Post-quantum cryptography and encryption composition

I am quite interested / curious about the consequences of post-quantum cryptography on which tools should be used for protecting secrets. It is quite well documented that if one wants to consider protection for 10 / 15+ years, it may be necessary to use some post-quantum algorithms.

Google came up a few years ago with the interesting idea to ‘compose’ encryptions by applying a post-quantum algorithm on top of an RSA encryption:

If I understand well the idea is that:

  1. The post-quantum algorithms are not as well discussed as the traditional ones yet, so they did not want to take the risk of using a purely post-quantum algorithm that may have weaknesses we do not know about yet.

  2. But at the same time, at least there is some hope that post-quantum algorithms may prove robust to quantum computers, and there is nothing to lose and no security cost to encrypting twice in a row.

It looks nowadays like the Lattice class of algorithms is among the promising ones for being post-quantum safe:

And it looks like there are some reference implementations already available:

So my question is: do you think it would be possible to implement a ‘composition encryption’ with the combination of a GPG card for the RSA encryption and a microcontroller for the post-quantum algorithm, since there is no dedicated hardware available yet? Do you think it would be possible to make it ‘transparent’ for the end user, i.e. that the microcontroller is automatically used for solving the outer shell of encryption (quantum secure), and the smartcard the inner RSA? Of course, this will require using 2 keys (1 for RSA, 1 for the other method) instead of one, but that could be ‘bundled’ and abstracted from the end user.

If you think this is realistic, do you think it would be possible to add it to a long-term roadmap, and / or to start a detailed discussion to see if there is a possibility to implement this, maybe from the community side as an extension to your firmware at first?

It looks like, while promising, there is not yet a mathematical proof of ‘impossibility to solve with a quantum computer’ for the Lattice methods, but at least 1) people seem to consider them as promising, 2) if the software infrastructure is in place, it would be quite easy to change the ‘quantum resistant’ encryption algorithm.

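The layered scheme discussed in the post above (an outer quantum-resistant layer wrapping an inner RSA-protected layer, each with its own independent key) can be shown in a few lines. The following is an added example written for this thread; it is not code from the post, from Google, or from the Nitrokey firmware. Because the Python standard library has neither RSA nor a lattice KEM, the two layer keys are assumed to be already-derived symmetric keys (in the proposed design they would come from the smartcard's RSA decryption and the microcontroller's post-quantum decapsulation), and the per-layer cipher is a toy encrypt-then-MAC construction built from SHA-256 and HMAC that stands in for AES-GCM so the example runs offline. The names `compose_encrypt`, `compose_decrypt`, `aead_encrypt`, `aead_decrypt` and `demo` are hypothetical. The point it demonstrates is the "nothing to lose" argument: the nested ciphertext cannot be opened with either key alone, so the composition is at least as strong as the stronger of its two layers as long as the keys are independent.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16   # random nonce per encryption, in bytes
TAG_LEN = 32     # HMAC-SHA256 tag length
KEY_LEN = 32     # per-layer symmetric key length


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive an independent sub-key (encryption vs. authentication) from a layer key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256: a toy stand-in for AES-CTR, not for production."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def aead_encrypt(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC one layer; returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_decrypt(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag in constant time, then decrypt; raises ValueError on any failure."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))


def compose_encrypt(inner_key: bytes, outer_key: bytes, plaintext: bytes) -> bytes:
    """Inner layer (smartcard / RSA-derived key) first, then the outer (post-quantum) layer."""
    inner = aead_encrypt(inner_key, plaintext, aad=b"layer:inner")
    return aead_encrypt(outer_key, inner, aad=b"layer:outer")


def compose_decrypt(inner_key: bytes, outer_key: bytes, blob: bytes) -> bytes:
    """Peel the outer layer on the microcontroller, then the inner one on the card."""
    inner = aead_decrypt(outer_key, blob, aad=b"layer:outer")
    return aead_decrypt(inner_key, inner, aad=b"layer:inner")


def _fails(fn) -> bool:
    """True if the callable raises ValueError (i.e. decryption was rejected)."""
    try:
        fn()
    except ValueError:
        return True
    return False


def demo(inner_key: bytes = None, outer_key: bytes = None) -> dict:
    """Show that both keys are required and that tampering is detected."""
    inner_key = inner_key or os.urandom(KEY_LEN)   # constructed: stands in for the RSA-derived key
    outer_key = outer_key or os.urandom(KEY_LEN)   # constructed: stands in for the PQ-derived key
    msg = b"constructed sample secret"              # constructed sample plaintext
    blob = compose_encrypt(inner_key, outer_key, msg)
    wrong = os.urandom(KEY_LEN)                     # an attacker's guess for the missing key
    tampered = blob[:-1] + bytes([blob[-1] ^ 0x01]) # flip one bit of the outer tag
    return {
        "roundtrip": compose_decrypt(inner_key, outer_key, blob) == msg,
        "outer_key_alone_fails": _fails(lambda: compose_decrypt(wrong, outer_key, blob)),
        "inner_key_alone_fails": _fails(lambda: compose_decrypt(inner_key, wrong, blob)),
        "tamper_detected": _fails(lambda: compose_decrypt(inner_key, outer_key, tampered)),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The independence of the two keys is what makes the argument work: if the outer key were derived from the inner one (or both from a single RSA-protected secret), breaking RSA would expose both layers and the second encryption would add nothing. The distinct `aad` labels also bind each ciphertext to its layer, so a blob cannot be fed to the wrong device and be accepted.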

A bit more resources in the same kind:

  • one more discussion of the strong / weak points of combining encryption methods:
  • The NTRUEncrypt location:

I am thinking a bit about this and wonder where it would be possible to discuss implementation strategies. Do you think I should open an issue somewhere on the Nitrokey Pro firmware to start discussing this / other ideas?