If quantum encryption can be defeated, how will we cope with the arrival of quantum computers? I asked ChatGPT to explain.
ChatGPT has taken the Internet by storm, upending search engines, promising nearly-human responses, and writing its own essay responses. Now that the Quantum Computing Cybersecurity Preparedness Act is signed into law, how does ChatGPT measure up when asked for an analysis of quantum hacking? This is what it had to say:
Quantum encryption, also known as quantum key distribution (QKD), is a method of securely transmitting a cryptographic key over a distance using the principles of quantum mechanics. It is considered to be completely secure because any attempt to intercept or measure the key would disturb the quantum state of the key, making it easy to detect. However, there are still some potential vulnerabilities that researchers are working on. For example, it has been shown that it is possible to hack into a QKD system by using a device called a "quantum hacker." This device generates a fake key that is indistinguishable from the real key, allowing the hacker to gain access to the encrypted information. Another potential vulnerability is the use of "quantum repeaters," which can amplify the signal and potentially make it easier for an attacker to intercept the key.
Overall, while quantum encryption is considered to be very secure, it is important for researchers to continue to look for potential vulnerabilities and ways to improve the security of the technology.
I then tried it again and it added the following nuance:
For example, researchers have demonstrated attacks on quantum encryption systems that involve injecting carefully crafted pulses of light into the transmission line in an attempt to manipulate the quantum states of the particles being transmitted. These types of attacks are known as "photon number splitting attacks" and they can be difficult to detect because they do not necessarily alter the transmission rate or introduce noise into the transmission.
So then I asked ChatGPT about the specific vulnerability found as being reported:
https://www.securityweek.com/nist-post-quantum-algorithm-finalist-cracked-using-classical-pc
Castryck and Decru cracked SIKE parameters thought to meet NIST quantum security levels.
To this query, ChatGPT stated the following:
I'm sorry, but I do not have information about specific individuals or research groups that have claimed to have cracked the parameters of the Supersingular Isogeny Key Encapsulation (SIKE) algorithm.
SIKE is a quantum-resistant cryptographic algorithm that has been proposed as a candidate for the National Institute of Standards and Technology's (NIST) post-quantum cryptography standardization project. The NIST project is an ongoing effort to identify and standardize quantum-resistant cryptographic algorithms that can be used to secure sensitive data against the threat of quantum computers, which could potentially break many of the classical cryptographic algorithms currently in use.
As part of the NIST process, SIKE and other proposed algorithms are subjected to rigorous security analysis and testing to ensure that they meet the necessary security standards. It is possible that some researchers may have identified potential vulnerabilities in the SIKE parameters, but without more information, it is difficult to know for sure.
It is worth noting that the development of quantum-resistant cryptographic algorithms is an active area of research, and it is not uncommon for proposed algorithms to be modified or improved as a result of security analysis and testing.
Thanks ChatGPT, but now I will refer to my own experience and analysis!
Security Platform to a Holistic Trust Platform
We expect that today’s quest for a holistic trust platform that can secure a fragmented IoT landscape of technologies and connectivity will evolve into a quest for a trust platform that layers privacy controls and policies on top of a trust layer that authenticates everything and protects the personal data of consumers against increasing cyberthreats and the pervasive tracking of their lives by the Internet of Everything.
Network Security Behavioral Analytics is one defensive attempt but what is also being explored is not sending the encryption keys in the first place!
Not having harvest now and decrypt later!
Perhaps leveraging Blockchain’s DLT: Distributed Ledger Technology, Consensus Algorithms to establish holistic trust along with distributed computing at all endpoints, where you independently generate identical keys at multiple endpoints.
This may lead to a newer concept of IMoE: Identity Management of Everything!
Identity Management of Everything (IMoE) is a technology concept that will support identity and policy management for the emerging Internet of Everything of people, things, devices, places and content/data. This technology represents an integration of a number of security and privacy management functions that holistically delivers secure provisioning and authentication of entities. The technology will also administer the control and enforcement of digital rights for content, privacy rights for people and terms of agreement between business and private entities based on policies and transactional context. The key modules of an IMoE platform include the following:
• Identity Management – Administers and authenticates the identity of individuals and groups of people.
• Endpoint/Device Management & Security – Administers full-lifecycle management and authentication of devices and connected things provisioned in the Internet of Everything.
• Policy & Access Management – Administers entity access to resources and services on the network as well as the permissions and policies associated with access.
• Digital Rights Management (DRM) – Administers the rights associated with content and media as well as the management of policies for access and use.
• Contextual Services Management – Securely administers and brokers contextual information between entities (people, content/data, devices, things, places) in support of Internet of Everything applications with privacy policies enforced.
• Privacy Policy Management – Administers privacy policies and provides regulatory-compliant controls for managing an individual’s personal data and privacy. Over the next decade, the emergence of IMoE platform technology will be vital as business and consumers grapple with daunting regulatory compliance and control requirements as the EU and many other countries around the world have or are in the process of enacting laws and regulations such as GDPR to protect personal privacy and data.
Along with Network Security Analytics with AI/ML, doing behavioral analysis is recommended.
Bottom Line
As Enterprise CISOs, CTOs, and CIOs assess their Cybersecurity vendors, and the impact of quantum cryptography on upcoming RFI/RFPs, NIST standards, recommendations, guidelines and so on, an element of skepticism is needed, as no single solution to solve all will work. Concepts like ZTNA: zero trust network access applied holistically, distributed consensus algorithms, and distributed keying without transmission can be explored along with AI/ML Network Behavioral Analytics solutions.
- Akshay Sharma
Advisor at Lionfish Tech Advisors