What is Quantum Cryptography?
(Quantum Science and Technology)
 

Quantum Physicist and Brain Scientist 
Visiting Professor of Quantum Physics, California Institute of Technology
IEEE-USA Fellow
Dr. Kazusho Kamuro, Ph.D.
AERI: Artificial Evolution Research Institute
Pasadena, California
HP: https://www.aeri-japan.com/

 

Quantum cryptography applies the principles of quantum mechanics to encryption and data transmission so that data cannot be read by attackers, including attackers who have quantum computers of their own. The term is also used more broadly for cryptographic tasks that rely on the unique capabilities of quantum computers. In theory, such computers could support new, stronger encryption systems that cannot be built on existing, classical computing and communication architectures.
While many areas of this science are conceptual rather than a reality today, several important applications where encryption systems intersect with quantum computing are essential to the immediate future of cybersecurity. Two popular, yet distinctly different cryptographic applications that are under development using quantum properties include:
⦁    Quantum-safe cryptography: The development of cryptographic algorithms, also known as post-quantum cryptography, that are secure against an attack by a quantum computer and used in generating quantum-safe certificates.
⦁    Quantum key distribution: The process of using quantum communication to establish a shared key between two trusted parties so that an untrusted eavesdropper cannot learn anything about that key.
This article focuses on post-quantum cryptography, quantum-safe certificates, and how enterprises can protect themselves as these risks become a reality.
Quantum information science, which harnesses the properties of quantum mechanics to create new technologies, has the potential to change how we think about encryption in two main ways.

Post-quantum cryptography
Post-quantum cryptography, also known as quantum-resistant cryptography, aims to create encryption and digital-signature methods that cannot be broken by algorithms running on future quantum computers. Today's public-key methods will not remain secure if and when large, fault-tolerant quantum computers become a reality.
Take RSA cryptography: RSA is a widely used public-key system on which things like internet browsers and digital signature software are built. It creates pairs of public and private keys. The process happens in the background when you use an internet browser or sign a document using a digital signature, for example. In RSA, the private key is derived from two large prime numbers that are generated at random and kept secret. Their product, together with a public exponent, forms the public key; the private exponent is computed from the two primes. Anyone can encrypt information using the public key, but once they have, the information can only be decrypted using the private key.
The security of the system relies on the fact that it is prohibitively time consuming and computationally intensive to factor the large integer in the public key, recover the two primes, and from them compute the private key; no known classical algorithm does this in practical time for the key sizes in use today. However, Shor's algorithm, published in 1994 by mathematician and Caltech alumnus Peter Shor (BS '81), describes how, in theory, quantum computers could factor incredibly large numbers efficiently. This means that Shor's algorithm could be the downfall of RSA cryptography.
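As an added worked example (not code from the original article), the toy below generates an RSA key pair from two small primes and then recovers the private key from the public key alone, using the same order-finding reduction that Shor's algorithm uses. The period-finding step is brute-forced classically here, which is feasible only because n is tiny; on a 2048-bit modulus that one step is exactly what only a large quantum computer is expected to do efficiently.

```python
"""Toy RSA key generation and the order-finding reduction at the heart of
Shor's algorithm.

Added example, not code from the original article.  The primes are tiny so
the period-finding step can be brute-forced classically; for a real 2048-bit
modulus this step is what only a large quantum computer is expected to do
efficiently, which is why factoring n breaks RSA.
"""
from math import gcd
import random


def rsa_keygen(p, q, e=65537):
    """Build an RSA key pair from two primes.
    Public key: (n, e).  Private key: d, the inverse of e modulo lcm(p-1, q-1).
    Anyone who learns p and q can compute d, so the real secret is the factorisation."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    if gcd(e, lam) != 1:
        raise ValueError("e must be coprime to lambda(n)")
    return (n, e), pow(e, -1, lam)


def find_order(a, n):
    """Smallest r > 0 with a^r = 1 (mod n), found by brute force here.
    Shor's algorithm finds r with a quantum Fourier transform; everything
    else in shor_factor() is ordinary classical arithmetic."""
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def shor_factor(n, seed=1):
    """Recover a non-trivial factor pair of n from the order of a random base."""
    rng = random.Random(seed)
    while True:
        a = rng.randrange(2, n)
        g = gcd(a, n)
        if g != 1:
            return g, n // g            # lucky guess already shares a factor with n
        r = find_order(a, n)
        if r % 2:
            continue                    # odd order is useless: pick another base
        y = pow(a, r // 2, n)           # y^2 = 1 (mod n) and y != 1 because r is minimal
        if y == n - 1:
            continue                    # y = -1 would give only trivial factors
        p = gcd(y - 1, n)               # y^2 - 1 = (y-1)(y+1) = 0 mod n splits n
        return p, n // p


def recover_private_key(n, e):
    """What an attacker with a factoring oracle does with the public key alone."""
    p, q = shor_factor(n)
    _, d = rsa_keygen(p, q, e)
    return d


if __name__ == "__main__":
    public, private = rsa_keygen(61, 53, e=17)
    n, e = public
    c = pow(65, e, n)                   # encrypt the message 65 with the public key
    d = recover_private_key(n, e)
    print(f"n={n} factors={shor_factor(n)} recovered d={d}, real d={private}")
    print(f"decrypted with recovered key: {pow(c, d, n)}")
```

The loop body in shor_factor is the whole classical part of Shor's algorithm: a random base, a period, and two gcd computations. Only find_order changes between this toy and the real attack, which is why the size of n is the sole thing standing between a public key and its private key.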
As a result, "most likely, people will switch to new public key cryptography systems based on problems that we don't think quantum computers can solve efficiently," says John Preskill, Caltech's Richard P. Feynman Professor of Theoretical Physics, Allen V. C. Davis and Lenabelle Davis Leadership Chair, and director of the Institute for Quantum Information and Matter. Identifying such problems is an active area of research in mathematics and cryptography.
Quantum cryptography
Quantum cryptography uses the laws of quantum physics to transmit private information in a way that makes undetected eavesdropping impossible. Quantum key distribution (QKD), the most widely studied and viable method of quantum cryptography, uses a series of photons to transmit a secret, random sequence, known as the key. By comparing a sample of the measurements taken at either end of the transmission, users can tell whether the key has been tampered with. If someone wiretapped a phone, they could intercept a secret code without the callers knowing. In contrast, there is no way to "listen in" on or observe a quantum-transmitted key without disturbing the photons and changing the outcomes of the measurements at each end. This is usually explained by the uncertainty principle, which says that the act of measuring one property of a quantum system may alter some of its other properties; more precisely, a photon prepared in one of several non-orthogonal states cannot be measured or copied (the no-cloning theorem) without a chance of disturbing it, and that disturbance shows up as errors the two parties can detect.
Everlasting Security
According to Thomas Vidick, a Caltech professor of computing and mathematical sciences who teaches courses on quantum cryptography, QKD only makes sense to use for data that needs to stay private far into the future.
"If you encrypt your data today using standard techniques, it will likely be kept private for a decade. It's hard to know what the status of current cryptosystems will be beyond that time," says Vidick. "Today's cryptography is based on math that is hard to solve today, but in 50 years, maybe it won't be so hard to solve. For credit card transactions, that's fine. For medical records or government information that is meant to stay secret for longer, it may not be."
Why Is This Science Needed?
The rapid development of quantum computers promises to deliver powerful capabilities that solve a wide range of critical, even lifesaving, computing problems that traditional computers simply cannot. Unfortunately, they are also capable of generating new threats at unprecedented speed and scale. For example, factoring a 2048-bit RSA modulus is far beyond the reach of classical computers, yet a sufficiently large, error-corrected quantum computer running Shor's algorithm is expected to do it in hours to days. Estimates of when such a machine will exist vary widely; some industry forecasts place it within the next 5-10 years.
Hackers who add this type of computing to their arsenal will be able to break public-key algorithms widely used today. Specifically, RSA and elliptic-curve cryptography (ECC), which underpin key exchange, digital signatures and digital certificates, rest on mathematical problems (integer factoring and discrete logarithms) that Shor's algorithm solves quickly. Symmetric ciphers such as AES are affected far less: Grover's algorithm only halves their effective security in bits, which is addressed by using larger keys (for example AES-256). Breaking the public-key layer alone is enough to compromise most modern cybersecurity, communication, and digital identities.
Ensuring PKI solutions can provide adequate protection for these systems and data against quantum computing attacks is essential. This means that new quantum-safe algorithms must be developed and that businesses must migrate to new, quantum-safe certificates. The task of migrating to new digital certificates requires a well-planned effort to upgrade PKI systems and the applications using these certificates.
Development of and migration to quantum-safe certificates must take place as soon as possible and cannot wait until RSA and ECC algorithms are broken. In a "harvest now, decrypt later" attack, adversaries today can record sensitive data that is encrypted using current algorithms and then decrypt it once quantum computers are available. Businesses need to address this threat now so that their organizations' data, applications, and IT infrastructures remain protected for many years into the future.
Is quantum cryptography used today?
Scientists have demonstrated that QKD works, but it is not widely used due to significant technological limitations. To send a quantum key, a source emits the signal one photon at a time (in practice, heavily attenuated laser pulses) over a fiber optic cable. This method is far slower than current telecommunication technologies and requires a dedicated optical path between the two parties. For example, Amazon could not secure customer transactions using quantum encryption because it would require cables between its servers and the individual devices that make purchases. Distance is also a factor. When fiber optic cables are used to transmit data, as in your home internet and cable systems, they use repeaters to send the data over longer distances. However, conventional repeaters amplify the light and thereby disturb the delicate quantum state that is crucial to QKD; a single photon cannot be copied and re-sent without the same disturbance an eavesdropper would cause.
Researchers in China have demonstrated QKD over long distances using a combination of fiber optic cables with "trusted relay nodes" as repeaters and a satellite that transmits photons through the air. The name is literal: each relay node holds the key material in the clear while it re-keys the next hop, so every node must itself be physically secured and trusted, and the link is not end-to-end in the way a single fiber is. More research is needed to create a system that transmits keys reliably and efficiently.
In theory, QKD's security does not rest on any computational assumption, because eavesdropping on the quantum channel would always be detected, but its practical uses are limited, and real implementations have been attacked through imperfections in their hardware, for example by blinding the single-photon detectors. "If you build a house, it's only going to be as strong as the weakest pillar," says Vidick. "To have a truly usable system, you may need to combine quantum cryptography with elements that are not quantum, and those other elements could be vulnerable to attacks that theorists have not envisioned."
How Does Quantum-Safe Cryptography Work?
Academic, technology, and public sector organizations worldwide have accelerated efforts to discover, develop, and implement new quantum-safe cryptographic algorithms. The objective is to create one or more algorithms that can be reliably resistant to quantum computing. The task is technically difficult, but not impossible.
Good cryptosystems require a tough problem to solve. Quantum-safe encryption comes from choosing a mathematical problem that is hard for any computer, classical or quantum, to solve. Current RSA and ECC algorithms are based on number-theoretic problems, integer factoring and the discrete logarithm, over very large random numbers. Keys are constructed so that the private key cannot be derived from the public key by any known classical algorithm in a reasonable amount of time; attacks are rendered ineffective because they are too computationally expensive. With quantum computing, this fundamental assumption, upon which our entire security architecture is built, no longer holds: Shor's algorithm lets a sufficiently large quantum computer derive the private key from the public key in a reasonable amount of time.
Quantum-safe cryptography is built on entirely different problems. For example, lattice-based cryptography relies on the difficulty of finding short vectors or removing noise in high-dimensional lattices, problems for which no efficient quantum algorithm is known, so a quantum computer's special properties give little advantage in breaking it. These problems are hard for both classical and quantum computers, making lattices a good basis for post-quantum algorithms. Quantum-safe algorithms were proposed and vetted in a multi-year selection process run by the National Institute of Standards and Technology (NIST), the U.S. federal agency that develops such standards. NIST announced its first selections in July 2022 and published the first finished standards in August 2024: FIPS 203 (ML-KEM, a lattice-based key-encapsulation mechanism derived from CRYSTALS-Kyber), FIPS 204 (ML-DSA, a lattice-based signature scheme derived from CRYSTALS-Dilithium) and FIPS 205 (SLH-DSA, a hash-based signature scheme derived from SPHINCS+).
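To make the "different problem" concrete, here is a toy lattice-based encryption scheme in the style of Regev's learning-with-errors (LWE) construction. It is an added example for this article, not code from NIST or from any standardized scheme; the parameters N, M, Q and the error set are assumed toy values chosen so that decryption provably succeeds, and they are far too small to be secure.

```python
"""Toy lattice-based (LWE) public-key encryption in the style of Regev's scheme.

Added example, not from the original article or any standard.  Parameters are
far too small to be secure; they are chosen so the code runs instantly and the
decryption correctness bound is easy to verify by hand.  Production schemes
such as ML-KEM (FIPS 203) build on the same learning-with-errors idea with
much larger, carefully chosen parameters.
"""
import random

N = 16            # secret dimension (assumed toy value)
M = 40            # number of public samples (assumed toy value)
Q = 257           # modulus (assumed toy value)
ERR = (-1, 0, 1)  # small error distribution


def make_rng(seed):
    return random.Random(seed)


def keygen(rng):
    """Secret s in Z_q^N; public key is M noisy linear equations in s."""
    s = [rng.randrange(Q) for _ in range(N)]
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]
    # b_i = <a_i, s> + e_i (mod q).  Without e_i, Gaussian elimination would
    # recover s; the noise is what makes recovering s (the LWE problem) hard.
    b = [(sum(a * x for a, x in zip(row, s)) + rng.choice(ERR)) % Q for row in A]
    return (A, b), s


def encrypt(pk, bit, rng):
    """Encrypt one bit by summing a random subset of the public samples."""
    A, b = pk
    subset = [i for i in range(M) if rng.random() < 0.5]
    u = [sum(A[i][j] for i in subset) % Q for j in range(N)]
    v = (sum(b[i] for i in subset) + bit * (Q // 2)) % Q
    return u, v


def decrypt(sk, ct):
    """v - <u, s> = (sum of subset errors) + bit * q/2.  The error sum is at most
    M in absolute value and M < q/4, so the two cases never overlap."""
    u, v = ct
    x = (v - sum(a * b for a, b in zip(u, sk))) % Q
    return 1 if Q // 4 < x < 3 * Q // 4 else 0


def encrypt_bytes(pk, data, rng):
    bits = [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]
    return [encrypt(pk, bit, rng) for bit in bits]


def decrypt_bytes(sk, cts):
    bits = [decrypt(sk, ct) for ct in cts]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


if __name__ == "__main__":
    rng = make_rng(7)
    pk, sk = keygen(rng)
    ct = encrypt_bytes(pk, b"pq", rng)
    print(f"{len(ct)} ciphertexts, each {N} + 1 integers mod {Q}")
    print("decrypted:", decrypt_bytes(sk, ct))
```

The public key is a set of noisy linear equations in the secret; remove the noise and Gaussian elimination solves them instantly, so the noise is the entire source of hardness. There is no single integer to factor and no group in which a period could be found, which is why Shor's algorithm has nothing to attack here. ML-KEM uses the same idea with structured (module) lattices, larger parameters and careful rounding to keep ciphertexts small.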
How Is Quantum Key Distribution Different?
Quantum key distribution (QKD) uses the principles of quantum mechanics to let two users establish a shared secret key in a way that reveals any attempt by an eavesdropper to learn it. QKD produces and distributes keys; it does not encrypt the data itself, which is then protected with a conventional cipher (or a one-time pad) using the distributed key, and it does not by itself authenticate the parties. Authentication is the job of certificates and related mechanisms: the classical channel QKD uses for basis comparison must be authenticated by other means, or an attacker could simply impersonate one end.
QKD systems establish a shared private key between two connected parties by sending a series of photons (light particles) over optical fiber. In the BB84 protocol, the sender encodes each random key bit in the polarisation of a photon using one of two bases chosen at random; the receiver measures each photon in a basis it also chooses at random, and the two parties then publicly compare which bases they used (not the bit values) and keep only the positions where the bases matched. The security rests on the fact that a photon's polarisation cannot be measured in the wrong basis, or copied, without altering the quantum state.
In this way the two endpoints can verify that the shared key is safe to use, as long as the photons arrived unaltered. If a malicious actor intercepts and measures the photons, the act of trying to learn the key information alters their state and introduces errors. The parties detect this by publicly comparing a random sample of their sifted key bits: an error rate above an agreed threshold tells them the key has been compromised and must be discarded. A single intercepted and re-sent photon is not detectable on its own, but an attacker who intercepts every photon produces errors in about a quarter of the sampled bits.
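The following simulation, added for this article and not part of the original text, plays out the BB84 exchange described in the two QKD passages above: Alice prepares, Bob measures, they sift by basis, then sacrifice a sample to estimate the error rate. The 11% abort threshold is an assumed constant (roughly the known limit for one-way BB84 post-processing); the only physics modelled is that measuring in the wrong basis gives a random result.

```python
"""Classical simulation of BB84 quantum key distribution with an optional
intercept-resend eavesdropper.

Added example, not code from the original article.  A photon's polarisation
is modelled as a bit prepared in one of two bases: '+' (rectilinear) or
'x' (diagonal).  The one physical rule encoded here is that measuring in the
wrong basis yields a uniformly random bit and destroys the original state,
so an eavesdropper who must re-send what she measured introduces errors.
"""
import random

BASES = "+x"
ABORT_QBER = 0.11   # assumed threshold, roughly the limit for one-way BB84 post-processing


def make_rng(seed):
    return random.Random(seed)


def measure(bit, prep_basis, meas_basis, rng):
    """Outcome of measuring a photon prepared as `bit` in `prep_basis`
    with a detector set to `meas_basis`."""
    if prep_basis == meas_basis:
        return bit                 # matching basis: deterministic outcome
    return rng.randrange(2)        # wrong basis: random outcome, state disturbed


def bb84(n_photons, rng, eve=False, sample_every=4):
    """Run one BB84 session.  Returns (qber, alice_key, bob_key)."""
    a_bits = [rng.randrange(2) for _ in range(n_photons)]
    a_bases = [rng.choice(BASES) for _ in range(n_photons)]

    # Quantum channel.  With Eve present she measures each photon in a random
    # basis and re-sends a fresh photon prepared according to her result.
    sent_bits, sent_bases = a_bits, a_bases
    if eve:
        e_bases = [rng.choice(BASES) for _ in range(n_photons)]
        sent_bits = [measure(b, pb, eb, rng)
                     for b, pb, eb in zip(a_bits, a_bases, e_bases)]
        sent_bases = e_bases

    b_bases = [rng.choice(BASES) for _ in range(n_photons)]
    b_bits = [measure(b, sb, bb, rng)
              for b, sb, bb in zip(sent_bits, sent_bases, b_bases)]

    # Sifting over the authenticated classical channel: keep only positions
    # where Alice's preparation basis equals Bob's measurement basis.
    sifted = [(a_bits[i], b_bits[i]) for i in range(n_photons)
              if a_bases[i] == b_bases[i]]

    # Error estimation: publicly compare a sample of sifted bits, then discard them.
    sample = sifted[::sample_every]
    rest = [pair for k, pair in enumerate(sifted) if k % sample_every != 0]
    errors = sum(a != b for a, b in sample)
    qber = errors / len(sample) if sample else 0.0

    return qber, [a for a, _ in rest], [b for _, b in rest]


def session_ok(qber, threshold=ABORT_QBER):
    """Proceed to error correction and privacy amplification only if the
    observed error rate is below the abort threshold."""
    return qber <= threshold


def run_session(n_photons, seed, eve=False):
    """Convenience wrapper: one session with a seeded generator."""
    return bb84(n_photons, make_rng(seed), eve=eve)


if __name__ == "__main__":
    for eve in (False, True):
        qber, ka, kb = run_session(4000, 2024, eve=eve)
        print(f"eve={eve}: QBER={qber:.3f}, keys match={ka == kb}, "
              f"proceed={session_ok(qber)}, key bits={len(ka)}")
```

Without Eve the sifted keys agree exactly, so the sampled error rate is zero. An intercept-resend attacker guesses the wrong basis half the time, and each wrong guess flips Bob's result half the time, giving the 25% error rate that the sample reveals. The sample bits are published, so they are removed from the key; the remaining bits would then go through error correction and privacy amplification, which this simulation stops short of.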
Types of Quantum-Safe Certificates
As quantum-safe cryptography develops, enterprises must now consider what certificates they will implement. Traditional PKI certificates are today's gold standard for authenticating digital identities and establishing encrypted connections. These certificates are referred to as "traditional" because they use existing ECC or RSA algorithms. The majority of PKI systems will continue to use traditional PKI certificates for some time to come. They provide effective protection against attacks by classical computers, but in the future they will be made obsolete by quantum computers and attacks on ECC and RSA.
There are three types of digital certificates that are relevant when looking for quantum-safe options. Each type still adheres to the X.509 standard that is fundamental to public key infrastructure. The types differ in their purpose and in the algorithms used to create and sign the certificate.

(1)QUANTUM-SAFE CERTIFICATES
Quantum-safe certificates are X.509 certificates whose keys and signatures use quantum-safe algorithms. For certificates the relevant algorithms are signature schemes such as ML-DSA (FIPS 204) and SLH-DSA (FIPS 205), which NIST finalized in August 2024. Implementations are available (for example in the Open Quantum Safe project's liboqs library), the IETF LAMPS working group is specifying how these algorithms are carried in X.509, and browser and protocol support is still being rolled out.
(2)HYBRID CERTIFICATES
Hybrid certificates are X.509 certificates that carry both a traditional (RSA or ECC) key and signature and a quantum-safe key and signature. Hybrid certificates enable a migration path for systems with multiple components that cannot all be upgraded or replaced at the same time. This type enables a gradual migration of systems, but eventually all systems using ECC or RSA must migrate to new, quantum-safe cryptographic algorithms.

Organizations will need to update the main pieces of their IT infrastructure to utilize quantum-safe cryptosystems and hybrid certificates. As other systems and devices access the newly updated system, they can continue to utilize classic algorithms. The quantum-safe key and signature are stored in the alternative-algorithm extensions defined in the 2019 edition of ITU-T X.509 (subjectAltPublicKeyInfo, altSignatureAlgorithm and altSignatureValue) alongside the conventional key and signature fields. Because these extensions are non-critical, applications that do not understand the quantum-safe fields ignore them and validate the certificate with the traditional signature only; this also means a hybrid certificate gives a relying party no quantum protection until that party is updated to check the alternative signature. Over time, security teams can update applications and systems to use the new algorithms. Once the transition is complete, they can deprecate hybrid certificates and replace them with pure quantum-safe certificates.

(3)COMPOSITE QUANTUM-SAFE CERTIFICATES
Composite certificates, like hybrid certificates, contain more than one key and signature, but they bind them together: a composite public key and a composite signature each bundle a traditional (RSA or ECC) component and a quantum-safe component into a single value under a single algorithm identifier, and a relying party must verify every component for the signature to be valid. Composite certificates are analogous to a single door with multiple locks: a person must have the keys to all of the locks in order to open the door. The goal is to address the concern that any single algorithm, existing or new, may be broken, whether by quantum computers or by classical cryptanalysis. If one of the algorithms proves to have an exploitable weakness, the certificate remains secure as long as at least one component algorithm is still sound. Unlike a hybrid certificate, a composite certificate cannot be consumed by legacy software, because the composite algorithm identifier is unknown to it.
While NIST has now standardized its first quantum-safe algorithms, they have not yet been battle hardened by decades of deployment in the way RSA and ECC have. It is possible that security researchers or hackers could discover weaknesses in one or more of them at some point. Composite certificates provide a strong defense against that risk, making them well suited to environments with high security requirements. The cost is larger keys, larger signatures, and the need to run both signing and verification algorithms for every operation, so certificates and handshakes grow in size and latency; the IETF LAMPS working group is specifying the composite formats.
How to Migrate to Quantum-Safe Certificates
Organizations must plan now to take preventative measures against the threats posed by quantum computing. Migrating certificates requires extensive updates to multiple systems, including internal applications, servers, and systems within direct organizational control, as well as connections to external, third-party systems. For enterprises of any size, these measures require significant IT resources, human capital, and time.
The objective is to move all systems to pure quantum-safe certificates as soon as possible. While moving directly to this in one large project may achieve the goal more quickly in theory, direct migration introduces risk. If any single system is not properly updated, it will no longer be able to communicate with other systems and could cause disruption to critical business applications. Additionally, not all systems and environments will be technically ready to use quantum-safe algorithms at the same time. In that situation, an organization would have to delay the start of its migration until the entire environment is ready, and it remains exposed to quantum computing attacks in the meantime.
In reality, all systems do not have to be updated simultaneously. A phased approach using hybrid certificates allows organizations to undertake a gradual migration that can start today and requires less risky processes while environments remain safe. Hybrid certificates allow systems that do not yet support quantum-safe cryptography to simultaneously work with new systems that do. Once all systems can support quantum-safe cryptography, the hybrid certificates can be dropped in favor of entirely quantum-safe certificates.
There are six steps required for an organization to successfully migrate, whether upgrading directly or using hybrid certificates.
Step 1: Migrate to quantum-safe PKI infrastructure - The first step to migrating is to upgrade an organization’s PKI infrastructure, including the certificate authority (CA), to support quantum-safe algorithms. Rather than trying to upgrade internal PKI systems by themselves, IT security teams may look to a commercial CA, such as Sectigo, which can provide commercial support for issuing and managing certificates. Once an organization upgrades its existing CA, or selects a new CA, the certificate authority must issue a new quantum-safe root and intermediate certificate.
Step 2: Update server cryptographic algorithms - Next, cryptographic libraries used by server applications must be updated to support both the new cryptographic algorithms and the new quantum-safe certificate formats. If hybrid certificates are used, server applications must recognize and process both traditional RSA or ECC certificates and hybrid certificates containing quantum-safe cryptographic keys. This requires the server applications to distinguish between the two different certificate types and properly use both types with the correct algorithmic method for the associated certificate type.
Step 3: Update client cryptographic algorithms - Teams then can update client applications. Be aware that a client application may communicate with multiple server applications, including external environments, and one or more of those server applications may have not been upgraded yet. In this case, hybrid certificates allow the client to work with servers supporting traditional RSA and ECC algorithms, while using quantum-safe algorithms with servers that support these newer algorithms.
Step 4: Install quantum-safe roots on all systems - Each system utilizing PKI has a trusted root store. This root store contains the certificates for the root and intermediate CAs that issue certificates within the PKI system. Once both client and server systems have been updated to support quantum-safe algorithms, these root stores must be updated to add the new root and intermediate certificates.
Step 5: Issue and install quantum-safe certs for all devices/applications - After IT teams have updated all of a company’s systems to support quantum-safe cryptography, they must issue new certificates and install them on all the endpoints. Once completed, each device is protected by the new certificates.
Step 6: Deprecate traditional algorithms and retire RSA/ECC-based certificates - The final migration step is to deprecate the traditional RSA and ECC algorithms. This can be done gradually on applications and systems as they are migrated to the new algorithms. After all systems have been migrated, the RSA and ECC intermediate and end-entity certificates should be revoked and the RSA and ECC root certificates removed from every trust store. Note that a self-signed root cannot meaningfully be revoked through CRLs or OCSP, since those are signed by the root itself; trust in a root is withdrawn by deleting it from trust stores, and any system that still holds the old root will keep accepting certificates that chain to it.
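Before Steps 2, 5 and 6 can be planned, a team needs to know which algorithm each deployed certificate was signed with. The inventory script below is an added example for this article, not Sectigo's or any vendor's tooling: it walks the outer DER structure of a certificate, extracts the signatureAlgorithm OID and classifies it. So that it runs offline it builds constructed certificate skeletons as sample input; the classical OID prefixes are the standard PKCS#1, ECDSA and EdDSA arcs, and the ML-DSA OIDs are the NIST CSOR values as the author of this example knows them (assumption: confirm against the registry before relying on them).

```python
"""Inventory the signature algorithm of X.509 certificates to find what must
migrate.  Added example, not the article's own tooling.

Includes a minimal DER reader (enough for the outer Certificate structure)
and a constructed certificate skeleton used as sample input so it runs
offline.  On real certificates, pass the bytes from
ssl.PEM_cert_to_DER_cert(pem_text) or the contents of a .der file.
"""


def read_tlv(buf, pos):
    """Parse one DER tag-length-value at `pos`; return (tag, value, next_pos).
    Handles single-byte tags only, which covers Certificate's outer layers."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Dotted string from the raw content octets of an OBJECT IDENTIFIER."""
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for byte in value[1:]:
        n = (n << 7) | (byte & 0x7F)
        if not byte & 0x80:                            # last byte of this arc
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def signature_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    _, cert, _ = read_tlv(cert_der, 0)                 # outer SEQUENCE
    _, _, pos = read_tlv(cert, 0)                      # skip tbsCertificate
    _, alg_id, _ = read_tlv(cert, pos)                 # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    return decode_oid(oid)


# Classical: PKCS#1 RSA family, ECDSA family, Ed25519, Ed448.
CLASSICAL = ("1.2.840.113549.1.1.", "1.2.840.10045.4.", "1.3.101.112", "1.3.101.113")
# Assumed NIST CSOR values for ML-DSA-44 / -65 / -87; verify against the registry.
QUANTUM_SAFE = ("2.16.840.1.101.3.4.3.17", "2.16.840.1.101.3.4.3.18", "2.16.840.1.101.3.4.3.19")


def classify(oid):
    if oid in QUANTUM_SAFE:
        return "quantum-safe"
    if oid.startswith(CLASSICAL):
        return "classical-migrate"
    return "unknown-review"


def inventory(certs):
    """certs: {name: DER bytes}.  Returns {name: (signature OID, classification)}."""
    result = {}
    for name, der in certs.items():
        oid = signature_oid(der)
        result[name] = (oid, classify(oid))
    return result


# --- constructed sample input (DER encoder for the skeleton only) ---

def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(x) for x in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def sample_cert(sig_oid, sig_len=256):
    """Constructed skeleton: empty tbsCertificate, real AlgorithmIdentifier, dummy signature."""
    alg_id = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")
    sig = _tlv(0x03, b"\x00" + b"\xAA" * sig_len)
    return _tlv(0x30, _tlv(0x30, b"") + alg_id + sig)


if __name__ == "__main__":
    fleet = {"web-rsa": sample_cert("1.2.840.113549.1.1.11"),
             "vpn-ecdsa": sample_cert("1.2.840.10045.4.3.2"),
             "new-mldsa65": sample_cert("2.16.840.1.101.3.4.3.18", sig_len=3309)}
    for name, (oid, cls) in inventory(fleet).items():
        print(f"{name:12s} {oid:28s} {cls}")
```

The skeleton's tbsCertificate is empty, so this classifier looks only at the outer signature algorithm. Detecting hybrid certificates would additionally require walking into the extensions of tbsCertificate for altSignatureAlgorithm; a composite certificate shows up here as an unknown OID, which is the right outcome for a tool that should flag anything it cannot vouch for.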
Automate Quantum-Safe Certificate Management
Migrating to new cryptographic algorithms and PKI systems requires configuration and issuance of large numbers of new certificates and revoking old certificates for every application, device, and server in an organization. Plus, IT teams must continue to manage all the certificates on an ongoing basis to ensure systems do not fail due to expired certificates. Using manual processes to discover, install, monitor, and renew all the PKI certificates in an organization is labor-intensive and technically demanding.
An automated approach to certificate management also ensures organizations can maintain cryptographic agility to adjust to evolving quantum-safe cryptographic techniques. Automation tools available today, like Sectigo Certificate Manager, allow organizations to quickly update cryptographic algorithms and to revoke and replace at-risk certificates with quantum-safe certificates, and to automate certificate discovery and future certificate renewals.
--------------------------------------------

Prof. Dr. Kazusho Kamuro, Ph.D.
Quantum Physicist and Brain Scientist, Associate Professor, Artificial Evolution Research Institute (AERI: https://www.aeri-japan.com/)
IEEE-USA Fellow
email: info@aeri-japan.com
--------------------------------------------