Sandbox AQ CEO Jack Hidary on the migration to quantum-secure encryption
Jack Hidary, CEO of Sandbox AQ, will be delivering a special keynote presentation on AI and quantum at next month’s IQT Quantum Enterprise event in San Diego. Hidary recently spoke with IQT News Contributing Editor Dan O’Shea about post-quantum cryptography and the role of Sandbox AQ, which recently was spun off from Alphabet, in that emerging space.
What follows is an edited portion of that conversation.
IQT: Sandbox AQ was part of Alphabet for many years, before being spun off last month with an initial focus on quantum-safe encryption. What about this moment in the evolution of quantum computing made it a good time to do that?
Jack Hidary: The fact is that the world of quantum technology is far greater and broader than just quantum computing, and many technologies will have more near term impact in quantum than a commercial quantum computer. I’m very excited about quantum computing, so excited I wrote a book about it [Quantum Computing: An Applied Approach]. But the fact is that we need to look more broadly, quantum secure communications is an area that we’ll see a lot of growth in near term that will impact both telecom providers and the B2B users of telecom, and ultimately, it’ll impact mobile apps and other things that consumers use as well.
Attackers are going after encrypted data and storing it on the adversary servers, and waiting until they have sufficient computing power to decrypt it. And when you think about the intellectual property, the trillions of dollars of intellectual property that is in the servers of the Global 1000, this is obviously a great concern. If you’re a pharma company, you have a lot of intellectual property in terms of the compounds and formulas in the case of a pharma company. The same thing for a chemicals company, where obviously you have a lot of proprietary data that drives your business, and then for banks, who have proprietary trading models, risk models, not to mention, of course, terabytes of customer data that need protected under the compliance under regimes that banks operates in
We need to protect all this for years to come. We’re here now to help make this all happen. So what we need to do now is move on from RSA, which is today’s standard, to a post-RSA environment. RSA served us well. It began in 1978, and has served us well for 40 plus years. But now it’s time for global migration to post RSA protocols. The good news is that many governments around the world recognized this years ago, and specifically six years ago kicked off a coordinated global multi-country, multi-stakeholder, open process that has been a really good, deep examination of more than 60 initial accepted submissions. And three rounds of culling has now produced a set of final protocols, the first few of which we’ll see in the next few weeks.
IQT: These are the standards due to be announced by the National Institute of Standards and Technology (NIST), right?
JH: Literally, in the next two or three weeks, NIST is expected to come out with stamped specs that came out of this six year process. That’s exciting because that gives us in the private sector the tools we need to protect the world’s data to re-encrypt data sets that were encrypted in RSA or elliptic curve or other now vulnerable protocols, and also start putting in place these new protocols. These are not only for data at rest, but also for data in motion. So if you think about payment hubs, think about transaction hubs, and think about what telecom providers offer in terms of connectivity for transactions, that is data in motion that also has to be protected now. That includes telco products, such as VPLS and VPN. The ‘P’ there is the privacy offered by RSA. Now we’ve got to upgrade that to a post RSA protocol because otherwise any traffic in motion over that VPN is vulnerable to eavesdropping.
IQT: There have been reports about a research paper that demonstrated how one of the specs under consideration by NIST was broken in just over 50 hours. Is that a concern?
JH: I think this final list from NIST will focus on some of the other protocols. To be clear, there was not a final standard that came out of NIST that was broken; that did not happen. These protocols were coming down through this process [which started with 69 candidate algorithms], and during that process concern was raised about one of them. Rainbow is the one you’re referring to. And it’s not just the recent paper, but actually previous papers as well that suggested there was a problem with it.
You could fix Rainbow by adjusting some parameters, and so in a future spec output, we could see Rainbow come back. But for now, we believe that NIST will leave Rainbow aside for the moment. The other thing to remember is we’re going to have multiple protocols now. We’re moving data protection from the single protocol world of RSA to a multi-protocol world.
IQT: So what happens next?
JH: The migration from RSA to post RSA is a software migration. There is no hardware upgrade involved, but 20 billion devices around the world will need software upgrades. About 7 billion mobile phones will need to be upgraded because right now they operate on the basis having RSA encryption. Then you think about all the apps on those phones. When you’re on a mobile banking app, or you’re on any secure app, all that is RSA encrypted, and that all has to be upgraded. So that’s 7 billion phones, billions of laptops, servers, and other PCs and of course, billions of IoT devices need upgrade as well. So that’s a software upgrade of hardware devices as well as the networks, the infrastructure, payment hubs and other software layers. That process is already underway and is going to be continuing.
IQT: How is Sandbox AQ helping companies get started with this process?
JH: One of the products we have is a set of machine learning-driven discovery tools that companies can use to crawl the network, and find all the places in the network that are using encryption protocols. It will visualize where in the network RSA is being used or elliptic curve cryptography is being used. With these discovery tools, a typical discovery process for a telco or another type of company will take about six to nine months. These discovery tools will help you produce reports that can be filed as you upgrade to make sure you’re in compliance with the requirements of various agencies that are going to require encryption to be upgraded. We also offer a set of products for telcos to be bundled into their VPNs or SDNs to allow them to level-up security in their various telco products. And then finally, we offer the actual encryption modules themselves that will be based on the NIST standards.
Dan O’Shea has covered telecommunications and related topics including semiconductors, sensors, retail systems, digital payments and quantum computing/technology for over 25 years.