Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.
One of the biggest concerns among cybersecurity people is the advent of quantum computers. The theory is quantum will be so powerful it will easily crack encryption algorithms conventional computers would take thousands of years to crack. Now the National Institute of Standards and Technology has issued for cryptographic algorithms researchers believe are quantum resistant. Here with details, NIST mathematician Dustin Moody joined the Federal Drive with Tom Temin.
Tom Temin: Now these algorithms that NIST came out with, first of all, how were they developed? How do you develop a thing like this, when quantum computing itself is not really a jelled known quantity here?
Dustin Moody: Yeah, that’s a good question. What researchers in the field have been doing is they look at all the known quantum algorithms, those are algorithms that would work on a quantum computer, and would be very efficient very fast, faster than they would on our conventional computers. And they take all those known attacks, and they come up with new crypto systems. And they check that none of those attacks seem to work, they don’t provide any advantage over what we already know. And research in this field has been going on for a few decades. So there’s a few different areas where people have kind of tended to focus as to what type of structures you can use that you can make crypto out of that will not, a quantum computer won’t help you in attacking them.
Tom Temin: Right. So it’s almost like reverse engineering, in a sense, on what we know that quantum computing itself would be capable of them.
Dustin Moody: Yeah, it is a little bit. You’re trying to find the holes that a quantum computer won’t be able to help you with.
Tom Temin: And what do we know about the status of quantum computing? First of all, I mean, it’s you hear people saying they’re using quantum techniques. But are there actual practical quantum computers in the world that we know of yet?
Dustin Moody: Well if you look in the media, every so often, you’ll see headlines from big companies like Google and IBM, that are working on building these quantum computers. And they’re making progress, their chips and computers are getting larger and larger. They’re still small enough that you can’t do anything too impressive with them yet. They don’t come anywhere close to threatening cryptography, yet, there are some products that you can do with them. But in regards to cryptography, it’s still in the development stage of building these quantum computers. But progress is being made. And it’s estimated that it could be anywhere from 10 years, 15 years, 20 years, until a big enough quantum computer is built.
Tom Temin: Well, these things tend to either accelerate and come faster than people expected. Or they go the way of nuclear fusion, I guess.
Dustin Moody: Yeah, there are some people who think there will be some physical problem that we just can’t figure out how to engineer. So there are people who believe we’ll never have one. Most experts tend to think that it’s just a matter of time until we get one.
Tom Temin: And tell us exactly what NIST did come out with this month. And what say a cybersecurity practitioner can do with this information.
Dustin Moody: To prepare for this threat NIST has been aware of the threat for quite a while with regard to some of the cryptography that gets used around the world. So about six years ago, we started basically a big international competition to find and then select and standardize new crypto systems that would provide protection from these quantum attacks. And just a week ago, or so we announced the results of that competition, we announced the four algorithms that we have selected, that we will standardize. And that means that not too long, you’ll be able to start using these algorithms, putting them into your products. And they will provide the protection that you need in the future when quantum computers are available.
Tom Temin: Do these algorithms exist as a piece of code that people can simply take?
Dustin Moody: So as part of the contest, they had to give us complete design specifications that explained how the algorithm work. And they also yes, they did give us code, both reference code and optimized code. We don’t want people to take that code into start putting it into production. Yet, as we’re writing the standard, it’s possible, we might just make some very tiny tweaks. So we recommend that people start testing them, becoming aware, getting familiar with them. But wait until the final standard is published. And then you can start using it in production.
Tom Temin: But the primary users of this would be commercial companies that produce cryptographic products, using the algorithms embedded in some way.
Dustin Moody: So yeah, the companies that provide the cryptography, they definitely are aware of this, and they will transition to provide these new algorithms. But the larger audiences, everybody uses cryptography in some way, even if you don’t really know that you are. So organizations need to make sure that the products that they use, their vendors that they’re aware of the threat and that they have a plan for this upcoming transition.
Tom Temin: We’re speaking with Dustin moody, he’s a mathematician at the National Institute of Standards and Technology. When the final version comes out. And it’s kind of kosher, and people work to create cryptography based on these algorithms. Are they suitable for use on conventional computing platforms in the meantime, until quantum does come along?
Dustin Moody: Yes, these algorithms will be selected. They’re defined to run on our conventional computers when quantum computers are finally around, it’s going to be nation states or big companies that have them. They’re not going to be in your pocket and your phone, things like that. So these algorithms are designed to run on conventional computers, they just happen to protect against anyone who has a quantum computer and would try and attack you.
Tom Temin: Just what we need is a quantum iPhone to look at Snapchat or something. But what is the interaction between, say, a product based on these new algorithms and the FIPS standard [Federal Information Processing Standards] algorithms that are accepted in the national security community in the intelligence community? It sounds like it could up end the product and certifications in that whole world.
Dustin Moody: Yeah, eventually, people will need to transition to these new algorithms. There will be updated guidance from NIST and from national security levels where you have to transition to these algorithms is a way to get there, there has been a lot of interest in what’s called a hybrid mode. And that’s where you combine one of these new post quantum algorithms that provide protection along with one of the currently standardized algorithms that we have today, you’ll take a small performance hit for doing that, because you’ll be doing two different crypto algorithms. But security wise, you’re guaranteed that as long as one of those two algorithms is safe, you’ll also be protected. So people are interested in this is a way to transition just until we gain more experience with these new algorithms and get used to using them. That way, you’d be able to still get validated, get certified because you’re using a standardized algorithm. But you could get experience with the new quantum resistant algorithms and transition to them at some point in the future.
Tom Temin: And our these in the open source domain? That is to say, suppose Igor the hacker from Russia took the new quantum resistant algorithms, and somehow, could they engineer a way to get around them for future attacks in quantum?
Dustin Moody: Yes, they are open in that sense. That’s part of the beauty of modern cryptography is you assume that your enemy knows exactly the complete design specification. They don’t know your secret key that you have. But you assume they know what your cryptosystem is exactly how it works. So yeah, the specifications for how to implement it they’re online, they’re open, they’ve been on our website for the past six years. Same with the code. And that’s kind of the cool thing of modern cryptography. Is that even knowing that they still provide protection from Igor, as long as you’re implementing it, as described in the standard.
Tom Temin: And just out of curiosity, what does it take to develop these? Do you sit there in front of a giant chalkboard, like Manhattan Project? Or is this purely mathematical type of computational function to develop these algorithms? How do you go about this work?
Dustin Moody: It takes a team I would say. At their core, these new post quantum algorithms are based on mathematical structures. So there will typically be mathematicians involved. But you also need to know what the latest quantum attacks are. So there are people that deal with quantum algorithms, you also will code up these algorithms and want to optimize the performance. So you’ll have computer scientists and software engineers. So the submission teams for these algorithms often had 10 or so people on them often coming from a variety of backgrounds, math, computer science, physics, engineering, cryptography, coming together to design these algorithms.
Tom Temin: And they are coded in conventional computer code language?
Dustin Moody: Yep. And they were all in I want to say C or C++, I believe, when they turned them into us.
Tom Temin: Got it, and if someone is, say, majoring in mathematics, does this development that just came from this these four crypto resistant algorithms, does that still leave room for people that want to apply their mathematics skills in encryption and in cybersecurity? Is there still room here for doing this?
Dustin Moody: Oh, certainly. The work is not over once we’ve selected these four algorithms. Cryptography over time people find new attacks, they break things, and then you have to come up with new algorithms or computers get better, and you have to make them more efficient, and you need to design new parameter sets. So there definitely is room for people who are interested in the area to continue to work in this field. It’s actually one of the hottest research areas in mathematics right now. And I think it will continue to be for at least a decade or so.
Tom Temin: And you get these kinds of questions at barbecues?
Dustin Moody: No, the average person typically doesn’t know what kind of cryptography their computer or their phone is using, but they are usually pretty interested when they ask what I do, and I start telling them about it. It’s a pretty fascinating topic.
Tom Temin: All right. Well, as someone who struggled with algebra 50 years ago, I admire you. Dustin Moody, as a mathematician at the National Institute of Standards and Technology. Thanks so much for joining me.
Dustin Moody: Glad to have been able to talk with you, thanks.