## MIT engineers design a system for IoT chips to do quantum-computer-proof encryption

By

Samuel K. MooreOne of the most frequently mentioned fears about future quantum computers is that they will someday crack our encryption codes and lay all our digital secrets bare. Despite it being a truly far-off possibility, cryptographers are already taking the threat very seriously.

The solution seems to be to develop one or more classes of encryption schemes that classical computers can use but quantum computers can’t crack. Less than two weeks ago, the U.S. National Institute of Standards and Technology reported that its search for quantum-proof algorithms had reached the semifinals stage. Following a year-long evaluation, the agency has narrowed the field down to 26 algorithms, most of which fall into three broad families.

Now, at the IEEE International Solid-State Circuits Conference on Monday in San Francisco, engineers from MIT have reported the creation of an encryption system that performs one of these schemes on a chip small enough and energy-efficient enough to guard battery-powered nodes on the Internet of Things from future quantum attack.

The MIT engineers focused on one family of post-quantum algorithms, called lattice-based cryptography. The name comes from a way to picture the problems that would need to be solved to crack this kind of encryption. Imagine a two-dimensional grid with points scattered around it. It might not seem too difficult to find the shortest vector between a random spot on the lattice and the nearest point, but expand the grid into three dimensions, and then 1,000, and then 10,000, and it becomes enough to occupy today’s computers for years.

“Lattice-based cryptography is a promising candidate because of its small public key and signature sizes,” MIT doctoral student Utsav Banerjee told engineers at the conference. The problem that computers must solve in order to crack the encryption is called the learning with error problem. Encryption using that problem requires the generation of matrices of numbers that each have certain characteristics. Banerjee says that generating those numbers was the biggest computational constraint, while storing the vectors for the key exchange computations took up the most area on the chip.

In order to reduce the computational load, the MIT group first implemented an efficient pseudo random number generator, using the SHA-3 hash function, that was two to three times as energy efficient as two other candidates. To fit the encryption algorithm, the random numbers must fit certain statistical properties. That required three different algorithms designed to reject numbers that didn’t fit. The team chose algorithms that produced significant energy savings when implemented in silicon. One proved to use merely 1/16th the energy of a competing algorithm. [READ MORE]