datahacker Blog

Google Just Blew a Giant Hole in Cryptography. Your Privacy is Next.

One of the realities of massive corporate conglomerates such as Google is that, whether you like them or not, they are perfectly positioned to push forward the technological and ethical boundaries of society. Change is at times a necessary evil, if you will. Is it not? Where would we be without Henry Ford, Steve Jobs, Bill Gates, Elon Musk, Steve Case, Richard Branson and others challenging our societal norms? Yet there is no evolution without conflict. There's no free lunch.

While the world is grappling with data privacy regulations, who owns personal data, and what is "personal" to begin with, scientists are hard at work developing systems that could make those regulations obsolete in short order. Welcome to the age of quantum computing.

In case you haven't heard, Google published a paper in Nature (October 24, 2019) regarding an experimental quantum computer. The gist of the article and announcement is that Google has successfully built and tested a real quantum computer. This is a huge deal because it elevates the concept of quantum computing from theory to practice. Google proved quantum computers are not science fiction. They are real.

Naturally, the naysayers came out of the woodwork quickly. Notably, IBM was very quick to issue claims that look like canned responses its product marketing department probably had lying in wait for months. Damage control. Mind you that IBM's website is chock full of buzzwords trying to convince you how great the company is and that it's on top of quantum computing like nobody's business. Yet, here Google has (literally) put its money where its mouth is and delivered an actual device that lives up to the hype.

What IBM is questioning is not whether or not Google succeeded in building a working quantum computer. Instead, IBM is attempting to poke holes in Google's claims of what it accomplished. However, the reality is it doesn't matter. The cat is out of the proverbial bag.

It doesn't matter whether Google's particular claim to fame is valid or not. What matters is the damn thing works! That is the real wake-up call here. Quantum computing has arrived.

Google's article in Nature makes it clear that Google's engineers have no illusions about this. They acknowledge this is simply the first step, but then again that is why their effort is truly groundbreaking. You can think of this as the evolution of the modern PC (Personal Computer). Compare the fastest PCs of today to the very first PCs in the early 1980s. There is no comparison. It's a startling difference in capabilities. Quantum computers are likely to replay that history.

What Do Quantum Computers Have to Do with Privacy?

Plenty.

The key differentiator of quantum computing is its ability to walk and chew gum at the same time. Quantum physics frees us from binary states. In a traditional computer, the smallest data point is a bit. A bit has two (2) states. It is either on (1) or off (0). A bit can have only one state at any given time. Like a light switch; it's either on or off. This means in a traditional computer, a calculation may test only one thing and produce only one outcome per operation. That's not so with quantum computing.

A quantum computer runs via qubits or quantum bits. A qubit is the smallest basic unit of data in a quantum computer. What's so special about qubits? They can have any of three (3) states: on, off, or both on and off. At first, this doesn't sound particularly earth-shattering and for small scale equations, it's not. However, when you begin to apply the math at large scales then something amazing happens. The time it takes to solve equations drops dramatically. Exponentially. More like exponents of exponents orders of magnitude faster. Why? Because of the ability of a qubit to hold simultaneous states. When you propagate this capability across many layers of qubits, it means the quantum computer is able to solve permutation problems incredibly quickly. This is due to its ability to solve multiple permutations in a single operation. By being able to evaluate multiple outcomes simultaneously, the time to solve a problem drops dramatically.

Throwing the Baby Out with the Bath Water

The net effect of this fact is disturbing from the standpoint of cryptographic ciphers. What this effectively means is the time to break a cipher closely approaches the time to create a cipher. If you applied the same logic and used a quantum computer to create a long, random cryptographic key, it would be only slightly faster than the process required by a similar quantum computer to break your key, simply by trying every possible permutation.

Quantum computing will usher in a new world for cryptography. It tips the scales in favor of the attacker - someone or something trying to break encryption. Quantum computing turns crypto on its head.

While there is no immediate threat (and in fact a real threat is at least years away), in order to attain the same level of confidentiality we are currently accustomed to, the industry will need to develop better systems of keeping secret the details of shared keys. At the moment, a number of key exchange algorithms function well in spite of the fact the key exchange parameters are shared in plain text and over unencrypted connections between remote network peers. This is feasible for now because even if a malicious actor learns the algorithm method, if the right algorithms are used it is virtually impossible for the malicious actor to crack the encryption before the network peers have moved on to a new key. However, if the key could be hacked in a considerably quicker timeframe, such as about the same amount of time it took to create the key in the first place, then obviously that key would be obsolete. This is the reality of quantum computing. Its dawn is a wake-up call for the IT Security industry. Over time, obfuscation will likely play a greater role in protecting anonymity and confidentiality compared to today where the focus is on encryption. But if one can crack encryption almost as quickly as the encryption key can be generated, then that is no longer a viable method of protection. I'm pointing out why quantum computers are a game changer.
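The arrangement described above, as an added example that is not part of the original post: a Diffie-Hellman style exchange in which every parameter crosses the wire in the clear, next to the exhaustive search an observer would have to run to recover the key. The moduli and function names are constructed for illustration and are deliberately tiny; the step count is the work the key's lifetime is measured against.

```python
import secrets

def dh_public(p, g, private):
    """Value a peer sends in the clear: g^private mod p."""
    return pow(g, private, p)

def dh_shared(p, peer_public, private):
    """Key each peer derives locally; it never crosses the wire."""
    return pow(peer_public, private, p)

def eavesdropper_recover(p, g, a_pub, b_pub):
    """Exhaustive search for x with g^x == a_pub (mod p), using only
    values visible on the wire. Returns (shared_key, steps_tried)."""
    acc = 1
    for x in range(p - 1):
        if acc == a_pub:
            return pow(b_pub, x, p), x + 1
        acc = (acc * g) % p
    raise ValueError("a_pub is not a power of g modulo p")

def demo(p, g):
    """One exchange plus the eavesdropper's search, random private values."""
    a = secrets.randbelow(p - 3) + 2   # private exponents in [2, p-2]
    b = secrets.randbelow(p - 3) + 2
    a_pub, b_pub = dh_public(p, g, a), dh_public(p, g, b)
    key_a = dh_shared(p, b_pub, a)
    key_b = dh_shared(p, a_pub, b)
    stolen, steps = eavesdropper_recover(p, g, a_pub, b_pub)
    return key_a, key_b, stolen, steps

if __name__ == "__main__":
    # Constructed toy moduli (both prime); real groups are thousands of bits.
    for p in (10007, 1000003):
        key_a, key_b, stolen, steps = demo(p, 2)
        print(f"p={p}: peers agree={key_a == key_b}, "
              f"eavesdropper correct={stolen == key_a}, steps={steps}")
```

The peers pay a handful of modular exponentiations regardless of the modulus, while the observer's search grows with it; rotating keys faster than that search can finish is the protection the paragraph relies on.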

Faster Quantum Computers = Weaker Privacy

Consider for a moment that in this day and age, the resources required to construct and operate a quantum computer are gigantic. Just as the cost and scale of PCs was dramatically reduced over time, in the future privacy may become a very one-sided equation. Those with quantum computers targeted toward cracking encryption will have the deck stacked and hold most of the cards.

Privacy enthusiasts will have to create more robust methods of protecting and disguising encryption keys. It's not just about computing power anymore. That is a losing battle unless you are the one controlling the quantum computer. There's no point in trying to defeat it. It is a fruitless path. The only way forward will be creating new methods of data protection.

Currently, the Internet is designed around a networking architecture model where data is split into chunks that can be forwarded in any order and recompiled in chronological order. However, with each packet marked as such, any actor intercepting the packets in transmission is able to piece them back together in the correct order. This means given sufficient quantum computing resources, it is conceivable a message could be captured in transit and reconstructed even without full knowledge of which encryption algorithm was used, and the original message could be discerned.

How can that be? Imagine there is a limited number of possible ciphers used in transmitting encrypted data across the Internet. If one is able to identify the network protocol enveloping data in transit (e.g. IPsec's ESP or a GRE tunnel), one can then discern the standard of encryption for that protocol. Now you know the type of data transmitted and the collection of possible ciphers. By knowing how each possible cipher is constructed, it is conceivable a quantum computer could solve for every possible iteration using a brute force attack in a relatively short period of time. And were a malicious actor capable of such a feat, it would also likely be capable of storing any and all such intercepted transmissions for an indefinite period of time. For if one has the resources to operate a quantum computer, one likely has the resources to store vast amounts of data ad infinitum, until such time as the quantum computer analyzes the stored data.

Rent-a-Quantum Computer: A Hacker's Dream

Taking these concepts one step further, imagine a point in time where one could rent quantum computing services. This is already a reality in cloud computing and containerization. This same genre is where quantum computing is most likely to manifest itself in terms of mainstream use. First, we can expect state actors and very large corporations to have the resources to acquire and/or build their own quantum computing systems. Secondary to that, we will likely see a high demand from research institutes and eventually private citizens to utilize shared computing models of processing power, just as we see currently in "the cloud."

This evolution will make it feasible for anyone to become a hacker when it comes to breaking current cryptographic models. Indeed, the dawn of a new age is upon us for privacy controls, and it's not a bright one. It is downright scary.