Just got an opportunity to write a blog on PQShield, and I’m delighted for several reasons. Happy to work with a company based in Oxford and happy to work on a quantum computing-related topic, which you’ll find I will be getting into more deeply over coming months. (Need a little relief from a constant stream of AI topics.) Also important, I enjoy connecting technology to real world needs, things everyday people care about. Mastercard has something to say here.

Security is visceral when it comes to our money
I find in talking about and writing about security in tech that, while we all understand the importance of security, our understanding is primarily intellectual. Yes, security is important, but we don’t know how to monetize it. We do what we can, but we don’t need to get ahead of the game if end-user concern remains relatively low. As an end-user I share that view – until I’m hacked. As happened to my credit card a few weeks ago – I saw a charge at a Panda Express in San Francisco – a 3-hour drive from where I live. The card company removed the charge and sent me a new card. Happily it’s been years since I was last hacked. But what if hacks could happen every year, or month, or week?
In their paper, Mastercard describe malicious actors using a “Harvest Now, Decrypt Later” attack paradigm: building a giant pool of encrypted communications and keeping it in storage until strong enough decryption mechanisms become available. We are not aware that data we care about is in the hands of bad actors because nothing bad has happened – yet. This is not a theoretical idea. The possibility already exists for systems using DES, RSA-1024 or weaker mechanisms, which is why most, though maybe not all, weak systems have been upgraded.
The stronger threat comes from quantum computing (QC). You might think that QCs are just toys whose small qubit counts can’t handle real jobs. That view may be outdated. IBM already have a one-thousand usable qubit computer, Google is planning for a one-million qubit system and who knows what governments around the world can now reach, especially in hacking hotbeds.
OK, you counter, but these are very specialized systems. Governments don’t want to hack my credit cards (though I’m not sure I’d trust that assertion). But it doesn’t matter. To build demand, QC centers provide free or moderate-cost access to their systems. All you have to do is download an algorithm, maybe from the dark Web, to factor large integers. Then you can break RSA-encrypted messages using Shor’s or similar algorithms.
In fairness, recent estimates suggest that RSA-2048 may not be broken before 2031. But improvements in quantum error correction are already bringing that date closer. We really can’t be certain when that barrier will be breached. Once it is, the floodgates will open thanks to all that harvested encrypted data. That breach will affect not only credit cards but all electronic payment systems and, more generally, financial systems. Our intellectual concern will very rapidly become a visceral concern if we are not prepared.
PQShield and quantum-resistant encryption
Mastercard mentions two major mechanisms to defend against quantum attacks: post-quantum cryptography (PQC) and quantum key distribution (QKD). QKD offers theoretically strong guarantees but is currently viewed as a future solution, not yet ready for mass deployment. The Mastercard paper reinforces this position, citing views from multiple defense agencies and the NSA. More immediate defenses are based on PQC, for which PQShield offers solutions today.
Several algorithms have been proposed, which NIST is supporting with draft standards. Importantly, National Security System owners, operators and vendors will be required to replace legacy security mechanisms with CNSA 2.0 for encryption in classified and mission-critical networks. CNSA 2.0 defines a suite of standards for encryption, hashing and other objectives.
The NIST transition plan projects urgency. New software, firmware and public-facing systems should be upgraded in 2025. Starting in 2027, all new NSS acquisitions must be CNSA 2.0 compliant by default. By 2030 all deployed software and firmware must use CNSA 2.0 signatures, and any networking equipment that cannot be upgraded with PQC must be phased out. The Mastercard paper talks about plans in other regions which seem not quite as far ahead, though I expect EU enthusiasm for tech regulation will quickly address that shortfall.
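The practical first step behind both the “Harvest Now, Decrypt Later” discussion and the CNSA 2.0 timeline is a crypto inventory: which systems still rely on factoring or discrete-log schemes, and for which of them does the data need to stay secret beyond the date a capable quantum computer might arrive. The script below is an added illustration of that triage, not code from the post, Mastercard or PQShield. It assumes an allowlist that reflects my reading of the CNSA 2.0 suite (AES-256, SHA-384/SHA-512, ML-KEM-1024, ML-DSA-87, LMS and XMSS), uses the 2031 estimate quoted above as an adjustable break year, applies Mosca’s inequality (data shelf life plus migration time exceeding the years until a capable quantum computer means the data is exposed), and runs over a constructed inventory rather than real systems.

```python
"""Crypto inventory triage for a quantum-safe migration.

Added illustration, not code from the post, Mastercard or PQShield.
Assumptions: the allowlist is my reading of CNSA 2.0 (AES-256,
SHA-384/SHA-512, ML-KEM-1024, ML-DSA-87, LMS and XMSS); BREAK_YEAR uses the
2031 estimate the post quotes for RSA-2048; the exposure rule is Mosca's
inequality (shelf life + migration time > years until a capable quantum
computer means the data is at risk); the inventory below is constructed.
"""
from dataclasses import dataclass

TODAY_YEAR = 2025          # assumption: year the assessment is run
BREAK_YEAR = 2031          # estimate quoted in the post; treat as a parameter

# Algorithms CNSA 2.0 allows (my reading of the suite, not from the post).
QUANTUM_SAFE = {"AES-256", "SHA-384", "SHA-512", "ML-KEM-1024", "ML-DSA-87", "LMS", "XMSS"}
# Public-key schemes whose security rests on factoring or discrete logs:
# Shor's algorithm breaks these, so traffic keyed by them is HNDL material.
QUANTUM_BREAKABLE = {"RSA-1024", "RSA-2048", "RSA-4096", "DH-2048", "ECDH-P256", "ECDSA-P256"}
# Already broken or deprecated classically; no quantum computer required.
CLASSICALLY_WEAK = {"DES", "3DES", "RSA-1024", "MD5", "SHA-1"}
NONE = "n/a"               # marker for a role an asset does not use


@dataclass
class Asset:
    name: str
    key_exchange: str            # protects confidentiality: the HNDL-relevant role
    signature: str               # protects authenticity at the time of use
    cipher: str
    data_shelf_life_years: int   # how long the protected data must stay secret
    migration_years: int         # realistic time to replace this system's crypto


def algorithm_findings(asset: Asset) -> list[str]:
    """Return one finding per algorithm that is not on the allowlist."""
    findings = []
    for role, alg in (("key_exchange", asset.key_exchange),
                      ("signature", asset.signature),
                      ("cipher", asset.cipher)):
        if alg == NONE or alg in QUANTUM_SAFE:
            continue
        if alg in CLASSICALLY_WEAK:
            findings.append(f"{role}: {alg} is classically weak; replace immediately")
        elif alg in QUANTUM_BREAKABLE:
            findings.append(f"{role}: {alg} is quantum-breakable; plan PQC replacement")
        else:
            findings.append(f"{role}: {alg} is not on the allowlist; review")
    return findings


def hndl_at_risk(asset: Asset, today_year: int = TODAY_YEAR,
                 break_year: int = BREAK_YEAR) -> bool:
    """Mosca's inequality applied to the confidentiality path only.

    Recorded ciphertext can only be decrypted later if its key exchange is
    breakable; a quantum-breakable signature enables future forgeries but
    does not expose traffic that was already captured.
    """
    if asset.key_exchange not in QUANTUM_BREAKABLE | CLASSICALLY_WEAK:
        return False
    years_until_break = break_year - today_year
    return asset.data_shelf_life_years + asset.migration_years > years_until_break


def triage(inventory: list[Asset]) -> dict[str, dict]:
    """Map each asset name to its algorithm findings and HNDL exposure."""
    return {a.name: {"findings": algorithm_findings(a), "hndl_at_risk": hndl_at_risk(a)}
            for a in inventory}


# Constructed sample inventory (not real systems).
SAMPLE_INVENTORY = [
    Asset("legacy-batch-gateway", "RSA-1024", "RSA-2048", "3DES", 10, 3),
    Asset("card-auth-tls", "ECDH-P256", "ECDSA-P256", "AES-256", 7, 2),
    Asset("short-lived-telemetry", "ECDH-P256", "ECDSA-P256", "AES-256", 1, 2),
    Asset("firmware-signing", NONE, "LMS", NONE, 0, 0),
    Asset("pqc-pilot", "ML-KEM-1024", "ML-DSA-87", "AES-256", 7, 0),
]

if __name__ == "__main__":
    for name, result in triage(SAMPLE_INVENTORY).items():
        flag = "AT RISK" if result["hndl_at_risk"] else "ok"
        print(f"{name:24} HNDL: {flag}")
        for finding in result["findings"]:
            print(f"    - {finding}")
```

The split between `algorithm_findings` and `hndl_at_risk` is deliberate: the telemetry feed uses the same P-256 key exchange as the card-authentication link and gets the same replacement finding, but its data is stale within a year, so under the assumed 2031 horizon it is not a harvest-now target, whereas the seven-year card data is. Moving `BREAK_YEAR` earlier, as improving error correction might, shifts assets from the second category into the first without changing the code.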
PQShield is already well established in PQC. This is a field where customer deals are unlikely to be announced, but other indicators are promising. Their PQCCryptoLib-Core is in “Implementation Under Test” testing at NIST. They are in the EU-funded Fortress project. They have partnered with Carahsoft Technologies to make quantum-safe technology available to US public sector companies. And they have published multiple research papers, so you can dig into their technology claims in detail.
Fascinating company. You can learn more HERE.