Has anyone watched Devs yet? It’s a new science fiction, thriller television mini-series written by Alex Garland, British writer of The Beach, 28 Days Later, Ex Machina and Annihilation. Devs is based around a fictional, bleeding edge Silicon Valley tech company called Amaya, who has achieved supremacy in the domain of quantum computing. The show is underpinned by a quantum computing ambience and has a dark, gritty storyline combined with a bit of determinism and sci-fi too.
However, what really drew me in to the show was the random sprinkling of physics, maths and cryptographic references. I like it when TV shows and their writers have done their research! Having studied electronic engineering back in the dim and distant past and working for Entrust Security, a data security company, for the last 13 years, gives me a glimmer of understanding of the underlying scientific principles and makes it feel more realistic.
To give you an example, the show kicks off with two of the characters discussing over breakfast the merits of elliptic curve over RSA algorithms in a post-quantum world – hold that thought. Later, in Episode 2, some of the developers from Amaya are huddled in the campus break-out space, referencing the Fibonacci sequence. For those that haven’t heard, this is a series of numbers in which each number is the sum of the two preceding ones e.g. 0, 1, 1, 2, 3, 5, 8. Cool I thought, I’ve used that in a work situation before! Next the dev team were noodling on the whiteboard and name dropped Shor’s algorithm. Whoa! I’ve heard the Entrust developers talking in the office about that. Shor’s algorithm, postulated in 1994 by American mathematician Peter Shor, is a polynomial-time quantum computer algorithm for integer factorization.
At Entrust our cryptographers are interested in Shor’s algorithm as it determines that a quantum computer with a sufficient number of qubits, could be used to break public key cryptography schemes. When that day comes, we are basically pressing the reset button on modern day cryptography and pretty much all communication on the internet. It really is that significant. In that same scene in Devs, the software engineers discuss the RNG. Too easy I thought, random number generator! I know from my time working as a product manager that the RNG is the fundamental building block of Entrust’s hardware security modules (HSMs). The RNG is what allows the HSM to serve up large prime numbers, often the starting point of modern day cryptographic algorithms.
After watching the final episode of Devs I decided to put in a call to our Chief Security Officer at Entrust , Pali Surdhar, not only to give him a heads-up on the TV show, but also to pick his brains on post-quantum. Pali reminded me that the US National Institute of Standards and Technology (NIST) are on the case. NIST is working to identify the best quantum-safe algorithms that are less likely to be broken by quantum techniques including new algorithms based on symmetric and hash-based schemes. NIST is accepting and reviewing submissions from the industry. Pali indicated we’re probably looking at another three to four years before that work is solidified and standardized.
The crux of the issue is with the advent of an available quantum computer, physical systems are vulnerable to attack. In this scenario the integrity of software can be compromised, breaking the code-signing signature and loading your own code onto the system.
Fortunately, time is on our hands. Estimates suggest we are anywhere from five to 20 years from a post-quantum world.
For now, organisations should be cognisant of this nascent, disruptive science and start developing a strategy for their post-quantum world. For those of us old enough to remember, think of it like Y2K. But this time it is more like Y2K4 since we know it will impact pretty much every aspect of web communication and transactions.
The good news is quantum computers with the capability of cracking modern day crypto are some way off. Indeed, the 2020 Global Encryption Trends Study indicates that enterprises project we are more than 8 years away from mainstream adoption of quantum resistant algorithms. But it’s important to start planning for its arrival now. Entrust has a strategy in place and we are closely monitoring developments in the industry and await the shortlisted algorithms to be announced by NIST.
To recap, in the post-quantum world:
- Shor’s algorithm, will impact all existing public key asymmetric algorithms including RSA and elliptic curves
- In addition, symmetric algorithms will be weakened as a result of Grover’s algorithm
- All sensitive data protected solely by asymmetric crypto algorithms or 128 bit symmetric algorithms should be considered at risk of compromise
Fortunately, post-quantum is still some way off and there is time to adopt some security best practises, steps that Entrust is following. These apply equally to any organisation to make sure they are best prepared:
- Ensure your organization has a post-quantum strategy in place. Lobby your CSO to make it happen.
- Keep abreast of the emerging post-quantum algorithms from NIST. Develop a plan to test and deploy them
- Develop a crypto-agile mind set. Where possible, don’t hard-wire specific pre-quantum algorithms into your certificates and code. Make sure you have the ability to upgrade when required, adopting new post-quantum algorithms as and when they become ratified
- Until post-quantum-safe algorithms are available, use a hybrid approach of currently available quantum resistant algorithms in conjunction with existing asymmetric algorithms.
- Use longer symmetric keys and algorithms
Finally, don’t get too stressed about post-quantum. As Forest, the enigmatic CEO of Amaya in Devs, says “Don’t worry. It’ll be ok.”