
Classifying Implementations of Cryptographic Primitives and Protocols that Use Post-Quantum Algorithms

Tushin Mallick, Cristina Nita-Rotaru, Ashish Kundu, Ramana Kompella

TL;DR

The paper tackles the urgent problem of quantum threats to cryptography by evaluating whether post-quantum cryptographic implementations can be fingerprinted across libraries, secure protocols, and SNARKs. It combines data collection from liboqs and CIRCL on multiple operating systems with ensemble classifiers (notably XGBoost) to differentiate classical and PQ algorithms, identify specific PQ schemes, and distinguish library implementations. The study extends to secure protocols (TLS, SSH, QUIC, OIDC, VPN) and SNARK libraries, achieving high accuracy (up to 100%) in several tasks, and demonstrates real-world applicability through Tranco-domain analysis and QUARTZ integration. The results inform risk assessment and migration planning, highlighting practical considerations such as memory footprints, handshake fragmentation, and protocol-filtering challenges, while underscoring the value of fingerprinting for quantum-readiness assessments.

Abstract

Classification techniques can be used to analyze system behaviors, network protocols, and cryptographic primitives based on identifiable traits. While useful for defense, such classification can also be leveraged by attackers to infer system configurations, detect vulnerabilities, and tailor attacks such as denial-of-service, key recovery, or downgrade attacks. In this paper, we study the feasibility of classifying post-quantum (PQ) algorithms by analyzing implementations of key exchange and digital signatures, their use within secure protocols, and their integration into SNARK generation libraries. Unlike traditional cryptography, PQ algorithms have larger memory requirements and variable computational costs. Our research examines two post-quantum cryptography libraries, liboqs and CIRCL, evaluating TLS, SSH, QUIC, OpenVPN, and OpenID Connect (OIDC) across Windows, Ubuntu, and macOS. We also analyze pysnark and lattice_zksnark for SNARK generation and verification on Ubuntu. Experimental results show that (1) classical and PQ key exchange and signature algorithms can be distinguished with accuracies of 98% and 100%; (2) specific PQ algorithms can be identified with 97% accuracy for key exchange and 86% for signatures; (3) implementations of the same algorithm in liboqs and CIRCL are distinguishable with up to 100% accuracy; and (4) within CIRCL, PQ and hybrid key exchange implementations can be distinguished with 97% accuracy. For secure protocols, we can determine whether key exchange is classical or PQ and identify the PQ algorithm used. SNARK generation and verification in pysnark and lattice_zksnark are distinguishable with 100% accuracy. We demonstrate real-world applicability by identifying PQ-enabled TLS domains in the Tranco dataset and integrating our methods into QUARTZ, an open-source risk and threat analyzer by Cisco.

Paper Structure

This paper contains 28 sections, 4 figures, and 17 tables.

Figures (4)

  • Figure 1: Simplified Classical Key Exchange in TLS 1.3
  • Figure 2: Hybrid Key Exchange in TLS 1.3
  • Figure 3: SNARK libraries, pysnark vs lattice_zksnark, CPU cycle comparison
  • Figure 4: SNARK libraries, pysnark vs lattice_zksnark, Memory usage comparison