IBM Z and LinuxONE IBM Z

  • 1.  IBM z16 is a "quantum-safe system" system details

    Posted Thu May 19, 2022 09:59 AM
    What does it mean to be  "quantum-safe system"

    ------------------------------
    Ivan Portilla
    ------------------------------


  • 2.  RE: IBM z16 is a "quantum-safe system" system details

    Posted Thu May 19, 2022 04:15 PM

    At the risk of being a grump here I am going to say (a.) there is no such thing as a quantum-safe system and (b.) the assertion that there is is counter-productive.

     

    There is no such thing as a quantum-safe system. If I buy a z16 and use 2048-bit RSA key-pairs on it, then my system is not quantum-safe.

     

    And the assertion itself reinforces the myth that Brian Marshall and others have spoken about: the mainframe is not the most secure system in the world; the mainframe is the most securable system in the world. There is no box you can buy that will make you quantum-safe. I might have come up with the marketing claim that the z16 facilitated a quantum-safe environment.

     

    Charles A. Mills | Chief Development Officer

    Phone: 707-291-0908
    Toll Free: 877-245-4322
    Email: Charles.Mills@CloudCompiling.com
    www.CloudCompiling.com

     

     






  • 3.  RE: IBM z16 is a "quantum-safe system" system details

    Posted Fri May 20, 2022 02:20 PM
    IBM publish this detail: G5NNXDOA (ibm.com)
    Says this:
    Following three rounds of evaluation, NIST
    plans to select a small number of new quantum-safe algorithms this
    year and have new quantum-safe standards in place by 2024. As part of
    this program, IBM researchers have been involved in the development
    of three quantum-safe cryptographic algorithms based on lattice
    cryptography which are in the final round of consideration: CRYSTALSKyber, CRYSTALS-Dilithium and Falcon.
    Other discussion about adding Scanning in ADDI to identify Cprypto calls in applications etc.

    ------------------------------
    Graham Franklin
    ------------------------------



  • 4.  RE: IBM z16 is a "quantum-safe system" system details

    Posted Fri May 20, 2022 07:53 PM
    Ivan,

    That's an excellent question.

    The IBM z16 press release includes this explanation in a footnote: "IBM z16 with the Crypto Express 8S card provides quantum-safe APIs providing access to quantum-safe algorithms which have been selected as finalists during the PQC standardization process conducted by NIST. https://csrc.nist.gov/Projects/post-quantum-cryptography/round-3-submissions. Quantum-safe cryptography refers to efforts to identify algorithms that are resistant to attacks by both classical and quantum computers, to keep information assets secure even after a large-scale quantum computer has been built. Source: https://www.etsi.org/technologies/quantum-safe-cryptography. These algorithms are used to help ensure the integrity of a number of the firmware and boot processes. IBM z16 is the Industry-first system protected by quantum-safe technology across multiple layers of firmware."

    So a quantum-safe system is one that provides access to quantum-safe algorithms via APIs and uses those algorithms to protect its firmware and boot processes.

    I agree with Charles - these capabilities make the z16 securable rather than secure.

    IBM also enhanced Application Discovery and Delivery Intelligence (ADDI) to discover cryptographic API calls in your COBOL applications, so you can update them to use the new quantum-safe APIs. This blog "Start Your Quantum-Safe Journey with IBM Application Discovery and Delivery Intelligence" explains this and provides a link to a demo video.

    In addition to the document Graham shared, this blog "What Is Quantum-Safe Cryptography, and Why Do We Need It?" should also help.

    Thank you, 

    Mark Indermaur




    ------------------------------
    Mark Indermaur
    IBM
    Research Triangle Pa NC
    ------------------------------



  • 5.  RE: IBM z16 is a "quantum-safe system" system details

    Posted Mon May 23, 2022 04:34 PM
    In addition to what Mark shared, I'd like to also point out that z16 is the industry first system that leverages quantum-safe algorithms across multiple layers of firmware in its infrastructure and provides a foundation upon which other parts of the platform "can be made quantum-safe" over time. One of the key infrastructure enhancements is the introduction of quantum-safe secure boot. This feature helps protect system integrity by using quantum-safe and classical digital signatures to perform a hardware-protected verification of the IBM z16 firmware loaded while booting the machine. The dual signing scheme is designed to ensure only authentic firmware is launched, thereby helping to protect the system from the threat of fraudulent firmware attacks. As suggested, there are items that will be controlled directly my our clients and we will continue to enable their use cases.

    Anne Dames 


    ------------------------------
    Anne Dames
    DE, IBM zSystems
    Cryptographic Technology Dev.
    Charlotte, NC
    ------------------------------



  • 6.  RE: IBM z16 is a "quantum-safe system" system details

    Posted Tue May 24, 2022 01:45 PM

    Let me summarize, to make this (hopefully) clear.  The z16 provides quantum-safe cryptography in two distinct ways, and I can see that it is causing confusion.

    1. The z16 uses quantum-safe cryptography to protect ITS OWN integrity, so that you can be confident your applications are running on a secure platform.  What this means is that z16 uses quantum-safe crypto algorithms (in parallel with conventional algorithms) to implement a secure boot process.  It ensures that all layers of the z16 system firmware are correct - that none have been tampered with in any way.
    2. The Crypto Express HSM (Hardware Security Module) available in the z16 offers APIs that let YOUR APPLICATIONS use quantum-safe cryptography.  Your applications can code to the new APIs to do quantum-safe (or dual) digital signatures, and to perform a hybrid, quantum-safe key agreement protocol that is compliant with today's standards, even though it also integrates quantum-safe algorithms to protect you from future quantum computers.  These functions, of course, are in addition to the other quantum-safe algorithms that the HSM already provided - AES for symmetric cryptography, and SHA2/SHA3 for hashing.  This means that applications running on the z16 can be written today to be protected against future quantum computers.


    ------------------------------
    Todd Arnold
    ------------------------------