Quantum Computer Resistant Cryptographic Methods and Their Suitability for Long-Term Preservation of Evidential Value

In the areas of electronic identification and electronic trust services, Regulation No. 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (eIDAS) creates uniform regulations for electronic signatures, seals, time stamps, registered mail and website certificates in the European single market. All developments that affect the security of signature procedures therefore have an impact on it. In this study, we consider the candidates for quantum computer-resistant asymmetric cryptographic (PQC) methods currently under investigation in international research and standardization and evaluate their suitability for PKI systems with a focus on long-term preservation of evidential value, as is the case in particular with eIDAS-compliant signature solutions. Based on an evaluation system proposed by us (an adaptation of the system from [2]), we compare the application requirements with the properties of the candidates and recommend suitable methods.

34TH BLED ECONFERENCE DIGITAL SUPPORT FROM CRISIS TO PROGRESSIVE CHANGE


Introduction
This study focuses on quantum computer-resistant crypto methods, also called post-quantum cryptography (PQC) after J.D. Bernstein (in particular asymmetric methods). It is not comprehensive and does not list every quantum computer-resistant asymmetric method ever proposed. Instead, it lists a representative sample (as of end 2020) of cryptographic techniques that are being discussed in academia, are supported by currently active research teams, may be viable for real-world applications, and are therefore suitable candidates for consideration by various standardization organizations. Beyond NIST's PQC standardization, we also consider extensions of classical algorithms as well as quantum-assisted algorithms (i.e., the use of quantum technology to augment classical systems, see also [10]) with respect to the possibility of providing sufficient quantum computing resistance.

Overview of the procedures
In this study, we define PQC methods as cryptographic methods (in particular asymmetric cryptographic methods) which, according to the current state of research, can possibly provide sufficient security against attacks that use the capabilities and properties of quantum computers, i.e. are "quantum computer resistant". In this context, the procedures themselves do not use any support from quantum computers for preparation and execution.
At first glance, it seems obvious to continue using the previously employed public-key methods such as RSA and ECDSA (Elliptic Curve Digital Signature Algorithm) in the post-quantum era, simply with significantly larger keys than is currently customary. Increasing the key sizes of RSA and ECDSA to cope with ever-improving cryptanalysis and newly discovered attacks is already a tradition (see, e.g., the evolution of NIST's SP 800-57 Part 1 [11]). In the context of quantum computers, however, this principle would very quickly lead to key sizes so large and unwieldy that the corresponding keys might not be usable in practice. Quantum computers are based on the concept of qubits (quantum bits), where each qubit exists simultaneously in a superposition (also called coherence) of the states 1 and 0 and all those in between. The number of qubits needed on a quantum computer to break RSA with an n-bit modulus is estimated to be 2n+3 [12] and 2n+2 [13], which means that a quantum computer with about 4,000 qubits is needed to break an RSA-2048 signature (further algorithm optimizations are expected, so the actual number of qubits needed is expected to be lower). Shor's QFT algorithm can also be adapted to solve the discrete logarithm problem. The number of qubits needed to break ECDSA with an n-bit curve is "approximately" 6n [6]. This means that a quantum computer with about 1,500 qubits can break an ECC-P256 signature. Following the assumption of Neven's law [14] (the quantum equivalent of Moore's law), one can estimate that the computational power of quantum computers increases at a "double exponential rate" compared to classical computers.
If we start with 100 qubits in a given year and double the number of qubits every 18 months, 9 years later we will probably have computers with over 6,000 qubits, and in 32 years we will be able to break a 1-million-bit RSA key. Post-quantum RSA (i.e., RSA with such large key lengths) was studied by Bernstein [15], who showed the technical feasibility of implementing a terabit key using 2^31 4096-bit primes as factors. At these key sizes, each RSA operation took tens or hundreds of hours. In practice, such a system can thus probably be ruled out. It should be noted, incidentally, that post-quantum RSA was in Round 1 of the NIST PQC competition but was not selected for Round 2.
It is unclear how many qubits the most powerful quantum computers have at the time of writing. The company IQM FINLAND OY is to build a quantum computer which is to have 50 qubits by the end of the third phase in 2024 [36]. If IBM's development speed remains the same, we could expect the above-mentioned 6,000 qubits to be reached around 2026 to 2027. Even with somewhat slower developments, one must assume that this will be the case from the year 2030. Although attacks against symmetric cryptosystems using quantum computers and the algorithms of Grover or Simon (see [3] and [4]) are more effective than attacks using conventional computers, it is currently assumed that doubling the effective key length cancels out this advantage of quantum computers. Thus, for example, AES-256 would be about as secure against a quantum computer as AES-128 is against conventional computers.
Assuming the availability of sufficiently powerful quantum computers in the near future, it is obvious to use them not only as a tool to attack classical crypto methods, but also to investigate how quantum computer-resistant crypto methods could be realized with their help. The use of quantum computers to perform certain cryptographic operations is called quantum cryptography. Corresponding operations typically exploit the quantum properties of superposition, interference, and entanglement, which are not reproducible by classical computers. Quantum-enhanced security [17] is then understood to be the extension of classical non-quantum systems that make use of or are augmented by quantum technology to improve their ability to secure their data and transactions against adversaries that may be fully quantum capable.
While quantum key distribution (QKD) (see [18], [19]) is often equated with (general) quantum cryptography, QKD is based on the Vernam one-time pad and is therefore suitable only for key exchange and encryption. Quantum researchers have introduced several quantum digital signature schemes (see [20]-[22]), but since they typically rely on QKD, they would be better referred to as data authentication schemes. As of this writing, we are unable to identify any quantum digital signature schemes in the literature that actually have the necessary constructs of a digital signature scheme and are EUF-CMA secure (existentially unforgeable under chosen message attack), let alone post-quantum secure.
Based on the above considerations, classic cryptographic methods such as RSA and ECDSA with very large keys are ruled out (in the medium term) and can at best be used for a short transition phase (i.e., for the next 9 years at most). Signatures generally have a rather short lifetime and in principle only need to be secure up to the time of their verification. If a signature procedure can be broken by a quantum computer in the future, today's signature certificates will probably already have expired. Only in the case of very long validity periods for signature keys should caution already be exercised. According to the current state of research, quantum-enhanced processes do not (yet) play a role specifically for electronic signatures. In the medium and long term, therefore, the focus should be on PQC processes.

Parameterized evaluation of PQC methods and applications
The objective of this study is not to replicate NIST's research in the NIST PQC competition (see [23], [24]), but to build on it and make it more concrete in order to find a basis for assessing the practical applicability of a procedure in building blocks of e-business applications. In doing so, we extend the evaluation scheme from [2]. We define the three value ranges Small (S), Medium (M), and Large (L) for each of the following parameters of the procedures.

- Key Generation Resources (KeyGen() Resources)
- Key sizes of the public and private keys
- Key Lifetime: Certain signature processes only allow the private signature key to be used for a limited number of signature creations. We record this using the "key lifetime".
- Resources for signature creation (Sign() resources) or encryption (Crypt() resources)
- Size of a signature (Signature Size) or size of a ciphertext (Cipher Size)
- Time for the creation of a signature (Signature Time) or the creation of a ciphertext (Crypt Time)
- Resources for signature verification (Ver() resources) or decryption (Decrypt() resources)
The parameters are categorized as follows in

In order to evaluate the suitability of different PQC methods for concrete applications, we first look at the applications from ETSI (see [26]) and now use the parameters described above as the requirements that an application places on a PQC procedure to be deployed (the parameters are therefore no longer descriptive in nature but have a requirement character). Of course, there are other use cases for asymmetric (signature) procedures, but the selection considered covers common scenarios from the areas of finance (for business), infrastructure (for people and devices), cloud & Internet (for business-to-business, business-to-consumer, peer-to-peer, and Internet-of-Things interactions), and enterprise (for companies). Based on [2] and [26], the following picture emerges in Table 3.

A special feature is so-called stateful hash-based signatures, a special class of signature schemes with certain restrictions, of which XMSS (eXtended Merkle Signature Scheme) [8] and LMS (Leighton-Micali Signatures) [9] are currently in the process of standardization at the Internet Engineering Task Force (IETF) and at NIST, so that standards can be expected earlier than from the above-mentioned PQC process at NIST. The use cases mentioned for them are code signing and issuing PKI root certificates from certification authorities.
The standardization organizations ETSI and ISO are also involved in PQC standardization with their own working groups. At present, however, it looks as if ETSI and ISO will rely on NIST for the initial selection of procedures. At the moment it seems rather unlikely that other fundamentally new procedures not yet considered by NIST will emerge as part of the (international) standardization effort. In this study, we therefore restrict ourselves to the above-mentioned candidates and go on to investigate their suitability for e-business applications.

Evaluation of the procedures
We apply the parameter description introduced in Section 3 to the procedures listed above. According to [2], we obtain the parameter profiles in Table 4 for the current favorites of the NIST and IETF standardization of PQC signature methods.

For encryption methods and key exchange or key transport (KEM) methods, we combine the results from [38, Table 3] with the evaluation method from [2] and obtain the parameter profiles in Table 5 for the current favorites of NIST's standardization.

If we contrast the parameterization of the procedures with the parameterization of the applications from Table 3, we can derive an evaluation scheme as in [2] based on a point assignment for the suitability of the procedures for the respective application. The basis of scoring is as follows: If the procedure's value for a single parameter is equal to or better than what the application requires, then the score remains unchanged. If the procedure's value for a parameter is worse by one range (e.g. M instead of S) than what the application allows, then 1 is subtracted from the score for each such parameter. If there is a parameter for which the procedure is two ranges worse (e.g., L instead of S) than what the application allows, then we consider the procedure to be not fit (NF = not fit). For quantitative purposes, we assign a score of -100 for each NF. Then the individual ratings of the parameters are summed up. The most suitable procedures can now be found for each application. A score of zero means that no changes are required and the procedure can most likely be used for the application. A negative score means that the procedure is not completely suitable and that optimizations for the procedure may need to be found. After zero, the procedure with the highest score (i.e., with the lowest negative score) is the next most suitable, as it requires the fewest changes to be used by the application.

As a result, no PQC method currently considered is suitable for all use cases mentioned in Table 3 (in particular for replacing RSA and EC in all use cases). For various use cases, such as root CA keys, code signing, or applications where signature creation and verification are performed on a powerful PC, the PQC procedures currently considered in the NIST standardization can be used. This also applies, with minor restrictions, to the use of tokens that are more powerful than "usual" smart cards such as signature cards. However, it becomes critical if the procedure is to be executed on hardware with limited computing power, such as a smart card. Thus, there are at least approaches for a first solution in the eIDAS context, if not a completely satisfactory answer to the upcoming developments.

Notes to Table 3:
8 When using a document server with HSM for signing documents.
9 When using a signature creation device such as a smartcard or USB token.
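The scoring scheme described above, implemented as an added example (not code from the paper or from [2]). The application requirement and procedure profiles below are constructed placeholders over a subset of the parameters, not the values of Tables 3 to 5, and S is assumed to be the best range for every parameter as in the text's "M instead of S" example:

```python
# Added example: S/M/L suitability scoring as described in the text.
# All profiles here are CONSTRUCTED sample data, not the paper's tables.

RANK = {"S": 0, "M": 1, "L": 2}   # Small < Medium < Large; smaller is better (assumed)
NF_PENALTY = -100                 # score assigned for each "not fit" parameter


def score_parameter(procedure_value: str, application_value: str) -> int:
    """0 if the procedure meets or beats the requirement, -1 if it is one
    range worse, NF_PENALTY if it is two ranges worse (procedure not fit)."""
    gap = RANK[procedure_value] - RANK[application_value]
    if gap <= 0:
        return 0
    if gap == 1:
        return -1
    return NF_PENALTY


def score_procedure(procedure: dict, application: dict) -> int:
    """Sum the per-parameter scores of one procedure against one application;
    the application's keys define which parameters are compared."""
    return sum(score_parameter(procedure[p], application[p]) for p in application)


def rank_procedures(procedures: dict, application: dict) -> list:
    """(name, score) pairs, best first: 0 means usable as-is, small negative
    scores need optimization, anything <= NF_PENALTY has a not-fit parameter."""
    scored = [(name, score_procedure(prof, application)) for name, prof in procedures.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed requirement: signing on a constrained device (hypothetical values).
SMARTCARD_SIGNING = {"keygen_resources": "S", "key_size": "S", "sign_resources": "S",
                     "signature_size": "M", "verify_resources": "S"}

# Constructed procedure profiles (hypothetical schemes, not real candidates).
PROCEDURES = {
    "scheme_A": {"keygen_resources": "S", "key_size": "M", "sign_resources": "S",
                 "signature_size": "M", "verify_resources": "S"},
    "scheme_B": {"keygen_resources": "M", "key_size": "L", "sign_resources": "M",
                 "signature_size": "L", "verify_resources": "M"},
    "scheme_C": {"keygen_resources": "S", "key_size": "S", "sign_resources": "S",
                 "signature_size": "S", "verify_resources": "S"},
}

if __name__ == "__main__":
    for name, score in rank_procedures(PROCEDURES, SMARTCARD_SIGNING):
        print(f"{name}: {score}{'  (NF)' if score <= NF_PENALTY else ''}")
```

For the constructed data this ranks scheme_C (0) before scheme_A (-1, one parameter a range too large) and flags scheme_B (-104) as not fit because its key size is two ranges worse than the requirement.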

Recommendations
Post-quantum cryptography will become the standard in the long term [1]. Consideration should be given at an early stage, as part of a measured risk management process, as to whether and when a switch to quantum computer-resistant methods should be made (depending on the application) [1]. Especially in connection with signatures with a medium validity period of the certificates (3-5 years), there is no need to rush. For cryptographic applications that process information with long secrecy periods and high protection requirements, however, there may already be a need for action now [1]. The danger here is that messages for key negotiation and the data encrypted with the negotiated keys are collected in advance and decrypted in the future with the aid of a quantum computer ("store now, decrypt later"). Caution is also required with very long validity periods for signature keys. It is therefore already necessary to discuss how a migration to post-quantum cryptography, i.e. to a Fully Quantum Safe Cryptographic State (FQSCS), for e-business applications can be initiated today.