30 3 月, 2023
EP 24 – Making the Leap to Post-Quantum Computing Encryption
Quantum computing is coming and it has the potential to be both exciting and terrifying… On today’s episode of Trust Issues, host David Puner speaks with cryptographer Dr. Erez Waisbard, CyberArk’s Technology and Research Lead, about quantum computing innovation and its cybersecurity implications – from data encryption to surveillance and privacy.
Dr. Waisbard breaks down how encryption works, why it’s so important for safeguarding our data, and how quantum computers will break the methods used today. This may sound ominous, but designs for quantum-resistant encryption algorithms are already well underway. Check out the episode to learn more about them and how your organization can start preparing now.
And, if you like this episode, be sure to check out Erez Waisbard’s blog post, “Quantum Computing Is Coming… Here are 4 Ways to Get Ready,” on the CyberArk Blog.
You’re listening to the Trust Issues podcast. I’m David Puner, a Senior Editorial Manager at CyberArk, the global leader in Identity Security.
[00:00:23.040] – David Puner
Quantum computing is coming, and it has the potential to be both exciting and terrifying. On today’s episode of Trust Issues, we’ll get into what it is and when we may start collectively experiencing its impact. One of technologist’s greatest concerns about post-quantum computing centers on encryption. Even though most people don’t think about it much, encryption is what keeps our data, bank accounts, medical records, email, and almost everything else safe as it moves through or is stored in cyberspace.
[00:00:54.580] – David Puner
But as soon as the first commercial quantum computer arrives, the encryption processes we take for granted today can be broken. When this happens, all the digital information transmitted over the internet today and in the future will be vulnerable. It’s why cryptographers, the folks who write and crack encryption code used for data security, are hard at work trying to design algorithms that will withstand the might of quantum computing.
[00:01:23.490] – David Puner
In fact, in July 2022, the US federal agency NIST, announced the first group of winners of a six-year competition to come up with encryption algorithms that will become part of its upcoming post-quantum cryptographic standard, which was reportedly two years out at the time of the announcement. These encryption methods are intended to have the capability to fort future quantum computing attacks, but that doesn’t mean businesses should wait for a new standard to get quantum-read.
[00:01:55.730] – David Puner
That brings us to today’s guest, Erez Waisbard, who’s a cryptographer and is a technology and research lead here at CyberArk. He holds a PhD in online privacy and reliability to give you a bit of an idea what direction he’s coming at quantum computing from. As you’ll hear, he seems pretty calm about all this. Here’s my conversation with Dr. Erez Waisbard.
[00:02:25.810] – David Puner
Dr. Erez Waisbard, who is a technology and research lead at CyberArk. You have a PhD in online privacy and reliability. Did you have any notion that you’d wind up working in cybersecurity when you’re pursuing your PhD?
[00:02:40.990] – Dr. Erez Waisbard
Yeah, I’ve been fascinated with cryptography and security for many years now. In the last 20 years, I’ve been pursuing that both in master’s degree and the PhD while also working in the industry as a security architect and cryptographer, researcher, and also diving into issues of privacy and trust during my PhD and later on.
[00:03:08.130] – David Puner
Cryptography, what is that?
[00:03:10.670] – Dr. Erez Waisbard
It’s a great question because most of us don’t really notice cryptography in the daily life, but it’s all around us. If you’re using your email, your instant messaging, you go online, usually there is cryptography behind it.
[00:03:27.400] – Dr. Erez Waisbard
It’s mostly about two things. The first thing is confidentiality. You want to protect your data. Whenever you’re transferring, let’s say, you go online, you want to buy something, then you put your credit card number, and you want this to be secure so nobody can get the card number. But more importantly, you also want to know that you’re dealing with a trusted site, so proving the identity of the site, having this trust is also part of cryptography.
[00:03:56.720] – Dr. Erez Waisbard
Whenever you look at the address bar in your browser and you see this padlock that tells you everything is secure, well, cryptographer is the guy that knows how to build this padlock, and also, many times, how to break earlier designs of these padlocks that are not really as secure as we thought they would be. As a cryptographer and also many years as a security architect, it was my job to make sure that this theoretical concept is also something that happens in practice.
[00:04:32.980] – David Puner
Beyond the education, what’s the career path that then takes you to being focused on cryptography as a job?
[00:04:40.410] – Dr. Erez Waisbard
First of all, it’s the most fascinating thing, really. Really a pure magic, not only something that… It’s interesting, but it’s cat and mouse game that you see both in cryptography and cybersecurity. You try to protect something, and then the hacker tries to break it, and then you put some additional layer, and then it tries to go around it and so on. This is a really amazing thing.
[00:05:05.940] – David Puner
There could be somebody listening to this conversation right now as we record it?
[00:05:10.410] – Dr. Erez Waisbard
Yeah. We always known it’s a possibility. We always suspected that that’s a possibility. A bout 10 years ago, Edward Snowden believed that the NSA has done so at a really large scale, listening to conversation, to communication all over the world, even to those that they didn’t suspect.
[00:05:30.140] – David Puner
Is this the lawful intercept that you’re referring to, or is it something else?
[00:05:34.320] – Dr. Erez Waisbard
It’s something else, because they’re not targeting you. They just do a mass surveillance, gathering as much data as they can. Right now, we also know about many ways of using this big data, and they are using it to deal with criminals and terrorists and so on. It’s a really delicate game of balancing the good and the bad, but we do know it’s being done.
[00:06:01.860] – David Puner
That’s endlessly fascinating. There’s a lot going on there. Today at CyberArk, you’re focused on technology and research. What does that mean and how does quantum computing come into play?
[00:06:14.430] – Dr. Erez Waisbard
Maybe I’ll start just by introducing the concept of a quantum computer. We’re used to a computer that works on bits that can be either in a state of zero or one, goes through some logical gates, Boolean circuits, and outputs a result. There you go, you have your PC or your cloud computing, but underneath, it’s all the same technology.
[00:06:41.120] – Dr. Erez Waisbard
Now, a quantum computer is doing things very differently. First of all, it uses something magical known as qubit. Now, a qubit is a quantum bit that can be in a superposition of states. It’s not that it’s either a zero or a one. It can be in both states at a certain probability, and it’s really hard to keep it in such a magical state because that’s like the quantum phenomenon. That’s something that exists in a very fragile state of nature.
[00:07:12.670] – Dr. Erez Waisbard
We can generate it, we can hold it for a while, but it’s very hard to generate many of these qubits and keep it in a stable state, especially if you want to do a computation. We want to use it, and we put it into a circuit that somehow manages to hold this state. If you start with a bunch of qubits and you run them through this quantum circuit, then it’s like you went through all possible states at once.
[00:07:39.580] – Dr. Erez Waisbard
Now that’s a huge speed up, right? Because you don’t need to go through every possible state one by one. You can go over all of them simultaneously.
[00:07:50.480] – David Puner
Is a quantum computer then like a regular computer that we know today but on steroids?
[00:07:57.300] – Dr. Erez Waisbard
Excellent question. Because sometimes people think like that and say… Just like I have an old computer, if I’m getting a new computer, everything all of a sudden runs much faster, and we say, “Oh, it’s great. It’s running just the way we wanted it to be.” No, that’s not the state for quantum computer.
[00:08:16.670] – Dr. Erez Waisbard
You need to generate these qubits, and you need to have a special quantum circuit to run those through, and the circuit would solve a particular problem. You can have an algorithm or quantum circuit that solve a particular problem. What we would like to use it for is to solve problem that we cannot solve efficiently on a classical computer.
[00:08:40.830] – Dr. Erez Waisbard
Now, one of those problems, as we will head soon into the crypto aspect of this quantum computer, is that there is a circuit, there is an algorithm that runs on a quantum computer that can break a number into its prime factors. Now, that’s something very important first, because we don’t know how to do it.
[00:09:03.020] – Dr. Erez Waisbard
There is another algorithm called the RSA. This algorithm, they rely on hardness assumption, like it’s hard to factor a number into its prime factors. It’s hard to compute the discrete log of a modular arithmetic. This algorithm, all of a sudden, it breaks this underlying assumption. It says, “Oh, just give me a quantum computer, and I can do that efficiently.”
[00:09:29.480] – David Puner
What does the rise of quantum computing mean for the world of cryptography and encryption?
[00:09:35.110] – Dr. Erez Waisbard
That’s a very good question because back in the 90s, everybody also talked about it. But then we didn’t have the computer to run these algorithms. As I said, quantum algorithms can break encryption. If there’s a quantum computer coming, we want to get a new cryptography, something that would be secured.
[00:09:58.610] – Dr. Erez Waisbard
Up until last July, we didn’t have anything. We had algorithms we believed to be secure. We tried developing new ones. But cryptography is something that’s worthwhile in the modern world only if it’s standardized.
[00:10:14.140] – Dr. Erez Waisbard
There’s a whole bunch of protocols that enable me to connect through my computer and your computer, and we have the servers, and maybe we can do things on the phone. It all works because of standards. Only last July, NIST announced the first four candidates for post-quantum algorithms, algorithms that would be secure against quantum computer. Right now, we see a lot of advances, and we also hear about a lot of investment.
[00:10:41.140] – David Puner
There’s all this money being poured into it, yet the computers don’t exist.
[00:10:46.080] – Dr. Erez Waisbard
Yeah, that’s an excellent point, because I’m been saying we don’t have a quantum computer, but in fact, we do have. We do have it at a very small scale, and it’s a matter of time until we get them at scale. That’s the big race.
[00:11:00.910] – David Puner
When do we think that’s going to be?
[00:11:02.440] – Dr. Erez Waisbard
Oh, that’s a million dollar question. It’s more than a million dollar question. Nobody knows. Honestly, nobody knows. But everybody agrees on two things: one, that it is getting closer. We are seeing progress. The other thing is that changing algorithms in the real world takes a lot of time. It will take us years.
[00:11:29.630] – Dr. Erez Waisbard
It’s not something that we can wait until such a computer exists. We have to prepare in advance.
[00:11:37.610] – David Puner
Is this why countries like here in the US in December, President Biden signed the Quantum Cybersecurity Preparedness Act into law? Is that why countries are really interested and proactively doing things like that?
[00:11:56.120] – Dr. Erez Waisbard
Exactly. I would add one more to that, which we briefly touched earlier. If our communication is being recorded today, then in many ways for some of our data, it’s already too late. Because if you can record our conversation now and maybe you cannot decrypt it today, but 10, 15 years from now, you will be able to, then that’s an issue.
[00:12:22.200] – David Puner
As far as the threat goes, what can organizations do now to start preparing for quantum and protecting their data beyond encryption?
[00:12:32.950] – Dr. Erez Waisbard
There are actually guidelines that are now being suggested, for example, by Department of Homeland Security and other organizations. First step is know your cryptography. That sounds pretty straightforward, right? “Okay, tell me the algorithms, and I’ll tell you if you’re safe or not.” It’s worthwhile mentioning that not all algorithms that we’re using today will be broken by a quantum computer.
[00:13:01.860] – David Puner
It’s a race to basically get to the next stage of encryption.
[00:13:05.530] – Dr. Erez Waisbard
As I said, first of all, know your algorithm. You have to know which one you’re using directly, maybe in your code, which one is being used by third-party libraries, which one is used underneath the TLS, maybe the SSH, maybe by your cloud provider and so on.
[00:13:25.150] – David Puner
TLS for the folks who don’t know what that is?
[00:13:28.490] – Dr. Erez Waisbard
That’s the transport layer security that’s underneath https and many other protocols that we’re using. That’s the thing that makes it secure, that make sure that nobody can eavesdrop, and you can also authenticate the other party that you’re talking with. You have to know what are the algorithms that are being used in order to assess which of them needs to be replaced.
[00:13:55.650] – Dr. Erez Waisbard
Now, for an organization, if you’re using TLS, and let’s say, you’re communicating with your browser to a cloud provider, so you understand you may need to change, but it’s not within your power to do so. You have to wait until the browser manufacturer switch to a new and secure TLS protocol. You need the cloud provider, the web server to do the same.
[00:14:26.020] – Dr. Erez Waisbard
Not everything is within your reach. But the first step is to really know all the areas. You mentioned Biden earlier, the presidential order is really to do this mapping at the first half of this year.Then once you know it, you can start planning your migration.
[00:14:47.730] – Dr. Erez Waisbard
Planning the migration doesn’t necessarily mean like dropping ciphers. First of all, it’s not an easy dropping. You take out the old one, you put the new one, and everything’s fine. There are legacy issue, backward compatibility, but they don’t match. It’s a new assumption. It’s a different algorithm, so key sizes are different. Ciphertext is different. Everything is different.
[00:15:11.650] – Dr. Erez Waisbard
Then as we were in the evaluation phase, all of a sudden, somebody came with some very clever way of how to break them. By breaking, I mean breaking them on a classical computer. Not only that you didn’t get this post quantum security, you didn’t get any security. We probably want to have them in some hybrid model when we don’t throw away the old one, but we add to it the new ones.
[00:15:38.960] – David Puner
How can organizations do this?
[00:15:41.800] – Dr. Erez Waisbard
The best suggestion is to follow the specification. We’ve all been waiting for NIST to come up with the first algorithm to be standardized. We want them to standardize the entire process. We want to follow other standardization organizations because whatever we do, we want it, one, to be coming from a trusted source, and second, we want it to be compatible with what others are doing. You want a protocol that will allow everybody to communicate with everybody just like we do today.
[00:16:17.040] – David Puner
What are post-quantum algorithms? I feel like we’ve covered that a little bit here, but I think it’s important to bring it up.
[00:16:24.600] – Dr. Erez Waisbard
A post-quantum algorithm, in a nutshell, is a cryptographic algorithms that’s going to stay secure even in the presence of a quantum computer. To be really accurate about it, that means that the underlying security assumptions that it is based on, we don’t know of a way that a quantum computer can break it.
[00:16:46.930] – Dr. Erez Waisbard
Maybe two years from now, we’ll find some way that it can. Maybe five years from now, we’ll find a way that a classical computer can. That’s always the case with cryptography. We have algorithms being suggested and being broken. But the post-quantum algorithms is one that currently we don’t know how to break using a quantum computer.
[00:17:06.550] – David Puner
Bringing this back to our wheelhouse and our focus, how might quantum computing impact identity security and cybersecurity for that matter?
[00:17:19.640] – Dr. Erez Waisbard
Proving your identity, traditionally, it’s been about some a secret, something that only you know, something that only you own. Now, if you have a secret and I can decrypt this secret, then maybe I can present myself as David. Now, that’s one thing.
[00:17:44.960] – Dr. Erez Waisbard
The other thing, there is another cryptographic tool that is often used to prove identity is the digital signature. For example, in the blockchain case, when I want to sign a transaction of giving you money, I’m signing on behalf of Erez that I’m giving David the money. Now, if somebody can forge that signature, they can transfer all the money I have. My identity really relies on cryptography, and therefore, it affects everything.
[00:18:21.580] – David Puner
I should point out that you wrote a blog post for our medium CyberArk Engineering blog. It’s called Quantum computing is going to kill classic cryptography, but we can still save it. I recommend folks check that out. It’s at medium.comcyberark-engineering.
[00:18:43.940] – David Puner
Dr. Erez Waisbard, thank you so much for joining us today.
[00:18:47.490] – Dr. Erez Waisbard
Thank you very much, first of all, for inviting me, being part of this great podcast. I’m trying to make this subject more accessible and help people really get the idea of where we stand today. I’m really grateful for the opportunity to present it here. Have a great day.
[00:19:14.780] – David Puner
Thanks for listening to today’s episode of Trust Issues. We’d love to hear from you. If you have a question, comment, constructive comment, preferably, but it’s up to you, or an episode suggestion, please drop us an email at [email protected]. Make sure you’re following us wherever you listen to podcasts.