Qrypt strengthens data defenses against quantum attacks
Post-quantum cryptography (PQC) developers are busy working on ways to head off the threat of quantum computers capable of breaking the encryption keys that keep today’s digital data safe from prying eyes. Announcements from quantum computing pioneers such as D-Wave, IBM, Google, and others highlight the progress that’s being made in scaling up the number of logical qubits that are available. But the consensus among experts is that none of today’s machines pose a threat to data security. As we’ve reported on TechHQ, most agencies put 2030 as the tipping point from a risk perspective, and NIST has been coordinating post-quantum cryptography standardization efforts since 2016. The pressing concern is that while no sufficiently powerful quantum computer may exist today, it’s still possible for optimistic adversaries to store as much encrypted information as they can get their hands on in anticipation of a future breakthrough. And to protect against such harvest-now, decrypt-later attacks, a number of companies are offering PQC solutions, including US-based firm Qrypt.
The story so far will be familiar to Chief Information Security Officers (CISOs) tasked with ensuring the confidentiality, integrity, and availability of their organization’s mission-critical data. And one approach is to bundle PQC solutions on top of today’s internet encryption standards. The PQC element protects against the threat of future quantum computers. And keeping today’s security measures in the loop – such as Diffie-Hellman key exchange and AES symmetric encryption – guards against unforeseen holes in the PQC layer, at least in the short term.
Experts worried about the capabilities of future quantum computers to quickly factorize large numbers – a task that would take classical machines many thousands of years, and provides the security barrier protecting much of today’s data – have been testing what they believe to be quantum-proof alternatives for a number of years. But these PQC algorithms, whittled down through the NIST competition, are still relatively immature by cryptography standards and could turn out to be vulnerable to attack. There are other issues, too, when it comes to bundling multiple encryption methods.
Constrained devices
Additional encryption layers demand more compute, which can slow things down for less powerful devices, drain batteries, or simply cause crashes. And considering a world preparing for billions of IoT nodes, that could be a problem. But problems can be a good thing if they provoke a rethink and inspire experts to consider other options. “If you’re wondering how to securely transmit an encryption key, you’re asking the wrong question,” Chris Schnabel, VP of Product at Qrypt, told TechHQ.
Qrypt has a different way of doing things using a protocol that it dubs BLAST, which involves endpoints sampling true quantum random numbers in the cloud and then building their encryption keys locally. Extraction recipes are used to purify the bits, and keys are of a sufficient length to allow a large amount of communication without exhausting their randomness.
“Qrypt never sees the extraction parameters,” explains Schnabel. “And the protocol allows devices to generate identical keys independently.” It’s an interesting proposition, and firms can put Qrypt’s PQC solution to the test using a downloadable SDK. The quantum entropy is gathered via a REST API call, and example code allows developers to integrate the protocol into their applications and infrastructure.
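To make the idea of building identical keys locally from shared random data concrete, here is a simplified model, added as an example; it is not Qrypt's BLAST protocol or SDK code. It assumes both endpoints already hold the same secret recipe, uses HMAC-SHA256 as the extractor, and every name in it is hypothetical.

```python
import hashlib
import hmac
import secrets

BLOCK = 32  # bytes per pool block


def select_blocks(pool: bytes, recipe: bytes, count: int) -> list:
    """Pick `count` distinct pool blocks at positions only recipe holders can compute."""
    n_blocks = len(pool) // BLOCK
    if count > n_blocks:
        raise ValueError("pool too small for the requested sample")
    chosen, seen, counter = [], set(), 0
    while len(chosen) < count:
        tag = hmac.new(recipe, b"index" + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        idx = int.from_bytes(tag[:8], "big") % n_blocks  # modulo bias is negligible here
        counter += 1
        if idx not in seen:
            seen.add(idx)
            chosen.append(pool[idx * BLOCK:(idx + 1) * BLOCK])
    return chosen


def build_key(pool: bytes, recipe: bytes, count: int = 16) -> bytes:
    """Condense the sampled blocks into a 256-bit key, locally on the endpoint."""
    sample = b"".join(select_blocks(pool, recipe, count))
    extractor_key = hmac.new(recipe, b"extract", hashlib.sha256).digest()
    return hmac.new(extractor_key, sample, hashlib.sha256).digest()


if __name__ == "__main__":
    # Constructed stand-in for random data both endpoints download from a service.
    pool = secrets.token_bytes(256 * BLOCK)
    # Assumption: the recipe is a secret the endpoints share; the service never gets it.
    recipe = secrets.token_bytes(32)

    alice_key = build_key(pool, recipe)
    bob_key = build_key(pool, recipe)
    print("endpoints agree:", hmac.compare_digest(alice_key, bob_key))

    # The pool provider has the pool but not the recipe, so its derivation differs.
    provider_guess = build_key(pool, secrets.token_bytes(32))
    print("provider derives same key:", provider_guess == alice_key)
```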
Having spent 20 years at IBM working as part of the computing giant’s quantum product team before joining Qrypt in October 2021, Schnabel is well-placed to judge what qubits can and cannot do. And he wants to make sure that firms are prepared for future developments. “Your encryption key is like a needle in a haystack. Classical computers have to pick through each piece of hay,” he writes in a recent blog post. “Quantum computers will be more like a magnet that pulls the needle right out.”
Maintaining a competitive edge
As VP of Product, it’s no surprise that Schnabel makes a compelling case for Qrypt’s services. But he’s not alone in cautioning against the risk of future data theft. Governments are already worried about losing intellectual property (IP) to overseas competitors. And the risk posed by harvest-now, decrypt-later attacks adds to that concern. Qrypt’s founders Kevin Chalker and Denis Mandich are former CIA officers and joined forces with Yevgeniy Dodis – a Fellow of the International Association for Cryptologic Research (IACR) – to democratize encryption.
A big part of Qrypt’s success rests with its access to true quantum random number generators, which were developed in partnership with the US Department of Energy’s Oak Ridge National Laboratory. If adversaries can spot patterns in the seeds used to generate encryption keys then this information potentially takes threat actors a step closer to reading out the data hidden in the ciphertext. “There are all kinds of ways to attack something based on bad random,” adds Schnabel. And his comment emphasizes why it’s important to have a source of truly random seeds, as opposed to pseudo-randomly generated information.
It could turn out that quantum provides both the threat, by making available more efficient computing algorithms capable of breaking today’s encryption keys, and part of the solution: for example, by using quantum characteristics to generate large and truly random numbers capable of protecting data through protocols such as Qrypt’s BLAST approach.