Feite Kraay, Author

After my stint managing the branch networks at a Canadian bank during Y2K, I transitioned into a new job at a large software vendor leading nationwide sales of their e-commerce solution. Selling e-commerce in the early 2000s was an interesting career choice just after the so-called dot-com bust in 2000 and 2001.

One of the most common objections I encountered in my sales efforts was that retail management felt their consumers would be uncomfortable making online payments by credit card. There was some merit to this objection amid all the hype and inflated expectations at the time. This was, after all, in the time before chip and PIN technology and additional security codes. However, it always struck me as odd that a consumer would willingly hand over their credit card to a complete stranger in a restaurant or gas station who would then take the card away out of sight in order to complete the transaction. Why would the same consumer hesitate or even refuse to enter their credit card number into a website protected by end-to-end digital encryption?

Internet security is enabled by the Secure Sockets Layer (SSL), also known in an updated form as Transport Layer Security (TLS). This is a form of encryption that allows two parties unknown to each other to communicate via code that is impenetrable to a third-party observer. A consumer shopping online via a browser or phone app and a retailer operating an e-commerce web site make a good example, as does a customer doing online banking or investment with a financial institution. Hackers are constantly looking for ways to break into these online transactions and harvest sensitive data.

How does SSL protect your online transactions? It’s an example of asymmetric encryption, also known as public-key encryption. A cryptographic key is typically a piece of information such as a very large integer that can be combined with the source data via an algorithm to encode or decode it. In public-key encryption, the two parties to a transaction agree on a shared public key that works in conjunction with each party’s own private key to encrypt and decrypt the data being transferred. Look up the very good Wikipedia article on “Diffie-Hellman Key Exchange” for an explanation of how this works.
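The key agreement described above can be sketched in a few lines. This is an added example, not code from the original article: the toy group (the prime 2**127 - 1 with base 3), the shopper/store names and the function names are assumptions chosen for illustration, and the exchange is unauthenticated, whereas TLS also verifies the server's certificate.

```python
import hashlib
import secrets

# Toy public parameters, assumed for illustration: the Mersenne prime 2**127 - 1
# and base 3. Production systems use vetted 2048-bit+ groups or elliptic curves.
P = 2**127 - 1
G = 3

def keypair(p=P, g=G):
    """Return (private, public): a random secret exponent x and g^x mod p."""
    private = secrets.randbelow(p - 3) + 2          # uniform in [2, p-2]
    return private, pow(g, private, p)

def session_key(own_private, peer_public, p=P):
    """Mix our private value with the peer's public value and hash the
    result into a 256-bit key for symmetric encryption of the session."""
    # Reject degenerate values (0, 1, p-1) that would force a predictable secret.
    if not 2 <= peer_public <= p - 2:
        raise ValueError("peer public value out of range")
    secret = pow(peer_public, own_private, p)
    return hashlib.sha256(secret.to_bytes((p.bit_length() + 7) // 8, "big")).digest()

def exchange():
    """Run one exchange; return both derived keys and what crossed the wire."""
    shopper_priv, shopper_pub = keypair()
    store_priv, store_pub = keypair()
    # Only these four values are ever transmitted; the private exponents are not.
    wire = {"p": P, "g": G, "shopper_pub": shopper_pub, "store_pub": store_pub}
    shopper_key = session_key(shopper_priv, store_pub)
    store_key = session_key(store_priv, shopper_pub)
    return shopper_key, store_key, wire

if __name__ == "__main__":
    k1, k2, wire = exchange()
    print("keys match:", k1 == k2)
    print("observer sees only:", sorted(wire))
```

Both sides arrive at the same 256-bit key although neither private exponent was transmitted; an observer holding only the four wire values has to solve a discrete logarithm to get it.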

Where asymmetric encryption protects data in transit, symmetric encryption usually protects static data—stored documents, databases or other repositories. In symmetric encryption, the same key is used to encode the data into its encrypted form, and later to decode it. Often, multiple rounds of encryption with keys will be used to ensure that the encrypted data looks as random as possible. Otherwise, data encoded with symmetric encryption might be vulnerable to brute force attacks that would, for example, try to use pattern recognition based on the frequency of common letters to derive back the underlying plain text. Symmetric encryption also usually protects internet certificates that guarantee the authenticity of a data source, as well as blockchain records.

In both types of encryption, the trick is to generate a key that is sufficiently complicated to prevent a brute-force attack from easily reverse-engineering it. This is usually done by designing key generation algorithms based on computationally intense mathematical problems. These problems usually start with the difficulty of finding the prime factors of very large integers and then performing further calculations. RSA-2048 is a current asymmetric encryption standard based on 2,048-bit integer key values that would take millions of years to solve on a classical computer. Other logarithmic algorithms are also used, and all have proven very effective in protecting data and internet traffic until now.

What’s going on now? As I previewed earlier, the threat posed by quantum computing.

Doom scroll
Quantum computers are particularly good at solving complex mathematical problems. In 1994, the American mathematician Peter Shor proved that a quantum computer would be able to solve prime factorization in polynomial time instead of exponential time, meaning simply that what would take a classical computer thousands of years could be accomplished in minutes on a quantum computer. Dr. Shor got an algorithm named after him, and Shor’s Algorithm has become a shorthand way of referring to the Y2Q problem. The implication of Shor’s Algorithm is that a quantum computer in the hands of a cyber-criminal could use a brute-force computational attack to access any data protected by public-key or asymmetric encryption. In 1996, another algorithm—Grover’s Algorithm, named after the computer scientist Lov Grover—achieved similar but less drastic results for symmetric encryption. It’s prudent to assume that any encryption key is theoretically susceptible to a quantum attack.
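To make the dependence on factoring concrete, the following added example (not from the original article) builds textbook RSA keys from small constructed primes, factors each modulus by classical trial division and rebuilds the private exponent from the factors. The primes, the message value 42 and the function names are assumptions for illustration; the step counts show the classical cost climbing with key size, which is the cost Shor's Algorithm removes.

```python
from math import isqrt

E = 65537  # widely used public exponent

def make_keypair(p, q):
    """Textbook RSA (no padding, illustration only): public (n, e), private d."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), pow(E, -1, phi)      # d is the inverse of e modulo phi(n)

def factor(n):
    """Classical trial division over odd candidates up to sqrt(n).
    Returns (p, q, steps); worst-case work doubles for every 2 bits added to n."""
    steps = 0
    for candidate in range(3, isqrt(n) + 1, 2):
        steps += 1
        if n % candidate == 0:
            return candidate, n // candidate, steps
    raise ValueError("no odd factor found")

def private_from_factors(public, p, q):
    """With p and q known, the private exponent is one modular inverse away."""
    _, e = public
    return pow(e, -1, (p - 1) * (q - 1))

def demo(message=42):
    """For each constructed key: (modulus bits, factoring steps, decrypted OK?)."""
    rows = []
    # Constructed sample primes (Mersenne primes, chosen because they are well known).
    for p, q in [(8191, 131071), (131071, 524287), (524287, 2147483647)]:
        public, _ = make_keypair(p, q)
        n, e = public
        ciphertext = pow(message, e, n)
        fp, fq, steps = factor(n)                 # work done without the private key
        d = private_from_factors(public, fp, fq)
        rows.append((n.bit_length(), steps, pow(ciphertext, d, n) == message))
    return rows

if __name__ == "__main__":
    for bits, steps, ok in demo():
        print(f"{bits}-bit modulus: {steps} trial divisions, plaintext recovered: {ok}")
```

Growing the modulus from 30 to 50 bits multiplies the trial divisions by 64 here; at 2,048 bits the same classical search is out of reach, which is why a polynomial-time factoring method changes the picture.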

The euphemistic cliché ‘break the internet’ has become popular in social media to describe the publication of content, often a photo, that generates a huge spike in reaction and traffic sharing. I suggest we now take this phrase literally and consider what it would mean for the potential of malicious use of quantum computing.

  1. All SSL traffic becomes insecure. HTTPS sessions that safeguard e-commerce and online financial transactions would all become vulnerable to being decrypted and read by hackers looking to perform identity theft—stealing credit card numbers, social insurance numbers and bank account information. Online banking and commerce, as well as government transactions, would come to a halt.
  2. Data theft. Think Wikileaks, but on a much larger scale. With quantum decryption, massive amounts of classified government records, personal medical profiles, financial histories and other data would suddenly be in the public domain.
  3. Loss of trust. Digital signatures (made possible by asymmetric encryption) could be duplicated so that there is no longer any way to verify the authenticity of signed documents such as SSL certificates, electronic contracts or even blockchain ledgers.

It’s hard to quantify the economic impact of the above three points but a worst-case scenario would be a near-total loss of confidence in all online commercial transactions and private data storage. Y2Q would truly break the internet.

Next, we’ll look at the possible ways to remediate the Y2Q problem and the race against time to protect ourselves.
