The big fear in the data encryption community is the advent of quantum computing: computers so powerful they can crack any algorithm. The National Institute of Standards and Technology is in the midst of choosing, among algorithms, those its experts deem most resistant to quantum computers as it develops post-quantum cryptography standards. Here with some pointers for federal IT security practitioners who want to better understand the technology is the head of Quantum Cybersecurity at a company called Quantinuum, Duncan Jones. He spoke to the Federal Drive with Tom Temin.
Duncan Jones: Quantum and cybersecurity have a funny relationship. On the one hand, quantum will bring positives for cybersecurity. But what NIST is addressing is the fact that quantum computers will solve a lot of the mathematical problems that we rely upon to keep encryption safe today. So whether it’s in five years or 10 years, a sufficiently powerful quantum computer will break the algorithms that we use today. So as you said, things like the RSA algorithm that helps protect internet data will be completely broken by a quantum computer.
Tom Temin: And is there something inherent in quantum? Or is it simply that it’s so much faster and more powerful than current methods, that that alone can do the cracking?
Duncan Jones: Yeah, it’s that quantum computers are going to be very good at solving some types of problems. And it’s one of the reasons we’re excited about the field as a whole, because they’ll be able to help us discover new drugs or medicines and positive things. Unfortunately, it just so happens that we’ve chosen certain types of problems to protect us today with our encryption. And by sheer bad luck, quantum computers are going to be great at solving those problems. And so we need to move towards newer approaches that can’t be broken on a classical computer or a quantum computer.
Tom Temin: And just a detailed question that used to be said, maybe it still is, of supercomputers that they were oriented toward integer processing, or floating point processing. Is that the type of problem with quantum that it’s oriented toward a certain type of computing that is also used to create the algorithms?
Duncan Jones: Yeah, so if you look at the heart of something like RSA, which we use today, the problem that we rely upon there is that you take two very big numbers and you multiply them together. That’s quite easy to do. But if somebody gives you the result, and says, which two very large numbers were multiplied together to create that result, that’s just bizarrely difficult. That’s something that even supercomputers can’t solve. It would take them millions of years to be able to solve that kind of problem. And unfortunately, a quantum computer that may arrive in 10 years or so, will be able to solve that very quickly.
Tom Temin: So is it possible, then, I guess the theory that NIST has and that your company is advising people on is that you can create quantum-proof algorithms with conventional means? That is nonquantum means?
Duncan Jones: So we do a bit of both really. The process that NIST is orchestrating is about moving to these different algorithms, different mathematical problems. And it looks like those are going to be resistant to attack from today’s computers and tomorrow’s quantum computers. Very related to this, though, is that quantum allows us to also strengthen cybersecurity systems. So my group looks at how do we use today’s quantum computers to actually make stronger encryption keys? And the team worked very closely together.
Tom Temin: Right. So therefore, then, is the essential problem just adding to the complexity? You mentioned a large number: 32,652,512,615. What two numbers did I multiply to get that? Would it be a matter of what two numbers did I add up, then divide by four, then multiply, then divide by 16, then multiply again, to get that number? Or is it something more essential?
Duncan Jones: I think I would describe it as something more essential. So I think what academics have been doing is looking for completely different types of problem around which to base encryption. Generally, you want the sort of structure I described earlier, where it’s easy to solve in one direction and hard to solve in the other direction. But that’s quite a gentle constraint. There’s lots of different mathematical problems that could look like that. And academics have been exploring those and trying to find ones that appear to be quantum resistant, as well as classical resistant.
Tom Temin: We’re speaking with Duncan Jones. He’s the head of cybersecurity at Quantinuum. And can you maybe describe a couple of those potential problems that could be easy to create, hard to crack, other than the mathematical multiplication issue?
Duncan Jones: Well, unfortunately, the RSA example that I gave you is quite intuitive. And the way that we’re going to approach this problem in the future is a lot less intuitive. One type of algorithm seems to be emerging as a popular choice here, which is something called lattice-based cryptography. That’s harder to wrap your head around, that involves things like multi-dimensional graphs and trying to figure out the shortest point between two vectors in a graph theory, stuff that puts people to sleep probably as soon as you start talking about it. So it’s not going to be quite as intuitive as RSA, but they’re going to have that same property of being easy to solve one way, hard to solve the other way.
Tom Temin: And they can be expressed in code?
Duncan Jones: Exactly. And that’s a very important aspect of the competition is that there’s no point coming up with new algorithms that we can’t use or that are so different from what we use today that we can’t plug them in to our existing systems. So one of the aspects through which these algorithms are being judged is, are they practical? Can we use them tomorrow? And it looks like we will be able to. The big challenge here, and the reason why I’ve been delighted to see so many national security memos coming out on this topic, is that people are beginning to recognize the size of the challenge involved in moving from what we have today to what we need to have in the future. That’s a huge amount of work. And it’s something that your audience needs to be thinking about now.
Tom Temin: Sure. And I guess maybe one of the challenges for this would be yes, you can create a lattice-based, multi-dimensional-type of hard-to-crack artifact. But creating it, as you mentioned, has to be easy. So I can envision a user creating one on a PC, but yet a super quantum computer could not crack it. Is that one of the dimensions of the problem?
Duncan Jones: Yes. So you and I are speaking at the moment, and our communication is encrypted and protected. And that all happened on the fly, it was very quick, we didn’t notice it. And that’s how it has to be in the future, this stuff has to be instantaneous, almost. And that’s what these new algorithms are promising. And when we couple those new algorithms with new approaches to generating keys, this sort of the positive part of quantum, then we end up with something that is future-proof, scalable, and really quite pragmatic.
Tom Temin: It strikes me that the traditional encryption, then, problem, classic problem that you described earlier, might have been known to people in the medieval era. Whereas what you’re describing in the future, you know, no medieval architecture and literature majors need apply.
Duncan Jones: I would say that, on the algorithm side, I think we just got unlucky. We picked a set of problems 30 years ago, not realizing that one day, something would come along that would break them. I would say on the generation side, on the how do you make those keys in the first place, the sort of things that we can now do with quantum – yes, that would not have occurred to our medieval ancestors. That needed Einstein and others to come along in the mid-20th century and start to figure out how the universe really works.
Tom Temin: All right, so now Quantinuum now has a guide for chief information security officers and so forth, in which you point out things they ought to be aware of, as we work toward this future. What are the top things?
Duncan Jones: Well, we created this guide, because we sensed that people were flooded with information on this topic. But actually, the question most CISOs are wondering is what do I do next? What should I do about this? And so in this guide, after providing some background information on why we have this problem, I think the really valuable bit is a step-by-step approach to what do you do now? And where we focus, mostly there, is on understanding what you have today. So understanding where your sensitive data is, where do you rely on these quantum-vulnerable algorithms, and beginning to prioritize and creating a plan to move from those algorithms towards what we know we need to use in the future? So yeah, this guide is something that’s freely available. And it’s supposed to just give a bit of help to CISOs, who have got quite a challenge here in migrating their entire company infrastructure to something fundamentally different over the space of only five or 10 years.
Tom Temin: And in the meantime, would you expect a quantum-resistant algorithm to come into the marketplace that could be used under FIPS, two standards and so forth, that could be deployable now, even though there is not so much quantum computing around the world that could hammer at it? But that could still be deployable with existing standards and requirements?
Duncan Jones: So the standardization process is still going to take a couple more years to finalize. There is already a standard out there for a very niche use case, which is the securing of IoT device firmware. But aside from that, these general purpose algorithms we’re talking about are still a couple of years away from being fully ratified and appearing in FIPS publication. However, there are many companies out there and mine included, who have started to add support for these algorithms now, so that companies and agencies can experiment with this stuff and understand what impact it will have on an organization. And in fact, the National Security memo advises that that sort of testing is worth doing. It advises against, you know, making purchases and implementing that stuff for real until it’s standardized. But in this intervening period, it’s exactly the right time to explore and understand how can we use these algorithms? And more broadly, how can we embrace quantum as a positive thing as well?
Tom Temin: And just a final question, is it possible that someone could come up with what they think is a quantum-resistant algorithm and has all of these multiple vectors and takes us beyond the universe that we know now. And some five-year-old could do something and type three words and boom, it’s cracked! Kind of like some sort of a fatal flaw that people overlooked?
Duncan Jones: Worryingly, yes. And this is the challenge that we have with relying upon complexity for security. You never know when somebody can have a brain wave and solve the problem. Until Peter Shor realized in 1994 how a quantum computer might one day break these problems, we thought we were home and dry. In fact, that’s one of the reasons why people are excited about using quantum positively in cybersecurity, because when you rely on quantum as a force for good, you’re not relying on things being safe, because nobody’s figured out how to break it yet. These things are safe, because that’s the way the universe works. And we’re slowly finding that we can strengthen bits of cybersecurity and move away from that thing that the five-year-old could break one day, to something that is going to stand the test of time.