Why Post-quantum Cryptography is Important Today
Table of contents
“Religious wars are basically people killing each other over who has the better imaginary friend” Napoleon once quipped, and no matter which God you worship, you should be able to find a bit of humor in that statement. Regardless of the reason for wars, they continue to be fought. Today’s wars not only take place on the battlefield, but also in cyberspace. The entire backbone of today’s digital world is constructed on the ability for communication to take place securely. Google now penalizes sites that don’t take proper measures to secure communication, and even the website you are reading this article on uses secure communication. We’ve written extensively about the growth of cybersecurity in an age where a single breach in security can have devastating consequences for a company.
Today, encryption is the most practical way to protect electronically stored, processed and transmitted data. Here’s an excerpt from a Report on Post-Quantum Cryptography, issued by the US National Institute of Standards and Technology (NIST) in 2016:
Many of our most crucial communication protocols rely principally on three core cryptographic functionalities: public key encryption, digital signatures, and key exchange. The security of these depends on the difficulty of certain number theoretic problems such as Integer Factorization or the
Discrete Log Problem over various groups.
Essentially, all secure communications today rely on theoretical problems that cannot be solved using today’s computing capabilities. All of that changes when quantum computing arrives.
Any data encrypted using today’s popular methods of cryptography “will not remain confidential once a nation-state adversary obtains a large-scale quantum computer” says the aforementioned report, though companies should have addressed the problem a long time ago. Even if quantum computing is 20 years away, any nation might be accumulating data today with the intent of harvesting it later when quantum computing arrives. This is referred to as “harvest and decrypt”.
The urgency isn’t just for corporations but also for nations. That’s because when we’re able to create a quantum computer, it may take billions of dollars which will likely be funded by government as opposed to private sector. A very compelling case can be made for both companies and government entities to begin taking steps today to protect themselves in anticipation of quantum supremacy. One company that’s working on this is Isara Corporation.
About Isara Corporation
Founded in 2015, Canadian startup Isara Corporation has taken in an undisclosed amount of funding to develop solutions to the problem which they refer to as “post-quantum cryptography” or “quantum resistant cryptography”. Isara’s strategy is not a one-size-fits-all solution, but rather to support as many post-quantum cryptosystems as possible so that, “in the unlikely event that a future theoretical breakthrough leads to an attack on one quantum-safe cryptosystem, other quantum-safe cryptosystems will be available to take up the slack.”
ISARA believes that they are the largest organization in the world focused solely on developing quantum-safe cryptographic solutions for integration into commercial products to protect against quantum attack. In the leftmost column below, you can see the five areas of math that make up the Isara Radiate cryptographic library:
The above drop-in algorithm replacements allow companies to easily implement security solutions for post-quantum cryptography. Astute readers might point out that since we don’t have a working quantum computer yet, we can’t be sure that these methods will prove resistant to attacks by quantum computers. Isara’s response to this concern is that they use “conservative parameter choices that leave us with a safety buffer in the event of unforeseen improvements on quantum attacks.” We can also judge how good the Isara security solution is based on who they are working with.
In April of this year, Isara announced a collaboration with Cisco (CSCO) to test digital certificates that operate in both classic and quantum-safe algorithm modes. (Cisco is responsible for building the network hardware that provides the backbone of today’s Internet.) Since companies have already committed significant investments over the past decades to develop their security infrastructure using classical cryptography methods, the answer isn’t to scrap everything and start over. Instead, Isara proposes that companies adopt a hybrid method that supports existing methods along with the addition of quantum-safe methods, a hybrid solution if you will:
To showcase how this backward-compatible dual-algorithm (hybrid) works, Cisco and ISARA have made available a public server that uses these certificates. (The demo server includes instructions and links to the code for researchers who want to download, test and review hybrid X.509 certificates.)
Conclusion
The need for companies and governments to prepare for quantum supremacy seems familiar to the urgency of Y2K, the non-event that companies rushed to accommodate. In this case, though, the problem is Y2Q, with an uncertain timeline and a certain problem that extends to even more industries and applications given how connected everything is these days. For example, cars being built today are susceptible to the Y2Q problem:
Given all the possible problem areas to be addressed, there is plenty of room for new startups to attack niche areas. In our next article on this topic, we’re going to take a look at some more companies playing in the “post-quantum cryptography” space. If you happen to be one of those companies, drop us a line and introduce yourselves, letting us know why your dog is most likely to win the race.
Share
