在過去10年的很長一段時間中,網(wǎng)絡(luò)安全專家一直在警告一個正在逼近的威脅:量子計算機(jī)的面世。
這些使用量子物理來編譯信息的機(jī)器在未來的某一天將變得足夠強(qiáng)大,繼而破解當(dāng)前使用最廣泛的編譯系統(tǒng),并導(dǎo)致幾乎所有的數(shù)字通訊手段失去其安全性。
人們一直在問,這一天什么時候才能到來。最常見的數(shù)字加密技術(shù)RSA誕生于1977年,它基于兩個大素數(shù)之商。其中的一個破解辦法就是弄清楚這兩個大素數(shù)到底是多少。1994年,數(shù)學(xué)家皮特?肖爾發(fā)明了一種算法,如果將其交由算力足夠強(qiáng)大的量子計算機(jī)來運(yùn)算,則可以輕易破譯這兩個素數(shù)。然而在當(dāng)時,量子計算機(jī)依然停留在純理論階段。
第一臺能夠工作的量子計算機(jī)誕生于十多年前。然而,大多數(shù)量子計算機(jī)要么在設(shè)計之初便并非用于運(yùn)行肖爾的算法,要么就是沒有足夠的算力來計算異常龐大的素數(shù)對。網(wǎng)絡(luò)安全專家擔(dān)憂的量子計算機(jī)黑客時代還遠(yuǎn)未到來,有人估計至少還得等25年,而且當(dāng)時還存在著更加緊迫的威脅。
然而好景不再。去年,谷歌稱自己已經(jīng)實(shí)現(xiàn)了所謂的“量子霸權(quán)”里程碑,打造了一臺量子計算機(jī),它可以執(zhí)行傳統(tǒng)計算機(jī)無法開展的計算,并運(yùn)行相當(dāng)長的一段時間。
谷歌的這臺機(jī)器依然無法破解RSA。然而,量子硬件制造的快速進(jìn)步,再加上算法方面些許高明的調(diào)整,意味著肖爾的算法迫使RSA退出歷史舞臺的時代已經(jīng)大幅提前。專家稱,如果幸運(yùn)的話,我們可能還有十幾年的時間為數(shù)據(jù)隱私保護(hù)工作添磚加瓦。然而,一些人認(rèn)為最多還有五年的時間,甚至可能更短。
2016年,美國國家安全局(U.S. National Security Agency)發(fā)布了一則嚴(yán)重警告:政府機(jī)構(gòu)和公司必須“立即采取行動”,開始轉(zhuǎn)而使用能夠防范量子計算機(jī)攻擊的新加密標(biāo)準(zhǔn)。唯一的問題?沒有人知道這個加密標(biāo)準(zhǔn)到底長什么樣。
正是基于這個原因,全美標(biāo)準(zhǔn)與技術(shù)研究所(NIST)在大約三年前便開始舉行比賽,以選出一種可以抵御量子計算機(jī)攻擊的新加密技術(shù)。該研究所隸屬于美國商務(wù)部(U.S. Department of Commerce),負(fù)責(zé)向政府和企業(yè)推薦其常用標(biāo)準(zhǔn)。
這些新“后量子”加密和數(shù)字簽名方法將有可能成為美國各政府部門以及眾多與政府做生意的企業(yè)必須強(qiáng)制采取的標(biāo)準(zhǔn),尤其是國防和情報部門。有鑒于美國市場的規(guī)模,它們很有可能成為一種新的全球安全標(biāo)準(zhǔn)。NIST如今很快將選出獲勝的加密算法,并借此邁入網(wǎng)絡(luò)安全新時代。
今年7月,這家負(fù)責(zé)標(biāo)準(zhǔn)的機(jī)構(gòu)宣布,經(jīng)篩選,候選者清單從最初的82個縮減至依然較長的15個,在主要決賽選手中,有4名來自于加密學(xué),3名來自于數(shù)字簽名領(lǐng)域,它們均使用密碼來驗(yàn)證電子信息和文件的真實(shí)性。(8名候補(bǔ)選手也將參加決賽輪。)NIST稱,它將在未來18個月之內(nèi)宣布最終獲勝者,并將其作為新加密標(biāo)準(zhǔn)。
因此,NIST的這個長篇候選清單描述了一個什么樣的網(wǎng)絡(luò)安全未來?其實(shí),它很有可能涉及人們所稱的基于格的密碼技術(shù)。競賽中四分之三的決賽選手都采用了這個門類的算法。
基于格的密碼技術(shù)依靠的是柵格化等間隔點(diǎn)的獨(dú)特數(shù)學(xué)特性,又稱格密碼。由于這些點(diǎn)的間隔相等,事實(shí)在于,人們只需要柵格的兩個坐標(biāo)便能夠計算出同一格子中所有的點(diǎn)。然而,如果格子存在數(shù)千個維度,而且如果格子中各點(diǎn)之間的角度與直角偏差過大,那么弄清楚任何特定點(diǎn)是否都處于格子中將是一件十分困難的事情。人們已經(jīng)制定了一系列加密機(jī)制,以利用這些特性來打造可以共同協(xié)作的公鑰和私鑰,因?yàn)樗鼈兌蓟谕瑯拥母褡?。不過在這一領(lǐng)域,以公鑰為模板來制作私鑰是極其困難的事情。
然而,一些網(wǎng)絡(luò)安全專家對于NIST如此倚重這類后量子加密技術(shù)的事實(shí)感到十分驚訝。這是因?yàn)?,盡管這種基于格子的問題在數(shù)學(xué)層面上十分難解,而且與RSA不同的是,它并不容易被肖爾的算法破解,但并沒有證據(jù)表明,這類技術(shù)從數(shù)學(xué)層面來講就能夠徹底防范基于量子計算機(jī)的攻擊。英格蘭約克大學(xué)的網(wǎng)絡(luò)安全教授德拉拉姆?卡羅貝伊說:“雖說現(xiàn)在的量子算法還無法破解它們,但說不定明天就會有人拿出用于破解的量子算法?!?/p>
卡羅貝伊稱,令她感到失望的是,來自于其他門類的潛在后量子算法并未進(jìn)入公鑰加密競賽的決選名單。這其中包括多變量加密,它取決于解答復(fù)雜二次方程式系統(tǒng)的難度(還記得高中算術(shù)中那些方程式嗎?);以及卡羅貝伊自己的研究領(lǐng)域——基于群的密碼學(xué)。這種密碼學(xué)基于另一種數(shù)學(xué),涉及通過結(jié)合要素來轉(zhuǎn)化一組數(shù)字,通常按照精心制作的幾何樣式,例如編織形狀。一位來自于多變量加密門類的候選者開發(fā)了名為Rainbow的算法,而且的確進(jìn)入了競賽數(shù)字簽名部分的決選名單,另一個名為GeMSS的算法在該競賽中被選為候補(bǔ)算法。
NIST決選名單中唯一非格子后量子加密候選者來自于稱之為基于代碼算法的密碼學(xué)門類。這類算法設(shè)計會在數(shù)據(jù)中添加某些錯誤信息,例如在經(jīng)典的加密方式中人們會將字母向后移動兩位進(jìn)行加密,也就是A變成C,B變成D,以此類推。然后在解密這個信息的過程中會將這種錯誤糾正過來。NIST選擇的后量子算法稱之為Classic McEliece,它取名于上個世紀(jì)70年代末由數(shù)學(xué)家羅伯特?麥克阿里斯發(fā)明的糾錯代碼算法。它會隨機(jī)向每一條加密信息添加錯誤信息,從理論上來講,如果不知道秘鑰的話是無法破解的。
Post-Quantum Group的聯(lián)合創(chuàng)始人兼首席執(zhí)行官安德森?程說:“麥克阿里斯的系統(tǒng)已經(jīng)存在了41年,而且一直遭到密碼界的攻擊,但未發(fā)現(xiàn)任何漏洞?!?Post-Quantum Group是一家總部位于倫敦的網(wǎng)絡(luò)安全公司,其合作方為芝加哥伊利諾伊大學(xué)的知名密碼學(xué)專家丹尼爾?伯恩斯坦領(lǐng)導(dǎo)的團(tuán)隊(duì)。在NIST的長篇決選名單中,Classic McEliece算法便是二者合作的成果。
2019年,德國聯(lián)邦信息安全辦公室(German Federal Office for Information Security)擔(dān)心NIST在這個流程中花的時間過長,因此推薦Classic McEliece作為候選的兩個后量子加密標(biāo)準(zhǔn)之一。(另一個來自于NIST候補(bǔ)名單,采用的是格密碼方法。)安德森?程稱,他懷疑NIST與德國政府一樣,最終會批準(zhǔn)兩套標(biāo)準(zhǔn),即Classic McEliece和其中一種格密碼方法。
安德森說,McEliece算法唯一的缺點(diǎn)在于,該方法使用的秘鑰相對較長,而且算法計算十分復(fù)雜,意味著與其競爭對手網(wǎng)格化方法相比,計算機(jī)需要更多的時間來加密、解密信息。安德森還說:“速度會慢幾毫秒。”但他說,在交換公鑰時(這也是算法的主要用途),這個方法實(shí)際上依然要比RSA快。
盡管像IBM、英特爾和芯片制造商ARM這樣的知名科技公司的研究人員也參加了比賽,尋找防范量子破解的加密算法,但值得一提的是,參加NIST競賽的網(wǎng)絡(luò)安全公司相對來說較少。Post-Quantum是參加競賽的多家初創(chuàng)企業(yè)之一,這些初創(chuàng)公司將受益于邁向新一代加密技術(shù)的舉措。
卡羅貝伊稱,她預(yù)計市場上將涌現(xiàn)一大批新公司,幫助實(shí)現(xiàn)后量子加密的商業(yè)化,就像RSA成為過去30年網(wǎng)絡(luò)安全領(lǐng)域的主導(dǎo)者一樣。RSA成立于1982年,旨在實(shí)現(xiàn)RSA算法的商業(yè)化。
安德森說,Post-Quantum Group成立于2009年,曾幾何時,要讓首要銀行和企業(yè)的首席信息安全官和首席信息官嚴(yán)肅對待量子計算機(jī)的威脅對于公司來說是一件很難的事情。然而他說,NIST競賽引發(fā)了其遲來的關(guān)注。他說:“如今他們意識到自己得在18個月的時間內(nèi)采取行動,而且也開始發(fā)出疑問:‘自己能做什么?’”(財富中文網(wǎng))
譯者:馮豐
審校:夏林
在過去10年的很長一段時間中,網(wǎng)絡(luò)安全專家一直在警告一個正在逼近的威脅:量子計算機(jī)的面世。
這些使用量子物理來編譯信息的機(jī)器在未來的某一天將變得足夠強(qiáng)大,繼而破解當(dāng)前使用最廣泛的編譯系統(tǒng),并導(dǎo)致幾乎所有的數(shù)字通訊手段失去其安全性。
人們一直在問,這一天什么時候才能到來。最常見的數(shù)字加密技術(shù)RSA誕生于1977年,它基于兩個大素數(shù)之商。其中的一個破解辦法就是弄清楚這兩個大素數(shù)到底是多少。1994年,數(shù)學(xué)家皮特?肖爾發(fā)明了一種算法,如果將其交由算力足夠強(qiáng)大的量子計算機(jī)來運(yùn)算,則可以輕易破譯這兩個素數(shù)。然而在當(dāng)時,量子計算機(jī)依然停留在純理論階段。
第一臺能夠工作的量子計算機(jī)誕生于十多年前。然而,大多數(shù)量子計算機(jī)要么在設(shè)計之初便并非用于運(yùn)行肖爾的算法,要么就是沒有足夠的算力來計算異常龐大的素數(shù)對。網(wǎng)絡(luò)安全專家擔(dān)憂的量子計算機(jī)黑客時代還遠(yuǎn)未到來,有人估計至少還得等25年,而且當(dāng)時還存在著更加緊迫的威脅。
然而好景不再。去年,谷歌稱自己已經(jīng)實(shí)現(xiàn)了所謂的“量子霸權(quán)”里程碑,打造了一臺量子計算機(jī),它可以執(zhí)行傳統(tǒng)計算機(jī)無法開展的計算,并運(yùn)行相當(dāng)長的一段時間。
谷歌的這臺機(jī)器依然無法破解RSA。然而,量子硬件制造的快速進(jìn)步,再加上算法方面些許高明的調(diào)整,意味著肖爾的算法迫使RSA退出歷史舞臺的時代已經(jīng)大幅提前。專家稱,如果幸運(yùn)的話,我們可能還有十幾年的時間為數(shù)據(jù)隱私保護(hù)工作添磚加瓦。然而,一些人認(rèn)為最多還有五年的時間,甚至可能更短。
2016年,美國國家安全局(U.S. National Security Agency)發(fā)布了一則嚴(yán)重警告:政府機(jī)構(gòu)和公司必須“立即采取行動”,開始轉(zhuǎn)而使用能夠防范量子計算機(jī)攻擊的新加密標(biāo)準(zhǔn)。唯一的問題?沒有人知道這個加密標(biāo)準(zhǔn)到底長什么樣。
正是基于這個原因,全美標(biāo)準(zhǔn)與技術(shù)研究所(NIST)在大約三年前便開始舉行比賽,以選出一種可以抵御量子計算機(jī)攻擊的新加密技術(shù)。該研究所隸屬于美國商務(wù)部(U.S. Department of Commerce),負(fù)責(zé)向政府和企業(yè)推薦其常用標(biāo)準(zhǔn)。
這些新“后量子”加密和數(shù)字簽名方法將有可能成為美國各政府部門以及眾多與政府做生意的企業(yè)必須強(qiáng)制采取的標(biāo)準(zhǔn),尤其是國防和情報部門。有鑒于美國市場的規(guī)模,它們很有可能成為一種新的全球安全標(biāo)準(zhǔn)。NIST如今很快將選出獲勝的加密算法,并借此邁入網(wǎng)絡(luò)安全新時代。
今年7月,這家負(fù)責(zé)標(biāo)準(zhǔn)的機(jī)構(gòu)宣布,經(jīng)篩選,候選者清單從最初的82個縮減至依然較長的15個,在主要決賽選手中,有4名來自于加密學(xué),3名來自于數(shù)字簽名領(lǐng)域,它們均使用密碼來驗(yàn)證電子信息和文件的真實(shí)性。(8名候補(bǔ)選手也將參加決賽輪。)NIST稱,它將在未來18個月之內(nèi)宣布最終獲勝者,并將其作為新加密標(biāo)準(zhǔn)。
因此,NIST的這個長篇候選清單描述了一個什么樣的網(wǎng)絡(luò)安全未來?其實(shí),它很有可能涉及人們所稱的基于格的密碼技術(shù)。競賽中四分之三的決賽選手都采用了這個門類的算法。
基于格的密碼技術(shù)依靠的是柵格化等間隔點(diǎn)的獨(dú)特數(shù)學(xué)特性,又稱格密碼。由于這些點(diǎn)的間隔相等,事實(shí)在于,人們只需要柵格的兩個坐標(biāo)便能夠計算出同一格子中所有的點(diǎn)。然而,如果格子存在數(shù)千個維度,而且如果格子中各點(diǎn)之間的角度與直角偏差過大,那么弄清楚任何特定點(diǎn)是否都處于格子中將是一件十分困難的事情。人們已經(jīng)制定了一系列加密機(jī)制,以利用這些特性來打造可以共同協(xié)作的公鑰和私鑰,因?yàn)樗鼈兌蓟谕瑯拥母褡?。不過在這一領(lǐng)域,以公鑰為模板來制作私鑰是極其困難的事情。
然而,一些網(wǎng)絡(luò)安全專家對于NIST如此倚重這類后量子加密技術(shù)的事實(shí)感到十分驚訝。這是因?yàn)?,盡管這種基于格子的問題在數(shù)學(xué)層面上十分難解,而且與RSA不同的是,它并不容易被肖爾的算法破解,但并沒有證據(jù)表明,這類技術(shù)從數(shù)學(xué)層面來講就能夠徹底防范基于量子計算機(jī)的攻擊。英格蘭約克大學(xué)的網(wǎng)絡(luò)安全教授德拉拉姆?卡羅貝伊說:“雖說現(xiàn)在的量子算法還無法破解它們,但說不定明天就會有人拿出用于破解的量子算法?!?/p>
卡羅貝伊稱,令她感到失望的是,來自于其他門類的潛在后量子算法并未進(jìn)入公鑰加密競賽的決選名單。這其中包括多變量加密,它取決于解答復(fù)雜二次方程式系統(tǒng)的難度(還記得高中算術(shù)中那些方程式嗎?);以及卡羅貝伊自己的研究領(lǐng)域——基于群的密碼學(xué)。這種密碼學(xué)基于另一種數(shù)學(xué),涉及通過結(jié)合要素來轉(zhuǎn)化一組數(shù)字,通常按照精心制作的幾何樣式,例如編織形狀。一位來自于多變量加密門類的候選者開發(fā)了名為Rainbow的算法,而且的確進(jìn)入了競賽數(shù)字簽名部分的決選名單,另一個名為GeMSS的算法在該競賽中被選為候補(bǔ)算法。
NIST決選名單中唯一非格子后量子加密候選者來自于稱之為基于代碼算法的密碼學(xué)門類。這類算法設(shè)計會在數(shù)據(jù)中添加某些錯誤信息,例如在經(jīng)典的加密方式中人們會將字母向后移動兩位進(jìn)行加密,也就是A變成C,B變成D,以此類推。然后在解密這個信息的過程中會將這種錯誤糾正過來。NIST選擇的后量子算法稱之為Classic McEliece,它取名于上個世紀(jì)70年代末由數(shù)學(xué)家羅伯特?麥克阿里斯發(fā)明的糾錯代碼算法。它會隨機(jī)向每一條加密信息添加錯誤信息,從理論上來講,如果不知道秘鑰的話是無法破解的。
Post-Quantum Group的聯(lián)合創(chuàng)始人兼首席執(zhí)行官安德森?程說:“麥克阿里斯的系統(tǒng)已經(jīng)存在了41年,而且一直遭到密碼界的攻擊,但未發(fā)現(xiàn)任何漏洞?!?Post-Quantum Group是一家總部位于倫敦的網(wǎng)絡(luò)安全公司,其合作方為芝加哥伊利諾伊大學(xué)的知名密碼學(xué)專家丹尼爾?伯恩斯坦領(lǐng)導(dǎo)的團(tuán)隊(duì)。在NIST的長篇決選名單中,Classic McEliece算法便是二者合作的成果。
2019年,德國聯(lián)邦信息安全辦公室(German Federal Office for Information Security)擔(dān)心NIST在這個流程中花的時間過長,因此推薦Classic McEliece作為候選的兩個后量子加密標(biāo)準(zhǔn)之一。(另一個來自于NIST候補(bǔ)名單,采用的是格密碼方法。)安德森?程稱,他懷疑NIST與德國政府一樣,最終會批準(zhǔn)兩套標(biāo)準(zhǔn),即Classic McEliece和其中一種格密碼方法。
安德森說,McEliece算法唯一的缺點(diǎn)在于,該方法使用的秘鑰相對較長,而且算法計算十分復(fù)雜,意味著與其競爭對手網(wǎng)格化方法相比,計算機(jī)需要更多的時間來加密、解密信息。安德森還說:“速度會慢幾毫秒?!钡f,在交換公鑰時(這也是算法的主要用途),這個方法實(shí)際上依然要比RSA快。
盡管像IBM、英特爾和芯片制造商ARM這樣的知名科技公司的研究人員也參加了比賽,尋找防范量子破解的加密算法,但值得一提的是,參加NIST競賽的網(wǎng)絡(luò)安全公司相對來說較少。Post-Quantum是參加競賽的多家初創(chuàng)企業(yè)之一,這些初創(chuàng)公司將受益于邁向新一代加密技術(shù)的舉措。
卡羅貝伊稱,她預(yù)計市場上將涌現(xiàn)一大批新公司,幫助實(shí)現(xiàn)后量子加密的商業(yè)化,就像RSA成為過去30年網(wǎng)絡(luò)安全領(lǐng)域的主導(dǎo)者一樣。RSA成立于1982年,旨在實(shí)現(xiàn)RSA算法的商業(yè)化。
安德森說,Post-Quantum Group成立于2009年,曾幾何時,要讓首要銀行和企業(yè)的首席信息安全官和首席信息官嚴(yán)肅對待量子計算機(jī)的威脅對于公司來說是一件很難的事情。然而他說,NIST競賽引發(fā)了其遲來的關(guān)注。他說:“如今他們意識到自己得在18個月的時間內(nèi)采取行動,而且也開始發(fā)出疑問:‘自己能做什么?’”(財富中文網(wǎng))
譯者:馮豐
審校:夏林
For much of the past decade, cybersecurity experts have been warning of a looming threat: the advent of quantum computers.
These machines, which use principles of quantum physics to represent information, will one day be powerful enough to crack the most widely used encryption systems, rendering almost all digital communication insecure.
The question has always been exactly when that day would arrive. The most common digital encryption technique, RSA, which was invented in 1977, is based on multiplying two large prime numbers. One way to break it is to figure out what those two large primes were. In 1994, mathematician Peter Shor invented an algorithm, that if run on a sufficiently powerful quantum computer, would easily find these two primes. But at the time, quantum computers were still purely theoretical machines.
The first working quantum computers were built over a decade ago. But most were either not designed in a way that would allow them to run Shor’s algorithm. Others were simply not powerful enough to do so for a very large prime multiple. The moment when cybersecurity experts would have to worry about quantum computer-equipped hackers seemed a long way off—at least a quarter century by some estimates—and there were far more pressing threats.
But not anymore. Last year, Google claimed it had achieved a milestone known as “quantum supremacy,” having built a quantum computer capable of performing a calculation that could not be done on a traditional computer in a reasonable length of time.
Google’s machine is still unable to break RSA. But the rapid progress in building quantum hardware along with some clever advancements in algorithms mean the timeline for Shor’s algorithm rendering RSA obsolete have been moved up considerably. If lucky, we may have more than decade of data privacy protection left, experts say. But some think we have at best five years—maybe less.
In 2016, the U.S. National Security Agency issued a stark warning that government agencies and companies "must act now" to begin moving to a new encryption standard that is safe from quantum computer-based attacks. The only problem? No one was sure exactly what that encryption standard should be.
That’s why the National Institute of Standards and Technology (NIST), an agency with the U.S. Department of Commerce that is responsible for recommending standards that are often adopted by both government and business, began a competition almost three years ago to select new encryption techniques that would be resistant to attacks from quantum computers.
These new “post-quantum” encryption and digital signature methods will likely become mandatory for all U.S. government departments and for many companies that do business with the government, especially in defense and intelligence. Because of the size of the U.S. market, they are also likely to become the new global security standard. NIST is now on the verge of picking the winning encryption algorithms—and ushering in a new era in cybersecurity.
In July, the standards agency announced that it had winnowed an initial group of 82 candidates down to a long-list of 15, including four main finalists for encryption and three for digital signatures, which use cryptography to verify whether electronic messages and documents are authentic. (Eight alternates will advance to the final round as well.) NIST has said it will announce its final endorsements for a new encryption standard within the next 18 months.
So what does the NIST long-list tell us about the future of cybersecurity? Well, there’s a good chance that it will involve something called lattice-based cryptography. Three of the four encryption finalists come from this family of algorithms.
Lattice-based cryptography is based on the unique mathematical properties of grids of evenly-spaced points, or lattices. Because the points are evenly spaced, it turns out that from just two coordinates of the grid it is possible to compute all the points within the same lattice. But figuring out whether any given point is in the lattice can be difficult if the lattice is in many thousands of dimensions and if the angles between points in the grid are far from perpendicular. A number of encryption schemes have been created that use these properties to create a public key and a private key that work together—because they are calculated from the same lattice—but in which it is extremely difficult to derive the private key from the public key alone.
But some cybersecurity experts are surprised that NIST has leaned so heavily towards this kind of post-quantum encryption. That’s because while lattice-based problems are mathematically difficult and, unlike RSA, are not susceptible to Shor’s algorithm, they have not been mathematically proven to be impervious to a quantum computer-based attack. “We say that quantum algorithms cannot break them yet,” Delaram Kahrobaei, a professor of cybersecurity at the University of York, in England, says. “But tomorrow someone comes up with another quantum algorithm that might break them.”
Kahrobaei says she is disappointed to see that candidates from other families of potential post-quantum algorithms did not make it onto the final list for the public key encryption competition. This includes multivariate cryptography, which is based on the difficulty of solving systems of complex quadratic equations (remember those from high school algebra?), and group-based cryptography, which is the area that Kahrobaei herself works on. It is based on yet another area of mathematics involving transforming a set of numbers by combining elements, often according to elaborate geometric patterns, such as braids. One candidate from the multivariate cryptography family, an algorithm called Rainbow, did make onto the list of finalists in the digital signature portion of the competition, and another, called GeMSS, was selected as an alternate in that contest.
The only non-lattice post-quantum encryption candidate among the NIST finalists comes from a cryptographic family known as code-based algorithms. These all involve adding some sort of error to data—like a classic code where you shift the alphabet over two letters so that A is encoded as C and B as D, and so on. This error is then corrected to decrypt the message. The post-quantum algorithm NIST has chosen is called Classic McEliece, named for an error-correcting code algorithm invented by mathematician Robert McEliece in the late 1970s. It applies a different random error to each piece of information that’s encoded—which in theory makes it impossible to break without knowing the key.
“McEliece’s system has been around for 41 years and been attacked by the crypto community for all that time without finding a vulnerability,” Andersen Cheng, the co-founder and chief executive officer of Post-Quantum Group, a London-based cybersecurity company that joined forces with another team, led by Daniel Bernstein, a noted cryptographer at the University of Illinois in Chicago, to work on the Classic McEliece submission that made it to the long list of NIST finalists.
In 2019, the German Federal Office for Information Security (BSI), concerned that the NIST process was taking too long, recommended the Classic McEliece as one of its two recommended post-quantum encryption standards. (The other was a lattice-based method that is among NIST’s alternate candidates.) Cheng says he suspects that NIST, like the German government, will ultimately endorse two standards—Classic McEliece and one of the lattice methods.
The only drawback of the McEliece algorithm, Cheng says, is that the relatively lengthy keys the method uses, and the computational complexity of the algorithm, means it takes more time for a computer to encrypt and decrypt information than with its lattice-based competitors. “It’s slower by a few milliseconds,” Cheng says. But he says that for exchanging public encryption keys—which is mostly what the algorithm would be used for—the method is still actually faster than RSA.
While there are researchers from established tech companies, such as IBM, Intel, and the chipmaker ARM, involved in the race to find quantum-secure encryption algorithms, what’s notable is how relatively few established cybersecurity firms are contenders in the NIST contest. Post-Quantum is among several startups that entered the competition—and which are poised to profit from the move to a new generation of encryption.
Kahrobaei says she expects a host of new companies to spring up to help commercialize post-quantum encryption, just as RSA Security—the company that was founded in 1982 to commercialize the RSA algorithm—became a dominant player in the cybersecurity space for the past three decades.
Cheng says that Post-Quantum Group, which was founded in 2009, once struggled to get chief information security officers and chief information officers at major banks and corporations to take the threat of quantum computers seriously. But, he says, the NIST process has belatedly focused their attention. “Now they know they have to do something in 18 months-time and they are starting to ask questions, ‘what can they do?’ ” he says.