Quantum Leaps: The Race to Build Post Quantum Cryptography

// April 29, 2024

Cryptographic security is the bedrock of our modern digital economy. Without cryptography, there is no internet as we know it today. You can’t pay for a burger or hail a taxi on an app if your card details are exposed as they travel along the fiber optics.

Why Cryptography Is Fundamental to Society

Cryptography is about more than keeping secrets, storing data, or sending information privately, all of which is of course utterly essential. It’s about having uncompromised communication that can’t be hijacked, altered, or censored by third parties. It’s about having your digital interactions delivered accurately to the service you are trying to reach, and receiving that service in line with your request.

Without cryptography, any online activity could be recorded, changed, or exposed by attackers. Without encryption of our messaging, payment details, and server requests, we could not even load a website without exposing our computers to attack. We couldn’t message our mother, brother, or friend and ever be certain the message was delivered correctly or received by the right person. Private health records? No chance. A working bank account? Nope (although, to many true believers, we may soon be moving on from that anyway).

The Cataclysmic Threat of Quantum Computing

For enterprises, corporate espionage is a very real threat. Their data, the data of their customers, the data behind their operations: it all has monetary value. It’s all proprietary knowledge. Knowledge is power, power is money. In the information age, a company’s entire market cap is essentially a valuation of the data it keeps encrypted on its servers. If that data were decrypted, whole tranches of the S&P 500 would vanish into thin air.

All this to say, the “cataclysmic” threat that quantum computing poses to asymmetric cryptography is real. Research into quantum computing won’t stop, nor should it. The potential breakthroughs in processing power, and with them the AI models that quantum computing could enable, could, without even a hint of exaggeration, change the course of human history. As such, all major tech corporations, and indeed anyone working in computer science, AI, data analytics, or software in general, are cognizant of the coming threat of quantum computing and wonder what cybersecurity measures can be put in place to counter it.

Early Solutions

Apple, for example, recently announced its hybrid approach to post-quantum (PQ) cryptography in a blog post, explaining how iMessage is moving away from classical public key cryptography (RSA, elliptic curve, Diffie-Hellman exchange) to a hybrid, state-progressive approach that uses earlier messages in a conversation to rekey later ones (much as a blockchain derives proofs from the previous block), and starts each new iMessage chat with Kyber PQ keys, which have been broadly peer-reviewed by the global cryptographic community. Similar to Source Network’s approach to Secret Rings, Apple’s PQ3 uses key rotation and rekeying so that the time-based decay of security is negligible.

Kyber has already been selected by NIST, a US government agency, as the Module-Lattice-based Key Encapsulation Mechanism (ML-KEM). A lattice is a mathematical construct that resists Shor’s algorithm and other quantum computing attacks by spreading information across geometric lattices that extend infinitely and are inherently multi-dimensional, and which are thus more resistant to brute-force computation.

The Need to Act Now

Why such effort now? Simple future-proofing? Not at all. It’s absolutely about now-proofing. The biggest fear for most in cybersecurity currently is the ‘harvest now, decrypt later’ (HNDL) attack. In short, just because you can’t decrypt the data today doesn’t mean you can’t gather and store it until you can.

Today, right now, in data centers all over the world, the world’s data is being stored and indexed whether it’s decryptable or not. Some of it is kept in the malicious hope that once quantum computing arrives, it can all be decrypted, with destructive effects on global security as a whole.

Since most in the cryptographic community seem to expect quantum computers strong enough to decrypt today’s traffic within roughly a decade, the urgency to act now is clear. The store-now, decrypt-later attacks described above are the main impulse for companies like Meta, Apple, Signal, and others to rework their end-to-end encryption protocols.

Small Beginnings, Big Problems

Yet the problem is nowhere near solved, even if posts like Apple’s make it seem so. Vulnerabilities have already been found in Kyber PQ, and Apple’s use of a hybrid system that incorporates elliptic curve cryptography seems to acknowledge that PQ keys are an unsolved problem and that redundant protections are needed. SandboxAQ recently found a vulnerability in the general construction of KEMs, showing that Kyber PQ keys aren’t as infallible as first expected.

Indeed, even the theoretical basis for PQ-secure cryptography is under question. A recent peer-reviewed paper even suggested that the lattices that are the cornerstone of PQ encryption do not provide the expected protection, although the authors later reviewed their work and retracted it. Still, it’s worrying that such early flaws are being identified in the theory when the arrival of a PQ world is so certain, and the need to build protections for it so essential.

Even if the theory does hold, the real task is still engineering these defenses: the actual application of PQ security in a world where quantum computers already exist. Active key rotation with ever-changing software. Aggressive retirement of vulnerable keys. And the fact that it’s perfectly possible to create a PQ algorithm that is LESS secure than the ones we use today, which is probably why many are opting for hybrid approaches now: to ensure that new implementations are no worse than those that already exist.
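To make the two engineering ideas above concrete, the hybrid classical-plus-PQ key combination from the Early Solutions section and the rekeying with retirement of old keys described here, the following is an added worked example. It is not Apple’s PQ3 code nor Source Network’s Secret Rings implementation. The two input secrets are constructed placeholders (random bytes) standing in for a real X25519 shared secret and a real ML-KEM decapsulation output; the function names, the label strings, and the transcript value are assumptions of this example.

```python
"""Hybrid (classical + PQ) secret combiner plus a hash-ratchet for rekeying.

Added example: not Apple's PQ3 or Source Network's code. `ecdh_ss` and
`kem_ss` are CONSTRUCTED stand-ins for an X25519 shared secret and an
ML-KEM shared secret; a real protocol would obtain them from those
primitives.
"""
from __future__ import annotations

import hashlib
import hmac
import os

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC(salt, IKM)."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) | info | i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def combine_hybrid_secret(ecdh_ss: bytes, kem_ss: bytes, transcript: bytes) -> bytes:
    """Derive one session key from BOTH the classical and the PQ shared secret.

    Both secrets (length-prefixed, fixed order) form the IKM, so the output
    stays secret as long as at least one of them is: breaking the elliptic
    curve with a quantum computer, or finding a flaw in the KEM, is not enough
    on its own. The transcript (public keys, KEM ciphertext, protocol label)
    is bound in through `info` so the key cannot be reused in another exchange.
    """
    ikm = (len(ecdh_ss).to_bytes(2, "big") + ecdh_ss
           + len(kem_ss).to_bytes(2, "big") + kem_ss)
    prk = hkdf_extract(b"hybrid-kex-v1", ikm)  # label is an assumed constant
    return hkdf_expand(prk, b"session-key" + transcript, HASH_LEN)


def ratchet_step(chain_key: bytes) -> tuple[bytes, bytes]:
    """Symmetric hash-ratchet: one step yields the next chain key and a
    single-use message key. The step is one-way, so a party that erases the
    old chain key after use cannot later be made to reveal past message keys,
    which is what blunts a harvest-now, decrypt-later capture of old traffic.
    """
    next_chain = hmac.new(chain_key, b"\x01", HASH).digest()
    message_key = hmac.new(chain_key, b"\x02", HASH).digest()
    return next_chain, message_key


def derive_message_keys(root_key: bytes, count: int) -> list[bytes]:
    """Walk the ratchet `count` steps, retiring each chain key as we go and
    keeping only the per-message keys."""
    keys, chain = [], root_key
    for _ in range(count):
        chain, mk = ratchet_step(chain)  # previous chain key is dropped here
        keys.append(mk)
    return keys


if __name__ == "__main__":
    ecdh_ss = os.urandom(32)  # constructed stand-in for an X25519 shared secret
    kem_ss = os.urandom(32)   # constructed stand-in for an ML-KEM shared secret
    transcript = b"example-transcript"  # assumed placeholder for the real transcript
    root = combine_hybrid_secret(ecdh_ss, kem_ss, transcript)
    for i, mk in enumerate(derive_message_keys(root, 3)):
        print(f"message key {i}: {mk.hex()}")
```

The design choice worth noting is that the combiner never derives the session key from one secret alone and never lets the two secrets be confused for each other (the length prefixes and fixed order do that), which is the property a hybrid scheme needs if it is to be no worse than the classical scheme it augments.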

Decrypting History

Quantum computing may change history, but we must be careful it doesn’t destroy society in the process. Building encryption for a PQ world is, of course, central to Source Network’s mission of data ownership and data privacy. Decentralized access control mediated by crypto tokens depends on, well, cryptography. The clue is in the name. 

Cryptography is not some dry obsession with puzzles and secrets, but the cornerstone of how we function digitally. Quantum computing is coming. It matters how ready we are for the threat now, and the work to protect ourselves must start gathering pace. Within five years, expect all major tech companies, individuals, and indeed Source Network to have shored up their defences against quantum ruin. If they don’t, what they build will no longer be fit for purpose.
