11 Oct 2022
Case study

How we quantum-proofed IBM z16

Quantum computers are poised to revolutionize many areas of society — but there is an important security challenge ahead.

We predict that fault-tolerant quantum computers will be able to break modern encryption. That’s why, as we’ve been developing quantum computers, IBM has also been investing in securing cryptography against future threats, developing so-called quantum-safe cryptography algorithms. Earlier this year, the U.S. National Institute of Standards and Technology (NIST) chose the future quantum-safe standards — with three out of four developed with the help of IBM researchers.

In 2015, even before IBM put its first quantum computer on the cloud and way before NIST chose its new standards, our Zurich-based cryptography team began researching how to quantum-proof the IBM zSystems platform.

Tests on real hardware

We began testing on real systems, focusing on the IBM zSystems high-assurance stack, as this has been specifically developed to guarantee long-term security for IBM zSystems. The stack includes the Hardware Security Modules (HSM) — dedicated crypto processors that protect the entire crypto key lifecycle. As a result, the compute and storage resources within the HSM are limited. We wanted to find issues as early as possible while deploying new quantum-safe schemes. Key sizes had never been this large before, and we expected a latency impact with some schemes due to their higher computational demand.

At the end of 2016, the idea of creating new, quantum-safe standards had spilled beyond just a few teams of cryptographers. NIST called for proposals on quantum-safe replacements for the current digital signatures and key establishment schemes, kicking off the process to develop new cryptography standards.

By 2018, our team widened the real system tests using NIST’s first-round candidates as they were announced. In the first risk assessment based on our proof-of-concept and test results, we also proposed to the IBM zSystems team a way to migrate to quantum-safe algorithms.

A quantum-safe crypto migration for IBM zSystems

Our own systems were the first to be tested, and trials were a success. We showed how to migrate the root-certificate and the firmware signatures of the HSM for the IBM z15 system, using CRYSTALS-Dilithium as the signature scheme. We picked this scheme based on our earlier experiments, as the lattice-based algorithms had excelled in performance and key size. The results of those tests were described by Lyubashevsky and his team in their 2017 paper [1] submitted to the NIST competition.

The z15 migration guaranteed safety and forgery-proof updates of the system throughout its lifetime. IBM controls the full application stack and does not depend on any third-party components, so the decision to migrate meant that the full infrastructure for the certification process had to be migrated as well. The effort was worth it, though, because migrating the HSM ensured that the most secure element in IBM z15 would be protected by quantum-safe algorithms.

This is crucial, given the trust our clients have in the IBM zSystems platform. Making the HSM quantum-safe meant that it could be trusted and updated in subsequent generations and be protected from future risks posed by quantum computing. So while z15 was not yet fully quantum-safe like the next-generation platform, IBM z16, it already had Dilithium operations enabled in its HSM, and the IBM zSystems logging trail was also signed with a Dilithium signature.

Because we implemented the CRYSTALS-Dilithium scheme early in order to assess the risk, we had to come up with a mitigation strategy for the implementation maturity of such schemes — typically, new schemes are not necessarily secure at first. This lesson dates back to 1985, when Neal I. Koblitz and Victor Miller came up with Elliptic Curve Cryptography (ECC) [2] — a type of cryptography where the design and analysis of public-key cryptographic schemes can be implemented using elliptic curves. Since then, the security community has had to learn that implementation maturity is a crucial security factor for any crypto scheme. An incorrect implementation could leak ECC private keys through so-called side-channel attacks, which typically rely on measurements of the physical implementation of a cryptosystem.

So combining an implementation-mature signature scheme with a quantum-safe one allows for securely updating it after the deployment — when, for example, a new side-channel is discovered, without putting the entire system at risk. That’s why early in the game, our team decided to implement the HSM’s certificate in a hybrid scheme to protect it from implementation weaknesses or side-channel attacks.
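The hybrid idea described above, as an added example (not IBM's code): a firmware image is accepted only if both component signatures verify, so a signer key leaked from one scheme is not enough to forge an update. Assumptions: a Lamport one-time signature stands in for CRYSTALS-Dilithium and toy textbook RSA stands in for the implementation-mature scheme, because neither Dilithium nor ECC is in the Python standard library; all function names and firmware bytes are constructed.

```python
import hashlib, secrets

def H(b): return hashlib.sha256(b).digest()
def digest_int(msg): return int.from_bytes(H(msg), "big")

# Stand-in 1 (assumption): toy textbook RSA over two Mersenne primes.
# Represents the implementation-mature classical scheme; NOT secure.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def classical_sign(msg): return pow(digest_int(msg) % N, D, N)
def classical_verify(msg, sig): return pow(sig, E, N) == digest_int(msg) % N

# Stand-in 2 (assumption): Lamport one-time signature (hash-based).
# Represents the quantum-safe scheme; one key pair signs one message.
def lamport_keygen():
    sk = [[secrets.token_bytes(32) for _ in range(2)] for _ in range(256)]
    pk = [[H(s) for s in pair] for pair in sk]
    return sk, pk

def bits(msg):
    d = digest_int(msg)
    return [(d >> i) & 1 for i in range(256)]

def lamport_sign(sk, msg): return [sk[i][b] for i, b in enumerate(bits(msg))]

def lamport_verify(pk, msg, sig):
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for (i, b), s in zip(enumerate(bits(msg)), sig))

def hybrid_sign(sk_pq, msg):
    return {"classical": classical_sign(msg), "pq": lamport_sign(sk_pq, msg)}

def hybrid_verify(pk_pq, msg, sig):
    # AND policy: evaluate both components, accept only if both pass.
    ok_classical = classical_verify(msg, sig["classical"])
    ok_pq = lamport_verify(pk_pq, msg, sig["pq"])
    return ok_classical and ok_pq

def demo():
    sk, pk = lamport_keygen()
    fw = b"firmware v1 (constructed)"
    tampered = b"firmware v1, modified (constructed)"
    good = hybrid_sign(sk, fw)
    # Model a failure of ONE component: the classical signing key has leaked,
    # so a valid classical signature exists for the tampered image, but the
    # only quantum-safe signature available is the one issued for fw.
    mixed = {"classical": classical_sign(tampered), "pq": good["pq"]}
    return (hybrid_verify(pk, fw, good),
            classical_verify(tampered, mixed["classical"]),
            hybrid_verify(pk, tampered, mixed))

if __name__ == "__main__":
    print(demo())
```

The second value shows that a classical-only verifier would accept the tampered image; the third shows the hybrid verifier rejecting it.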

With the success of the first implementation of a quantum-safe algorithm in a real-life product, the IBM zSystems business decided to fully secure IBM z16 from potential quantum attacks in the future. The first step was to compile a cryptographic inventory of the entire IBM zSystems stack. To do so, our research and IBM zSystems teams developed a questionnaire and sent it to all the firmware and product owners. The answers provided the first complete view of the cryptographic usage within the IBM zSystems stack, helping us to start defining the overall company’s migration strategy. Our team created cryptographic libraries and consulted the development teams on their migration to quantum-safe algorithms.

During the process, we also improved the quantum-safe algorithm capabilities of the HSM for the IBM z16. Not only did the HSM provide a number of quantum-safe cryptographic services, but the algorithms themselves were also accelerated with a dedicated hardware engine, developed and implemented by our team. The new IBM z16 was launched in April 2022, just weeks before NIST announced the winners — including CRYSTALS — of its six-year-long crypto challenge.

Those companies that already have IBM z16 — or plan to buy it — are securing their quantum-safe future, today. This is still the early days of crypto migration, and we did it successfully with our own products. We urge the world to follow — and move their data to quantum-safe algorithms today. We can help you do it, and you can take your first step by engaging our IBM Quantum Safe experts to assess your quantum risks and security priorities. It’s important to act now — because powerful, fault-tolerant quantum computers will be here much sooner than you think.


  1. Ducas, L., Kiltz, E., Lepoint, T., Lyubashevsky, V., Schwabe, P., Seiler, G., Stehle, D. CRYSTALS-Dilithium: A Lattice-Based Digital Signature Scheme. CHES 2018(1), 238–268. https://eprint.iacr.org/2017/633

  2. Hankerson, D., Menezes, A. (2011). Elliptic Curve Cryptography. In: van Tilborg, H.C.A., Jajodia, S. (eds) Encyclopedia of Cryptography and Security. Springer, Boston, MA. https://doi.org/10.1007/978-1-4419-5906-5_245