Is our cryptography ready for the quantum leap?
In this episode, we talk about the resignation of Twitter CEO Jack Dorsey, and Apple’s new self-service repair announcement. Then we speak with Dustin Moody, a mathematician in the National Institute of Science and Technology’s Computer Security Division, about the looming threat of post-quantum cryptography.
Saron Yitbarek is the founder of Disco, host of the CodeNewbie podcast, and co-host of the base.cs podcast.
Josh Puetz is Principal Software Engineer at Forem.
Dustin Moody is a mathematician in the National Institute of Standards and Technology (NIST) Computer Security Division, where he leads the post-quantum cryptography project. He received his Ph.D. from the University of Washington in 2009. His area of research deals with elliptic curves and their applications in cryptography.
[00:00:10] SY: Welcome to DevNews, the news show for developers by developers, where we cover the latest in the world of tech. I’m Saron Yitbarek, Founder of Disco.
[00:00:19] JP: And I’m Josh Puetz, Principal Engineer at Forem.
[00:00:21] SY: This week, we’re talking about the resignation of Twitter CEO, Jack Dorsey, and Apple’s new self-service repair announcement.
[00:00:29] JP: Then we’ll speak with Dustin Moody, a Mathematician in the National Institute of Science and Technology’s Computer Security Division, about the looming threat of post-quantum cryptography.
[00:00:39] DM: It’s not just a theoretical threat. I’m quite positive that adversarial nation states are actively doing this or preparing to do this now.
[00:00:47] SY: So this week, there were rumors floating around that Jack Dorsey, the CEO of Twitter, will be stepping down from his position, and lo and behold, the rumors turned out to be true. So Dorsey, who is also the CEO of Square, wrote in a tweet that included an attachment of a screenshotted email to the Twitter team.
[00:01:08] JP: Classic.
[00:01:09] SY: Yeah, very. “I'm not sure anyone has heard, but I resigned from Twitter.”
[00:01:15] JP: Peace out.
[00:01:16] SY: Ciao! But I appreciate the fact that he did like send us the email that he sent his people. So I thought that was cool. So in the email, Dorsey writes, “I decided it’s finally time for me to leave. Why? There’s a lot of talk about the importance of a company being founder-led. Ultimately, I believe that’s severely limiting and a single point of failure. I’ve worked hard to ensure this company can break away from its founding and founders.” He then lists three reasons as to why he’s stepping down. One being that former CTO, Parag Agrawal, will take his place as CEO, two being that Brett Taylor, President and CEO of Salesforce, will become the board chair, and three being the “ambition and potential” of the team. He says, “Consider this. Parag started here as an engineer who cared deeply about our work, and now he’s our CEO. I also had a similar path. He did it better. This alone makes me proud. I know that Parag will be able to channel this energy best because he’s lived it and knows what it takes. All of you have the potential to change the course of this company for the better.” So upon this announcement, Twitter stocks went down understandably by 2.74% after the news. Dorsey plans to serve on the board through around May to aid in the transition. One direction that Agrawal might end up taking Twitter is to add more moderation on the platform. In an interview with the MIT Technology Review last year, he said, “Our role is not to be bound by the First Amendment, but our role is to serve a healthy public conversation.” So there is potential that Twitter will start taking a more hands-on approach when it comes to things like hate speech and bullying. So Josh, what was your reaction to this announcement?
[00:03:03] JP: Ugh, I mean…
[00:03:09] SY: What hasthat grown for?
[00:03:11] JP: It’s Jack Dorsey. Oh my God!
[00:03:14] SY: What do you mean?
[00:03:15] JP: He’s CEO of two companies.
[00:03:17] SY: That is incredible to me.
[00:03:17] JP: Like I always gloss over that.
[00:03:19] SY: I don’t understand how we convinced two boards that that was okay.
[00:03:23] JP: Like, is he half CEO-ing two companies? Is he a full-time CEO in two companies? I don’t know. It’s very strange to me. I think I don’t buy any of these reasons for resigning at all.
[00:03:32] SY: Oh!
[00:03:33] JP: I think he is bored and the job is hard.
[00:03:37] SY: Oh my God!
[00:03:40] JP: Here’s my hot take. And my hot take is completely outsourced from some reporting and opinions I’ve read in the New York Times, the excellent Kevin Roose had a great article this morning, kind of talking about how a lot of tech CEOs have resigned in the last year or scaled back their involvement. And he points out rightly so, it’s not fun to be a tech CEO anymore. When Jack Dorsey started, it was all investors and you got to meet Obama and you went on cleanses in Nepal and you were on the cover of People and it was great. And now you spend all your time managing managers and testifying in front of Congress.
[00:04:21] SY: That’s true.
[00:04:22] JP: And everyone’s mad at you because your product isn’t making enough money and yet it’s simultaneously bringing the downfall of western civilization and democracy. It’s not fun anymore.
[00:04:33] SY: That’s true.
[00:04:33] JP: Dorsey is a huge Bitcoin and cryptocurrency nut. I think he just wants to spend his time at crypto conferences.
[00:04:41] SY: Doing other things.
[00:04:42] JP: Yeah, doing other things.
[00:04:42] SY: Yeah, doing other things. That’s fair.
[00:04:44] JP: I really don’t think he cares about, I mean, I’m sure at some level he cares about hate speech and Twitter’s role in the public discourse, but you got to admit, it’s not super fun anymore. Right?
[00:04:53] SY: That’s fair. Yeah. I mean, I have no idea what’s inside his head. So I can’t really speculate, but I do see your point. I do see the idea that I think to me, what really struck me about this is it felt really random. Like was Twitter even in the news or spotlighted? Has anything really happened in the Twitter company since they removed or blocked Trump’s accounts? It’s like the last thing I remember hearing about Twitter, and then that was a year ago.
[00:05:21] JP: Right. Weirdly, Twitter has been like I guess the good one of the social media networks.
[00:05:24] SY: Yeah. They’ve tried. Like they’ve tried, they behaved, they have been innovating. That’s one thing that I thought was kind of interesting is with the Twitter Spaces, with that email, the Substack competitor that I think they’ve actively rolled out at this point. I know they talked about tipping. Like they’re trying to do stuff for creators. So I guess I didn’t see Twitter as kind of the same old Twitter doing the same stuff. I didn’t see them as being in maintenance mode. I saw them as really trying, right, trying to innovate and trying to support Twitter creators. It’s kind of weird. I don’t really think of Twitter as like a creator economy, but I guess technically it is. I don’t know. But I saw them as trying to move into their next chapter, which is trying to make a lot more money and also trying to support the people on their platform, making money as well. And I was interested, curious in seeing what the next version of Twitter looks like. And maybe that is the next version that Dorsey’s like, “Look, either I don’t want to do it or I’m just not the right person to do it.” And maybe for this next chapter, it’s best to bring on a new leader. I mean, it’s not really fresh blood since he’s been at Twitter for like a million years. But still, new leadership, at least. Maybe that was the moment. Maybe that moment was recognizing that we need a new version of Twitter. And for that new version, we needed a new person.
[00:06:51] JP: I don’t know. I guess I am pessimistic now that I think about what I’m going to say. I think it was way more, just like he’s not having fun. Think about how much money he must have.
[00:06:59] SY: I mean, he’s a billionaire. Yeah, he’s got a lot of money.
[00:07:01] JP: Right. So he doesn’t actually have to work at all.
[00:07:03] SY: Of course not, but that’s been true for years. When’s the last time Jack Dorsey had to work?
[00:07:08] JP: Right. So if you take that out of the equation, like you’re only working to have fun and things you’re interested in, like maybe just took him a little bit longer to realize, “You know, I don’t really care about Twitter audio spaces and supporting our creator economy. Back in the day, I was disrupting communication and I want to get back to disrupting stuff again.” It’s hard to disrupt anything with a 10-year-old product.
[00:07:31] SY: Yeah. I guess, again, the question goes back to if the answer is, “You know, I’m just not interested in doing the job anymore,” which is fine. We all get bored of jobs. I think the question is, “Why now?” You know what I mean? What happened? If it is an incident, what triggered the conclusion?” Because when you don’t have fun doing something, it’s not like you wake up and then all of a sudden it’s not fun. Right? Like usually it’s kind of growing or something happens and you’re like, “Oh, look, I’ve had enough of this.” So it kind of makes you wonder what’s happening now, especially, again, given that Twitter has been releasing new stuff in the last year. They have been doing stuff. They’ve been doing new things. It’s not like they’ve been just the same social media company they were previously. What makes it boring today that caused the resignation? That’s the question that I have.
[00:08:19] JP: I mean, maybe it was something as mundane as he got someone’s name and the Secret Santa that he doesn’t really care for.
[00:08:26] SY: You really don’t think much of Jack Dorsey. Do you?
[00:08:28] JP: “I'm Jack Dorsey. Why am I here at this company? I could just leave.” No. But seriously, maybe it was something as mundane as he was like, “You know what? Why am I here? I could just leave whenever I wanted.” It also could have been in the works for quite a while.
[00:08:41] SY: It must’ve been in the works for a while.
[00:08:43] JP: I am sure he did not just ring up Mr. Agarwal and say like, “Hey, want to be CEO tomorrow?” I’m sure this has been a process that’s been, I want to hope that there’s been a process in place to pass control of the company onto this new CEO and maybe this is just the way it lined up. Maybe there’s like leave coming up or they’re maybe announcing yearly results maybe, it’s because they are a public company.
[00:09:06] SY: Oh, maybe it’s because it’s the end of the year. Maybe it’s just a fiscal timing situation.
[00:09:11] JP: Yeah.
[00:09:11] SY: Yeah. That’s a good point. Yeah.
[00:09:13] JP: I’m sticking by my Secret Santa explanation though.
[00:09:15] SY: Your Secret Santa. What a terrible reason to leave a company, no matter what role you’re in.
[00:09:21] JP: I don’t know.
[00:09:22] SY: Forget seeing a multi-company.
[00:09:23] JP: You know, when you’re a multi…
[00:09:24] SY: Yeah.
[00:09:26] JP: I got carried in accounting at the Secret Santa. I’m not doing it.
[00:09:29] SY: You can’t deal with this. It just can’t deal with it. Twenty-five dollars? Oh my God. Not worth it. I think I’m just going to quit my job.
[00:09:56] JP: Well, speaking of company changes, Apple, surprisingly, announced that they’re going to be offering self-service repair. This is crazy.
[00:10:04] SY: That’s pretty cool.
[00:10:05] JP: It took everyone by surprise. So what’s it going to look like? Apple’s press release says the company will now make more device parts and repair tools more readily available to the common consumer. iPhone 12 and 13, and then M1 Max being some of the first devices whose parts will be more available as early as next year in the United States. Some of the first parts available will be iPhone displays, batteries and cameras, which are some of their most repaired parts. Interestingly, customers that return their used parts for recycling will receive a credit for the purchase of new parts.
[00:10:35] SY: That’s cool.
[00:10:35] JP: This is really surprising. This sounds like a great program. It sounds like an even better program when you consider it’s Apple who famously does not.
[00:10:45] SY: No.
[00:10:45] JP: Yeah. No.
[00:10:47] SY: No. They do not care. Frankly, you’re not really invested in you being able to repair your own devices. That’s just not been core or important to them at all over the years. And it’s very surprising that they have this program at all, but you are the big repairman, right? Like you have your own repair kit and your fixing things.
[00:11:07] JP: I have a repair kit. It’s real nerdy. Oh yeah.
[00:11:10] SY: Yeah. So how seriously do you take this, I guess? Do you think that this will replace your repair kit? Or do you feel like, “Yeah, this is nice, but I’m probably going to still need to do my own thing”?
[00:11:22] JP: Well, so what was really interesting about the announcement is not only are the parts going to be available, but Apple said the tools will be available.
[00:11:29] SY: Yeah. That’s cool.
[00:11:31] JP: There was a lot of joking online about like, “What is an Apple screwdriver going to look like? Is it going to be a Jony Ive design single piece of aluminum?”
[00:11:42] SY: Aluminum.
[00:11:43] JP: It’ll be a $90 screwdriver.
[00:11:45] SY: Nice.
[00:11:46] JP: I don’t know if this will replace the tools that I have. I could see in some special circumstances buying some of these tools. There’s things like if you have an iMac. Apple likes to use a lot of glue to glue down glass fronts and have it without seams. So the iPhones and the iMacs, you have to do things like point a blow dryer at them to heat up and loosen the adhesive.
[00:12:05] SY: That sounds so dangerous., when aiming a hot blow dryer at your computer.
[00:12:10] JP: Right. Or you could actually get a heat gun that’s even more dangerous because he could burn a hole in your device. So if they offer specialized tools to make that easier, I totally pick up one of those. And the Apple fan boy in me, yes, would totally buy a $90 aluminum screwdriver just to say I have one. I think the parts part is really exciting. There is a market right now for Apple parts, but none of them are authorized Apple parts. So for example, my daughter had an iPhone, she dropped it many times, cracked the screen, used the heck out of that iPhone. I think I replaced the screen like two or three times, the battery like two or three times. Every time I was looking for the parts, I’d have to go on Amazon and find like aftermarket third-party parts, things like the batteries aren’t as high capacity. You run into problems where when you replace the screen, sometimes different security things won’t work. So like if you replace a screen, sometimes the touch ID sensor on older phones wouldn’t work. You wouldn’t have any of those problems with official Apple parts. So that alone I think is really, really exciting.
[00:13:11] SY: Do you think that being able to repair these computers will require a specific skill? Like there’s the parts of the tools and then literally the ability to do the work. Right? Do you feel like that is going to be a problem for people or do you feel, I mean, just from doing the repairs yourselves, is that a pretty straightforward thing to do?
[00:13:32] JP: I think part of this leads into the question where some people were making the assumption because there’s going to be a self-service repair program. Will Apple make their phones and computers easier for the end consumer to repair? And I think that’s a heavy no. I do not anticipate you're going to have a battery that slides out of the back of your phone now or these devices are selling easier. So I think you will need to have skill. The press release specifically called out this is for hobbyists, enthusiasts, people that are already maybe doing repairs or interested in doing those repairs. Think about it. People are doing repairs on Apple devices right now. They’re Apple employees. They work at the back of the outlet store and they have these training materials, which Apple says they are going to make the training materials available. Those are videos, those are guides. So I think it’s all going to be there, but you’re going to have to have a skill level, like a car. In theory, I can go repair my car. I am not about to because I don’t know the first thing about repairing my car. I’m assuming it’s going to be something very similar.
[00:14:32] SY: So you think that repairing the iPhone will be as complicated as a car? I hope not.
[00:14:36] JP: I don’t think it’ll be as complicated, but I don’t think it’s going to be any easier than it is right now. It can be tricky. When you replace an iPhone screen, iFixit.com is a great site that has some of these repair steps and they’re working backwards. They’re making up the steps on their own. They don’t have the official Apple documentation. But if you take a look at something like an iPhone screen repair, it’ll say it’s like 30 steps and it takes an hour and there’ll be like 20 different screws that you have to keep track of. If you’ve done a repair before, it’s not that hard. But if this is your first repair, it can be really daunting. Do you have any interest in this at all?
[00:15:14] SY: No. Absolutely not. I go to the Genius Bar, if there’s any issues.
[00:15:19] JP: I think it’s fine.
[00:15:20] SY: Rob, my husband and I, we did something. I can’t remember, no, no, it wasn’t a MacBook. It was a different computer. We like exchanged it for a bigger hard drive or something because you can do that on other computers. But for our Mac, no. We had a camera issue and we had like a screen, which like it was glitching and having different colors and stuff. And we went to a third-party shop actually, got it fixed, and it was fine. But no, I will not be taking advantage of the self-repair program.
[00:15:47] JP: I think that’s fair. There are some people that still like to change their oil and their cars. They really get into it. That’s how I was to my car. I’m like, “I don’t want to know how it works on the inside. I just want you to fix it and give it back to me.”
[00:15:58] SY: Fix it and give it back. Exactly. I think the interesting or the big question with this is why. Why would Apple do this? Because it seems kind of random. I mean, it’s something that people have been asking for, for years. Right? People have been asking them, the whole right to repair is something that we’ve talked about on this podcast before. And so this has been an ongoing issue and I don’t know why Apple decided to give in or to play along at this point. Do you feel like they’re trying to get ahead of any legislation or anything like that?
[00:16:31] JP: Oh! That’s a good point.
[00:16:32] SY: Any legal drama? Yeah.
[00:16:34] JP: I mean this was a surprise to everyone. Nobody expected a self-repair program from Apple. It would be like if one day you woke up and Apple was like, “Hey, app store is open. Let’s do it. Everybody can list wherever you want.” I think one of the reasons they might be doing this is, I mentioned the app store, that’s the other big thing in the news that Apple’s battling with legislators all over the world about. And if you have to like pick and maybe do something nice, like having a self-repair program doesn’t really cost them a lot of money. Right?
[00:17:09] SY: That’s true. Yeah.
[00:17:10] JP: They have these parts. They have these tools. They’re just going to sell them to the end-user. I don’t think it’s going to be cheap. You asked what special skills users will have to have? I think money is the ultimate special skill you’ll have to have because they’re Apple parts. They’re not going to be cheap. They’re not going to be crazy affordable.
[00:17:23] SY: They’re not going to be cheap. Nope.
[00:17:24] JP: Yeah.
[00:17:25] SY: Yeah.
[00:17:25] JP: So Apple’s not losing any money on this. This is a lot cheaper for them and they get more goodwill. And the majority of consumers aren’t going to actually do this program. They’re going to think, “Oh, that’s great. That’s cool. I could replace it if I wanted to.”
[00:17:36] SY: That’s true. That’s true. They get the credit, the PR credit, they get the goodwill, as you said, the trust and all that, but without it costing money and without things really changing.
[00:17:48] JP: Apple’s really good at doing this. Remember when they announced that app store program where they were going to give back like 1% or 10% or something to the people that made less than a hundred thousand dollars on the app store and it turned out, somebody crunched the numbers and it turned out they were giving away a fraction of their app store revenue, but it made great headlines.
[00:18:06] SY: Yeah. Yeah.
[00:18:07] JP: I think this might be something similar.
[00:18:08] SY: I totally buy that. Coming up next, we talk about quantum computing and the real threat of post-quantum cryptography after this.
[00:18:37] SY: Here with us is Dustin Moody, a Mathematician in the National Institute of Science and Technology’s Computer Security Division. Thank you so much for joining us.
[00:18:46] DM: Happy to be here.
[00:18:47] SY: So tell us a bit about your research background.
[00:18:49] DM: My background, I have a PhD in mathematics and I very much have enjoyed math for a long time. And in graduate school, I learned about how mathematics underpins a lot of the cryptography that we use today. And that was fascinating to me and I specialized in that in an area dealing with what’s called elliptic curves. And a lot of the crypto that we use today uses elliptic curves under the scenes to implement that cryptography. And so that’s where my research is.
[00:19:19] JP: For those in our audience who might not be familiar with the National Institute of Science and Technology, can you explain a little bit about what this organization is and tell us about your role there?
[00:19:29] DM: So NIST is a federal agency. We sit inside the Department of Commerce, employs thousands of scientists in a variety of fields. And the main thing we do is we do research and we create standards. Standards are so that everyone will do things in the same way and that helps commerce. For example, the fact that in the US, we all have the same outlet that gives the same voltage, that makes selling products a lot easier. And my role is I’m in the Computer Security Division where we create standards for cryptography, so that when your phone or your computer is talking to your bank’s computer, you both are using the same cryptosystem and they know how to communicate with each other in a secure way.
[00:20:13] SY: So you wrote a post on the NIST blog last year titled, “The Future is Now: Spreading the Word About Post-Quantum Cryptography,” and the Department of Homeland Security recently put out a roadmap for dealing with post-quantum cryptography, which uses quantum computers. But before we get into quantum cryptography, tell us what exactly a quantum computer is and how is it different from just regular old computers.
[00:20:38] DM: Yeah. So I’m not a quantum physicist or anything, but the basic idea is that researchers have been working on building one of these what’s called a quantum computer for a few decades. And the idea behind them is that they operate on principles of quantum physics instead of kind of the classical Newtonian physics that most of us remember from high school. And there are some really peculiar properties that these quantum particles have that if you’re able to harness lead to a huge breakthrough in computational power. They’re able to put particles in superposition or they can hold quantum states. They can hold more than one state at the same time. So instead of like our current computers, a bit is either a zero or a one. A quantum bit and a quantum computer can hold the zero and the one at the same time. So if you’re able to design an algorithm to harness that, it’s almost like you’re able to do a bunch of computations in parallel all with the same one algorithm. Now, of course, that’s glossing over a lot of the details. Potentially it could do a lot of things way, way, way quicker than the computers that we have today.
[00:21:49] JP: Interesting. Okay. So now let me talk a little bit about quantum computers. Can you explain to us what is quantum cryptography?
[00:21:58] DM: So there’s kind of two different aspects of using quantum computers or quantum technology in dealing with cryptography. The first is to use quantum technologies to make crypto systems. There’s a fascinating theorem that was proved that you can build crypto systems that are guaranteed to be secure based on the laws of physics. It turns out it’s very expensive. It takes specialized hardware. So my project at NIST, that’s not what we’re focusing on, but that is related since it’s using quantum and it is using cryptography. What our project at NIST is focusing on is that it’s known that if you have a quantum computer that is big enough, it’s large-scale, we don’t yet have these computers today. Companies like Google and Microsoft are working on building them. If you had one, it’s known that it would break a lot of the crypto systems that we have today. And so our project is looking for creating and standardizing crypto systems that would be protected from attacks from a quantum computer. That part is usually called a post-quantum cryptography or quantum resistant cryptography.
[00:23:05] SY: So what is the danger of quantum cryptography?
[00:23:09] DM: So the danger is that if you had one of these big quantum computers that you would be able to get access to a lot of the information that we have protected on our devices, online. And so we need to make sure that we come up with new crypto systems to protect us from this attack well before these quantum computers are around.
[00:23:30] SY: And what makes the quantum cryptography, is it that it’s more dangerous or is it just a different type of threat than the cryptography that we currently have?
[00:23:41] DM: Yeah, it’s just that it’s a different threat. With today’s crypto, there’s attackers that are trying to break your crypto systems. It’ll be the same thing. They’ll just have a new tool.
[00:23:50] JP: Do we know of any nation states that are actively trying to collect information for the future? Or is this a hypothetical situation?
[00:24:01] DM: Well, I’m not privy to any national secrets, but I’m quite positive that China and many of our other enemies are actively trying to take advantage of this. They’re simply copying down encrypted data that they can find, and they can’t do anything with it right now. They’re just holding onto it. It’s encrypted. They can’t break that, but they’re also actively working on funding research to build a quantum computer. If they get a large enough one, well then yeah, they’d be able to break some of these crypto systems and potentially get access to your data. It’s not just a theoretical threat. I’m quite positive that adversarial nation states are actively doing this or preparing to do this now.
[00:24:43] SY: So I know your blog post is titled The Future is Now or has The Future is Now in its title. But how far away are we from quantum computers being a fully realized and accessible thing that could be used for nefarious purposes? Like how far have quantum computers come in general today?
[00:25:02] DM: So if you look at research, what various companies have put forth, there has been significant progress for the last decade. Google a year or two ago got a lot of media attention because they achieved what they called quantum supremacy that their quantum computer they were building and they said, “Did this experiment that no classical computer could ever do.” IBM disputed that a little bit. But nonetheless, we’re seeing progress in terms of these companies building them. It doesn’t stretch the imagination that various nations around the world are also trying to build them as well. If we look at how long until we have one that can break the crypto, of course, nobody knows for certain. It’s a research question that people are actively working on. There’s a lot of engineering challenges to solve, but experts in the field estimate that 10 to 15 years is a reasonable guess for when we could have a quantum computer that would break crypto.
[00:25:58] SY: That sounds like a decent amount of time. Is that a decent amount of time in the research world or is that really not enough?
[00:26:05] DM: Well, it depends on what you’re looking for. Quantum computers will have many great applications in science to help us design new medicines. So in that sense, we wish it could be sooner. If you’re worried about them breaking your crypto, you want them far in the future. So it just depends on your perspective on what you’re hoping to do with a quantum computer, I would say.
[00:26:27] JP: So NIST was in partnership with the Department of Homeland Security in creating a post-quantum cryptography roadmap. I was wondering, could you go through some of the most important ways in which we’re trying to combat this looming threat?
[00:26:41] DM: Yeah. So first off, NIST, our project that I’m in charge of here, we’ve been going on this for a number of years. We basically are doing a worldwide competition where academics and researchers send in crypto systems that are designed to provide protection against these quantum threats. And we had 82 algorithms sent in from around the world. And that was a lot of fun for cryptographers and us to analyze. Pretty quickly in the first month or so, about 15 of those were broken. And since then, we’ve had a total of three rounds where in each round we narrowed down the candidate pool and advanced on the ones that are most promising. So right now, we have 15 algorithms still in consideration. Seven of these are what we call finalists and eight are alternates, and they’re getting a lot of focus and intention from industry, from research, from academics. And we’re very close to naming which algorithms will be standardized so that we will have crypto systems to protect against the quantum threat that we can begin using. We expect to announce those algorithms pretty early in the 2022. So that’s the first thing is making sure we have crypto systems that we can transition to. Second thing is we can start preparing for this transition even before we have the algorithms. Historically, switching from one crypto system to another is a pretty painful process for organizations to do. They have to get new software. They have to come up with new plans, spend more money. And so we’re recommending that businesses and organizations be aware of this quantum threat, start looking at what vulnerable crypto you’re using, start being aware of what’s going on in terms of the new crypto systems and just preparing, start creating a plan, have somebody in charge of this. The project where we partnered with the Department of Homeland Security, that’s where this is exactly geared toward is to provide guidance and playbooks to organizations so that they can do exactly this. They can start preparing even before we have the crypto systems ready to go.
[00:28:49] JP: In evaluating algorithms for future use, what is it about the algorithms you’re looking at that makes them better able to protect us from quantum computing cryptography?
[00:29:05] DM: Good question. It’s especially it’s a difficult challenge because we don’t yet have quantum computers here to know how fast they will run.
[00:29:12] SY: Yeah. That sounds tricky.
[00:29:15] DM: We’re making some educated guesses here based on what research we have. What we’re relying on for security is that the crypto systems we use today are based on hard mathematical problems that researchers have looked at for a long time and they are able to kind of measure the best-known attacks against them. So that’s what traditionally we already do, but now we throw in, “Okay, what algorithms will run on a quantum computer?” So some of these algorithms, when we run them through all known attacks, especially the quantum attacks, some of them have no known quantum attacks. And so we can’t have complete a hundred percent knowledge, but the fact that there’ve been a lot of smart people looking at this and can’t find any quantum attacks gives us some assurance. So examples of these mathematical ideas are the most promising ones are based on what are called mathematical lattices. There’s also some based on error correcting codes, multi-varied algebra, some based on isogenies of elliptic curves. So ultimately, the security would say, “If you can crack our cryptosystem, then you can tackle this hard mathematical problem,” that seems really hard and researchers have looked at it and it doesn’t appear any known way to break that mathematical problem. So that’s kind of how we base our security confidence on.
[00:30:38] JP: We’re almost doing a little bit of like time travel here. We’re trying to protect against something that might happen in the future. I’m wondering if we have any historical examples that NIST has looked at of people today decrypting secrets from the past. Or have we seen this kind of activity in cryptography in the past?
[00:30:59] DM: I’d say yes and no. A quantum computer is completely new. We haven’t had anything like it in the past. We haven’t had a new, powerful computer like this to deal with. So in that aspect, this is a new challenge. On the other hand, we have had threats before. We have had new research results, which could break crypto systems and make vulnerable things that people had encrypted. We also have had to transition from one algorithm to another, and we’ve learned some lessons in doing that. So there are a few things we can look back on, like transitioning from RSA to elliptic curve cryptography or transitioning from SHA-1 to SHA-2. Those are hash functions that get used underneath the seams. But in many ways, there are a lot of challenges that are completely new with this threat.
[00:31:50] SY: So is there anything that regular folks or developers can do when it comes to the threat of post-quantum cryptography or is this kind of something we should leave up to the researchers and the professionals like you?
[00:32:02] DM: For regular people, hopefully just the average user doesn’t need to. If we take care of things properly, it’ll all happen behind the scenes. Your computer or your browser will start using these new crypto systems once they’re ready without you having to do anything. That’s the goal. For people who are a little bit more involved in actively managing software and crypto, I would say learn about this. Know what the threat of quantum computers is for cryptography. Look at some of the solutions that are being proposed. They efficiently, wisely should be just as fast. But one aspect that might be a little more difficult is that some of these algorithms we’re looking at have larger key sizes. So they might take a little bit more bandwidth than you’re used to. And so you look at your applications and you can look and say, “Will this fit? Are we going to need to tweak anything?” So just gaining some knowledge and knowing that this transition is coming would be what I would recommend for a little bit more advanced users to do.
[00:33:01] SY: Well, thank you so much for being here.
[00:33:02] DM: Thank you very much.
[00:33:14] SY: Thank you for listening to DevNews. This show is produced and mixed by Levi Sharpe. Editorial oversight is provided by Peter Frank, Ben Halpern, and Jess Lee. Our theme music is by Dan Powell. If you have any questions or comments, dial into our Google Voice at +1 (929) 500-1513 or email us at [email protected] Please rate and subscribe to this show wherever you get your podcasts.