Encryption will break, so it’s important to mix and layer different encryption methods.
Quantum computers may one day break encryption. So might stochastic magnetic tunnel junction machines, also known as spintronics. But we don’t need next-generation computing power to break encryption. It’s successfully happening right here and now.
Why Does Encryption Fail?
There are many factors that contribute to encryption weaknesses and create vulnerabilities ready for exploitation by cybercriminals or state-sponsored actors. Chief among them is poorly implemented cryptography – in terms of both the crypto libraries themselves and the way they are used. Bugs such as Heartbleed or the recent implementation error of the Elliptic Curve Digital Signature (ECDS) algorithm in Java versions 15 and above undermine all programs based on them. The incorrect use of a library, insufficient entropy, or use of weak ciphers is a daily occurrence that impacts specific applications, making bugs even harder to find. Other encryption failings include weak passwords and certificates taken from compromised machines. Combine these techniques with “harvest-now-decrypt-later” attacks, and encryption technology is no longer what it used to be.
Mathematics, the Cornerstone of Encryption
Extremely difficult mathematics underlies our encryption. RSA, the gold standard for public-key encryption, is based on the complexity of breaking down a large number into its constituent primes. The forward problem is easy and quick to solve: Take some primes and multiply. But the reverse problem is much harder: Given an integer, which primes were multiplied to make it? Attempts to solve the problem of prime factorization date back centuries, with Euclid of Alexandria working on specific properties of prime numbers more than 2,000 years ago.
Although no solutions have been found that work on conventional binary computers, that does not mean none exist. After more than 2,000 years of work, most mathematicians agree a prime-factorization algorithm used by a classic computer won’t be here anytime soon. Peter Shor proposed an algorithm that could do composite number decomposition in polynomial time on a quantum computer – breaking RSA and Diffie-Hellman ciphers – but a quantum computer of this kind has not been publicly demonstrated at sufficient scale.
To prepare for the day when Shor’s algorithm is in play, the National Institute for Standards and Technology (NIST) has sponsored a post-quantum cryptography (PQC) competition. Now in its sixth year, the competition that began with 82 submissions is expected to announce its four finalists this year.
The remaining candidates are asymmetric-key algorithms (similar in concept to RSA) believed to be capable of withstanding the computational power of a stochastic algorithm that might run on a scalable quantum computer. The mathematical problems upon which these newer algorithms are based are much younger and have not been studied extensively.
In the field of complex mathematics, centuries are common time frames. For example, Fermat’s last theorem took 358 years to be proven. By that logic, it’s no wonder we have already seen a previously unknown or unforeseen weakness revealed in Rainbow – what had been the most peer-reviewed quantum-resistant algorithm is now deemed unsuitable for use by NIST. It’s only a matter of time, then, before new encryption standards are weakened or outright broken. This is why NIST is encouraging organizations to embrace crypto agility in their post-quantum preparedness planning.
What complicates this matter further is that we don’t — and won’t — know which methods are bearing fruit and which techniques are being used, and by whom, to break the encryption we rely on to secure our digital universe. For all we know, large-scale quantum computers are already in use. If you were a nation-state or criminal mastermind and had the ability to factor large numbers into their primes, would you tell the world? This is the fundamental problem with modern encryption: We often don’t know which, when, or how ciphers are compromised. However, we can say with certainty that encryption is being broken – and will be broken.
Look to Wall Street and Diversify
To harden IT environments and digital assets in the face of such uncertainty, we can look to Wall Street for strategic advice. To combat the uncertainties and risks associated with loans and stocks going bad, financial institutions embrace diversification. By diversifying investments across multiple asset classes, geographies, and industries, the risks of an entire portfolio imploding are minimized.
Read more: https://bit.ly/3w1ku0x
You can also read this: Big banks seek solace in quantum-proof encryption