The recent instance of China hacking India’s power grid underscores an unmissable fact: The neighbouring country’s ability to do cyber-harm. That leaves India’s industry and defence vulnerable to cyber attacks. The advent of quantum computing worsens the threat.
With fully functional quantum computers, our secrets are no longer secrets. The details of your invention, no matter how deeply encrypted, are accessible. The new buzzword in the industry is Y2Q, or years-to-quantum, an allusion to how close we are to the world of quantum computing. By some accounts, Y2Q is zero, because QC is already here. IBM, Rigetti and Google claim they already have quantum computers.
Quantum computers use the principles of quantum mechanics, the essence of which is that a particle (or energy) can exist in more than one state at the same time. For example, if you beam a photon onto a semi-reflecting mirror, it will begin to exist in two states — reflected and transmitted — until you look. But the moment you look, it will ‘collapse’ into one of the two states. Don’t ask how — that’s how it is. Quantum computers therefore have more options to play with than just the 0s and 1s of classical computers. Hence, they can do calculations that overwhelm today’s best — exascale — classical computers.
Such powerful monsters can cut open all your encrypted data — because today’s encryption technologies are based on ‘public key infrastructure’ (PKI), the mathematical principle behind which is the fact that it is very hard to factorise a very large (thousands of digits) prime number. (Just for fun, try to find two numbers whose product is 99991 — other than, of course, 1 and 99991.)
In the post-quantum world, today’s cryptography is a joke. It is against this backdrop that a fairly new area of expertise is gaining ground: ‘Post-quantum cryptography (PQC)’, sometimes called ‘quantum-resistant cryptography’. This is the science of protecting your data even from the all-powerful quantum computers.
Post-quantum cryptography is not to be confused with ‘quantum cryptography’, which uses quantum principles for encryption-decryption. Quantum key distribution (QKD) is the quantum cryptography tool that is used more often. QKD and PQC do the same function, explains Vivek Shenoy, Chief Technology Officer, QNu Labs, an IIT-Madras incubated, Bengaluru-based company offering quantum-based products and services. The difference is, PQC, like the existing PKI-based encryption technology, cannot be mathematically proved to be safe, even though in practice it is safe. In a way, PQC is a challenger to QKD — people got on to QKD first because PQC was still emerging.
PQC is getting global attention. Attacks from quantum computers are a real threat. The European Union Agency for Cybersecurity (Enisa) warns that the first fully functional quantum computers may not even be publicly announced — the owners will just use them. Secondly, experts warn of ‘harvest now, decrypt later using quantum computers’ approach, by hackers. Enisa stresses that securing data is an urgent need.
In February, there were two important reports from Enisa and Cloud Security Alliance (CSA).
There are many approaches to PQC. The Enisa report lists five most promising ones: Code-based, hash-based, multivariate-based, lattice-based and isogeny-based. The CSA report dug into existing research papers and found that most of the work for PQC is being done in lattice-based mathematics. A lattice, like the Eiffel tower, has several nodes (joints), each of which can be mathematically expressed in terms of others.
Shweta Agrawal , associate professor in the computer science and engineering department of IIT Madras, specialises in PQC. The recipient of the 2020 Swarna Jayanti Fellowship of the Department of Science and Technology, Government of India, Agrawal is developing quantum-resistant cryptosystems — something that is of critical importance to Indian industry and the armed forces. She says there is growing awareness of the importance of this field in academia and the government, but the country is still in the early stages. The industry, she told Quantum , needs to make itself quantum-safe.
Now, PQC has more uses than as a safety ring. For instance, people can vote from home using a computer or mobile phone. You can make the process hack-proof, while also ensuring secrecy of the ballot.
Another application is what is called ‘obfuscation’. You can encrypt your algorithm and put it out in the open so that anybody can use it but nobody can see it.
Furthermore, you can encrypt and store your data on the cloud without the fear of it being hacked. “Using post-quantum, lattice-based cryptography, we can design methods to encrypt genomic data, run medical research algorithms on them and decrypt the results to learn the efficacy of a certain medicine, or the connection between certain genomic patterns and diseases, while hiding any other information about the user’s data,” says Agrawal.
There is a clutch of start-ups in India engaged in quantum-related products and services, such as QuLabs, QNu Labs, QpiAI Tech, Automatski, Quantica Computacao, QRDLab, and Taqbit Labs — none of these is into post-quantum cryptography. Work in this area seems to be happening more in academia with little linkage with industry, although industry is the biggest potential consumer of PQC. The sooner awareness builds, the better would it be.