Page 26 - GS220801
Cover Story
of data stored in the cloud. These threats are most likely to be acted upon, first by foreign governments and then by well-funded international threat actors."

Standardizing PQC

The ultimate goal of post-quantum cryptography, also called quantum-resistant cryptography, is to develop "cryptographic systems that are secure against both quantum and classical computers, and can interoperate with existing communications protocols and networks," NIST representatives wrote when inviting candidates to enter the competition and help standardize PQC.

Marc Punzirudu, senior director, North America at SISA, has observed the NIST competition with interest, along with cryptographers, computer scientists, mathematicians and infosec stakeholders. "It has been like watching a boxing match, with FrodoKEM getting knocked out in the third round," he said, while pointing out that numerous submissions have merit and should not be disregarded simply for losing a NIST match.

Punzirudu further noted that NIST is evaluating three types of encryption schemas: code-based, multivariate-based and lattice-based. NIST selection criteria, which include security, cost/performance, and implementation, may disqualify algorithms with high computational costs or complex implementations that are viable in some environments and use cases, he said.

"This isn't a 'be-all, end-all' decision making process," Punzirudu said. "We'll see continual research into new methodologies to protect information, supplement existing encryption, and develop new code, lattice, or multivariate-based schemes for as long as there are advancements in computing."

Driving PQC compliance

Sam Pfanstiel, Ph.D., principal, industry solutions at Coalfire, expects the payments industry to continue its march toward PQC integration, standardization and compliance. He noted that for the past couple of years, before Ralph Poore's retirement as head of emerging standards and cryptography at the PCI Security Standards Council (PCI SSC), the organization's Encryption Task Force convened frequently "to discuss PQC, as well as other factors affecting cryptographic security." He offered the following additional observations:

• Cardholder data: Cardholder data has a shorter lifespan than other sensitive data, thus where other industries must take precautions and be aware of risk associated with illicit capture of encrypted transmissions now and decryption by quantum computers later, this threat has less impact in general on cardholder data.

Having said that, while the PCI SSC has primarily concerned itself with the protection of cardholder data and sensitive authentication data, other values in our ecosystem, such as encryption keys themselves, PII, and ePHI have a longer shelf life and thus warrant consideration," Pfanstiel stated.

• Symmetric key cryptography: Most PCI standard cryptography encrypts data with symmetric keys (TLS ciphers, DUKPT, Master/Session, Zone Control Keys). While symmetric encryption will lose about half its effective strength in a post-quantum world, current minimum key strengths should remain strong enough to provide minimum necessary protection. Initiatives are already underway to increase minimum key strengths.

"Where asymmetric cryptography is used, e.g., for authentication certificates, application signing, remote key injection, limiting the cryptoperiod of these keys, monitoring the sensitivity of protected data, and preparing to adopt post-quantum cryptography will be a topic of interest throughout the payments industry as this date approaches," Pfanstiel noted.

Unpacking quantum physics

As engineers and developers lean into post-quantum cryptography, it may be worth noting that quantum has disrupted the measurable realms of physics and technology, including Newton's and Maxwell's formerly unassailable laws of physics and electromagnetics, respectively. For many scientists and engineers, the idea that any technology can defeat PKI is hard to accept.

In his book, Quantum Reality, Nick Herbert explored the belief, advanced by some physicists, that quantum reality is shaped by the observer. This was an anathema to Einstein, he noted, who famously remarked that he couldn't believe God would play dice with the universe.

"Einstein objected to suggestions to observer-created reality in quantum theory by saying that he could not imagine that a mouse could change the universe simply by looking at it," Herbert wrote. He further noted physicist Hugh Everett III's rebuttal that the observer is affected by the system, not the other way around.

Prof. Gideon Samid, Ph.D., P.E., chief technology officer at BitMint, maintained that quantum physics formulas defy explanation; the scientific community has various theories, but the bottom line is they just work. "People accepted Newton's physics and Maxwell's electromagnetics as the theory of everything," he said. These assumptions were challenged, he noted, by Richard Feynman, a brilliant mathematician and 1965 Nobel Prize in Physics recipient, and other physicists who introduced quantum formulas that could accurately predict outcomes.

"Before quantum, the world was looked upon as deterministic," Samid said. "Newton said, if you tell me the location, speed and acceleration of every part of the
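The three observations Pfanstiel makes above (cardholder data has a short shelf life while keys, PII and ePHI have a long one; symmetric keys lose about half their effective strength; asymmetric keys used for certificates, signing and remote key injection need bounded cryptoperiods and a migration plan) can be turned into a simple triage over a key inventory. The following is an added example written for this article, not code from the article, Coalfire or the PCI SSC. Its assumptions: asymmetric RSA/ECC/DH keys are treated as having no residual strength against a cryptographically relevant quantum computer (Shor's algorithm, which the article does not name), symmetric strength is halved per the article's statement (Grover's algorithm), the 112-bit floor is an assumed policy threshold, the migration horizon is the planner's own estimate since the article gives no date, and the data classes, shelf lives and sample inventory are constructed for illustration.

```python
"""Post-quantum exposure triage for a cryptographic key inventory (added example).

Not from the article or from PCI SSC / Coalfire. Shelf lives, the sample
inventory, and the strength assumptions are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed shelf-life estimates in years: how long a ciphertext captured today
# stays worth decrypting ("harvest now, decrypt later"). Illustrative values only.
SHELF_LIFE_YEARS = {
    "cardholder_data": 3,       # bounded by card expiry / reissue
    "sensitive_auth_data": 1,
    "pii": 30,
    "ephi": 50,
    "encryption_key": 20,       # a captured key unlocks everything it protected
}

ASYMMETRIC = {"RSA", "ECDSA", "ECDH", "DH"}
SYMMETRIC = {"AES", "TDES"}


@dataclass
class KeyRecord:
    name: str
    algorithm: str
    bits: int                   # key size (symmetric) or modulus/curve size (asymmetric)
    protects: str               # data class, a key of SHELF_LIFE_YEARS
    cryptoperiod_years: float   # how long this key stays in service


def classical_strength(rec: KeyRecord) -> int:
    """Approximate pre-quantum security level in bits (coarse SP 800-57 style mapping)."""
    if rec.algorithm in SYMMETRIC:
        return 112 if rec.algorithm == "TDES" else rec.bits
    if rec.algorithm in ("ECDSA", "ECDH"):
        return rec.bits // 2
    # RSA / finite-field DH: coarse table lookup, 80 bits for anything smaller
    table = {2048: 112, 3072: 128, 4096: 152, 7680: 192}
    return table.get(rec.bits, 80)


def post_quantum_strength(rec: KeyRecord) -> int:
    """Residual strength once a large quantum computer exists.

    Assumption: Grover halves symmetric strength (the article's "about half");
    Shor breaks RSA/ECC/DH outright, so their residual strength is 0.
    """
    if rec.algorithm in SYMMETRIC:
        return classical_strength(rec) // 2
    if rec.algorithm in ASYMMETRIC:
        return 0
    raise ValueError(f"unknown algorithm {rec.algorithm}")


def triage(rec: KeyRecord, horizon_years: float, min_bits: int = 112) -> str:
    """Classify a key for migration priority.

    horizon_years: planner's estimate (an assumption) of when a cryptographically
    relevant quantum computer may exist. A key matters at that horizon if the data
    it protects is still sensitive then, or if the key itself is still in service.
    min_bits: assumed policy floor for acceptable residual strength.
    """
    exposure = max(SHELF_LIFE_YEARS[rec.protects], rec.cryptoperiod_years)
    still_matters = exposure >= horizon_years
    pq_bits = post_quantum_strength(rec)
    if pq_bits >= min_bits:
        return "ok"
    if not still_matters:
        return "monitor"        # weak later, but nothing it protects survives that long
    return "migrate-now" if pq_bits == 0 else "strengthen"


# Constructed sample inventory modelled on the key types the article lists.
SAMPLE_INVENTORY = [
    KeyRecord("dukpt-bdk", "TDES", 168, "cardholder_data", 2),
    KeyRecord("tls-session", "AES", 128, "cardholder_data", 0.1),
    KeyRecord("db-at-rest", "AES", 128, "ephi", 5),
    KeyRecord("zone-control-kek", "AES", 256, "encryption_key", 3),
    KeyRecord("rki-cert", "RSA", 2048, "encryption_key", 10),
    KeyRecord("app-signing", "ECDSA", 256, "pii", 5),
]


def triage_inventory(inventory, horizon_years: float = 10) -> dict:
    """Map each key name to its triage verdict for the given horizon."""
    return {rec.name: triage(rec, horizon_years) for rec in inventory}


if __name__ == "__main__":
    for name, verdict in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{name:18s} {verdict}")
```

With the constructed inventory and a ten-year horizon, the short-lived cardholder-data keys (TDES DUKPT, AES-128 TLS sessions) land in "monitor", matching the article's point that harvest-now-decrypt-later matters less for cardholder data; AES-128 protecting ePHI is flagged "strengthen" because the data outlives the horizon; AES-256 stays "ok" at 128 residual bits; and the RSA remote-key-injection certificate and the ECDSA signing key, which protect long-lived keys and PII, come out "migrate-now". The thresholds are the planner's policy inputs, not values from the article.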