The world of information security really looks the historical challenge between weapons vs. armors in the military sector. As a new form of apparently unbreachable defense is developed, a new weapon gets invented to pierce through even the thickest armor.
No matter how ideally secure your cybersecurity strategy may look, new hacking strategies will find a way to get over, around, or through it in due time.
As the quantum technologies start to become a reality, this cybersecurity quandary has become a true cat vs. mouse game. Since it’s still too early to predict how this hack (pun intended) & slash story will unfold, let’s trace it back to its origins to know what happened so far and what's happening now.
Chapter One: Quantum Hacking
In the beginning, there was cryptography. Even today, public key cryptography is most basic yet effective encryption technique to protect your data from malicious actors and keep it away from prying eyes. Schemes like the popular RSA one, are based upon a relatively simple assumption: even the most potent computer currently available does not have the computing power to decrypt these keys.
So far, so good. However, there’s an issue, that at least for now, is largely theoretical. There’s a way to break the code.
The so-called Shor’s algorithm is a one-of-a-kind algorithm for integer factorization that can break the RSA scheme. The issue is that it only works on quantum computers since they can exist in multiple states and solve a large number of problems at the same time with the same processing power. And while this technology still doesn’t exist, it’s only a matter of time before it will.
In other words, when quantum computers will start to see the light, quantum hacking will become a serious threat since it will be able to defeat all current encryption schemes. And while the cybersecurity experts are busy moving to quantum-resistant cryptography before the quantum hacking apocalypse occurs, there are some who claim that the day of the dreaded quantum crypto break may have already happened.
Chapter Two: Post-Quantum Cryptography
To staunch the risk of quantum hacking, someone thought about developing quantum cryptography because, well, it makes sense to fight fire with fire, doesn't it? Lo and behold, here it comes post-quantum cryptography, also known as quantum encryption.
Post-quantum cryptography is an umbrella term that encompasses several different approaches, all aimed at making much harder (when not impossible) for quantum computers to break the encryption schemes. All these approaches are currently theoretic, so it’s hard to tell which one will become the new security standard when quantum computing becomes mainstream.
The first idea is pretty straightforward — creating longer encryption keys so that even quantum computers can’ break them. The cons of this approach are quite self-explanatory, however. To stay ahead of quantum computers, key length will have to increase substantially, making encryption slower and significantly more expensive.
Longer symmetric keys can also be used since quantum computers have no real edge over traditional ones in decrypting systems like SNOW 3G or AES. A somewhat half-way approach could be to use symmetric encryption for the messages, and asymmetric encryption only for the keys.
Since symmetric key management systems such as Kerberos and the 3GPP Mobile Network Authentication Structure are already available, expanding them can be much more feasible than developing something new from scratch.
Lattice-based cryptography is another potential solution and currently the leading candidate for post-quantum security since it’s the most practical to implement. For years, schemes like NTRU encryption or the ring-LWE algorithms have been repeatedly tested and proved to be resistant enough.
Quantum key distribution (QKD) currently is the most promising method to create completely secured encryption keys by sending subatomic particles through a fiberoptic line. China is particularly ahead with this technology, and may have found a way to address some of the current limitations of QKD. Instead of utilizing specifically-enhanced high-speed fiber optics communication equipment, scientists found a way to leveraging existing fiber networks.
However, QKD still require the use of relays and repeaters, as well as routers and hubs when messages travel long distances. All of them represent a potentially weak point that hackers could use to break into the network and steal the encryption code.
Chapter Three: Defeating Post-Quantum Cryptography
As the story unfolds, things become even more complicated and the hacking cat may catch the cybersecurity mouse once again. As it always happens in the cybersecurity landscape, once a technology to secure data is discovered, hackers will find a technology to break it again. So here you go: let me present you injection locking, a laser technique to go "pew-pew" on quantum cryptography.
As we explained in the previous paragraph, QKD uses photons to encode information, which are measured by the receiver to decrypt it. Anyone who tries eavesdropping the communication between sender and receiver will change the message.
In fact, the mere action of measuring the quantum properties of each photon unavoidably alters the information exchanged. This is the basic assumption of QKD: whenever the key to decrypt the information sent is changed before it reaches the receiver, the transmission is stopped to prevent anyone from overhearing it.
What has been found, however, is that quantum communication can be attacked by changing the frequency of a laser. Photons with a different seed frequency are injected into the cavity so that the laser can resonate with it, effectively altering the output frequency. However, the frequency of the outgoing photons can be altered only if the polarization of the injected photon matches the outgoing ones.
This means that the code can be revealed with a 60% success rate by measuring the photons injected rather than the outgoing ones, leaving these ones completely unaltered.
Here you go, all your plans for security destroyed.
Will the cat eventually catch the mouse, or is the rodent going to escape the feline’s claw forever (just like in a Tom & Jerry cartoon?) Right now, it’s way too early to know since quantum computers aren’t even realized, yet.
So, why are we talking about it at all? Because cybersecurity is a field where it's critical to know the answer to a problem before that problem becomes just that.