The Chertoff Group

OPINION: PLANES, GUNS AND CRYPTO: AS QUANTUM COMPUTING CREEPS CLOSER, WE’RE FIGHTING THE WRONG BATTLE ON ENCRYPTION

In the early days of World War I, planes were initially used only for reconnaissance. Enemy pilots flying past each other in 1914 often waved to each other, or if feeling salty or pugnacious, would shake their fists at one another. Of course, it didn’t take long before one pilot had the bright idea to fire his revolver at another, and within a year, the first fighter planes and bombers were born – incontrovertibly changing the course of warfare for the next century.
Imagine what history would say about the country that foresaw the advent and impact of air warfare but, instead of investing in new weapons to ensure air superiority, opted to launch a massive effort to redesign unarmed reconnaissance aircraft to take better pictures.

That is essentially what some are suggesting the United States should do with encryption technology today.

In February, the National Institute of Standards and Technology (NIST) issued a draft Report on Post-Quantum Cryptography, highlighting the threats to public key cryptography posed by quantum computing. It discussed Peter Shor’s theory that “quantum computers, a new technology leveraging the physical properties of matter and energy to perform calculations,” could, in theory, render “all public key cryptosystems impotent.” As the now-finalized report details, “a sufficiently powerful quantum computer will put many forms of modern communication – from key exchange to encryption to digital authentication – in peril.”

As the NIST report highlights, scientists now believe that Shor’s theory, introduced in 1994, is not just theory, but may soon be fact. Many of the technical barriers that made quantum computing impossible 22 years ago have been overcome; in fact, MIT in March announced the first scalable implementation of Shor’s algorithm.  And last month brought news that scientists from the Joint Quantum Institute (JQI) at the University of Maryland have created the world’s first programmable and reconfigurable quantum computer.

While there are still plenty of technical challenges to address before a quantum machine can defeat public key cryptosystems, many scientists believe this kind of machine will exist by 2030. Given how long it takes the encryption community to design and vet new encryption algorithms and systems that are just new and improved versions of public key cryptography technology – most efforts take 3 to 6 years today, and it takes a decade beyond that to get the algorithms into commercial use – the notion that we are just 14 years from a post-quantum encryption world requiring an entirely new approach to cryptography is terrifying. NIST has rightly flagged this issue now, highlighting the need for the crypto community to start working today on radically new approaches to cryptography that may be relevant in a post-quantum era.

Against that backdrop, some policy makers have suggested that we need to force the technology industry to spend its time reengineering encryption systems to support backdoors or other forms of “extraordinary” access. For many reasons – including the near-term challenge we face with quantum computing – I believe this notion of reengineering to support backdoors is shortsighted and would bring more harm than good.

The Chertoff Group examined this issue in a publication earlier this year entitled The Ground Truth about Encryption and the Consequences of Extraordinary Access – a paper that looked at the technical, policy, business, security and market implications of extraordinary access proposals and detailed their impact.

We concluded that while it might be theoretically feasible to construct a key escrow system – or other method offering extraordinary access for law enforcement – in practice, doing so would create a cluster of new risks. The reason is simple: given how cryptographic systems are constructed today, there is no way to escrow an encryption key without increasing the “attack surface” of the underlying encryption system by several orders of magnitude.

Every step in the process (including safely exporting, transporting, storing and managing such keys) would create multiple opportunities for an adversary to attack and compromise the security model of the underlying cryptographic system. Individually, each step creates a significant security challenge; requiring all steps creates a multitude of complexities that materially threaten the security of any cryptographic system.

Given how much industry has struggled to securely implement even simple cryptographic systems, a solution this complicated would be certain to create significant risks and degrade our overall security. Beyond the technical and security challenges, the practical impact of this would be to break current best practices for secure key generation and storage. Most cryptographic systems used today would require complete redesign. Given that these systems are embedded in most desktops, laptops, and mobile devices, the software used to manage cryptographic systems in billions of devices would have to be re-engineered, and in some cases the devices themselves would have to be replaced. In theory, this would be technically feasible, though it would take 10 to 15 years; in practice, it is highly unrealistic.

More to the point: Imagine the impact if we diverted billions of dollars and millions of hours over the next 10 to 15 years to completely redesign public key crypto systems to support back doors, only to see all of the work become irrelevant as we enter the quantum age. The strategic equivalent would be the U.S. deciding to re-engineer its reconnaissance planes during World War I rather than prepare for the age of air warfare.

We made the right decision 100 years ago.  It is imperative that we look ahead, invest our resources wisely and do the same today.
