In 2019 a research team from Google’s quantum computing lab published a paper entitled “Quantum supremacy using a programmable superconducting processor” (Arute et al., 2019). The ripples this sent through the scientific community, however, were not limited to the domain of Physics, but rather were felt across numerous fields, including, notably, cryptography.
This is because the arrival of industry-capable quantum computers threatens to undermine many of the principles and assumptions that we rely on to keep our data secure using public-key infrastructure (PKI).
Then, in the face of emergent technology that could compromise much of the cybersecurity that the automotive industry has worked hard in recent years to achieve, how should it respond? More generally, what action can automotive developers take in preparation for disruptive changes and paradigm shifts in the cybersecurity sphere?
Quantum computing as the bogeyman of modern cryptography
First, a word on why quantum computing promises to be such a dangerous prospect.
Modern asymmetric cryptography, which we rely on for the PKI that secures much of the Internet or, in the automotive context, often for the authentication of embedded software updates, is based on certain math problems being infeasibly hard to solve. For a common example, RSA, a scheme that has been ubiquitous for the past 25 years, relies on the hardness of factoring large numbers. If a malicious individual could find a way to factor numbers as large as RSA public keys (at least 2048 bits) they would be able to trivially recover the corresponding private keys, totally undermining the security of the system.
This is where quantum computers come in: in 1994, Dr. Peter Shor, a researcher at Bell Labs in the US, discovered an algorithm that could factor large numbers quickly (Shor, 1999), with the caveat that it would have to run on a quantum computer. Rather than being composed of transistor gates and semiconductors implementing a form of Boolean logic, such a machine runs on an architecture composed of quantum systems, whose mind-bending properties facilitate a modified logic capable of solving problems in totally novel ways. Then, if it is possible for an attacker with a quantum computer to attack PKI so effectively, how worried should we be?
Building an industry-scale quantum computer
In theory, Shor’s algorithm poses a powerful and unsettling threat to modern cryptography. In practice, the story is (as ever) more complicated. As over 20 years of painstaking progress have shown, building a quantum computer is no easy feat.
Seven years after Shor published his algorithm, a team at IBM constructed a quantum computer with 7 qubits. Qubits are the basic quantum systems that compose a quantum computer, analogous to a single classical ‘bit’. These 7 qubits could factor the number 15 into 5 and 3 (Vandersypen et al., 2001) – an important scientific milestone, but a long way off from threatening an RSA private key. 20 years on, teams at IBM, Google and beyond have constructed systems that now contain hundreds of qubits, with IBM aiming to construct a 1000-qubit system by the end of 2023, and systems with a million qubits by the end of the decade (IBM, 2023).
Where would this leave efforts to realistically attack RSA? A common estimate is that to factor an RSA public key, a quantum computer would need to have about 20 million qubits. So, if IBM and their competitors manage to keep to their roadmap, then we could potentially see cryptographically relevant quantum computing by the mid-2030s: quantum computers capable of factoring a 2048-bit RSA public key in a day or so, hence breaking the encryption scheme and totally undermining the pillars of modern cybersecurity. To make matters worse, most other modern public key schemes, such as elliptic and Edwards curve cryptography and Diffie-Hellman key exchange, would all be susceptible to attack using the same algorithms with only slight modification. Of course, this relies on an incredible rate of technological and scientific innovation, but as any risk manager’s favourite mantra goes, expect the best, prepare for the worst.
Preparing for the singularity
Several strategies present themselves in response to the quantum supremacy singularity. Each varies in the action it encourages; when that action should be implemented; and how drastic those measures are.
Transitioning to post-quantum cryptography
One abstract way to view cryptography is as the walls of the fortress that protects our valuable information. What quantum computing threatens to do is help attackers jump over these walls, so the obvious solution in the analogy is to build higher walls. This is what post-quantum cryptography (PQC) aims to do: by basing cryptographic schemes on more recently studied and much harder problems, the quantum attacker is no longer able to leverage their technology to scale the walls of our fortress. For several years, NIST has run a competition to search for viable post-quantum cryptographic candidates (NIST, 2017), with a select few such as CRYSTALS-Kyber and CRYSTALS-Dilithium making it through to the final rounds, and potentially soon to be standardised. Then, should we start to adopt these schemes for our PKI?
Potentially not, at least just yet. Although the aforementioned schemes have seen considerable success, others, such as isogeny-based Diffie-Hellman (SIDH) (Castryck and Decru, 2022) and the Rainbow signature scheme (Beullens, 2022), were recently broken by attacks that could run on commercial laptops, let alone state-of-the-art supercomputers. In effect, although these schemes build the walls around our fortress higher, they left holes around the sides through which an attacker could simply walk.
The truth is, all cryptography is really difficult, and the schemes that we rely on to secure our data need to be secure against all attacks, not just some. Although the schemes we use today, like RSA, don’t have walls that will be high enough forever, 25 or more years of use, both commercially and in academia, have meant that the most brilliant minds have plugged the holes in these schemes, giving them considerable reliability for use today. Although transitioning to PQC is something the automotive industry needs to do, it doesn’t need to do it in 2023; the better course of action is to let other industries pick apart these schemes for a while longer first, and then, when they have been reasonably worn in by extended commercial use, they can be more ubiquitously adopted.
Becoming cryptographically agile
Regarding NIST’s PQC competition, Bruce Schneier, a fellow and lecturer at Harvard’s Kennedy School and an EFF board member, blogged that “We can’t stop the development of quantum computing. Maybe the engineering challenges will turn out to be impossible, but it’s not the way to bet. In the face of all that uncertainty, agility is the only way to maintain security.” (Schneier, 2022).
Cryptographic agility means being adaptable in response to emerging cybersecurity challenges. To achieve robust security that won’t be compromised as novel threats emerge, it is essential to be in a position where these threats trigger planned, positive action rather than product recalls or other drastic measures. For example, if the cryptographic primitives we place in ECUs in the next 10 years are hard-coded, then when quantum supremacy arrives, we will be in trouble; if we keep these primitives updateable, we can roll out timely updates and avoid a commercial disaster. This goes hand in hand with having an effective cybersecurity management system: when we are in a position to monitor threats effectively and respond to them as they emerge, then we remain cryptographically agile and able to combat the challenges presented by a rapidly developing industry.
Lessons for the automotive industry from the quantum fable
Predicting when quantum supremacy will arrive is a difficult task that requires both an in-depth knowledge of the state of the art and an understanding of just how difficult the task ahead of quantum scientists and developers is. Responding to the emerging threat is also tricky: as discussed, no one wants to jump ship to PQC too early, and yet as the advent of quantum supremacy draws closer, action is required.
However, this action is not limited to the scope of the quantum threat; rather, cryptographic agility is something that enables good cybersecurity in response to any emerging challenges, and therefore provides invaluable learning for the automotive industry.
In the rapidly developing technological landscape we inhabit, peppered with headlines about AI, room-temperature superconductivity and, of course, quantum computing, cybersecurity threats lie behind every innovation. The solution is not to attempt to combat each individually. Rather, by maintaining this agile approach, developers can establish a position of adaptability where threats can be tackled as they emerge. Moreover, a key takeaway from our quantum case study is to get the basics right: to design cybersecurity controls based on risk assessments and threat models, not the trends of a fickle industry.
Time and time again, the most reliable solutions are based on robust applications of proven cryptography, adapted for the specific use case to minimise the risk to identified assets. To conclude with a final example, we could consider the case of the diagnostic services for a product line, secured with a single symmetric key for the whole car fleet. Although that symmetric protocol might be secure today, quantum computers could one day threaten the security of that key, albeit at great cost, and hence the security of the whole car line. If the development process had instead opted to make keys ECU-specific, then the effort expended to crack one key would come with a greatly reduced reward, and hence the security of the whole fleet would be better maintained. It is not hard to see how this example abstracts to other emerging threats: regardless of whether it is quantum technology or another vector that threatens to undermine security assumptions, the industry remains far more resilient against them when it implements measures like single-purpose and ECU-specific keys today. By implementing good cryptography, which remains timeless in an ever-changing field, we can ensure that our cybersecurity remains effective and relevant when pitted against the attack vectors of tomorrow.
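To make the two recommendations above concrete (updateable primitives, and single-purpose, ECU-specific keys rather than one fleet-wide key), here is an added illustration in Python. It is not code from the original article or from any real automotive stack: the message layout (alg_id, key, payload, tag), the purpose labels, the ECU identifiers and the master key are all constructed for the example, and only standard-library primitives are used.

```python
import hashlib
import hmac
from typing import Callable, Dict

# Constructed values for the example only; real master keys live in an HSM.
MASTER_KEY = b"constructed-master-key-for-example-only"
FLEET_SALT = b"constructed-fleet-salt-model-year-2023"


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract, then expand) built on HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def ecu_key(master: bytes, salt: bytes, ecu_id: str, purpose: str) -> bytes:
    """Derive a single-purpose, ECU-specific key from the fleet master.

    Recovering one ECU's diagnostic key reveals nothing about another ECU's
    key, nor about the same ECU's key for a different purpose (e.g. updates).
    """
    return hkdf_sha256(master, salt, f"{purpose}|{ecu_id}".encode())


# Agile MAC table: the verifier dispatches on an algorithm identifier, so a
# new primitive is a table entry plus a security update, not a hard-coded
# rewrite of every ECU.  Retired algorithms are refused (fail closed).
MAC_ALGS: Dict[str, Callable[[bytes, bytes], bytes]] = {
    "hmac-sha256": lambda k, m: hmac.new(k, m, hashlib.sha256).digest(),
    "hmac-sha3-256": lambda k, m: hmac.new(k, m, hashlib.sha3_256).digest(),
}
RETIRED: set = set()


def retire_algorithm(alg: str) -> None:
    """Called from a security update once an algorithm is no longer trusted."""
    RETIRED.add(alg)


def tag_message(alg: str, key: bytes, payload: bytes) -> bytes:
    # The algorithm id is bound into the MAC input so a tag cannot be replayed
    # under a different algorithm label.
    return MAC_ALGS[alg](key, alg.encode() + b"\x00" + payload)


def verify(alg: str, key: bytes, payload: bytes, tag: bytes) -> bool:
    if alg in RETIRED or alg not in MAC_ALGS:
        return False
    expected = MAC_ALGS[alg](key, alg.encode() + b"\x00" + payload)
    return hmac.compare_digest(expected, tag)
```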
Arute, F., Arya, K., Babbush, R., Bacon, D., Bardin, J.C., Barends, R., Biswas, R., Boixo, S., Brandao, F.G.S.L., Buell, D.A., Burkett, B., Chen, Y., Chen, Z., Chiaro, B., Collins, R., Courtney, W., Dunsworth, A., Farhi, E., Foxen, B. and Fowler, A. (2019). Quantum supremacy using a programmable superconducting processor. Nature, 574(7779), pp.505–510. https://doi.org/10.1038/s41586-019-1666-5.
Shor, P.W. (1999). Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer. SIAM Review, 41(2), pp.303–332. https://doi.org/10.1137/s0036144598347011.
Vandersypen, L.M.K., Steffen, M., Breyta, G., Yannoni, C.S., Sherwood, M.H. and Chuang, I.L. (2001). Experimental realization of Shor’s quantum factoring algorithm using nuclear magnetic resonance. Nature, 414(6866), pp.883–887. https://doi.org/10.1038/414883a.
IBM (2023). IBM Quantum Computing | Roadmap. [online] Available at: https://www.ibm.com/quantum/roadmap.
NIST (2017). Post-Quantum Cryptography | CSRC. [online] Available at: https://csrc.nist.gov/projects/post-quantum-cryptography.
Castryck, W. and Decru, T. (2022). An efficient key recovery attack on SIDH (preliminary version). Cryptology ePrint Archive. [online] Available at: https://eprint.iacr.org/2022/975.
Beullens, W. (2022). Breaking Rainbow Takes a Weekend on a Laptop. Cryptology ePrint Archive. [online] Available at: https://eprint.iacr.org/2022/214.
Schneier, B. (2022). NIST’s Post-Quantum Cryptography Standards. Schneier on Security. [online] Available at: https://www.schneier.com/blog/archives/2022/08/nists-post-quantum-cryptography-standards.html.