Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.
Chaos & Order: The Keys to Quantum-Proof Encryption
The implications of chaos form the basis of a new approach to encryption that promises quantum-proof perfect secrecy. But first, your current crypto needs some tidying up.
Curtis Franklin, Principal Analyst, Omdia
February 12, 2020
5 Min Read
(image by wigglestick, via Adobe Stock)
The specter of quantum-powered cyberattacks that can break even the most powerful encryption algorithms looms ever-larger and ever-darker. Chances are, nation-state attackers will be equipped with quantum computing long before the average enterprise has rolled it out. Future-thinking organizations wonder what to do now to defend themselves from that inevitability.
First step: Maintain order.
As JD Kilgallin, KeyFactor's senior integration engineer, recently wrote for Dark Reading, threats posed by quantum computing will demand that organizations can react quickly.
"At the very least, this requires knowing where your digital certificates are, what cryptographic algorithms their keys are using and what quantum computing means for them, and what systems need to trust those certificates and might experience an outage if the certificate and its chain suddenly change," he wrote. "It also requires the ability to quickly coordinate changes between entity certificates and the trust anchors of other endpoints that rely on those certificates. Administrators should keep a careful inventory of these keys and certificates and employ automated techniques to securely deploy updates en masse."
Companies like Thales, Fortanix, ManageEngine and HashiCorp, and IBM Security all have tools to aid with encryption key management. Further, cloud providers supply key management capabilities; for example, AWS Key Management Service, Microsoft Azure Key Vault, and Google Cloud Key Management Service.
Chaos, however, might also play a role in fighting quantum-powered attacks.
Researchers recently published a technique for encryption that promises to go beyond perfect secrecy to encryption that is unbreakable, even if quantum computing is brought into the picture. The technique, which takes advantage of chaos and the second law of thermodynamics mixed with the speed of optical chips, doesn't require quantum power to achieve quantum-proof results. Less-powerful or traditional-architecture devices could therefore, theoretically. protect their secure communications from attacks launched by quantum computers.
A. Di Falco, V. Mazzone, A. Cruz, and A. Fratalocchi, the inventors of the technique and authors of a paper in Nature, describing their findings, use correlated chaotic wavelengths as the basis of both the encryption key and the technique for not transmitting it between the two participants in the communication.
In the context of encryption, "perfect secrecy" is a description of a scheme, not a qualitative judgment. Invented back when the telegraph was the fastest form of communication, The Vernam cipher encrypts a message with a key that has three qualities:
The key is as long as the message encrypted
The key is never reused in whole or in part
The key is kept secret.
Claude Shannon proved mathematically that a properly implemented Vernam cipher is, in fact, unbreakable. So why aren't we all using this "perfect" method?
The Vernam cipher isn't widely used because the key, of whatever length, still has to be shared. And anything that must be transmitted can be captured and used. That is the vulnerability addressed in the new technique.
So how do the two ends of an encrypted communication come up with the same key if one doesn't create the key and share it with the other? Here's where it gets a bit complicated (OK, the math is a lot complicated), but Cruz and Quelita Moreno of CUP Sciences walked Dark Reading through the process several times.
The sender and receiver of the encrypted message will communicate frequently, each time communicating a light pulse that will be unique in amplitude, frequency, and a variety of other qualities. Now, the pulses sent between the systems are never the same; in fact, physics tells us that, with randomization of the start conditions for the pulse, it would be impossible for them to be the same. Those differences are critical for the scheme to work.
The optical chips within the receiving and sending devices build a difference matrix that records the qualities of these light pulses. Those difference matrices will be essentially the same on each end of the transaction, and will be the basis for an encryption key of an arbitrary length. Even if someone could intercept the pulses used to fill the difference matrices, their system would not contain all the starting conditions used to seed the matrix, so illicit decryption would be impossible.
Since the key is based on the difference in randomly generated light pulses, the second requirement for perfect secrecy is met. And because the key is never transmitted between the two ends of the conversation, the third quality required for perfect secrecy is satisfied.
From Theory to Practice
The researchers who developed the technique present mathematical proof that the encryption is resistant to both time-domain and spectral attacks. More attack resistance comes in the physical implementation of the encryption chip, which turns a fingerprint into a random number seed through a process involving, among many other things, reflective nanodisks, chaotic billiards, and a fully chaotic fingerprint resonator.
Researchers are engaging in exercises such as this because of the certainty among many in the cryptography community that the advent of widely available quantum computing marks the end of all currently useful encryption. At this time, the researchers who developed this technique are in the early stages of working with chip manufacturers to bring the chip to production and distribution.
The NSA has begun exploring "quantum-resistant" and "quantum-proof" encryption algorithms, and NIST is running a contest to solicit the best post-quantum cryptographic algorithms. Nevertheless, in a recent interview with NextGov Dr. Deborah Frincke, director of the NSA's research branch, warned against rushing into new "quantum-resistant" or "quantum-proof" algorithms too quickly, lest organizations open themselves up to even more vulnerabilities.
About the Author(s)
Curtis Franklin Jr. is Principal Analyst at Omdia, focusing on enterprise security management. Previously, he was senior editor of Dark Reading, editor of Light Reading's Security Now, and executive editor, technology, at InformationWeek, where he was also executive producer of InformationWeek's online radio and podcast episodes
Curtis has been writing about technologies and products in computing and networking since the early 1980s. He has been on staff and contributed to technology-industry publications including BYTE, ComputerWorld, CEO, Enterprise Efficiency, ChannelWeb, Network Computing, InfoWorld, PCWorld, Dark Reading, and ITWorld.com on subjects ranging from mobile enterprise computing to enterprise security and wireless networking.
Curtis is the author of thousands of articles, the co-author of five books, and has been a frequent speaker at computer and networking industry conferences across North America and Europe. His most recent books, Cloud Computing: Technologies and Strategies of the Ubiquitous Data Center, and Securing the Cloud: Security Strategies for the Ubiquitous Data Center, with co-author Brian Chee, are published by Taylor and Francis.
When he's not writing, Curtis is a painter, photographer, cook, and multi-instrumentalist musician. He is active in running, amateur radio (KG4GWA), the MakerFX maker space in Orlando, FL, and is a certified Florida Master Naturalist.
You May Also Like
Your Everywhere Security guide: Four steps to stop cyberattacksFeb 27, 2024
Your Everywhere Security Guide: 4 Steps to Stop CyberattacksFeb 27, 2024
API Security: Protecting Your Application's Attack SurfaceFeb 29, 2024
API Security: Protecting Your Application's Attack SurfaceFeb 29, 2024
Securing the Software Development Life Cycle from Start to FinishMar 06, 2024
Latest Articles in The Edge
Redesigning the Network to Fend Off Living-Off-the-Land TacticsFeb 23, 2024|7 Min Read
Privacy Beats Ransomware as Top Insurance ConcernFeb 23, 2024|5 Min Read
Library Cyber Defenses Are Falling DownFeb 20, 2024|3 Min Read
Enterprises Worry End Users Will Be the Cause of Next Major BreachFeb 16, 2024|2 Min Read