Cryptography has long attracted research into novel applications for secret messages between parties. For nearly 4,000 years, cryptographic methods have slowly advanced, with notable contributions from many ancient civilizations and modern nations.
Since the advent of the internet age, cryptographic applications have rapidly expanded. The ongoing evolution has continued this year, with recent breakthroughs that some experts say could fundamentally transform one of the oldest subfields of contemporary cybersecurity.
While many recent applications of traditional cryptography have improved encryption methods, quantum cryptography potentially represents a paradigm shift in a field historically steeped in complex mathematics to encrypt information. That’s because quantum encryption moves away from strictly mathematics-derived systems and instead uses quantum physical properties.
Traditional cryptography remains alive and well. The Electronic Frontier Foundation reported earlier this year that half of all traffic on the World Wide Web is now encrypted. Investment in research and development is yielding an array of new solutions available in the marketplace. Over the past four months, however, the series of distinct scientific breakthroughs have raised many questions about the future of cryptography.
For instance, can traditional mathematics-based cryptosystems withstand the exponential processing power of quantum computers and optimized quantum algorithms designed to break existing asymmetric encryption algorithms? Will emerging encryption methods, based on post-quantum mathematics, withstand brute-force quantum attacks better than traditional cryptosystems? And is quantum cryptography feasible at a federal and commercial scale?
For insights into these questions and others, Fifth Domain recently caught up with Dr. Lily Chen, the lead of the Cryptographic Technology Group in the Computer Security Division at the National Institute of Standards and Technology (NIST). Chen’s group researches and develops new cryptographic applications, as well as publishing standards for the federal government.
Which areas of cryptographic research and development would you recommend every cybersecurity professional — even generalists and specialists in other areas — be following closely right now, and why?
Cryptography is a science covering a very broad scope with numerous research areas. It has advanced at a very fast pace in the past 40 years. Some of the research areas are close to real-life applications, while the others have theoretical significance.
Even cybersecurity professionals can hardly follow closely unless they have a strong background in cryptography. However, most cryptography algorithms and schemes deployed for real-life applications are specified through international and industry standards organizations. Many cryptographers and researchers have been involved in the standards development effort. The most related research results will trigger updates to standards.
NIST has developed cryptography standards for government usage since the 1970s. As the lead of the Cryptographic Technology Group in the Computer Security Division, the most important task for the group is to make sure NIST cryptography standards reflect the state-of-art technologies for government applications. Cybersecurity professionals should follow security standards.
What are some of the most significant problems cryptographers are currently researching, and why will the solutions be so consequential?
Indeed, there are too many significant problems cryptographers are tackling to highlight them one by one. In layman’s terms, the research on cryptography can be categorized as design a new algorithm, attack an existing algorithm or develop theories in mathematics and/or computer science to support the tasks [of] designing or attacking.
One area is to explore cryptographic algorithms that can resist quantum attacks. Some research is to see how quantum algorithms can attack a cryptographic algorithm — that is, to assess how vulnerable an algorithm can be — while the other research is to prove why an algorithm is secure against quantum attack. Of course, many researchers are exploring quantum algorithms to support either designing or attacking.
The research in this area will certainly impact cybersecurity in the next few decades. NIST initiated a new project at the end of 2016 to spend five to seven years developing cryptographic standards that can resist quantum attacks.
In which areas within cryptographic research do you see the biggest opportunity for breakthrough innovation, and what are a few of the biggest implications should success be achieved in each area?
As I said, cryptography is a science with a very broad scope. There surely exist many opportunities. I can hardly tell which opportunity is the biggest.
This year is the 40-year anniversary of the invention of a cryptographic system called RSA. It is named for three cryptographers: Rivest, Shamir and Adleman. Its security is based on the difficulty of factoring large integers. RSA has been implemented in every server, computer and smartphone.
Quantum computers, once they appear, will make factoring large integers not hard. That is, the RSA cryptosystem will not be secure anymore. Therefore, looking for new mathematically hard problems to build new cryptosystems appears to be a great opportunity and fun research. Many researchers are devoted to this area. The research results certainly will impact the future cryptography used in cybersecurity.
In the next three questions, help readers understand recent events and the likely near-future of quantum cryptography. Over the past three months, Chinese scientists reported successfully beaming entangled photons from space to Earth and vice versa, setting new records in the process. These achievements have been widely reported, with various conclusions drawn. What are your major takeaways from the success of these experiments?
Quantum cryptography, in my understanding, is using the properties of quantum mechanics to perform cryptographic tasks; for example, quantum key distribution. Per the report, the Chinese scientists [communicated] from space to the Earth by beaming entangled photons. This is in the scope of quantum communications. I am not a quantum physicist and cannot tell the takeaways for its scientific research value.
In your estimation, how close are we to developing federal- and commercial-grade quantum cryptography applications, and what are the biggest remaining challenges?
Again, I am not a quantum physicist and have never been involved in developing quantum cryptography applications, federal or commercial.
Quantum key distribution is very useful for special needs because key distribution is always an issue for cryptographic applications. On the other hand, to deploy quantum key distribution in a large-scale network, do all the communication nodes need to have quantum mechanical capacity?
For the protection of today’s cyberspace, we need to develop a quantum-resistant counterpart to replace existing cryptosystems. In other words, we need quantum-resistant cryptography to be implemented in classical computing and communications devices without quantum mechanical capacity.
Is there any mathematics-based encryption — for instance, post-quantum cryptography — that will be able to withstand brute-force attacks from quantum computers and quantum algorithms, or will we eventually be forced to abandon mathematically derived keys in favor of quantum properties for federal-grade asymmetric cryptographic applications, such as quantum key distribution?
Yes. There are many mathematics-based cryptosystems that will be able to withstand attacks from quantum computers and quantum algorithms. Please notice that not all the attacks are brute-force.
These cryptosystems are based on different hard problems, which are considered remaining hard even under quantum computers. I think we will never be able to abandon mathematically derived keys and mathematical algorithms. Please notice that even with quantum key distribution, mathematical algorithms are still needed to apply encryption.
As I said, quantum key distribution relies on quantum mechanics. Not all the computing and communicating devices can facilitate quantum mechanics. Furthermore, it is not scalable for pairwise key distribution in today’s cyberspace. It is unclear how realistic it is to economically facilitate all the devices with quantum mechanics.
Having spent your career researching and developing cryptographic solutions, what do you think when you read a news story about a governmental or commercial organization that suffered a data breach and didn’t protect sensitive data with readily available, effective encryption techniques?
Well, so far most of what we’ve heard about data breaches are not due to the failure of encryption techniques. Attackers are rarely attacking the encryption directly. Almost all the attacks have been using the system weakness, either [to] bypass the encryption or introducing the system failure to access unencrypted data.
We certainly should always use effective encryption techniques. But most important is to improve system security to make sure there is no security hole for the attacker to poke. Besides cryptography standards, NIST’s Computer Security Division also develops security guidelines for applications, such as Transport Layer Security, Root of Trust in computing devices, etc. We also have the Cryptographic Module Validation Program to guide secure implementation of cryptographic algorithms.