Quantum computers won’t put public key encryption (PKE) in peril imminently, but their potential has altered the course of crypto development, says a panel of experts including Whitfield Diffie, Adi Shamir, Radia Perlman, Anne Dames, and Clifford Cocks.
By John E. Dunn
General quantum computers don’t yet exist as usable tools and yet the mere possibility that they will in future is already transforming how people understand encryption security, a panel of some of the world’s best-known cryptographers has agreed during a session at the RSA Conference in San Francisco.
The panel included famous cryptographers Adi Shamir (RSA co-inventor), Whitfield Diffie (of Diffie-Hellman key exchange fame), Anne Dames (IBM distinguished engineer and crypto expert), Clifford Cocks (former chief mathematician, GCHQ), and Radia Perlman (inventor of the STP network protocol).
Shamir, Borman Professor of Computer Science at the Weizmann Institute, contrasted the achievement of quantum computing unfavorably with more tangible advances in areas such as post-quantum cryptography (PQC) and artificial intelligence (AI).
“The main things which have been delivered are more promises. Today, not a single practical problem has been shown to be solvable by quantum computers any faster than classical computers,” said Shamir.
Dell Technologies Fellow Perlman agreed. “There’s a lot of hype about quantum computing…it reminds me of the hype around blockchain. But it will have a significant impact on us, which is that we’re going to have to replace our current public key algorithms,” she said.
Clifford Cocks believed that even advances such as the recent Chinese claim to have undermined RSA with a quantum computer were less of a problem than they appeared.
“People might be concerned about the Chinese paper…but there’s really no evidence whatsoever that that’s going to make any impact at all on what’s required for large cryptographic moduli.”
Anne Dames made the point that it’s not just about qubits; quantum computers also have to solve problems on a practical timescale. Just because they are orders of magnitude faster than classical computers at breaking public key cryptography doesn’t automatically mean that such an approach would scale well.
“The public key systems are the most vulnerable, but because of Grover’s algorithm we have to consider symmetric key and hashing functions as well, but there we might only need to increase the size of the message digest.”
Harvest now, decrypt later attacks
Another concern for Shamir was the way that the theoretical threat of quantum computers was affecting security years in advance of their confirmed existence. He used the example of harvest now, decrypt later attacks, in which intelligence agencies across the world might collect today’s encrypted data in the expectation that they could decrypt it in future, most likely without anyone knowing this had happened.
“If you decide to switch to PQC today, go for the highest-security algorithm because if your secrets require 50-year secure life, don’t skimp on security,” he said, recommending SPHINCS+ as the PQC candidate that offered the greatest long-term security.
“If you’re worried about 50 or 100 year security, don’t use public key cryptography. Public key has inherent risks and for anyone who wants the highest level of security I don’t see any public key system that will give strong assurance.”
To this, Diffie offered the interesting if ironic observation that despite the usefulness of quantum attacks on public key cryptography to the NSA, the agency had been among those pushing for the development of PQC, whose candidates are currently being whittled down to a likely shortlist by NIST.
10 years after Snowden
Despite the anxiety about quantum computers, security was still more likely to be broken by traditional means, argued Diffie, reminding the audience that it was 10 years since Edward Snowden made public his NSA cache of top-secret data. Seemingly, nothing much has changed on this front, noted Perlman.
“He exposed that a low-level IT person could get access to all of this. So, we’ve learned our lesson. There’s no way a low-level IT person these days could get access,” she quipped, humorously alluding to the alleged recent leaking of U.S. military intelligence by Jack Teixeira.
On the other hand, Shamir pointed out that Snowden had potentially done damage even if that wasn’t obvious from the outside.
“I personally believe that Snowden caused a catastrophe in the short term and a big problem in the long term. The U.S. lost a big portion of its sources and methods which are considered the crown jewels of spy craft.”
Insights into Developing Workforce Strategy
Also taking place at the RSA Conference, (ISC)2 participated in a panel discussion debating a number of perspectives on cybersecurity workforce strategy.
The catalyst for the session was the U.S. National Cyber Workforce and Education Strategy, a paper focused on four main areas: the U.S. federal cybersecurity workforce, the national cybersecurity workforce, cybersecurity education and training, and digital awareness.
Speaking at the event, Tara Wisniewski, executive vice president for Advocacy, Global Markets and Member Engagement at (ISC)2, said that “one of the things that is so important about this strategy is that it calls the ecosystem to task. By doing so, it means the federal government needs to take a leadership role. Also, everyone needs to come to the table. We need to find innovative strategies for workforce development in a way that we have not in the past, because what has happened in the past hasn’t worked.”
Wisniewski discussed the importance of training and professional development, along with the need to improve diversity in the profession to expand the talent pool, attracting more people from more varied backgrounds who can move forward and enter the workforce, helping to address the U.S. workforce skills gap. Later, at a reception for (ISC)2 members, Wisniewski also discussed the launch of a report by (ISC)2 and the Royal United Services Institute for Defence and Security Studies (RUSI). The report examines different approaches to cybersecurity policy, regulation and legislation, with a focus on the policy priorities of the U.K., U.S., Canada, Japan, and Singapore, as well as the E.U.