Quantum Cryptography 101

Muitinkinyakkin
5 min read · Apr 10, 2023

Why Post Quantum Cryptography and Machine Learning Matter in Information Security.

Image: “A little robot holding a qubit. Cyberpunk” by DALL-E.

In a rapidly developing technological environment, the terms Quantum Computing (QC) and Machine Learning (ML)[1] are becoming more of a reality than an infant technology, with either promises of a utopian future or a dystopian reality where humans get dominated by Artificial Super Intelligence (ASI)[2]. Yet, the recent development of QC and the ML discipline under Artificial Intelligence (AI)[3], their duality as they feed into one another’s growth[4], and a legacy of significant leaps of technical prowess make heeding their current and future impact on Information Security (InfoSec) a top priority.

Post Quantum Cryptography (PQC) in particular, a family of cryptographic algorithms designed to resist cryptanalytic attacks by quantum computers, is central to any discussion of the repercussions of broken encryption and of Store-Now-Decrypt-Later (SNDL): a realistic scenario in which threat actors holding troves of stolen encrypted data wait patiently for the moment RSA[5] encryption falls to Shor’s algorithm[6] run on a sufficiently capable quantum computer. PQC therefore seeks to establish new information systems, and revamp existing ones, by applying a selected set of algorithms for general encryption and digital signatures. In July 2022, the National Institute of Standards and Technology (NIST) chose the first group of encryption tools designed to withstand the assault of a future quantum computer[7]: CRYSTALS-Kyber for general encryption, and CRYSTALS-Dilithium, FALCON, and SPHINCS+ for digital signatures[8]. Although breaking RSA is only theoretically feasible today, with no viable practical scenario in the near future apart from some attempts on small moduli[9], it must be treated as a serious, high-priority risk to be mitigated, for two reasons.
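As an added illustration, not part of the original article, of why RSA “falls” to Shor’s algorithm: a classical simulation of the order-finding reduction at the heart of Shor’s algorithm, run against a constructed toy RSA key (p=61, q=53, e=17, far too small for real use). Only `find_order()` is what a quantum computer speeds up; everything after it is ordinary classical arithmetic that turns the recovered period into the private key, which is exactly what an SNDL adversary is waiting for.

```python
# Added example (not from the original article): classical simulation of the
# order-finding reduction used by Shor's algorithm, applied to a toy RSA modulus.
from math import gcd


def find_order(a: int, n: int) -> int:
    """Smallest r > 0 with a^r = 1 (mod n). Brute force here; this is the one
    step a quantum computer performs in polynomial time via the quantum
    Fourier transform. Requires gcd(a, n) == 1."""
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def shor_factor(n: int) -> tuple:
    """Return (p, q) with p < q and p*q == n, for an odd n that is the product
    of two distinct primes (the shape of an RSA modulus)."""
    for a in range(2, n):
        g = gcd(a, n)
        if g != 1:                 # lucky guess: a already shares a factor with n
            return tuple(sorted((g, n // g)))
        r = find_order(a, n)
        if r % 2:                  # odd period: try another base
            continue
        y = pow(a, r // 2, n)
        if y == n - 1:             # a^(r/2) = -1 (mod n) yields only trivial factors
            continue
        p = gcd(y - 1, n)          # y^2 = 1 (mod n) but y != +-1, so this is non-trivial
        return tuple(sorted((p, n // p)))
    raise ValueError("no non-trivial factor found")


def recover_private_exponent(n: int, e: int) -> int:
    """With p and q known, d = e^-1 mod (p-1)(q-1) follows immediately."""
    p, q = shor_factor(n)
    return pow(e, -1, (p - 1) * (q - 1))


# Constructed toy key pair: p=61, q=53 -> N=3233, public exponent e=17.
N, E = 3233, 17
STORED_CIPHERTEXT = pow(42, E, N)   # the kind of ciphertext an SNDL adversary hoards


def decrypt_stored_ciphertext(c: int = STORED_CIPHERTEXT) -> int:
    """Factor N, derive d, and decrypt the hoarded ciphertext."""
    return pow(c, recover_private_exponent(N, E), N)
```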

Exponential R&D:

It was only in 2016 that IBM made its first 5-qubit quantum system publicly available on the cloud[10]. Yet at the IBM Quantum Summit 2022, it unveiled its 400 Qubit-Plus Quantum Processor and the Next-Generation IBM Quantum System Two[11]. In December 2022, IEEE Spectrum reported that IBM’s Condor, the world’s first universal quantum computer with more than 1,000 qubits, is set to debut in 2023, alongside IBM Heron, the first of a new wave of modular quantum processors that may help IBM produce quantum computers with more than 4,000 qubits by 2025[12]. This remarkably rapid development shows that hardware limitations, though still challenging and impeding, are not impossible to address. Further algorithm research together with ML, and new scalable solutions, may also emerge that magnify hardware capacity and address the problems of noise and decoherence. However, this trajectory spells major trouble for information security if PQC algorithms and practices are not systematically implemented.

Data Perpetuity and National Security:

Stored troves of data obtained by threat actors from numerous data breaches and careful cyber espionage remain relevant for many years to come. In the OPM hacks perpetrated by Chinese state actors in 2014, U.S. government databases holding personnel records and security-clearance files were exfiltrated, exposing sensitive information on at least 22.1 million people[13]. The data covered not only federal employees and contractors but also their families and friends[14]. Considering the track record of Chinese APTs[15], from trade theft and economic espionage to reverse engineering stolen blueprints and wooing US federal employees to extract classified intelligence, the prospect of their agents leveraging such data, from assessing and exploiting victims’ behavior to blackmailing them into actions that jeopardize national security, becomes something of a self-fulfilling prophecy. Although I can’t imagine how technically advancing QC will solve the OPM hacks and similar breaches with relation to SNDL, observing the rapid QC R&D should raise a major red flag, at least on risk mitigation and containment of efforts by threat actors to exploit stolen data.

In light of the developments in PQC described above and the risks they pose to InfoSec, it is essential to usher in rapid adoption and application of the available PQC capabilities. Risk mitigation, and the expectation that SNDL methods will be exploited, should also be kept in mind with regard to national security. This will establish an environment that is less prone to a widespread attack surface for cyber threat actors, while remaining aware of exposed flaws and weaknesses.

References:

[1] Machine learning is a branch of artificial intelligence (AI) and computer science which focuses on the use of data and algorithms to imitate the way that humans learn, gradually improving its accuracy. (IBM)

[2] ASI remains a hypothetical futuristic AI agent that will possess an intelligence far surpassing that of the human minds, perhaps even developing consciousness.

[3] As defined by John McCarthy in his 2004 paper, AI is “the science and engineering of making intelligent machines, especially intelligent computer programs. It is related to the similar task of using computers to understand human intelligence, but AI does not have to confine itself to methods that are biologically observable”.

[4] QC can benefit from ML in terms of using the latter’s training models’ capability to fix decoherence, while ML models made on quantum computers may be dramatically more powerful with the potential to boast faster computation.

[5] RSA (Rivest–Shamir–Adleman) is a public-key cryptosystem that is widely used for secure data transmission. Though in theory Shor’s algorithm can break a 2048-bit RSA key, a quantum computer with millions of qubits would be needed. For perspective, the most advanced quantum computer to date (IBM’s Condor), touted as the first universal quantum computer, can only manage about 1,000 qubits.

[6] Quantum computer algorithm for finding the prime factors of an integer, developed in 1994 by the American mathematician Peter Shor. Shor’s algorithm has the potential to break RSA encryption on a quantum computer, though such a capable machine doesn’t exist yet.

[7] “NIST Announces First Four Quantum-Resistant Cryptographic Algorithms: Federal agency reveals the first group of winners from its six-year competition”. NIST, July 2022.

[8] Ibid.

[9] In a paper titled “Factoring integers with sublinear resources on a superconducting quantum processor”, Chinese researchers claimed to have factored a 48-bit key on a 10-qubit quantum computer. However, the cryptographer Bruce Schneier warned that “the researchers’ algorithm relies on a controversial paper by the German mathematician Peter Schnorr which, while proving an ability to factorize numbers on the scale of the 10-qubit computer used by the researchers, falls apart at larger sizes”. The Record by Recorded Future also noted that a “scientific breakthrough with such a significant security impact would be classified by the Chinese authorities”.

[10] “Five years ago today, we put the first quantum computer on the cloud. Here’s how we did it”. IBM Research.

[11] “IBM Unveils 400 Qubit-Plus Quantum Processor and Next-Generation IBM Quantum System Two”. IBM Newsroom. Nov 9th, 2022.

[12] “An IBM Quantum Computer Will Soon Pass the 1,000-Qubit Mark”. IEEE Spectrum. Dec 24th, 2022.

[13] “Hacks of OPM databases compromised 22.1 million people, federal authorities say”. The Washington Post. July 9th, 2015.

[14] Ibid.

[15] Advanced Persistent Threat actors (APTs) are state-sponsored or non-state groups that conduct cybercrime activities in large-scale campaigns with specific goals.
