NXP has been working with IBM on embedded-systems implementations of the post-quantum security algorithms announced this week by NIST in the US.
“From an embedded point of view for smart cards and automotive there are two main use cases to focus on, which are secure boot and secure update,” said Joppe Bos, senior principal cryptographer at NXP and one of the team that submitted the algorithms. The algorithms are intended to resist future quantum computers capable of breaking today’s RSA and ECC.
“If you can secure boot with post quantum security then you can trust the device and with a secure update you can stay secure. These are the two main use cases we have been focussing on the S32G automotive platform,” said Bos.
Two of the four algorithms chosen, CRYSTALS-Kyber and CRYSTALS-Dilithium, were submitted to NIST by ARM’s Roberto Avanzi, Bos, CWI Amsterdam’s Léo Ducas, Ruhr University Bochum’s Eike Kiltz, SRI International’s Tancrède Lepoint, IBM Quantum’s Vadim Lyubashevsky and Gregor Seiler, University of Waterloo’s John Schanck, MPI-SP & Radboud University’s Peter Schwabe and ENS Lyon’s Damien Stehle.
“The main challenge people think is performance but in practice this is not the case,” said Bos at NXP. “In PQ crypto you pay a price in performance, but it is key size and memory that are critical.”
“In terms of memory with Dilithium for example it will run but only with 50 to 160 Kbytes of additional memory and that is out of the question for more embedded use cases. So we have been working on how to fit these PQ schemes to run on more constrained devices such as smartcards with 8 to 16K memory in total,” he said. “We can run Kyber and Dilithium in less than 8K but that comes at the price of performance.”
New accelerator designs will address the performance issues; the harder problem is performance on existing devices already in the field, whose public-key coprocessors are optimised for classical RSA and ECC.
“Public key uses a large integer multiplier but for PQC the underlying math is different and the integers are very small. We have looked at reusing the RSA and ECC coprocessors – it’s not trivial how to reuse them but we have shown this is possible and how to do this efficiently. But for new generations building from the ground up will be more efficient and we have been working on those for the last year.”
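The reuse Bos describes is the mismatch between a coprocessor built for one multiplication of two multi-thousand-bit integers and lattice schemes that need thousands of multiplications of 12-bit coefficients. One well-known bridge is Kronecker substitution: pack the small coefficients of each polynomial into the limbs of one big integer, do a single big-integer multiply, and unpack the product coefficients. The following is an added illustration of that idea, not NXP’s code, and the article does not say which method NXP used. The parameters n = 256 and q = 3329 are Kyber’s; the 32-bit packing width is derived here from the coefficient bound, and Python’s arbitrary-precision integers stand in for the hardware multiplier.

```python
"""
Kronecker substitution: multiply two polynomials in Z_q[x]/(x^n + 1)
(the Kyber ring) with ONE big-integer multiplication, the operation an
RSA/ECC coprocessor is designed for.

Added example, not NXP's implementation. Parameters n=256, q=3329 are
Kyber's; the packing width is chosen so no product coefficient can
overflow into its neighbour's slot.
"""
import random

N = 256
Q = 3329


def packing_width(n: int, q: int) -> int:
    """Smallest bit width ell such that every coefficient of a(x)*b(x),
    computed over the integers before any reduction, fits in ell bits.
    Each such coefficient is a sum of at most n products, each < (q-1)^2."""
    bound = n * (q - 1) ** 2          # 256 * 3328^2 = 2,835,349,504 for Kyber
    return bound.bit_length()         # -> 32 bits per slot


def pack(poly, ell: int) -> int:
    """Evaluate poly at 2^ell: coefficient i becomes the i-th ell-bit limb."""
    acc = 0
    for c in reversed(poly):
        acc = (acc << ell) | c
    return acc


def unpack(value: int, count: int, ell: int):
    """Inverse of pack: read `count` ell-bit limbs, lowest limb first."""
    mask = (1 << ell) - 1
    return [(value >> (ell * i)) & mask for i in range(count)]


def schoolbook_negacyclic(a, b, n=N, q=Q):
    """Reference O(n^2) multiplication in Z_q[x]/(x^n + 1): x^n = -1."""
    res = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k = i + j
            if k < n:
                res[k] = (res[k] + ai * bj) % q
            else:
                res[k - n] = (res[k - n] - ai * bj) % q
    return res


def kronecker_negacyclic(a, b, n=N, q=Q):
    """Same result as schoolbook_negacyclic, via one big-integer product.

    For Kyber the operands are n*ell = 8192 bits wide; a real coprocessor
    with a narrower multiplier would split them, which this toy ignores."""
    ell = packing_width(n, q)
    big = pack(a, ell) * pack(b, ell)        # the single large multiplication
    # a*b has degree <= 2n-2, so the (2n-1)-th limb is guaranteed zero.
    full = unpack(big, 2 * n, ell)
    # Fold x^(n+i) = -x^i and reduce the coefficients modulo q.
    return [(full[i] - full[i + n]) % q for i in range(n)]


def demo(seed: int = 1) -> bool:
    """Constructed check: random Kyber-sized inputs, both methods must agree."""
    rng = random.Random(seed)
    a = [rng.randrange(Q) for _ in range(N)]
    b = [rng.randrange(Q) for _ in range(N)]
    return kronecker_negacyclic(a, b) == schoolbook_negacyclic(a, b)


if __name__ == "__main__":
    print("width:", packing_width(N, Q), "bits; methods agree:", demo())
```

The point of the example is the accounting, not the arithmetic: the slot width must absorb the worst-case product coefficient (here 32 bits, leaving 8192-bit operands for Kyber), and the negacyclic reduction is done after unpacking, in small integers, where it is cheap. A hardened implementation would additionally have to keep the pack/unpack steps constant-time, since they handle secret coefficients.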
“We are working closely with IBM on standardisation, on key serialisation and storage, to avoid the mayhem that occurred with ECC,” said Bos. “IBM is very concerned about incompatibility issues so we worked with them last year to try to create some order in all of this to allow the different implementations to talk to each other. We have a big preference for compressed keys and IBM is a customer of ours for smart cards, but they have other applications and they want to ensure everything works together.”
“Our security research team at IBM’s lab in Zurich has been working on quantum-safe cryptography for many years, and we are happy to see some of the cryptographic schemes we’ve co-developed with academic and industrial partners among those recognized by NIST,” said IBM.
Another of the algorithms chosen, SPHINCS+, is a stateless hash-based signature scheme: unlike Kyber and Dilithium it relies on no lattice structure, only on the hash functions already found in existing RSA and ECC implementations (see Algorithms agreed for post-quantum security standard).
“With SPHINCS+ I think the big problem is the signature size which is multiple orders of magnitude larger than Dilithium, which is also larger than RSA,” said Bos. “That has advantages for embedded devices as we have hash based accelerators but these schemes are still slow. The biggest challenge is the size of the signatures, especially for smartcards.”
NXP has been working on the security coprocessors and the software implementation, and is now moving to verification, testing and certification so that products are ready when the standard is published in 2024.
“We don’t just want functional crypto implementations, we want to be protected against side channel attacks as well,” he said. The biggest problem is with the smallest devices. “Even for mobile for secure boot I think the biggest hit will be the secure memory and that is the biggest change. ECC only needs 32 bytes and now that needs to go up to over 4K to store a key so that is a significant increase but we knew that was coming.”
“Everything is tightly coupled to when the standard comes out in 2024 and that is also the timeline for products with hardware,” said Bos. “The hardware will be available before that but it has to be certified with third parties.”
“However, the process of creating new quantum-safe standards is not yet over,” said IBM. “NIST, the teams involved in the proposals, and the overall cryptographic community will further scrutinize and improve the chosen algorithms and turn them into standards over the next couple of years.”