Preparing today for a post-quantum cryptographic future

Post-quantum cryptography aims to develop new standards for public-key cryptography that quantum computers can't crack.

Recently, the National Institute of Standards and Technology (NIST) [completed the third round](https://csrc.nist.gov/publications/detail/nistir/8413/final) of its post-quantum-cryptography standardization process. It is still early days for quantum computing, but the technology holds great promise for benefiting society with a deeper understanding of fundamental physics and faster solutions to difficult computational problems. Like many powerful new technologies, it is also subject to unintended consequences, and some have speculated that if a large enough quantum computer were built in the future, it could break the public-key cryptographic algorithms used to protect our data today.

For some time, NIST, Amazon, and the broader scientific community have been working on new public-key algorithms that can withstand the post-quantum future. Historically, it takes about 20 years to replace dependencies on widely deployed high-assurance cryptographic algorithms. At Amazon, we know the value of long-term thinking, and we routinely make big long-term investments in availability and security based upon our belief about where the world is going.

For example, several years ago we made the decision to invest in designing our own chips, at significant cost and effort, which had the effect of giving AWS customers meaningfully improved security and performance, while also giving users of Alexa snappier responses to their questions. Post-quantum cryptography is another example of an area where we are investing for our customers’ future.

![Figure](https://dev-media.amazoncloud.cn/5c72690ad3f34fc2b3d598e599f6bc15_%E4%B8%8B%E8%BD%BD.jpg)

Amazon contributed to the proposal for SPHINCS+, a cryptographic-signature scheme that involves hash functions, one-time signatures (OTS), and few-time signatures (FTS). Figure adapted from "[The SPHINCS+ signature framework](https://sphincs.org/data/sphincs+-paper.pdf)".

As part of its most recent findings, NIST announced that it had selected a finalist for a key establishment algorithm (Crystals Kyber) and three finalists for digital-signature algorithms — including SPHINCS+, to which Amazon contributed. This paves the way for the forthcoming standardization of these technologies.

NIST also indicated that it would evaluate additional algorithms for key establishment in its fourth round, including SIKE and BIKE, which Amazon team members contributed to. Amazon is also involved with industry peers in projects and standardization efforts like the [ETSI QSC](https://www.etsi.org/technologies/quantum-safe-cryptography) Technical Committee, the [IETF](https://www.ietf.org/), the [Open Quantum Safe](https://openquantumsafe.org/) initiative, and NIST NCCoE PQ Migration, which is taking important steps toward broad adoption of post-quantum cryptography.

#### **Post-quantum crypto on AWS**

As the newer approaches make their way through the standards process, Amazon is also evolving AWS to give customers the option of evaluating post-quantum algorithms alongside traditional algorithms, so we can optimize the performance of these algorithms on AWS. We have already contributed to a [draft standard](https://datatracker.ietf.org/doc/html/draft-ietf-tls-hybrid-design) on post-quantum hybrid key exchange and implemented and deployed that community-developed specification in [s2n-tls](https://github.com/aws/s2n-tls), which implements the Transport Layer Security (TLS) protocol across AWS.

We have also deployed post-quantum s2n-tls with [AWS Key Management Service (KMS) and AWS Certificate Manager (ACM)](https://aws.amazon.com/about-aws/whats-new/2022/03/aws-kms-acm-support-latest-hybrid-post-quantum-tls-ciphers/) and [AWS Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/data-protection.html) TLS endpoints — bringing the benefits of post-quantum cryptography to customers who enable hybrid post-quantum TLS in their AWS SDK to connect to those services. All told, we are working toward our goal of providing customers post-quantum technologies in multiple AWS services by 2024, so our customers can experiment with them and prepare for a post-quantum future.

The security of our customers’ data is job zero at Amazon. To us this means anticipating what the future might hold and preparing our customers for potentially disruptive technologies. As we look forward to the huge potential breakthroughs heralded by quantum computing, our customers can also rest assured that we are peering around corners on their behalf and preparing to keep their data safe for as long as they need it.

You can read more about our research and standardization work in the links below:

- [ETSI CYBER; Quantum-safe Hybrid Key Exchanges](https://www.etsi.org/deliver/etsi_ts/103700_103799/103744/01.01.01_60/ts_103744v010101p.pdf)
- [Hybrid key exchange in TLS 1.3](https://datatracker.ietf.org/doc/html/draft-ietf-tls-hybrid-design)
- [Use of Post-Quantum KEM in the Cryptographic Message Syntax (CMS)](https://datatracker.ietf.org/doc/html/draft-turner-lamps-nist-pqc-kem-certificates)
- [Algorithms and Identifiers for Post-Quantum Algorithms in the Internet X.509 Public Key Infrastructure](https://datatracker.ietf.org/doc/html/draft-massimo-lamps-pq-sig-certificates)
- [Post-quantum Hybrid Key Exchange in SSH](https://raw.githubusercontent.com/csosto-pk/pq-ssh/master/draft-kampanakis-ssh-pq-ke.txt)
- [Suppressing CA Certificates in TLS 1.3](https://datatracker.ietf.org/doc/html/draft-kampanakis-tls-scas-latest)
- [On constant-time QC-MDPC decoding with negligible failure rate](https://eprint.iacr.org/2019/1289)
- [QC-MDPC decoders with several shades of gray](https://eprint.iacr.org/2019/1423)
- [Fast polynomial inversion for post quantum QC-MDPC cryptography](https://eprint.iacr.org/2020/298)
- [On the Applicability of the Fujisaki-Okamoto Transformation to the BIKE KEM](https://eprint.iacr.org/2020/510)
- [Prototyping post-quantum and hybrid key exchange and authentication in TLS and SSH](https://eprint.iacr.org/2019/858)
- [Security of hybrid key encapsulation](https://www.amazon.science/publications/security-of-hybrid-key-encapsulation)
- [Faster post-quantum TLS handshakes without intermediate CA certificates](https://www.amazon.science/publications/faster-post-quantum-tls-handshakes-without-intermediate-ca-certificates)
- [PQ-HPKE: Post-Quantum Hybrid Public Key Encryption](https://eprint.iacr.org/2022/414)

ABOUT THE AUTHOR

#### **[Matthew Campagna](https://www.amazon.science/author/matthew-campagna)**

Matthew Campagna is a senior principal security engineer with Amazon Web Services.