Post-Quantum and the Impact on Blockchain
In this episode, blockchain expert Jon Geater, Chief Product & Technology Officer at RKVST (formerly Jitsuin), and Pali Surdhar, Director of Product Security at Entrust, break down the migration of today's distributed ledger technology to one that is quantum-resistant and address how blockchain technology will be affected in a post-quantum world.
Transcript
Samantha Mabey: Welcome to Entrust Engage, an open forum for the most innovative leaders in security technology. I'm Samantha Mabey. And on today's episode, we're going to dig into the topic of post-quantum, and its impact on blockchain. I've got two guests joining me today. I'm joined by my colleague Pali Surdhar, Director of Product Security here at Entrust.
Pali Surdhar: I am.
Samantha Mabey: And I'm also excited to introduce Jon Geater, who's joining us today as well, the Chief Technology Officer and co-founder of Jitsuin. Welcome to both of you.
Jon Geater: Thanks, Sam.
Samantha Mabey: Appreciate you taking the time to join me today. On our previous podcast, we took a look at quantum computing, the threats associated with it, and what organizations should be doing to prepare for a post-quantum world. But today, we're going to continue the conversation, but more specifically looking at its impact as it relates to blockchain. So to get started, I think what would probably be great is to do a quick level set with our listeners. And perhaps, Jon, if you don't mind, can you provide a quick overview of blockchain, what it is, what it's good for, where the technology's going?
Jon Geater: Yeah, sure. It's one of those topics that could take three minutes or three hours, but I think with the important linkage to the topic of post-quantum, what we can think of as the collection of technologies that all claim to be blockchain or something like it, are always ledger-based, meaning you're keeping records of stuff. They're based on high integrity crypto. So you're trying to make sure that the stuff you're keeping records of has high integrity and has a long lifespan. And they're decentralized, meaning that you've got many stakeholders having different access and control of that computer system.
So one of the best ways to think about blockchain in standard architectures is that it takes that heavy centralization from the old Web 2 world. So that's where all of your messages have to go through Facebook, or all of your emails go through one email server under the control of one company, under the maintenance and control of one sysadmin, and it moves and spreads that around. And that gives you two different great properties there.
It gives you a spreading around of control, as I've mentioned. So there's not one person with a big red button or a back door who can turn off your service or modify records, or somehow interfere with your operations. But it also brings a shared and decentralized accountability. So everybody who's doing things on the platform and recording this long term high integrity data to that record of what happened or who did what, they're also held to account for what they did. Because once it's there, you can't hide it.
So don't get too hung up on specific types of blockchain. Don't get too hung up on Bitcoins or Ethereums, or anything like that. Or certainly not hash graphs and some of the new technologies. The basic fundamentals of anything in the blockchain stable is that it uses cryptography, and it uses fair access principles to make sure that everybody who relies on data, and generates and uses data in their operations, has fair access, good control, and a good understanding of how trustworthy that data is.
Samantha Mabey: That's awesome. Yeah, I think a lot of people when they think of blockchain, they associate it with something like cryptocurrency, but that eliminates the actual understanding of that underlying technology. So really appreciate you going through that. I think that was a great overview. So blockchain, we hear it talked about as a buzzword and same with quantum computing. So bringing the two of those worlds together, what does quantum computing have to do with blockchain, and what threat do advances in quantum technology pose to blockchain?
Pali Surdhar: Should I take that, Sam?
Samantha Mabey: Yeah, sure.
Pali Surdhar: So thanks, Jon, for the really great overview of what blockchain is. That was very succinct. You mentioned two things, or actually three. You talked about accountability and integrity, and actually, control. So the whole thing around blockchain is that it relies heavily, very heavily, on cryptography to do a couple of things. One is for the transaction mechanisms where actors have to authenticate themselves and the data to be transacted to the system.
And the actual other side of it, probably not so relevant in some blockchains, but consensus protocols. You see more of those in cryptocurrencies, where transactions are validated by a group of nodes. So they all reach consensus before you can actually add them to a block. So yeah, to my mind, I think blockchain is essentially constructed from crypto.
Jon Geater: Yeah, if I can come in, that's an interesting place to draw the threat. So I guess we are in a space, Entrust lives in a space. And what we find time and time again is that cryptography and its application are almost always misunderstood. By the time the thing is in an application or it has a name, people forget why they did it or what the purpose of the mathematics was. So I think it's really important, first and foremost, to work out what we are trying to do with the cryptography in blockchain, and how it's different to some of the sensational post-quantum stories that are coming out at the moment.
I was listening, curiously in Switzerland, I was listening to the BBC just last week, and they had a senior member of GCHQ, I think it was, on the Today program, talking about this threat. And even that explanation wasn't particularly great, in my view, which is a bit worrying. But it compounds the misunderstandings that are out there because some people, quite rightly, are worried about this sort of pre-caching, pre-decryption attack that's going on, which I'm sure you've spoken about in other episodes, where right now nobody can decrypt all our traffic. But they're just collecting and collecting and collecting so that in the future when a sufficiently capable quantum computer comes along, it can crack the key exchange. The key exchange then gives up the symmetric keys, and symmetric keys can decrypt all your secrets. And that is scary to some people for some reasons.
That's not as relevant to blockchains because, although there is a confidentiality angle to it, and yeah, it's obviously important to have confidentiality, the key fundamental thing that blockchains are trying to do in computing architectures isn't that. It's an integrity thing.
Pali Surdhar: Correct.
Jon Geater: So what we're trying to do is to make sure that if something is written on the chain, that's what was always written on the chain. If it's got an identity attributed to it, that is the identity that was used, and so on and so forth. And so where the quantum threat comes in is much more about threatening the integrity of historic ledger records. Because if you could forge something, you can backdate. And if you can backdate, you can effectively change history. And if everybody's built their applications to believe that their history is infallible or immutable in blockchain jargon, that's where your problems come in. So the threat is not one of compromising state secrets and decryption, because decryption is relatively safe already, it's one of ensuring the truthfulness of things that you're reading from the past.
Samantha Mabey: The ability to rewrite history seems like a big deal there. So based on that threat, what can be done or is being done to help mitigate this?
Pali Surdhar: So blockchain's quite interesting in the sense that to some degree it's already quantum-resistant. So there's two types of attacks that people are worried about with quantum computing. One is actually breaking public key crypto. That's Shor's algorithm, which will allow you to break public key crypto. And the other is actually Grover's search, which will allow you to do faster searching on hashes and even symmetric.
So the latter, so a Grover's attack will presumably be targeting consensus type protocols. And even NIST has been saying that it's very difficult to perform such attacks, and even to compete with the ASICs and the rate at which they're actually being produced and how fast they're going. So we can probably put that attack to one side. So attacks on consensus out of the window, maybe. The attacks to signature schemes, and that's based on the discrete log problem, are perhaps where you might have to worry a little more.
And there's maybe three areas. One is where you could reuse addresses, reveal the public key, and, again, that's more relevant where you're trying to steal money on cryptocurrencies. One on where the transactions have already been processed, so they're on the ledger. Those are a little more difficult to attack because they're embedded in a layer of hashes already, and you'd have to out-hash the ledger to actually attack that. And then there's the bit where you have unprocessed transactions. That's where it gets a little more tricky. And, say, if you had a very fast quantum computer, transactions that are broadcast to the network, and before being placed on the chain, those are potentially vulnerable.
But this is all, to my mind, it feels a bit farfetched, but are the vulnerable areas that I see. Jon, do you see any others?
Jon Geater: Well, that's fundamentally the thing. So for folks who are familiar with the blockchain architecture side, and a bit less comfortable on the crypto, what you've described is essentially the wallet layer, the client layer, and the network layer, which is the three main bits. And obviously, there's crucial cryptography in each of those layers that protects things. So it's worth just quickly going over all three of them. So you talk about compromising addresses, you're absolutely right.
I think the thing that people need to worry about, though, on compromising addresses is that effectively that's your digital identity in the state of the art today. Your wallet private key is the keys in the famous meme, not your keys, not your crypto. So just because it's blockchain doesn't mean it's any way special in that way. And folks familiar with Entrust will definitely know the value of having hardware tokens or HSMs for keeping their keys safe. 'Twas ever thus. And I think most people would do much better to buy a Ledger or something, or a Trezor, than worry about quantum attacks on their wallets right now. But for sure, that's interesting.
The conversation about consensus is much more interesting, you see, because exactly the issue of compromising anything, whether it's a code bug, a crypto bug, or an advancing quantum crypto, can only happen at any point in time in one place, on one computer, in one piece of memory. And that computer then has to convince all of the others who are participating in consensus and laying down the transactions and blocks to actually apply that, and to then believe that that's the main chain. And so the decentralized nature of these networks actually already has built in resistance. Because they know already that building on the basis of zero trust architectures, and trust no one and being resilient, as opposed to trying to be bulletproof, was always the right kind of architecture to design.
So even if someone were able to go back and magically find a working pre-image attack against something mid-chain and rewrite history, they would then have to convince all of the other computers that this is the right answer. And then convince all of the clients that this new version of history is the right version of history to accept. And this is what's the shortcut version to this, is to look up what a fork is. This is another thing that's often quite misunderstood, or quite poorly understood, is exactly what a fork is when you talk about blockchains.
But essentially, it's just a different agreement on history. And you have to get through all of those other barriers that have nothing to do with crypto in order to get one of these things to stick. So there are lots and lots of layers of resilience which offer the opportunity to spot and to highlight and to stop these kinds of attacks from being applied, even when they're mathematically possible.
Pali Surdhar: So that's an interesting view, Jon. So what you've just said there is actually it's much harder to perform a 51% attack, even if you have computing resource to do it, mainly because of the distributed nature of blockchain.
Jon Geater: Assuming it's properly done. I'm not claiming that this is the truth today. Because actually, if you look at the survey of technologies here, Bitcoin has exactly one client. So there's one code base to compromise. And if you could find a way of convincing them all to do one thing wrong, then actually a 100% attack is really trivial in certain cases. So there's a way to go on the engineering, but the design of the thing is, as I said, and as people put more layers in and more clients and more interoperability, you get more of that robustness and heterogeneity in the layers.
Pali Surdhar: And I guess, moving on with the question of mitigations. We are well aware of the developments in NIST and the NIST competition to find quantum-resistant crypto. So I think there's a place where you're saying, "Okay, at one point we have to start worrying about transitioning crypto and whether that's possible or not."
So we've already said that, "Hey, by the way, there's already some resistance in blockchain as it is to post-quantum or quantum attacks."
Jon Geater: Yeah.
Pali Surdhar: Is there any urgency, then, to start worrying about quantum safe techniques or-
Jon Geater: Probably. It really depends on the application. So my business uses ledgers to provide a layer of accountability to what's otherwise a relatively standard SaaS doing operational information. So we provide continuous assurance for connected operations. It means rather than checking every year to find out why there was a fire in your IoT factory, you can actually look in real time, see what's going on, and stop the fire from happening.
And clearly, you need to be able to trust the information that you are getting from all of these various web servers and applications, if you're going to act on it in any meaningful way. So there's an accountability there, which means that the urgency really is on the identities, the provenance data, in our case. Now there are other cases where the confidentiality is a bit more interesting. So if you've got supply chain type use cases, which are popular, you have antitrust concerns, meaning that you can't have competing companies on the same chain being able to see each other's pricing or yield and things like that.
So it really depends on the use case where the urgency is. But I think, just to bring out some thoughts, if there is a confidentiality requirement, there are key exchanges and things going on. And you have basically the same issue that the general internet does. So think about that. May or may not be important. What I would say is that in proper architectures, you don't need to be as vulnerable and as basic as the internet. So that should be fine with the reig.
The other thing to think about is going to be with the data inside the blocks themselves.
Pali Surdhar: Yeah.
Jon Geater: Because quite often you don't actually write the full data. You write some chain reference or some digest or whatever. So you need to make sure that those can't be somehow faked. And in that case, it's useful to have resistant algorithms somewhere in the mix, either in the layer itself or in the blocks, so that you've got dual protection. Because obviously if you can have a traditional algorithm in one place, but then it's wrapped in another one, then you've got two places to check. And if you check both, then they've both got to be hacked in the same way, which is essentially infeasible.
So it really is use case dependent. But I guess the good news is that there's nothing new to learn, really, other than understanding what the crypto is for at each point in the blockchain. You then just fall back to the standard question of, am I worried now or am I worried in the future? So does pre-decryption capture matter? Maybe, maybe not. Probably doesn't. But it might do. Do these identities matter into the future? Probably they do. So you need to worry about the crypto being used for the identities. And I think the one that people never think about, that I actually think is the most important, is are we ever going to have to recover this thing from an archive or a backup?
Pali Surdhar: Yeah.
Jon Geater: Because that's really the point at which you start to accrue a big legacy that gets around all of those questions of decentralization and the different layer checks. And if I'm live, I can always roll over my crypto. And I can check it before it's broken, and then I double sign it for a bit. And then I roll it over, and I'm okay. But backups, I think, are the place where we have the most interesting question over preparing for changes. So if your architecture deploys any of that, or you have any big forks or rollbacks that you do, that's a place where you've got to be really careful, I think, right from today.
Pali Surdhar: Yeah, that's quite an important practical concern. And I guess if you start thinking about some of the other aspects in terms of, I suppose, standards and, dare I say the word, regulation, so I suppose, could that be a contentious area? Because the whole very nature of this is that it's supposed to be decentralized, maybe less deregulated. Again, I'm trying hard not to drag myself into the cryptocurrency land, but I guess it's just saying, "Okay, are there any barriers to mitigating in time? Are we going to be chasing our tails?"
Jon Geater: Yeah, that's an interesting one, isn't it?
I wonder if it isn't worth just bringing that question up a layer, and saying that computers are computers and data is data. It's unusual to regulate specific computing technology. Things that are regulated are business operations of one kind or another. And so if we look at the US Executive Order 14028, or last week's related missive on federal systems and zero trust architectures, or if you look at the NIS from Europe from a couple years ago, all of those point very heavily towards critical computer systems being well-protected, being prepared for the future, being built on zero trust. There's a very significant overlap between the requirements of those important regulations and the capabilities of blockchain based architectures.
So there's lots and lots of implied regulation and detail in there. But actually, all that they're saying is that if you build bridges or run power stations, you have always been responsible for your bridges and power stations being safe. And just because you're using computers doesn't make you any less responsible for your bridges and power stations being safe. So you'd better understand what those computer systems are doing, and what the importance of the data that you are bringing into your data-driven or digital transformation is going to have on your safety stance and your security.
So I think, actually, what we are looking at is getting regulations to say what are we trying to achieve? And then making sure that the crypto that we deploy underneath it is well enough understood by the practitioners, the people who actually hold the keys, the people who commission the systems, that they can confidently keep those regulations and those compliance standards together.
Pali Surdhar: That makes a whole bunch of sense. It is a tough question, but I completely agree that if it's your business to look after assets, you need to be doing everything, covering all bases to make sure that they are kept safe and perhaps trying to understand things a little more deeply now. Because attacks are getting more sophisticated and hackers are getting more determined. So yeah, you can't leave any rocks unturned, can you?
Jon Geater: Exactly. And I think, even taking that a bit further since you mentioned the regulation side, obviously there are legal disclosure requirements and things that go on. So something else which is really important to raise is that post-quantum crypto or not, and attacks or not, it is perfectly possible to have a secure ledger, which has all of the promise of decentralization and joint accountability and long-term immutability. All of the provenance, governance, and immutability guarantees that everybody wants from a high assurance shared system. You can have all of those, and also still have access rights for law enforcement and lawful intercept, if those are part of your business operations and your regulatory standpoint.
So I think it's an important question to talk about the regulation, but I think regulating this technology specifically, or making regulations and compliance specifically for post-quantum readiness, I think that would be a bit of a mistake. Because this, in all honesty, is no different to 2010 when we had the SHA sunset.
Samantha Mabey: The last podcast, we discussed migration, how difficult it will be to migrate from SHA-1 to SHA-2. That transition was much longer than expected. And for our business, we know that quantum safe algorithms, the transition, will take several years. So I'm just wondering, does something like that apply to blockchain? Is there going to be a migration from classical crypto to post-quantum crypto?
Jon Geater: Yes.
Samantha Mabey: And how difficult will that be?
Jon Geater: It really depends. There are a lot of changes happening in the blockchain space for all kinds of reasons. So Ethereum, the world computer, is updating to have things like SHA, and it's updating for roll ups. And it's updating for having different consensus mechanisms, all in pursuit of speed and scale and everything else. And so those changes can come with changing keys and can come with changing algorithms. And those challenges are fairly well understood.
The place, again, where the challenge is going to start to get difficult is that some chain technologies are thinking about archiving. And so you only have a year's worth of agreed state online. And other things are pointed at through various layers of archive. And again, in that case, if you're not keeping those up to date, if you're not transitioning the crypto, if you're not keeping dual signatures, that thing could get tricky. But it's such a fluid space. The details are tricky to pin down right now.
Samantha Mabey: And when we've talked to our customers, one of the first recommendations we make is to do a crypto inventory of what algorithms and mechanisms are being used and where. So again, applying this to blockchain, is there a similar recommendation you'd suggest or actions for our listeners to be doing now?
Jon Geater: Well, I guess the good news is that you're not alone. The whole point of blockchain... If you are the only person using it, you don't need a blockchain. So again, just to outline why I use ledgers in my business, is because you'll have two, or actually probably 20, busy and important businesses who are working together to achieve some safety aim. And unfortunately, no matter how trustworthy your IT admin is and how good they are at keeping their systems patched and safe, I can't bet my insurance policy on that. I've got to trust my IT admin.
And so what the blockchain does is create an accountability for that shared infrastructure that allows everybody to zero trust each other. So if you're on your own, you don't need a blockchain. You need a better IT department. And what that means is that you can work in that community with a large body of technical experts, with all of the node operators to agree on the updates and the protection you're getting. And pull on all of those resources and expertise to make those upgrades.
So yes, I would say to your customers that they need to be looking at this stuff and update their crypto and transition their algorithms for sure, as they always ever did. And they need to make sure their wallet keys are not compromised. Otherwise, you've got to transition your addresses just the same way you ever did. But the thing that's easier about this this time around is that you are in a community, and you can come to an agreement, dare I say consensus, about how you jointly protect all of your assets and agree your joint history, rather than having to do it in a panic on your own.
Samantha Mabey: I think that's great. I think that's a good takeaway. You're not alone.
Pali Surdhar: Yeah, it's brilliant.
I guess what is interesting for me is people like Michele Mosca saying, "Hey, 15 years and things are going to be broken." But I suppose maybe adding to the crypto inventory, I'd suggest looking at some risk assessment, or maybe thinking of a recovery plan and saying, "Okay, what is it you need to do based on," I suppose, looking at the crystal ball. But yeah, that's probably my two pence to this piece.
Jon Geater: Yeah, well, so be prepared. It's a great point, Pali. Be prepared. So if you haven't prepared for these things to be broken and updated, yeah, you will be very sad in 15 years' time.
Samantha Mabey: Yeah. If you prepare, and the time to prepare is now. Should definitely be thinking about this.
Jon Geater: Yeah.
Pali Surdhar: Yeah, it's a good one.
Samantha Mabey: Awesome. All right. Well, I would like to thank you both, Pali and Jon, for joining us today. That was a very insightful conversation. I really appreciate it. And I know I certainly learned a lot. I'm sure our listeners learned a lot, so I'd like to thank you so much for taking the time and having this conversation today.
Jon Geater: Wonderful. Thanks so much.
Pali Surdhar: Yeah, thank you. Yeah.
Samantha Mabey: And that's it for today's podcast. Keep up with us and new episodes by following us on LinkedIn and Twitter using the links in the episode description. And thank you so much for listening to Entrust Engage.