Abstract
The legal framework of electronic signatures in the European Union is mainly based on the use of Public Key cryptography systems or asymmetric cryptography. This system, currently regulated by Regulation 910/2014 (eIDAS Regulation) appears to be quite safe under current technology but may be at huge risk with the developments of Quantum Computing. To better understand this we must start by considering digital signatures (and the characteristics of symmetric and asymmetric encryption) and further analyzing the threats of quantum computation for this system, the need of a post quantum cryptography and of long term validation preservation.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
“A traditional signature must be (1) a symbol; (2) executed or adopted; (3) by a party; (4) with present intention; (5) to authenticate; (6) a writing”, Fischer (1997), pp. 545–570. This statement can be adapted in view of the use of an electronic “signature” by a software agent? As for the use of token(s) and authentication there doesn’t seem to be any problem. Even if encryption mechanisms are used, there is a use of symbols that ensure a real authentication (even if this authentication concerns the electronic agent). As for execution by a party, there are no major issues either, as long as one understands the electronic agent as a real party (which is not problematic, even if one sees the software agent as a mere tool. As for writing, it is necessary to see what is understood by writing in digital environments, understood in the broad sense, as anything that can be represented in writing. A more debatable question is whether there is a real intention to authenticate (see below about the intentional states of software agents). In any case, Fischer (1997), op. cit., p. 567, goes beyond this issue by stating that if the agent “has exercised the principal’s present intention to perform the task”, then the intention, even if referred to the principal, will be present as the intention that the agent perform the authentication process. Cf. Fischer (1997), op. cit. But of course the issue is complicated when the electronic agent authenticates messages without the knowledge of the principal. In this case, two hypotheses arise: either we understand the agent as a mere “nuncio”, and the principal “really wanted” the electronic agent to process the message and, consequently, to authenticate it—which can be understood as part of the user’s instructions—or we should consider the agent as having a will of his own and, ultimately, as capable of acting autonomously on behalf of the principal. (See below on the issue of representation). In any case, John P. Fischer ends up considering that if a software agent authenticates (“signs”) a document, it must be presumed that it is acting the principal’s real intention. Cf. Fischer (1997), op. cited above, p. 569.
- 2.
“Важно обеспечить так называемый”функционально-эквивалентный” подход к бумажной и безбумажной документации”, Вершинин А П, “Электронный документ: правовая форма и доказательство в суде” Городец, Москва, 2000, стр. 31—(“It is thus important to ensure the so-called functional equivalence of paper and paperless documentation”, cf. Vershinin (2000), p. 31.
- 3.
Bensoussan (1992), p. 183.
- 4.
And also the integrity of the message. Vincent Gautrais « La formation des contrats en ligne », https://www.jurisint.org/pub/05/fr/guide_chap4.pdf (consulted on 2nd June 2022).
- 5.
Fuenzalida (1999), p. 81.
- 6.
Correia (2006), pp. 277–317.
- 7.
Correia (2006), idem.
- 8.
Correia (2006), idem.
- 9.
These techniques have the advantage that they can be used both in the case of inter-personal electronic contracting (digital signature used by natural persons—humans) and in the case of inter-systemic electronic contracting, namely in the case of contracting between software intelligent agents; in this case, “the identification of agents in VMs” (Virtual Worlds) “through the use of cryptographic tools, giving rise to identification schemes that are of extreme relevance for EC systems” (Electronic Commerce). “The identification of agents is made from the predicates Name, Code and Key, that is, “the agent’s name, the agent’s code that identifies it univocally in the community where it belongs, and a cryptographic key that serves as a reference for general identification schemes”, see Brito and Neves (2003). However, the use of digital signatures by software “agents”, which is technically possible, is not foreseen in our legal system. And the eIDAS Regulation (Reg. 910/2014) even expressly provides, in art. 3 no. 9, that only a natural person can be a signatory.
- 10.
The use of authenticated messages depends on the ability to determine, with absolute certainty, their origin; i.e., in closed network environments (typically with specific point-to-point connections) it is possible to determine the origin; on the other hand, in open environments, such as the Internet, the use of cryptographic tools is essential. Brito and Neves (2003), op. cit.
- 11.
On the difference between electronic signature and digital signature, see Barbagalo (2001).
- 12.
Sorge (2006), p. 13.
- 13.
Barbagalo (2001), referred, p. 42.
- 14.
Sorge (2006), referred, p. 13, footnote 7, says that: ““Beide Begriffe werden synonym verwendet; in der juristischen Literatur findet sich teilweise jedoch eine Unterscheidung, wonach der Begriff “elektronische Signatur” technologieneutral ist, der Begriff”digitale Signatur” hingegen ausschließlich im Kontext asymmetrischer Kryptographie verwendet wird” (Both concepts are used as synonyms; however, in legal literature there is sometimes a differentiation, according to which the concept “electronic signature” is technology-neutral and the concept “digital signature”, on the contrary, is only used in the context of asymmetric cryptography).
- 15.
Jos Dumortier and Sofie Van den Eynde, “De juridische erkenning van de elektronische handtekening” https://www.law.kuleuven.be/citip/en/archive/copy_of_publications/72eh-computerrecht-juli20012f90.pdf (consulted 2nd June 2022): “Het begrip elektronische handtekening” in juridische zin is technologieneutral (The notion of “electronic signature” in a legal sense is technologically neutral); also Vicente (2005), refers that “in the legal discipline … a principle of technological neutrality of Law must certainly be observed, which is essential to the opening of the legal system to technological innovation”.
- 16.
Reed (1990), p. 268: “as a stream of digital information”.
- 17.
Sloane (1994), p. 17.
- 18.
See https://ec.europa.eu/digital-building-blocks/wikis/display/DIGITAL/What+is+the+legislation+-+esignature (consulted 2nd June 2022).
- 19.
It is however important to distinguish between Quantum Cryptography and Post Quantum Cryptography: « “It is important to make a distinction between Post-Quantum Cryptography (PQC)and Quantum Cryptography. PQC is about designing cryptographic solutions that can be used by today’s [non-quantum] computers and that we believe are resistant to both conventional and quantum cryptanalysis. On the other hand, Quantum Cryptography is about cryptographic solutions that take advantage of quantum physics to provide certain security services. Quantum Key Distribution (QKD) is a good example of the latter.”, Post-Quantum Cryptography: current state and quantum mitigation”, ENISA—European Union Agency for Cybersecurity, May 2021, v. 2. It is predicted that “…the quantum computers of the future will be able (probably in the next decade) to break today’s most sophisticated encryption algorithms, entailing serious security problems”, i.e. “data that is securely encrypted today will be easy to decrypt with the quantum computing of the future”. https://www.digicert.com/resources/industry-report/2019-Post-Quantum-Crypto-Survey.pdf. Blockchain itself may be subject to obvious vulnerabilities. Cf. Haney (2020), p. 117.
- 20.
“The construction and operation of quantum computers involves high costs and expertise”. “They require ultrahigh vacuum and ultra low temperatures (at times as low as −273.15 °C)”. Jeutner (2021), pp. 52–59.
- 21.
Jeutner (2021), pp. 52–59.
- 22.
“Google has claimed that its quantum computer can resolve a mathematical problem which would take conventional computers around 10,000 years to complete in less than 4 minutes”, idem.
- 23.
“The USA and China are also fighting for dominance in the field with the help of ambitious funding programmes and in close cooperation with private companies such as Google, IBM, Alibaba and Baidu.”, idem.
- 24.
“This inequality can play out among individuals, between individuals and companies, among companies, between companies/individuals and states, and, on a geopolitical level, among states.”, idem.
- 25.
“Regulators must ensure that the potential of quantum communication is not used by states and/or non-state actors to undermine existing security infrastructures or data protection.”, idem.
- 26.
“The establishment of an authority licencing and supervising those entrusted with the development of quantum computers… regulate not (only) the developers but (also) their products by imposing registration requirements on hardware or software”, idem. In addition to the need to establish regulations regarding the export of quantum cryptographic products (““…lawmakers must reassess regulations for the exportation of cryptographic products for the quantum regime”, Rand and Rand (2021).. On the other hand, regulating the use of these technologies also has preventive features: The regulation of quantum computing software will become important in preventing bad actors from taking advantage of quantum computing’s capacity for decryption”, Vermeer and Peet (2020), pp. 36–37.
- 27.
“Encryption is, at its essence, the process of transforming readable information so that it is not immediately recognizable”, Kuhn et al. (2001).
- 28.
Advanced Encryption Standard (AES), NIST FIPS-197. https://doi.org/10.6028/NIST.FIPS.197.
- 29.
If the message is changed, it won’t be validated by the original fingerprint, and without knowing the key, the attacker won’t be able to generate a new fingerprint.
- 30.
“Strong evidence that it could have emanated only from one or other of the keyholders”. Cfr. Reed (1990), op. cit. p. 268.
- 31.
Diffie and Hellman (1996), pp. 644–654.
- 32.
Sorge (2006), op. citada, p. 15: “An eine kryptographische Hash-Funktion werden zusätzlich drei Anforderungen gestellt: Es muss sich um eine Einweg-Funktion handeln, d.h. es darf nicht effizient möglich sein, zu einem gegebenen Funktionswert (Hash-Wert) ein Urbild zu bestimmen. Es darf nicht effizient möglich sein, zu einer gegebenen Nachricht eine zweite zu finden, der der gleiche Hash-Wert zugeordnet wird (schwache Kollisionsresistenz). Es darf nicht effizient möglich sein, zwei Nachrichten zu konstruieren, die auf den gleichen Hash-Wert abgebildet werden (starke Kollisionsresitenz)”. [It must be a one-way function, i.e. it must not be possible to determine efficiently the original image of a given function value (Hash value). It must not be possible, in an efficient way, to find, for a given message, a second message that has the same Hash value (weak collision resistance). It may not be possible to efficiently construct two messages that are represented by the same Hash value (high collision resistance)].
- 33.
Incidentally, this was the application detailed in op. cit. Diffie and Hellman (1996).
- 34.
Rotger and Garau (1995), pp. 131–136. Which does not mean that with the expression “electronic notary” we are referring to a true notary public, but rather to the intervention of the so-called “certifying entities”. Regarding the issues related to the relations between notaries and telematic services, see the interesting work, Colegios Notariales de España (2000). Regulation 910/2014 (eIDAS Regulation) article 3 nr. 16: “trust service’ means an electronic service normally provided for remuneration which consists of:
-
(a)
the creation, verification, and validation of electronic signatures, electronic seals or electronic time stamps, electronic registered delivery services and certificates related to those services, or
-
(b)
the creation, verification and validation of certificates for website authentication; or
-
(c)
the preservation of electronic signatures, seals or certificates related to those services;”
-
(a)
- 35.
So named after the initials of its inventors: Rivest et al. (1978), pp. 120–126.
- 36.
PKCS #1: RSA Cryptography Specifications Version 2.2. IETF RFC-8017.
- 37.
Digital Signature Standard (DSS). NIST FIPS-186-4. https://csrc.nist.gov/publications/detail/fips/186/4/final (consulted 2nd June 2022).
- 38.
Shor (1994), pp. 124–134.
- 39.
However, with quantum computing there is a risk of such a reversal: “The first vulnerability stems from exposure of public keys after transactions occur. Once a public key is exposed, the private key counterpart is at risk of being stolen with quantum algorithms”, Haney (2020), p. 130.This is confirmed by a Royal Society Open Science Report (2018).
- 40.
Grover (1996), pp. 212–219.
- 41.
Bennett et al. (1997), pp. 1510–1523.
- 42.
Ball (2021), p. 542.
- 43.
Fowler et al. (2012), p. 032324.
- 44.
Gidney and Ekerå (2021).
- 45.
E.g., https://www.dwavesys.com (consulted 2nd June 2022).
- 46.
Wang et al. (2020), p. 7106.
- 47.
Such as the op. cit. The strengths and weaknesses of quantum computation.
- 48.
See https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization (consulted 2nd June 2022).
- 49.
See https://pq-crystals.org/dilithium/ (consulted 2nd June 2022).
- 50.
See https://falcon-sign.info (consulted 2nd June 2022).
- 51.
See https://sphincs.org/ (consulted 2nd June 2022).
- 52.
European Telecommunications Standards Institute—ETSI (EU). ETSI TR 103616 V1.1.1 Quantum-Safe Signatures. https://www.etsi.org/deliver/etsi_tr/103600_103699/103616/01.01.01_60/tr_103616v010101p.pdf (consulted 2nd June 2022).
- 53.
European Euro Agency for Cybersecurity—ENISA (EU). Post-Quantum Cryptography: Current state and quantum mitigation. https://www.enisa.europa.eu/publications/post-quantum-cryptography-current-state-and-quantum-mitigation/ (consulted 2nd June 2022).
- 54.
Agence Nationale de la Sécurité des Systèmes d’Information—ANSSI (FR). ANSSI Views on the Post-Quantum Cryptography Transition. https://www.ssi.gouv.fr/en/publication/anssi-views-on-the-post-quantum-cryptography-transition/ (consulted 2nd June 2022).
- 55.
Bundesamt für Sicherheit in der Informationstechnik—BSI (DE). “Quantum-safe cryptography – fundamentals, current developments and recommendations”. https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Brochure/quantum-safe-cryptography.html (consulted 2nd June 2022).
- 56.
National Cyber-Security Center—NCSC (UK). “Preparing for Quantum-Safe Cryptography”. https://www.ncsc.gov.uk/whitepaper/preparing-for-quantum-safe-cryptography (consulted 2nd June 2022).
- 57.
… the maturity level of the post-quantum algorithms presented to the NIST process should not be overestimated. Many aspects lack cryptanalytical hindsight or are still research topics, e.g. analysis of the difficulty of the underlying problem in the classical and quantum computation models, dimensioning, integration of schemes in protocols and more importantly the design of secure implementations. This situation will probably last some time after the publication of NIST standards.”. In op. cit. “ANSSI Views on the Post-Quantum Cryptography Transition.
- 58.
E.g., European Telecommunications Standards Institute. ETSI—TR 103619—CYBER. Migration strategies and recommendations to Quantum Safe schemes. Jul. 2020. https://www.etsi.org/deliver/etsi_tr/103600_103699/103619/01.01.01_60/tr_103619v010101p.pdf (consulted 2nd June 2022).
- 59.
ANSSI, op. cit.
- 60.
ANSSI emphasizes that the role of hybridization and makes it mandatory in the early phases of the transition—c.f. “…ANSSI emphasizes that the role of hybridization in the cryptographic security is crucial and will be mandatory for phases 1 and 2 presented in the sequel.”, ANSII, op. cit. On the other hand, ETSI opens the prospect of using hybrid solutions, but without any explicit recommendation—c.f. “Are hybrid solutions quantum safe?—Hybrid solutions are a waypoint on the path to QSC and do not represent the end state (thus a system with hybrid solutions has not achieved FQSCS”). ETSI, op. cit. Annex B (FAQ).
- 61.
International Telecommunication Union (ITU). Recommendation ITU-T X509 (ISO/IEC 9594–8). “Public-key and attribute certificate frameworks”.
- 62.
The signer’s certificate is always sent alongside the signed document.
- 63.
Recall that a certificate is, itself, signed by the certification authority.
- 64.
A timestamp is a digital token, signed by a trusted third-party, that includes a fingerprint (cryptographic hash) of the signed document and the time collected from a reliable source. Regulation 910/2014 (eIDAS Regulation) article 3 nr. 33: “‘electronic time stamp’ means data in electronic form which binds other data in electronic form to a particular time establishing evidence that the latter data existed at that time”.
- 65.
Or “trust service”, Regulation 910/2014 (eIDAS Regulation) article 3 nr. 16.
- 66.
See https://www.eid.as (consulted 2nd June 2022).
- 67.
Detailed technical specifications are published by the Electronic Signatures and Infrastructures (ESI) technical committee of the ETSI—https://www.etsi.org/technologies/digital-signature (consulted 2nd June 2022).
References
Ball P (2021) First 100-qubit quantum computer enters crowded race. Nat News 599:542. https://doi.org/10.1038/d41586-021-03476-5
Barbagalo EB (2001) Contratos Eletrônicos. Editora Saraiva, São Paulo
Bennett CH, Bernstein E, Brassard G, Vazirani U (1997) The strengths and weaknesses of quantum computation. SIAM J Comput 26(5):1510–1523. https://doi.org/10.1137/s0097539796300933
Bensoussan A (1992) Les Telecommunications et le droit. Memento-Guide Alain Bensoussan. Hermés, Paris
Brito L, Neves J (2003) Uma abordagem multiagente à problemática do comércio electrónico. Grupo de Inteligência Artificial, Departamento de Informática, Universidade do Minho
Colegios Notariales de España (2000) Notariado y Contratación Electrónica. Consejo General del Notariado
Correia MP (2006) Assinatura electrónica e certificação digital. In: Direito da Sociedade da Informação, vol VI. Coimbra Editora, pp 277–317
Diffie W, Hellman M (1996) New directions in cryptography. IEEE Trans Inf Theory 22(6):644–654. https://doi.org/10.1109/TIT.1976.1055638
Dumortier J, Van den Eynde S. De juridische erkenning van de elektronische handtekening. https://www.law.kuleuven.be/citip/en/archive/copy_of_publications/72eh-computerrecht-juli20012f90.pdf
Fischer JP (1997) Computers as agents: a proposed approach to revised U.C.C. article 2. Indiana Law J 72(2):545–570
Fowler AG, Mariantoni M, Martinis JM, Cleland AN (2012) Surface codes: Towards practical large-scale quantum computation. Phys Rev A 86:032324. https://doi.org/10.1103/PhysRevA.86.032324
Fuenzalida CV (1999) En torno a los contratos electrónicos. In: Revista General de Legislación y Jurisprudência, vol 1. Enero-Febrero
Gautrais V. La formation des contrats en ligne. https://www.jurisint.org/pub/05/fr/guide_chap4.pdf
Gidney C, Ekerå M (2021) How to factor 2048 bit RSA integers in 8 hours using 20 million noisy qubits. Quantum 5:433. https://doi.org/10.22331/q-2021-04-15-433
Grover LK (1996) A fast quantum mechanical algorithm for database search. In: Proceedings of the twenty-eighth annual ACM symposium on theory of computing. STOC '96. Association for Computing Machinery, pp 212–219. https://doi.org/10.1145/237814.237866
Haney BS (2020) Blockchain: post-quantum security & legal economics. NC Bank Inst 24:117
Jeutner V (2021) The quantum imperative: addressing the legal dimension of quantum computers. Morals Mach 1(1):52–59
Kuhn DR et al (2001) Nat’l Inst. of Standards & Tech. Introduction to public key technology and the federal PKI infrastructure 9. Available at https://apps.dtic.mil/sti/pdfs/ADA394230.pdf
Rand L, Rand T (2021) The ‘prime factors’ of quantum cryptography regulation. In SSRN: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3904342
Reed C (1990) Computer law. Blackstone Press Limited
Rivest R, Shamir A, Adleman L (1978) A method for obtaining digital signatures and public-key cryptosystems. Commun ACM 21(2):120–126. https://doi.org/10.1145/359340.359342
Rotger LH, Garau GA (1995) Seguridad en la transmisión electrónica (EDI): validez jurídica. In: Encuentros sobre Informática y Derecho 1994–1995. Aranzadi Editorial
Royal Society Open Science Report (2018) According to a Royal Society Open Science Report: quantum computers are capable of deducing the private key from a formerly revealed public key with little effort. R Soc Open Sci. no. 6, at 3. https://doi.org/10.1098/rsos.180410 [https://perma.cc/U47R-5KZB]
Shor PW (1994) Algorithms for quantum computation: discrete logarithms and factoring. In: Proceedings 35th annual symposium on foundations of computer science. IEEE Computer Society Press, pp 124–134. https://doi.org/10.1109/sfcs.1994.365700
Sloane A (1994) Computer communications – principles and business applications. McGraw Hill Book Company
Sorge C (2006) Softwareagenten – Vertragsschluss, Vertragsstraffe, Reugeld. Universitätsverlag Karlsruhe
Vermeer MJD, Peet ED (2020) Securing communications in the quantum computing age: managing the risks to encryption. RAND CORP, pp 36–37. https://www.rand.org/pubs/research_reports/RR3102.html
Vershinin AP (2000) Electronic document: legal form and evidential force in court. Gorodiets, Moscow
Vicente DM (2005) Direito Internacional Privado - Problemática Internacional da Sociedade da Informação. Almedina, p 19
Wang B, Hu F, Yao H et al (2020) Prime factorization algorithm based on parameter optimization of Ising model. Sci Rep 10:7106. https://doi.org/10.1038/s41598-020-62802-5
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this chapter
Cite this chapter
Carneiro Pacheco de Andrade, F.A., Almeida, J.C.B. (2024). Digital Signatures and Quantum Computing. In: Carneiro Pacheco de Andrade, F.A., Fernandes Freitas, P.M., de Sousa Covelo de Abreu, J.R. (eds) Legal Developments on Cybersecurity and Related Fields. Law, Governance and Technology Series, vol 60. Springer, Cham. https://doi.org/10.1007/978-3-031-41820-4_12
Download citation
DOI: https://doi.org/10.1007/978-3-031-41820-4_12
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-41819-8
Online ISBN: 978-3-031-41820-4
eBook Packages: Law and CriminologyLaw and Criminology (R0)