Is your data radioactive?

There are two things I want you to take away from reading my post today:

  1. Post-quantum cryptography is something that developers should consider today, even if the impact is a number of years away
  2. We should consider the time-value of our data. Should we borrow the concept of a half-life and apply this to data classification?

Although I am familiar with cryptography and, to a lesser extent, quantum computing, I’d never heard the phrase “post-quantum cryptography” before. Having studied computing in the early 2000s, I remember quantum computing being one of the hot topics of the time, albeit one that has taken a while to bear fruit.

There is a burgeoning library of excellent material available on the topic of quantum computing and how it will affect our lives. The phrase “post-quantum” refers specifically to the fact that most, if not all, of the public-key cryptography methods we rely upon every day to secure and authenticate our data will become insecure once large-scale quantum computers arrive.

I had naively assumed that we were still decades away from the impact of these machines; however, recent research points to them being available (no doubt at significant cost) within 5 to 10 years, which goes some way to explaining the interest in algorithms that aren’t susceptible to being broken by quantum computers.

There is good news, and it’s two-fold. Firstly, algorithms that are resistant to attack by quantum computers, such as Ring Learning with Errors, are already in development. Secondly, common symmetric encryption algorithms, such as AES, are not significantly weakened by the same quantum algorithms that expose flaws in their asymmetric cousins.
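To put rough numbers on that asymmetry, here is a back-of-the-envelope sketch of the usual rules of thumb: Shor’s algorithm breaks RSA and ECC outright, while Grover’s algorithm only halves the effective key length of a symmetric cipher, so AES-256 still offers roughly 128 bits of security. The function and figures below are my own illustration, not a formal security analysis.

```python
# Rough rules of thumb for post-quantum security (illustrative only):
#   - Shor's algorithm recovers RSA/ECC private keys outright.
#   - Grover's algorithm gives a quadratic speed-up against symmetric
#     ciphers, effectively halving the key length of AES.

def post_quantum_strength(algorithm: str, key_bits: int) -> int:
    """Approximate effective security, in bits, against a large-scale
    quantum computer, per the common rules of thumb above."""
    if algorithm in ("RSA", "ECC"):
        return 0                 # broken by Shor's algorithm
    if algorithm == "AES":
        return key_bits // 2     # halved by Grover's algorithm
    raise ValueError(f"unknown algorithm: {algorithm}")

for algo, bits in [("RSA", 2048), ("ECC", 256), ("AES", 128), ("AES", 256)]:
    print(f"{algo}-{bits}: ~{post_quantum_strength(algo, bits)} bits post-quantum")
```

The take-away from the sketch is the same as the prose: asymmetric schemes need replacing, whereas symmetric schemes mostly need larger keys.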

So what has this got to do with radioactivity, I hear you ask? Thankfully not an awful lot, but the principle of a half-life can be useful when thinking about your data and how its value changes over time. It is common practice in corporations the world over to classify data and to use that classification to ensure the data is handled and stored appropriately. Data ranges from the public, which can be freely distributed to all and sundry, to the classified, or maybe even top secret, which must not leave an organisation even in heavily encrypted form.

It strikes me that this simple categorical approach misses a key tenet of data security: how long does the data need to remain protected to a given level? Some data is top secret for only a few hours or days, e.g. a company’s annual results prior to public release, whereas other data may need to stay secure for years, decades or possibly even centuries. The concept of a half-life could be a valuable addition to the description of our data, suggesting the likely cost or consequences of not securing it adequately.
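To make the half-life idea a little more concrete, here is a minimal sketch of a classification record that carries a protection horizon alongside its label, so the label can be downgraded once its sensitivity has decayed. The class, labels and field names are hypothetical, not an existing standard.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class ClassifiedData:
    label: str                     # e.g. "TOP SECRET", "CONFIDENTIAL", "PUBLIC"
    created: datetime
    protection_horizon: timedelta  # how long the label must continue to hold

    def current_label(self, now: datetime) -> str:
        """Downgrade to PUBLIC once the protection horizon has passed."""
        if now - self.created >= self.protection_horizon:
            return "PUBLIC"
        return self.label

# Annual results: top secret only until the public release a few days later.
results = ClassifiedData("TOP SECRET", datetime(2024, 2, 1), timedelta(days=3))
print(results.current_label(datetime(2024, 2, 2)))   # TOP SECRET
print(results.current_label(datetime(2024, 2, 10)))  # PUBLIC
```

A real scheme would be richer than a single downgrade step, but even this much captures the point that sensitivity is a function of time, not a fixed property.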

With every passing day we share data more freely and widely than ever before, and with the explosion in big data and the increasing adoption of distributed ledger (née blockchain) technology, that data now exists for longer, and in more places, than most end users realise. What level of encryption and algorithmic strength is required to protect your data when it needs to stay secure for years?

As I stated at the start of this post, post-quantum crypto is something that developers need to be considering today, particularly with respect to distributed ledger technology, where public-key cryptography underpins almost every aspect of its functionality.