In case someone manages to make a general purpose quantum computer one day, a group of IETF authors have put forward a proposal to harden Internet key exchange.
It's a handy reminder that in spite of a stream of headlines telling us that quantum computers will break cryptography, there's a substantial amount of research going into “post quantum” crypto – and also a sign that standards authors think there's enough work out there to justify an Internet Draft.
The work-in-progress suggests an optional IKEv2 payload “used in conjunction with the existing Diffie-Hellman key exchange to establish a quantum-safe shared secret between an initiator and a responder,” and it supports a number of suitable key exchange schemes.
One way keys can be quantum-safe, the draft explains, is for them to be randomly generated and ephemeral – in other words, it's an attempt to blend two cryptographic concepts, asymmetric public/private key encryption and something akin to a one-time pad.
The brief explanation of such a key encapsulation mechanism (KEM) is: “the initiator randomly generates a random, ephemeral public and private key pair, and sends the public key to the responder in QSKEi payload. The responder generates a random entity, encrypts it using the received public key, and sends the encrypted quantity to the initiator in QSKEr payload. The initiator decrypts the encrypted payload using the private key. After this point of the exchange, both initiator and responder have the same random entity from which the quantum-safe shared secret (QSSS) is derived.”
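The QSKEi/QSKEr round trip that paragraph describes, as an added example in Python that is not code from the draft or its authors: a deliberately tiny learning-with-errors KEM stands in for the draft's Ring-LWE and NTRU schemes, and the parameters N and Q, the 16-bit "random entity" and the SHA-256 derivation of the QSSS are all assumptions chosen so that decryption never fails, not secure values; the mixing of the QSSS with the Diffie-Hellman secret is not shown.

```python
import hashlib
import secrets

# Toy LWE key encapsulation, assumed for illustration only: N and Q are far
# too small to be secure, but chosen so that |r.e| <= N < Q/4 and decryption
# therefore never fails.
N, Q, BITS = 64, 3329, 16

def _dot(a, b):
    return sum(x * y for x, y in zip(a, b)) % Q

def keygen(rng=secrets.randbelow):
    """Initiator: ephemeral public key (A, b = A*s + e) and private key s; QSKEi carries the public part."""
    A = [[rng(Q) for _ in range(N)] for _ in range(N)]
    s = [rng(3) - 1 for _ in range(N)]              # secret in {-1, 0, 1}
    e = [rng(3) - 1 for _ in range(N)]              # error in {-1, 0, 1}
    b = [(_dot(row, s) + ei) % Q for row, ei in zip(A, e)]
    return (A, b), s

def encapsulate(pub, entity_bits, rng=secrets.randbelow):
    """Responder: encrypt each bit of its random entity under the public key; QSKEr carries ct."""
    A, b = pub
    At = list(zip(*A))                              # columns of A, for r^T A
    ct = []
    for bit in entity_bits:
        r = [rng(2) for _ in range(N)]               # fresh binary randomiser
        u = [_dot(r, col) for col in At]
        v = (_dot(r, b) + bit * (Q // 2)) % Q        # r.b + bit*Q/2
        ct.append((u, v))
    return ct

def decapsulate(priv, ct):
    """Initiator: v - u.s = r.e + bit*Q/2, so each bit is read off the rounded value."""
    return [1 if Q // 4 < (v - _dot(u, priv)) % Q < 3 * Q // 4 else 0 for u, v in ct]

def qsss(entity_bits):
    """Both sides derive the quantum-safe shared secret (QSSS) from the same entity."""
    raw = int("".join(map(str, entity_bits)), 2).to_bytes(len(entity_bits) // 8, "big")
    return hashlib.sha256(b"QSKE" + raw).hexdigest()   # SHA-256 derivation is an assumption

def run_exchange():
    pub, priv = keygen()                            # initiator -> responder: QSKEi
    entity = [secrets.randbelow(2) for _ in range(BITS)]
    ct = encapsulate(pub, entity)                   # responder -> initiator: QSKEr
    return qsss(entity), qsss(decapsulate(priv, ct))

if __name__ == "__main__":
    responder_qsss, initiator_qsss = run_exchange()
    print("QSSS match:", responder_qsss == initiator_qsss)
```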
Naturally, a quantum-safe key exchange can only take place if both ends of the conversation support it; if not, the draft says, the transaction has to fall back to an ordinary IKEv2 exchange.
We don't yet have a general purpose quantum computer, so why bother? Because if we do reach a point where general purpose quantum computers can run Shor's algorithm, there'll be a lot of stored traffic to apply it to.
Research into quantum-safe key exchange has yielded a couple of schemes the draft's authors consider serious enough to name-check: two variants of what's called Ring Learning With Errors, and two approaches based on NTRU lattices. ®
Bootnote: This article originally referenced the original IKEv2 RFC, RFC 5996. Our thanks to Graham Bartlett, a co-author of the standard, who contacted us to note that the RFC has been updated via RFC 7296. ®