=Paper=
{{Paper
|id=Vol-3829/short9
|storemode=property
|title=Classical and post-quantum encryption for GDPR (short paper)
|pdfUrl=https://ceur-ws.org/Vol-3829/short9.pdf
|volume=Vol-3829
|authors=Maksim Iavich,Oksana Kovalchuk,Sergiy Gnatyuk,Yuliia Khavikova,Volodymyr Sokolov
|dblpUrl=https://dblp.org/rec/conf/cqpc/IavichKGKS24
}}
==Classical and post-quantum encryption for GDPR (short paper)==
https://ceur-ws.org/Vol-3829/short9.pdf
Classical and post-quantum encryption for GDPR⋆
Maksim Iavich1,†, Oksana Kovalchuk2,†, Sergiy Gnatyuk3,†, Yuliia Khavikova4,†
and Volodymyr Sokolov5,∗,†
1
Caucasus University, 1 Paata Saakadze str., 0102 Tbilisi, Georgia
2
Sokhumi State University, 61 Politkovskaya str., 0186 Tbilisi, Georgia
3
National Aviation University, 1 Liubomyra Huzara ave., 03058 Kyiv, Ukraine
4
State University of Trade and Economics, 19 Kyoto str., 02156 Kyiv, Ukraine
5
Borys Grinchenko Kyiv Metropolitan University, 18/2, Bulvarno-Kudriavska str., 04053 Kyiv, Ukraine
Abstract
In the dynamic digital landscape, the General Data Protection Regulation (GDPR) stands as a transformative
force, which aims to secure individual privacy and redefine organizational practices in personal data
handling. This paper analyzes the multifaceted layers of GDPR in detail, it elucidates its principles, rights
for data subjects, and obligations for data controllers and processors. The main attention is paid to
encryption standards, with specific recommendations for data protection in both classical and post-
quantum epochs. In the classical setting, the paper aims to employ AES-128 in data storage, striking a
balance between security and performance. For communication, the SSL protocol is used, with a caveat to
transition to TLS for contemporary applications. In the post-quantum epoch, where there will be fully-
fledged quantum computers, the paper proposes a shift to AES-256 for data storage and introduces
CRYSTALS-Kyber, an asymmetric cryptography algorithm secure against quantum attacks, for secure
communication. The recommendations emphasize the need for creating precise cryptographical
recommendations, particularly in the face of evolving threats. Compliance with GDPR and other data
protection regulations remains very important, ensuring the security and integrity of data in the 21st
century.
Keywords
GDPR, AES-256, encryption, post-quantum cryptography, cryptographical application1
1. Introduction As we study GDPR, it becomes evident that this
regulation is not a legal framework but a catalyst for an
Because of the rapid evolution of digital technologies, important organizational shift towards a more privacy-
the security of data has become very important [1, 2]. As oriented approach. By understanding the nuances and
people have to share their personal information online, implications of the GDPR, businesses, policymakers, and
concerns about data privacy and security have become individuals can actively contribute to the responsible
impor-tant. In response to these concerns, the Euro-pean and ethical use of personal data in the digital era [6–8].
Union (EU) has elaborated the General Data Protection This paper studies the multifaceted layers of the
Regulation (GDPR), a land-mark legislation designed to GDPR, providing a comprehensive of these layers.
secure the rights and privacy of individuals in the digital Through this exploration, we aim to foster a deeper
realm. understanding of the GDPR’s significance, its impact on
The GDPR, which came into effect on May 25, 2018, various stakeholders, and the evolving landscape of data
represents a paradigm shift in data protection, protection in the 21st century. The main aim of the paper
emphasizing transparency, accountability, and is to analyze the encryption standards for data
individual empowerment. Its main goal is to provide protection. Based on the analysis the goal of the paper is
individuals with greater control over their data while to offer a detailed recommendation for data encryption
imposing strict rules on organizations that process such in ongoing and post-quantum epochs.
information. Because of the importance of GDPR, this
paper aims to analyze the regulatory framework, 2. GDPR layers
exploring its fundamental principles, the rights it affords
to data subjects and the obligations it places upon data Let’s mention analyze the various layers of the GDPR
controllers and processors [3–5]. and their implications:
CQPC-2024: Classic, Quantum, and Post-Quantum Cryptography, August 0000-0002-3109-7971 (M. Iavich); 0000-0002-2354-6545
6, 2024, Kyiv, Ukraine (O. Kovalchuk); 0000-0003-4992-0564 (S. Gnatyuk); 0000-0003-1017-3602
∗ Corresponding author. (Y. Khavikova); 0000-0002-9349-7946 (V. Sokolov)
†
These authors contributed equally.
© 2024 Copyright for this paper by its authors. Use permitted under
miavich@cu.edu.ge (M. Iavich); oksana.kovalchuk@gmail.com Creative Commons License Attribution 4.0 International (CC BY 4.0).
(O. Kovalchuk); s.gnatyuk@nau.edu.ua (S. Gnatyuk);
pirogova0303@gmail.com (Y. Khavikova); v.sokolov@kubg.edu.ua
(V. Sokolov)
CEUR
Workshop
ceur-ws.org
ISSN 1613-0073
70
Proceedings
�2.1. Principles 2.6. Data processing records
Lawfulness, Fairness, and Transparency: This principle Maintaining records of data processing activities
ensures that organizations process personal data legally promotes transparency and accountability. It helps
and transparently. It emphasizes the importance of organizations keep track of their data processing
informing individuals about the processing activities practices and facilitates cooperation with data
and the reasons behind them, fostering trust and protection authorities during audits.
accountability.
Purpose Limitation and Data Minimization: These 2.7. Data protection impact assessments
principles emphasize the need for organizations to clearly
Data Protection Impact Assessments (DPIAs) are a
define the purposes for which they collect data and to
proactive tool for identifying and mitigating potential
collect only the minimum necessary data for those
risks associated with data processing activities. This
purposes. This helps prevent the indiscriminate collection
encourages organizations to assess and address privacy
and processing of personal information.
risks before initiating certain processing operations,
Accuracy and Storage Limitation: These principles
aligning with a risk-based approach to data protection.
highlight the importance of maintaining accurate and
up-to-date data and ensuring that personal data is not 2.8. Cross-border data transfers
stored longer than necessary. This promotes data quality
and relevance. The restrictions on cross-border data transfers ensure
Integrity and Confidentiality: Organizations must that personal data leaving the EU enjoys an adequate
implement security measures to protect personal data level of protection. This protects the privacy rights of
from unauthorized access, disclosure, alteration, and individuals, even when their data is transferred
destruction, ensuring the integrity and confidentiality of internationally.
the data.
2.9. Data breach notification
2.2. Data subject rights The mandatory reporting of data breaches within 72
The recognition of robust data subject rights empowers hours enhances transparency and enables swift action to
individuals to have control over their data. This includes mitigate potential harm. This requirement emphasizes
the right to access their information, rectify inaccuracies, the importance of timely and effective responses to
and even request the deletion of their data under certain security incidents.
circumstances. These rights enhance individual
autonomy and privacy. 2.10. Accountability and governance
The principles of accountability and governance require
2.3. 3. Lawful basis for processing organizations to take responsibility for their data
Requiring a lawful basis for processing ensures that processing activities. This involves adopting internal
organizations have a legitimate reason for collecting and policies, conducting training, and maintaining
processing personal data. This prevents arbitrary or documentation, fostering a culture of compliance and
unjustified processing and encourages responsible data transparency.
management. As we can see, the layers of GDPR collectively create
an interesting and important framework that prioritizes
2.4. Consent the rights and privacy of individuals, fosters
transparency, and promotes responsible data
The GDPR introduces a higher standard for obtaining
governance across organizations. Compliance with
and managing consent. It ensures that individuals are
these layers not only ensures legal adherence but also
fully informed and have given clear affirmative action,
contributes to a more ethical and trustworthy data
fostering a more transparent and ethically grounded
ecosystem.
approach to data processing.
2.5. Data protection officer 3. Encryption in GDPR
The appointment of a Data Protection Officer (DPO) is a The GDPR does not explicitly mandate the use of
proactive step toward ensuring that organizations have specific security technologies like data encryption.
a designated person responsible for overseeing data However, GDPR does require organizations to
protection compliance. This demonstrates a implement appropriate technical and organizational
commitment to accountability and effective governance. measures to ensure a level of security appropriate to the
risk. Encryption is recognized as one of the security
71
�measures that can help protect personal data, and it is algorithm that plays a crucial role in securing data,
explicitly mentioned in several articles of the regulation. including its storage. AES was established as a standard
Here are the four most relevant aspects of GDPR related by the National Institute of Standards and Technology
to data encryption: (NIST) in 2001, replacing the Data Encryption Standard
1. Security of Processing (Article 32): (DES). AES is known for its efficiency, security, and
Article 32 of the GDPR outlines the security of versatility, making it a popular choice for encrypting
processing requirements. It states that controllers and sensitive information.
processors must implement appropriate technical and Here are key aspects of using AES as a method for
organizational measures to ensure a level of security storing data [9]:
appropriate to the risk. This includes the AES is a symmetric encryption algorithm, meaning
pseudonymization and encryption of personal data. the same key is used for both encryption and decryption.
2. Pseudonymization (Recital 78): This simplicity in key management makes AES efficient
Recital 78 of the GDPR specifically mentions for storing and retrieving encrypted data. AES supports
pseudonymization as a security measure. key lengths of 128, 192, and 256 bits. Longer key lengths
Pseudonymization is a process that involves replacing or generally provide stronger security, but they may
encrypting personal data in a way that prevents require more computational resources. The choice of
attributing it to a specific data subject without additional key length depends on the desired level of security and
information. the specific implementation.
3. Notification of a Personal Data Breach to the AES operates as a block cipher, encrypting data in
Supervisory Authority (Article 33): fixed-size blocks. The standard block size for AES is 128
In the event of a personal data breach, Article 33 bits. Each block undergoes multiple rounds of
requires the data controller to notify the supervisory encryption and transformation, contributing to the
authority without undue delay, unless the breach is algorithm’s security.
unlikely to result in a risk to the rights and freedoms of AES can be used in various modes of operation, such
individuals. Encryption is mentioned as a measure to as Electronic Codebook (ECB), Cipher Block Chaining
mitigate the risks associated with a data breach. (CBC), Counter (CTR), and others. The mode of
4. Communication of a Personal Data Breach to the operation determines how the algorithm encrypts data
Data Subject (Article 34): blocks and adds a layer of complexity and security.
Article 34 states that, in certain cases, the data The cryptosystem is commonly employed for data-
controller is required to communicate the personal data at-rest encryption, securing data stored on devices such
breach to the data subject without undue delay. as hard drives, SSDs, and other storage media.
However, this communication is not necessary if the Encrypting data at rest helps protect sensitive
data is unintelligible due to encryption or other security information from unauthorized access, especially in the
measures. event of physical theft or data breaches.
In summary, while GDPR doesn’t explicitly mandate AES is often used to meet various security and
data encryption, it strongly encourages its use as part of compliance standards, including those related to data
a broader set of security measures. The implementation protection and privacy. Its acceptance as a secure
of encryption, especially when combined with other encryption algorithm by international organizations and
security practices like pseudo-nymization, helps regulatory bodies makes it a suitable choice for
organizations meet the GDPR’s requirements for organizations handling sensitive data.
securing personal data and mitigating the risks AES encryption can be also integrated into various
associated with data breaches. Organizations should storage systems, including databases and file systems.
assess the risks associated with their data processing This integration allows organizations to encrypt data at
activities and implement security measures, including the storage level, providing an additional layer of
encryption, based on the principle of proportionality. protection beyond application-level encryption.
The cryptosystem is designed to be computationally
4. Problem statement and solution efficient, but the performance impact of encryption can
vary based on factors such as key length, mode of
As we can see GDPR does not explicitly mandate data operation, and the hardware used. Modern processors
encryption. Without the recommendation of concrete often include hardware acceleration for AES, optimizing
encryption standards, it is complicated for organizations performance.
to choose the needed standards. It can lead to security IT must be mentioned, that effective key
breaches. For the local data storage, we can use management is crucial when using AES. Safeguarding
symmetric encryption. encryption keys is essential to maintaining the security
AES, which stands for Advanced Encryption
Standard, is a widely used symmetric encryption
72
�of encrypted data. Organizations should implement practice to ensure the secure transmission of data, and it
secure key storage and distribution practices. aligns well with GDPR requirements for protecting
Choosing Advanced Encryption Standard (AES) for personal data during transit [10]. Here’s an overview of
GDPR Compliance in the realm of General Data how SSL/TLS can be considered as an encryption
Protection Regulation (GDPR) compliance, the selection standard for GDPR compliance:
of a robust encryption standard is obligatory for SSL/TLS protocols are designed to provide a secure
securing personal data. As we mentioned above it stands channel for data transmission over the internet. This is
out as a highly secure and good choice that aligns with achieved through encryption, which protects the
GDPR principles. AES, a symmetric encryption confidentiality and integrity of the data being
algorithm, has earned its reputation for security through transferred between a user’s browser and a web server.
rigorous cryptographic analysis. Its implementation GDPR emphasizes the principles of data protection,
provides sufficient protection for sensitive information, including the need to process personal data securely.
addressing the GDPR’s mandate for robust data Using SSL/TLS for data transfer helps organizations
protection. Especially well-suited for encrypting stored comply with these principles by ensuring that sensitive
information, AES’s symmetric nature ensures efficient information is encrypted during transmission,
and effective encryption, meeting GDPR’s emphasis on preventing unauthorized access or interception.
securing data at rest. This approach guarantees that SSL/TLS protocols use strong encryption algorithms
personal data remains confidential and protected from to secure data. The choice of encryption algorithms and
unauthorized access. The cryptosystem aligns key lengths in the configuration of SSL/TLS can be
seamlessly with GDPR principles, including data aligned with GDPR’s emphasis on adopting appropriate
minimization, integrity, and confidentiality. By technical measures to protect personal data.
employing AES for data encryption, organizations GDPR grants individuals the right to have their data
adhere to GDPR’s mandate to store and manage only processed securely. By implementing SSL/TLS,
necessary information while maintaining data integrity organizations contribute to the protection of data
and confidentiality through encryption. In the subject rights, especially during data transfer processes
unfortunate event of a data breach, GDPR necessitates where the risk of interception is higher.
prompt notification to the supervisory authority and, in SSL/TLS contributes to secure communication
certain cases, to data subjects. The cryptosystem plays between data subjects and data controllers. When
an important role in breach mitigation by rendering the obtaining consent or communicating with individuals
encrypted data unreadable without the proper regarding their data, the use of encrypted channels helps
decryption key, reducing the risk of harm to individuals. maintain the confidentiality and integrity of the
GDPR encourages the use of pseudonymization as an information exchanged.
additional security measure. AES, integrated into a The protocol not only encrypts data but also
broader pseudonymization strategy, adds an extra layer provides a mechanism for server authentication.
of complexity, making it challenging to associate Verifying the identity of the server helps prevent man-
encrypted data with specific individuals without the in-the-middle attacks, ensuring that data is transmitted
requisite decryption keys. Widely adopted across to and from legitimate sources.
industries, AES’s versatility allows for seamless In the event of a personal data breach, GDPR
integration into various systems, databases, and storage mandates timely notification. The use of SSL/TLS can
solutions. Its international recognition contributes to a mitigate the risk of data breaches during transmission,
consistent and effective approach to data encryption, reducing the likelihood of unauthorized access and the
aligning with GDPR’s emphasis on protecting personal need for such notifications.
data regardless of geographical boundaries. The protocol is considered a standard and best
Therefore, selecting AES as the encryption standard practice for securing data in transit. Its widespread
for GDPR compliance reflects a commitment to the adoption across the internet and acceptance as a secure
secure processing and storage of personal data. While communication protocol contribute to its alignment
encryption is a crucial aspect of GDPR compliance, with industry standards, reinforcing its suitability for
organizations should adopt a holistic approach, GDPR compliance.
considering additional technical and organizational It’s important to note that while SSL/TLS is crucial
measures to ensure comprehensive data protection. The for securing data in transit, a comprehensive GDPR
key size can be chosen as a 128-bit length. compliance strategy should encompass other security
For communication encryption, we offer to use measures, including encryption at rest, access controls,
asymmetric encryption. Using SSL (Secure Sockets and secure data processing practices. Additionally,
Layer) or its successor, TLS (Transport Layer Security), organizations should stay informed about evolving
for data transfer is a common and recommended
73
�encryption standards and vulnerabilities to ensure the 6. Solution for post-quantum
ongoing effectiveness of their security measures.
epoch
5. Secure encryption under GDPR Grover’s algorithm is a quantum algorithm that
addresses the problem of unstructured search, and it has
5.1. Encryption as a security measure implications for symmetric-key cryptography, including
Article 32 of the GDPR explicitly mentions encryption algorithms like AES. Grover’s algorithm offers a
as a security measure that organizations should consider quadratic speedup for unstructured search problems
to protect personal data. Encryption helps ensure the [11].
confidentiality, integrity, and availability of data by In the context of symmetric-key cryptography,
making it unreadable to unauthorized parties. Grover’s algorithm can be used to search an unsorted
While encryption is not mandatory, it is strongly database or find the key for a symmetric encryption
recommended, especially for protecting sensitive data. algorithm. Grover’s algorithm implies that the time
The GDPR promotes a risk-based approach, where complexity of a brute-force search is reduced from O(2n)
encryption is one of the methods to mitigate risks to to O(2n/2), where “n” is the key length. This means that
personal data. the security strength provided by a key length of “n” bits
against a brute-force search is halved when subjected to
5.2. Data breach notification Grover’s algorithm.
For example, if you have a symmetric key with a
Under Article 34, if a data breach occurs and the personal
length of 128 bits, classically it would take an exhaustive
data is encrypted, the breach is less likely to pose a high
search of 2128 operations to find the key. With Grover’s
risk to the rights and freedoms of individuals. As a
algorithm, the time complexity is reduced to the square
result, if the data is properly encrypted, organizations
root of 2128, which is 264 operations. Therefore, the
might not need to notify the affected individuals,
effective security strength is reduced to 64 bits against a
provided the encryption is robust and the decryption
quantum search. To maintain a certain level of security
key has not been compromised.
against quantum attacks, it’s generally recommended to
use longer key lengths with symmetric key algorithms.
5.3. Data protection by design and by For instance, if you were aiming for 128-bit security
default against a quantum attack, you might use a key length of
Article 25 encourages organizations to implement 256 bits with a symmetric algorithm like AES.
appropriate technical and organizational measures, such Therefore, we offer to use the key length of 256 bits
as encryption, from the outset of data processing for AES to securely store data.
activities. This concept, known as “data protection by For communication asymmetric cryptography must
design and by default”, aims to integrate privacy be involved. Quantum computers can break the existing
features directly into the processing systems and asymmetric cryptography using Shor’s algorithm [12].
services. Shor’s algorithm is a quantum algorithm designed to
efficiently factorize large numbers and compute discrete
5.4. Pseudonymization logarithms, which poses a significant risk to widely used
encryption methods like RSA and ECC. In particular,
Encryption is often used as a tool for pseudonymization,
RSA’s security, dependent on the difficulty of factoring
a process mentioned in GDPR that reduces the risks to
large numbers, and ECC, relying on the elliptic curve
data subjects. Pseudonymization involves processing
discrete logarithm problem, are compromised by Shor’s
personal data in such a manner that it cannot be
algorithm on a sufficiently powerful quantum computer
attributed to a specific individual without additional
[13, 14].
information, which must be kept separately and
On a different front, Grover’s algorithm, a quantum
securely.
search algorithm, has implications for symmetric
encryption and impacts the effective key length. While
5.5. Impact on data processing not directly breaking public-key cryptography, Grover’s
When data is encrypted, it may affect how it can be algorithm provides a quadratic speedup for unstructured
processed. For instance, encrypted data typically cannot search problems, effectively halving the security
be searched or analyzed in its encrypted form, which provided by symmetric encryption key lengths. This
may necessitate the development of secure and efficient prompts the need for longer key lengths in symmetric
decryption processes within an organization. encryption to maintain equivalent security levels in the
face of quantum threats [15–17].
74
�To counter these quantum risks, ongoing efforts in post- conventional computers, quantum computers could
quantum cryptography are focused on developing rapidly solve math problems currently deemed
encryption algorithms resistant to quantum attacks. intractable, rendering existing encryption systems
Researchers are exploring alternative mathematical vulnerable. The selected quantum-resistant algorithms,
problems and cryptographic techniques to ensure the designed for general encryption and digital signatures,
continued security of digital communication in a rely on math problems that both conventional and
quantum computing era. quantum computers should find challenging to solve.
Therefore, for asymmetric encryption, we offer to The chosen algorithm for general encryption is
use already existing NIST standards. GAITHERSBURG, CRYSTALS-Kyber, recognized for its smaller encryption
Md.—The National Institute of Standards and keys facilitating easy exchange between parties and
Technology (NIST), part of the U.S. Department of operational speed [19–24].
Commerce, has taken a significant step in addressing the Therefore, we offer to use CRYSTALS-Kyber as
potential threat posed by future quantum computers to asymmetric encryption.
digital security. NIST has unveiled the initial group of
encryption tools designed to withstand quantum 7. Final recommendations for
computer attacks, which could jeopardize the privacy of
information crucial to daily digital activities such as
NIST encryption standards
online banking and email communication. These Classical setting:
selected encryption algorithms are anticipated to be part 1. Data Storage (AES-128):
of NIST’s forthcoming post-quantum cryptographic Using AES-128 for data storage is a common and
standard, expected to be finalized within approximately secure practice. It provides a good balance between
two years. security and performance in most scenarios.
Gina M. Raimondo, the Secretary of Commerce, 2. Communication (SSL Protocol):
emphasized the importance of this announcement as a SSL (Secure Sockets Layer) has been widely used for
milestone in fortifying sensitive data against potential securing communication over the internet. Note that the
cyber threats from quantum computers. NIST has played latest version of SSL is TLS (Transport Layer Security),
a crucial role in managing a six-year effort that began in and it’s recommended to use TLS instead for modern
2016, urging cryptographers globally to create and vet applications [24–26].
encryption methods capable of resisting attacks from Post-Quantum Epoch:
more powerful quantum computers. The unveiling of Data Storage (AES-256):
these encryption algorithms marks a pivotal stage in In a post-quantum epoch, where quantum
NIST’s post-quantum cryptography [18] standardization computers may pose a threat to certain cryptographic
project. algorithms, it’s prudent to use a higher key size for
Under Secretary of Commerce for Standards and encryption. AES-256 provides stronger security
Technology and NIST Director Laurie E. Locascio compared to AES-128 and is considered more resilient to
highlighted NIST’s forward-looking approach to potential quantum attacks.
anticipate the needs of U.S. industry and society. The Communication (Asymmetric Cryptography—
agency’s post-quantum cryptography program, drawing CRYSTALS-Kyber):
on top cryptography experts worldwide, has produced In a post-quantum era, asymmetric algorithms may
the first set of quantum-resistant algorithms aimed at become vulnerable to attacks by quantum computers. As
establishing a standard to significantly enhance digital a result, using asymmetric cryptography that is
information security. This initial selection includes four considered quantum-resistant becomes essential.
encryption algorithms designed to resist quantum CRYSTALS-Kyber is a post-quantum key exchange
attacks. Four additional algorithms are currently under algorithm, and choosing it for communication aligns
consideration, with the finalists expected to be with the goal of future-proofing against quantum
announced in the future. The decision to reveal choices threats.
in two stages is driven by the necessity for a diverse It’s important to stay informed about the latest
range of defense tools. Different systems and tasks developments in cryptography and regularly update
utilizing encryption demand tailored solutions, diverse cryptographic protocols and algorithms to maintain the
approaches, and multiple algorithms to address potential security of data in changing threat landscapes.
vulnerabilities. Additionally, compliance with relevant data protection
It must be mentioned that encryption is a regulations, such as GDPR, should always be considered
fundamental mechanism that employs mathematical in cryptographic decisions [27–30].
principles to safeguard electronic information and faces The pseudo-code for the usage of the offered
a potential challenge from quantum computers. Unlike technologies can look as follows:
75
�# Import necessary cryptographic libraries encryptor = cipher.encryptor()
from cryptography.hazmat.primitives.ciphers import encrypted_data = encryptor.update(data) +
Cipher, algorithms, and modes encryptor.finalize()
from cryptography.hazmat.backends import return encrypted_data
default_backend
from crystals_kyber import kyber # Function to perform secure communication in a
classical setting
# Function to generate AES key based on epoch def secure_communication_classical(data):
def generate_aes_key(epoch): # Implement TLS/SSL with RSA or ECC
if epoch == "classical": pass
return generate_aes_key_classical()
elif epoch == "post_quantum": # Function to perform secure communication with post-
return generate_aes_key_post_quantum() quantum epoch
else: def secure_communication_post_quantum(data):
raise ValueError("Invalid epoch specified") # Implement CRYSTALS-Kyber for key exchange
pass
# Function to generate AES-256 key for classical setting
def generate_aes_key_classical(): # Example usage:
# Implement the key generation for the classical plaintext_data = "Sensitive data to be encrypted."
setting epoch = "post_quantum" # Change this to "classical" for
pass the classical setting
usage = "communication" # Change this to "storage" for
# Function to generate AES-256 key for post-quantum data storage
epoch
def generate_aes_key_post_quantum(): # Encryption based on the specified epoch and usage
# Implement the key generation for the post-quantum encrypted_data = encrypt_data(plaintext_data, epoch,
epoch usage)
pass
# Now, encrypted_data can be stored or transmitted
# Function to encrypt data based on epoch and usage securely.
def encrypt_data(data, epoch, usage):
if epoch == "classical": 8. Conclusions and future plans
if usage == "storage": Cryptography is an essential tool for GDPR compliance,
return encrypt_data_aes(data, providing the means to protect personal data effectively.
generate_aes_key_classical()) By implementing strong cryptographic measures,
elif usage == "communication": organizations can significantly reduce the risk of data
return secure_communication_classical(data) breaches and ensure that they meet the stringent
else: requirements of the GDPR. The best practices for Using
raise ValueError("Invalid usage specified") Cryptography under GDPR are the following:
elif epoch == "post_quantum":
if usage == "storage": Key Management: Proper management of
return encrypt_data_aes(data, encryption keys is critical to ensuring that
generate_aes_key_post_quantum()) encrypted data remains secure. Keys must be
elif usage == "communication": stored and managed securely to prevent
return unauthorized access.
secure_communication_post_quantum(data) Regular Audits and Updates: Cryptographic
else: algorithms and their implementations should
raise ValueError("Invalid usage specified") be regularly audited and updated to protect
else: against emerging threats.
raise ValueError("Invalid epoch specified") Compliance with Standards: Use cryptographic
methods that comply with recognized
# Function to encrypt data using AES-256 standards, such as those from the NIST or the
def encrypt_data_aes(data, key): European Telecommunications Standards
cipher = Cipher(algorithms.AES(key), modes.ECB(), Institute (ETSI).
backend=default_backend())
76
�In conclusion, our cryptographic recommendations aim Systems of Situational Center, in: Emerging
to establish a robust and adaptable security foundation Technology Trends on the Smart Industry and the
for our system. For data storage in the classical epoch, Internet of Things, vol. 3149 (2022) 107–117.
we offer to use of AES-128, a widely recognized and [6] H. Li, Yu L., H. Wu, The Impact of GDPR on Global
efficient symmetric encryption algorithm. This choice Technology Development, J. Global Inf. Technol.
strikes a balance between security and computational Manag. 22(1) (2019) 1–6. doi: 10.1080/
efficiency, making it suitable for protecting stored data 1097198X.2019.156 9186.
in various scenarios. [7] C. Tankard, What the GDPR Means for Businesses,
For secure communication, we recommend the use Netw. Secur. 2016(6) (2016) 5–8. doi:
of SSL/TLS protocols, incorporating modern cipher 10.1016/S1353-4858(16)300 56-3.
suites such as those based on AES in combination with [8] G. Johnson, S. Shriver, S. Goldberg, Privacy and
RSA or ECC for key exchange. SSL ensures the Market Concentration: Intended and Unintended
confidentiality and integrity of data during Consequences of the GDPR, Manag. Sci. 69(10)
transmission, and our approach aligns with current best (2023) 5695–6415. doi: 10.1287/mnsc.2023. 4709.
practices for secure communication. [9] J. Daemen, V. Rijmen, AES Proposal: Rijndael
In anticipation of future challenges posed by quantum (1999).
computing, our transition to post-quantum algorithms is [10] D. Wagner, B. Schneier, Analysis of the SSL 3.0
exemplified by the adoption of CRYSTALS-Kyber for Protocol, The Second USENIX Workshop on
secure communication. This step reflects our commitment Electronic Commerce Proceedings 1(1) (1996).
to staying ahead of emerging threats and safeguarding [11] R. Jozsa, Searching in Grover’s Algorithm (1999).
sensitive information. doi: 10.48550/arXiv.quant-ph/9901021.
In our future research, we think of offering the post- [12] T. Monz, et al., Realization of a Scalable Shor
quantum model for SSL. Algorithm, Science 351(6277) (2016) 1068–1070.
doi: 10.1126/scien ce.aad9480.
Acknowledgment [13] H. Wong, Shor’s Algorithm, Introduction to
Quantum Computing: From a Layperson to a
This work was funded by the Shota Rustaveli National Programmer in 30 Steps. Cham: Springer
Foundation of Georgia (SRNSFG) (NFR-22-14060). International Publishing (2023) 289–298.
[14] A. M. Patoary, et al., Chaotic Roots of the Modular
References Multiplication Dynamical System in Shor’s
[1] F. Kipchuk, et al., Assessing Approaches of IT Algorithm (2023). doi: 10.48550/arXiv.2306.16446.
Infrastructure Audit, in: IEEE 8th International [15] Z. Hu, et al., High-Speed and Secure PRNG for
Conference on Problems of Infocommunications, Cryptographic Applications, Int. J. Comput.
Science and Technology (2021) 213–217. doi: Network Inf. Secur. 12(3) (2020) 1–10. doi:
10.1109/picst54195.2021.9772181. 10.5815/ijcnis.2020. 03.01.
[2] V. Buriachok, V. Sokolov, P. Skladannyi, Security [16] M. Iavich, et al., Lattice based Merkle, in:
Rating Metrics for Distributed Wireless Systems, International Conference on Information
in: 8th International Conference on “Mathematics. Technologies, vol. 2470 (2019) 13–16.
Informa-tion Technologies. Education:” Modern [17] S. Tynymbayev, et al., Modular Reduction Based
Machine Learning Technologies and Data Science, on the Divider by Blocking Negative Remainders,
vol. 2386 (2019) 222–233. News of the National Academy of Sciences of the
[3] P. Anakhov, et al., Protecting Objects of Critical Republic of Kazakhstan, Series of Geology and
Information Infrastructure from Wartime Cyber Technical Sciences 2(434) (2019) 238–248. doi:
Attacks by Decentralizing the Telecom- 10.32014/2019.2518-170x.60.
munications Network, in: Cybersecurity Providing [18] A. Bessalov, et al., Multifunctional CRS Encryption
in Information and Telecommunication Systems, Scheme on Isogenies of Non-Supersingular
vol. 3550 (2023) 240–245. Edwards Curves, in: Workshop on Classic,
[4] P. Anakhov, et al., Increasing the Functional Quantum, and Post-Quantum Cryptography, vol.
Network Stability in the Depression Zone of the 3504 (2023) 12–25.
Hydroelectric Power Station Reservoir, in: [19] M. Iavich, T. Kuchukhidze, R. Bocu, A Post-
Emerging Technology Trends on the Smart Quantum Digital Signature Using Verkle Trees
Industry and the Internet of Things, vol. 3149 and Lattices, Symmetry 15(12) (2023) 2165.
(2022) 169–176. [20] M. Iavich, T. Kuchukhidze, Digital Signature
[5] V. Grechaninov, et al., Formation of Dependability Design Using Verkle Tree (2023).
and Cyber Protection Model in Information
77
�[21] E. Dubrova, et al., Breaking a Fifth-order Masked
Implementation of Crystals-kyber by Copy-paste,
Proceedings of the 10th ACM Asia Public-Key
Cryptography Workshop (2023).
[22] R. Avanzi, et al., CRYSTALS-Kyber Algorithm
Specifications and Supporting Documentation,
NIST PQC Round 2(4) (2019) 1–43.
[23] M. Moraitis, et al., Securing CRYSTALS-Kyber in
FPGA Using Duplication and Clock
Randomization, IEEE Design & Test (2023).
[24] S. Gnatyuk, et al., New Secure Block Cipher for
Critical Applications: Design, Implementation,
Speed and Security Analysis, Advances in
Intelligent Systems and Computing (2020) 93–104.
[25] A. Bessalov, et al., Modeling CSIKE Algorithm on
Non-Cyclic Edwards Curves, in: Cybersecurity
Providing in Information and Telecommunication
Systems, vol. 3288 (2022) 1–10.
[26] S. Gnatyuk, et al., Method of Algorithm Building
for Modular Reducing by Irreducible Polynomial,
16th International Conference on Control,
Automation and Systems (2016) 1476–1479. doi:
10.1109/iccas.2016.7832498.
[27] A. Bessalov, et al., Implementation of the CSIDH
Algorithm Model on Supersingular Twisted and
Quadratic Edwards Curves, in: Workshop on
Cybersecurity Providing in Information and
Telecommunication Systems, vol. 3187(1) (2022)
302–309.
[28] C. Papamanthou, et al., Streaming Authenticated
Data Structures, Advances in Cryptology—
EUROCRYPT (2013) 353–370. doi: 10.1007/978-3-
642-38348-9_22.
[29] A. Bessalov, et al., CSIKE-ENC Combined
Encryption Scheme with Optimized Degrees of
Isogeny Distribution, in: Workshop on
Cybersecurity Providing in Information and
Telecommunication Systems, vol. 3421 (2023) 36–
45.
[30] I. Khaburzaniya, et al., Aggregating and
Thresholdizing Hash-Based Signatures Using
STARKs, ACM Asia Conf. Comput. Commun.
Secur. (2022) 393–407. doi: 10.1145/
3488932.3524128.
78
�