WIBU-SYSTEMS

Perfection in Protection, Licensing, and Security

{{ moduleLabel }}
{{ label }}

Crypto-Agility for Post-Quantum Security

MarketingWIBU-SYSTEMS AG on September 22, 2020 at 8:16 PM
wibu-systems Blog Image

There is concern by some that quantum computers present an imposing threat to current cryptographic methods designed to keep our critical infrastructure, systems, and data safe. This is particular true in the medical device industry. This concern is the main driver for the creation of the PQC4MED research project in 2019, funded by the German Ministry of Education and Research. The project is dedicated to equipping medical devices with post-quantum cryptography (PQC) capabilities through security-by-design. Their primary goal is to integrate “crypto-agility” in embedded systems early on in the manufacturing process.

What exactly is quantum computing? A classic definition is the use of quantum phenomena such as superposition and entanglement to perform computation. Quantum computing uses a combination of bits to perform specific computational tasks. All at a much higher efficiency than their classical counterparts. Quantum computers are believed to be able to solve certain computational problems, such as integer factorization (which underlies RSA encryption), substantially faster than classical computers. And, therein lies the fear that a quantum computer could break many of the cryptographic systems in use today, which would be particularly dangerous in the healthcare industry.

How acute is the threat to existing cryptographic methods? While it is difficult to predict, the National Institute of Standards (NIST) puts forth “Mosca’s Theorem” to make an estimate. They say that “If X + Y > Z, then worry.” With this theory, X is the time for which currently used cryptography has to remain safe. Y is the time needed to prepare infrastructure for switching its cryptographic paradigm, substituting the corresponding procedures, and re-protecting all data currently protected with previous procedures. Z is the time it takes until a quantum computer is available that is powerful enough to break current cryptographic procedures. According to NIST, this could be as soon as Z=15 years.

The PQC4MED project is working to implement post-quantum-secure methods before that time estimate becomes a reality. These methods are based on hard mathematical problems for which neither a conventional nor an efficient quantum algorithm has yet been found. Candidates for post-quantum secure methods are lattice-based methods, code-based methods, isogenies (mappings between elliptic curves), multivariate polynomials, and hash-based methods. All of these methods differ strongly with respect to their key size, security, and efficiency. Furthermore, there are strong differences in their suitability for encryption and signatures. PQC algorithms are often less well studied cryptanalytically than conventional cryptography. Especially for the security of embedded devices, which is dependent on efficient algorithms, this introduces a risk that already implemented methods might have to be replaced.

Medical technology is known for its reliance on embedded systems. It is critical that these systems meet the high level of security required in the healthcare industry while protecting both sensitive patient data and the Intellectual Property inherent in the software used in these devices. In order to achieve long-term security and be able to react with sufficient speed to new cryptanalytic results, a high degree of crypto-agility – even across different PQC classes – must be developed.

According to PQC4MED, in order to guarantee sustainable information security, "long-term security-by-design" must be achieved as early on as possible in the development of next generation devices. This means equipping embedded systems with hardware resources that integrate the latest cryptographic procedures. An updatable secure element forms the basis for any long-term guarantee of QC-resistant procedures and serves as an anchor of trust that enables "crypto-agility". This means that potential threats are fended off long before they take effect.

PQC4MED believes crypto-agility needs to be achieved by:

  • Developing and integrating powerful and flexible secure elements with upgradeable firmware.
  • Developing a backend infrastructure with protection, licensing, and key management tools secure enough against quantum computers and resources for automating and controlling the system.
  • Providing a process and user interface for on-site updates.

The PQC4MED project is supported by a number of collaborators from science and industry including Infineon Technologies, Schölly Fiberoptic GmbH, macio GmbH, the Institute for IT Security of the University of Luebeck, the German Research Center for Artificial Intelligence, the research group KASTEL, as part of the Institute for Theoretical Computer Science of the Karlsruhe Institute of Technology, and Wibu-Systems.

You can read more about the project in the article, Crypto-agility for Post-Quantum Security in Medical Devices, by Dr. Carmen Kempka, recently published by Silicon Trust in their Vault magazine.

Login or register now and enjoy all the benefits of a community!

To get the whole functionality of IndustryArena Forum you need to login or register. This process is absolutely free.

Password forgotten?
Contact request
Guest Photo
Your message
The controller within the meaning of Art. 4(7) GDPR is: IndustryArena GmbH, Katzbergstraße 3, 40764 Langenfeld, Germany.
You may reach our data protection officer under [email protected].

Purpose of processing
We process your personal data concerning the use of the contact form and the communication with the company of the newsroom as well as the transmission of your data to this company in accordance to Art. 6 (1a) GDPR. This constitutes a legitimate interest for us in accordance to Art. 6 (1f) GDPR.

Recipient of the data
Within our organization, those units gain access to your data, which are necessary to fulfil the above purposes.
Personal data will only be transmitted to third parties if this is necessary for the aforementioned purposes or if another legal basis exists. If necessary, we conclude the corresponding data protection agreements with third parties, in particular pursuant to Art. 28 GDPR.

Data storing
Your data will be transmitted to the company of the newsroom for further processing. The period of storing is the duration of the processing of your request by the respective company.

Select contact person

Newsroom Logo

Design options

  • Title text color:
  • Content background:
  • Content text color:
  • Navigation background:
  • Tab text color:
  • Active tab text color:
  • Link text color:
  • Active link text color:
  • Background image Background color:

    How do you want to position the background-image?

    Please note: Banners and skyscrapers are only saved for the current language. For other languages, change the language using the button at the top right.

    Set the link for the background image

  • Banner

    How do you like to align the banner?

    Please note: Banners and skyscrapers are only saved for the current language. For other languages, change the language using the button at the top right.

    Set the link for the banner

  • Skyscraper

    Set the link for the skyscraper

Please note:

Banners and skyscrapers are only saved for the current language. For other languages, change the language using the button at the top right.