Cisco backs test to help classical crypto outlive quantum computers

Borg helps Isara's post-quantum PKI cert test in the hope it future-proofs TLS

Cisco and quantum security outfit Isara reckon they've got at least as far as alpha stage in one problem of the future: securing public key certificates against quantum computers.

“Quantum computers will break cryptography” is a popular mass media trope, but the big brains of crypto have been aware of the risk for some time. Academics have therefore pondered quantum-safe crypto schemes for some time.

Deployments are less common at this stage, which is why the Cisco-Isara PQPKI test caught Vulture South's attention.

The PQPKI test acts as a TLS 1.2 server with post-quantum authentication certificates implemented as one of the ciphersuites available to sign the certificate.

As the partners explained at the test site, America's National Institute for Science and Technology has a post-quantum crypto project with around 70 submissions. However, “Most of these schemes have significantly larger public key and/or signature sizes than the ones used today. There are concerns about the effect their size and processing cost would have on technologies using X.509 certificates today, like TLS and IKEv2”.

The PQPKI test has adopted a hybrid approach to the problem, allowing certificates to be tested using post-quantum schemes if machines support them, but falling back to traditional certificate checks if not.

A hybrid scheme would also save certificate authorities and users from having to run duplicate systems, Isara explained.
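The fallback behaviour described above, modelled as an added example (not code from Cisco, Isara or the test server). It assumes the post-quantum signature travels as an optional field that legacy clients ignore; textbook RSA and a Lamport one-time signature stand in for the real classical and LMS signatures, and `issue`, `verify` and the `require_pq` policy switch are hypothetical names.

```python
import hashlib

def H(b): return hashlib.sha256(b).digest()
def digest_int(msg): return int.from_bytes(H(msg), "big")

# Toy "classical" signer: textbook RSA over two Mersenne primes.
# Illustration only; no padding, tiny modulus.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
def rsa_sign(msg): return pow(digest_int(msg) % N, D, N)
def rsa_verify(msg, sig): return pow(sig, E, N) == digest_int(msg) % N

# Stand-in hash-based signer: Lamport one-time signature (not LMS).
def lamport_keygen(seed):
    sk = [[H(seed + bytes([i, b])) for b in (0, 1)] for i in range(256)]
    return sk, [[H(x) for x in pair] for pair in sk]
def msg_bits(msg):
    d = digest_int(msg)
    return [(d >> i) & 1 for i in range(256)]
def lamport_sign(sk, msg): return [sk[i][b] for i, b in enumerate(msg_bits(msg))]
def lamport_verify(pk, msg, sig):
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, msg_bits(msg))))

def issue(subject, pq_sk=None):
    """Constructed certificate: the classical signature covers tbs plus the
    optional post-quantum signature, so one object serves both client kinds."""
    tbs = b"CN=" + subject
    pq_sig = lamport_sign(pq_sk, tbs) if pq_sk else None
    return {"tbs": tbs, "pq_sig": pq_sig,
            "sig": rsa_sign(tbs + b"".join(pq_sig or []))}

def verify(cert, pq_pk=None, require_pq=False):
    """pq_pk=None models a legacy client; require_pq is a hypothetical policy."""
    if not rsa_verify(cert["tbs"] + b"".join(cert["pq_sig"] or []), cert["sig"]):
        return "reject"
    if pq_pk is None:
        return "ok-classical"          # fallback: traditional check only
    if cert["pq_sig"] is None:
        return "reject" if require_pq else "ok-classical"
    ok = lamport_verify(pq_pk, cert["tbs"], cert["pq_sig"])
    return "ok-hybrid" if ok else "reject"

if __name__ == "__main__":
    sk, pk = lamport_keygen(b"constructed-demo-seed")
    hybrid, plain = issue(b"server.example", sk), issue(b"server.example")
    print(verify(hybrid), verify(hybrid, pk), verify(plain, pk, require_pq=True))
```

A client that expects hybrid certificates can set `require_pq=True` so that a certificate carrying only the classical signature is refused rather than silently accepted on the traditional check.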

Cisco's Panos Kampanakis said: “Once the quantum-safe algorithms are standardised, we may have a very short time frame in order to migrate our systems.”

Isara added that the test server used “Leighton Micali Scheme (LMS) stateful hash-based digital signatures” (described at the International Association for Cryptologic Research in this paper, co-authored by Isara's Edward Eaton).

Another scheme, SPHINCS+, is planned for a second phase of the test. ®
