A Saskatchewan company says it has created a new encryption solution that will withstand brute force attacks, including those from yet-to-be-seen hyper-fast quantum computers.
“What we are confident is that with small transmissions, like credit card purchases, it is quantum-proof,” company president Chad Wanless said in an interview this week. It could also be used for larger data transmissions over the Intenet, he added, as well as database encryption, secure internet data transmissions, password hashing, and even protecting encoded car fobs.
His announcement comes as governments and companies including IBM, Google and Microsoft, are spending hundreds of millions of dollars to create practical quantum computers that not only would be capable of running a new generation of fantastic applications but also of breaking currently encrypted data.
As a result developers are working on quantum-resistant solutions to better protect data today in case practical quantum computers become a reality. One expert believes some 50 companies have publicly announced what they say are tools allowing the creation of quantum-safe solutions, including ISARA Corp. of Waterloo, Ont.
Briefly, today’s online encryption systems work by scrambling data with an encryption key. For transmitting the sender encrypts data and includes a decryption key for the receiver. Keys are created by an algorithm that makes sure the keys are unpredictable. Encryption today relies on the difficulty conventional computers have with factoring large numbers. Quantum computers may eventually be able to factor large numbers relatively quickly,
Without giving away details, CEW says its solution works by using symmetrical keys that can be exchanged safely and can’t be intercepted in a man in the middle attack. Converted characters have no mathematical relation to each other. Users could log into an online server without actually transmitting a password and make online purchases without transmitting the credit card data. Without a mathematical relationship or a detectable encryption pattern, there is no means by which a quantum computer executing a brute force attack can detect a pattern to decrypt by, the company says.
CEW plans to sell its solution, which is programmed in C++ and C#. No pricing has been set yet, but Wanless expects it would depend on the size of the customer. The solution may have to be converted to programming languages used by customers, but that would only take “a few weeks,” said Wanless.
“It’s a very small program. I could even run on smartphones,” he said — for example, on a mobile bank app.
A graduate of the BC Institute of Technology (BCIT) with a degree in mechanical design and software programming, Wanless said his full-time job is as a mechanical engineer with a firm he wouldn’t name. CEW Systems is an effort of several people working on their own time.
Before starting CEW he owned and operated 3rd Day Software, which built a programming user interface toolset for AutoCAD programmers called ObjectDCL (www.objectdcl.com), which allowed programmers to easily create programming user interface tools for the original AutoCAD programming toolset called AutoLisp.
One problem CEW Systems faces is quantum computers today exist in laboratories, making it hard to substantiate any company’s quantum-resistant claims. The U.S. National Institute for Standards and Technology (NIST) has a Post-Quantum Cryptography Standardization contest to create quantum-resistant algorithms for public key encryption and digital signatures. But it will be several years before the winning standards are approved.
Wanless said an unnamed physicist has reviewed CEW’s work “and he was confident that we achieved brute force attack proof encryption.” But the solution hasn’t been run on a potential client’s system. CEW has been applying for patents on the solution. “Now that those have been filed we can begin knocking on doors.”
In an interview Dustin Moody, a NIST mathematician who does research into cryptography and quantum computing, said “in cryptography people are usually reluctant to jump on a new idea because you want to have some confidence in its security, and the best way is if experts have tested it for a number of years and tried to break it, and that takes time, publishing in a journal or conferences and let other see it.”
That can be a problem for companies that want to commercialize a solution and wants to keep some details private, he acknowledged. “On the other hand the crypto community is naturally a little suspicious of not being able to see the details and verify them. The crypto solutions we use today are designed so you can see all the details, and that doesn’t threaten the cryptosystem in any way.”