Four new defenses against quantum codebreakers

By Eric Geller

Presented by American Edge Project

With help from Derek Robertson

The Gaithersburg Campus of the National Institute of Standards and Technology, which is coordinating research on post-quantum cryptography. | Shutterstock

The ability to pay for something with a credit card online is something we now take for granted, but in the not-too-distant future, quantum computers might be able to crack the encryption that protects these payments from spies and cyber criminals.

The encryption-breaking power of these quantum computers, while likely still decades away, already has the National Security Agency worried about the United States’ enemies accessing classified secrets.

As we’ve reported in this newsletter, multiple arms of the federal government are trying to find fixes.

The House of Representatives today passed a bill aimed at accelerating the government’s use of encryption algorithms that quantum computers would struggle to break with currently known methods, in part out of fear that an adversary might “steal sensitive encrypted data today using classical computers, and wait until sufficiently powerful quantum systems are available to decrypt it.”

In May, President Joe Biden issued a national security memorandum declaring that a powerful quantum computer would “jeopardize civilian and military communications, undermine supervisory and control systems for critical infrastructure, and defeat security protocols for most Internet-based financial transactions.”

Nobody knows for sure if such a quantum computer is five years away, 20 years away or a dream that will never be realized. But the National Institute of Standards and Technology is coordinating efforts to develop new encryption algorithms so that the government will be ready. On July 5, NIST announced the selection of the first four of those algorithms.

“We're not waiting for something to be broken,” Matthew Scholl, the chief of NIST’s Computer Security Division, told me in an interview a few days before the announcement.

Quantum computers aren’t superior to classical ones in any general sense, but they can (in theory) quickly solve particular types of problems, including breaking large numbers into their prime factors. (It’s a lot easier to figure out that 101 * 167 = 16,867 than to reverse that calculation, and factoring quickly gets tougher as numbers grow larger.) Much of the so-called “public key” cryptography used today, which makes it easy for anyone to send a message which only the intended recipient can read, relies on the fact that it’s hard to factor large numbers.

NIST’s post-quantum cryptography project is an attempt to fix this vulnerability. The agency has been winnowing down 69 algorithm submissions over the past six years, all in the hope of finding an encryption standard that can stand up to quantum computers and work with a wide variety of equipment.

Of the four algorithms that NIST approved this month, one, CRYSTALS-KYBER (named for the minerals that power lightsabers in Star Wars ), is used to securely create and share encryption keys. The other three — CRYSTALS-Dilithium (named for the spaceship power source in Star Trek), FALCON and SPHINCS — are digital signature schemes, used to verify that the sender and recipient of a message are who they claim to be.

The idea is to create a basket of algorithms, both to provide for alternatives if a vulnerability is discovered in one of them and to accommodate systems that have limited computing capacity.

Other algorithms are still under review, and NIST plans to publish its post-quantum cryptographic standard, comprising the complete basket of algorithms, in 2024.

NIST is working with international partners to win global support for the eventual standard, which would increase the number of tech companies that use it — or perhaps slight variations on it — instead of waiting for other countries to develop competing standards.

This global upgrade is a daunting task.

The good news is that software updates from a handful of major tech companies, including Google, Microsoft and Apple, will ripple out to a colossal number of computers, web browsers and gadgets. The bad news is that many smaller vendors may not know or care about the transition. Also problematic: many companies still operate aging, specialized equipment beyond the reach of vendors’ remote patches.

NIST is developing guidance to help these companies understand their risks and prepare for the transition, and DHS’ Cybersecurity and Infrastructure Security Agency is using its relationships with key industries to assist hospitals, power plant operators and other organizations whose specialized functions require custom hardware.

Biden’s memorandum set a goal of “mitigating as much of the quantum risk as is feasible by 2035.” NIST believes it’s on track to do this.

“We are certainly preparing for it more so than any other cryptographic transition we've done before,” Scholl said.

A message from American Edge Project:

Voters Focused on Inflation – Not Breaking Up Tech 

Midterm voters’ top priorities for Congress are inflation (88%), national security (86%), and jobs (85%). 84 percent of voters agree “there are other, bigger problems facing the United States, we should not be focused on breaking up U.S. tech companies right now .” Read more from our poll in partnership with Ipsos.

Rep. Jake Auchincloss (D-Mass.) | Jonathan Wiggs/Boston Globe/Associated Press

As institutional Silicon Valley money flows to Web3 businesses, more legislators are paying attention to the nuts and bolts of crypto policy — and sketching out partisan positions accordingly.

Rep. Jake Auchincloss (D-Mass.) joined a Twitter discussion with Andreessen Horowitz partner Chris Dixon and general counsel Miles Jennings to discuss the regulatory landscape around stablecoins, the proposed Gillibrand-Lummis crypto bill, and the partisan valence of crypto policy ahead of a likely upcoming switch in control of the House.

"The GOP is pretty sympathetic to crypto,” Auchincloss said. “The center-left is figuring it out…unfortunately, and I think without a whole lot of justification, the progressive left has become quite hostile.”

When it comes to actual legislation, Auchincloss was open-minded about whether the broad approach of the Gillibrand-Lummis bill or more targeted legislation for issues like stablecoins (as in a bill introduced earlier this year by Sen. Bill Hagerty (R-Tenn.) would be more appropriate, saying he’d support both approaches as one of the small, but growing number of legislators focusing on crypto policy.

He also voiced skepticism about the idea that stablecoins could somehow supplant or weaken the dollar — arguing that “the myth of the decline of the dollar has been punctured” by the recent market downturn. — Derek Robertson

The European Union is taking its own close look at the metaverse, and finding that the dawn of a new technology might require revisiting some old policy solutions.

A recent report from the EU’s parliamentary research body warns of the “opportunities, risks, and policy implications” involved with the metaverse’s development. The main concerns include:

• Competition: Powerful incumbents might use metaverse “interoperability” — the ability for virtual goods and identities to be durably transported across different platforms — to entrench themselves, and the report recommends merger regulation or antitrust legislation as potential tools to combat interoperability’s manipulation as a means to consolidate corporate power.
  
• Data protection: As we’ve covered here at DFD, virtual reality devices create a vast new frontier of potential data collection. The report points out that the EU’s General Data Protection Regulation might need to eventually be revised to address VR.
  
• Health: “Addictions to social media and online gaming as a form of escapism already exist, but the metaverse can reinforce them,” the staffers for the European Parliament’s in-house think tank write, recommending close attention to content moderation.

The report also describes policy implications for liability, financial transactions, and cybersecurity — all as the EU prepares for another showdown with Facebook, the metaverse’s most public, and deep-pocketed, proponent. — Derek Robertson

A message from American Edge Project:

• SpaceX is fighting the FCC, and the telecom industry, over spectrum access for its Starlink satellites.
  
• A Chinese phone manufacturer is experimenting with glasses-based displays for its phones.
  
• The religious fervor of some Bitcoin enthusiasts can become… well, actually religious.
  
• Robots aren’t even close to being finished remaking manufacturing and logistics.
  
• Try a beach read that imagines a world where actually sentient AI has transformed society.

Stay in touch with the whole team: Ben Schreckinger (bschreckinger@politico.com); Derek Robertson (drobertson@politico.com); Konstantin Kakaes (kkakaes@politico.com);  and Heidi Vogt (hvogt@politico.com). Follow us on Twitter @DigitalFuture.

If you’ve had this newsletter forwarded to you, you can sign up here. And read our mission statement here.

A message from American Edge Project:

From our midterm voter poll in partnership with Ipsos:

74 percent of voters agree that “breaking up U.S. tech companies will only hurt America’s competitiveness on the global stage, at a time when our adversaries are becoming bolder.”

69 percent of voters agree that “breaking up U.S. tech companies threatens our national security by letting China gain a technological upper hand.”

Learn more.

Congressional Vision for Tech Across America – July 21 Event : How can innovation play a role in America’s global economic leadership? On July 21, Rep, Gerry Connolly (D-VA), Rep. Tom Emmer (R-MN), Rep. Trey Hollingsworth (R-IN), Rep. Ro Khanna (D-CA), Sen. Jacky Rosen (D-NV), Rep. Mikie Sherrill (D-NJ) are sharing Congress’ vision for the future of policy and technology surrounding workforce and education at MeriTalk’s MerITocracy 2022: American Innovation Forum. The forum will feature Hill and White House leadership and industry visionaries as they dig into the need for tangible outcomes and practical operational plans. Save your seat here.

Follow us on Twitter

Ben Schreckinger @SchreckReports Derek Robertson @afternoondelete Konstantin Kakaes @kkakaes Heidi Vogt @HeidiVogt

Follow us

To change your alert settings, please log in at https://www.politico.com/_login?base=https%3A%2F%2Fwww.politico.com/settings

This email was sent to by: POLITICO, LLC 1000 Wilson Blvd. Arlington, VA, 22209, USA

Please click here and follow the steps to .