Post-quantum cryptography in focus for latest “Science is here” podcast episode
Tanja Lange, self-declared post-quantum hipster, chats with host Barry Fitzgerald about protecting against attacks from quantum computers.
In the latest episode of TU/e podcast series “Science is here”, host Barry Fitzgerald speaks to Tanja Lange about the history of cryptography, cryptographic algorithms, and the emergence of post-quantum cryptography - a research field that Tanja is very much helping to advance. Tanja also discusses her own work, and what might happen in the future with regards to post-quantum cryptography.
You can listen to the full podcast episode here. To whet your appetite, we present some of the highlights in the text below.
Barry Fitzgerald [BF]: What is cryptography?
Tanja Lange [TL]: Cryptography is the science that keeps information secret. It takes messages or whatever you want to send to the other side, and scrambles them so that they are secure in transit. This means that nobody who sees the scrambled message can figure out what’s behind it. And the other end, at the receiver’s end, they understand what scrambling you’ve been doing, and they are able to undo it. Cryptography is the way to hide the contents of a message so that no attacker can get access to the contents.
BF: What is post-quantum cryptography?
TL: In the early 2000s, along with several of my research colleagues, we started to realize that physicists might actually build quantum computers. As a result, we would have to make some changes to the way that we were doing cryptography. We spoke about developing systems that could resist quantum computers. Eventually, you need to name the field that you’re working on - then Daniel Bernstein came up with the name “Post-Quantum Cryptography”.
Post-quantum cryptography (PQC) is cryptographic software that runs on conventional computers - normal hardware, normal mobile phones, or normal laptops - and the change here is that the attacker has a quantum computer. We are normally protecting against very powerful attackers who have a supercomputer or a cluster of supercomputers. But in post-quantum cryptography, we assume that the attacker has access to far greater computing power in the form of a quantum computer.
You could assume that the user also has a quantum computer, but we don’t actually end up designing many systems for that situation, as it is such a far-fetched future. We already have so much to do in our current situation, where we need to protect the users who are using cryptography now. So, you can call me a post-quantum hipster, because I was working on post-quantum cryptography before it was cool!
BF: In your research, what are you focusing on with regards to post-quantum cryptography?
TL: Post-quantum cryptography is field where we assume that the attacker has a quantum computer, but of course it still requires checking all bases, so we need to ensure that the systems we propose are secure against everyday attackers with normal computers. It wouldn’t be much good if it were only secure against a quantum computer. Therefore, we have to watch out for this.
We have to also make sure that they are implemented in a secure way, or that they are useable in our protocols, so that they can be used for Internet connections and secure messaging. There are several aspects to my work. So, it’s thinking about what problems are hard, and then going all the way down the chain through secure implementations, as well as looking at what quantum algorithms can do against these problems.
BF: How sure can we be about the capability of future quantum computers, and how does that then affect your work?
TL: We have several theoretical models of what a quantum computer can do. Richard Feynman came up with one definition, there are other definitions that are based on gates. All of these definitions are equivalent.
There’s the Copenhagen convention of what a quantum computer can do, and so based on that we can develop quantum algorithms. There are a handful of different approaches that physicists think they can use to realize a large, scalable quantum computer, and so these approaches differ in how expensive the different operations are. In some approaches, some things are cheaper, some other things are harder, but for all of these approaches, as soon as they build a universal quantum computer, these will give me a certain number of operations.
To analyze the security of my systems, I can take for granted that these operations exist, and I can build algorithms around these. Afterwards, it depends on how expensive these individual operations are.