Bracing for a Quantum Leap: Unveiling the Future of Identity Protection

In an era of unprecedented technological advancements, quantum computers stand as the harbinger of a revolutionary paradigm shift. As these powerful machines inch closer to reality, the impact they’ll have on our digital world, especially in the realm of identity protection, cannot be overstated. To delve into this pressing topic, we gathered a panel of esteemed experts for a roundtable discussion on quantum computers, post-quantum cryptography, and their profound effect on the identity market. In this gripping blog post, we present the compelling transcript of this enlightening conversation, as our experts shed light on the potential threats, opportunities, and transformative solutions that will shape the future of identity protection in a quantum-powered world. Join us on this journey of exploration as we navigate through the uncharted territories of quantum computing and its implications for safeguarding our most valuable asset: our identities.

The following conversation was recorded between Steve Atkins, Program Director of the Silicon Trust, and Infineon’s Robert Bach and Frank Ferrandino at Identity Week, Amsterdam, on the 14th June 2023, during an experts’ roundtable on ‘Post Quantum Cryptography for Identity.’ This article is a transcript of the conversation that took place. Some parts have been edited for clarity and reader continuation.

Steve Atkins

First question. What is a quantum computer and what is driving its arrival? 

Robert Bach

Basically, a quantum computer is based on the principles of quantum physics. It was just recently that a couple of quantum computers came to the market. What is a quantum computer? A quantum computer does not work with classical bits but with quantum bits. With classical bits, you have one or zero, but with quantum bits, you have different kinds of situations. I would say a quantum computer can run certain algorithms in a very, very fast way. It cannot completely replace a classical computer. It is not suited to calculate large numbers. But for certain problems, a quantum computer can be used for optimization problems, like finding a way through Amsterdam from one area to the other and incorporating the traffic. A classical computer takes ages, but with a quantum computer, that would be much faster. You can use it for chemistry processes and optimization.

However, there is also the possibility for hackers to use them for cryptanalysis. So with the right algorithms, you can start cracking cryptography. That’s basically a quantum computer. You can do a lot of good things with them, but in the future, as soon as the quantum computer is powerful enough, you can do bad things as well.

Steve Atkins

What’s the driving force for them to be here and keep moving forward?

Robert Bach

I would say one of the driving forces is certainly data-thirsty companies like, for instance, Uber. They need to deal with a huge amount of data located all around the world, everywhere, in some areas. And again, huge databases. Since we are in a time where everything is accelerated, we want to have instant information. We cannot accept that it sometimes takes too long to get some information. For instance, on your GPS, looking for your direction, you need to pick the service that is the fastest possible. When you need to achieve this performance, this drives the need for faster computing processing. It’s of strong benefit for individuals and users and so on. But it also comes along with threats, such as the capability to decrypt this type of secret information. We’re not talking about ID or payment. It’s even beyond that scope. It could be secret information that States need to keep confidential. It could be communication between countries. It could be digitally signed documents.

Steve Atkins

Let’s move on from there. What is post quantum cryptography?

Robert Bach

I think it was the American NIST a couple of years ago, five, six years ago, in 2016, when they really thought quantum computers are a big threat, they started a competition to find cryptography that is safe and resistant against attacks by a quantum computer. So quantum-resistant cryptography. There was a competition, and hundreds of algorithms were started with the investigations. Last year, the first final round of candidates has been published after years of work on the algorithms. Please correct me if I tell something wrong, but the standardization of the algorithms itself is not yet finished. It takes time. I expect it is more or less the end of next year that the algorithms are more or less clear, which are safe against quantum computers. But then the trouble starts, at least for ID documents. Because the major problem with an ID document is, as a government, you take it, you bring it to the market, and it’s out there for 10 years. So even if the quantum computer, which is powerful enough to crack such a document, comes in eight years, the government has a problem because the documents are out in the field, and nobody wants to withdraw the documents, usually.

So that’s the reason why NIST started very early to develop this post-quantum cryptography. By the way, it should not be confused with quantum cryptography. This is the cryptography you run on a quantum computer. Post-quantum cryptography is supposed to run on a document, on an ID card, with limited resources. It’s not a server farm that is running, but it’s in a standard ID card or healthcare card, whatever.

Frank Ferrandino

Maybe two quick remarks on the standardization process. First off, an interesting observation. The German Federal Institute for Information Security decided to standardize their own choice of algorithms in 2019 already, way before the process at NIST has been finished because they already anticipated that it might take some time, and they just wanted to be prepared. They chose two candidates, one of which is now just an optional one from the risk perspective, I believe. So there is some movement in government entities that are way much more for the group. The second observation is one made by theoretical computer scientists. We all know that asymmetric cryptography is not perfect in the sense that we can guarantee it’s secure. But we have so much evidence for classical asymmetric cryptography like RSA and ECC that the consequence would be enormous for a lot of things, especially mathematics. That’s not true for most of the candidates in this process. And as a consequence, maybe some of them have already been broken. So it’s much more difficult to assess and decide if one of these new protocols or toolkit mechanisms is actually secure. It’s a big challenge.

Steve Atkins

One of the elements that appears to have a great deal of relevance is time frame. How long before something was broken? How long before something is standardized? How long before quantum computers actually arrived? Let’s talk a little bit about the time frame for all of this.

Frank Ferrandino

Yes, you’re right. New technology takes time to be adapted.

On that subject, I think as Robert mentioned, we expect, we hope, but we don’t have any control over the timeframe. But at least we will come up with standardization by the end of next year. For the moment, they have selected eight candidates, and four are optional. With the four that have been selected, you have two that are related to the key exchange, and two are related to digital sign up. But the adventure will only start, I would say, once the standard has arrived.

We need to analyze, design, and develop a new solution in the roadmap. And at the same time, I would say that the entire ecosystem will need to adopt this movement. Once the standard is published, we would expect to have some movement at the ICAO level, for instance, because it’s not that you have a standard that is going to be deployed at the ICAO level. If they need to be, let’s say, somehow more sustainable, more-or-less future-proof against quantum computer attacks, they need to work with 140 countries all together, deciding which one will need to be used for biometric passports.

And it’s not only related to our small portion of the big system – which is the security chip – that goes inside the biometric passport, but it goes into the readers also. If you go with your brand new quantum cryptographic ready passport and you want to cross certain borders, are their systems ready? Can they talk together? Can they communicate? Can they exchange keys and can they perform authentication? That’s a new topic and a different story. And this is what will take a lot of time. What could accelerate the technology adoption is the threat and proven attacks on existing security. And for this, I think Robert and I agree that it’s hard to foresee. Some are saying the first attack on quantum computers will be in 2025, some are saying 2030, some 2033. I don’t know how they define these dates, but you need a crystal ball at this moment.

Steve Atkins

Actually, you told me something interesting yesterday: the German government doesn’t think it’s going to happen…

Robert Bach

Currently, the BSI is a little bit more careful. Other experts say it might happen next year because it all depends on the evolution of how fast these quantum computers evolve. If there’s one guy with a technical solution on how to build a quantum computer, perhaps a tiny bit better, then it could happen next year already. But we might even have five years. Maybe we have 10 years or maybe 15 years. Nobody knows. It’s really all about scalability.

There are very different physical approaches on how to actually make a good quantum computer. And some of them might be easily scalable, others not so much. It really depends on which technology works for us.

The knowledge has been there for a while. I was reading that there was an algorithm that was already created and invented in 1996. This is the algorithm that can potentially be used for hacking cryptography and is currently in use. What you can do, as a hacker, is just go to Microsoft, Amazon, Google, IBM, and rent a quantum computer. You can already do it today.

Steve Atkins

Coming back to standardization. I can’t imagine people like RSA really jumping into this subject quickly. Are there going to be different standardization bodies because this is a different area? Who are the standardization bodies that you think are going to be out there?

Frank Ferrandino

It’s a good question. First, I will say NIST, the US National Institute of Standardization and Technology. This is one of them. Maybe they are at the forefront of this selection of algorithms. We, as a security chip provider, also work a lot with the Common Criteria, with external labs like ViVA, among others, and we use neutral external labs where we are proving that our products are secure. So it’s beyond standardization. It’s the Common Criteria that needs to think about the new challenges. So this is a challenge for each and every player in this security ecosystem. At the same time, it’s offering opportunities for adapting to this new situation.

But you’re still going to have physical things to do. You’re still going to have physical attacks. It has to encompass everything.

We need to pay attention to the new attacks, but also bear in mind that our product needs to resist the old attacks. So you need some crypto agility. We talked about this concept. It’s fantastic. You are implementing a Dilithium or Kyber or Lattice-based crypto with your chip and can also sustain all existing attacks that are already known in the new environment. This is a challenge for the production and the designer. From an evaluation point of view, I would guess that the algorithms have to be safe.

Steve Atkins

Do you see from an implementation perspective, new risks related to (for example) side channel analysis, because of this new complexity? That the actual implementation could be more vulnerable?

Frank Ferrandino

The answer is unfortunately a clear ‘yes.’ That would be a challenge because it took us 20 years to really work on the RSA or the curve implementations to really make them secure and then have them tested against all attacks. The new post-quantum algorithms might be good against quantum computers, but against classical attacks, this will be a real learning cycle that we need to adapt to. And not only side channel attacks. We will see attacks on the new algorithms, and nobody really knows how much time it takes to really get that clean. Because it doesn’t work if the algorithm helps against the quantum computer, but you can take a standard computer and crack it in a standard attack or maybe even combine the text where you have the partial knowledge about the case and then leverage the side-channel text.


At our level, what I can say is that we also need to adhere to our boundary conditions in this very specific identity application – primarily, we are limited by power. The amount of power we are getting to in the chips is extremely limited. So we are working on a low-power device. We are also limited by space. In terms of memory, let’s say RAM computing and CPU, we are using and implementing more. This, in turn, will require more resources and security in terms of RAM and memory consumption.

Robert Bach

I’d just like to circle back a little bit. Really, in terms of physical components, quantum computing is a threat, but it’s a real threat to things like digital signatures.

Let’s give you two examples. If you have a passport or an ID card, there are a couple of protocols inside which should protect and ensure that no hacker can listen to the conversation between the card and the reader. There’s a PACE protocol, partial protocol, which of course, as a hacker, you can try to attack and that’s a risk to the user, definitely. But that’s not the biggest catastrophe that can happen. What happens if you have an ID card with a signature? You can track that signature without even having the document in hand, and then you can re-use the identity of a person in the digital space. The quantum computer does not do a physical attack on the chip. It’s okay if you just have the public key and try to retrieve the secret key with a quantum computer. That’s one of the main risks in the documents. Consequently, the hacker can use this new identity to create physical damage. They can create a fake ID and use it to contract a loan, cross a border, or whatever.

Steve Atkins

So, then the growth of digital identity wallets could be a significant area for attack? Do you see them being threatened by quantum computing attacks?

Frank Ferrandino

I think one difference is that they are at least easily updated compared to physical documents in the field. Of course, technically it can be done. It might be just a nightmare to do so. It might be cheaper to just recollect the documents and reuse them on a mobile phone that tends to be online. At least, you can more easily update or exchange the two of them.

What we see is that it brings convenience. Digital identity wallet, ID in the cloud, virtual ID – the capabilities to prove your identity without using physical ID cards. But we see more, ideally, the complementarity of usage. So you need an ID document which is issued by a government where security is effectively secured. And for, let’s say, the digital identity wallet and so on, we need to adapt to because they are becoming part of this ecosystem. So they will need to adapt to the new situation. And of course, updateability is a question mark and security is a question mark. So how it is, let’s say, about design. It’s anticipated that it is inbuilt and updateable to circumvent future attacks. But it’s also a question for us. We talk a lot at this moment about the in-field update because we know once the security chip is released in the field, you cannot modify anything.

And now you are opening the door to the question of risk. About having the possibility to change the security, the possibility to deinstall and reinstall certain data? And there is also the topics of standardization at the moment. I know there are proprietary solutions here and there, but we need to offer this to our customers to solve their problems in a more standardized way.

Steve Atkins

What would an organization have to do to take their operations to this higher level of security? To guard against this kind of attack?

Robert Bach

I think a lot of governments have started to become aware of the topic. As you said, some of the security institutions like BSI or ANSSI in France are quite aware. Governments hear more and more about this subject. But knowing a topic and starting to act on it, that is really a huge step. Currently, governments do not react or act on the topic; they’re not yet in the preparation phase. What we believe, even if standardization is finished and your ICAO protocols are defined, how do they roll out a new ID card? You cannot say, “Tomorrow, I will switch on quantum secure to post-quantum cryptography.” It doesn’t work if you take your passport and then go to another country, say from the Netherlands (where they perhaps have used post-quantum cryptography in their documents) to France, where perhaps it’s not accepted because they don’t understand the new security updates. The same goes for national projects, national ID cards or so, where you first have to update the infrastructure as well. And in the worst-case scenario, because these cross-quantum algorithms are so new, you have to run it in a hybrid way that you bring out documents, integrate the classical cryptography as of today, implement the new version, and then at a later stage, decide to switch on the new security level.

This needs preparation in terms of when the next tender is coming out, what is my upgrade cycle in the infrastructure, what are my time plans, and so on. If you don’t start preparing now, it might then be too late.

Indeed, this hybrid approach is one of the most discussed ones, especially in terms of the client’s structure of issuing certificates that can be based on classical algorithms as well as the cost of timing. You can run into a lot of different problems. So let’s say one of these mechanisms is broken, do you go through the complete certification, how do you embed it, and if governments only use one of these solutions, then it’s not a fully secured solution. There is no easy complete solution, so finally you end up with a hybrid solution.

Steve Atkins

I still can’t decide whether quantum computing should be seen as a revolution or simply an evolution. And I sometimes wonder if some of these companies and governments can’t decide either. So if it’s an evolution, they will just add to their current security process. For a revolution, they have to think completely differently. That is then a completely new level of standardization, a completely new set of protocols and procedures that they have to develop. It took years before we went from criteria 4 to 6, and if we look at something like that again, it’s going to take a long time.

Robert Bach

To complement what you are saying, technology is moving faster than government decisions. Governments together take a long time to decide. There is a political time which is much longer, and there is a technology time which is much faster. To add to that, what we are observing now is Europe, where they are completely behind when it comes to artificial intelligence. So instead of having companies or people that are generating AI and working actively on it, we are more tempted to regulate things that are coming from elsewhere.

Frank Ferrandino

Yeah, Europe is much better at regulating other continents. So regulation, by putting rules in place, instead of embracing the technological movement and contributing to and benefiting from it. It will take a while before common sense sees there is a need for a better arrangement. What I foresee is that for political, soft power reasons, you will have early adopters that will want to showcase that they are the first. It’s a different behavior. It’s more human and emotional. It’s not rational. It’s not about technological implementation or a conservative approach to analyze, define the process, and then engineer the stuff. Rather it will be, “Okay, we want to be the first to launch post-quantum cryptography identity documents.” This is what I’ve seen in my discussions with some governments, having this vision from the top.

Steve Atkins

These days, the financial sector would appear to have more push in terms of innovation than in governmental sectors. They have both the financial resources and the need to innovate as quickly as possible. They are the new risk takers. What are your thoughts?

Robert Bach

It’s a good point. What I saw is that there is a payment card association that published a white paper on this topic. Surprisingly, they have a conservative approach, and they suggest a step-by-step implementation, and their recommendation is to go to AES first. Then once things are getting more mature, jump to the next step. But their recommendation is to jump to a higher security with what is currently existing today.

Frank Ferrandino

They are in a lucky situation that payment cards are out there for three years, and then they’re out of the field. That’s a complete difference from government documents. The payment industry works on a far shorter time frame. They are on a shorter time frame and also in terms of transactions, the transaction is very fast. There’s a certain threshold to meet. When it comes to contactless payments, we’re talking about 300 milliseconds.

In the payment industry, when you look at fraud and you have an attacker, it’s the single cards or transactions. It’s not so interesting. What is interesting is something on a larger scale. What you observe, for instance, in France with the payment card, the Carte Bleue, is that it is not fraud – it’s more identity theft. This identity theft then generates illegal payment transactions. I think the banks there need to pay very close attention to their KYC (Know Your Customer). Some of them are not so vigilant, like new online banks, who want to generate business very quickly. So they’ve been somewhat less careful with the KYC, meaning there have been significant transactions that were not legal. And they’re generating losses for the bank.

Robert Bach

Maybe this is something I think governments underestimate. There’s another point in ID; it’s not just the practical danger of the hack, but the theoretical as well. What do I mean by that? Every ID document given out is certified. The hardware is certified, the operating system is certified, everything is certified. But if you now find an attack, just going to one tiny little piece, the algorithm, the RSA, then the whole product loses the certification. So what do you do as a government then, to give out new ID cards? You cannot give out the existing product. It’s not certified anymore. It wouldn’t work.

So you try to reduce uncertainty. So okay, you pass certain tests and you receive a certificate. Once you achieve that, you’re, of course, very proud that your product is secure as well. But it is secure against a certain list of predefined attacks – named in the certification profile. And with this certificate profile, you try to reduce uncertainty and pre-anticipate the list. But over time, new attacks are coming out, and it’s not necessarily anticipated and ready in the security profile. This agility and flexibility are very challenging because you can have a certificate against certain attacks, but there is no 100% proven security. Even if we go for the best of the best we can, there is no system that is 100% secure against quantum attacks.

Frank Ferrandino

It’s not related to identity documents or identity solutions. There is no required monitoring on the product. It’s a national regulation that requires monitoring. I think in France, there is monitoring on a manual basis for ID documents. But for other countries, it’s a checkbox requirement. That’s true. Other countries, there are a couple that are monitored or regularly reassessed, such as France and Germany and others. But there is no pan-European regulation for ID document monitoring.

There are, however, different qualities of certification. Obviously, in France, there are NHSI, NSSI, Agence Nationale, etc. They are extremely strong and demanding. BSI in Germany is the same. But if you certify in another country, maybe you get a little bit of tiny difference that makes you pass with your product. But if it would be in a more demanding environment, it does not pass. But at least with quantum computers, it’s quite easy.

We do not know when the quantum computer is powerful enough and has enough stable qubits, but we know once it’s there, then it’s very clear the algorithms are hacked and cannot be used anymore. But then it’s not evolutionary like with the old algorithms; then it’s really revolutionary. Yeah, to answer your question, Steve, it will be more revolution. Yes, governments are used to this evolutionary step. Each year they need to go from 1K to 1.5K. Now 2K RSA, 4K RSA. But with the quantum computer, there will be a switch at a certain point in time.

Steve Atkins

Looking at ID from a tangent – what about the Internet of Things? This ecosystem needs to be secured, and an attack here can be far more personally invasive. But it always seems to be a battle between convenience and security on very separate devices. Do you have any thoughts on this as we begin to see ID offered on different devices too?


Frank Ferrandino

Oh, good question! We don’t always consider IoT security. In IoT, you have connected objects that communicate together. When you have providers, with new usage, the developers offer a use case that brings a benefit that is based on convenience first. Then they think later about security. This is exactly what happened in the Internet of Things. You connect objects together; it brings some benefits. You have your “Hey Google” at home. You have, let’s say, baby phones that you put in the room of the kids, but then hackers can use them to spy on you and so on. These are connected. So you think about the user bringing this service to individuals, but you don’t think at the beginning of the development process about security. Security comes after, later, and it’s not pre-embedded in the design of the new application right from the beginning.

This is it because it’s not actually in the entire process. Everybody has their own little bit of hardware, little bit of software, etc. And then you try to add security by software. And then they have to work together to make it. There is a certain level of security, but it’s more the convenience usage that is the main benefit offering in the application.

Robert Bach

Which gets us back to implementing those quantum-secure algorithms on different devices. Again, I’d say it’s maybe easier on a mobile phone just because you have more resources available. But then again, if you look at a high Evaluation Assurance Level, it mostly requires secure hardware again, and we are back to a smartwatch or an ID document type of environment. And there it’s much harder to implement the current candidates for quantum crypto. Very simply, if you take any look at any document outside in the world, there’s no chip outside today that would be capable of running post-quantum cryptography.

Not a single chip. The reason is quite simple. The resourcefulness of the chip is not big enough. Yes, you can run the post-quantum cryptography, but then a transaction at the border will take 30 seconds and not three seconds. And you don’t want 30 seconds at the border. So there needs to be a change in the hardware. And this also applies to the IRIS wallet implementations, at least if you look at the higher security assurance because then you need to have some secure hardware and not only rely on the phone, and then you have the same constraints.

We have developed a first product, but it’s more on the TPM side. It’s just a platform module that goes into a computer. It’s called OPTIGA, and we have implemented a post-quantum security for camera update, which relies on XMSS. This is already available, but that’s only for a few more updates in case administrators want to update.

Technically, it’s possible to develop a chip running post-quantum cryptography. The products or the silicon would be there to implement, but there’s nothing out yet in the market. Technical demonstrations? Yes. Rollout or even just a pilot? Not yet. It’s still very far out.

Steve Atkins

What I’ve taken away from this so far, if that’s correct, is that quantum cryptography is coming. When, no one is sure, but it is coming. And the current system approach is not going to be sustainable for that. Secondly, quantum computing will affect things beyond documents. It’s going to be digital signatures. It’s going to be identity at the data level, not necessarily just the actual hardware level. Thirdly, the transition is going to take time and adoption, so start thinking now, and plan on how to take preparations. Anybody like to add anything else?

Robert Bach

It’s a pretty good summary.

You can see and hear Robert Bach explain Quantum Computing and expand on Post Quantum Cryptography by watching the video on the subject, right here on this site. Follow the link to find out more.

For further information on Post Quantum Cryptography and Infineon’s part in this new technology, please visit: https://www.infineon.com/cms/en/product/promopages/post-quantum-cryptography/
