Solving the Quantum Decryption ‘Harvest Now, Decrypt Later’ Problem
There are two important problems for encryption: the keys and their distribution. Distribution is generally done via asymmetric encryption – but the distribution can be intercepted, and the asymmetric encryption cracked.
This problem exists today, but the cracking problem will get many times worse with the expected arrival of quantum computers and their vastly superior processing capabilities. Asymmetric encryption will be the first to fall – Shor’s quantum algorithm is proven to work. This has led to the new attacker concept of ‘harvest now, decrypt later’.
Quantum resiliency firm Qrypt has now released a product, Qrypt Key Generation, designed to take asymmetric encryption out of the equation by eliminating the need for traditional key distribution.
Bad actors, especially nation state attackers, are stealing encrypted data now with the expectation of being able to decrypt in the future. The timespan before this quantum decryption becomes possible is the only unknown.
Chris Schnabel was director of product management at IBM Quantum from 2018 to October 2021. He is now VP of Product at Qrypt – a firm focused on using quantum methods to protect encryption against future quantum computers. “Based on the current state of play,” he told SecurityWeek, “we’re not likely to see serious quantum computers for another 20 years.”
But there is a major rider to this statement. The power of a quantum computer is governed by the number of qubits that can be controlled. It may take a ratio of 1000 qubits to 1 controlled qubit because of their inherent instability. This leads to the 20-years estimate in achieving a quantum computer with enough qubits – but the unknown is a potential breakthrough in the number of qubits required to manage the ‘processing’ cubit. If this decreases, it could dramatically decrease the 20-years projection.
Nation states are adept at keeping their secret projects secret. “Consider Stuxnet,” suggested Schnabel. “Nobody had any idea that anything like Stuxnet was even possible – until it happened. And yet there must have been at least 1,000 developers working on it secretly.”
The implication is clear. We have no idea who or how close anybody might be to producing a serious quantum computer. And this means that the quantum decryption issue must be taken seriously today.
Qrypt is tackling this by removing the key distribution part of the equation, and producing more secure keys by using quantum methods to allow truly random number generation. Bad random numbers are already a problem, and are the key weakness in key generation today – successful cracking attacks are almost always focused on this imperfection in randomness.
The technology behind the Qrypt solution is complex; but the concept is simple. A symmetric encryption key is generated by Qrypt’s BLAST algorithm. This uses a quantum random number to generate the key simultaneously at both the source and destination of the encrypted data. All that is necessary is the integration of a Qrypt SDK into a company’s existing key management solutions.
The quantum random number is generated by Qrypt in the cloud and sent to both endpoints. On its own it is just a number. The BLAST algorithm, however, can use it to generate a secure key at both ends simultaneously. The user can then concentrate on encrypting the sensitive data with a strong quantum proof symmetric algorithm. Since there is no longer any need to send the key from A to B, key interception and possible decryption is no longer a threat.
The generation of the truly random number is where things get complex. Qrypt uses several different quantum mechanics-based random number generators. All are based on published technology with a roadmap of new quantum source types from research partners including ICFO, Los Alamos National Lab, Oak Ridge National Lab, and EPFL. Kevin Chalker (co-founder and CEO) explained perhaps the simplest.
“Imagine a laser,” he said. “A laser is a true quantum device, there’s no such thing as a classical laser. So, the moment a laser pulses one of its sine waves, the phase is absolute quantum-random ‒ meaning there is no way to predict the phase as it comes out. Now, if you combine that sine wave with a known pulse sine wave – a continuous wave laser, where you know exactly the phase of it 100% of the time ‒ and you now combine those 2 waves, you’ll generate a signal that’s a series of random valleys and peaks.
“Like two overlapping water waves, from 2 boats in the water, sometimes they constructively interfere, and sometimes they destructively interfere. It looks like it’s either a flat piece of water, or a very high piece of water, bigger than the two original waves. Each one of those, we would consider a random 0 or 1. It sounds in principle quite easy to do with lasers, but the engineering that goes into making that work and eliminating anything that’s electronic noise, is a very hard problem.” Nevertheless, it creates a genuinely random number.
This number is generated in the cloud and provides all the scalability of a cloud service. The symmetric encryption keys are generated using the random number on-site with source and destination endpoints. No keys need to be distributed from A to B. Instead, the locally generated keys can be used to produce and decrypt genuinely strong symmetric encryption which is all that is sent from A to B.
“As ‘harvest now, decrypt later’ threats continue to rise, companies need to be taking a hard look at their security infrastructure to ensure that they are protecting their sensitive data,” says Denis Mandich, Qrypt’s CTO and co-founder. “Qrypt’s new Key Generation technology enables today’s security-minded enterprises to make practical use of the most secure encryption in the world within a digital environment.”
The generally accepted alternative to such an approach would be the use of quantum key distribution via dark fiber. However, it is worth noting that in March 2020, the UK’s NCSC published a paper stating, “Given the specialized hardware requirements of QKD over classical cryptographic key agreement mechanisms and the requirement for authentication in all use cases, the NCSC does not endorse the use of QKD for any government or military applications, and cautions against sole reliance on QKD for business-critical networks, especially in Critical National Infrastructure sectors.”
New York-based Qrypt was founded by Denis Mandich (CTO), and Kevin Chalker (CEO) in February 2019. Both are ex-CIA officers.