The capability to secure communication networks relies fundamentally on the availability of secure cryptographic primitives, which enable authentication, confidentiality, and integrity. The canonical starting point to establish secure communication channels is the execution of a protocol that authenticates all involved users/devices and establishes a common secret key among them. This task is referred to as authenticated group key establishment (AGKE).

Reflecting the importance of AGKE, there is a substantial body of literature discussing solutions of this task. Despite the differences among the cryptographic techniques that have been considered, there is a remarkable commonality. The security analysis usually assumes that a particular problem from computational number theory cannot be solved efficiently with existing tools. The dominating assumption is named after W. Diffie and M. Hellman and enables efficient AGKE solutions, even for large groups of users. However, the hardness assumptions in common use today—including the ubiquitous Diffie-Hellman assumption—fail in the presence of scalable quantum computing. Technological progress makes quantum computing a realistic possibility, and a search for quantum-safe cryptographic solutions has started. NSA already revised its Suite B of cryptographic algorithms and announced the need to pass to quantum-safe solutions, and NIST has initiated a new standardization process, focusing on basic cryptographic tasks.

Currently we lack a drop-in replacement for the original construction of Diffie and Hellman, and promising quantum-safe building blocks come with performance penalties such as larger memory requirements or additional communication rounds. Moreover, it is not fully clear to what extend the development of known or new quantum algorithms will impact this implementation requirements. In this project  we will design and implement solutions for quantum-safe authenticated group key establishment. More specifically, we will

  • Develop general techniques and concrete efficient protocols for quantum-safe AGKE. This includes a thorough cryptographic analysis to establish provable security guarantees and adequate modelling of adversaries with access to quantum technology. Note that even assuming that quantum computing is of no help in solving the mathematical problems on which  a cryptographic protocol is fundamented,  further analysis is needed to attest that this protocol is quantum-safe  (as classical security proofs do not always hold in extended models encompassing quantum computation).
  • Develop techniques for securely implementing quantum-safe AGKE protocols and provide actual secure implementations on different target platforms. Using techniques from runtime verification, we will defend against attacks on the implementation level during runtime.
  • Develop efficient hybrid solutions for AGKE. These remain secure as long as one of two hardness assumptions remains valid. This offers a pragmatic way to test quantum-safe candidate constructions, even before we can choose their parameters as confidently as for today’s schemes.

For the concrete instances, tailored to be efficient, we anticipate solutions using either lattice techniques or tools from code-based cryptography; we have experts for both areas in the project team. To ensure that the protocol implementations will not be weakened during protocol execution, e.g., through fault induction, we plan to implement techniques from runtime verification. Through consulting with subject experts and users from academia and industry, we will ensure that our security analyses and implementation-level security measures meet practical needs. It can be expected that a number of operations that we have to implement securely, occur in other cryptographic contexts as well, so that in particular the implementation practices and techniques can be leveraged to protect software implementations of cryptographic protocols for a broader spectrum of applications. The participating teams are chosen to have complementary experiences -- AGKE, quantum cryptanalysis, implementation on different platforms, and runtime verification. In particular, we plan to use this project to train young scientists from Malta in quantum-safe cryptography, and students from the participating NATO countries will learn about state-of-the art techniques for securing software through verification techniques at runtime.