Quantum computers are poised to be the next big evolution in computing, as they will be able to perform calculations that would take today’s supercomputers thousands of years. The point at which a quantum computer is able to outperform today’s traditional computers is known as quantum supremacy, a term coined by Caltech professor John Preskill.
Recently Google announced that it has reached quantum supremacy and this has many wondering about the potential implications that quantum computing will have on cybersecurity, especially when it comes to encryption. To learn more about how quantum computing will affect security, TechRadar Pro spoke with the CTO and co-founder of Secret Double Octopus, Shimrit Tzur-David.
Quantum computing is still in its infancy but when do you think businesses and academic institutions will be able to try it out for themselves?
Quantum computing breaking past the labs of tech giants is not imminent. That moment probably won’t come in the next ten years, but that’s a frightfully short time considering its security implications.
Encryption will be vulnerable in the face of quantum computing. This is especially true for data encrypted by older asymmetric keys, which are shorter (256 bits, 1024 bits, etc.) than today’s standard 2048-bit encryption keys. Lots of data was encrypted with these relatively short keys, so anyone who saves this data today may be able to reveal it rather easily in a few years. We already know of specific institutions and even countries storing massive amounts of such encrypted data with the intent of revealing it at some point in the future.
What are your thoughts on Google’s recent quantum supremacy announcement and what will it mean for the industry?
Encryption is based on the difficulty of solving mathematical equations. These problems are theoretically solvable, but practically they are complex enough to buy plenty of time. Until recently, our ability to imagine complex math problems was greater than computing’s ability to solve these problems quickly. Google’s announcement has demonstrated that this may be changing.
From a problem-solving point of view, Google’s announcement is tremendous. From an enterprise security point of view, it raises very serious questions.
How will quantum computing render traditional encryption obsolete?
Consider RSA’s (Rivest–Shamir–Adleman) solution, which is based on finding the prime multipliers of a very large number. Fortunately for security purposes, the amount of computing power needed to determine these multipliers in a short amount of time remains theoretical. Quantum computing, with processing speeds that leave binary computers in the dust, will render this solution obsolete, as hackers will have almost unlimited computing power to solve these problems.
Should businesses begin moving away from public key encryption and if so are there any alternatives available today?
Not necessarily. Until public key encryptions are made to be quantum-safe, we should invest in finding alternative solutions as we transition to a new age. The common approach to improving encryption strength has been to increase the length of keys, but this is insufficient. A disruptive non-linear approach is required. We need to be preparing for a future of hacking that does not rely on limited computing power. I researched this specific subject during my postdoc.
Can you tell us a bit more about your company’s passwordless authentication technology that uses secret sharing algorithms?
In any PKI-based encryption, a client and server use an asymmetric protocol to eventually share a symmetric key. Most attacks happen during this key exchange. Our passwordless authentication technology is designed to deny hackers enough critical information to carry out an attack during the key exchange phase.
Instead of taking data and encrypting it, we split it into multiple shares (pieces of random data). We deliver these shares via three channels, and one needs all three at the same time to reveal the secret data. Imagine that secret is the number ‘3,’ and imagine it is planted on the Y-axis of a graph. In order to locate that secret, having a point anywhere on the graph would not be enough to reveal the secret. Add a second point, and you can imagine a straight line hitting both points and your secret on the Y-axis. The line is the algorithm connecting the dots, thus divulging the secret.
How are you using mobile devices as secure authenticators and what are the benefits to this strategy?
The advantage of turning mobile devices into secure authenticators is that everybody has one. It is a much more secure factor than a browser, can identify a user through a biometric factor, and has a built-in secure memory. In our solution, the mobile device stores one of the shares that constructs the secret, meaning that only two out of the three shares are sent over the network for each authentication session. This means that the authentication notification we send can only go to the intended user and the intended mobile device.
What current cyber threat concerns you the most and what future threats are on your radar?
Looking ahead, I would say that communication between processes is where we see the most vulnerability in organizational architecture, so hacks against service-to-service authentication systems concern me greatly. At the Secret Double Octopus innovation lab, we are already working on ways to secure these future threats.