6 post-quantum cryptography (PQC) projects you can consider piloting now
Suggestions for post-quantum projects that you can already start working on
1. Create a CBOM for your project
A CBOM (Cryptographic Bill of Materials) is a manifest of all the cryptographic modules, algorithms and components used within a project. Having such a list is useful because it lets the project team know where quantum-unsafe cryptography (e.g. RSA, ECC) is used, and therefore scope the post-quantum migration effort when it happens.
One way to start generating a CBOM is with CodeQL, which is free for open-source projects; GitHub has an article describing the approach.
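A CBOM is only useful if it records both where each primitive appears and whether it is quantum-safe, so the migration team can size the work. The following scanner is an added example (not CodeQL and not part of the original article): it runs a set of heuristic regexes over source text, records file and line for every hit, tags each algorithm as quantum-safe or not, and emits a component list shaped after CycloneDX 1.6 cryptographic-asset components. The regexes, the quantum-safety mapping and the sample sources are constructed for illustration and are assumptions to adapt to your own code base.

```python
"""Minimal CBOM generator: scans source text for cryptographic primitives and
emits a CycloneDX-style component list tagged with quantum safety.
Added example; the detection regexes and the quantum-safety mapping are
assumptions chosen for illustration, not a complete inventory."""
import json
import re

# (pattern, algorithm, primitive, quantum-safe?)  -- heuristic, extend for your code base
SIGNATURES = [
    (r"\bRSA\b|rsa\.generate_private_key|RSA_generate_key", "RSA", "pke/signature", False),
    (r"\bECDSA\b|ec\.generate_private_key|\bSECP\d+R1\b", "ECDSA", "signature", False),
    (r"\bX25519\b|Curve25519", "X25519", "key-agree", False),
    (r"\bAES-?(128|192|256)\b|AES\.new", "AES", "block-cipher", True),  # Grover only halves effective key size
    (r"\bSHA-?(256|384|512)\b|hashlib\.sha(256|384|512)", "SHA-2", "hash", True),
    (r"ML-?KEM|Kyber", "ML-KEM", "kem", True),
    (r"ML-?DSA|Dilithium", "ML-DSA", "signature", True),
]

def scan_sources(files: dict) -> list:
    """files maps path -> source text. One finding per (file, algorithm), with line numbers."""
    findings = []
    for path, text in files.items():
        lines = text.splitlines()
        for pattern, name, primitive, safe in SIGNATURES:
            hits = [i + 1 for i, line in enumerate(lines) if re.search(pattern, line)]
            if hits:
                findings.append({"file": path, "algorithm": name, "primitive": primitive,
                                 "quantumSafe": safe, "lines": hits})
    return findings

def to_cbom(findings: list) -> dict:
    """Shape findings after CycloneDX 1.6 cryptographic-asset components (verify against the spec)."""
    components = {}
    for f in findings:
        comp = components.setdefault(f["algorithm"], {
            "type": "cryptographic-asset",
            "name": f["algorithm"],
            "cryptoProperties": {"assetType": "algorithm",
                                 "algorithmProperties": {"primitive": f["primitive"]}},
            "properties": [{"name": "quantumSafe", "value": str(f["quantumSafe"]).lower()}],
            "evidence": {"occurrences": []},
        })
        comp["evidence"]["occurrences"] += [{"location": f["file"], "line": n} for n in f["lines"]]
    return {"bomFormat": "CycloneDX", "specVersion": "1.6", "components": list(components.values())}

def migration_scope(findings: list) -> list:
    """The (file, algorithm) pairs the PQC migration must touch."""
    return sorted({(f["file"], f["algorithm"]) for f in findings if not f["quantumSafe"]})

# Constructed sample sources standing in for a real repository checkout
SAMPLE_SOURCES = {
    "auth/keys.py": (
        "from cryptography.hazmat.primitives.asymmetric import rsa\n"
        "import hashlib\n"
        "key = rsa.generate_private_key(public_exponent=65537, key_size=2048)\n"
        "digest = hashlib.sha256(b'token').hexdigest()\n"
    ),
    "tls/handshake.c": (
        "/* legacy: RSA key transport, AES-256-GCM record protection */\n"
        "RSA *rsa = RSA_generate_key(2048, 65537, NULL, NULL);\n"
        "const EVP_CIPHER *c = EVP_aes_256_gcm();\n"
    ),
    "pq/kem.c": "/* ML-KEM-768 encapsulation via liboqs */\n",
}

if __name__ == "__main__":
    found = scan_sources(SAMPLE_SOURCES)
    print(json.dumps(to_cbom(found), indent=2))
    print("migration scope:", migration_scope(found))
```

Run against the constructed sources, the scanner reports RSA in two files as quantum-unsafe, merges both occurrences into one RSA component, and leaves AES, SHA-2 and ML-KEM tagged as safe; the `migration_scope` list is the "what and where" the summary table below refers to. Regex scanning will miss dynamically selected algorithms (cipher strings read from configuration, for example), which is where a semantic tool such as CodeQL earns its place.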
| Category | Discovery |
|---|---|
| Benefits | Helps you know the scope (what and where) that needs to be migrated |
| Effort | Medium: requires access to the source code in order to have a complete picture |
| Impact | Low: isolated project without direct customer impact; does not actually fix the problem |
2. Protect your web pages against HNDL attacks
The Harvest-Now-Decrypt-Later (HNDL) attack is a data security risk faced by organizations that use the Internet to transmit confidential or sensitive private information. To carry out the attack, eavesdroppers start by finding easy-to-access public channels such as hotel or airport Wi-Fi and collecting the network packets exchanged with the target (this is the Harvest-Now step). Although the communication may be protected using Transport Layer Security (TLS), the eavesdroppers simply wait a number of years until a quantum computer is available to decrypt the communication (this is the Decrypt-Later step). Web pages are particularly targeted since they are a common channel for many sensitive applications such as Internet banking, e-citizen services, online payments, etc.
Protecting web pages from HNDL attacks involves adding an extra layer of quantum-resistant encryption over and above the classical protection of the existing TLS connection. You can build your own post-quantum NGINX web server that negotiates the X25519MLKEM768 hybrid key exchange, or use HTML-level post-quantum encryption tools such as SafeQuard to protect your data.
| Category | Remediation |
|---|---|
| Benefits | Protects confidential and private data transmitted over the Internet against exposure |
| Effort | Medium: requires changes to the backend web server |
| Impact | High: the project ensures the security of customers' data over the long term |
3. Secure your VPN communications between your data centers
If you protect the data communications between your data centers using IPsec Virtual Private Networks (VPNs), then one way to make them quantum-safe is to turn on the RFC 8784 feature of the IPsec VPN. With RFC 8784, both ends of the VPN hold a common Post-quantum Preshared Key (PPK) that supplements the key establishment process when the encrypted tunnel between the two end-points is created; mixing in the PPK prevents a quantum adversary from decrypting the tunnel even if it later breaks the classical key exchange. Most popular VPN models from vendors such as Cisco, Fortinet and Palo Alto already support RFC 8784. The remaining challenge is how to distribute the PPK to both ends of the VPN channel.
One quantum-safe way to distribute the PPK is Quantum Key Distribution (QKD). If your data centers already have interconnected QKD nodes, then you need to configure your IPsec VPNs to connect to the QKD nodes to obtain the PPK. Connectivity to QKD nodes uses the ETSI GS QKD 014 REST API. Alternatively, you can use commercial products such as QKDLite which have built-in QKD connectivity.
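To make the two paragraphs above concrete, here is an added example (not vendor code and not part of the original article) of what happens on each VPN end-point once the PPK is in hand: the PPK is parsed out of an ETSI GS QKD 014 key-delivery response, mixed into the IKEv2 SA secrets exactly as RFC 8784 section 5.1 specifies (`SK_d' = prf+(PPK, SK_d)`, likewise for `SK_pi` and `SK_pr`), and the Child SA keying material is then derived from the mixed `SK_d'`. The KME JSON bodies, the IKE secrets and the nonces are constructed stand-ins; HMAC-SHA256 stands in for whatever PRF the IKE SA actually negotiated; and reusing the ETSI `key_ID` as the RFC 8784 `PPK_ID` is an assumption about how an implementation would let the responder look up the same key.

```python
"""RFC 8784 PPK mixing for an IKEv2/IPsec tunnel, with the PPK fetched from a
QKD key-management entity over the ETSI GS QKD 014 REST API. Added example: the
KME responses are constructed, the IKE secrets are constructed stand-ins for what
IKE_SA_INIT would produce, and HMAC-SHA256 stands in for the negotiated IKE PRF."""
import base64
import hashlib
import hmac
import json

def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ from RFC 7296 section 2.13: T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]

def ppk_from_etsi014(kme_json: str):
    """Parse the JSON body of GET /api/v1/keys/{SAE_ID}/enc_keys (initiator side) or
    POST .../dec_keys (responder side). Assumption: key_ID is reused as the RFC 8784
    PPK_ID so the responder can fetch the same key from its own KME."""
    entry = json.loads(kme_json)["keys"][0]
    return entry["key_ID"], base64.b64decode(entry["key"])

def apply_ppk(sk_d: bytes, sk_pi: bytes, sk_pr: bytes, ppk: bytes):
    """RFC 8784 section 5.1: SK_d' = prf+(PPK, SK_d), SK_pi' = prf+(PPK, SK_pi),
    SK_pr' = prf+(PPK, SK_pr); the other IKE SA keys are left untouched."""
    return tuple(prf_plus(ppk, sk, len(sk)) for sk in (sk_d, sk_pi, sk_pr))

def child_sa_keymat(sk_d: bytes, ni: bytes, nr: bytes, length: int = 64) -> bytes:
    """RFC 7296 section 2.17 (no PFS): KEYMAT = prf+(SK_d, Ni | Nr); tunnel keys are cut from this."""
    return prf_plus(sk_d, ni + nr, length)

# Constructed KME responses: both SAEs receive the same 256-bit key under the same key_ID
_KEY_ID = "0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0"      # constructed, not a real key identifier
_KEY_B64 = base64.b64encode(bytes(range(32))).decode()  # constructed key material
KME_ENC_KEYS = json.dumps({"keys": [{"key_ID": _KEY_ID, "key": _KEY_B64}]})
KME_DEC_KEYS = json.dumps({"keys": [{"key_ID": _KEY_ID, "key": _KEY_B64}]})

def simulate(enc_keys_json: str, dec_keys_json: str) -> dict:
    """Derive Child SA keying material on both ends, and what an adversary without the PPK gets."""
    # Constructed IKE_SA secrets; in a real exchange both peers derive these from the DH shared secret
    sk_d, sk_pi, sk_pr = b"\x01" * 32, b"\x02" * 32, b"\x03" * 32
    ni, nr = b"\x10" * 16, b"\x20" * 16
    ppk_id_i, ppk_i = ppk_from_etsi014(enc_keys_json)   # initiator asks its KME for a fresh key
    ppk_id_r, ppk_r = ppk_from_etsi014(dec_keys_json)   # responder fetches that key_ID (sent as PPK_ID)
    if ppk_id_i != ppk_id_r:
        raise ValueError("PPK_ID mismatch between the two ends")
    i_sk_d = apply_ppk(sk_d, sk_pi, sk_pr, ppk_i)[0]
    r_sk_d = apply_ppk(sk_d, sk_pi, sk_pr, ppk_r)[0]
    return {
        "ppk_id": ppk_id_i,
        "initiator_keymat": child_sa_keymat(i_sk_d, ni, nr),
        "responder_keymat": child_sa_keymat(r_sk_d, ni, nr),
        # a quantum adversary who later recovers the DH secret (and so SK_d) but never held the PPK
        "no_ppk_keymat": child_sa_keymat(sk_d, ni, nr),
    }

if __name__ == "__main__":
    result = simulate(KME_ENC_KEYS, KME_DEC_KEYS)
    print("both ends agree:", result["initiator_keymat"] == result["responder_keymat"])
    print("adversary without PPK matches:", result["no_ppk_keymat"] == result["initiator_keymat"])
```

The last dictionary entry is the point of the exercise: the captured tunnel is only as recoverable as `SK_d'`, and without the PPK that value is out of reach even once the Diffie-Hellman secret falls to a quantum adversary. When checking a vendor implementation, confirm that the PPK is mixed into the first IKE SA as well as into rekeys, and that the PPK_ID sent in the clear is an opaque identifier rather than anything derived from the key.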
| Category | Remediation |
|---|---|
| Benefits | Ensures that confidential data transmitted between your data centers is secure against quantum eavesdroppers |
| Effort | High: requires changes to the infrastructure, including connectivity to QKD networks |
| Impact | Medium: this project ensures that the organization's site-to-site communications have an added layer of security |
4. Use stronger random numbers
Current random number generation is deterministic, based on pseudo-random number generators. For applications that require true, unbiased random numbers that are secure against quantum attacks, Quantum Random Number Generators (QRNGs) can be used to obtain a sequence of random values which can seed the entropy sources used for random number generation. Such applications may include sampling for sensitive purposes such as voting, lotteries and financial AI/ML applications.
Most applications rely on the operating system's built-in random function to return a random value. On Linux, this value in turn comes from the /dev/urandom device, which is seeded from multiple sources. Improving the randomness is then simply a matter of feeding /dev/urandom an additional quantum source of entropy. The sample C code below demonstrates the module you can already implement.
```c
#include <fcntl.h>
#include <linux/random.h>   /* RNDADDENTROPY and struct rand_pool_info */
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

#define RANDSIZE 512        /* bytes of QRNG output fed to the pool per call */

/* Same layout as struct rand_pool_info: entropy credit (bits), byte count, data */
typedef struct {
    int bit_count;
    int byte_count;
    unsigned char buf[RANDSIZE];
} QRandStruct;

/* qrng_buf holds RANDSIZE bytes already read from your quantum entropy source */
int add_qrng_entropy(const unsigned char *qrng_buf)
{
    int randfd, rc;
    QRandStruct randpool;

    randpool.bit_count = RANDSIZE * 8;   /* entropy credited to the pool, in bits */
    randpool.byte_count = RANDSIZE;
    memcpy(randpool.buf, qrng_buf, RANDSIZE);

    randfd = open("/dev/urandom", O_WRONLY);   /* RNDADDENTROPY needs CAP_SYS_ADMIN */
    if (randfd < 0)
        return -1;
    rc = ioctl(randfd, RNDADDENTROPY, &randpool);
    close(randfd);
    return rc;
}
```
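One thing the C module above takes on trust is that the QRNG really produced RANDSIZE*8 bits of entropy. Hardware entropy sources fail by going stuck, and crediting a stuck source to the pool is worse than not feeding it at all. The following is an added example (not from the original article) of the same RNDADDENTROPY feed in Python, preceded by the Repetition Count Test from NIST SP 800-90B section 4.4.1 and crediting only the entropy rate the source is assessed at. The sample buffers are constructed, the 7.0 bits-per-byte figure is an assumed vendor claim, and the ioctl number is the generic Linux encoding of `_IOW('R', 0x03, int[2])` as found on x86-64 and arm64 (other architectures may encode it differently).

```python
"""Health-check QRNG output and credit it to the Linux entropy pool with
RNDADDENTROPY. Added example: the sample bytes are constructed, the
entropy-per-byte figure is an assumed vendor claim, and the ioctl number is the
generic Linux encoding for x86-64/arm64 (assumption: other architectures may differ)."""
import math
import struct

RNDADDENTROPY = 0x40085203          # _IOW('R', 0x03, int[2])
ASSUMED_ENTROPY_PER_BYTE = 7.0      # bits per sample the QRNG is assessed at (assumption), not 8
ALPHA_LOG2 = 20                     # SP 800-90B false-positive rate of 2^-20

def rct_cutoff(h: float, alpha_log2: int = ALPHA_LOG2) -> int:
    """SP 800-90B section 4.4.1 Repetition Count Test cutoff: C = 1 + ceil(-log2(alpha) / H)."""
    return 1 + math.ceil(alpha_log2 / h)

def repetition_count_ok(samples: bytes, h: float = ASSUMED_ENTROPY_PER_BYTE) -> bool:
    """Fail when any byte value repeats C or more times in a row (a stuck source)."""
    cutoff, run, prev = rct_cutoff(h), 0, None
    for b in samples:
        run = run + 1 if b == prev else 1
        prev = b
        if run >= cutoff:
            return False
    return True

def entropy_credit(samples: bytes, h: float = ASSUMED_ENTROPY_PER_BYTE) -> int:
    """Bits of entropy to credit: the assessed rate times the sample count, rounded down."""
    return int(len(samples) * h)

def pack_rand_pool_info(samples: bytes, h: float = ASSUMED_ENTROPY_PER_BYTE) -> bytes:
    """struct rand_pool_info { int entropy_count; int buf_size; __u32 buf[]; } in native layout."""
    return struct.pack("ii", entropy_credit(samples, h), len(samples)) + samples

def add_entropy(samples: bytes, h: float = ASSUMED_ENTROPY_PER_BYTE) -> None:
    """Feed the pool; requires CAP_SYS_ADMIN. Refuses output that fails the health check."""
    import fcntl
    import os
    if not repetition_count_ok(samples, h):
        raise RuntimeError("QRNG output failed the repetition count test; not crediting it")
    fd = os.open("/dev/urandom", os.O_WRONLY)
    try:
        # mutable buffer + mutate_flag so payloads larger than 1024 bytes are passed through
        fcntl.ioctl(fd, RNDADDENTROPY, bytearray(pack_rand_pool_info(samples, h)), True)
    finally:
        os.close(fd)

# Constructed inputs: a buffer with no repeated neighbours, and a stuck source
GOOD_SAMPLE = bytes(range(256)) * 2
STUCK_SAMPLE = b"\x00" * 512

if __name__ == "__main__":
    print("good passes health check:", repetition_count_ok(GOOD_SAMPLE))
    print("stuck passes health check:", repetition_count_ok(STUCK_SAMPLE))
    add_entropy(GOOD_SAMPLE)   # needs root / CAP_SYS_ADMIN
```

With the assumed 7 bits per byte the cutoff works out to 4, so four identical consecutive bytes reject the buffer; a source assessed at a lower entropy rate gets a larger cutoff and a smaller credit. The credit figure is what the kernel adds to its entropy estimate, so it is the number to be conservative about; the bytes themselves are mixed in regardless.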
| Category | Remediation |
|---|---|
| Benefits | Prevents possible bias for applications that use random numbers |
| Effort | Low: integration can happen without changes to the applications |
| Impact | Low: the project has unclear outcomes, as the improved quality of randomness cannot be easily measured |
5. Create a quantum-safe SSH
Secure Shell (SSH) is a common protocol used by system and network administrators to securely connect to remote backend devices and servers to check the status of the system, look at application logs, and/or execute system management commands. Hence it is important that the SSH connection is protected with strong encryption and authentication, since any compromise will lead to undesirable consequences. Having a quantum-safe SSH therefore ranks high on any administrator's wish list.
The Open Quantum Safe (OQS) project has forked a version of OpenSSH and included various post-quantum algorithms from its liboqs suite for both encryption and authentication. It's open source, so go build it and contribute if you can.
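Having built a post-quantum SSH, the next question is whether a given session actually used it: SSH picks the first method in the client's key-exchange list that the server also supports (RFC 4253 section 7.1), so a client that lists a classical method first, or a server that was never rebuilt, silently negotiates the old exchange. The following is an added example (not OQS project code and not part of the original article) that parses the two SSH_MSG_KEXINIT payloads and reports the negotiated method and whether it is post-quantum. The KEXINIT payloads are constructed; the `is_pq_kex` check is a naming heuristic based on the KEM names OpenSSH and OQS-OpenSSH use in their method identifiers, and is an assumption to extend as new methods appear.

```python
"""Check which SSH key-exchange method a client/server KEXINIT pair negotiates,
and whether it is post-quantum. Added example; the KEXINIT payloads are constructed
and the PQ naming heuristic is an assumption to extend for your deployment."""
import struct

def is_pq_kex(name: str) -> bool:
    """Heuristic: OpenSSH and OQS-OpenSSH name PQ methods after the KEM they use."""
    lname = name.lower()
    return any(tag in lname for tag in ("mlkem", "kyber", "sntrup", "frodo", "bike", "hqc"))

def _name_list(buf: bytes, pos: int):
    """RFC 4251 name-list: uint32 length + comma-separated ASCII names."""
    (n,) = struct.unpack("!I", buf[pos:pos + 4])
    names = buf[pos + 4:pos + 4 + n].decode("ascii")
    return [s for s in names.split(",") if s], pos + 4 + n

def _encode_name_list(names) -> bytes:
    data = ",".join(names).encode("ascii")
    return struct.pack("!I", len(data)) + data

KEXINIT_FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def build_kexinit(kex, hostkey=("ssh-ed25519",), enc=("chacha20-poly1305@openssh.com",),
                  mac=("hmac-sha2-256",)) -> bytes:
    """Constructed SSH_MSG_KEXINIT payload (RFC 4253 section 7.1), without packet framing."""
    lists = [kex, hostkey, enc, enc, mac, mac, ("none",), ("none",), (), ()]
    body = b"".join(_encode_name_list(names) for names in lists)
    # type 20, zeroed 16-byte cookie, name-lists, first_kex_packet_follows=0, reserved uint32
    return bytes([20]) + b"\x00" * 16 + body + b"\x00" + b"\x00\x00\x00\x00"

def parse_kexinit(payload: bytes) -> dict:
    """Return the ten name-lists and the first_kex_packet_follows flag."""
    if payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, out = 17, {}           # 1-byte message type + 16-byte cookie
    for field in KEXINIT_FIELDS:
        out[field], pos = _name_list(payload, pos)
    out["first_kex_packet_follows"] = bool(payload[pos])
    return out

def negotiated_kex(client_payload: bytes, server_payload: bytes):
    """RFC 4253 section 7.1: the first method in the client's list the server also lists."""
    client = parse_kexinit(client_payload)["kex"]
    server = set(parse_kexinit(server_payload)["kex"])
    for name in client:
        if name in server:
            return name
    return None

def assess_session(client_payload: bytes, server_payload: bytes) -> dict:
    kex = negotiated_kex(client_payload, server_payload)
    return {"kex": kex, "post_quantum": bool(kex) and is_pq_kex(kex)}

# Constructed KEXINITs: a PQ-capable client, a rebuilt server, and a server never migrated
PQ_CLIENT = build_kexinit(["mlkem768x25519-sha256", "sntrup761x25519-sha512@openssh.com",
                           "curve25519-sha256"])
PQ_SERVER = build_kexinit(["curve25519-sha256", "mlkem768x25519-sha256"])
LEGACY_SERVER = build_kexinit(["curve25519-sha256", "ecdh-sha2-nistp256"])

if __name__ == "__main__":
    print("rebuilt server:", assess_session(PQ_CLIENT, PQ_SERVER))
    print("legacy server:  ", assess_session(PQ_CLIENT, LEGACY_SERVER))
```

Against the rebuilt server the client's preference wins and a hybrid ML-KEM exchange is negotiated; against the legacy server the same client quietly falls back to `curve25519-sha256` with no error on either side. The KEXINIT exchange happens in the clear before the session is encrypted, so this check can be run over a passive capture, which is the same approach the packet-analysis project below takes for TLS.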
| Category | Remediation |
|---|---|
| Benefits | Creates a general-purpose connection for secure remote access |
| Effort | High: requires developer resources to build and maintain the solution |
| Impact | High: system and network administration can be protected against quantum attacks |
6. Network packet analysis
It can be expected that as quantum technology evolves, more and more vendors will announce that they have successfully incorporated post-quantum cryptography into their applications and protocols. But questions persist. Do you know for sure that it is implemented? Are there gaps in the implementation? What algorithms are they using? Are you running the correct post-quantum version of the software? Did you choose the correct configuration parameters? A good post-quantum migration tool to have is the ability to analyze network packets for evidence of the post-quantum implementation.
Wireshark is one of the most popular open-source network packet analyzers for looking at the communication packets. All you need to do is capture the network packets and look for the algorithms advertised during the protocol negotiation phase. If that is too complicated, you can consider using PacketQC, which does the analysis for you based on the pcap files you captured.
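The negotiation evidence Wireshark would show for a web server is in the ClientHello's `supported_groups` and `key_share` extensions, which also makes this the check for project 2 above: a client offering X25519MLKEM768 but only sending a classical key share still costs a round trip, and a server that never selects the hybrid group leaves the session harvestable. The following is an added example (not Wireshark or PacketQC code and not part of the original article) that builds a constructed ClientHello record and parses those two extensions out of it. The group codepoints are the values in use at the time of writing (`0x11EC` for X25519MLKEM768 and its siblings) and the table is an assumption to extend as new hybrids are registered; the key-share payloads are zero-filled dummies of realistic size.

```python
"""Inspect a TLS ClientHello for post-quantum hybrid key exchange.
Added example: builds a constructed ClientHello and parses its
supported_groups (ext 10) and key_share (ext 51) extensions."""
import struct

# Codepoints for PQ/T hybrid groups as used at time of writing (assumption: extend as needed)
PQ_HYBRID_GROUPS = {
    0x11EB: "SecP256r1MLKEM768",
    0x11EC: "X25519MLKEM768",
    0x11ED: "SecP384r1MLKEM1024",
    0x6399: "X25519Kyber768Draft00",   # pre-standard hybrid still seen in captures
}
EXT_SUPPORTED_GROUPS, EXT_KEY_SHARE = 0x000A, 0x0033

def _vec(data: bytes, size: int) -> bytes:
    """Length-prefixed vector with a `size`-byte big-endian length field."""
    return len(data).to_bytes(size, "big") + data

def build_client_hello(groups, key_share_groups) -> bytes:
    """Constructed TLS record carrying a minimal TLS 1.3 ClientHello.
    Key-share payloads are zero-filled dummies sized like the real thing."""
    sg = b"".join(g.to_bytes(2, "big") for g in groups)
    exts = struct.pack("!HH", EXT_SUPPORTED_GROUPS, len(sg) + 2) + _vec(sg, 2)
    ks = b""
    for g in key_share_groups:
        share_len = 1216 if g == 0x11EC else 32   # ML-KEM-768 ek (1184) + X25519 (32)
        ks += g.to_bytes(2, "big") + _vec(b"\x00" * share_len, 2)
    exts += struct.pack("!HH", EXT_KEY_SHARE, len(ks) + 2) + _vec(ks, 2)
    body = (b"\x03\x03" + b"\x11" * 32 + _vec(b"", 1)                   # version, random, session_id
            + _vec(b"\x13\x01", 2) + _vec(b"\x00", 1) + _vec(exts, 2))  # suites, compression, exts
    return b"\x16\x03\x01" + _vec(b"\x01" + _vec(body, 3), 2)

def parse_client_hello(record: bytes) -> dict:
    """Walk the ClientHello and return supported_groups and the groups that carry key shares."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    pos = 2 + 32                                            # client_version + random
    pos += 1 + body[pos]                                    # session_id
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")     # cipher_suites
    pos += 1 + body[pos]                                    # compression_methods
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    groups, shares = [], []
    while pos < end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        edata = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == EXT_SUPPORTED_GROUPS:
            n = int.from_bytes(edata[:2], "big")
            groups = [int.from_bytes(edata[i:i + 2], "big") for i in range(2, 2 + n, 2)]
        elif etype == EXT_KEY_SHARE:
            p, n = 2, int.from_bytes(edata[:2], "big")
            while p < 2 + n:
                shares.append(int.from_bytes(edata[p:p + 2], "big"))
                p += 4 + int.from_bytes(edata[p + 2:p + 4], "big")
    return {"supported_groups": groups, "key_shares": shares}

def assess(record: bytes) -> dict:
    """Does the client offer a PQ hybrid, and does it send a share for it (needed for 1-RTT)?"""
    info = parse_client_hello(record)
    offered = [PQ_HYBRID_GROUPS[g] for g in info["supported_groups"] if g in PQ_HYBRID_GROUPS]
    shared = [PQ_HYBRID_GROUPS[g] for g in info["key_shares"] if g in PQ_HYBRID_GROUPS]
    return {"pq_offered": offered, "pq_key_share": shared}

# Constructed samples: a modern client and a legacy one
PQ_CLIENT_HELLO = build_client_hello([0x11EC, 0x001D, 0x0017], [0x11EC, 0x001D])
LEGACY_CLIENT_HELLO = build_client_hello([0x001D, 0x0017], [0x001D])

if __name__ == "__main__":
    for label, rec in (("pq client", PQ_CLIENT_HELLO), ("legacy client", LEGACY_CLIENT_HELLO)):
        print(label, assess(rec))
```

On real traffic, feed the function the bytes of the first TCP segment of the handshake (Wireshark's "Export Packet Bytes" on the TLS record is enough); the ClientHello is always in the clear, so a passive capture suffices. The ClientHello only proves what the client offered: the matching evidence that the hybrid was used is the group id in the ServerHello's `key_share` extension, and a server that answers with `x25519` (0x001D) has downgraded the session to classical key exchange.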
| Category | Validation |
|---|---|
| Benefits | Checks that the post-quantum migration was implemented correctly |
| Effort | Low: no change in infrastructure; requires only passive capture of network traffic |
| Impact | Medium: validating the implementation is always good hygiene for any security project |