Root Causes 35: Quantum Apocalypse  Mosca's Inequality, Mad Max, and Mohawks
Quantum computers have the potential to defeat the RSA and ECC encryption underlying our digital world. We must swap out these algorithms before quantum computers reach that stage of maturity. But how long to we have? Join our hosts Tim Callan and Jason Soroko as they explain how to calculate the ominously named "Z date," the possible consequences of missing that deadline, and potential hairstyles for a postapocalyptic world.
 Original Broadcast Date: August 28, 2019
Timeline
Timeline

Tim Callan
We are going to return to a topic we have discussed earlier. We actually did a pair of podcasts on this topic, discussing the subject of quantum computing and how quantum computing will to force us to transform the way we approach cryptography.
Episode 5 (Cryptographic Quantum Apocalypse) discussed the basic problem of quantum computing being able to potentially defeat our existing cryptographic approaches and the potential Quantum Cryptographic Apocalypse, and then Episode 6 (Quantum Resistant Cryptography) began to define what the parameters are for a new cryptographic standard that would be quantum resistant and still work for all the other requirements of our digital infrastructure.

Jason Soroko
Today we’re talking specifically about timing. There’s a singular message here that needs to be known by people cold because as time goes on, you’re probably going to hear more and more about this subject.
Obviously as a certificate authority we study these things very carefully because of the fact that they affect our industry very, very uniquely in that we don’t just issue certificates, we issue certificates using specific cryptographic algorithms. And those cryptographic algorithms are not static.

Tim Callan
Oh yeah, not at all. The stuff we were using in the 90’s and the 2000’s is not the stuff we’re using today.

Jason Soroko
That’s right. So therefore, after quantum computing becomes stable enough and powerful enough, the current methods of cryptographic algorithms that we use right now are probably going to become, again, if not deprecated at least less resistant. Therefore what is the timing of all this? How long will this take? Because, you know, terms like the Quantum Apocalypse are thrown around. It’s a good word because it really makes the point.
You and I were discussing just before this conversation about what is the level of importance to do this, even though it may not be imminent for ten years? You know, the solution for this might be a decade away.

Tim Callan
This is a problem that must be solved. If quantum computers have a fundamentally unfair advantage in cracking the current approaches to cryptography, which were put together before anybody had really thought about quantum computers in any serious fashion, then all of it must be swapped out. Otherwise literally your entire digital world would be potentially compromised. Everything you do, money, debt, commerce, communications, transportation, all of this stuff would be insecure.

Jason Soroko
Absolutely correct. Let’s talk about one thing first. Algorithms such as SHA256, used in hashing for example, to store passwords securely. And also AES, which is used to encrypt files and hard disks. Those are not vulnerable right now to Shor’s algorithm.

Tim Callan

Jason Soroko
We are talking about public key cryptography, things like secure authenticated web connections, anything that can be attacked with a quantum computer. We are talking about the timing of all of that.

Tim Callan
There’s a term that was invented by somebody at the University of Waterloo. Which is the Z date. And that is the date of what, Jay?

Jason Soroko
It’s known as the Mosca’s Inequality. What has been called the Z date could be called the Mosca’s Inequality. Let’s take a real simple equation.
Why might we have to worry? If we believe that X plus Y might be greater than Z, we should worry. So what is X? X is, the security shelf life. How long do you need your crypto keys to be secure? In other words, the RSA algorithm, if that needs to be valid or not deprecated for ten years. That’s what we refer to as X in this equation.

Tim Callan
X is the amount of time required for a widely deployed cryptographic algorithm to be live in production and be secure. Is that correct, Jay?

Jason Soroko
100% correct.

Tim Callan
And what’s Y?

Jason Soroko
Y is exactly what we were talking about before. How long does it take to retool? How long does it take to come up with a new algorithm? What is your migration time? Even if you had an algorithm, what’s the extra bit of time it might take to engineer a new certificate authority? Etcetera.

Tim Callan
So that’s the cryptographic work, which is to say the mathematicians sit down and do their egghead math stuff that they’re better at than I am and come back and say, “These are the algorithms that are going to work.” Then we add the time required for a gigantic diversified ubiquitous global interlocking, intercompatible digital ecosystem that needs to be switched over.

Jason Soroko
Correct. Today we quite often use elliptic curve cryptography. We take a look at these things very carefully. ECC took an awfully long time, and it wasn’t just “Can we come up with the math?” It wasn’t just, “Can we prove that it’s safe?” It wasn’t just, “Can we engineer a solution?”
There was also politics around it. When NIST finally released it, it turned out that some of the parameters around it were being messed around with. That’s a whole other story, but suffice to say, it took a long time for it to become mature, stable, and trusted. That’s what we would refer to as Y within this equation.

Tim Callan
And used. Even when it was mature and stable, there was a period of time where it didn’t matter because it wasn’t practical. I as an enterprise couldn’t purchase software that supported ECC. Or if I did purchase software that supported ECC, it wouldn’t work with my other things. So, there was that whole part of it. If you just think about the pragmatic, feetontheground people who have to get their jobs done, they need technology solutions that are operational. If they’re not operational, that’s great that we’re doing the science but it isn’t something that I can put on my floor.

Jason Soroko
Implementation is everything, right? Because a lot of this stuff we’re talking about right now is still in the extremely academic stages.

Tim Callan
Oh Lord, yeah. Absolutely.

Jason Soroko
So therefore, we just discussed X, how long does the current state of the art last? And Y, how long will it take to get to the next state of the art? Those two together need to be greater than what is known as Z or the Z date. Which is, how long will it take for a largescale quantum computer to be built? In other words, what’s the collapse time? When is this Quantum Apocalypse? And that is known as the Z date.

Tim Callan
Sure. So if X is eight years and Y is three years, then that’s eleven years. And if Z is twelve years we’re ok, but if Z is ten years we’re not. That’s the basic arithmetic, right Jay?

Jason Soroko
Right. Keep in mind though, one of the things that is being called for is for Y and X to be worked in parallel. In other words, we’re not going to wait until X is done before we work on Y. We have to start Y now.

Tim Callan
That’s a really good point because if we go back to our ECC example or some of the earlier things, at the time there was just much less cryptoagility than there is now. The idea of going and changing these systems, we didn’t have auto updates. We didn’t have ubiquitous high bandwidth. There are many things we didn’t have that we’ve built out in the last fifteen years. We’ve built out an infrastructure that is much more equipped to do this kind of changeover.
Now on the other hand, the number of systems, the number of devices, the range and variety of those devices have also expanded by orders of magnitude. So I think it’s easier but maybe I'm wrong.

Jason Soroko
I think one of the main points we want to make here, Tim, is what is the nature of the Z date?
It’s very important to keep in mind. When people say the quantum apocalypse, it almost implies, I mean, maybe even to your ears Tim, it might imply to you that we’re talking about just freeforall decryption. In other words, real time decryption of an SSL stream for example.

Tim Callan
Everything’s broken. Nothing is reliable. It’s Mad Max.

Jason Soroko
It’s Mad Max, but that in fact is not what we’re talking about, right?

Tim Callan
Although if it were Mad Max, I will say I think I would look awesome in a mohawk. So I do have that going for me. But I could just get a mohawk, so we don’t need that.

Jason Soroko
You know what? The PKI Mad Max version, I might actually get some popcorn and watch that.

Tim Callan
Mark your Bingo cards, kids. Mad Max, first time we’ve said that. But go on, Jay.

Jason Soroko
So, what are we talking about? We’re probably more or less talking about, not real time decryption of an SSL stream. We’re probably talking about a recorded SSL session that can be decrypted in some, let’s call it reasonable amount of time.

Tim Callan
But that’s still hugely bad. If someone sat and harvested all the bank logins they could get and if it took them a month before they could use them, so what? Those logins are still compromised. Or if someone harvested my confidential information, my industrial secrets going back and forth and it took them a month to decrypt them, so what? They just capitalize on it a month later.
I get your point that nobody is changing my online trade in real time, but there are still so many ways that this would just completely crush what we do that it’s still not acceptable.

Jason Soroko
You’re absolutely right, Tim. Therefore, we do consider it to be a collapse. I want talk about the nature of what that collapse looks like because people are used to leapsandbounds advances in technology. That’s something we’ve gotten used to.
You go to bed one night and the next day you’ve got an iPhone, right? The next day you’ve got something that just changes your life. It’s incredible. We’ve had that in our lifespans, and that’s just amazing. Things like people going to the moon. We’ve just celebrated that anniversary.
Instead I think quantum computing kind of creeps up on us. And it’s more of, I don’t want to say linear but it’s close to that. In other words, creating stability within quantum computing happens a little bit at a time. And as the days tick by, as the months and quarters and years tick by, large scale, stable quantum computing will eventually get to a point where there will be a Quantum Apocalypse. And it will actually continue to improve even past that point.
But it happens gradually. There probably will be some Eureka moments, mostly from the engineering field. Because as many of you might know if you’re studying this, a lot of stable quantum computers right now really depend on cooling down the apparatus to extremely low temperatures. Some quantum computers don’t require that. Well if some of the advances in the noncooled quantum computing start to develop, those are much easier to work with and engineer.
So therefore, there may be some Eureka moments from an engineering standpoint, but the trend that we’re being told by people who know this stuff way, way better than I do, Tim, is that it’s gradual movement forward.

Tim Callan
So does that mean that we have to have a definition of what the Z date is? And is there such a definition?

Jason Soroko
I don’t think Mosca, who originally used that equation—and it has now become Mosca’s Inequality—I don’t think he ever got so far as to say what is the commercial definition of Z because I think he’s leaving that to others to define.
However, here is what Mosca has said in the past, and he has repeated this a number of times at conference talks. In April 2015 he said there was a one in seven chance of breaking RSA2048 by 2026. He also said there’s a half chance by 2031.

Tim Callan
50% by 2031. Gotcha.

Jason Soroko
Now in May of 2017, because time had moved on since 2015, again he suggested that there’s a one in six chance there will be a largescale quantum computing machine within ten years so. Therefore it is, in his words, likely within ten to fifteen years.

Tim Callan
Ten to fifteen years. That’s still a lot of range.

Jason Soroko
It is. We also have a gentleman Simon Benjamin who at a conference in London back in September 2017, right around the same timeframe as Mosca’s second comment, said if somebody is willing to “go Manhattan Project,” then he’s saying, six to twelve years as of September 2017.

Tim Callan
Wow. So, if he’s right and if you take the lowest end of that, you go six years and then we’re two years into that already so that would be four more years to go. And going Manhattan Project isn’t out of the question. The Manhattan Project itself was a statefunded scientific research project, and there are plenty of states in the world with the motivation and the resourcing to do this.

Jason Soroko
Tim, that’s exactly it.
There has been a publication as well, a book called, Quantum Computing Progress and Prospectsfrom the National Academy of Science and Engineering in Medicine. They have some good news and bad news in their report, what they call their key findings. If you happen to get a copy of that book—and I recommend everybody get their hands on it because it’s very interesting—they’re saying the good news is that nothing will happen to threaten RSA2048. That’s key finding number one. Don’t panic.

Tim Callan
Good.

Jason Soroko
Simply don’t panic. Key finding number one and I’ll actually read this verbatim.
“Given the current state of quantum computing and recent rates of progress, it is highly unexpected that a quantum computer that can compromise RSA 2048 or comparable discrete logarithmbased public key cryptosystems will be built within the next decade.” That’s their key finding number one, Tim.

Tim Callan
And this book is very recent? This is from 2019?

Jason Soroko
Written 2018, published 2019. Within the last year.

Tim Callan
So through 2028 is what they’re talking about.

Jason Soroko
Correct. And their key finding number 10, I’ll skip over to 10. Don’t forget their first. I think whoever wrote this had a sense of humor because key finding number one was don’t panic. Key finding number ten is titled “Panic.”

Tim Callan
Ok, what’s that?

Jason Soroko
Again I’ll read it because it’s written very well. “Even if a quantum computer that can decrypt current cryptographic ciphers is more than a decade off, the hazard of such a machine is high enough—and the time frame for transitioning to a new security protocol is sufficiently long and uncertain—that prioritization of the development, standardization, and deployment of postquantum cryptography is critical for minimizing the chance of a potential security and privacy disaster.”
That simply means—and this is exactly what Mosca and others have said—everybody’s thinking it’s around 10 years from now, but it’s going to take us that long to get there.

Tim Callan
Yeah, so let’s make sure that X plus Y is less than Z.

Jason Soroko
That is the entire point. You got it.

Tim Callan
So, are they? It’s an interesting question and probably an unfair question and probably something nobody can answer, but what is our level of confidence that X plus Y is less than Z? Assuming we get on it and we work really hard and we really take this seriously.

Tune in to the next podcast where you get to hear an answer. I just wanted to have this one talk about the Z date.
But in the next podcast, just to wet everybody’s appetite, I'm going to get right into what NIST is doing now because there was a first round of quantum resistant algorithm submissions that have been battle tested and evaluated. There’s been a lot of merging. There’s been a lot of thinking. There’s been a lot of attacks. I guess what I'm trying to say is, the sheer amount of really hard, really wellorganized work that’s going into this right now is substantial.

That’s good news obviously, and I think the point that this needs to be taken seriously and if something in the ballpark of ten to fifteen years is probably the right ballpark, that is a pretty important data point. This is not a problem that’s thirty years away and fortunately it’s not a problem that’s three years away.
I'm still thinking about my mohawk and how cool I'm going to look. But hopefully it won’t come to that.