Cryptography is omnipresent in our daily lives, securing our mobile and network communications and protecting transactions. Advances in quantum computing could threaten the security of at least some of this data in the next few years, so companies – and countries – need to be prepared for change.
Cybersecurity may soon be threatened by advances in quantum computing. We need to prepare for change.
Aline Gouget, a cryptography adviser at Thales, a technology company, spoke to BNP Paribas about post-quantum cybersecurity following a presentation she made to BNP Paribas' Women in Business club at the VivaTech innovation gathering in Paris in May.
Hello Aline and thanks for sparing the time to talk to us. First, could you tell us about your job?
I'm in charge of advanced cryptography in the Digital Identity and Security business at Thales.
I act as a bridge between research and industry for advanced mechanisms that could be used in the future, for example in data protection. I look at the constraints associated with these mechanisms and how they could be integrated in real life.
My priority is to understand advances in cryptographic attacks and what impact they might have on products and solutions, both now and in the future. We need to understand how safe the cryptographic algorithms we use are, and for how long. Even data that already exists may require protecting for longer than the product in which it is contained remains secure. So we need to be prepared, to be able to change cryptographic mechanisms and become 'crypto-agile'.
I also work on new cryptographic mechanisms like homomorphic encryption, which allows calculations to be made on encrypted texts known as ciphertexts, and how these mechanisms can be used industrially.
What are the advantages of quantum over traditional calculation?
Quantum computing can speed up calculation in certain cases, using what we call the superposition of states: the bits that make up a quantum computer, qubits, unlike their classical computing equivalents, can exist in two states at the same time.
Until recently, quantum computing was an idea, a dream. Now we have passed that stage and the problems that remain are in the realm of engineering. There is still some way to go, however. While several thousand qubits would be needed to endanger encryption, for the moment the biggest existing machine is a 72-qubit machine built by Google in 2018.
So when do you think quantum computing might become a threat?
I'm a cryptography specialist rather than a quantum specialist and I don't like to make predictions. Also, after discussing this with specialists there doesn't seem to be a consensus. This is at least partly because there are different ways of constructing qubits. It also depends on how much is invested in research in this area. However, fewer and fewer people seem to think we will ever have a "universal" quantum computer – which we don't necessarily need, anyway. What might be more useful is quantum accelerators for computing.
From what I understand, any changes will come little by little and nobody is predicting there will be a 'big bang' immediately. I think we might need to migrate our systems within 10 years: this is when the US National Institute of Standards and Technology (NIST) has said that the risk of quantum attacks could become real. Crypto resilience and robustness are therefore vital.
Speaking of NIST, in 2016 it issued a call for proposals for standardised cryptographic algorithms that would be secure against both quantum and classical computers. Are you involved with this?
Thales is working on a post-quantum signature algorithm named FALCON, which is based on mathematical objects called lattices. FALCON has been selected for the second round of the NIST post-quantum process for standardisation. In the "signature" category, only nine candidates are being studied in this second round whereas there were 19 in the first one. I was not personally involved in this initiative and my goal is rather to understand what impact the proposals that have been made might have. As part of this role, I carried out some analysis as is standard industry practice: we can contribute to projects by providing feedback on the suggested solutions.
A separate NIST project, as part of its post-quantum cryptography development effort, concerns stateful hash-based signatures (HBS). These signatures involve constructions of cryptographic 'primitives' – building blocks – based on the security of hash functions, which take data of arbitrary size and produce a fixed-size 'digest' as output. 'Stateful' means the state of interaction is tracked.
There is already consensus on the security of these signatures, so the standardisation process can already be started and the project is more short term. Thales is participating directly, and has provided comments on the limitations of specific HBS schemes.
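A minimal illustration of what 'stateful' means for a hash-based signature, added here as an example and not code from the interview or from Thales: a handful of Lamport one-time keys sit behind a counter, so each key signs exactly once and the signer refuses to continue once they are used up. It assumes only Python's standard hashlib and os modules; the standardised schemes (LMS, XMSS) replace the flat key list with a Merkle tree but track state the same way.

```python
import hashlib
import os

def H(data: bytes) -> bytes:
    """SHA-256: the only primitive the scheme relies on."""
    return hashlib.sha256(data).digest()

def msg_bits(msg: bytes):
    """The 256 bits of the message digest, one per Lamport key pair."""
    return [int(b) for byte in H(msg) for b in f"{byte:08b}"]

class LamportKey:
    """One-time key pair: 256 pairs of 32-byte secrets and their hashes."""
    def __init__(self):
        self.sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
        self.pk = [(H(a), H(b)) for a, b in self.sk]

def lamport_sign(sk, msg: bytes):
    # Reveal, for each digest bit, the secret matching that bit.
    return [sk[i][bit] for i, bit in enumerate(msg_bits(msg))]

def lamport_verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(H(sig[i]) == pk[i][bit] for i, bit in enumerate(msg_bits(msg)))

class StatefulSigner:
    """Holds N one-time keys and the index of the next unused one.
    The index is the 'state': it must advance before a signature leaves
    the signer and must never be rewound (e.g. by restoring a backup),
    because a one-time key that signs twice reveals enough secrets to forge."""
    def __init__(self, n_keys: int):
        self.keys = [LamportKey() for _ in range(n_keys)]
        self.next_index = 0

    def public_keys(self):
        return [k.pk for k in self.keys]

    def sign(self, msg: bytes):
        if self.next_index >= len(self.keys):
            raise RuntimeError("all one-time keys consumed; retire this key")
        idx = self.next_index
        self.next_index += 1          # commit the state change first
        return idx, lamport_sign(self.keys[idx].sk, msg)

def verify(pks, msg: bytes, idx: int, sig) -> bool:
    """Check the signature against the one-time public key it names."""
    return 0 <= idx < len(pks) and lamport_verify(pks[idx], msg, sig)
```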
It might seem strange to be sharing information with a national organisation from another country in such a sensitive area...
NIST has global reach, enabling it to attract the attention of researchers worldwide. This is necessary in order to encourage as many vulnerability tests – attacks – as possible on encryption. The more attacks a primitive has resisted, the more likely it is to be secure. So trust and cooperation are necessary, and in everyone's interest.
Cryptographic systems are constructed using difficult mathematical problems. For example RSA, one of the first systems to come into use, relies on the fact that although multiplying two numbers together is easy, moving in the other direction and finding their factors is extremely difficult. Various teams have tried to crack this problem and have published their results, which has helped other parties in their appreciation of the security of the algorithm.
The NIST call for post-quantum projects is different, as it concerns new cryptography, which has received less attention and has been less tested. More attacks are needed to show how secure the proposed algorithms are.
The attacks on these algorithms are purely theoretical, as the solutions against which they are tested have not yet been deployed. The idea is to use them to gain confidence in the choice of the primitives used. So there is no industrial impact, and the results are discussed in forums and at conferences.
Does everyone have the same requirements regarding cryptographic security?
Government agencies make recommendations on security – for example, on the size of the 'key' that is used to decode data – especially when a company wants to certify a product. Different companies can also set out different recommendations: for example, companies like Visa and MasterCard use a standard known as EMV. Companies also keep an eye on new developments in others' recommendations, which helps them see what might need updating.
The Senior Officials Group Information Systems Security (SOG-IS) makes security recommendations in Europe, which must be in line with recommendations from national agencies like France's ANSSI or Germany's BSI.
What about positive uses of quantum technology?
There are projects looking into other quantum-related areas that are not included in NIST's scope, for example quantum key distribution. This technique, which provides a way to distribute and share secret keys that are necessary for cryptographic protocols, is not new – it has been commercially available for several years – but is increasingly being talked about today. Quantum sensors – quantum devices that respond to stimulus – are another.
The EU Quantum Flagship is a vast project that is complementary to the work done by the NIST and looks into the different uses of quantum technologies – unlike NIST, which is looking into what we need to do, assuming a quantum computer becomes available.