risk to symmetric and hashing algorithms is significantly lower. Shor’s algorithm cannot be used against them, but another algorithm that runs on quantum computers can reduce their security.
Grover’s algorithm can be used to reduce search times, and it can be used to improve brute force attacks to find a cryptographic key. When searching for something in a space of N total items, Grover’s algorithm reduces the effort to √N. For example, a 256-bit AES key can be found with difficulty of only 2^128. However, this key is still considered unbreakable, and NIST and other organizations believe that AES, SHA-2, and SHA-3 provide entirely adequate security in the age of quantum computers.
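As an added example (not from the original book), the following Python computes the brute-force estimate for AES-128 given above, the Grover square-root reduction, and the halved post-quantum levels of Table 1-1. The security levels are copied from that table; the year figure assumes 365.25-day years and one key trial per microsecond.

```python
import math

# Classical security levels from Table 1-1, collected here as a dict.
# 2TDEA and SHA-1 are listed as "<= 80"; their upper bound of 80 is used.
CLASSICAL_SECURITY_BITS = {
    "2TDEA": 80, "SHA-1": 80,
    "3TDEA": 112, "SHA-224": 112,
    "AES-128": 128, "SHA-256": 128,
    "AES-192": 192, "SHA-384": 192,
    "AES-256": 256, "SHA-512": 256,
}

# Microseconds in a Julian year, for the "one key per microsecond" estimate.
MICROSECONDS_PER_YEAR = 365.25 * 24 * 60 * 60 * 1_000_000


def classical_expected_guesses(key_bits: int) -> int:
    """Exhaustive search must on average try half of the 2^n keys: 2^(n-1)."""
    return 2 ** (key_bits - 1)


def years_at_one_key_per_microsecond(key_bits: int) -> float:
    """Wall-clock time for the expected classical search at 10^6 keys/s."""
    return classical_expected_guesses(key_bits) / MICROSECONDS_PER_YEAR


def grover_effort(search_space_bits: int) -> int:
    """Grover's algorithm finds an item among N = 2^n with about sqrt(N)
    evaluations, so an n-bit key costs roughly 2^(n/2) quantum queries."""
    return math.isqrt(2 ** search_space_bits)


def post_quantum_level(classical_bits: int) -> int:
    """Halving of the security strength under Grover (Table 1-1, column 2)."""
    return classical_bits // 2


def key_bits_for_post_quantum_level(target_bits: int) -> int:
    """Mitigation named on the page: keep strength under Grover by doubling
    the key or digest size, e.g. 256-bit AES for a 128-bit post-quantum level."""
    return 2 * target_bits


def quantum_impact_table():
    """Recompute Table 1-1 as (algorithm, classical level, post-quantum level)."""
    return [
        (name, bits, post_quantum_level(bits))
        for name, bits in CLASSICAL_SECURITY_BITS.items()
    ]


if __name__ == "__main__":
    print(f"AES-128 classical search: {years_at_one_key_per_microsecond(128):.2e} years")
    print(f"AES-256 under Grover: about 2^{grover_effort(256).bit_length() - 1} work")
    for name, classical, pq in quantum_impact_table():
        print(f"{name:8s} classical={classical:3d} post-quantum={pq:3d}")
```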
Table 1-2 lists the security effect of various algorithms and protocols when a sufficiently strong quantum computer is available.
Table 1-2 Effect of quantum computing on cryptographic schemes
Cryptographic algorithm | Type | Purpose | Quantum computer impact
AES-256 | Symmetric key | Encryption | Secure
SHA-256, SHA-3 | Hash algorithm | Hash functions | Secure
RSA | Public key | Signatures, key establishment | Broken
ECDSA, ECDH (Elliptic Curve Cryptography) | Public key | Signatures, key exchange | Broken
DSA (Finite Field Cryptography) | Public key | Signatures, key exchange | Broken
Organizations must consider integrating quantum-safe protection into their digital transformation strategy and application modernization plans to mitigate these two vulnerabilities with current cryptography. Consider the following points:
•Public key algorithms are broken by a large-scale quantum computer by using Shor’s algorithm. Organizations can mitigate this vulnerability by migrating to quantum-safe algorithms and schemes.
•Symmetric key and hashing algorithms are affected by a large-scale quantum computer. Grover’s algorithm cuts in half the security strengths of symmetric and hashing algorithms. Organizations can mitigate this vulnerability by increasing the key or message digest sizes.
Secure processes rely on protocols that employ public key cryptography, including those protocols that are used to secure websites for banking transactions, secure email, and signing software. It will take 5 - 15 or more years to replace most public key cryptosystems that are used now.
1.5 New algorithms to counter CRQC attacks
As data value grows and the required protection increases exponentially, a sense of urgency exists to protect long-lasting data from potential CRQC attacks. Organizations must safeguard data today with new cryptographic algorithms that protect against potential future CRQC attacks that might affect system integrity and core business infrastructures.
Researchers and standards bodies are moving to address the threat of CRQC attacks. They are identifying quantum-safe algorithms to protect conventional computer workloads and data.
But what makes an algorithm quantum-safe? Algorithms are based on mathematical problems with no known quantum computer speedup. Five categories of cryptographic schemes are believed to be quantum-safe (see Table 1-3). Current quantum-safe algorithm candidates are based on these schemes.
Table 1-3 Categories and examples of quantum-safe algorithm candidates
Category | Description
Lattice-based crypto | Crypto schemes from a field of mathematics that is called the geometry of numbers. The security of these schemes is based on the difficulty of solving mathematical problems over lattices; for example, the Shortest Vector Problem (SVP) and the Closest Vector Problem (CVP). Examples include CRYSTALS-Kyber, CRYSTALS-Dilithium, and Falcon.
Multi-variate crypto | A group of cryptosystems that is based on the difficulty of solving nonlinear (usually quadratic) equations over finite fields. The idea is that solving systems of equations in many variables is difficult under constraints that depend on the scheme. Examples include Rainbow and GeMSS.
Code-based crypto | This cryptography uses error-correcting codes to build public key cryptography. Examples include Classic McEliece and BIKE.
Hash-based crypto | This cryptography includes digital signature schemes that are based on cryptographic hashes; for example, SPHINCS+.
Isogeny crypto | Supersingular elliptic-curve isogeny cryptography is based on isogenies, which are mappings between two elliptic curves; for example, SIKE.
Note: Quantum-safe algorithms run on conventional computers to protect data; the new algorithms that can break some conventional cryptography run on quantum computers. That is, quantum-safe algorithms do not run on quantum computers; instead, they run on conventional computers.
1.5.1 Quantum-safe algorithms
Currently, new cryptographic algorithms are being developed to safeguard against attacks from conventional or quantum computers. This effort is happening through a competition that is sponsored by NIST, where worldwide cryptographic experts submit candidate algorithms and analyze each other’s submissions.
The algorithms are separated into the following categories:
•Digital signature algorithms
•Key encapsulation mechanisms and key-establishment algorithms
NIST indicated that after careful consideration during the third round of the NIST Post Quantum Cryptography Standardization Process, it identified four candidate algorithms for standardization. The primary algorithms NIST recommends to be implemented for most use cases are CRYSTALS-Kyber (key-establishment) and CRYSTALS-Dilithium (digital signatures). In addition, the signature schemes Falcon and SPHINCS+ also are to be standardized.
Algorithms to be standardized
For public-key encryption and key encapsulation mechanism (KEM), CRYSTALS-Kyber is to be standardized.
For digital signatures, the following algorithms are to be standardized:
•CRYSTALS-Dilithium
•Falcon
•SPHINCS+
CRYSTALS-Kyber (key-establishment) and CRYSTALS-Dilithium (digital signatures) were selected for their strong security and excellent performance, and NIST expects them to work well in most applications.
Falcon is also to be standardized by NIST because use cases might exist for which CRYSTALS-Dilithium signatures are too large. Also, SPHINCS+ is to be standardized to avoid relying only on the security of lattices for signatures.
Also, the following candidate KEM algorithms are to advance to the fourth round:
•BIKE
•Classic McEliece
•HQC
•SIKE
IBM Research® scientists were involved in the development of CRYSTALS-Kyber, CRYSTALS-Dilithium, and Falcon. They also made contributions to the development of SPHINCS+ and SIKE.
IBM implemented two of the leading finalists in this competition: CRYSTALS-Dilithium for digital signatures and CRYSTALS-Kyber as a key encapsulation mechanism. By using these algorithms, you can ensure that your data is still protected in the future when large-scale quantum computers are available. Neither of these algorithms is subject to attack by using Shor’s algorithm or any other known quantum computer algorithm.
For information about these quantum-safe algorithms, see the following web pages:
The security of these two algorithms is based on the difficulty of solving the learning-with-errors (LWE) problem over module lattices. The LWE problem involves solving a system of linear equations, where an error of ±1 was intentionally introduced. Because of the errors, the usual methods of solving a system of linear equations do not work, which makes it infeasible to solve for the secret value.
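The following added Python example (not the book’s code) illustrates the LWE idea with a constructed 3-unknown system modulo the prime 17: without errors, Gauss-Jordan elimination modulo q recovers the secret from the public A and b, but once ±1 errors are added, the same linear-algebra approach returns a wrong vector. The matrix, modulus, and secret are toy values; Kyber and Dilithium use module lattices with far larger dimensions.

```python
# Constructed toy LWE instance: 3 unknowns modulo a small prime. Real lattice
# schemes (Kyber, Dilithium) use module lattices with hundreds of coefficients
# and a larger modulus; the mechanism shown here is the same.
Q = 17                                   # prime modulus
A = [[1, 2, 3], [2, 1, 5], [3, 4, 1]]    # public matrix (invertible mod 17)
SECRET = [5, 11, 3]                      # secret vector s (never published)


def matvec_mod(a, x, q):
    """Matrix-vector product A*x reduced modulo q."""
    return [sum(r * v for r, v in zip(row, x)) % q for row in a]


def lwe_public_vector(a, s, errors, q):
    """b = A*s + e (mod q). With e = 0 this is an ordinary linear system;
    the small error vector e is what turns it into an LWE instance."""
    clean = matvec_mod(a, s, q)
    return [(c + err) % q for c, err in zip(clean, errors)]


def solve_linear_mod_prime(a, b, q):
    """Gauss-Jordan elimination over GF(q) for a square system A*x = b.
    This is the 'usual method' for linear equations that LWE defeats."""
    n = len(a)
    m = [row[:] + [bi] for row, bi in zip(a, b)]   # augmented matrix
    for col in range(n):
        pivot = next((r for r in range(col, n) if m[r][col] % q != 0), None)
        if pivot is None:
            raise ValueError("matrix is singular modulo q")
        m[col], m[pivot] = m[pivot], m[col]
        inv = pow(m[col][col], -1, q)              # field inverse mod q
        m[col] = [(v * inv) % q for v in m[col]]
        for r in range(n):
            if r != col and m[r][col] != 0:
                f = m[r][col]
                m[r] = [(rv - f * cv) % q for rv, cv in zip(m[r], m[col])]
    return [row[n] for row in m]


def linear_attack_recovers_secret(a, b, q, secret):
    """True if treating b as error-free and solving yields the real secret."""
    return solve_linear_mod_prime(a, b, q) == secret


if __name__ == "__main__":
    b_clean = lwe_public_vector(A, SECRET, [0, 0, 0], Q)
    b_noisy = lwe_public_vector(A, SECRET, [1, -1, 1], Q)   # errors of +/-1
    print("no errors  :", linear_attack_recovers_secret(A, b_clean, Q, SECRET))
    print("with errors:", linear_attack_recovers_secret(A, b_noisy, Q, SECRET))
```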
Note: IBM Crypto Express8S (CEX8S) for IBM z16 includes implementations of the CRYSTALS-Dilithium and CRYSTALS-Kyber algorithms; the IBM Crypto Express7S (CEX7S) for IBM z16 and IBM z15™ includes CRYSTALS-Dilithium support.
For more information about the IBM Z cryptographic stack, see 4.1, “IBM Z cryptographic components overview” on page 48.
1.6 Quantum-safe capabilities with IBM Z
IBM z16 supports quantum-safe cryptography in the following ways:
•Infrastructure that protects the integrity of the system
•API functions that can be used by application programs
These methods are described next.
1.6.1 Quantum-safe infrastructure in IBM z16
IBM z16 adds features to protect the system from attacks, including threats that might use quantum computers. In particular, the system includes a secure boot feature in which it is protected with quantum-safe technology through the many firmware layers that are loaded during the boot process. Only authentic, IBM-approved firmware is accepted.
This hardware-protected verification of the firmware uses a dual-signature scheme, which uses a combination of quantum-safe and classical digital signatures. The protection is anchored in the IBM Z Root of Trust.
Quantum-safe mechanisms also were added to the IBM Z cryptographic infrastructure. The Crypto Express Hardware Security Module (HSM) now uses a quantum-safe dual-signature scheme similar to the one described for the IBM Z server boot process.
Changes were made to the TKE feature to use quantum-safe cryptography when authenticating Crypto Express8S (CEX8S) coprocessors, verifying replies from the CEX8S coprocessors, and protecting key parts in flight for the Common Cryptographic Architecture (CCA). Finally, the IBM Z pervasive encryption functions were updated to use quantum-safe mechanisms for key management.
Other IBM z16 enhancements include the following examples:
•IBM z/VM® guest support for quantum-safe APIs on virtualized Crypto Express features for IBM z/OS, Linux on IBM Z, and IBM VSE
•IBM RACF® quantum-safe encrypted VSAM database support, and other base infrastructure crypto-related enhancements
1.6.2 Quantum-safe API functions available to application programs
Integrated Cryptographic Services Facility (ICSF) is a software element of z/OS that provides cryptographic APIs. ICSF works with the hardware cryptographic features to provide secure, high-speed cryptographic services in the z/OS environment, and it provides the application programming interfaces through which applications request those services. These services include (but are not limited to) encrypting data by using software, the Crypto Express HSM, or CP Assist for Cryptographic Functions (CPACF).
ICSF offers two different cryptographic APIs for use by application programs:
•Common Cryptographic Architecture (CCA): An IBM proprietary API that includes general-purpose cryptographic functions and the special functions that are required by the payments industry.
•Enterprise PKCS#11: A standardized API that is widely used on many systems for many applications.
CCA and PKCS#11 provide API functions to support quantum-safe digital signatures by using CRYSTALS-Dilithium, and to support key agreements by using a hybrid CRYSTALS-Kyber method. You can generate the public and private keys, generate and verify digital signatures, and negotiate a shared symmetric key by using the key agreement protocol.
Although the new algorithms are needed to provide quantum-safe asymmetric cryptography, the CCA and PKCS#11 APIs contain the functions you need to implement quantum-safe symmetric cryptography and hashing.
You can encrypt data by using AES, with key sizes ranging from 128 to 256 bits. You can use the SHA-2 or SHA-3 hash functions, with hash lengths up to 512 bits. In combination with the new digital signature and key agreement algorithms, this configuration gives a complete suite of quantum-safe cryptographic algorithms.
For digital signatures, one common approach today is to implement dual signatures, where data is signed by using both the older algorithms, such as Elliptic Curve, and the new quantum-safe algorithms. By doing so, you can meet standards that require the older algorithms while also providing the higher level of protection that the quantum-safe algorithms offer. Meeting those standards is easy by using CCA or Enterprise PKCS#11 on IBM z16 because the digital signature APIs now offer both classes of signature algorithms.
Finally, the Enterprise Key Management Foundations (EKMF) key management system now supports the management of CRYSTALS-Dilithium and CRYSTALS-Kyber keys. This support allows you to manage these new key types with the same tool that was available to manage other types of cryptographic keys.