NXP and IBM want to release quantum algorithms for smart cards

According to foreign media reports, a few days ago, the National Institute of Standards and Technology (NIST) announced a post-quantum security algorithm for embedded systems in the United States, and NXP Semiconductors (NXP Semiconductors) and IBM has been conducting collaborative research in this area.

Joppe Bos, Senior Principal Cryptographer at NXP and one of the occupants of the submission algorithm team, said: "From an embedded perspective in smart cards and automobiles, there are two main use cases to focus on, secure boot and secure updates, which can be Prevent quantum computers from cracking today's RSA and ECC algorithms in the future.

Bos also said: "If it can boot with post-quantum security protection, the user can trust the device and it will be secured with security updates. These are the two main use cases we have been focusing on for the S32G automotive platform."

Two of the four selection algorithms, CRYSTALS-Kyber and CRYSTALS-Dilithium, were developed by Roberto Avanzi at ARM, Bos, Léo Ducas at CWI Amsterdam, and Ruhr University Bochum ) of Eike Kiltz et al. submitted to NIST.

"People think the main challenge is performance, but that's not the case," Bos said. "In PQ encryption, performance is a big concern, but the key is key size and memory."

"For example, in terms of memory using Dilithium, the PQ encryption scheme works, but with only 50 to 160 KB of additional memory, which is not possible for many embedded use cases. So we've been looking at how to make these PQ Scenarios run on more constrained devices, such as smart cards with 8 to 16K total memory. We can run Kyber and Dilithium at sub-8K speeds, but at the cost of performance.”

Performance issues will be addressed in the design of the new accelerator, but the issue is the performance of existing equipment, which has been optimized for classic public key infrastructure using RSA and ECC.

"We're working closely with IBM on standardization, key serialization and storage to avoid confusion with ECC," Bos said. "We really like compressed keys, and IBM is our smart card customer. IBM has other applications as well. procedures and want to make sure everything works together.”

Another chosen algorithm, SPHINCS+, is more similar to the existing RSA and ECC algorithms using hash functions."For SPHINCS+, I think the biggest issue is that the signature size is orders of magnitude larger than Dilithium, which is also larger than RSA," Bos said. "This has advantages for embedded devices because we have hash-based accelerators, but these schemes are still very expensive. Slow. The biggest challenge is the size of the signature, especially with smart cards.”

NXP has been working on secure coprocessors and implementations, and is now preparing for validation and testing and certification, and is preparing to roll out the standard in 2024.Bos also said: "We want to not only implement functional encryption, but also want to protect against side-channel attacks, even for mobile devices for secure boot, I think the biggest hit will be secure memory, which is the biggest change. ."

"However, the process of creating a new quantum security standard is not over," IBM said. "NIST, the teams involved in the proposal, and the entire cryptographic community will further review and improve the selected algorithm and translate it into a standard over the next few years."