Carnegie Mellon University


June 24, 2024

Preparing for Quantum Computing

By Giordana Verrengia

Krista Burns

While quantum computers are still only prototypes today, a security measure called post-quantum cryptography (PQC) is already in use — notable examples include the Google Chrome browser and the internet giant Cloudflare.

Researchers from Carnegie Mellon University, Graz University of Technology in Austria, and Tallinn University of Technology in Estonia have collaborated to identify vulnerabilities in PQC. Their work — which looks at Dilithium, an electronic signature algorithm — is part of a concerted effort among industry professionals to beat the clock and develop a reliable PQC algorithm before quantum computers become readily available at least 10 years down the line.

Sam Pagliarini, a special professor of electrical and computer engineering, says there are key differences between applications of classical and quantum computers. The classical devices we use now, like laptops and desktops, will not be replaced. Quantum computers — which are designed to excel at complex calculations — will be used almost exclusively for research purposes in higher education and government settings to solve problems related to mathematics, physics, and chemistry.

Given that quantum devices will be hard to access, why is post-quantum cryptography so important, and why is it currently in use?

Because of a tactic called “store now, decrypt later”: hackers harvest encrypted data now in the hope of acquiring the necessary decryption tools later. Data can be swiped from a classical device today and decrypted later with a quantum computer, underscoring the need for industry and government figures to work ahead and introduce a standardized PQC algorithm well before the devices are built.

“PQC isn’t science fiction. It’s serious in the sense that the US government has a mandate in place for every federal agency to switch to a form of communication that is secure against quantum computers. For some, the deadline is as soon as 2025,” Pagliarini says.

One way to test whether PQC algorithms are up to the challenge involves ethical hacking. Pagliarini and his fellow researchers created an algorithm called REPQC to identify any security vulnerabilities when Dilithium is implemented as a computer chip. Dilithium’s lattice-based algorithm structure is important to probe because it was chosen by the National Institute of Standards and Technology for standardization as experts work to advance PQC. The team used reverse engineering to locate where sensitive data was stored on the hardware accelerator, then inserted a hardware trojan horse (HTH): additional circuitry that leaked the secret key, which decrypts data and could be used to forge signatures.

“My entire motivation is to find weak spots and bring attention to them,” says Pagliarini. “This research is mostly about protection against a new class of devices, quantum computers, while not losing sight of threats that exist today, such as reverse engineering.”

The multi-university team’s paper, “REPQC: Reverse Engineering and Backdooring Hardware Accelerators for Post-quantum Cryptography,” was accepted to the prestigious 19th ACM ASIA Conference on Computer and Communications Security taking place in Singapore from July 1-5, 2024.