Post-Quantum Payments: Is the Apocalypse Closer Than We Think?


Posted on by Slava Gomzin

This article was inspired by my recent experience at the Black Hat and Defcon cybersecurity conferences. Quantum computing and post-quantum cryptography emerged as major topics, more prominently than ever before. One can say that this is because of the anticipated release of the NIST standard for post-quantum cryptographic algorithms which officially happened immediately after the conferences concluded. However, this release might be just the tip of the iceberg, with significant developments likely hidden from public view. Now, let’s start from the beginning and define what quantum computing is and why we should pay attention to it when it comes to a conversation about payments. 

Unlike traditional computers, which use bits with value 0 or 1 as their elementary building blocks, quantum computing uses so-called qubits, which in addition to regular zeros and ones can enter a special state called superposition. There are special algorithms that use superposition to dramatically speed up calculations which can take forever for regular computers, even supercomputers. One such algorithm, Shor’s, claims the ability to crack public key encryption by solving the problems of factoring large integers and discrete logarithms, which are foundational to Rivest Shamir Adleman (RSA) and Elliptic Curve Cryptography (ECC). I say “claims” because Shor’s algorithm has been theoretically proven and experimentally demonstrated on small quantum systems, but it has not yet been fully realized on large-scale quantum hardware capable of challenging current classical cryptographic systems.

Unfortunately for mathematicians, and fortunately for all of us, quantum computers are not powerful enough yet to execute Shor’s on a full scale sufficient to crack real RSA or ECC keys. But the threat is that such a development could happen at any moment. Remember what happened just less than two years ago with the first release of ChatGPT by OpenAI? Everyone was talking about AI, but no one was expecting a real-life application that can do much more than just chatting. That moment was rather a revolution than evolution. Why should we assume that the same cannot happen with quantum computing?

There is one important difference however between quantum and AI. Companies such as OpenAI are motivated to do a fast release of their work to the public as this means more investment and revenue for them. Quantum computers, however, are not as directly tied to public engagement. National governments and their intelligence services may be even more interested in developing quantum computers than private corporations, and if they do such development and get good results, they will not necessarily publicize their achievements. Instead, they might try to exploit first and crack public communications, cryptocurrencies, and other technologies.

How Is This Applied to Digital Payments?

The first concern is cryptocurrencies, which rely entirely on public key encryption algorithms for security. If Elliptic Curves were cracked today, this would be an immediate crash of Bitcoin, Ethereum, Monero, and hundreds other crypto. All three aforementioned crypto networks, and their numerous forks and mimickers, are based on different flavors of the same ECC. The moment Shor’s algorithm is successfully executed on real keys, the value of most cryptocurrencies could plummet to zero. But if the crackers decide to not make the discovery available to the public, they might first benefit from the ability to crack particular crypto wallets with large amounts. 

But what about traditional payment technologies, like plastic cards, which still account for the majority of processed payments? The plastic payment card industry relatively recently made a full transition to EMV, also known as chip and pin, standard, which means that every payment card has a chip that is supposed to protect cardholder information and transactional data. Guess what is used to protect that data - correct, public key encryption. In EMV, public key encryption algorithms such as RSA and ECC are employed to secure the data exchange between the card and the payment terminal. This ensures that even if the data were intercepted, it would be virtually impossible to decipher without the corresponding private key. One might assume that old magnetic stripe payment cards, with unencrypted data, are safe from cryptographic attacks. While magnetic stripe cards lack encryption, many legacy payment applications and online payment systems still rely on Transport Layer Security (TLS) to secure communications. These applications would be inherently vulnerable to quantum attacks.

However, there is some good news too. Many modern payment systems use a technology called point-to-point encryption (P2PE), when the sensitive cardholder data is encrypted within the card reader device and decrypted only at the payment processor (bank). The most prevalent encryption scheme in P2PE is called DUKPT (Derived Unique Key Per Transaction) which uses symmetric ciphers such as AES (Advanced Encryption Standard). Symmetric algorithms are much more resilient to quantum attacks compared to public key encryption. There is an algorithm called Glover’s that speeds up the brute-forcing of AES ciphers and reduces its security by two times. So, if AES uses a key with 256-bit length, its actual security will be reduced to 128-bit, which is still considered fairly secure today.

In conclusion, the advent of quantum computing poses a looming threat to the security foundations of both modern and traditional payment systems. While we may not yet be at the precipice of a cryptographic apocalypse, the potential for a sudden quantum leap in computational power demands immediate attention and preparation. Cryptocurrencies, as well as the broader financial industry, must begin transitioning to quantum-resistant algorithms to ensure the continued security and trust of digital and traditional payment systems alike. The time to act is now, before the quantum future becomes our quantum present.


Contributors
Slava Gomzin

Director, Payments and Cybersecurity, Toshiba Global Commerce Solutions

Cryptography

Encryption quantum computing Artificial Intelligence / Machine Learning Secure Payments / Cryptocurrencies digital signatures

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.


Share With Your Community

Related Blogs