Monday, March 10, 2025

Post-Quantum Cryptography Challenges and Opportunities


Apple’s February 2024 announcement regarding the integration of post-quantum cryptography (PQC) into iMessage underscores the urgency and importance of adopting quantum-resistant encryption methods. We are moving to an era where quantum computing threatens the confidentiality of current cryptographic protocols, specifically around “harvest now, decrypt later” attacks: the ability to store communications and crack the keys once we have a functional quantum computer. With embedded systems that can be susceptible to physical attacks, we need to move a step further by implementing hardware attack-resistant PQC. Apple’s announcement presents an opportunity to discuss the challenges in implementing post-quantum cryptography algorithms.

Interestingly, Apple’s blog post did not mention side channel or fault attacks. This makes sense for a messaging app because hardware attacks are local, and local attacks won’t go after a communication protocol. However, there are other targets for which local attacks are relevant.

Needs and challenges of PQC in embedded systems

Take, for instance, your average embedded system-on-chip (SoC). It comes with a root of trust, which typically uses elliptic curve cryptography (ECC) to authenticate its system code before running it. A sufficiently large quantum computer lets an attacker recover the ECC private key from the public key alone. This breaks code authentication, allowing attackers to run arbitrary code on the system and bypass any local security controls.

Now consider the hypothesis that we’ll have quantum computing in 5-10 years. Embedded systems, which are integral to a myriad of applications from automotive to internet of things (IoT) devices, are particularly at risk due to their long service life (for example, up to 20 years in the automotive industry) and exposure to physical attacks.

Implementing PQC in embedded systems presents unique challenges. These systems often operate with limited processing power, memory, and energy, constraints that are magnified in ASIC and software implementations. Additionally, the potential for side-channel and fault attacks necessitates that PQC designers create implementations with these vulnerabilities in mind.

Current state of PQC in embedded systems

By nature, many embedded systems are impossible to update, exemplified by non-modifiable read-only memory (ROM) code implementing the root of trust. This underscores the urgency of incorporating PQC today. However, the relative youth of PQC — illustrated by the breaking of the supersingular isogeny key exchange (SIKE) algorithm in 2023 — suggests caution. Apple’s iMessage approach of combining ECC with PQC emerges as a pragmatic interim solution. It is not without risk: we know from experience that more code means more fault injection (FI) attack surface, and if ECC gets broken by quantum computing we still need local attack resistance in PQC.

Yet, it may not always be feasible to combine multiple algorithms due to the functional and performance constraints of embedded devices. As the field evolves, customers are increasingly requesting verification of side channel attack (SCA) and FI resistance in PQC implementations, especially when they are exploring the right balance between security and performance.

Best practices

As PQC continues to develop, it becomes critical to adhere to the latest research on countermeasures and avoid blindly taking “vanilla” open-source implementations without SCA and FI protections. The path forward involves preparing for the eventuality of the compromise of some PQC algorithms, necessitating a strategy for crypto agility to migrate to alternative solutions or mitigate the impacts of compromised embedded systems. This approach will become integral as certification schemes evolve to phase out outdated or broken algorithms.
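The two ideas above, a hybrid signature where both the classical and the post-quantum component must verify, and an algorithm policy that can retire a broken scheme without a code change, are shown together in the following added example. It is illustrative code written for this page, not code from Apple, Riscure or Keysight. It uses Go's standard-library Ed25519 as the ECC component and a Lamport one-time signature built on SHA-256 as a stand-in for a standardized hash-based PQC scheme; the algorithm identifiers, the `allowedAlgs` policy table, the `HybridSig`/`HybridPub` types and the firmware image bytes are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Algorithm identifiers carried in the image manifest (constructed names).
const (
	AlgEd25519 = "ed25519"        // classical ECC component
	AlgLamport = "lamport-sha256" // toy hash-based one-time signature (PQC stand-in)
)

// allowedAlgs is the verifier's policy. Retiring an algorithm is a table
// edit, and images that still depend on it are then rejected (fail closed).
var allowedAlgs = map[string]bool{AlgEd25519: true, AlgLamport: true}

// lamportKey holds, for each of the 256 digest bits, two secret 32-byte
// preimages and their SHA-256 images (the public key).
type lamportKey struct {
	priv [256][2][32]byte
	pub  [256][2][32]byte
}

func genLamport() (*lamportKey, error) {
	k := &lamportKey{}
	for i := 0; i < 256; i++ {
		for b := 0; b < 2; b++ {
			if _, err := rand.Read(k.priv[i][b][:]); err != nil {
				return nil, err
			}
			k.pub[i][b] = sha256.Sum256(k.priv[i][b][:])
		}
	}
	return k, nil
}

// lamportSign reveals the preimage matching each digest bit. A Lamport key
// must sign exactly one message; reuse leaks enough preimages to forge.
func lamportSign(k *lamportKey, msg []byte) [256][32]byte {
	d := sha256.Sum256(msg)
	var sig [256][32]byte
	for i := 0; i < 256; i++ {
		bit := (d[i/8] >> (7 - uint(i%8))) & 1
		sig[i] = k.priv[i][bit]
	}
	return sig
}

// lamportVerify re-hashes every revealed preimage; it does not return early,
// so a mismatch in chunk 3 still leaves the remaining chunks checked.
func lamportVerify(pub [256][2][32]byte, msg []byte, sig [256][32]byte) bool {
	d := sha256.Sum256(msg)
	ok := true
	for i := 0; i < 256; i++ {
		bit := (d[i/8] >> (7 - uint(i%8))) & 1
		h := sha256.Sum256(sig[i][:])
		if !bytes.Equal(h[:], pub[i][bit][:]) {
			ok = false
		}
	}
	return ok
}

// HybridSig pairs a classical and a post-quantum signature over the same image.
type HybridSig struct {
	ClassicalAlg string
	Classical    []byte
	PQAlg        string
	PQ           [256][32]byte
}

type HybridPub struct {
	Ed      ed25519.PublicKey
	Lamport [256][2][32]byte
}

// VerifyHybrid accepts an image only if both algorithms are still allowed by
// policy and both signatures verify, so breaking ECC alone (quantum) or the
// young PQC scheme alone (cryptanalysis) is not enough to forge a boot image.
func VerifyHybrid(pub HybridPub, image []byte, sig HybridSig) error {
	if !allowedAlgs[sig.ClassicalAlg] || !allowedAlgs[sig.PQAlg] {
		return errors.New("algorithm retired by policy")
	}
	if sig.ClassicalAlg != AlgEd25519 || sig.PQAlg != AlgLamport {
		return errors.New("unsupported algorithm pairing")
	}
	classicalOK := ed25519.Verify(pub.Ed, image, sig.Classical)
	pqOK := lamportVerify(pub.Lamport, image, sig.PQ)
	if !classicalOK || !pqOK {
		return errors.New("hybrid signature verification failed")
	}
	return nil
}

// RunScenario signs a constructed image and checks that the verifier accepts
// it, rejects a tampered copy, and rejects it once the PQC scheme is retired.
func RunScenario() error {
	edPub, edPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	lk, err := genLamport()
	if err != nil {
		return err
	}
	image := []byte("constructed firmware image v1.0") // sample input, not real firmware
	pub := HybridPub{Ed: edPub, Lamport: lk.pub}
	sig := HybridSig{AlgEd25519, ed25519.Sign(edPriv, image), AlgLamport, lamportSign(lk, image)}
	if err := VerifyHybrid(pub, image, sig); err != nil {
		return fmt.Errorf("genuine image rejected: %v", err)
	}
	tampered := append([]byte{}, image...)
	tampered[0] ^= 0x01
	if VerifyHybrid(pub, tampered, sig) == nil {
		return errors.New("tampered image accepted")
	}
	// Retire the PQC scheme, as would happen after a SIKE-style break.
	allowedAlgs[AlgLamport] = false
	defer func() { allowedAlgs[AlgLamport] = true }()
	if VerifyHybrid(pub, image, sig) == nil {
		return errors.New("retired algorithm accepted")
	}
	return nil
}
```

Two design choices matter for the embedded setting. The hybrid check is an AND, so the verifier never downgrades to a single algorithm, and retiring an entry in the policy table blocks images signed with that scheme until they are re-signed, which is the crypto-agility path the text calls for. The Lamport verifier deliberately avoids early returns so that its control flow does not depend on where a mismatch occurs, but this is a readability illustration only: real protection against fault injection and side channels needs the hardware-aware countermeasures and verification the text describes, and a real root of trust would use a standardized scheme with a large public key stored in ROM rather than a 16 KB one-time Lamport key.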

Conclusion

The integration of side channel attack and fault injection resistant post-quantum cryptography in embedded systems is not just a technological necessity; it’s a strategic imperative to protect against the dual threats of quantum computing and physical attacks. Riscure, now part of Keysight, continues to develop analysis modules to ensure the resilience of PQC implementations in both pre-silicon simulation and post-silicon testing. Researchers and engineers must collectively build (and break) countermeasures while balancing security and usability to address the challenges and secure the future of embedded systems.
