• Home
  

• WP1
  
• WP2
  
• WP3
  

• Deliverables, preprints and reprints
  
• Libraries
  
• NIST submissions
  
• Presentations
  
• Press releases
  
• Recommendations
  

• PQCRYPTO Mini-School and Workshop
  
• PQC event 2018
  
• PQCRYPTO school
  
• Miniworkshop 2016
  

• Partners
• Advisory board

• Whom to contact
• Disclaimer

WP2: Post-quantum cryptography for the Internet

For years 1024-bit RSA was the most popular cryptographic system for “secure” Internet connections. Efforts to force a switch to 2048-bit RSA were met with widespread objections. Ten years after academics and even the RSA company recommended the switch, HTTPS has finally moved to larger key sizes; but DNSSEC still uses 1024-bit RSA, and most Internet web sites do not even support HTTPS.

One part of the problem is that busy Internet servers are subject to tremendous performance pressures: often a single server is required to handle tens of thousands of clients every second. Another part of the problem is on the client side: 2048-bit RSA is acceptably fast on an idle laptop but is much more trouble for a low-power mobile phone. Yet another part of the problem is on the network: 2048-bit RSA keys consume twice as much space as 1024-bit RSA keys, often overflowing the limited packet space available in common Internet protocols such as DNS.

Elliptic Curve Cryptography (ECC) addresses the key-length problem and to some extent the performance problem (although signature verification with ECC is slower than RSA signature verification), but industry is only slowly migrating towards ECC, even though it supports extra features such as forward secrecy. In 2011 Google was the first major site to support forward secrecy, but only in 2013, in the wake of the Snowden revelations, did other major sites such as Facebook and Twitter start supporting it.

This history illustrates the difficulties, but also the feasibility, of switching the Inter net to new cryptographic systems. The remaining problem is that RSA and ECC will both be broken by quantum computers. “Perfect” forward secrecy protects against future server breakins but, despite its name, does not protect against future quantum computers; it is retroactively broken by discrete-logarithm computations and therefore by Shor’s algorithm.

WP2's goal is to integrate high-security post-quantum cryptography into the Internet. The work in WP2 is organized into three tasks that together cover the whole duration of the project.