Classifying Implementations of Cryptographic Primitives and Protocols that Use Post-Quantum Algorithms
Classification techniques can be used to analyze system behaviors, network protocols, and cryptographic primitives based on identifiable traits. While useful for defense, such classification can also be leveraged by attackers to infer system configurations, detect vulnerabilities, and tailor attacks such as denial-of-service, key recovery, or downgrade attacks. In this paper, we study the feasibility of classifying post-quantum (PQ) algorithms by analyzing implementations of key exchange and digital signatures, their use within secure protocols, and their integration into SNARK generation libraries. Unlike traditional cryptography, PQ algorithms have larger memory requirements and variable computational costs. Our research examines two post-quantum cryptography libraries, liboqs and CIRCL, evaluating TLS, SSH, QUIC, OpenVPN, and OpenID Connect (OIDC) across Windows, Ubuntu, and macOS. We also analyze pysnark and lattice_zksnark for SNARK generation and verification on Ubuntu. Experimental results show that (1) classical and PQ key exchange and signature algorithms can be distinguished with accuracies of 98% and 100%; (2) specific PQ algorithms can be identified with 97% accuracy for key exchange and 86% for signatures; (3) implementations of the same algorithm in liboqs and CIRCL are distinguishable with up to 100% accuracy; and (4) within CIRCL, PQ and hybrid key exchange implementations can be distinguished with 97% accuracy. For secure protocols, we can determine whether key exchange is classical or PQ and identify the PQ algorithm used. SNARK generation and verification in pysnark and lattice_zksnark are distinguishable with 100% accuracy. We demonstrate real-world applicability by identifying PQ-enabled TLS domains in the Tranco dataset and integrating our methods into QUARTZ, an open-source risk and threat analyzer by Cisco.