Crypto Security Solution: Things You Need To Know

Unless you’re living under a rock, you will have heard about the rising cyber threat. And it’s no wonder when you consider that more and more people have adopted cloud infrastructure, remote working due to Covid-19 is still prevalent, and people who feel a bit desperate or vulnerable because of the pandemic are more likely to fall for phishing scams.

In fact, 106 security breaches were recorded in June 2021 in the UK alone. That’s without considering all of the potential unrecorded ones too… 

But if that’s not enough to worry about, tech industry giants like Google, Microsoft and IBM are now saying that quantum computing is just on the horizon. Think the next 5-10 years, possibly even sooner! Whilst that might sound exciting, it also means that we’ll be facing the reality of a crypto-security threat. In the wrong hands, quantum technology could give cybercriminals the power to break encryption as easily as snapping a twig. Scary stuff.

This is especially worrying for those invested in blockchain-based cryptocurrencies that rely on ECC (Elliptic Curve Cryptography) for authentication, like Bitcoin and Ethereum, since ECC could easily be broken by a criminal with access to quantum technology. How? Let’s take Bitcoin as an example.

Unlike banks, Bitcoin is a decentralized peer-to-peer system, meaning the processes and transactions are mediated by the users themselves. Bitcoin users generate random private keys and public addresses using complex algorithms to perform transactions and keep them secure. Currently, cryptographically secure private keys are the ONLY thing standing between cybercriminals and users’ funds. If quantum supremacy makes it possible to crack this encryption, then it’s game over for cryptocurrency as we know it.

According to Jaya Baloo, the vice-chair of the Quantum Flagship initiative, quantum computing has the potential to be even bigger than the computing revolution. This is why we need to act now to roll out quantum-secure encryption, such as quantum key distribution, to avoid any adverse effects and protect the cryptocurrency world.

Then there are some who think that crypto security has only become a hot topic because those who wish to profit from selling quantum solutions are using scaremongering tactics to overhype the threat.

But what even is quantum key distribution?

Quantum key distribution (QKD) is a secure communication method that uses properties found in quantum physics to exchange encryption keys known only to the parties sharing them. It’s done in a way that is provably secure.

The great thing about QKD is that it enables two parties to produce and share a key that is then used to encrypt and decrypt messages. It’s worth remembering that QKD is just the method for getting the key from A to B; it’s not the key itself OR the messages it enables users to send.

What makes QKD different from conventional key distribution is that it uses a quantum system that relies on fundamental laws of nature to protect the data, rather than on mathematics. For example, it’s impossible to create identical copies of an unknown quantum state, which prevents attackers from simply copying the data the way they can today. If an attacker disturbs or even looks at the system, the system will change in a way that only the intended parties involved will know.
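To make the "looking changes the system" point concrete, here is an added Python simulation (not from the original article) of BB84, one well-known QKD protocol that the article itself does not name. It assumes ideal single photons on a lossless, noise-free channel and an eavesdropper who measures and resends every photon; the function names and the 0.11 abort threshold are choices made for this example.

```python
import random

def measure(bit, prep_basis, meas_basis, rng):
    """Same basis: the encoded bit is read back. Other basis: a coin flip."""
    return bit if prep_basis == meas_basis else rng.randint(0, 1)

def bb84_run(n_photons, eavesdrop, seed=1):
    """Simulate one BB84 exchange; return (sifted_key_length, error_rate)."""
    rng = random.Random(seed)              # seeded so the run is repeatable
    sifted = errors = 0
    for _ in range(n_photons):
        a_bit, a_basis = rng.randint(0, 1), rng.randint(0, 1)  # Alice encodes
        bit, basis = a_bit, a_basis        # state travelling down the fiber
        if eavesdrop:
            # Eve cannot clone the unknown state, so she measures in a guessed
            # basis and resends what she saw, prepared in her own basis.
            e_basis = rng.randint(0, 1)
            bit, basis = measure(bit, basis, e_basis, rng), e_basis
        b_basis = rng.randint(0, 1)        # Bob picks his basis at random
        b_bit = measure(bit, basis, b_basis, rng)
        if a_basis == b_basis:             # sifting: bases compared publicly
            sifted += 1
            errors += a_bit != b_bit
    return sifted, (errors / sifted if sifted else 0.0)

def key_accepted(error_rate, threshold=0.11):
    """Abort rule: discard the key when sampled errors exceed the threshold.
    The 0.11 default is an illustrative value chosen for this example."""
    return error_rate <= threshold

if __name__ == "__main__":
    for eve in (False, True):
        n, qber = bb84_run(20000, eavesdrop=eve)
        print(f"eavesdropper={eve} sifted={n} qber={qber:.3f} "
              f"accepted={key_accepted(qber)}")
```

With no eavesdropper the sifted keys match exactly; with one, roughly a quarter of the sifted bits disagree, which is what the two parties detect when they compare a sample of the key.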

So, now that we know what QKD is, how do you make sure you don’t slip up on some snake oil?

It’s all in the implementation. A company may have perfected a quantum protocol, but if someone can perform memory analysis on a given system, then the QKD could be compromised. Unfortunately, this is something that companies producing this tech are not taking on board. Currently, there’s a gap between an ideal QKD implementation and a real system. You can’t put theory into practice without making compromises.

Then we also need to consider the hardware limitations, which some QKD systems try to get around by sending single photons down low-loss fibers. Although photons can travel quite far before being absorbed, the data exchange rate falls off before they have travelled far enough. Interestingly, Terra Quantum claims it has found a way to do this over distances of up to 40,000 kilometers (yes, that is the circumference of the Earth), but technically this makes it no longer quantum, not secure and not even practical.

All signals require amplification devices, which not only implies a ubiquitous global change to the telecoms network; these devices are also all trusted nodes, and we can’t practically relay or switch quantum channels without trusting the nodes. Electronic switches are as vulnerable as any digital device. And these fiber cables are trusted nodes themselves, which means they would have to be measured in every spur of the network. So, not only does this render the architecture pointless because there’s no security proof, it also implies a 100% change to all of the fiber and switching infrastructure in the world. I don’t know about you, but that sounds very expensive and time-consuming to me.

Some companies, like Cambridge Quantum Computing, are even suggesting using post-quantum algorithms for signatures, but this is also incredibly insecure. Any mathematical algorithm will eventually be compromised by a quantum attack. It’s not a matter of if, but when. As government and banking users know, the only way to be secure is to use the globally standardized AES-256 algorithm and find a way to distribute the keys securely.

So, what do you do in the face of the looming quantum computing cyber threat? 

Whilst it might seem like there’s a barrage of crypto security companies ready to sell you snake oil solutions by the gallon, the best way to avoid falling victim to bogus claims is to do your research! Approach crypto-security solutions logically and you’re likely to uncover loopholes within them should there be any. The last thing you want is to onboard a solution that cannot effectively protect you against the crypto security threat.