Spotlight: Quantum Safe Data in Transit with Hybrid-PQC TLS algorithms

With the latest release of our operating system [frXOS-2.9.0] we prioritize the two hybrid post-quantum cryptography (PQC) key-exchange algorithms X25519MLKEM768 and SECP256R1MLKEM768 for the TLS key exchange, making your data in transit quantum safe by default. Independently of the transport encryption, fragmentiX Secret Sharing technology protects your data at rest against attacks, including those executed by future quantum computers.

In August 2024 the US National Institute of Standards and Technology (NIST) standardized the first post-quantum cryptography (PQC) algorithms, among them ML-KEM (FIPS 203), the key-encapsulation mechanism used in the hybrid TLS groups, and their integration into HTTPS/TLS has begun, with the goal of making data in transit quantum safe. This development is in line with the recommendations of the European Commission, as outlined in its coordinated implementation roadmap for the transition to post-quantum cryptography.

Pushing in the same direction, the German BSI issued a joint statement signed by partners from 21 European countries, including the Federal Chancellery of Austria and the French ANSSI.

How to use it with fragmentiX

We have supported state-of-the-art hybrid PQC key-exchange algorithms, which combine a classical elliptic-curve key agreement with a post-quantum KEM so that the connection stays secure as long as either component holds, for some time. With the frXOS-2.9.0 update they are preferred for all connections, front-end and back-end. Together with Secret Sharing for data at rest, a fragmentiX Appliance can therefore keep your data quantum safe throughout its entire life cycle, provided that the peer on the other end of each connection negotiates one of the hybrid groups as well.

Front-end (facing the user or your local services)

The S3 and WebDAV servers running on the fragmentiX Appliance support and prefer the hybrid elliptic-curve/PQC groups X25519MLKEM768 and SECP256R1MLKEM768. These groups are defined for TLS 1.3 only, so the client must negotiate TLS 1.3 and support at least one of them (e.g., applications built on OpenSSL 3.5 or later, which ships ML-KEM and offers X25519MLKEM768 by default).

When connecting to the fragmentiX Appliance via the WebDAV protocol from an up-to-date web browser (current Chrome and Firefox releases enable X25519MLKEM768 by default), the key exchange is automatically handled with X25519MLKEM768 and the connection is therefore quantum safe.

Many other WebDAV and S3 clients lag behind in adopting the hybrid PQC groups, often because they are linked against an OpenSSL release older than 3.5 (or against another TLS library without ML-KEM support). Note that TLS negotiates silently: when a client offers none of the hybrid groups, the handshake falls back to a classical group such as X25519 and the connection is not quantum safe, even though the appliance prefers the hybrid groups.

Back-end (connections to the storage LOCATIONs)

The fragmentiX Appliance needs to open connections to the remote cloud services you configured as storage LOCATIONs for the fragments of your data. For these connections the key-exchange group X25519MLKEM768 is now preferred, while SECP256R1MLKEM768 is supported as an alternative. Whether the remote server honours this preference depends on the provider and its infrastructure: a server whose TLS stack does not know the hybrid groups simply selects a classical group from the list the appliance offers.

Sadly, we have not yet found a single S3 provider that fully supports the hybrid PQC groups. Amazon AWS supports them only for certain security-relevant services (KMS, ACM and Secrets Manager), but not for its S3 storage: https://aws.amazon.com/blogs/security/ml-kem-post-quantum-tls-now-supported-in-aws-kms-acm-and-secrets-manager/

You can use your web browser to check which group a server uses for the TLS key exchange, as described in the Technical Background section below.

This, however, does not affect the security of your data at rest, which is provided by fragmentiX Secret Sharing independently of the transport.

Technical Background

Since there are many resources available online, we summarize the most important technical aspects here and refer the interested reader to the links below for further details.

Why is PQC important (NOW)?

The current state of practice in securing our digital infrastructure and communication is based on classical asymmetric cryptography. It relies on the (assumed) difficulty of a set of mathematical problems, including decomposing a natural number into its prime factors (RSA), the discrete logarithm problem and the elliptic-curve discrete logarithm problem (Diffie-Hellman, ECDH, ECDSA). These problems stem from mathematical one-way functions which are easy to evaluate but, to this day, have no known efficient inversion algorithm on a classical computer once the problem size (the key length) is large enough.

Therefore, breaking this public-key cryptography with classical computers is considered practically infeasible. However, since 1994 we have known a quantum algorithm (Shor's algorithm) that solves factoring and discrete logarithms in polynomial time, i.e. it reduces the complexity of these problems exponentially. Once sufficiently powerful quantum computers come into play, the picture therefore changes drastically. Quantum computing experts expect such machines to arrive as soon as within the next decade.

It is important to plan ahead now, because

  • first, it takes a lot of time to implement PQC in all services of day-to-day use, and
  • second, harvest now, decrypt later (HNDL) attacks, which record classically encrypted data and protocol sessions now and wait until quantum computers are available to break the encryption and learn the secrets, are already a relevant threat for sensitive information that needs protection for many years. This is also why the key exchange, which protects confidentiality, is migrated first: a recorded session is only as safe as its key exchange, whereas signatures (e.g. server certificates) only need to be quantum safe by the time an attacker can forge them in real time.

What is PQC?

To combat this seemingly inevitable threat, cryptographic methods must be used that are hard to break even on quantum computers. Only then can our data and secrets remain protected in the long run. Post-quantum cryptography deals with cryptographic algorithms that run on classical hardware and that are assumed to fulfill this requirement.

Note that cryptographic schemes which utilize non-classical (quantum) effects and hardware, and which are meant to be hard or even impossible to break with quantum computers, belong to quantum cryptography (e.g. quantum key distribution). This completely different approach will be discussed in a future article.

PQC Algorithms

Candidates for PQC algorithms rely on problems based on

  • the difficulty of efficiently decoding general error-correcting codes (“code-based cryptography”, e.g. Classic McEliece and HQC),
  • the difficulty of certain problems in mathematical lattices (“lattice-based cryptography”, e.g. ML-KEM and the signature scheme ML-DSA),
  • security properties of cryptographic hash functions (“hash-based cryptography”, e.g. the signature scheme SLH-DSA).

For more details see the Wikipedia article on post-quantum cryptography.

What are the (hybrid) algorithms?

Since PQC algorithms are relatively new, a useful approach is to combine them with a proven classical algorithm into a so-called hybrid PQC algorithm. The resulting key exchange is secure as long as at least one of the two components remains unbroken: if the PQC algorithm or its implementation turns out to be flawed, the classical part still protects the session against classical attackers, and if the classical part is broken by a quantum computer, the PQC part still holds. This enhances trust in the combined algorithm during the transition.

Specifically, most implementations so far combine an elliptic-curve Diffie-Hellman key agreement (X25519 or P-256) with the NIST-standardized lattice-based ML-KEM (FIPS 203): both shared secrets are concatenated and fed into the TLS key schedule. This is what the TLS group names X25519MLKEM768 and SECP256R1MLKEM768 denote.

How to check if your connection is “quantum safe”

Using an up-to-date web browser enables you to easily check whether a server negotiates a hybrid PQC group (examples for Chrome and Firefox):

Chrome example
  • Open the browser
  • Press F12 to open the developer tools
  • Select the Privacy and security panel and then Overview
  • Open the website/server in question
  • Under Connection, look for X25519MLKEM768 in the description of the secure connection settings
(Screenshot: how to check whether a server supports the hybrid PQC algorithm with the Google Chrome browser)

Firefox example
  • Open the browser
  • Press F12 to open the developer tools
  • Select Network
  • Open the website/server in question
  • Select one of the entries (if the list is empty, reload the website)
  • In the right-hand section, select Security
  • Look for Key Exchange Group: "mlkem768x25519" (this is Firefox's name for X25519MLKEM768)
(Screenshot: how to check whether a server supports the hybrid PQC algorithm with the Firefox browser)

If you want to check the TLS handshake of other applications, you can use Wireshark: the key_share extension of the ServerHello names the group the server selected. For a quick one-off check of a server, openssl s_client from OpenSSL 3.5 or later (e.g. "openssl s_client -connect host:443 -groups X25519MLKEM768") prints the negotiated TLS 1.3 group.

You can do this for your connection to the fragmentiX Appliance as well. Even though a web browser does not issue S3 requests, opening the S3 endpoint's URL in the browser still performs the TLS handshake with our S3 server, so the same check shows the hybrid PQC algorithm.
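As an added example (not part of the original article and not fragmentiX code), the following Python script does the same check offline on raw handshake bytes, e.g. the ClientHello and ServerHello records exported from a Wireshark capture ("Export Packet Bytes" on the TLS record). It parses the supported_groups and key_share extensions, reports which group the server selected, and verifies that the server's key share has the size the hybrid groups imply (EC point plus ML-KEM ciphertext, as described in the hybrid-algorithm section above). The group codepoints are taken from the IANA TLS Supported Groups registry; the sample messages are constructed by the build_*() helpers with zero-filled key shares, not captured from a real connection.

```python
"""Check a TLS 1.3 ClientHello/ServerHello pair for hybrid ML-KEM key exchange.
Example code; the build_*() messages are constructed samples, not real captures."""
import struct

# Codepoints from the IANA TLS Supported Groups registry (draft-ietf-tls-ecdhe-mlkem).
GROUPS = {
    0x0017: "secp256r1",
    0x001D: "x25519",
    0x11EB: "SecP256r1MLKEM768",
    0x11EC: "X25519MLKEM768",
    0x11ED: "SecP384r1MLKEM1024",
}
HYBRID_PQC = {0x11EB, 0x11EC, 0x11ED}
# Expected size of the server's key share: a hybrid share is the EC point and the
# ML-KEM ciphertext concatenated, e.g. X25519MLKEM768 = 1088 (ML-KEM-768 ct) + 32 (X25519).
SERVER_SHARE_LEN = {0x0017: 65, 0x001D: 32, 0x11EB: 65 + 1088, 0x11EC: 1088 + 32, 0x11ED: 97 + 1568}


def _vec(data: bytes, len_bytes: int) -> bytes:
    """Length-prefixed vector as used throughout TLS."""
    return len(data).to_bytes(len_bytes, "big") + data


def _ext(ext_type: int, data: bytes) -> bytes:
    return struct.pack(">H", ext_type) + _vec(data, 2)


def build_client_hello(groups, share_lens):
    """Constructed ClientHello with supported_groups, key_share (zero filler of the
    given sizes, no real key material) and supported_versions = TLS 1.3."""
    supported_groups = _vec(b"".join(g.to_bytes(2, "big") for g in groups), 2)
    shares = b"".join(g.to_bytes(2, "big") + _vec(b"\x00" * share_lens[g], 2)
                      for g in groups if g in share_lens)
    exts = (_ext(0x000A, supported_groups) + _ext(0x0033, _vec(shares, 2))
            + _ext(0x002B, _vec(b"\x03\x04", 1)))
    body = (b"\x03\x03" + b"\x00" * 32 + _vec(b"", 1)   # legacy_version, random, session id
            + _vec(b"\x13\x01", 2) + _vec(b"\x00", 1)   # TLS_AES_128_GCM_SHA256, null compression
            + _vec(exts, 2))
    return b"\x16\x03\x01" + _vec(b"\x01" + len(body).to_bytes(3, "big") + body, 2)


def build_server_hello(group, share_len):
    """Constructed ServerHello selecting `group` with a zero-filled share of `share_len` bytes."""
    exts = (_ext(0x0033, group.to_bytes(2, "big") + _vec(b"\x00" * share_len, 2))
            + _ext(0x002B, b"\x03\x04"))
    body = b"\x03\x03" + b"\x00" * 32 + _vec(b"", 1) + b"\x13\x01" + b"\x00" + _vec(exts, 2)
    return b"\x16\x03\x03" + _vec(b"\x02" + len(body).to_bytes(3, "big") + body, 2)


def parse_hello(record: bytes):
    """Return (handshake_type, {ext_type: ext_data}) for a ClientHello/ServerHello record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]
    hs_type, body = hs[0], hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # legacy_version + random
    pos += 1 + body[pos]                           # legacy_session_id (echo)
    if hs_type == 1:                               # ClientHello
        pos += 2 + struct.unpack_from(">H", body, pos)[0]   # cipher_suites
        pos += 1 + body[pos]                                # compression_methods
    elif hs_type == 2:                             # ServerHello / HelloRetryRequest
        pos += 2 + 1                               # cipher_suite + compression_method
    else:
        raise ValueError(f"unexpected handshake type {hs_type}")
    ext_end = pos + 2 + struct.unpack_from(">H", body, pos)[0]
    exts, pos = {}, pos + 2
    while pos < ext_end:
        etype, elen = struct.unpack_from(">HH", body, pos)
        exts[etype] = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    return hs_type, exts


def client_offers(record: bytes):
    """Groups in supported_groups, and {group: share_len} for the key shares actually sent."""
    hs_type, exts = parse_hello(record)
    if hs_type != 1:
        raise ValueError("expected ClientHello")
    sg = exts.get(0x000A, b"\x00\x00")
    groups = [struct.unpack_from(">H", sg, 2 + 2 * i)[0]
              for i in range(struct.unpack_from(">H", sg)[0] // 2)]
    shares, ks = {}, exts.get(0x0033, b"\x00\x00")
    pos, end = 2, 2 + struct.unpack_from(">H", ks)[0]
    while pos < end:
        group, length = struct.unpack_from(">HH", ks, pos)
        shares[group] = length
        pos += 4 + length
    return groups, shares


def server_selected(record: bytes):
    """(group, share_len) chosen by the server; share_len is None for a HelloRetryRequest,
    whose key_share only names the group, and both are None without a key_share."""
    hs_type, exts = parse_hello(record)
    if hs_type != 2 or 0x0033 not in exts:
        return None, None
    ks = exts[0x0033]
    if len(ks) == 2:
        return struct.unpack_from(">H", ks)[0], None
    return struct.unpack_from(">HH", ks)


def assess(client_record: bytes, server_record: bytes) -> dict:
    """Verdict: was a hybrid ML-KEM group negotiated, and does the server's share size fit?"""
    groups, shares = client_offers(client_record)
    group, length = server_selected(server_record)
    return {
        "client_offers_hybrid": any(g in HYBRID_PQC for g in groups),
        "client_shares_hybrid": any(g in HYBRID_PQC for g in shares),  # else the server must HRR
        "negotiated": GROUPS.get(group, None if group is None else hex(group)),
        "quantum_safe": group in HYBRID_PQC,
        "share_len_ok": None if length is None else length == SERVER_SHARE_LEN.get(group),
    }
```

Feeding assess() a constructed ClientHello that offers X25519MLKEM768 together with a ServerHello that selects it yields quantum_safe True; the same server facing a client on an older TLS stack that only offers x25519 and secp256r1 reports negotiated "x25519" and quantum_safe False, which is the silent fallback to watch for in the back-end connections. A server share of the wrong size for the selected group is flagged by share_len_ok.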

Next steps to be quantum safe

  • Check out our S3-provider comparison, which is updated regularly, to see who will be the first to support the new groups.
  • Reach out if your preferred S3 provider already supports the hybrid PQC groups!
  • Contact our team about making all of your data quantum safe!

Resources/further reading
