Dual-algorithm public key infrastructure helps reduce cost and risk as the transition to quantum computing approaches
SAN JOSE, Calif. and WATERLOO, Ontario – April 12, 2018 - Cisco Systems and ISARA Corp., the leading provider of security solutions for the quantum computing age, today announced the world’s first collaboration to test digital certificates that operate in both classic and quantum-safe algorithm modes.
“The incredible potential of quantum computers also presents the challenge of keeping data safe,” said ISARA Senior Product Manager Alexander Truskovsky. “This proof-of-concept project with Cisco demonstrates how a single digital certificate can accommodate multiple public-key algorithms, which will help to reduce the costs and risks during the migration process of the Public Key Infrastructure (PKI) and its dependent systems.”
Most personal and corporate computing environments depend on the PKIs to issue certificates that are essential to authenticating digital transactions. This ensures that each party to the transaction is, in fact, who they claim to be. Traditional certificates only use a single algorithm, and will require the issuance of duplicate certificates that use quantum-safe algorithms once systems start to be upgraded. With dual-algorithm certificates, a single certificate can be used both by systems relying on classic cryptography and upgraded systems using quantum-safe cryptography.
To showcase how this backward-compatible dual-algorithm (hybrid) works, Cisco and ISARA are making available a public server that uses these certificates to authenticate itself to transport-layer security (TLS) clients. Backward-compatible hybrid certificates that can also be issued to clients by using Enrollment over Secure Transport (EST) are designed to help smooth the transition from classic to quantum computing over the next several years while maintaining strong mission-critical encryption standards.
Quantum computers require new approaches to public-key cryptography because the way they process information makes them adept at breaking traditional cryptography based on the discrete logarithm problem. Particularly challenging in the multi-year transition period will be migrating systems that provide authentication credentials along with the systems that rely on these credentials.
“Once the quantum-safe algorithms are standardized, we may have a very short time frame in order to migrate our systems. Preparing a smoother migration to quantum-safe authentication is something we can do now, while the new algorithms are going through the selection process in NIST’s PQ Project,” said Cisco Technical Marketing Engineer Panos Kampanakis. “As shown in our draft, our intention with our co-authors is to standardize hybrid X.509 certificates in order to promote an interoperable and smoother transition to post-quantum PKI”.
The demo server is located at http://test-pqpki.com and includes instructions and links to the code for researchers who want to download, test and review hybrid X.509 certificates.
The first phase of the project successfully used Leighton Micali Scheme (LMS) stateful hash-based digital signatures. In phase two, SPHINCS+ stateless hash-based signatures will be implemented. More post-quantum signature algorithms will follow.
To learn more and begin integrating ISARA’s quantum-safe security solutions such as ISARA Radiate™ Security Solution Suite in commercial products today contact email@example.com
About ISARA Corporation
ISARA is a cyber-security company specializing in creating production-ready quantum-safe security solutions that can be embedded into commercial products today to secure data now and in the future. As a commercial solution provider within a rich academic and research ecosystem, ISARA is part of a collaborative effort to raise awareness of quantum threats, and design and implement quantum-safe solutions that will work globally.
Cisco (NASDAQ: CSCO) is the worldwide technology leader in IT and networking that helps companies seize the opportunities of tomorrow by proving that amazing things can happen when you connect the previously unconnected. Discover more at newsroom.cisco.com and follow us on Twitter at @Cisco.