Overview

Besides our research in the area of mathematical foundations for quantum-safe cryptography and the related algorithms with libraries for key exchange and signatures, we are also actively pursuing various application scenarios for quantum-safe cryptography. This notably includes their application in the areas of systems and cloud. In addition, our research targets to gain insights in how to strengthen Zero-Trust applications in a quantum-safe manner, which includes further hardening Block-Chain against threats from quantum computers.

We have successfully demonstrated quantum-safe access to clusters deployed in IBM Cloud and were instrumental in enabling crypto cards, also known as Hardware Security Modules (HSMs), of IBM's latest z16 systems with the latest quantum-safe and zero-trust capabilities.

 

Quantum-Safe Systems

Quantum-Safe Systems

Learn more

Quantum-Safe Cloud

Quantum-Safe Cloud

Learn more

Quantum-Safe Systems

The question “if” and “when” a quantum computer will exist that is powerful enough to break current asymmetric cryptographic schemes is not relevant. Quantum-safe cryptography will become the standard in the long-term. An early migration of the underlaying security foundation is therefore desirable, as the basis of the entire security during the lifetime of the system is based on it.

By designing a portfolio of high-security quantum-safe cryptographic services we enable systems to become a secure root of trust.

For embedded systems with high cryptographic performance requirements, such as Hardware Security Modules (HSM), we are designing accelerators that meet today's level of performance demands.

Crypto Express 7S (4769)

Crypto Express 7S (4769)

Projects

Quantum-safe Root of Trust for IBM Z Systems


The goal is to enable a smooth transition from current environments, based on existing widely used and standardized cryptographic techniques, to systems providing enhanced security through quantum-safe cryptographic functions. By designing a portfolio of high-security quantum-safe crypto services, we will fill the gaps that currently threaten its long-term security properties. This will enable systems to generate a secure root of trust that can be used for interacting with cloud services, accessing corporate services, performing banking and eCommerce transactions, along with a wide range of other services.

A focus is the migration of high-assurance devices such as the Hardware Security Module (HSM). The next generation of IBM’s HSM will already incorporate a quantum-safe root of trust, which was provided by our team.

As a consequence, IBM z16 (released in May 2022) is the industry’s first system which leverages quantum-safe protection across multiple layers of firmware.

Lattice-based Cryptography Accelerator


The emerging of lattice-based cryptography is being accompanied and supported by a widespread effort against the key challenges of performance and flexibility. Cryptographic algorithms often require a time heavy and repeated collaboration between processing units with very different characteristics that often only have in common the need for programmability and expandability of their specialized functions.

In this project we work on a modular hardware processing unit capable of off-loading most of the CRYSTALS’ algorithms required processing with a high level of efficiency and programmability. The processing unit consists of a cluster of highly independent processing elements that maximize internal and cross elements pipelining without support of any type of centralized control. The key focus is on the development of a highly efficient, pipelined and yet programmable polynomial math processing element and its capability to efficiently communicate with a Keccak unit equipped with few additional capabilities and a routing element acting as interface towards the rest of the system.

Hardware Security Module Orchestration


Today, even the traditional customers have started to move towards a private / public (hybrid) cloud infrastructure, and the security awareness of the new public cloud users is constantly increasing. All of them are looking for a high-end security solution that can scale from on-prem installations to hyperscale cloud environments. Hence, we have to provide scalable, cloud enabled HSM solutions.

Team

Profile
Silvio Dragone

Profile
Tamas Visegrady

Profile
Vincenzo Condorelli

Quantum-Safe Cloud

A vast range of valuable services is provided from applications deployed in Kubernetes and/or Open-shift clusters running in cloud instances. To prepare such cloud-based service delivery for future threats, which could evolve with advances in quantum computing, we enhance the TLS connections from clients to cloud-based services and clusters with quantum-safe cryptography.

As quantum computing continues to evolve and advance, a large quantum computer will be able to run a Shor's algorithm that can break the current TLS communication algorithms (RSA/ECC) in a matter of minutes. While large quantum computers are not available today, any TLS data-in-transit that has been snooped and stored can be breached when these large quantum computers are made available. Therefore, it is already today crucial to protect network connections from such future threats.

Quantum-Safe Cloud

Access to service delivery clusters in the cloud, quantum-safe!

Projects

Quantum-safe access to Kubernetes- and/or Open-Shift-Clusters in the IBM Cloud


We use open standards and open-source technology to enable clients to transmit data between enterprise and clusters deployed in the IBM Cloud, helping to secure data by using a quantum-safe algorithm.

We implemented a custom ingress controller for the IBM Cloud Kubernetes Service (IKS) and a custom router for Red Hat OpenShift on IBM Cloud (managed OpenShift), which both enable QSC access to the related clusters in the IBM Cloud. With that, clients can access their clusters, benefitting from QSC protected TLS session key establishment, while not having to change anything for the services inside their clusters.

The custom ingress controller for k8s and custom router for ROKS, respectively, are terminating TLSv1.3 connections from the internet and feature full backward compatibility for non-QSC operation, enable network connections to use QSC KEM algorithms for session key establishment, and also offer the possibility to use hybrid QSC/non-QSC session key establishment for staged transition to QSC operation during the time when the NIST standardization is not yet complete.

In addition, a QSC-enabled version of a cURL client was implemented such that HTTP requests can be issued to the clusters using a TLSv1.3 connection with legacy curves, QSC KEM algorithms, and hybrid legacy/QSC curve/KEM combinations for the TLS session key establishment.

Learn more:

Quantum-safe access to IBM Key-Protect KMS Service


To demonstrate quantum-safe access from the enterprise to individual services deployed in the IBM Cloud, we enabled the widely deployed HAproxy router with quantum-safe TLS capabilities. This router serves as Internet-facing TLS connection endpoint to terminate the quantum-safe connections, and forwards requests to the cloud deployed service using legacy TLS.

This was achieved by building HAproxy with a quantum-safe enhanced version of OpenSSL from the Open Quantum Safe project. While maintaining the outstanding routing performance and a wide range of traffic control features of HAproxy, this transparently adds the ability to open quantum-safe TLS connections, both from up-stream (= Internet-facing) as well as to down-stream (= intra-cloud), with quantum-safe key exchange capabilities.

While the standardization of quantum-safe algorithms is not complete for several years to come, clients can use hybrid key exchange mechanisms to leverage the standardized algorithms of today (i.e. ECC and/or RSA) in combination with quantum-safe algorithms like KYBER.

Learn more:

Team

Profile
Patricia Sagmeister

Profile
Basil Hess

Contact

Michael Osborne
Michael Osborne
Manager, Foundational Cryptography and Quantum-safe Cloud & Systems