Are there any cryptographic protocols available for HTTP such as TLS or QUIC with practical or near-practical quantum computer resistance?
1 Answer
There have been tests performed using OpenSSL with PQC algorithms including the two winners of the NIST PQC competition, CRYSTALS-Kyber and CRYSTALS-Dilithium; see for instance the page for the oqs provider. These tests were mainly performed to test how feasible PQC is, as there have not been any agreed-upon standards to my knowledge; the referenced RFCs are still in the draft stage.
If you're going to implement it you would need:
- two sides that are using the same (currently unrecognized) standards, which in this early stage probably means that you need to use the same software configuration on both sides;
- a PKI based on PQC, i.e. quantum-safe certificates; these can be built using OpenSSL or EJBCA, but it means that you have to control and secure all of the PKI - sending a certificate with a PQC to a commercial CA is unlikely to succeed after all.
Now the main issue with quantum computers is store-and-decrypt, where an adversary stores your conversations to later attack the asymmetric key exchange. This is still possible even if forward security is being used.
So if you don't want to roll out your own you could use generic certificates and only quantum-protect the key establishment with CRYSTALS-Kyber. This would ignore the issue that an authentication private key may have been compromised, but that's less of an issue with the current state of quantum-computers.
So I'd say yes, you can create a practical HTTP connection over a secure protocol such as TLS, but:
- it hasn't been officially standardized;
- there is no existing PKI infrastructure;
- you're relying on proof-of-concept code;
- hardware support is in its infancy.
Other than that it is up to you what you call "practical". I'd call running code that provides confidentiality against quantum computers "practical", but beware of things like side channel attacks and practical security such as buffer overruns, key destruction etcetera.
If you decide to go this way it would probably be a good idea to use a TLS configuration that uses a hybrid scheme (e.g. ECDHE + Kyber).
Note that I've referenced Open Source software for which I know that there is a lot of support and which have been forerunners in practical PQC testing. This is however not a personal endorsement of said software, nor is it likely to be the only software available that has protection against quantum cryptanalysis.
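The hybrid scheme the answer recommends (ECDHE + Kyber) only helps against store-and-decrypt if the session key depends on both the classical and the post-quantum shared secret. The block below is an added illustration, not code from the answer or from OpenSSL/oqs-provider: it implements HKDF (RFC 5869) with the standard library and derives a session key from the concatenation of a classical ECDHE secret and a KEM secret, bound to the handshake transcript. The secrets here are constructed placeholder bytes; in a real deployment they come from the TLS library's ECDHE and Kyber operations, and the exact combiner and labels are an assumption modelled on the concatenation approach in the TLS hybrid design draft, not the draft's literal key schedule.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC(salt, IKM). Empty salt -> zero-filled salt."""
    if not salt:
        salt = b"\x00" * HASH().digest_size
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) | info | i), output first `length` bytes."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hybrid_session_key(ecdhe_secret: bytes, kem_secret: bytes,
                       transcript: bytes, length: int = 32) -> bytes:
    """Derive a session key that depends on BOTH shared secrets.

    The classical secret is placed first and the KEM secret second (fixed order,
    as in the concatenation combiner of the TLS hybrid draft; an assumption here).
    Binding the transcript hash into `info` ties the key to this handshake.
    An attacker who later breaks ECDHE with a quantum computer still lacks the
    KEM secret, so the derived key stays out of reach.
    """
    ikm = ecdhe_secret + kem_secret
    prk = hkdf_extract(b"", ikm)
    info = b"hybrid tls session key" + HASH(transcript).digest()
    return hkdf_expand(prk, info, length)


def demo() -> dict:
    """Constructed secrets standing in for real ECDHE / Kyber outputs."""
    ecdhe = os.urandom(32)          # placeholder for the X25519 shared secret
    kem = os.urandom(32)            # placeholder for the Kyber shared secret
    transcript = b"ClientHello|ServerHello (constructed transcript)"
    key = hybrid_session_key(ecdhe, kem, transcript)
    # Changing only the KEM secret must change the session key: the classical
    # part alone is not enough to reconstruct it.
    key_other_kem = hybrid_session_key(ecdhe, os.urandom(32), transcript)
    return {"key": key.hex(), "kem_matters": key != key_other_kem}


if __name__ == "__main__":
    print(demo())
```

The HKDF functions follow RFC 5869 exactly, so they can be checked against its published test vectors; the combiner itself is the point of the example, and a production stack should use its TLS library's own hybrid key schedule rather than hand-rolled derivation.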