Long Term R&D: PQ security (proposal)

Post-quantum security

Objective: Make the IC secure against quantum-capable attackers.

Discussion leads: Jens Groth, Andrea Cerulli

Background: In the future, attackers may be aided by quantum computers. Quantum algorithms can break some of the cryptographic assumptions the Internet Computer relies on, specifically the hardness of computing discrete logarithms. A quantum-capable adversary could thus forge signatures used in the IC. Predictions of when quantum computers will be powerful enough to break the discrete logarithm problem vary, with a small minority of experts believing it could be within the next 5 years. Hardening the IC against quantum-capable adversaries is a significant effort, and attackers are already known to harvest ciphertexts today in order to decrypt them later with quantum computers, so it makes sense to start early on making the IC post-quantum secure.

Open research questions, topics and key milestones:

  • Determine the versatility, efficiency and cryptanalytic resilience of primitives believed to be post-quantum secure, and select appropriate security parameters. Existing symmetric-key primitives such as AES and SHA are believed to be post-quantum secure. For public-key encryption the current front-runner is lattice-based cryptography. For signatures there are both lattice-based and hash-based candidates; however, lattice-based signatures may be more versatile for building more sophisticated signatures, e.g., threshold signatures.
  • Evaluate the quantum computing landscape annually and continuously monitor the cryptanalytic landscape to inform the choice of primitives we rely on and to determine appropriate security parameters.
  • Invent appropriate post-quantum schemes, when there is no existing solution. Some of the schemes in the IC are non-trivial to translate to the post-quantum world, e.g., threshold relay or non-interactive DKG. An alternative when no such scheme exists is to modify the IC protocol so that it relies on a different type of cryptographic scheme.
  • Prove all schemes are secure under appropriate cryptographic assumptions. There are pitfalls to avoid here: a common mistake is to assume a cryptographic scheme is secure as long as it is based on post-quantum secure primitives. This is not always the case, so the IC must rely on schemes that have security reductions testifying to post-quantum robustness. There are also schemes where classical definitions of security fail; for instance, the classical binding property of commitment schemes does not suffice against quantum-capable attackers.
  • Develop, implement and deploy alternatives to the current cryptographic suite. Some of the schemes the IC uses are already believed to be post-quantum secure or are likely to be provided by the cryptographic community, e.g., hash functions and TLS. Others, such as the multi-signatures and threshold signatures, are likely to require new implementations.
  • Work with the community to specify requirements for post-quantum security on the user side: how to provide PQ-safe wallets, user authentication, and libraries to verify PQ-safe communication from the IC.
  • Transition to post-quantum security: how to protect dormant users with staked ICP, how to protect the confidentiality of encrypted data, assess whether quantum computers will come as an evolution or a revolution, and how to prepare for the latter scenario.

Skills and expertise: Cryptographers versed in post-quantum cryptography, with lattice-based cryptography as the current front runner. The Research Team and the Crypto Library team will work jointly on the initiative.

How to work with the community: On the research side, the project is suitable for collaboration with researchers in and outside of academia. The developer community can contribute to the creation of tools that make canister smart contracts post-quantum secure. Community discussions can guide the requirements for post-quantum security and settle on standards and best practices for the IC.

What we are asking the community:

  • Review comments, ask questions, give feedback
  • Vote accept or reject on NNS Motion
  • Participate in technical discussions as the motion moves forward