The specter of quantum-powered cyberattacks that can break even the most powerful encryption algorithms looms ever-larger and ever-darker. Chances are, nation-state attackers will be equipped with quantum computing long before the average enterprise has rolled it out. Future-thinking organizations wonder what to do now to defend themselves from that inevitability.
First step: Maintain order.
As JD Kilgallin, KeyFactor's senior integration engineer, recently wrote for Dark Reading, the threats posed by quantum computing will demand that organizations be able to react quickly.
"At the very least, this requires knowing where your digital certificates are, what cryptographic algorithms their keys are using and what quantum computing means for them, and what systems need to trust those certificates and might experience an outage if the certificate and its chain suddenly change," he wrote. "It also requires the ability to quickly coordinate changes between entity certificates and the trust anchors of other endpoints that rely on those certificates. Administrators should keep a careful inventory of these keys and certificates and employ automated techniques to securely deploy updates en masse."
Companies like Thales, Fortanix, ManageEngine, HashiCorp, and IBM Security all have tools to aid with encryption key management. Cloud providers also supply key management capabilities; for example, AWS Key Management Service, Microsoft Azure Key Vault, and Google Cloud Key Management Service.
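As an added example (not code from Dark Reading, KeyFactor, or any of the vendors named above), the following Go program shows the core of the inventory Kilgallin describes: it reads the public key out of each certificate and flags every key whose security rests on integer factoring or discrete logarithms, the problems Shor's algorithm solves on a large quantum computer. The three certificates, their hostnames, and the `inventory`, `classify`, and `countVulnerable` helpers are constructed for this example; a real inventory would parse PEM files gathered from hosts, load balancers, and key stores instead of minting its own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// KeyRecord is one row of the certificate inventory.
type KeyRecord struct {
	Subject           string
	Algorithm         string
	Bits              int
	QuantumVulnerable bool // true when the key relies on factoring or discrete logs
}

// classify reads the public key out of a parsed certificate. RSA, ECDSA and
// Ed25519 all rest on problems Shor's algorithm solves, so all three are flagged.
func classify(cert *x509.Certificate) KeyRecord {
	r := KeyRecord{Subject: cert.Subject.CommonName}
	switch k := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		r.Algorithm, r.Bits, r.QuantumVulnerable = "RSA", k.N.BitLen(), true
	case *ecdsa.PublicKey:
		r.Algorithm, r.Bits, r.QuantumVulnerable = "ECDSA/"+k.Curve.Params().Name, k.Curve.Params().BitSize, true
	case ed25519.PublicKey:
		r.Algorithm, r.Bits, r.QuantumVulnerable = "Ed25519", 256, true
	default:
		// Anything unrecognised is reported rather than silently skipped.
		r.Algorithm = fmt.Sprintf("unrecognised (%T)", cert.PublicKey)
	}
	return r
}

// selfSigned mints a throwaway certificate so the example runs offline.
func selfSigned(cn string, pub, priv interface{}) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// inventory builds three constructed certificates (hypothetical hostnames)
// with the key types most fleets actually contain, then classifies each one.
func inventory() ([]KeyRecord, error) {
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	edPub, edPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	inputs := []struct {
		cn        string
		pub, priv interface{}
	}{
		{"rsa.example.internal", &rsaKey.PublicKey, rsaKey},
		{"ec.example.internal", &ecKey.PublicKey, ecKey},
		{"ed.example.internal", edPub, edPriv},
	}
	var out []KeyRecord
	for _, in := range inputs {
		cert, err := selfSigned(in.cn, in.pub, in.priv)
		if err != nil {
			return nil, err
		}
		out = append(out, classify(cert))
	}
	return out, nil
}

// countVulnerable is the number that belongs on the migration dashboard.
func countVulnerable(recs []KeyRecord) int {
	n := 0
	for _, r := range recs {
		if r.QuantumVulnerable {
			n++
		}
	}
	return n
}

func main() {
	recs, err := inventory()
	if err != nil {
		panic(err)
	}
	for _, r := range recs {
		fmt.Printf("%-22s %-12s %4d bits  quantum-vulnerable=%v\n", r.Subject, r.Algorithm, r.Bits, r.QuantumVulnerable)
	}
	fmt.Printf("%d of %d certificates need a post-quantum migration plan\n", countVulnerable(recs), len(recs))
}
```

The point of the `default` branch is the one an auditor cares about: a key type the tool cannot name is still a row in the report, so a certificate never drops out of the inventory just because it is unusual.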
Chaos, however, might also play a role in fighting quantum-powered attacks.
Researchers recently published an encryption technique that promises to go beyond perfect secrecy to encryption that is unbreakable even if quantum computing is brought into the picture. The technique, which combines chaos and the second law of thermodynamics with the speed of optical chips, doesn't require quantum hardware to achieve quantum-proof results. Less powerful or traditional-architecture devices could therefore, in theory, protect their secure communications from attacks launched by quantum computers.
A. Di Falco, V. Mazzone, A. Cruz, and A. Fratalocchi, who invented the technique and describe their findings in a paper in Nature, use correlated chaotic wavelengths both as the basis of the encryption key and as the means by which the two participants in the communication avoid ever transmitting that key.
In the context of encryption, "perfect secrecy" describes a property of a scheme, not a qualitative judgment. Invented back when the telegraph was the fastest form of communication, the Vernam cipher encrypts a message with a key that has three qualities:
- The key is as long as the message it encrypts.
- The key is never reused, in whole or in part.
- The key is kept secret.
Claude Shannon proved mathematically that a properly implemented Vernam cipher is, in fact, unbreakable. So why aren't we all using this "perfect" method?
The Vernam cipher isn't widely used because the key, of whatever length, still has to be shared. And anything that must be transmitted can be captured and used. That is the vulnerability addressed in the new technique.
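A worked illustration of the three rules, added here and not part of the article: a one-time pad in Go. The names `xorBytes`, `newKey`, and `reuseLeak` are chosen for this example. The first two enforce rules one and two mechanically (the key must be exactly as long as the message, and every key comes fresh from the OS random source). The third shows why rule two is not optional: two ciphertexts made with the same pad cancel the key when XORed together, leaving the XOR of the two plaintexts, a value that no longer depends on the secret at all and is what an analyst would start from to recover both messages.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"fmt"
)

// xorBytes combines a message with a key of exactly equal length (rule one).
// The same call both encrypts and decrypts, because x XOR k XOR k == x.
func xorBytes(msg, key []byte) ([]byte, error) {
	if len(key) != len(msg) {
		return nil, fmt.Errorf("key length %d does not match message length %d", len(key), len(msg))
	}
	out := make([]byte, len(msg))
	for i := range msg {
		out[i] = msg[i] ^ key[i]
	}
	return out, nil
}

// newKey draws a fresh pad of n bytes from the OS CSPRNG. Calling it once per
// message, and never storing the result for a second use, is rule two.
func newKey(n int) ([]byte, error) {
	k := make([]byte, n)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// reuseLeak shows the failure mode behind rule two. Given two ciphertexts
// produced with the same pad, XORing them cancels the key and returns
// m1 XOR m2, which is independent of the key entirely.
func reuseLeak(c1, c2 []byte) ([]byte, error) {
	return xorBytes(c1, c2)
}

// roundTrip encrypts and decrypts with a fresh pad and reports whether the
// plaintext survived, which is the only test a correct pad can fail.
func roundTrip(msg []byte) (bool, error) {
	key, err := newKey(len(msg))
	if err != nil {
		return false, err
	}
	ct, err := xorBytes(msg, key)
	if err != nil {
		return false, err
	}
	pt, err := xorBytes(ct, key)
	if err != nil {
		return false, err
	}
	return bytes.Equal(pt, msg), nil
}

func main() {
	ok, err := roundTrip([]byte("hello, world"))
	fmt.Println("round trip ok:", ok, "err:", err)

	// Constructed demonstration of key reuse with a fixed, known pad.
	pad := []byte{0x01, 0x02}
	c1, _ := xorBytes([]byte("AB"), pad)
	c2, _ := xorBytes([]byte("CD"), pad)
	leak, _ := reuseLeak(c1, c2)
	fmt.Printf("c1 XOR c2 = %x (equals m1 XOR m2, pad cancelled)\n", leak)
}
```

Nothing in this block addresses the cipher's real weakness, which the article identifies correctly: the pad returned by `newKey` still has to reach the other party somehow, and whatever carries it can be intercepted.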
So how do the two ends of an encrypted communication come up with the same key if one doesn't create the key and share it with the other? Here's where it gets a bit complicated (OK, the math is a lot complicated), but Cruz and Quelita Moreno of CUP Sciences walked Dark Reading through the process several times.
The sender and receiver of the encrypted message communicate frequently, each time exchanging a light pulse that is unique in amplitude, frequency, and a variety of other qualities. The pulses sent between the systems are never the same; in fact, physics tells us that, with randomized starting conditions for the pulse, it would be impossible for them to be the same. Those differences are critical for the scheme to work.
Since the key is based on the difference in randomly generated light pulses, the second requirement for perfect secrecy is met. And because the key is never transmitted between the two ends of the conversation, the third quality required for perfect secrecy is satisfied.
From Theory to Practice
The researchers who developed the technique present mathematical proof that the encryption is resistant to both time-domain and spectral attacks. More attack resistance comes in the physical implementation of the encryption chip, which turns a fingerprint into a random number seed through a process involving, among many other things, reflective nanodisks, chaotic billiards, and a fully chaotic fingerprint resonator.
Researchers are engaging in exercises such as this because of the certainty among many in the cryptography community that the advent of widely available quantum computing marks the end of all currently useful encryption. At this time, the researchers who developed this technique are in the early stages of working with chip manufacturers to bring the chip to production and distribution.
The NSA has begun exploring "quantum-resistant" and "quantum-proof" encryption algorithms, and NIST is running a contest to solicit the best post-quantum cryptographic algorithms. Nevertheless, in a recent interview with NextGov, Dr. Deborah Frincke, director of the NSA's research branch, warned against rushing into new "quantum-resistant" or "quantum-proof" algorithms too quickly, lest organizations open themselves up to even more vulnerabilities.