人類(lèi)要如何面對(duì)數(shù)字安全的終極威脅者——量子計(jì)算機(jī)
Jeremy Khan
2020-09-16
在過(guò)去10年的很長(zhǎng)一段時(shí)間中,網(wǎng)絡(luò)安全專(zhuān)家一直在警告一個(gè)正在逼近的威脅:量子計(jì)算機(jī)的面世。
這些使用量子物理來(lái)編譯信息的機(jī)器在未來(lái)的某一天將變得足夠強(qiáng)大,繼而破解當(dāng)前使用最廣泛的編譯系統(tǒng),并導(dǎo)致幾乎所有的數(shù)字通訊手段失去其安全性。
人們一直在問(wèn),這一天什么時(shí)候才能到來(lái)。最常見(jiàn)的數(shù)字加密技術(shù)RSA誕生于1977年,它基于兩個(gè)大素?cái)?shù)之商。其中的一個(gè)破解辦法就是弄清楚這兩個(gè)大素?cái)?shù)到底是多少。1994年,數(shù)學(xué)家皮特?肖爾發(fā)明了一種算法,如果將其交由算力足夠強(qiáng)大的量子計(jì)算機(jī)來(lái)運(yùn)算,則可以輕易破譯這兩個(gè)素?cái)?shù)。然而在當(dāng)時(shí),量子計(jì)算機(jī)依然停留在純理論階段。
第一臺(tái)能夠工作的量子計(jì)算機(jī)誕生于十多年前。然而,大多數(shù)量子計(jì)算機(jī)要么在設(shè)計(jì)之初便并非用于運(yùn)行肖爾的算法,要么就是沒(méi)有足夠的算力來(lái)計(jì)算異常龐大的素?cái)?shù)對(duì)。網(wǎng)絡(luò)安全專(zhuān)家擔(dān)憂的量子計(jì)算機(jī)黑客時(shí)代還遠(yuǎn)未到來(lái),有人估計(jì)至少還得等25年,而且當(dāng)時(shí)還存在著更加緊迫的威脅。
然而好景不再。去年,谷歌稱(chēng)自己已經(jīng)實(shí)現(xiàn)了所謂的“量子霸權(quán)”里程碑,打造了一臺(tái)量子計(jì)算機(jī),它可以執(zhí)行傳統(tǒng)計(jì)算機(jī)無(wú)法開(kāi)展的計(jì)算,并運(yùn)行相當(dāng)長(zhǎng)的一段時(shí)間。
谷歌的這臺(tái)機(jī)器依然無(wú)法破解RSA。然而,量子硬件制造的快速進(jìn)步,再加上算法方面些許高明的調(diào)整,意味著肖爾的算法迫使RSA退出歷史舞臺(tái)的時(shí)代已經(jīng)大幅提前。專(zhuān)家稱(chēng),如果幸運(yùn)的話,我們可能還有十幾年的時(shí)間為數(shù)據(jù)隱私保護(hù)工作添磚加瓦。然而,一些人認(rèn)為最多還有五年的時(shí)間,甚至可能更短。
2016年,美國(guó)國(guó)家安全局(U.S. National Security Agency)發(fā)布了一則嚴(yán)重警告:政府機(jī)構(gòu)和公司必須“立即采取行動(dòng)”,開(kāi)始轉(zhuǎn)而使用能夠防范量子計(jì)算機(jī)攻擊的新加密標(biāo)準(zhǔn)。唯一的問(wèn)題?沒(méi)有人知道這個(gè)加密標(biāo)準(zhǔn)到底長(zhǎng)什么樣。
正是基于這個(gè)原因,全美標(biāo)準(zhǔn)與技術(shù)研究所(NIST)在大約三年前便開(kāi)始舉行比賽,以選出一種可以抵御量子計(jì)算機(jī)攻擊的新加密技術(shù)。該研究所隸屬于美國(guó)商務(wù)部(U.S. Department of Commerce),負(fù)責(zé)向政府和企業(yè)推薦其常用標(biāo)準(zhǔn)。
這些新“后量子”加密和數(shù)字簽名方法將有可能成為美國(guó)各政府部門(mén)以及眾多與政府做生意的企業(yè)必須強(qiáng)制采取的標(biāo)準(zhǔn),尤其是國(guó)防和情報(bào)部門(mén)。有鑒于美國(guó)市場(chǎng)的規(guī)模,它們很有可能成為一種新的全球安全標(biāo)準(zhǔn)。NIST如今很快將選出獲勝的加密算法,并借此邁入網(wǎng)絡(luò)安全新時(shí)代。
今年7月,這家負(fù)責(zé)標(biāo)準(zhǔn)的機(jī)構(gòu)宣布,經(jīng)篩選,候選者清單從最初的82個(gè)縮減至依然較長(zhǎng)的15個(gè),在主要決賽選手中,有4名來(lái)自于加密學(xué),3名來(lái)自于數(shù)字簽名領(lǐng)域,它們均使用密碼來(lái)驗(yàn)證電子信息和文件的真實(shí)性。(8名候補(bǔ)選手也將參加決賽輪。)NIST稱(chēng),它將在未來(lái)18個(gè)月之內(nèi)宣布最終獲勝者,并將其作為新加密標(biāo)準(zhǔn)。
因此,NIST的這個(gè)長(zhǎng)篇候選清單描述了一個(gè)什么樣的網(wǎng)絡(luò)安全未來(lái)?其實(shí),它很有可能涉及人們所稱(chēng)的基于格的密碼技術(shù)。競(jìng)賽中四分之三的決賽選手都采用了這個(gè)門(mén)類(lèi)的算法。
基于格的密碼技術(shù)依靠的是柵格化等間隔點(diǎn)的獨(dú)特?cái)?shù)學(xué)特性,又稱(chēng)格密碼。由于這些點(diǎn)的間隔相等,事實(shí)在于,人們只需要柵格的兩個(gè)坐標(biāo)便能夠計(jì)算出同一格子中所有的點(diǎn)。然而,如果格子存在數(shù)千個(gè)維度,而且如果格子中各點(diǎn)之間的角度與直角偏差過(guò)大,那么弄清楚任何特定點(diǎn)是否都處于格子中將是一件十分困難的事情。人們已經(jīng)制定了一系列加密機(jī)制,以利用這些特性來(lái)打造可以共同協(xié)作的公鑰和私鑰,因?yàn)樗鼈兌蓟谕瑯拥母褡印2贿^(guò)在這一領(lǐng)域,以公鑰為模板來(lái)制作私鑰是極其困難的事情。
然而,一些網(wǎng)絡(luò)安全專(zhuān)家對(duì)于NIST如此倚重這類(lèi)后量子加密技術(shù)的事實(shí)感到十分驚訝。這是因?yàn)椋M管這種基于格子的問(wèn)題在數(shù)學(xué)層面上十分難解,而且與RSA不同的是,它并不容易被肖爾的算法破解,但并沒(méi)有證據(jù)表明,這類(lèi)技術(shù)從數(shù)學(xué)層面來(lái)講就能夠徹底防范基于量子計(jì)算機(jī)的攻擊。英格蘭約克大學(xué)的網(wǎng)絡(luò)安全教授德拉拉姆?卡羅貝伊說(shuō):“雖說(shuō)現(xiàn)在的量子算法還無(wú)法破解它們,但說(shuō)不定明天就會(huì)有人拿出用于破解的量子算法。”
卡羅貝伊稱(chēng),令她感到失望的是,來(lái)自于其他門(mén)類(lèi)的潛在后量子算法并未進(jìn)入公鑰加密競(jìng)賽的決選名單。這其中包括多變量加密,它取決于解答復(fù)雜二次方程式系統(tǒng)的難度(還記得高中算術(shù)中那些方程式嗎?);以及卡羅貝伊自己的研究領(lǐng)域——基于群的密碼學(xué)。這種密碼學(xué)基于另一種數(shù)學(xué),涉及通過(guò)結(jié)合要素來(lái)轉(zhuǎn)化一組數(shù)字,通常按照精心制作的幾何樣式,例如編織形狀。一位來(lái)自于多變量加密門(mén)類(lèi)的候選者開(kāi)發(fā)了名為Rainbow的算法,而且的確進(jìn)入了競(jìng)賽數(shù)字簽名部分的決選名單,另一個(gè)名為GeMSS的算法在該競(jìng)賽中被選為候補(bǔ)算法。
NIST決選名單中唯一非格子后量子加密候選者來(lái)自于稱(chēng)之為基于代碼算法的密碼學(xué)門(mén)類(lèi)。這類(lèi)算法設(shè)計(jì)會(huì)在數(shù)據(jù)中添加某些錯(cuò)誤信息,例如在經(jīng)典的加密方式中人們會(huì)將字母向后移動(dòng)兩位進(jìn)行加密,也就是A變成C,B變成D,以此類(lèi)推。然后在解密這個(gè)信息的過(guò)程中會(huì)將這種錯(cuò)誤糾正過(guò)來(lái)。NIST選擇的后量子算法稱(chēng)之為Classic McEliece,它取名于上個(gè)世紀(jì)70年代末由數(shù)學(xué)家羅伯特?麥克阿里斯發(fā)明的糾錯(cuò)代碼算法。它會(huì)隨機(jī)向每一條加密信息添加錯(cuò)誤信息,從理論上來(lái)講,如果不知道秘鑰的話是無(wú)法破解的。
Post-Quantum Group的聯(lián)合創(chuàng)始人兼首席執(zhí)行官安德森?程說(shuō):“麥克阿里斯的系統(tǒng)已經(jīng)存在了41年,而且一直遭到密碼界的攻擊,但未發(fā)現(xiàn)任何漏洞。” Post-Quantum Group是一家總部位于倫敦的網(wǎng)絡(luò)安全公司,其合作方為芝加哥伊利諾伊大學(xué)的知名密碼學(xué)專(zhuān)家丹尼爾?伯恩斯坦領(lǐng)導(dǎo)的團(tuán)隊(duì)。在NIST的長(zhǎng)篇決選名單中,Classic McEliece算法便是二者合作的成果。
2019年,德國(guó)聯(lián)邦信息安全辦公室(German Federal Office for Information Security)擔(dān)心NIST在這個(gè)流程中花的時(shí)間過(guò)長(zhǎng),因此推薦Classic McEliece作為候選的兩個(gè)后量子加密標(biāo)準(zhǔn)之一。(另一個(gè)來(lái)自于NIST候補(bǔ)名單,采用的是格密碼方法。)安德森?程稱(chēng),他懷疑NIST與德國(guó)政府一樣,最終會(huì)批準(zhǔn)兩套標(biāo)準(zhǔn),即Classic McEliece和其中一種格密碼方法。
安德森說(shuō),McEliece算法唯一的缺點(diǎn)在于,該方法使用的秘鑰相對(duì)較長(zhǎng),而且算法計(jì)算十分復(fù)雜,意味著與其競(jìng)爭(zhēng)對(duì)手網(wǎng)格化方法相比,計(jì)算機(jī)需要更多的時(shí)間來(lái)加密、解密信息。安德森還說(shuō):“速度會(huì)慢幾毫秒。”但他說(shuō),在交換公鑰時(shí)(這也是算法的主要用途),這個(gè)方法實(shí)際上依然要比RSA快。
盡管像IBM、英特爾和芯片制造商ARM這樣的知名科技公司的研究人員也參加了比賽,尋找防范量子破解的加密算法,但值得一提的是,參加NIST競(jìng)賽的網(wǎng)絡(luò)安全公司相對(duì)來(lái)說(shuō)較少。Post-Quantum是參加競(jìng)賽的多家初創(chuàng)企業(yè)之一,這些初創(chuàng)公司將受益于邁向新一代加密技術(shù)的舉措。
卡羅貝伊稱(chēng),她預(yù)計(jì)市場(chǎng)上將涌現(xiàn)一大批新公司,幫助實(shí)現(xiàn)后量子加密的商業(yè)化,就像RSA成為過(guò)去30年網(wǎng)絡(luò)安全領(lǐng)域的主導(dǎo)者一樣。RSA成立于1982年,旨在實(shí)現(xiàn)RSA算法的商業(yè)化。
安德森說(shuō),Post-Quantum Group成立于2009年,曾幾何時(shí),要讓首要銀行和企業(yè)的首席信息安全官和首席信息官?lài)?yán)肅對(duì)待量子計(jì)算機(jī)的威脅對(duì)于公司來(lái)說(shuō)是一件很難的事情。然而他說(shuō),NIST競(jìng)賽引發(fā)了其遲來(lái)的關(guān)注。他說(shuō):“如今他們意識(shí)到自己得在18個(gè)月的時(shí)間內(nèi)采取行動(dòng),而且也開(kāi)始發(fā)出疑問(wèn):‘自己能做什么?’”(財(cái)富中文網(wǎng))
譯者:馮豐
審校:夏林
在過(guò)去10年的很長(zhǎng)一段時(shí)間中,網(wǎng)絡(luò)安全專(zhuān)家一直在警告一個(gè)正在逼近的威脅:量子計(jì)算機(jī)的面世。
這些使用量子物理來(lái)編譯信息的機(jī)器在未來(lái)的某一天將變得足夠強(qiáng)大,繼而破解當(dāng)前使用最廣泛的編譯系統(tǒng),并導(dǎo)致幾乎所有的數(shù)字通訊手段失去其安全性。
人們一直在問(wèn),這一天什么時(shí)候才能到來(lái)。最常見(jiàn)的數(shù)字加密技術(shù)RSA誕生于1977年,它基于兩個(gè)大素?cái)?shù)之商。其中的一個(gè)破解辦法就是弄清楚這兩個(gè)大素?cái)?shù)到底是多少。1994年,數(shù)學(xué)家皮特?肖爾發(fā)明了一種算法,如果將其交由算力足夠強(qiáng)大的量子計(jì)算機(jī)來(lái)運(yùn)算,則可以輕易破譯這兩個(gè)素?cái)?shù)。然而在當(dāng)時(shí),量子計(jì)算機(jī)依然停留在純理論階段。
第一臺(tái)能夠工作的量子計(jì)算機(jī)誕生于十多年前。然而,大多數(shù)量子計(jì)算機(jī)要么在設(shè)計(jì)之初便并非用于運(yùn)行肖爾的算法,要么就是沒(méi)有足夠的算力來(lái)計(jì)算異常龐大的素?cái)?shù)對(duì)。網(wǎng)絡(luò)安全專(zhuān)家擔(dān)憂的量子計(jì)算機(jī)黑客時(shí)代還遠(yuǎn)未到來(lái),有人估計(jì)至少還得等25年,而且當(dāng)時(shí)還存在著更加緊迫的威脅。
然而好景不再。去年,谷歌稱(chēng)自己已經(jīng)實(shí)現(xiàn)了所謂的“量子霸權(quán)”里程碑,打造了一臺(tái)量子計(jì)算機(jī),它可以執(zhí)行傳統(tǒng)計(jì)算機(jī)無(wú)法開(kāi)展的計(jì)算,并運(yùn)行相當(dāng)長(zhǎng)的一段時(shí)間。
谷歌的這臺(tái)機(jī)器依然無(wú)法破解RSA。然而,量子硬件制造的快速進(jìn)步,再加上算法方面些許高明的調(diào)整,意味著肖爾的算法迫使RSA退出歷史舞臺(tái)的時(shí)代已經(jīng)大幅提前。專(zhuān)家稱(chēng),如果幸運(yùn)的話,我們可能還有十幾年的時(shí)間為數(shù)據(jù)隱私保護(hù)工作添磚加瓦。然而,一些人認(rèn)為最多還有五年的時(shí)間,甚至可能更短。
2016年,美國(guó)國(guó)家安全局(U.S. National Security Agency)發(fā)布了一則嚴(yán)重警告:政府機(jī)構(gòu)和公司必須“立即采取行動(dòng)”,開(kāi)始轉(zhuǎn)而使用能夠防范量子計(jì)算機(jī)攻擊的新加密標(biāo)準(zhǔn)。唯一的問(wèn)題?沒(méi)有人知道這個(gè)加密標(biāo)準(zhǔn)到底長(zhǎng)什么樣。
正是基于這個(gè)原因,全美標(biāo)準(zhǔn)與技術(shù)研究所(NIST)在大約三年前便開(kāi)始舉行比賽,以選出一種可以抵御量子計(jì)算機(jī)攻擊的新加密技術(shù)。該研究所隸屬于美國(guó)商務(wù)部(U.S. Department of Commerce),負(fù)責(zé)向政府和企業(yè)推薦其常用標(biāo)準(zhǔn)。
這些新“后量子”加密和數(shù)字簽名方法將有可能成為美國(guó)各政府部門(mén)以及眾多與政府做生意的企業(yè)必須強(qiáng)制采取的標(biāo)準(zhǔn),尤其是國(guó)防和情報(bào)部門(mén)。有鑒于美國(guó)市場(chǎng)的規(guī)模,它們很有可能成為一種新的全球安全標(biāo)準(zhǔn)。NIST如今很快將選出獲勝的加密算法,并借此邁入網(wǎng)絡(luò)安全新時(shí)代。
今年7月,這家負(fù)責(zé)標(biāo)準(zhǔn)的機(jī)構(gòu)宣布,經(jīng)篩選,候選者清單從最初的82個(gè)縮減至依然較長(zhǎng)的15個(gè),在主要決賽選手中,有4名來(lái)自于加密學(xué),3名來(lái)自于數(shù)字簽名領(lǐng)域,它們均使用密碼來(lái)驗(yàn)證電子信息和文件的真實(shí)性。(8名候補(bǔ)選手也將參加決賽輪。)NIST稱(chēng),它將在未來(lái)18個(gè)月之內(nèi)宣布最終獲勝者,并將其作為新加密標(biāo)準(zhǔn)。
因此,NIST的這個(gè)長(zhǎng)篇候選清單描述了一個(gè)什么樣的網(wǎng)絡(luò)安全未來(lái)?其實(shí),它很有可能涉及人們所稱(chēng)的基于格的密碼技術(shù)。競(jìng)賽中四分之三的決賽選手都采用了這個(gè)門(mén)類(lèi)的算法。
基于格的密碼技術(shù)依靠的是柵格化等間隔點(diǎn)的獨(dú)特?cái)?shù)學(xué)特性,又稱(chēng)格密碼。由于這些點(diǎn)的間隔相等,事實(shí)在于,人們只需要柵格的兩個(gè)坐標(biāo)便能夠計(jì)算出同一格子中所有的點(diǎn)。然而,如果格子存在數(shù)千個(gè)維度,而且如果格子中各點(diǎn)之間的角度與直角偏差過(guò)大,那么弄清楚任何特定點(diǎn)是否都處于格子中將是一件十分困難的事情。人們已經(jīng)制定了一系列加密機(jī)制,以利用這些特性來(lái)打造可以共同協(xié)作的公鑰和私鑰,因?yàn)樗鼈兌蓟谕瑯拥母褡印2贿^(guò)在這一領(lǐng)域,以公鑰為模板來(lái)制作私鑰是極其困難的事情。
然而,一些網(wǎng)絡(luò)安全專(zhuān)家對(duì)于NIST如此倚重這類(lèi)后量子加密技術(shù)的事實(shí)感到十分驚訝。這是因?yàn)椋M管這種基于格子的問(wèn)題在數(shù)學(xué)層面上十分難解,而且與RSA不同的是,它并不容易被肖爾的算法破解,但并沒(méi)有證據(jù)表明,這類(lèi)技術(shù)從數(shù)學(xué)層面來(lái)講就能夠徹底防范基于量子計(jì)算機(jī)的攻擊。英格蘭約克大學(xué)的網(wǎng)絡(luò)安全教授德拉拉姆?卡羅貝伊說(shuō):“雖說(shuō)現(xiàn)在的量子算法還無(wú)法破解它們,但說(shuō)不定明天就會(huì)有人拿出用于破解的量子算法。”
卡羅貝伊稱(chēng),令她感到失望的是,來(lái)自于其他門(mén)類(lèi)的潛在后量子算法并未進(jìn)入公鑰加密競(jìng)賽的決選名單。這其中包括多變量加密,它取決于解答復(fù)雜二次方程式系統(tǒng)的難度(還記得高中算術(shù)中那些方程式嗎?);以及卡羅貝伊自己的研究領(lǐng)域——基于群的密碼學(xué)。這種密碼學(xué)基于另一種數(shù)學(xué),涉及通過(guò)結(jié)合要素來(lái)轉(zhuǎn)化一組數(shù)字,通常按照精心制作的幾何樣式,例如編織形狀。一位來(lái)自于多變量加密門(mén)類(lèi)的候選者開(kāi)發(fā)了名為Rainbow的算法,而且的確進(jìn)入了競(jìng)賽數(shù)字簽名部分的決選名單,另一個(gè)名為GeMSS的算法在該競(jìng)賽中被選為候補(bǔ)算法。
NIST決選名單中唯一非格子后量子加密候選者來(lái)自于稱(chēng)之為基于代碼算法的密碼學(xué)門(mén)類(lèi)。這類(lèi)算法設(shè)計(jì)會(huì)在數(shù)據(jù)中添加某些錯(cuò)誤信息,例如在經(jīng)典的加密方式中人們會(huì)將字母向后移動(dòng)兩位進(jìn)行加密,也就是A變成C,B變成D,以此類(lèi)推。然后在解密這個(gè)信息的過(guò)程中會(huì)將這種錯(cuò)誤糾正過(guò)來(lái)。NIST選擇的后量子算法稱(chēng)之為Classic McEliece,它取名于上個(gè)世紀(jì)70年代末由數(shù)學(xué)家羅伯特?麥克阿里斯發(fā)明的糾錯(cuò)代碼算法。它會(huì)隨機(jī)向每一條加密信息添加錯(cuò)誤信息,從理論上來(lái)講,如果不知道秘鑰的話是無(wú)法破解的。
Post-Quantum Group的聯(lián)合創(chuàng)始人兼首席執(zhí)行官安德森?程說(shuō):“麥克阿里斯的系統(tǒng)已經(jīng)存在了41年,而且一直遭到密碼界的攻擊,但未發(fā)現(xiàn)任何漏洞。” Post-Quantum Group是一家總部位于倫敦的網(wǎng)絡(luò)安全公司,其合作方為芝加哥伊利諾伊大學(xué)的知名密碼學(xué)專(zhuān)家丹尼爾?伯恩斯坦領(lǐng)導(dǎo)的團(tuán)隊(duì)。在NIST的長(zhǎng)篇決選名單中,Classic McEliece算法便是二者合作的成果。
2019年,德國(guó)聯(lián)邦信息安全辦公室(German Federal Office for Information Security)擔(dān)心NIST在這個(gè)流程中花的時(shí)間過(guò)長(zhǎng),因此推薦Classic McEliece作為候選的兩個(gè)后量子加密標(biāo)準(zhǔn)之一。(另一個(gè)來(lái)自于NIST候補(bǔ)名單,采用的是格密碼方法。)安德森?程稱(chēng),他懷疑NIST與德國(guó)政府一樣,最終會(huì)批準(zhǔn)兩套標(biāo)準(zhǔn),即Classic McEliece和其中一種格密碼方法。
安德森說(shuō),McEliece算法唯一的缺點(diǎn)在于,該方法使用的秘鑰相對(duì)較長(zhǎng),而且算法計(jì)算十分復(fù)雜,意味著與其競(jìng)爭(zhēng)對(duì)手網(wǎng)格化方法相比,計(jì)算機(jī)需要更多的時(shí)間來(lái)加密、解密信息。安德森還說(shuō):“速度會(huì)慢幾毫秒。”但他說(shuō),在交換公鑰時(shí)(這也是算法的主要用途),這個(gè)方法實(shí)際上依然要比RSA快。
盡管像IBM、英特爾和芯片制造商ARM這樣的知名科技公司的研究人員也參加了比賽,尋找防范量子破解的加密算法,但值得一提的是,參加NIST競(jìng)賽的網(wǎng)絡(luò)安全公司相對(duì)來(lái)說(shuō)較少。Post-Quantum是參加競(jìng)賽的多家初創(chuàng)企業(yè)之一,這些初創(chuàng)公司將受益于邁向新一代加密技術(shù)的舉措。
卡羅貝伊稱(chēng),她預(yù)計(jì)市場(chǎng)上將涌現(xiàn)一大批新公司,幫助實(shí)現(xiàn)后量子加密的商業(yè)化,就像RSA成為過(guò)去30年網(wǎng)絡(luò)安全領(lǐng)域的主導(dǎo)者一樣。RSA成立于1982年,旨在實(shí)現(xiàn)RSA算法的商業(yè)化。
安德森說(shuō),Post-Quantum Group成立于2009年,曾幾何時(shí),要讓首要銀行和企業(yè)的首席信息安全官和首席信息官?lài)?yán)肅對(duì)待量子計(jì)算機(jī)的威脅對(duì)于公司來(lái)說(shuō)是一件很難的事情。然而他說(shuō),NIST競(jìng)賽引發(fā)了其遲來(lái)的關(guān)注。他說(shuō):“如今他們意識(shí)到自己得在18個(gè)月的時(shí)間內(nèi)采取行動(dòng),而且也開(kāi)始發(fā)出疑問(wèn):‘自己能做什么?’”(財(cái)富中文網(wǎng))
譯者:馮豐
審校:夏林
For much of the past decade, cybersecurity experts have been warning of a looming threat: the advent of quantum computers.
These machines, which use principles of quantum physics to represent information, will one day be powerful enough to crack the most widely used encryption systems, rendering almost all digital communication insecure.
The question has always been exactly when that day would arrive. The most common digital encryption technique, RSA, which was invented in 1977, is based on multiplying two large prime numbers. One way to break it is to figure out what those two large primes were. In 1994, mathematician Peter Shor invented an algorithm, that if run on a sufficiently powerful quantum computer, would easily find these two primes. But at the time, quantum computers were still purely theoretical machines.
The first working quantum computers were built over a decade ago. But most were either not designed in a way that would allow them to run Shor’s algorithm. Others were simply not powerful enough to do so for a very large prime multiple. The moment when cybersecurity experts would have to worry about quantum computer-equipped hackers seemed a long way off—at least a quarter century by some estimates—and there were far more pressing threats.
But not anymore. Last year, Google claimed it had achieved a milestone known as “quantum supremacy,” having built a quantum computer capable of performing a calculation that could not be done on a traditional computer in a reasonable length of time.
Google’s machine is still unable to break RSA. But the rapid progress in building quantum hardware along with some clever advancements in algorithms mean the timeline for Shor’s algorithm rendering RSA obsolete have been moved up considerably. If lucky, we may have more than decade of data privacy protection left, experts say. But some think we have at best five years—maybe less.
In 2016, the U.S. National Security Agency issued a stark warning that government agencies and companies "must act now" to begin moving to a new encryption standard that is safe from quantum computer-based attacks. The only problem? No one was sure exactly what that encryption standard should be.
That’s why the National Institute of Standards and Technology (NIST), an agency with the U.S. Department of Commerce that is responsible for recommending standards that are often adopted by both government and business, began a competition almost three years ago to select new encryption techniques that would be resistant to attacks from quantum computers.
These new “post-quantum” encryption and digital signature methods will likely become mandatory for all U.S. government departments and for many companies that do business with the government, especially in defense and intelligence. Because of the size of the U.S. market, they are also likely to become the new global security standard. NIST is now on the verge of picking the winning encryption algorithms—and ushering in a new era in cybersecurity.
In July, the standards agency announced that it had winnowed an initial group of 82 candidates down to a long-list of 15, including four main finalists for encryption and three for digital signatures, which use cryptography to verify whether electronic messages and documents are authentic. (Eight alternates will advance to the final round as well.) NIST has said it will announce its final endorsements for a new encryption standard within the next 18 months.
So what does the NIST long-list tell us about the future of cybersecurity? Well, there’s a good chance that it will involve something called lattice-based cryptography. Three of the four encryption finalists come from this family of algorithms.
Lattice-based cryptography is based on the unique mathematical properties of grids of evenly-spaced points, or lattices. Because the points are evenly spaced, it turns out that from just two coordinates of the grid it is possible to compute all the points within the same lattice. But figuring out whether any given point is in the lattice can be difficult if the lattice is in many thousands of dimensions and if the angles between points in the grid are far from perpendicular. A number of encryption schemes have been created that use these properties to create a public key and a private key that work together—because they are calculated from the same lattice—but in which it is extremely difficult to derive the private key from the public key alone.
But some cybersecurity experts are surprised that NIST has leaned so heavily towards this kind of post-quantum encryption. That’s because while lattice-based problems are mathematically difficult and, unlike RSA, are not susceptible to Shor’s algorithm, they have not been mathematically proven to be impervious to a quantum computer-based attack. “We say that quantum algorithms cannot break them yet,” Delaram Kahrobaei, a professor of cybersecurity at the University of York, in England, says. “But tomorrow someone comes up with another quantum algorithm that might break them.”
Kahrobaei says she is disappointed to see that candidates from other families of potential post-quantum algorithms did not make it onto the final list for the public key encryption competition. This includes multivariate cryptography, which is based on the difficulty of solving systems of complex quadratic equations (remember those from high school algebra?), and group-based cryptography, which is the area that Kahrobaei herself works on. It is based on yet another area of mathematics involving transforming a set of numbers by combining elements, often according to elaborate geometric patterns, such as braids. One candidate from the multivariate cryptography family, an algorithm called Rainbow, did make onto the list of finalists in the digital signature portion of the competition, and another, called GeMSS, was selected as an alternate in that contest.
The only non-lattice post-quantum encryption candidate among the NIST finalists comes from a cryptographic family known as code-based algorithms. These all involve adding some sort of error to data—like a classic code where you shift the alphabet over two letters so that A is encoded as C and B as D, and so on. This error is then corrected to decrypt the message. The post-quantum algorithm NIST has chosen is called Classic McEliece, named for an error-correcting code algorithm invented by mathematician Robert McEliece in the late 1970s. It applies a different random error to each piece of information that’s encoded—which in theory makes it impossible to break without knowing the key.
“McEliece’s system has been around for 41 years and been attacked by the crypto community for all that time without finding a vulnerability,” Andersen Cheng, the co-founder and chief executive officer of Post-Quantum Group, a London-based cybersecurity company that joined forces with another team, led by Daniel Bernstein, a noted cryptographer at the University of Illinois in Chicago, to work on the Classic McEliece submission that made it to the long list of NIST finalists.
In 2019, the German Federal Office for Information Security (BSI), concerned that the NIST process was taking too long, recommended the Classic McEliece as one of its two recommended post-quantum encryption standards. (The other was a lattice-based method that is among NIST’s alternate candidates.) Cheng says he suspects that NIST, like the German government, will ultimately endorse two standards—Classic McEliece and one of the lattice methods.
The only drawback of the McEliece algorithm, Cheng says, is that the relatively lengthy keys the method uses, and the computational complexity of the algorithm, means it takes more time for a computer to encrypt and decrypt information than with its lattice-based competitors. “It’s slower by a few milliseconds,” Cheng says. But he says that for exchanging public encryption keys—which is mostly what the algorithm would be used for—the method is still actually faster than RSA.
While there are researchers from established tech companies, such as IBM, Intel, and the chipmaker ARM, involved in the race to find quantum-secure encryption algorithms, what’s notable is how relatively few established cybersecurity firms are contenders in the NIST contest. Post-Quantum is among several startups that entered the competition—and which are poised to profit from the move to a new generation of encryption.
Kahrobaei says she expects a host of new companies to spring up to help commercialize post-quantum encryption, just as RSA Security—the company that was founded in 1982 to commercialize the RSA algorithm—became a dominant player in the cybersecurity space for the past three decades.
Cheng says that Post-Quantum Group, which was founded in 2009, once struggled to get chief information security officers and chief information officers at major banks and corporations to take the threat of quantum computers seriously. But, he says, the NIST process has belatedly focused their attention. “Now they know they have to do something in 18 months-time and they are starting to ask questions, ‘what can they do?’ ” he says.
財(cái)富中文網(wǎng)所刊載內(nèi)容之知識(shí)產(chǎn)權(quán)為財(cái)富媒體知識(shí)產(chǎn)權(quán)有限公司及/或相關(guān)權(quán)利人專(zhuān)屬所有或持有。未經(jīng)許可,禁止進(jìn)行轉(zhuǎn)載、摘編、復(fù)制及建立鏡像等任何使用。
