Interestingly, side-channel or fault attacks are not mentioned in the blog post. For a messaging app this makes sense: hardware attacks are local, requiring physical access to the device, and an attacker with that access has no need to go after the communication protocol. However, there are other targets for which local attacks are very relevant.
The Need and Challenges for PQC in Embedded Systems
Take, for instance, your average embedded SoC. It comes with a root of trust, which typically uses Elliptic Curve Cryptography (ECC) to authenticate its system code before running it. With quantum computers, the ECC private keys can be recovered from the public keys alone. This breaks code authentication, allowing attackers to run arbitrary code on the system and bypass any local security controls.
Now consider the hypothesis that we’ll have quantum computing in 5-10 years. Embedded systems, integral to a myriad of applications from automotive to IoT devices, are particularly at risk due to their long service life (e.g. up to 20 years in the automotive industry) and their exposure to physical attacks.
Implementing PQC in embedded systems presents unique challenges. These systems often operate with limited processing power, memory, and energy, constraints that are magnified in ASIC and software implementations alike. Additionally, the potential for side-channel and fault attacks necessitates that PQC implementations are designed with these vulnerabilities in mind.
Current State of PQC in Embedded Systems
The non-updateable nature of many embedded systems, exemplified by non-modifiable ROM code implementing the root of trust, highlights the urgency of incorporating PQC today. However, the relative youth of PQC, illustrated by the breaking of the SIKE algorithm last year, suggests caution. The “belts and suspenders” approach, combining ECC with PQC as seen in Apple’s iMessage protocol, emerges as a pragmatic interim solution. It is not without risk: we know from experience that more code means more fault injection (FI) attack surface, and if ECC gets broken by quantum computers we still need local attack resistance in the PQC part.
Yet, combining multiple algorithms may not always be feasible due to the functional and performance constraints of embedded devices. As the field evolves, requests for verifying SCA and FI resistance in PQC implementations are increasingly common among customers, especially when they are exploring the right balance between security and performance.
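The “belts and suspenders” combination described above, applied to the root-of-trust use case from the start of this post, as an added example that is not Riscure’s code or Apple’s: a boot-image verifier that accepts an image only if both a classical ECDSA P-256 signature and a hash-based (Lamport one-time) signature verify. The Lamport scheme is used here because it is post-quantum and fits in a few lines over SHA-256; it stands in for a standardized hash-based scheme and is an assumption of this example, as are the image contents and all key material, which are generated at run time.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// Lamport one-time signature over SHA-256: the hash-based building block
// behind schemes such as XMSS and SPHINCS+. Each private key may sign ONE
// message; signing twice reveals enough secrets to forge. Illustrative only.
type LamportPriv [256][2][32]byte
type LamportPub [256][2][32]byte
type LamportSig [256][32]byte

func LamportKeygen(r io.Reader) (*LamportPriv, *LamportPub, error) {
	var sk LamportPriv
	var pk LamportPub
	for i := 0; i < 256; i++ {
		for b := 0; b < 2; b++ {
			if _, err := io.ReadFull(r, sk[i][b][:]); err != nil {
				return nil, nil, err
			}
			pk[i][b] = sha256.Sum256(sk[i][b][:]) // public key = hash of each secret
		}
	}
	return &sk, &pk, nil
}

// msgBit returns bit i (MSB first) of the message digest.
func msgBit(digest [32]byte, i int) int {
	return int(digest[i/8]>>(7-uint(i%8))) & 1
}

func LamportSign(sk *LamportPriv, msg []byte) LamportSig {
	d := sha256.Sum256(msg)
	var sig LamportSig
	for i := 0; i < 256; i++ {
		sig[i] = sk[i][msgBit(d, i)] // reveal the secret selected by each digest bit
	}
	return sig
}

func LamportVerify(pk *LamportPub, msg []byte, sig LamportSig) bool {
	d := sha256.Sum256(msg)
	ok := true
	for i := 0; i < 256; i++ {
		h := sha256.Sum256(sig[i][:])
		// Accumulate the result instead of returning early so all 256
		// positions are always checked.
		if !bytes.Equal(h[:], pk[i][msgBit(d, i)][:]) {
			ok = false
		}
	}
	return ok
}

// HybridSig bundles the classical and post-quantum signatures over one image.
type HybridSig struct {
	ECDSA   []byte // ASN.1 DER ECDSA signature over SHA-256(image)
	Lamport LamportSig
}

func HybridSign(r io.Reader, ecKey *ecdsa.PrivateKey, lamKey *LamportPriv, image []byte) (HybridSig, error) {
	d := sha256.Sum256(image)
	ecSig, err := ecdsa.SignASN1(r, ecKey, d[:])
	if err != nil {
		return HybridSig{}, err
	}
	return HybridSig{ECDSA: ecSig, Lamport: LamportSign(lamKey, image)}, nil
}

// HybridVerify accepts the image only if BOTH signatures verify. Each check
// runs unconditionally and the results are combined afterwards, so a failure
// in one scheme is never skipped.
func HybridVerify(ecPub *ecdsa.PublicKey, lamPub *LamportPub, image []byte, sig HybridSig) bool {
	d := sha256.Sum256(image)
	ecOK := ecdsa.VerifyASN1(ecPub, d[:], sig.ECDSA)
	pqOK := LamportVerify(lamPub, image, sig.Lamport)
	return ecOK && pqOK
}

func main() {
	ecKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	lamPriv, lamPub, _ := LamportKeygen(rand.Reader)
	image := []byte("constructed firmware image v1") // constructed sample input
	sig, _ := HybridSign(rand.Reader, ecKey, lamPriv, image)
	fmt.Println("genuine image verifies:", HybridVerify(&ecKey.PublicKey, lamPub, image, sig))
	fmt.Println("tampered image verifies:", HybridVerify(&ecKey.PublicKey, lamPub, append(image, '!'), sig))
}
```

Two things to notice. First, the cost the post alludes to: the Lamport public key is 16 KB and each signature 8 KB, against 64 bytes for ECDSA, which is exactly the kind of footprint that makes “belts and suspenders” hard on a constrained ROM. Second, the decision logic (a single boolean AND) is itself a fault-injection target; this example only avoids short-circuiting, and a real root of trust would add redundant checks and glitch detection on top.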
Best practices
As PQC continues to develop, it is critical to follow the latest research on countermeasures and to avoid blindly adopting “vanilla” open-source implementations that lack SCA and FI protections. The path forward involves preparing for the eventuality of some PQC algorithms being compromised, which requires a crypto-agility strategy to migrate to alternative algorithms or to mitigate the impact on already-deployed embedded systems. This approach will become integral as certification schemes evolve to phase out outdated or broken algorithms.
Conclusion
The integration of Side-Channel Attack and Fault Injection resistant Post-Quantum Cryptography in embedded systems is not just a technological necessity; it’s a strategic imperative to protect against the dual threats of quantum computing and physical attacks. Riscure has been, and will continue, developing analysis modules to ensure the resilience of PQC implementations in both pre-silicon simulation and post-silicon testing. A collective effort between the researchers and engineers building (and breaking) countermeasures, balancing security and usability, is required to address these challenges and secure the future of embedded systems.