You probably don’t think much about what goes on underneath the hood when you see that little padlock symbol in your web browser when you use an e-commerce site, send and receive emails, or check your bank or credit card accounts.
But that tiny padlock is a neon sign that the online provider is using HTTPS, a web protocol that encrypts the data we send from our browser across the internet to the site in question, as well as the responses we receive.
Encryption protects all kinds of electronic communications, as well as things like passwords, digital signatures, and health records. Encryption is also one of the fundamental aspects of blockchain technology — so this stuff actually matters a lot to us here at 10XTS.
Quantum computer processors could potentially undermine the current state of cryptographic defenses. Computers aren’t powerful enough to do this today, but they are evolving fast.
That’s why researchers are racing to develop new approaches to cryptography that can withstand future attacks mounted by hackers using quantum devices.
While the risk of this is quite low at the consumer level for many years to come, it’s less of a leap to surmise a nation state actor working to crack traditional security — especially in finance and other core infrastructure systems.
How does encryption actually work?
There are two main types of encryption: symmetric and asymmetric.
Symmetric encryption requires a sender and a receiver to have identical digital keys to encrypt and decrypt data.
Asymmetric, or public-key, encryption uses a publicly available key to let people encrypt messages for a recipient who is the sole holder of the private key needed to unscramble them.
Sometimes these two approaches are combined. For example, underneath the hood of HTTPS, web browsers use public-key cryptography to check websites’ validity and then establish a symmetric key to encrypt communications.
The strategy is to stay ahead of hackers who use massive amounts of computing power to guess the keys by trying random combinations.
Popular cryptography methods, including one known as RSA and another called elliptic curve cryptography, use “trapdoor” functions: mathematical constructs that are relatively easy to compute in one direction to create keys, but are very hard for a hacker to reverse-engineer.
Hackers could use what is known as “brute force” to try to break a code by trying all possible variations of a key until one works. But defenders make life really hard for them by using very long key pairs, like the RSA 2048-bit implementation, which renders a key that is 617 decimal digits long.
With our current processor technology, trying all of the possible combinations to guess the private keys could take thousands of years with conventional computers.
How do quantum computers threaten encryption?
Quantum processing enables hackers to try all the algorithmic trapdoors at a mind-blowing rate of speed.
Unlike classical computers, which use bits that can be either 1s or 0s, quantum machines use “qubits” that can represent numerous possible states of 1 and 0 at the same time — also known as “superposition”.
They can also influence one another at a distance, thanks to a physics attribute known as “entanglement”.
Thanks to these phenomena, adding just a few extra qubits can lead to exponential leaps in processing power. A quantum machine with 300 qubits could represent more values than there are atoms in the known, observable universe.
Assuming quantum computers can overcome some inherent limitations to their performance, they could eventually be used to quickly try all possible combinations of a cryptographic key.
Hackers are also likely to exploit quantum algorithms that optimize certain tasks.
One algorithm, published by Lov Grover of AT&T’s Bell Labs in 1996, helps quantum computers search possible permutations much faster.
Another one, published in 1994 by Peter Shor at Bell Labs, helps quantum machines find the prime factors of integers incredibly fast.
Shor’s algorithm poses a risk to public-key encryption systems such as RSA, whose mathematical defenses rely in part on how difficult it is to reverse-engineer the result of multiplying very large prime numbers together.
A report on quantum computing published in 2018 by the US National Academies of Sciences, Engineering, and Medicine predicted that a powerful quantum computer running Shor’s algorithm would be capable of cracking a 1,024-bit implementation of RSA in less than a day.
When will all this happen?
Obviously it is a concern on the horizon. Fortunately, it is highly unlikely to be in the very near term — but we cannot sit around waiting for the day either.
The National Academies study says that to pose a real threat, quantum machines will need far more processing power than today’s best quantum machines have achieved.
Still, what some security researchers like to call “Y2Q”, the year in which quantum code-cracking becomes a major headache, may creep up wicked fast.
In 2015, researchers concluded that a quantum computer would need a billion qubits to be able to crack the 2,048-bit RSA system pretty comfortably; more recent work suggests that a computer with 20 million qubits could do the job in just eight hours.
That’s still way beyond the capabilities of today’s most powerful quantum machine, with 128 qubits. But advances in quantum computing are unpredictable.
Without “quantum-proof” cryptographic defenses in place, all kinds of things, from autonomous vehicles to military hardware—not to mention online financial transactions and communications—could be targeted by hackers with access to quantum computers.
Any decision-maker within any business or government planning to store data for decades should be considering the risks, because the encryption they use to protect it could later be compromised. It can take many years to go back and re-encode mountains of historical data with more robust defenses.
It is probably a good idea to get started on it now — which is precisely why there’s a big push to develop post-quantum cryptography.
It’s the development of new kinds of cryptographic approaches that can be implemented using today’s classical computers but will be impervious to attacks from tomorrow’s quantum ones.
One line of defense is to increase the size of digital keys so that the number of combinations needed using brute computing power significantly increases.
For instance, just doubling the size of a key from 128 bits to 256 bits effectively squares the number of possible permutations that a quantum machine using Grover’s algorithm would have to search through.
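Grover's search and the key-doubling defense described above, as an added example (not from the original article): a small state-vector simulation of Grover's algorithm over a constructed 10-bit key space, plus the resulting work estimate for 128- and 256-bit keys. The square-root iteration count is the standard result for Grover's algorithm and goes beyond what the article states; the function names and the secret value are assumptions.

```python
from math import floor, pi, sqrt

def grover_search(n_bits, secret):
    """Simulate Grover's algorithm over all 2**n_bits candidate keys.
    Returns (iterations used, probability of measuring the secret key)."""
    size = 2 ** n_bits
    amp = [1 / sqrt(size)] * size             # equal superposition of all keys
    iterations = floor(pi / 4 * sqrt(size))   # optimal count, about sqrt(N)
    for _ in range(iterations):
        amp[secret] = -amp[secret]            # oracle flips the correct key
        mean = sum(amp) / size
        amp = [2 * mean - a for a in amp]     # diffusion: invert about the mean
    return iterations, amp[secret] ** 2

def classical_expected_guesses(n_bits):
    """Average guesses for exhaustive search on a classical machine."""
    return 2 ** n_bits // 2

def grover_work_bits(key_bits):
    """log2 of the Grover iteration count, ignoring the pi/4 constant."""
    return key_bits // 2

def summary():
    """(key size, classical brute-force work in bits, Grover work in bits)."""
    return [(k, k, grover_work_bits(k)) for k in (128, 256)]

if __name__ == "__main__":
    its, prob = grover_search(10, secret=0b1011001110)  # constructed secret
    print(its, round(prob, 4), classical_expected_guesses(10))
    print(summary())
```

A 256-bit key under Grover costs about as much as a 128-bit key does classically, which is why doubling symmetric key sizes is the usual mitigation.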
Another approach involves coming up with more complex trapdoor functions that even a very powerful quantum machine running an algorithm like Shor’s would struggle to crack.
Researchers are working on a wide range of approaches, including exotic-sounding ones like “lattice-based cryptography” and “supersingular isogeny key exchange”.
The aim is to zero in on one or a few methods that can be widely adopted.
NIST is working with the leading mathematicians and cryptography experts to produce new forms of algorithmic calculations so complex, even a quantum process can’t break them. It’s already narrowed down an initial set of 69 proposals to 26, but says it’s likely to be around 2022 before draft standards start to emerge.
The pressure is on because encryption technologies are deeply embedded in many different systems, so unraveling them and implementing new ones can take a great deal of time.
Last year’s National Academies study noted that it took more than a decade to completely retire one widely deployed cryptographic approach that was shown to be flawed.
Given the speed with which computing is evolving, we may not have that much time to tackle the threat.
But for the average person, a Russian hacker spinning protons in the basement isn’t going to get into your checking account anytime in the near future.
You’re more at risk of some company employee being the target of a social engineering effort to change your mailing address in the system to send your statement to a different address.