RSA Cryptographers’ Panel Weighs Quantum Risk

Several deadlines kept me from attending the RSA Conference last month in San Francisco. But having registered, I’ve been able to listen to recorded sessions, including ‘The Cryptographers’ Panel.’ Moderated as usual by Whitfield Diffie, co-inventor of the Diffie-Hellman asymmetric key exchange, this year’s panel spent a lot of time on the threat of quantum computing.

AI, Cryptography, Quantum Scorecard

Offering historical context, panelist Adi Shamir – a regular at these annual talks – recalled that three promising technologies were emerging in the 1990s: artificial intelligence (AI), cryptography, and quantum computing. Shamir, who is the “S” in the RSA public-key cryptosystem, then asked how each has turned out. As for AI, he answered that it has “delivered beyond our wildest expectations.” About their shared field, he said that cryptographers have “mostly delivered” on their promises. “We have good primitives, we have TLS [Transport Layer Security], we know how to securely do all kinds of things.” But as for quantum computing, he was harsh, if apologetic: “I must say that the main things which have been delivered are more promises.”

“Not a single practical problem…has been shown to be solvable by one of the available quantum computers faster than on a classical computer,” Shamir said. Decoherence, which affects the minuscule lifetime of a qubit in storage, has been one impediment. Yet there is a real threat of bad actors’ “harvesting now, decrypting later.” He therefore said that any data with a very long lifecycle should be protected with the strongest possible encryption.

Radia Perlman, a famous computer programmer, network engineer and inventor, struck a balanced note. “There’s a lot of hype about quantum,” she admitted. “But it will have a significant impact on us, which is we’re all going to have to replace our current public key algorithms, whether or not quantum computers of any significant size ever exist.”

Sizing up the Threat

How large are quantum computers today? One leading metric is the number of qubits capable of executing a quantum algorithm. British mathematician Clifford Cocks shared some thoughts on recent developments. While working for the UK government in 1973, Cocks invented a secret algorithm equivalent to what four years later would become RSA. Last year, a team of Chinese scientists introduced an algorithm that would enable a quantum computer with only 372 qubits to challenge RSA-2042.

Controversy has surrounded the related paper. (See this article in the South China Morning Post.) Cocks sides with those who are skeptical that it poses much of a real threat. “That paper essentially builds on Claus Schnorr’s factoring method, which uses closest vector in a lattice to create the pairs that you need to find smooth relations to factorize,” Cocks said. “That method works very well for small moduli, and it fails spectacularly badly on large moduli.”

Measuring quantum computers can be tricky. IBM Distinguished Scientist in Cryptographic Technology Anne Dames said that, besides the number of qubits, other factors are quantum volume and performance. Incidentally, IBM unveiled its 433-qubit Osprey quantum processor in November 2022.

The NIST Competition

Dames, who is also the IBM Z Cryptographic Security Architect, offered further comments on the U.S. National Institute of Standards and Technology (NIST) competition for quantum-resistant algorithms. Candidates selected last year include one for key encryption (Crystals-Kyber) and three for digital signatures (Crystals-Dilithium, Falcon, and Sphincs-plus). She also assessed these approaches.

Dilithium and Falcon are the most efficient but differ in other respects. “Falcon has smaller public keys, but requires floating points, so that’s a bit of a challenge,” she said. “And when you think about Sphincs-plus, (it) has smaller keys, but the signatures are quite large.” The upshot? “You have to consider what use cases you really have in order to determine which of those algorithms you need.” (Dames offered additional thoughts in a recent LinkedIn post.)

As NIST moves to the next round, Cocks noted that three algorithms use the same mathematical principle, i.e., structured lattices. Too many eggs in one basket? Cryptanalysts had broken two earlier candidates, Shamir reminded listeners, while also warning against unproven schemes. He said Sphincs-plus was his pick among new options, and then shared some old-school advice. “If you’re worried about a 50- or 100-year security, don’t use public key cryptography,” he said. “Use a classical cryptosystem and go through the hassle of manual exchange of keys.”