Large quantum computers have the potential to break many cryptographic systems, e.g., Rivest–Shamir–Adleman, Diffie–Hellman key exchange, and elliptic curve cryptosystems. The Department of Defense (DoD) is aware of this threat, and the National Institute of Standards and Technology is preparing a set of approved encryption and signature schemes that are not susceptible to these attacks by quantum computers, the so-called Post-Quantum Cryptography (PQC). The task of substituting older encryption and signature schemes raises a number of questions to which there are not yet clear answers. In this research, we investigate the transition to PQC on existing networks, explain the approved PQC schemes, describe the likely path to adoption of PQC, and offer forward guidance on challenges and threats that may be encountered in the process of transitioning to PQC. This paper discusses the impacts of the new PQC schemes on network performance and speculates on possible side-channel attacks on the new encryption schemes. This paper also offers hardware/software solutions based on the Split-protocol.
I. INTRODUCTION
This paper reviews the impacts of post-quantum cryptosystems on the network. Cryptography refers to a range of techniques, predating computers, used to secure information at rest or in transit. It covers symmetric keys, where the same key is used both to encrypt and to decrypt communications, and public/private key pairs, also known as asymmetric keys, in which the private key is kept secret and the public key can be known to all parties with whom the owner may communicate and exchange information.1 There is a jungle of private and public key cryptography. However, we will jump directly to the most popular and widely used public and private key cryptography techniques recommended by the National Institute of Standards and Technology (NIST).2–4 NIST recommends Federal Information Processing Standards (FIPS) approved algorithms.4 These cryptographic methods must go through extensive security testing and analysis to achieve acceptable security. Using larger keys is frequently an option when higher security is required.
Our contributions are as follows:
Simplifying PQC: This paper aims to demystify post-quantum cryptography (PQC) for a broader audience.
Network and Security Impact: We survey the effects of PQC on existing network and security configurations.
Performance Analysis: Providing an in-depth performance analysis of PQC techniques.
Challenges in Aerial Mobile Networks: Identifying challenges specific to aerial mobile networks.
Quantum-Safe Enhancement: Proposing an approach to enhance the current widely used public key cryptographic systems to be quantum-safe.
The rest of this paper is organized as follows: Sec. II provides the related work. Section III presents several types of cryptography schemes. Section IV discusses motivations for the community to consider post-quantum cryptography. Section V presents the current widely used cryptosystems. Section VI describes the post-quantum cryptosystem recommended by NIST. Section VII introduces our approach for PQC. Section VIII presents the impact of PQC on network and vehicular communications. Section IX presents a security challenge with PQC. Section X presents software/hardware solutions with Split-protocol. Section XI finally concludes the paper.
II. RELATED WORK
Quantum computing holds the potential to perform tasks that are infeasible using classical computers. At the present time, the range of quantum applications is expanding from a few specific fields to every aspect of our lives. However, we still need to determine how diverse the applications of massively parallel computing will be. The generalized swap test serves as the quantum component of the hybrid quantum–classical framework for measuring them presented by Zeng et al.5 Rawal et al. highlighted several quantum safe cryptosystems and suggested high-performance integration of the central processing unit (CPU), graphics processing unit (GPU), and quantum processing unit (QPU) cloud.6,7
Current research has focused on quantum cloud architectures that support multitenancy as current classical cloud architectures do, while still maintaining a quantum state between quantum processors8 and leveraging machine learning to optimize routing.9,10 This cloud architecture will, by necessity, require both physical cloud quantum infrastructure and associated quantum simulators.11 As such, there will need to be a way to benchmark these platforms’ ability to execute quantum algorithms.12 The authors reported Ring-LWE in Refs. 13 and 14 for a ring with rank n = 1024. Some have questioned the capacity of dimension 512 to guarantee post-quantum security. In other words, overall efforts to maximize error recovery and its analysis have led to improved security while simultaneously increasing efficiency. Although significant obstacles are preventing the extension of similar attacks to Ring-LWE at this time, it appears prudent to take this precaution until lattice cryptanalysis stabilizes.15 With two data processing units (DPUs) connected, Aguilera et al.16 introduced the first quantum-robust, secure end-to-end communication link based on PQC algorithms. In order to handle the computationally demanding cryptographic building blocks (in this example, CRYSTALS-Kyber for key encapsulation and CRYSTALS-Dilithium as the digital signature scheme, combined with the Advanced Encryption Standard using a 256-bit key), both data processing units use on-board ARM processors.
III. TYPES OF CRYPTOGRAPHY
NIST has worked on a list of modern cryptography that includes block ciphers, cryptographic hash algorithms, key establishment, post-quantum cryptography, lightweight cryptography, privacy-enhancing encrypted communication, digital signatures, and random bit generators. Digital signatures are digital prints that ensure that the supposedly authorized signatory really signed and that data were not altered after the signature was obtained.17
A. Symmetric cryptography schemes
Figure 1 shows the pictorial representation of symmetric encryption techniques.
AES is a widely used symmetric encryption algorithm that comes in three key sizes: AES-128, AES-192, and AES-256.
Triple Data Encryption Algorithm (TDEA/Triple DES): The Data Encryption Standard (DES) algorithm is used three times in a row with distinct keys in a symmetric encryption process.
Secure Hash Algorithm (SHA): The cryptographic hash algorithms SHA-1, SHA-128, SHA-256, SHA-384, and SHA-512 are part of this family.
The Message Digest (MD) algorithm is a family of cryptographic hash functions that includes the MD2, MD4, and MD5 hash functions (however, MD5 is regarded as weak and is not advised for new applications).
Keyed-hash-based message authentication codes (HMACs): A technique that enables message integrity and authentication through the integration of a cryptographic hash function (such as SHA) with a secret key.
The International Data Encryption Algorithm (IDEA) is a symmetric block cipher created to take the place of the Data Encryption Standard (DES).
Skipjack: A symmetric block cipher created for the government’s key escrow mechanism, the Clipper chip.
Hash-based functions (HMACs) are symmetric cryptosystems.
B. Asymmetric cryptography schemes18
An asymmetric cryptosystem is considered more secure because we do not have to share our private key or reveal it to a third party. Figure 2 shows the asymmetric cryptography scheme.
C. Digital signature algorithm (DSA)
Elliptic curve digital signature algorithm (ECDSA) is a digital signature algorithm over elliptic curves.
Rivest–Shamir–Adleman (RSA) is a public-key cryptosystem.
Menezes–Qu–Vanstone (MQV) is an authentication scheme for key agreements based on the Diffie–Hellman scheme.
D. Hash-based digital signature schemes
Hash-based cryptosystems depend solely on cryptographic hash functions rather than additional cryptographic assumptions such as number-theory-based hardness. As a result, the opportunity for cryptanalysis is limited. This lessens the system’s overall complexity. In order to attain the desired performance, the hash-based scheme must be flexible in the hash function it chooses because it is intrinsically dependent on the application-specific environment. This technique protects the application from numerous assaults thanks to the collision resistance, pre-image resistance, and second-pre-image resistance properties of hash functions.19,20 Numerous characteristics of the hash-based scheme that are advantageous to the IoT environment are identified by Bernstein et al.21 There are lightweight hash function variants that give IoT applications the choice of appropriate device parameters for resource-constrained devices, which improves network performance. Since the hash functions in hash-based schemes only work in one direction, they are secure with both backward and forward secrecy.22 Buchmann, Dahmen, and Szydlo introduced various hash-based signature schemes.23 The following are the hash-based algorithms: XMSS, Leighton–Micali Signature (LMS), SPHINCS, and BPQS schemes. In this category, NIST selected only SPHINCS+ as the signature scheme.24
Key length matters for cybersecurity; the longer the key, the more secure it is. In a similar way, the longer the process cycle, the more secure it is. However, at the extreme ends of both, speed and performance suffer. As shown in Fig. 3, SPHINCS+ schemes suffer from large signature and verification cycle counts (4.67 × 10^9 cycles).
E. Code-based cryptography
In this system, the one-way function employs an error-correcting code C and computes a condition related to the parity check matrix of C.25 A Goppa code is an error-correcting code built on modular arithmetic, in which a series of integers increases up to a given modulus and then wraps around to zero once it is reached.26 The Classic McEliece cryptosystem is one of the cryptosystems that survived until the third round of NIST’s PQC selection (see also the Matrix Equivalence Digital Signature, MEDS). McEliece’s original PKE was not designed to resist chosen-ciphertext attacks, but the KEM Classic McEliece possesses IND-CCA2 security, which is believed to provide the strongest security for PKI. Figures 4 and 5 show code-based cryptography at NIST levels 1 and 5, respectively. At NIST level 1, we can notice that the public key sizes for the Classic McEliece and Wave schemes are 29.5 and 8 MB, respectively. The signature and verification cycle counts for Wave are 8.1 × 10^9 and 7.5 × 10^9, respectively. At NIST level 5 for Wave, the public key size is 109 MB, signature cycles are 7 × 10^9, and verification cycles are 8.1 × 10^9.
Figures 6 and 7 show lattice-based cryptosystems at NIST levels 1 and 5, respectively. We can see that the public key size is the lowest at 987 bytes for Falcon and the highest at 1 059 000 bytes for the HuFu scheme. The security of the HuFu digital signature technique is predicated on the difficulty of typical worst-case situations on generic lattices.
In comparison with CRYSTALS-Dilithium, HuFu has a somewhat different architecture in addition to not using structured lattices. Among the lattice-based cryptosystems at NIST level 1, EHTv3/EHTv4 have a large signature cycle count of 89.5 × 10^6 and a verification cycle count of 2.5 × 10^6, respectively. On the other hand, at NIST level 5, Raccoon has a large signature cycle count of 135 × 10^6 and a verification cycle count of 4.5 × 10^6, respectively.
F. Lattice-based cryptography
A lattice is a set of points in n-dimensional space with a periodic (regularly repeating) arrangement. Figure 8 shows a two-dimensional lattice.
Formally, given n linearly independent vectors $b_1, \dots, b_n \in \mathbb{R}^n$, the lattice generated by them is the set of vectors23 $L(b_1, \dots, b_n) = \{\sum_{i=1}^{n} x_i b_i : x_i \in \mathbb{Z}\}$.
The LWE-based cryptosystem: It is considered the most efficient lattice-based cryptosystem to date, supported by a theoretical proof of security.13,26
Below is a simplified example of a GGH lattice-based cryptosystem.
Transpose VT = SV = .
Let the message vector be M = (3, −7) and the small error vector be (1, 0).
Encryption:
The ciphertext can be expressed as C = M S^T + e = (−104, −79).
Decryption:
To decrypt, we compute C S^{−1} = (−104/7, −79/3) = (−15.285 71, −26.333 33); lattice coordinates are integers, so after rounding we get (−15, −26). Then M = (−15, −26) V^{−1} = (3, −7).
Its security has a worst-case hardness connection. Lattice-based cryptosystems provide lower computational costs for encryption and decryption than common integer-based cryptosystems. The random key generation process relies on hard problems.23
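The GGH encrypt/round/decrypt cycle above, as an added worked example that is not code from the paper: the private basis V, the unimodular mixing matrix U and the public basis W = U·V are constructed here (the paper's own matrices are not printed), while the message M = (3, −7) and error e = (1, 0) follow the text. It also shows the failure mode the rounding step implies: an error that is too large relative to the private basis decrypts to the wrong message.

```python
# Toy GGH-style lattice encryption with exact rational arithmetic.
# Constructed example: basis matrices below are assumptions, not the paper's.
from fractions import Fraction


def matmul(X, Y):
    """Row-major matrix product."""
    return [[sum(X[i][k] * Y[k][j] for k in range(len(Y)))
             for j in range(len(Y[0]))] for i in range(len(X))]


def vec_mat(v, X):
    """Row vector times matrix."""
    return [sum(v[k] * X[k][j] for k in range(len(v))) for j in range(len(X[0]))]


def inverse(X):
    """Gauss-Jordan inverse over Fractions; raises if X is singular."""
    n = len(X)
    aug = [[Fraction(v) for v in row] + [Fraction(int(i == j)) for j in range(n)]
           for i, row in enumerate(X)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col] != 0), None)
        if pivot is None:
            raise ValueError("singular basis")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        p = aug[col][col]
        aug[col] = [v / p for v in aug[col]]
        for r in range(n):
            if r != col and aug[r][col] != 0:
                f = aug[r][col]
                aug[r] = [a - f * b for a, b in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def round_vec(v):
    """Babai rounding: nearest integer, coordinate by coordinate."""
    return [round(Fraction(x)) for x in v]


# Private "good" basis: short, nearly orthogonal rows (constructed).
V_PRIVATE = [[7, 1], [1, 5]]
# Unimodular mixing matrix (determinant 1) that hides V in the public basis.
U_MIX = [[2, 1], [1, 1]]
# Public "bad" basis W = U * V generates exactly the same lattice as V.
W_PUBLIC = matmul(U_MIX, V_PRIVATE)      # [[15, 7], [8, 6]]


def encrypt(message, error, W=W_PUBLIC):
    """Ciphertext C = M*W + e: a lattice point displaced by a small error."""
    return [a + b for a, b in zip(vec_mat(message, W), error)]


def decrypt(cipher, V=V_PRIVATE, U=U_MIX):
    """Round C*V^-1 to the integer coordinates M*U, then strip U.
    Correct only while the error is small relative to the private basis."""
    coords = round_vec(vec_mat(cipher, inverse(V)))
    return [int(x) for x in vec_mat(coords, inverse(U))]


if __name__ == "__main__":
    msg, err = [3, -7], [1, 0]
    ct = encrypt(msg, err)
    print("ciphertext", ct, "-> decrypted", decrypt(ct))
    print("oversized error e=(9,0) decrypts to", decrypt(encrypt(msg, [9, 0])))
```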
IV. WHY DO WE NEED TO CONSIDER PQC NOW?
For different applications, different block cipher modes are utilized. Depending on the type of application, security levels may vary and can be divided into high, medium, and low.27,28 National security communication requires high security; chatrooms and social networking software may work with medium security. For low security priority applications, the speed of data is more important. We can increase security simply by increasing block size, key size, or the number of rounds. In addition, by compressing data, we can minimize data loss.27 Data compression is handled before the encryption process.
In 1994, Shor discovered a quantum algorithm for factoring and for computing discrete logarithms. This algorithm has the capability of breaking the most widely used public key exchange cryptosystems. The development of Grover’s method demonstrated that quantum computers outperform conventional computers in searching databases by a square-root factor.29 If quantum computers become widely available, there will be a requirement to protect information recorded before the quantum era.30 Grover’s algorithm reduces the time required quadratically; doubling the key size restores the security level.
Shor’s algorithms can break the following cryptosystems: RSA, Diffie–Hellman key exchange, elliptic curve cryptosystems, Buchmann–Williams key exchange, and algebraic homomorphic encryption.
When are we expecting the availability of large quantum computers? 10, 15, or 20 years, depending on the speed of technological advancements.
Why do we have to act now?
Development and standardization take time.
Improvement also takes time.
It takes time to build confidence in PQC.
It takes time to improve the usability of PQC.
In 2022, NIST announced the list of PQC.
The following cryptographic algorithms have not been broken by quantum computing techniques yet: the Advanced Encryption Standard (AES), the recent versions of SHA, McEliece public-key encryption, NTRU public-key encryption, and lattice-based public-key encryption.
In addition, there are some additional recently developed cryptosystems and less popularly used cryptosystems.
V. CURRENT WIDELY USED CRYPTOSYSTEMS
Here, we give a brief overview of two popular cryptosystems: AES (symmetric) and RSA (asymmetric).
The AES encryption steps are shown in Fig. 9. Initiate the process by generating a random secret key, add it to the plaintext, and perform nine rounds of the following steps: (1) substitute byte, (2) shift rows, (3) mix columns, and (4) add round key. In the final tenth round, we only execute the following three steps: (1) substitute byte, (2) shift rows, and (4) add round key.
The steps of the RSA algorithm are as follows:
Select two fairly large distinct prime numbers p and q (p ≠ q), for example, of 300 digits each.
Calculate n = p × q.
Calculate φ(n) = (p − 1) × (q − 1).
Select e such that e is co-prime to φ(n), i.e., gcd(e, φ(n)) = 1 and 1 < e < φ(n).
Calculate d such that ed ≡ 1 (mod φ(n)), i.e., d = e^{−1} mod φ(n).
Public key (e, n) and private key (d, n) (e is the encryption key, n is the block size, and d is the decryption key).
Find the ciphertext (C) using the following formula:
C = A^e mod n.
The plaintext (A) can be obtained using the following formula:
A = C^d mod n.
This algorithm works based on the assumption of a hard problem: if n is large enough, up to 300–400 digits, a regular computer will take years to factor out p and q from n.
RSA is good when you are sharing keys with a small number of users. When sharing a symmetric key with a large group, the possibility of exposure to an unauthorized user is higher. RSA is mainly used to share encryption keys, not for encrypting large data; the shared key is then used for symmetric encryption of the large data. RSA is slower compared to a symmetric cryptosystem. Some implementation challenges are discussed in the following blogs.1,31
A. Diffie–Hellman key exchange
In 1976, Whitfield Diffie and Martin Hellman published their work on practical public key exchange for encrypting and decrypting, and it is now in widespread use.32,33 The Diffie–Hellman key exchange steps are reproduced following Refs. 32 and 34. Figures 10 and 11 show a simple illustration of the key generation and decryption processes.
Select a prime number q and α (α is a primitive root of q).
Alice’s key generation:
Select X_A with X_A < q.
Derive public Y_A:
Y_A = α^{X_A} mod q.
Y_A is shared with user B.
Bob’s key generation:
Select X_B with X_B < q.
Derive public Y_B:
Y_B = α^{X_B} mod q.
Y_B is shared with user A.
Derivation of the secret key by user A:
K = (Y_B)^{X_A} mod q.
Derivation of the secret key by user B:
K = (Y_A)^{X_B} mod q.
VI. POST-QUANTUM CRYPTOGRAPHY
Recently, NIST has selected four cryptosystems: CRYSTALS-Kyber, CRYSTALS-Dilithium, CRYSTALS-Falcon, and SPHINCS+. CRYSTALS-Kyber is for use in general encryption. It offers several benefits, including the fact that two parties can exchange relatively modest encryption keys and maintain the required speed of operation. It is faster among cross-platforms, and it is designed for efficient constant time implementation with the same optimized routines across all parameter sets.
The term robustness was introduced to describe Kyber’s resilience in post-quantum cryptography (PQC) (as discussed in Ref. 35). Robustness ensures that it is impossible to create a ciphertext that decrypts correctly under two different private keys. Fortunately, a proof exists36 that a robust hybrid Public Key Encryption (PKE) scheme can be built by combining a hybrid KEM with a suitably robust data encapsulation mechanism (DEM), as stated in Ref. 37. In other words, combining a hybrid KEM with a strongly random and robust DEM can yield a post-quantum strongly anonymous and robust PKE.38
A. CRYSTALS-Kyber
Kyber originated from the seminal LWE-based crypto scheme of Regev. It is designed to provide secure encryption operations that are resistant to attacks from quantum computers. Here is an overview of how CRYSTALS-Kyber works:35,39
CRYSTALS-Kyber uses a set of parameters to define the security level and efficiency of the scheme. The parameters include the dimension of the underlying lattice, the number of rounds for the encryption algorithm, and the number of bits used for public keys, secret keys, and ciphertexts. The specific values of these parameters can be chosen based on the desired security level.
For a more detailed understanding, you can refer to the specific research papers or documentation related to CRYSTALS-Kyber.35
CRYSTALS-Kyber key generation: A (public matrix) · s (secret key) + e (small error term) = t (public key); α, β, and θ below are small error/randomness terms.
V = t·α + β + m.
U = A·α + θ.
D = V − s·U.
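A toy plain-LWE instance of the three equations above (V = t·α + β + m, U = A·α + θ, D = V − s·U), added here as an illustration and not CRYSTALS-Kyber itself: it works on integer vectors mod q = 3329 (the modulus from Table I) instead of module polynomials, encrypts one bit per ciphertext, and uses the row-vector convention t = s·A + e so that the three equations cancel exactly as written; the dimension N = 8 and the seeds are constructed values.

```python
import random

Q = 3329                 # Kyber's coefficient modulus q (Table I)
N = 8                    # toy dimension; constructed, not a Kyber parameter
HALF_Q = (Q + 1) // 2    # a message bit m is encoded as m * round(q/2)


def small(rng, n):
    """Small secret/error entries in {-1, 0, 1} (toy stand-in for Kyber's
    centred binomial distribution)."""
    return [rng.choice((-1, 0, 1)) for _ in range(n)]


def vec_mat(v, A):
    """Row vector times matrix, reduced mod q."""
    return [sum(v[i] * A[i][j] for i in range(len(v))) % Q for j in range(len(A[0]))]


def mat_vec(A, v):
    """Matrix times column vector, reduced mod q."""
    return [sum(A[i][j] * v[j] for j in range(len(v))) % Q for i in range(len(A))]


def dot(a, b):
    return sum(x * y for x, y in zip(a, b)) % Q


def keygen(seed):
    """pk = (A, t) with t = s*A + e; sk = s."""
    rng = random.Random(seed)
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(N)]
    s = small(rng, N)
    e = small(rng, N)
    t = [(x + y) % Q for x, y in zip(vec_mat(s, A), e)]
    return (A, t), s


def encrypt_bit(pk, bit, rng):
    """U = A*alpha + theta, V = t*alpha + beta + m, with m = bit * q/2."""
    A, t = pk
    alpha, theta = small(rng, N), small(rng, N)
    beta = rng.choice((-1, 0, 1))
    U = [(x + y) % Q for x, y in zip(mat_vec(A, alpha), theta)]
    V = (dot(t, alpha) + beta + bit * HALF_Q) % Q
    return U, V


def decrypt_bit(sk, ct):
    """D = V - s*U = m*q/2 + (e*alpha + beta - s*theta). The bracketed noise is
    at most 2N+1 = 17 here, far below q/4, so rounding D recovers the bit."""
    U, V = ct
    D = (V - dot(sk, U)) % Q
    centred = D if D <= Q // 2 else D - Q      # map D into (-q/2, q/2]
    return 1 if abs(centred) > Q // 4 else 0


def bit_roundtrip(bit, key_seed=1, enc_seed=2):
    pk, sk = keygen(key_seed)
    return decrypt_bit(sk, encrypt_bit(pk, bit, random.Random(enc_seed)))


def bytes_roundtrip(data, key_seed=1, enc_seed=2):
    """Encrypt every bit of `data` as its own (U, V) ciphertext, decrypt, and
    return the recovered bytes."""
    pk, sk = keygen(key_seed)
    rng = random.Random(enc_seed)
    cts = [encrypt_bit(pk, (byte >> i) & 1, rng) for byte in data for i in range(8)]
    bits = [decrypt_bit(sk, ct) for ct in cts]
    return bytes(sum(bits[8 * k + i] << i for i in range(8)) for k in range(len(data)))


if __name__ == "__main__":
    print(bytes_roundtrip(b"PQC"))
```

The per-bit ciphertext here is N + 1 integers mod q, which already hints at why Kyber's ciphertexts and keys are larger than those of RSA or Curve25519 (Figs. 12–15).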
Table I provides the different flavors of CRYSTALS-Kyber and the level of security.
Name | n (degree of polynomial) | k (size of vector) | q (coefficient modulus) | Security level
---|---|---|---|---
Kyber512 | 256 | 2 | 3329 | AES-128
Kyber768 | 256 | 3 | 3329 | AES-192
Kyber1024 | 256 | 4 | 3329 | AES-256
Figure 12 shows the comparison of the byte size of private key, public key, and ciphertext of Curve25519, RSA 3072, and Kyber 512.
The elliptic curve Diffie–Hellman (ECDH) key agreement mechanism is intended to be used with Curve25519 (ECC), which provides 128 bits of security (256-bit key size). Having no known pattern, it is one of the fastest ECC curves.41
Figure 13 shows byte sizes for the highest security level. We can notice that brainpoolP512r1 outperforms RSA 5360 and Kyber 1024.
Figure 14 shows the speed comparison among Curve25519, RSA 5360, and Kyber 1024. We can clearly see that Kyber 1024 outperforms the other two by many folds in terms of speed.
Figure 15 illustrates the comparison of the size of a private key, a public key, and a ciphertext. We can notice that Kyber families have exceptionally large sizes.
The security provided by Kyber is designed to correspond to that of AES. However, there is some disagreement in the security community about the actual level of security provided. We expect that these discussions will determine actual security levels.37
B. CRYSTALS-Falcon
Fernandez-Carames and Fraga-Lamas introduced the GPV framework in 2008.42 Falcon makes use of two major mathematical frameworks (NTRU lattices and fast Fourier sampling). Falcon is an abbreviation for Fast-Fourier Lattice-based Compact Signatures over NTRU.
The high-level GPV framework is reproduced here.42 The public key is a long basis of a q-ary lattice.
The private key is (essentially) a short basis of the same lattice.
In the signing procedure, the signer does the following:
Generates a random value salt.
Computes a target c = H(msg||salt), where H is a hash function sending input to a random-looking point (on the grid).
Uses his knowledge of a short basis to compute a lattice point v close to the target c.
Outputs (salt, s), where s = c − v.
The verifier accepts the signature (salt, s) if and only if the following holds:
The vector s is short.
H(msg||salt) − s is a point on the lattice generated by his public key.
Falcon offers the following features:
Falcon employs a Gaussian sampler, which ensures that information leakage is minimal and signatures are far shorter than in any lattice-based signature technique. It is five to ten times quicker on standard PCs since it employs Fourier sampling. The discrete wavelet transform is also less computationally complex, taking O(N) time as compared to O(N log N) for an n degree polynomial. Falcon employs 30 kbytes of RAM, resulting in better RAM economy and speed. In terms of traditional security, Falcon-512 is basically equal to RSA-2048, whose signatures and public keys each occupy 256 bytes.43
Figure 16 shows a lattice over the cyclotomic ring R, which is used for Falcon’s parameter calculations.
The snapshot of the Falcon cryptosystem is reproduced here following Ref. 44.
Falcon works over the cyclotomic ring R = Z_q[x]/(x^n + 1).
Keygen (): Generate matrices A and B with coefficients in R such that
→ BA = 0
→ B has small coefficients
pk ← A
sk ← B
Sign (m, sk) (performed using FFT)
Compute c such that cA = H(m)
v ← “a vector in the lattice Λ(B), close to c”
s ← c − v
The signature sig is s = (s1, s2)
Verify (m, pk, sig)
Accept if:
s is short
sA = H(m)
The main design goal is compactness: to minimize |pk| + |sig|.
Falcon, too, has its limitations. These are implementation-related requirements that, strangely, only apply to the signer. Implementation is difficult: Falcon’s underlying challenge is that Fourier sampling is both difficult to understand and difficult to implement. When considering implementation on limited hardware, particularly devices without a floating-point unit, a key limitation is floating-point arithmetic. It is uncertain how to defend against side-channel attacks, since Falcon uses discrete Gaussian sampling over the integers extensively.44
C. CRYSTALS-Dilithium
The CRYSTALS (Cryptographic Suite for Algebraic Lattices) family of algorithms contains the CRYSTALS-Dilithium digital signature scheme, whose security rests on how difficult it is to find short vectors within lattices.4 It makes use of the complexity of the Learning With Errors (LWE) problem.39 When compared to other digital-signature algorithms, the costs of its key generation, signature generation, and signature verification are evenly balanced. As a result, optimizing CRYSTALS-Dilithium’s NTT-based polynomial multiplication algorithm45 is critical.
The template for the CRYSTALS-Dilithium signature scheme is reproduced here.33
Gen
  A ← R_q^{k×l}
  (s_1, s_2) ← S_η^l × S_η^k
  t ≔ A s_1 + s_2
  return (pk = (A, t), sk = (A, t, s_1, s_2))
Sign(sk, M)
  z ≔ ⊥
  while z = ⊥ do
    y ← S_{γ_1−1}^l
    w_1 ≔ HighBits(Ay, 2γ_2)
    c ∈ B_60 ≔ H(M‖w_1)
    z ≔ y + c s_1
    if ‖z‖_∞ ≥ γ_1 − β or ‖LowBits(Ay − c s_2, 2γ_2)‖_∞ ≥ γ_2 − β, then z ≔ ⊥ (rejection sampling, so that the loop repeats with fresh y)
  return σ = (z, c)
Verify(pk, M, σ = (z, c))
  w′_1 ≔ HighBits(Az − ct, 2γ_2)
  return [‖z‖_∞ < γ_1 − β] and [c = H(M‖w′_1)]
D. SPHINCS+
SPHINCS+ is a hash-based signature scheme that utilizes few-time signature (FTS) schemes. This method uses a so-called hyper-tree to authenticate a large number of key pairs with few-time signatures. Few-time signature schemes enable a key pair to generate only a limited number of signatures. For every new message, a pseudo-random FTS key pair is chosen to sign it. The FTS signature and the authentication data for that FTS key pair make up the signature. A hyper-tree signature, i.e., a signature using the certification tree of a Merkle tree signature, represents the authentication information. Figure 17 shows the comparison of key size with Falcon for security level 1.
VII. PROPOSED APPROACHES FOR PQC
A. No-sum (NS) sequence
In addition, α is the value of the first element in this sequence, and α > 2. The cases α = 1 and α = 2 are special; for them, it is straightforward to form the sequence with the formulas below, respectively.
Period: Its period is defined as the number of elements over which it leaps once.
Amplitude: Its amplitude measures how intensively it leaps, which is defined as given in the following equation:
First node: The value of the first node is obtained as per the following equation:
B. N-th order Recursive Exponent (NRE) sequence28,41
C. Augmenting current RSA
From the RSA steps in Sec. V, the public key is (e, n) and the private key is (d, n) (e is the encryption key, n is the block size, and d is the decryption key).
We will hide the public key using NS sequences.
Let us assume that the original public key is (3, 17).
The new public key is (7.609 880 231 320 6 × 10^158, 12 028). When we start the NS sequence with 3, we get the value 1336, and in our case, we get 12 028 as the 17th element. In practice, RSA uses the fixed value e = 65 537.
NRE sequence {3^3, 3^33, 3^333, 3^3333}.
First element: 3^3, second: 3^33, and third: 3^333.
3^333 = 7.609 880 231 320 6 × 10^158.
In this process, the NRE sequence will be used to identify the starting point of the NS sequence, and from the value of the NS sequence (12 028), the position of the element in the NS sequence will be determined. In this case, value (12 028) is the 17th element of the NS sequence, whose starting value is 3. The starting value of the NS sequence is always the base of the NRE sequence (Table II).
Position | NS value (α = 3)
---|---
1 | 3
2 | 4
3 | 5
4 | 6
5 | 16
6 | 17
7 | 49
8 | 50
9 | 148
10 | 149
11 | 445
12 | 446
13 | 1336
14 | 1337
15 | 4009
16 | 4010
17 | 12 028
18 | 12 029
19 | 36 085
20 | 36 086
(The first one million elements of the sequence can be shared with the source code upon request.)
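A generator that reproduces Table II and the key-hiding step of Sec. VII C, added here as an illustration and not the authors' source code. Because the NS formulas are not printed on this page, the generating rule is an inference from the table, not a statement of the paper: starting from α, each next element is the smallest integer larger than the previous one that is not a sum of distinct earlier elements. Likewise the NRE element 3^333 is read as "3 raised to 333" (repeating the base three times), which matches the quoted 7.6 × 10^158; both readings are assumptions.

```python
# No-sum (NS) sequence and the NS/NRE public-key hiding step.
# Assumption (inferred from Table II): an NS element is never a subset sum of
# the elements before it.


def ns_sequence(alpha, count):
    """First `count` elements of the NS sequence starting at alpha (alpha > 2)."""
    seq, sums, candidate = [], {0}, alpha   # sums = every subset sum so far
    while len(seq) < count:
        if candidate not in sums:
            seq.append(candidate)
            sums |= {s + candidate for s in sums}
        candidate += 1
    return seq


def ns_position(alpha, value):
    """1-based position of `value` in the NS sequence started at alpha,
    or None if `value` is not an element (i.e. it is a subset sum)."""
    seq, sums, candidate = [], {0}, alpha
    while candidate <= value:
        if candidate not in sums:
            seq.append(candidate)
            if candidate == value:
                return len(seq)
            sums |= {s + candidate for s in sums}
        candidate += 1
    return None


def nre_element(base, k):
    """k-th NRE element, read from the page as base^(base's digit repeated k
    times): for base 3, k = 3 gives 3^333 (assumption, see lead-in)."""
    return base ** int(str(base) * k)


def hide_public_key(e, n, k=3):
    """(e, n) -> (NRE element of base e, n-th NS element started at e).
    With (3, 17) this reproduces the page's (3^333, 12 028)."""
    return nre_element(e, k), ns_sequence(e, n)[-1]


def recover_public_key(hidden, k=3):
    """Invert hide_public_key: the NRE value identifies the NS starting point e,
    and the position of the NS value gives n. Assumes a single-digit base."""
    nre, ns_value = hidden
    for base in range(3, 10):
        if nre_element(base, k) == nre:
            return base, ns_position(base, ns_value)
    return None


if __name__ == "__main__":
    print(ns_sequence(3, 20))
    print(hide_public_key(3, 17)[1], recover_public_key(hide_public_key(3, 17)))
```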
VIII. IMPACT OF PQC ON NETWORK AND VEHICULAR COMMUNICATIONS
PQC has larger key sizes and less mature hardware than classical cryptography methods, which can cause latency issues. In addition, as we noticed in the performance section, PQC needs billions of cycles for encryption and verification. The encryption and decryption of PQC will impact vehicles moving at higher speeds and connecting with different communication towers. For example, if the handshake process is initiated with one tower and, owing to delays in encryption and decryption, the vehicle moves into the range of another tower before the protocol handshake is completed, the original connection will be terminated. Current public key cryptography might be replaced with CRYSTALS-Kyber, which offers robust, standardized security at the expense of larger keys. Larger key sizes, used in particular in authentication, could create higher traffic and higher storage needs.50 Some challenges were mentioned in earlier sections of this paper.
Initial planning: It takes time to migrate to PQC successfully. It is recommended that organizations get ready right now.
Cybercriminals might target data that have to be protected in the future, so early action is necessary.51
Updating legacy cryptographic products: A large number of cryptographic protocols, products, and services (including RSA, ECDH, and ECDSA) rely on public key algorithms. It will be necessary to update, swap out, or modify these in order to use quantum resistant PQC algorithms.52
The PQC transition goes beyond generic networks.
Legacy systems and critical national infrastructure (CNI) are also impacted. Using cryptography on devices with limited resources is one challenge.53
To resolve this problem in such a scenario, each communicating tower has to broadcast neighboring tower TCB records along with the routing information.54 Figures 18–20 illustrate four instances where a delay in communication with aerial vehicles, such as satellites, might lead to calamity.9
The ground network is severely congested, as depicted in Fig. 19, and the only communication options are high-speed aerial vehicles such as jet planes. The loss of connectivity can be brought on by errors in encryption and decryption.
In addition, in situations such as the big mountain depicted in Fig. 20, vehicles connecting with the ground may take longer than expected to give the proper direction to people on the ground.
IX. SECURITY CHALLENGES WITH PQC
IoT networks use security protocols with considerably smaller key sizes (normally 128–4096 bits), while PQC key sizes range from a couple of thousand KB to MB, which will demand higher computing power. This will be challenging to process on resource-constrained devices, such as IoT devices.
There is a possibility of implementation error by the software developer due to the complex mathematical algorithm involved.
There exist challenges for real time computing services to synchronize communication with software and hardware.
There is a need to redesign the QoS standard for resource constrained devices.
Since quantum algorithms consume resources and energy and add delays, challenges may arise in optimizing real-time communication systems, which require high accuracy and faster key exchange, whether for public-key encryption or digital signatures.
There is a need for new agreed-upon distributed network architectures that help loop optimization and register optimization techniques.
A. Side channel attacks (invasive attacks and non-invasive attacks)
Figure 21 presents the types of side channel attacks. Side channel attacks can be divided into two major classes: invasive and non-invasive.
Non-invasive attacks could be logical, remote, and physical proximity. A non-invasive side-channel attack does not physically meddle with the device in question but instead causes harm via employing timing assaults, power analysis, electromagnetic attacks, and other techniques. In this attack, the attacker exploits weaknesses in implementation or environment rather than mathematical structures.55–57
According to Kocher, timing attacks can be carried out on RSA, DSS, Diffie–Hellman, and other cryptosystems. In addition, Brumley and Boneh state that timing attacks are still practical. The researchers also mentioned key recovery timing attacks on post-quantum primitives.58
X. RECOMMENDED SOLUTION WITH SPLIT PROTOCOL
Figure 22 shows an architecture for splitting tasks into two clone servers. The technical details are explained in the published paper.54
Figure 22 presents the high level dual NIC card architecture, where the C port handles only cryptographic functions and the D port handles the data part. Cryptominers are specialized in hashing functions and can offer 8.3 Exa hashes/s.59 Since both NIC cards are connected to the same devices, there will be a negligible delay in communication (Fig. 23).
Figure 24 shows the registration process for receivers and senders.
Figure 25 shows the uploading ciphertext and downloading plaintext wrapped within quantum safe crypto with the help of the PQCShare system.
Figure 26 shows the NRES deciphering process at the receiver’s end.
XI. CONCLUSION
It is too early to draw a conclusion since we are in the preliminary stages of exploration and standardization, but we observed in PQC that great security comes with an increase in key length, which could delay the handshake process and have an impact on the performance of the system. In addition, we expect the hardware to scale in performance and speed. We can see that several solutions exist to overcome the large key sizes, software and hardware faults, and malfunctions due to the complex implementation of PQC.
We proposed other cryptographic primitives to make the most popular cryptosystems quantum safe. We suggest adding additional security for smaller lattice based PQC systems so that our current network system can handle them without significant delays.
ACKNOWLEDGMENTS
We thank Lodewijk Brand and David Bate for the helpful discussion on various topics of high-performance computing and quantum cryptography and for the detailed reviews and proofreading of the paper. This work was supported by NIWC and ONR’s summer fellowship program.
AUTHOR DECLARATIONS
Conflict of Interest
The authors have no conflicts to disclose.
Author Contributions
Bharat S. Rawal: Conceptualization (equal); Formal analysis (equal); Investigation (equal); Validation (equal); Writing – original draft (equal); Writing – review & editing (equal). Peter J. Curry: Formal analysis (equal); Investigation (equal); Supervision (equal); Writing – original draft (equal); Writing – review & editing (equal).
DATA AVAILABILITY
The data that support the findings of this study are available within the article.