Cryptography: Why McEliece is not widely used

There are already cryptosystems that would withstand quantum computers


Tanja Lange and her team are not the only ones who are now looking for a suitable replacement for the processes behind RSA and ECC, so that large parts of Internet traffic can also be securely encrypted in the coming decades. Microsoft and the Dutch chip manufacturer NXP are also trying to use new algorithms to prepare TLS transport encryption for the post-quantum age.

Such algorithms and schemes already exist in principle, for example the McEliece system, invented in 1978. It uses so-called error-correcting codes in a disguised representation. To encrypt, the sender deliberately introduces errors into the message, and only someone who knows the hidden, efficient error-correction algorithm can recover the original message. This secret algorithm is the private key; the disguised representation of the code is the public one.

But the schemes considered so far are not yet suitable for everyday use, says Lange, for two reasons: "Why don't we have post-quantum cryptography in our smartphones yet? Mainly because the keys are too big." This slows down encryption and decryption as well as the establishment of an encrypted connection, and large keys do not fit into the currently accepted Internet protocols. The second obstacle: "For some systems, the calculation takes too long." Such computationally intensive algorithms cost energy, which becomes a problem at the latest in a smartphone with its correspondingly small battery. The Microsoft/NXP team is currently struggling with exactly this.
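To make the mechanism from the previous paragraphs concrete, here is a toy McEliece round trip in Python, added as an illustration; it is not code from the article or from the PQCRYPTO project. It swaps the Goppa codes of the real system for the tiny Hamming(7,4) code (which corrects one error), so it is instructive rather than secure. The seed, the function names and the parameter pair n = 3488, k = 2720 (the smallest Classic McEliece parameter set, which the article does not mention) are my own choices; the last is used only to show why the public key is so large.

```python
"""Toy McEliece over the binary Hamming(7,4) code (corrects t = 1 error).

Private key: an invertible scrambling matrix S and a permutation P that hide
the code structure.  Public key: the disguised generator matrix S * G * P.
A 7-bit code is trivially breakable; the real scheme uses Goppa codes with
n in the thousands, which is exactly why its public keys are so big.
"""
import random

N, K = 7, 4  # code length and dimension of Hamming(7,4)

# Systematic generator matrix G = [I_4 | P_h] of the Hamming(7,4) code.
G = [
    [1, 0, 0, 0, 1, 1, 0],
    [0, 1, 0, 0, 1, 0, 1],
    [0, 0, 1, 0, 0, 1, 1],
    [0, 0, 0, 1, 1, 1, 1],
]
# Parity-check matrix H = [P_h^T | I_3].  All columns are distinct and
# non-zero, so the syndrome of a single error identifies the flipped bit.
H = [
    [1, 1, 0, 1, 1, 0, 0],
    [1, 0, 1, 1, 0, 1, 0],
    [0, 1, 1, 1, 0, 0, 1],
]


def mat_mul(a, b):
    """Matrix product over GF(2); matrices are lists of 0/1 rows."""
    cols = list(zip(*b))
    return [[sum(x & y for x, y in zip(row, col)) & 1 for col in cols] for row in a]


def vec_mat(v, m):
    """Row vector times matrix over GF(2)."""
    return mat_mul([v], m)[0]


def transpose(m):
    return [list(col) for col in zip(*m)]


def mat_inv(m):
    """Gauss-Jordan inverse over GF(2); returns None if m is singular."""
    n = len(m)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(m)]
    for col in range(n):
        piv = next((r for r in range(col, n) if aug[r][col]), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        for r in range(n):
            if r != col and aug[r][col]:
                aug[r] = [x ^ y for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def hamming_decode(r):
    """The efficient secret decoder: fix up to one error, return the 4 message bits."""
    syndrome = tuple(sum(h & x for h, x in zip(row, r)) & 1 for row in H)
    r = r[:]
    if any(syndrome):
        r[list(zip(*H)).index(syndrome)] ^= 1  # syndrome == column of the flipped bit
    return r[:K]  # G is systematic, so the first K bits are the message


def keygen(seed=None):
    """Return (public_key, private_key). `seed` is for reproducible demos only;
    a real implementation draws S and P from a CSPRNG, not `random`."""
    rng = random.Random(seed)
    while True:  # random invertible 4x4 scrambler S
        S = [[rng.randint(0, 1) for _ in range(K)] for _ in range(K)]
        if mat_inv(S) is not None:
            break
    perm = list(range(N))
    rng.shuffle(perm)
    P = [[int(perm[i] == j) for j in range(N)] for i in range(N)]
    return mat_mul(mat_mul(S, G), P), (S, P)


def encrypt(pub, msg, error_pos):
    """c = msg * G_pub + e.  The sender normally picks the error position at
    random; it is a parameter here so every case can be checked exhaustively."""
    c = vec_mat(msg, pub)
    c[error_pos] ^= 1
    return c


def decrypt(priv, c):
    S, P = priv
    undisguised = vec_mat(c, transpose(P))  # P^-1 == P^T for a permutation
    m_scrambled = hamming_decode(undisguised)  # error removed, yields msg * S
    return vec_mat(m_scrambled, mat_inv(S))


def public_key_bytes(n, k):
    """Size of a dense k x n binary public matrix, the 'keys are too big' problem."""
    return n * k // 8


def roundtrip_all(seed=7):
    """Every 4-bit message with every single-bit error must decrypt correctly."""
    pub, priv = keygen(seed)
    for i in range(1 << K):
        msg = [(i >> b) & 1 for b in range(K)]
        for pos in range(N):
            if decrypt(priv, encrypt(pub, msg, pos)) != msg:
                return False
    return True


if __name__ == "__main__":
    print("all round trips ok:", roundtrip_all())
    print("toy public key bytes:", public_key_bytes(N, K))
    print("n=3488, k=2720 public key bytes:", public_key_bytes(3488, 2720))
```

The public matrix reveals no visible Hamming structure, yet anyone holding S and P can undo the permutation, run the fast syndrome decoder and unscramble the result; an attacker without them faces decoding a seemingly random code. The same dense-matrix layout is what pushes a key with n = 3488 and k = 2720 past a megabyte, the size problem Lange describes.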

No solution for mass encryption yet

Anyone who is "sufficiently paranoid or security-sensitive", says Lange, probably also referring to herself, could use post-quantum schemes today as long as it is done on a small scale, for example for email encryption or for backup copies. In these cases a key only has to be downloaded once, so it does not matter if it is a few megabytes in size.

But research does not yet have a suitable solution for the global scale, for encrypting large parts of daily Internet traffic. Not least because an optimal encryption system generates new keys every time a connection is established; this is called forward secrecy. If every one of those keys were many times larger than the ones used today, the Internet would be more or less unusable.

In addition, future schemes should ideally also be protected against so-called side-channel attacks. This means that an attacker should not be able to infer the secret key from, for example, the electromagnetic radiation emitted by a computer. There are fascinatingly creative approaches to such attacks, and the countermeasures are correspondingly difficult. Experts from RU Nijmegen and Ruhr University Bochum are therefore working on this within PQCRYPTO.

The first software modules should be available in 2018

The project is making progress. "We have a few candidates that we consider post-quantum-safe," says Lange. Today, Monday, she published a corresponding, albeit short, list. It contains references to encryption methods that are so secure that they have not been cracked for 30 years. But they are not yet suitable for the masses.

By 2018, when EU funding expires, the list should contain not just proposals but ready-made libraries that can be integrated into encryption software. The project participants are also well networked with standardization bodies such as ISO, IETF and NIST, so that their solutions can eventually be declared standards. However, it often takes years for these to become widespread. It cannot be ruled out that researchers will develop a real, practically usable quantum computer before then.

Tanja Lange thinks the idea is "really great"; after all, quantum computers can also be used for better weather forecasts, searching through large databases or medical research: "I definitely want quantum computers to exist. We just have to accept that today's cryptography suffers as a side effect."