Risk

8/26/2019 10:00 AM
Yehuda Lindell
Commentary
Cryptography & the Hype Over Quantum Computing

It's not time to move to post-quantum cryptography yet -- too many things are still up in the air. But you can start to become prepared by making sure your infrastructure is agile.

If you believe the quantum computing hype, within a few years we will have achieved "quantum supremacy" — meaning that quantum computers will be able to carry out computations not possible with classical computing infrastructure — and within 10 years all cryptography will be broken as a result. This hype is fed by researchers vying for grant money, companies selling post-quantum secure encryption, and the fact that no one can say that they are actually wrong.

Personally, I'm a semi-skeptic. On the one hand, I'm not convinced that quantum computers at scale (at least at a scale large enough to break cryptography) will ever be built. On the other hand, they are possible, but I don't think they will happen anytime soon.

What about those who tell us that quantum supremacy is around the corner and all cryptography is about to be broken? I think they're fearmongers. First, quantum supremacy doesn't mean that computers will be strong enough to break cryptography. Second, reliable researchers that I have listened to and spoken with say that there are still very significant problems to be solved in quantum computing. But if they continue to use the word "possible" when describing quantum computing, I can't actually say that they're wrong.

So, what should we be doing now about the potential "quantum threat"? First, the cryptography research community should be focused on post-quantum secure cryptography. The good news is that this effort has been going on for years and is ongoing. The role of this research community is to make sure that we have the cryptography we need in the decades to come, and they are taking the issue seriously. (As a side note, symmetric encryption and message authentication codes are not broken by quantum computers, to the best of our knowledge.) Second, the cryptography research community should start thinking about standardization so that businesses are ready if the quantum threat does prove real. Once again, the good news is that NIST has already begun the process.

But all of this is about what the "community" should do. What should you — as someone who uses cryptography to secure your business — do? Let's start with what you shouldn't be doing. You shouldn't buy post-quantum encryption and the like before standardization is complete. What if you need to encrypt something that has to remain secret for 20 years? In my opinion, you should still hold off. However, if you are very concerned, you can encrypt using a method that combines post-quantum and classical schemes. Such a method requires an attacker to break both schemes in order to learn anything.

This combined approach is the recommended one because, although we have confidence in the post-quantum secure schemes that have been proposed, they are less well studied than RSA and ECC. Among other things, this affects our understanding of the required key sizes. If you do insist on moving forward now, I recommend using an academically validated post-quantum scheme combined with a classical scheme, as explained above.

While I don't think most organizations should deploy post-quantum secure cryptography now, there is one thing that everyone should do: transition your cryptographic infrastructure to one that is "agile" — that is, one in which algorithms, key lengths, and so on can be switched relatively easily. When the algorithm and lengths are hard-wired into the code, the cost and complexity of changing them can be overwhelming. This is why people continued using MD5 and SHA-1 years after they were broken.

Cryptographic agility is an important property even aside from the issue of quantum computing because algorithms are sometimes broken, and key and other lengths sometimes need to be updated. You will therefore be doing yourself a favor even if quantum computing never happens. But if it does, you'll be ready, and you'll be able to replace your existing schemes with the best known at that time. This is my recommendation to everyone.
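As an added example (not code from the article or its author), the two recommendations above in one place: a suite registry that is named by a wire header, so that a new algorithm, hash or key length is a registry entry rather than a code rewrite, and a derivation that feeds both a classical and a post-quantum shared secret into HKDF for the hybrid suite. It assumes the shared secrets are supplied by key-exchange code not shown here; the suite ids and labels are constructed for the example.

```python
import hashlib
import hmac
import struct

# Suite registry: the wire header names the suite, so switching to a new algorithm,
# hash or key length later is a new registry entry plus a new header value.
# Suite ids and labels are constructed for this example.
SUITES = {
    1: {"label": b"classical-v1", "hash": "sha256", "key_len": 16, "hybrid": False},
    2: {"label": b"hybrid-classical+pq-v1", "hash": "sha256", "key_len": 32, "hybrid": True},
}
HEADER = struct.Struct(">BH")  # format version, suite id


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int, hash_name: str) -> bytes:
    """HKDF (RFC 5869): extract a pseudorandom key from the input keying material,
    then expand it to the requested length; `info` binds the suite label."""
    digest_size = hashlib.new(hash_name).digest_size
    prk = hmac.new(salt or bytes(digest_size), ikm, hash_name).digest()
    okm, block = b"", b""
    for counter in range(1, -(-length // digest_size) + 1):
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
    return okm[:length]


def derive_key(suite_id: int, classical_ss: bytes, pq_ss: bytes = b"", salt: bytes = b"") -> bytes:
    """Derive the session key for a suite. The secrets are assumed to come from a
    classical key exchange and a post-quantum KEM (neither is implemented here), each
    with a fixed, suite-defined length so the concatenation is unambiguous. In the
    hybrid suite both secrets feed the KDF, so recovering only one of them leaves an
    attacker without the full KDF input."""
    suite = SUITES.get(suite_id)
    if suite is None:
        raise ValueError(f"unknown suite id {suite_id}")
    if suite["hybrid"]:
        if not pq_ss:
            raise ValueError("hybrid suite requires a post-quantum shared secret")
        ikm = classical_ss + pq_ss
    else:
        ikm = classical_ss
    return hkdf(ikm, salt, suite["label"], suite["key_len"], suite["hash"])


def encode_header(suite_id: int) -> bytes:
    """Prefix every message with the suite it was keyed under."""
    if suite_id not in SUITES:
        raise ValueError(f"unknown suite id {suite_id}")
    return HEADER.pack(1, suite_id)


def parse_header(data: bytes) -> int:
    """Recover the suite id so the receiver derives with the same parameters."""
    version, suite_id = HEADER.unpack_from(data)
    if version != 1 or suite_id not in SUITES:
        raise ValueError(f"unsupported header version={version} suite={suite_id}")
    return suite_id
```

Retiring a suite later means deleting its registry entry, after which `parse_header` rejects old headers instead of silently deriving with weak parameters.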


Yehuda Lindell is the CEO and Co-Founder of Unbound Tech (previously, Dyadic Security) as well as professor in the Department of Computer Science at Bar-Ilan University. Prior to Bar-Ilan in 2004, he was a Raviv Postdoctoral fellow in the Cryptographic Research Group at the ...
Comments
azhuk,
User Rank: Apprentice
8/29/2019 | 5:03:14 PM
Effects on Quantum Computing on Cryptography
Since several commentators suggested that the article and its readers could benefit from further research references, I invite everyone to look at a recent report published by the National Academy of Sciences "Quantum Computing Progress and Prospects." There is a dedicated section on Cryptography: https://www.nap.edu/catalog/25196/quantum-computing-progress-and-prospects Thank you for the article!
tdsan,
User Rank: Ninja
8/27/2019 | 10:47:33 AM
Re: Good for the public, but not for nation-states
Sir,

It is funny that someone who is considered a writer or journalist provides information without having done their research, or provides opinions, but only looks at one source of information to try and make an argument about QC and its various use cases.

But I think you see the facts in front of you, have a great day.

T
yehudalindell,
User Rank: Author
8/27/2019 | 10:43:12 AM
Re: Good for the public, but not for nation-states
@tdsan - I will not dignify your response with any further comments. I will let the readers decide what they wish.
tdsan,
User Rank: Ninja
8/27/2019 | 10:37:35 AM
Re: Good for the public, but not for nation-states
This is funny.

Ok, let's address your points:
  • I have provided evidence that they have numerous patents and historical knowledge that their solution is actually a working model, again, this was an example and based on your opinion, you stated that this was not a real Quantum Computer (by all accounts, it is and based on evidence, this is the case). Instead of just offering statements of opinion, there needs to be evidence that this is not a QC, I am not sure if you provided any evidence to support assertion, so again, your statements are based on opinion and not fact (Patents and copyrights that I provided, are based on fact, next point).
  • No, I have not missed the point, earlier I gave an example, you stated that this does not address all the use cases associated with Quantum computing or to your point, the argument was not based on "Quantum Computers Breaking Classical Cryptography", this was nothing more but an example given of what organizations or nation-states are doing in regards to Quantum technology (negating the fact that it is just hype), you felt (your opinion) that this was not a valid use case. I was only giving you an idea of what other countries are in the process of doing, thus the whole point to the "Cryptography & the Hype over Quantum Computing", basically saying that there are other organizations who have catapulted beyond what we have accomplished (now it may be more than just hype, my opinion).

So the point does apply because "Quantum Cryptography" was nothing more than an example and QKD was a use case of how to do this but it is not the only method for doing this and someone (other than the US) is looking to implement this in their satellite communication program.

Seems to me that your emotions have gotten involved instead of fact (opinion as you state it), but again, we are just chatting.

Have a great day.

T
yehudalindell,
User Rank: Author
8/27/2019 | 10:27:50 AM
Re: Getting Quantum Ready
I fully agree; thanks. In these cases, as you point out, I suggest using a combination of classical and post-quantum schemes, as described in the article. In most cases, it isn't needed, but satellite is a good example of where one may consider working differently.
yehudalindell,
User Rank: Author
8/27/2019 | 10:00:29 AM
Re: Good for the public, but not for nation-states
Saying "period" doesn't make what you are saying facts. The fact that D-wave is being used means that it is a good and powerful computer. It doesn't mean that it's a "real quantum computer" in the sense that it can run Shor's algorithm or Grover's algorithm. Were this the case, I would have expected a proof by factoring a large number faster than conventional computing, or something to that effect. This has not been done. You can believe what you want; that is fine.

Regarding QKD, you have completely missed the main point. Whether or not QKD is useful is a question, and I made it very clear that my statement regarding usefulness is an opinion and not fact. However, what is fact is that QKD has nothing to do with quantum computers that can break classical cryptography. This is the main point that is relevant to my article, since my article talks about classical cryptographic schemes and whether or not quantum computing is an imminent risk. So, all of this discussion about QKD is really just not relevant.

I hope that this clarifies my arguments.
IBM_Research,
User Rank: Apprentice
8/27/2019 | 9:15:21 AM
Getting Quantum Ready
Many good points. IBM Research believes a system large enough to break encryption is 10-30 years out.

But there is one point you should also point out to hedge your bets.

If your company is making a product which has a lifespan of 20,30+ years you need to start thinking about quantum safe cryptography today. Why? Well, if you are launching a satellite into space or building a new powerplant you will want them to be quantum safe today, for tomorrow, because updating the crypto on anything which has been in the field for a few decades will be challenging. So why not prepare today?

The same applies to secrets. If you have secrets which need to remain secret decades from now, you'll want to look at quantum safe crypto today. This is also why we recently demonstrated that we are making tape drives quantum safe since they store data for many decades https://www.ibm.com/blogs/research/2019/08/crystals/

We have also donated our quantum safe cryptography called CRYSTALS to open source.
tdsan,
User Rank: Ninja
8/27/2019 | 9:12:18 AM
Re: Good for the public, but not for nation-states
Interesting points, let me address your points one at a time:
  • D-Wave is not a real-quantum computer
  • "D-Wave's systems are being used by some of the world's most advanced organizations, including Lockheed Martin, Google, NASA Ames, Volkswagen, DENSO, USRA, USC, Los Alamos National Laboratory, and Oak Ridge National Laboratory. D-Wave has been granted over 160 U.S. patents and has published over 100 peer-reviewed papers in leading scientific journals."
  • D-Wave's Patent  - Qubit junction between S-Wave and D-Wave Superconductors
  • Systems and Methods for Achieving Orthogonal Control

Ok, I think enough said and the patents can be reviewed for clarity to validate that D-Wave is a Quantum computer (period).

Quantum Key Distribution
  • In my opinion, it's solving the wrong problem for the vast majority of use cases
  • "From this standpoint, we are not looking at all the use cases, this was an example that our news reporters presented (not theirs, ours). In the statement, I brought up earlier today, this was one example of what they are doing with Quantum computing, because in order to develop a "Quantum Key Distribution" System (one must have a Quantum Computer or "QC" for short) in order to perform the calculations necessary to ensure communication across vast distances, from 2012, the Chinese were able to communicate across short distances (12-15 Kilometers), now they have developed in 2016 a way to communicate with a satellite that is traveling in space (to your point, you don't have to agree, but they have a working use case that involves space flight and travel) - Enough said"
  • Article - QKD - Does not address large parts of the security problem
    • I think you may be looking into this more than what was mentioned earlier, they are not looking to address all security issues, they are looking to address a communication encryption problem using their own form of cryptographic communication methods in which we don't have a working model and they have one going to outer space
  • QKD has a number of practical limitations
    • They expressed distance, from a distance standpoint, it seems going to outer-space, seems to address the issue
  • QKD with classical network devices
    • Nowhere in their design does it say "Classical Network Devices"
  • QKD is extremely expensive
    • In order to push the envelope, the technology will be expensive
  • QKD must not introduce new vulnerabilities (systems using old hardware)
    • Again, who says they are using old hardware or methods that we are currently using now
  • QKD - "the best practical approach to quantum security is to evolve current security applications and packet-based communication protocols towards adopting post-quantum public-key cryptography."
    • Currently, they are testing out this solution for communication purposes but they have a working use case where they have been using this from 2016 with a satellite that is orbiting the world (you might want to repeat that just to make sure you take it all in), by the way, who said they are not using this method or have invented a method of communication that is beyond the scope of this article

Seems to me there are a lot of assumptions made about Quantum computing, remember this is a use case, however you slice and dice it, this is one use case, they are not trying to save the world but what they are doing is taking concepts and ideas from around the world to create a solution that could change the way communication across the Internet and even in outer space to another level, and now they are making it a reality (they are game-changers to me, again, that is just me).

And this has all to do with Quantum Computing because this involves one use case. From the statements you made earlier you said D-wave was not a real QC, ok, that has been broken down. Then you say, QKD is not a real-use case, well if communication is not, then your whole argument just fell to the ground.

T
yehudalindell,
User Rank: Author
8/26/2019 | 4:41:41 PM
Re: Good for the public, but not for nation-states
D-wave is not a real quantum computer. In any case, what you are referring to is quantum cryptography and not quantum computation to break (standard) cryptography. Quantum key distribution (QKD) can be done, but in my opinion it's solving the wrong problem for the vast majority of use cases. This is not just my opinion, and I recommend reading GCHQ's report on QKD; see https://www.ncsc.gov.uk/whitepaper/quantum-key-distribution. Even if you don't agree with this (and that's your prerogative of course), this has nothing to do with where quantum computing is today, which was the focus of my article.
tdsan,
User Rank: Ninja
8/26/2019 | 11:11:28 AM
Good for the public, but not for nation-states

"What about those who tell us that quantum supremacy is around the corner and all cryptography is about to be broken? I think they're fearmongers. First, quantum supremacy doesn't mean that computers will be strong enough to break cryptography. Second, reliable researchers that I have listened to and spoken with say that there are still very significant problems to be solved in quantum computing. But if they continue to use the word "possible" when describing quantum computing, I can't actually say that they're wrong."

I do think the Chinese are the leaders in quantum supremacy, I used to think D-wave was in the forefront (along with the help of Google and NASA) but now it seems they have working applications:

Micius, formally named the QUantum Experiments at Space Scale (QUESS) project, will have three initial stages of research. As the satellite is being calibrated, it will begin to implement a Quantum Key Distribution (QKD) scheme, the means by which secure communication can be established. It also has the potential for testing Bell entanglement (when two photons are linked together) and photonic teleportation (when a photon is transferred from one place to another).

What this says to me, is that they have a working production use case where they have a repeatable solution that is functioning and they have been using this since 2016.

Not sure about you, but the future of QC is now.

T