Post Quantum Cryptography: Renewing the last line of defense

In a recent article, Dr. Mathias Kohler, research manager at SAP Security Research, called cryptography the “last line of defense” and warned that quantum computers will be able to break the cryptography currently in use. SAP, one of the biggest software companies in the world, is extensively researching post-quantum cryptography to be prepared for a future of quantum computing. We had the chance to speak with Dr. Kohler about the challenges of quantum computing.

Cybersecurity Magazine: Dr. Kohler, there are already cryptographic algorithms out there, which cannot easily be broken by quantum computers (symmetric keys): Why shouldn’t companies use those algorithms today instead of waiting for quantum research to develop further?

Dr. Mathias Kohler: It is currently assumed that symmetric key encryption such as AES will also be secure after quantum computers are available. However, this requires that the key length used be adjusted accordingly – at least doubled in length. At the same time, this seems a rather minor challenge, and companies indeed should and will continue to use symmetric key cryptography.

However, many use cases today use asymmetric encryption such as the RSA public key cryptography system. For instance, digital signatures employ asymmetric cryptography to verify the authenticity of software updates from a trusted vendor to the receiver. These types of conventional cryptography systems will become increasingly vulnerable once more powerful quantum computers become available.

For instance, with a quantum computer, an attacker could analyze the public key and generate false signatures, impersonating the original private key holder. This scenario shows that companies need to prepare for the adoption and usage of quantum computers and start exploring alternative encryption systems.

Cybersecurity Magazine: Regarding those new algorithms, there have been experiments with IoT devices and different algorithms. Could you give an estimate (or a guess) of which type of algorithm will be the “winning” algorithm when it comes to post-quantum cryptography? Or could it even be the case that there will be different algorithms for different use cases and/or devices?

Dr. Mathias Kohler: New encryption algorithms are currently under investigation by the National Institute of Standards and Technology (NIST). However, it’s too early to predict at this stage which will be the “winning” algorithms.

In the Internet of Things (IoT) environment, the challenge is that post-quantum-safe cryptography seems to have a higher demand for resources due to larger key sizes or computational effort, while there are usually only limited resources available (limited computational power, limited memory, limited energy capacity). For example, lattice-based cryptography involves highly demanding computational operations, and hash-based signatures are significantly larger and require more memory space.

For IoT use cases and in general, it is unlikely that there will be only one candidate for encryption operations. It will probably be required to select the optimal encryption scheme on a case-by-case basis. At SAP Security Research we are looking into the different options currently investigated by NIST to broaden our experience on the potential impact of the new post-quantum-safe encryption schemes.

Cybersecurity Magazine: As blockchain cryptography is (currently) not quantum safe, what would the impact be, taking Bitcoin as an example? To phrase the question a bit provocatively: will all my bitcoin be worthless once quantum computing is there?

Dr. Mathias Kohler: Blockchain is a sequence of blocks, with each block linking to the previous one. Therefore, data residing in blockchains cannot be mutated or removed. This link is created using unique digital signatures based on the above-mentioned asymmetric encryption schemes. One key mechanism of a blockchain is that the longest chain is regarded as the chain with valid transactions.

Should this mechanism of creating a chain with digital signatures be broken by sufficiently powerful quantum computers, the blockchain would lose its immutability and new blocks could be created easily. Potentially, miners could create a second version of the blockchain with an entirely different set of transactions and designate it as the true version of the blockchain, even though it is fraudulent. Hence, the miner would define his own reality of valid transactions.

It is likely that as and when quantum computers become more mature, the signature scheme used within a blockchain such as Bitcoin needs to be changed for it to remain a trusted mechanism for transactions.

Cybersecurity Magazine: In its product portfolio, SAP has some experience with changing cryptographic algorithms – e.g. the ABAP NetWeaver stack used BCODE first, then hash, and finally salted hash, which is – at least for now – considered secure. Relating back to the first question: will SAP wait until quantum computers are there, or will we see a quantum-safe cryptographic algorithm in one of SAP's products sooner?

Dr. Mathias Kohler: We’re always looking for ways to integrate innovative solutions into our solution portfolio to remain competitive and sustainable. Moreover, waiting until quantum computers are fully mature comes with the risk that unchanged cryptographic schemes would insufficiently protect our customers’ and SAP’s data. This means all required (cryptographic) security measures should already be in place long before powerful quantum computers become available. As there are no standards on post-quantum secure encryption schemes defined yet, at SAP Security Research we already prepare ourselves for the time to come. We currently analyze possible post-quantum encryption schemes for SAP’s products and consider several possibilities to future-proof SAP for the quantum computing era. We recently had a first project together with the TU Darmstadt where we investigated hash-based signatures for our software distribution processes (link). The goal was to collaborate and get first-hand experience with the new types of encryption schemes submitted to NIST. We remain active in broadening our experience on evaluating the impact of post-quantum-safe encryption schemes and will continue to run such projects with an increased scope.

Cybersecurity Magazine: Cryptographic agility refers to the ability to quickly change the cryptographic algorithm in software (or hardware). Looking at SAP systems and their relation to security, quite a few customers face the challenge that they cannot even implement all security patches, as some of those patches require a restart of the SAP system – which would cost some customers literally millions of dollars (e.g. in the manufacturing industry). With that in mind, will we see cryptographic agility in SAP products, especially in core products like S/4HANA? And how will SAP support customers that rely on current cryptography and cannot change to a new solution quickly?

Dr. Mathias Kohler: Customers are at the heart of all that we do. We have strong experience in introducing new encryption schemes into products and migrating data as needed without large-scale disruption to customer operations. Right now, it is still unclear which candidates will be recommended by NIST, thus we’re evaluating multiple options so that we’re ready to roll out when NIST provides its recommendation.
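The size penalty Dr. Kohler mentions for hash-based signatures, and the reason such schemes need careful key management, can be seen in the simplest member of that family: a Lamport one-time signature over SHA-256. This is an added example, not code from SAP, TU Darmstadt or the interview; the message bytes and the single-use wrapper are constructed for illustration.

```python
import hashlib
import os

N_BITS = 256   # one secret pair per bit of the SHA-256 digest
N_BYTES = 32   # SHA-256 output length


def _digest_bits(message: bytes) -> str:
    digest = hashlib.sha256(message).digest()
    return bin(int.from_bytes(digest, "big"))[2:].zfill(N_BITS)


def keygen():
    """Return (private_key, public_key). Private key: 256 pairs of random
    32-byte secrets; public key: the SHA-256 hash of every secret."""
    sk = [(os.urandom(N_BYTES), os.urandom(N_BYTES)) for _ in range(N_BITS)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk


class LamportSigner:
    """Holds one private key and refuses to sign twice: a second signature
    would reveal further secrets and let anyone forge signatures."""

    def __init__(self, sk):
        self._sk = sk
        self._used = False

    def sign(self, message: bytes):
        if self._used:
            raise RuntimeError("Lamport key already used; generate a new one")
        self._used = True
        # Reveal, for each digest bit, the secret matching that bit value.
        return [self._sk[i][int(bit)] for i, bit in enumerate(_digest_bits(message))]


def verify(pk, message: bytes, signature) -> bool:
    if len(signature) != N_BITS:
        return False
    bits = _digest_bits(message)
    return all(hashlib.sha256(s).digest() == pk[i][int(bits[i])]
               for i, s in enumerate(signature))


def size_bytes():
    """Serialized sizes: public key 2*256*32 = 16384 B, signature 256*32 = 8192 B,
    against 256 B for an RSA-2048 signature."""
    return {"public_key": 2 * N_BITS * N_BYTES, "signature": N_BITS * N_BYTES}
```

Production hash-based schemes (XMSS, SPHINCS+) build Merkle trees over many such one-time keys so one public key can sign more than once, which is where their additional size and computation come from.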
