In a truly forward-thinking move, Google is getting serious about the effort to future-proof internet security: user’s of the tech giant’s test-phase browser, Chrome Canary, can start testing a so-called post-quantum cryptographic technology aimed at making users immune from next-next-generation cryptographic attacks. It might not be necessary right now — though then again, it also might be. Even if it is just an attempt to head off the future, it’s an important attempt, with potentially big implications.
The issue here is key exchange. It’s very easy to design an algorithm that garbles a message beyond the point that even a quantum computer can decrypt it, but then you have a problem: nobody can open it. To have useful encryption that can be undone when needed, we have to build a weakness into our security system that allows some people through and not others, which is again not actually all that difficult from a mathematical perspective. Where it becomes tricky is in distributing the specifics of that weakness — you can encrypt the key itself, but then that needs a key, and so on.
The classical solution, which is to use a “public key” system in which keys don’t need to be exchanged, but are rather visible to all, worked well enough against conventional digital computers, but quantum computers will likely be able to blow through such barriers with ease. So, we need a new algorithms for key exchange, or a new way of getting around the requirement for key exchange. Enter, post-quantum cryptography and, in the case of this new experiment from Google, a software solution called CECPQ1.
If you’re a Chrome Canary user, you can check if you’re part of the post-quantum experiment by going to the Security panel and looking for CECPQ1, the post-quantum suite that allows Chrome browser to interact with specifically designed Google servers in a way that no quantum computer could eavesdrop upon.
That is, the update should do that if the algorithm works. The issue here is that it’s difficult to actually tests these defenses, in absence of a real quantum computer to do the attacking. There are mathematical thought experiments that “prove” certain algorithms ought to be impossible to compute, even for a quantum computer, but if the history of cryptography has taught us anything it’s that mathematical thought experiments are capable of overlook glaring real-world problems.
And so, tests of this nature are necessary to look into the feasibility of protecting ourselves from our next great invention. It’s a foregone conclusion that we’ll figure out a form of quantum security, but it’s not at all assured that we’ll come up with that security before we’ve already suffered quite a period of insecurity from government, corporate, and other uber-moneyed technological actors — actors like Google itself.
It speaks to the convenient alignment of incentives in Google’s business model, between service provider and consumer. From Google’s perspective, the losses from wide-ranging internet insecurity far outweigh any misconduct-born advantage they might get from having easy access to previously secured systems.
Google’s priority is to make a truly secure digital future; this experiment is terminal, with a maximum lifetime of two years and an explicit wish not to become the industry standard. Google openly acknowledges this is not a good enough solution, even if its testing is a complete success. Their plan is to replace CECPQ1 with a better, updated solution, and in all likelihood even that algorithm won’t be secure enough to use as the basis for next-gen encryption.
It could take many years of large-scale testing to really settle this question of whether and how we can protect privacy and security in the future; it’s a good thing Google’s looking to address that question now.
Now read: IBM makes quantum computer available for free via the cloud