Go Developers, Get Ready for Quantum-Safe TLS
Quantum-safe cryptography, also known as post-quantum or quantum-resistant cryptography, refers to cryptographic algorithms that are believed to be resilient to quantum computer-enabled attacks. Current public-key algorithms, such as RSA and ECC, depend on the difficulty of computing. When large-scale quantum computers become practical, they break classical public-key cryptosystems, compromising confidentiality and integrity.
More information about this imminent threat and why we should worry right now can be found in this fascinating post by Dr. Erez Waisbard.
Keep Calm and Safe Encrypting
So how should we protect ourselves against future decryption by quantum computers?
The National Institute of Standards and Technology (NIST) announced the following algorithms as quantum-safe:
- For general encryption: CRYSTALS-Kyber algorithm
- For digital signatures: CRYSTALS-Dilithium, FALCON, and SPHINCS+
So to protect ourselves, we need to use the quantum-safe encryption algorithms mentioned above within our code. In this post, we focus on TLS network traffic implementation and CRYSTALS-Kyber algorithm implementation.
X25519 Kyber768 Hybrid Algorithm
The Hybrid Post Quantum TLS implementation is based on the X25519 Kyber768 algorithm described in this RFC and here. The implementation generates a session key using both classical and post-quantum algorithms. The final key is a combination of one generated in a classical Diffie Hellman key agreement along with a key that is chosen by the client and passed to the server using Kyber encryption. An attacker cannot learn the session key from the communication without being able to break both the classical and post-quantum algorithms.
Quantum-Safe Encryption Implementations
As developers, we tend to use standard encryption implemented in libraries and in our frameworks rather than developing encryption ourselves. Several initiatives are already there, powered by Open Quantum Safe and Google, and will be described later.
This includes the exciting news on Golang providing quantum-safe TLS as part of the standard Go libraries.
Google Chrome
Chrome supports the X25519Kyber768 hybrid algorithm for establishing symmetric secrets in TLS, starting in Chrome version 116.
Liboqs and OpenSSL
Open Quantum Safa (OQS) is a project aimed at providing quantum-safe implementations.
OQS consists of two main lines of work: liboqs, an open-source C library for quantum-resistant cryptographic algorithms, and prototype integrations into protocols and applications, including a fork of the widely used OpenSSL library.
Nginx
Quantum-Safe Nginx (QSX) integrates post-quantum secure TLS in NGINX using a quantum-secure version of OpenSSL. It configures NGINX with necessary build parameters, enabling SSL via HTTPS with TLS 1.3. QSX also provides a test script for generating quantum-secure self-signed certificates. The tool is an extension of the Open Quantum Safe (OQS) project aiming to facilitate real-world deployment and testing of quantum-safe cryptography.
Exciting News on Quantum-Safe Golang
There is a Go fork by Cloudflare supporting Quantum Safe implementation X25519 Kyber512, X25519 Kyber768, and more. This fork should be taken with the author’s comments: “We recommend to take caution before using this library in production.”
Golang, upcoming version 1.23, will support quantum-safe TLS communication. It will provide X25519 Kyber 768 for establishing symmetric secrets in TLS. This hybrid mechanism combines the output of two cryptographic algorithms to create the session key used to encrypt the bulk of the TLS connection:
- X25519. An elliptic curve algorithm widely used for key agreement in TLS today
- Kyber-768. A quantum-resistant Key Encapsulation Method, and NIST’s PQC winner for general encryption
The Golang code is still under development. From the initial code review, we can identify that:
- The TLS Quantum safe algorithm will be available for TLS 1.3 only. It will be enabled by default.
- The Quantum safe implementation using the x25519Kyber768Draft00 curve will be selected if both client and server support TLS 1.3 and x25519Kyber768Draft00 curve. In Go, these parameters are set in the TLS Config as described here. (The curve ID is still not exposed in the Go 1.23 development code):
serverConfig := &Config{
Certificates: []Certificate{cert},
MinVersion: uint16(VersionTLS13),
MaxVersion: uint16(VersionTLS13),
}- The quantum-safe algorithm implementation will be using a new curve called ‘X25519Kyber768Draft00’. It is the equivalent curve provided by OQS OpenSSL 1.3 and Chrome.
- To disable X25519Kyber768Draft00 curve usage, set the GODEBUG environment variable to include ‘tlskyber=0’, otherwise It is enabled by default.
Watch Out For This in Quantum-Safe TLS
Post-quantum algorithms are already introduced in different tools and libraries and you can use them. The exciting news is the expected support in Go 1.23 coming soon (August 2024).
To support this version you need to use the Go 1.23 compiler or greater and set your code to use TLS version 1.3.
Code changes should be minor, so gophers (e.g., your programmers) can be quantum-safe shortly. I would like to thank Bas Westerbaan and the team from Cloudflare for promoting such an important matter, and Filipo Valsorda for pushing Quantum Safe to the mainstream Go for their help.
So, is your program getting ready to be quantum-safe?
References
