A Thing
The Green SheetGreen Sheet

The Green Sheet Online Edition

August 08, 2022 • Issue 22:08:01

Editing Paytech DNA - Part 2

By Dale S. Laszig

Everything about digital commerce is evolutionary, down to its most fundamental binary code. This series delves into the frameworks and building blocks of payment technologies that adapt and even mutate in response to emerging opportunities and threats. Part 1 explored algorithms and cryptographic key infrastructures. Part 2 will look at how innovative security experts are editing these technologies to create a new generation of post-quantum cryptography (PQC).

Quantum computers calculate at dizzying speeds, raising concerns among security professionals about the impenetrability of existing algorithms and cryptographic key infrastructures. The National Institute of Standards and Technology does not view quantum computing attacks as a near-term threat but is nevertheless reviewing proposals it requested for standardizing quantum-resistant algorithms. NIST disclosed fourth round finalists on July 5, 2022, setting an Oct. 1, 2022 deadline for modifications to those submissions.

"Some engineers [predict] that within the next twenty or so years sufficiently large quantum computers will be built to break essentially all public key schemes currently in use," NIST wrote. "Historically, it has taken almost two decades to deploy our modern public key cryptography infrastructure. Therefore, regardless of whether we can estimate the exact time of the arrival of the quantum computing era, we must begin now to prepare our information security systems to be able to resist quantum computing."

Cracking PKI

Andrew Deignan, global vice president of marketing at MagTek, agreed quantum computing threatens public key infrastructure (PKI), which uses public and private asymmetric keys. "PKI begins with two asymmetric keys, where one is private and the other is public," he said. "The public key can be easily shared with the world, almost like a telephone directory. The private key is kept secret by its owner; [both keys] are large prime numbers that work together with factoring."

Deignan went on to say factoring large prime numbers is difficult for today's PCs, but a quantum computer could rip through millions of possibilities in minutes. This technology, when available, will make data or keys that use PKI encryption schemes vulnerable, he said, because it would enable hackers who know a public key to quickly determine a private key and decrypt files, and secret keys exchanged by the PKI method would also become untrustable.

Deignan called NIST's prediction of large-scale PKI attacks a very real, spine-chilling threat to all the data and keys we think of as protected today that could be exposed tomorrow. "Hackers are stealing encrypted data now but they are not trying to decrypt it now," he said. "They are waiting for quantum computers to become available so they can expose the data later. 'Steal now, decrypt later' is an immediate threat, especially for, but not limited to, massive amounts of data stored in the cloud. These threats are most likely to be acted upon, first by foreign governments and then by well-funded international threat actors."

Standardizing PQC

The ultimate goal of post-quantum cryptography, also called quantum-resistant cryptography, is to develop "cryptographic systems that are secure against both quantum and classical computers, and can interoperate with existing communications protocols and networks," NIST representatives wrote when inviting candidates to enter the competition and help standardize PQC.

Marc Punzirudu, senior director, North America at SISA, has observed the NIST competition with interest, along with cryptographers, computer scientists, mathematicians and infosec stakeholders. "It has been like watching a boxing match, with FrodoKEM getting knocked out in the third round," he said, while pointing out that numerous submissions have merit and should not be disregarded simply for losing a NIST match.

Punzirudu further noted that NIST is evaluating three types of encryption schemas: code-based, multivariate based and lattice-based. NIST selection criteria, which includes security, cost/performance, and implementation, may disqualify algorithms with high computational costs or complex implementations that are viable in some environments and use cases, he said.

"This isn't a 'be-all, end-all' decision making process," Punzirudu said. "We'll see continual research into new methodologies to protect information, supplement existing encryption, and develop new code, lattice, or multivariate-based schemes for as long as there are advancements in computing."

Driving PQC compliance

Sam Pfanstiel, Ph.D., principal, industry solutions at Coalfire, expects the payments industry to continue its march toward PQC integration, standardization and compliance. He noted that for the past couple of years, before Ralph Poore's retirement as head of emerging standards and cryptography at the PCI Security Standards Council (PCI SSC), the organization's Encryption Task Force convened frequently "to discuss PQC, as well as other factors affecting cryptographic security." He offered the following additional observations:

  • Cardholder data: Cardholder data has a shorter lifespan than other sensitive data, thus where other industries must take precautions and be aware of risk associated with illicit capture of encrypted transmissions now and decryption by quantum computers later, this threat has less impact in general on cardholder data.

    "Having said that, while the PCI SSC has primarily concerned itself with the protection of cardholder data and sensitive authentication data, other values in our ecosystem, such as encryption keys themselves, PII, and ePHI have a longer shelf life and thus warrant consideration," Pfanstiel stated.

  • Symmetric key cryptography: Most PCI standard cryptography encrypts data with symmetric keys (TLS ciphers, DUKPT, Master/Session, Zone Control Keys). While symmetric encryption will lose about half its effective strength in a post-quantum world, current minimum key strengths should remain strong enough to provide minimum necessary protection. Initiatives are already underway to increase minimum key strengths.

    "Where asymmetric cryptography is used, e.g., for authentication certificates, application signing, remote key injection, limiting the cryptoperiod of these keys, monitoring the sensitivity protected data, and preparing to adopt post-quantum cryptography will be a topic of interest throughout the payments industry as this date approaches," Pfanstiel noted.

Unpacking quantum physics

As engineers and developers lean into post-quantum cryptography, it may be worth noting that quantum has disrupted the measurable realms of physics and technology, including Newton's and Maxwell's formerly unassailable laws of physics and electromagnetics, respectively. For many scientists and engineers, the idea that any technology can defeat PKI is hard to accept.

In his book, Quantum Reality, Nick Herbert explored the belief, advanced by some physicists, that quantum reality is shaped by the observer. This was an anathema to Einstein, he noted, who famously remarked that he couldn't believe God would play dice with the universe.

"Einstein objected to suggestions to observer-created reality in quantum theory by saying that he could not imagine that a mouse could change the universe simply by looking at it," Herbert wrote. He further noted physicist Hugh Everett III's rebuttal that the observer is affected by the system, not the other way around.

Prof. Gideon Samid, Ph.D., P.E., chief technology officer at BitMint, maintained that quantum physics formulas defy explanation; the scientific community has various theories, but the bottom line is they just work. "People accepted Newton's physics and Maxwell's electromagnetics as the theory of everything," he said. These assumptions were challenged, he noted, by Richard Feynman, a brilliant mathematician and 1965 Nobel Prize in Physics recipient and other physicists who introduced quantum formulas that could accurately predict outcomes.

"Before quantum, the world was looked upon as deterministic," Samid said. "Newton said, if you tell me the location, speed and acceleration of every part of the universe, I can predict how the world will look at any time in the future. But there's no formula that can predict what will happen in the future or what happened in the past – there is only probability."

To further elaborate, Samid said what we know about what happened or what will happen depends on whether we are observing or not observing. In essence, he noted, most of the books you read about quantum will leave you more confused than before you started reading.

Practical quantum applications

While quantum computing may appear to be years away, basic tenets of quantum physics can be seen in MagTek's Qwantum Private Messaging and Vality Corp.'s Keyless Authentication.

Deignan pointed out that MagTek's Qwantum Private Messaging is based on quantum physics, which he described as a new understanding of how light, energy and matter behave that is giving rise to a new generation of super-fast computers.

"Qwantum Private Messaging is the first application built on MagTek's Qwantum platform," he said. "It leverages unpredictable, non-repeatable, verifiable, one-time-use tokens, obtained from a Qwantum Card or a virtual derivative. In fact, the Qwantum Card mimics the physics of quantum mechanics: the output morphs with every use."

Peter Quadagno, co-founder, president and CEO at Vality, described Vality Keyless Authentication as a fraud deterrent solution that leverages quantum randomness to protect against quantum computing attacks, using a patented technology developed by BitMint.

"We use a software language and technology instead of big data analytics and AI, which in the final analysis boils down to probability theory and the manipulation of statistical data," Quadagno said.

Complexity versus randomness

Samid noticed the cryptography schemes presented by NIST's final four candidates attempt to protect public and private cryptography keys from quantum computing attacks by making them more complex. His solution, by contrast, uses software that randomly changes data in ways that are not obvious to users. For example, if a bank requests your name during authentication, you may type it in, and the bank would see it slightly differently than your written name, he noted.

During the pandemic, the BitMint team sought a different strategy to deter quantum computing attackers. According to Samid, they saw COVID defeating everything that humanity was throwing at it, even the most sophisticated vaccines, and they asked, how does this little virus do it? The answer, he said, is mutation: the virus mutates into something different, which the vaccine now has to chase, but by the time it catches up, the virus has mutated again into something entirely new.

"So, we thought, let's be humble and copy from nature," Samid said. "If COVID can do this, BitMint can do this, and we came up with a solution where instead of relying on a single algorithm that quantum computers can crack, we created a solution that keeps switching from one thing to another. In this way, we can stay two or three steps ahead of the competition." end of article

Dale S. Laszig, senior staff writer at the Green Sheet and managing director at DSL Direct LLC, is a payments industry journalist and content strategist. Connect via email dale@dsldirectllc.com, LinkedIn www.linkedin.com/in/dalelaszig/ and Twitter @DSLdirect.

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

Prev Next
A Thing