The Future of Cryptographic Security in the Age of Quantum
Modern cryptography is still a relatively young scientific discipline, but its history shows a significant pattern. Most developments are based on research that took place years or even decades before. There’s a good reason for this glacial pace of movement. Just as drugs and vaccines undergo years of rigorous testing before they reach the market, cryptography applications must be based on proven and thoroughly analyzed methods.
Blockchain is one such example of the development cycle in action. Satoshi Nakamoto’s work on Bitcoin was the application of principles first described by David Chaum in the early 1980s. Similarly, recent deployments of multiparty computation (MPC) for securing private keys or sealed-bid auctions make use of ideas developed around the same time. Now, as the threat of quantum machines looms over modern computers, the need for newer and stronger forms of cryptography has never been greater.
Torben Pryds Pedersen is chief technology officer of Concordium and was previously head of Cryptomathic’s R&D division.
Nobody knows precisely when or if quantum computers will prove capable of cracking today’s encryption methods. However, the threat alone currently drives extensive work in developing alternatives that will prove robust enough to withstand a quantum attack.
A compressed timeline
Finding a replacement for existing encryption methods isn’t a trivial task. For the past three years, the National Institute of Standards and Technology (NIST) has worked to research and advance alternative algorithms, the backbone of any cryptographic system. This July, it announced a shortlist of 15 proposals in an ongoing project looking for quantum-resistant encryption standards.
But many of these proposals are unattractive due to unworkable key sizes or overall efficiency. What’s more, these alternatives must undergo sufficient testing and scrutiny to ensure they withstand the test of time.
I’m sure we’ll see further developments in this area. However, the development of better cryptographic algorithms is only one piece of the puzzle. Once an alternative is defined, there’s a much bigger job in ensuring that all existing applications get updated to the new standard. The scope of this is massive, covering virtually every use case on the entire internet, across all of finance and in blockchains.
Given the scale of the task, plans and measures to migrate existing data must be in place long before the quantum threat becomes a reality.
Digital signatures for self-sovereign data
Governments and banking institutions are not naive. According to the 2020 UN E-Government Survey, 65% of member governments are thinking seriously about governance in the digital age, by the agency’s own metrics. Personal data privacy is a growing concern, reflected by the inclusion of data protection mechanisms and methods for digital signatures on the development agenda for e-government applications.
The technology behind digital signatures is generally well-understood by governments. For example, in Europe, the eIDAS regulation puts a responsibility on organizations in member states to implement unified standards for electronic signatures, qualified digital certificates and other authentication mechanisms for electronic transactions. However, there’s also a recognition on the part of the European Union that updates will be required to protect against the quantum computer threat.
It seems likely that future methods for protecting personal data will be steered by the principle that users own their own data. In the banking world, PSD2, a payments directive for how financial institutions treat data, has been a catalyst for this principle. Once users hold the rights to share their own data, it becomes easier to facilitate data sharing across multiple banking institutions.
Cryptography plays a significant role in the principle of self-sovereign data today, but I believe we will see this concept become more prevalent in Web 3.0 applications. Ideally, users will control their data across any Web 3.0 application, providing full interoperability and ease of use.
Enhancing security and trustlessness with multi-party computation
Similar to the rise of digital signatures, there will be more applications of multiparty computation. MPC was a purely theoretical construction 30 years ago; we now see it applied in more real-world use cases. For example, several institutional-grade asset security platforms, including Unbound Tech, Sepior, Curv and Fireblocks, are already using variations of MPC to keep private keys secure.
Due to the vast security potential of MPC, we will continue to see improvements in this technology. It also fits well with the principles of decentralizing trust, given it removes single points of attack and reduces dependency on single trusted entities. In the future, a single individual’s private key could be stored in multiple decentralized locations, but still deployed instantly when the user demands.
Blockchains for individuals and enterprises
Blockchain technology is still in a low state of maturity. It theoretically offers significant promise to help individuals and enterprises gain control over their data. But the fact remains today’s blockchains and related distributed ledger technologies have yet to fulfill their true potential, evidenced by the lack of compelling use cases.
However, in light of the evolution of other usages of cryptography, such as digital signatures and multiparty computation, it’s reasonable to expect blockchain technology will improve significantly, become more efficient and accessible – and therefore gain more traction in the coming years.
The concept of blockchains is not in itself threatened by quantum computers. Blockchains are, first of all, used to securely register data (or digests of data), and we already know how to secure the basic functionality of blockchains (immutability of registered data) with cryptographic primitives that are secure in the quantum era (hash functions and digital signature schemes).
But more work is required to handle more advanced protocols efficiently, and to keep improving the security and efficiency of cryptographic primitives so that blockchains themselves become more efficient.
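The point about securing immutability with hash functions and signature schemes alone can be made concrete. The following is an added example, not code from the author or from any project named in the article: a hash-chained register whose entries are signed with Lamport one-time signatures, a scheme built only from a hash function and chosen here as a stand-in. All function names, the entry layout and the sample records in the test are assumptions made for illustration.

```python
import hashlib
import secrets

ZERO = b"\x00" * 32  # "previous digest" of the first entry (assumed convention)

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    # Lamport one-time key: 256 pairs of secrets; the public key is their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg: bytes):
    # Reveal one secret per digest bit. A key must sign exactly one message.
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits(msg))))

def entry_digest(prev: bytes, data: bytes, next_pk) -> bytes:
    # Binds the entry to its predecessor and to the key that signs the next entry.
    return H(prev + H(data) + H(b"".join(a + b for a, b in next_pk)))

def append(chain, sk, data: bytes):
    """Sign a new entry with the current one-time key; return the next key."""
    prev = chain[-1]["digest"] if chain else ZERO
    next_sk, next_pk = keygen()
    digest = entry_digest(prev, data, next_pk)
    chain.append({"prev": prev, "data": data, "next_pk": next_pk,
                  "digest": digest, "sig": sign(sk, digest)})
    return next_sk

def verify_chain(chain, genesis_pk) -> bool:
    # Only the genesis public key is trusted; each entry vouches for the next key.
    prev, pk = ZERO, genesis_pk
    for e in chain:
        digest = entry_digest(e["prev"], e["data"], e["next_pk"])
        if e["prev"] != prev or e["digest"] != digest:
            return False
        if not verify(pk, digest, e["sig"]):
            return False
        prev, pk = digest, e["next_pk"]
    return True
```

Because each one-time key signs only the entry that also commits to its successor, a verifier needs nothing but the genesis public key, and the cost shows up as large keys and signatures (about 16 KB and 8 KB per entry here), which is the key-size concern raised earlier in the article.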
In light of this, we will see a gradual improvement of distributed systems so that they remain secure. We will probably want to keep the good properties of the current cryptographic algorithms and update them gradually as necessary. This process must be planned very carefully, as each update must be completed well before the current version becomes insecure.
Furthermore, blockchain-enabled payment systems, with robust post-quantum security, can play a significant role in the future of online retail.
Regardless of the use case for cryptography, the user experience will be a critical driver for adoption. A lack of usability has been a massive problem for most cryptography applications so far – and this is also true for blockchains. Most platforms are simply infrastructural solutions and, as such, involve a high degree of friction for end users.
Ultimately, blockchain applications need to become as usable as the internet and smartphone applications are today. Usability and quantum-proof security are essential for the future of government, commerce and Web 3.0.
https://www.coindesk.com/future-cryptographic-security