Solving the Key Puzzle For Encryption's Future
Advanced processing capabilities could outpace innovative data security solutions.
State-of-the-art encryption continues to defy all but the most elite codebreakers, but even exponential improvements may never catch up with rapid advances in computing. In some cases, the very technologies that enable innovative encryption solutions also could provide the key to breaking the most complex codes applied to datasets.
Even with this caveat, the state of encryption today is strong, says Gregory Shannon, chief scientist for the CERT Division at Carnegie Mellon University’s Software Engineering Institute. Many different threads of encryption are being developed by researchers with positive results, and some of these have found their way into the commercial sector. For example, blockchain—which is used with cryptocurrencies such as bitcoin—provides a way to secure and verify data throughout the global supply chain. It applies a computationally hard problem to notions of trust and accountability. The technical innovation grew out of the encryption community, notes Shannon, who has a Ph.D. in computer science and recently completed a stint as assistant director for cybersecurity strategy in the White House Office of Science and Technology Policy.
“There is a lot of very exciting work, and it will continue to provide both the technical community as well as society with some interesting options on how to manage secrets and privacy and how to enhance security,” he observes.
The future of encryption is both evolutionary and revolutionary, Shannon states. It is evolutionary in the sense of understanding good encryption and how to achieve it more efficiently. It is revolutionary in that, as encryption becomes more efficient, its applications multiply. Steady progress will lead to more innovation.
Technological advances already have boosted the financial community’s trust in encryption. These advances in turn could improve the efficiency of economic systems as well as the medical industry, Shannon offers. “Encryption technologies have the opportunity to be disruptive in application,” he says.
One revolutionary technology that would affect encryption is quantum computing. It has many facets, Shannon notes, and its use in encryption may hinge on how efficiently it can encrypt and decrypt—and how well it can resist an adversary.
Yet quantum computing could change the balance of security by allowing an adversary to break encryption. Its processing power, which would help adversaries figure out encryption keys, would diminish the advantage of encryption. Ultimately, the tool that could provide a major leap in encryption technologies could be its undoing, although Shannon says he believes it threatens legacy encryption technologies the most. But this threat is several technology generations in the future, and researchers already are working on quantum-resistant encryption protocols.
They also are making headway with other advanced techniques. The Defense Advanced Research Projects Agency (DARPA) is developing a way to encrypt multiparty communications that would enable secure conference calls, for example, by mixing the audio signals as an encrypted computation. This removes the need for an intermediary point that actually is a risk node for decryption, Shannon allows.
Another potentially revolutionary development—perhaps the most revolutionary, he suggests—is related to this work. Encrypted computation, also known as homomorphic encryption, needs no additional security measures (see When Confidentiality and Security Collide). These computations could be carried out in the cloud, for example, without decrypting the data and causing any trust issues. Currently, computing in a cloud mandates costs of 10 to 12 orders of magnitude more than common encryption. However, researchers are peeling off some of those orders of magnitude with the new algorithms they are generating, Shannon says.
New encryption methods would also transform decryption. Large datasets stored for some time could be decrypted as new techniques emerge. Extremely old data that has held its value could be decrypted in ways the original users did not anticipate, Shannon points out.
The more value inherent in a dataset, the harder adversaries will work to access the information and the harder the data owner will try to protect it. Adversaries tend to determine the value of data and how to access the information before users understand how to safeguard it, Shannon states. “People assume, Why would anyone care about various sources of data about me or my enterprise? How would they ever get that [data], and what would they do with that? Well, adversaries are answering that question for them every day,” he declares.
Members of the public are beginning to expect that anyone holding their data should be encrypting it, but it is not realistic to think that individuals en masse will take responsibility for their own encryption, Shannon offers. Meanwhile, more organizations are seeing the need to encrypt the data they hold, and small organizations will rely on their vendors for data encryption.
To ward off threats successfully, encryption must be applied properly, and this can prove to be difficult, Shannon allows. Sophistication alone is not enough. “The protocol is part of it, the math is part of it, and it must be implemented and operated correctly,” he points out. “Even if in principle things look very robust, in practice it is quite challenging to do it well.”
Not all of this difficulty can be ascribed to the common accusation of manufacturer sloppiness in racing to get products to market. “At the end of the day, the notion of writing code that does what you say it does or creating engineered social-technical systems is still artisan. It is difficult to verify that it actually does what you think it does,” Shannon says. Research on self-proving systems has been ongoing, but the concept has yet to demonstrate the level of efficiency required for technical systems that need assurance.
Despite any shortcomings, encryption is likely to factor into future cybersecurity policy. The U.S. government still is working to formulate a national cybersecurity policy, and encryption is a standard security tool, Shannon notes. Although encryption is likely to be part of any risk management framework, it probably will not be mandatory in a blanket approach. “It will certainly be seen as a best practice, but it always will be context-dependent on the threat,” he says.
Technology governance is increasing in significance, he continues. “Governing technology evolution, whether it’s standards or something else, is important,” Shannon posits. Seemingly small issues such as standards and procedures can affect commercial investments significantly. “We are going to see more technology governance, and encryption is one of the technologies that is driving that type of conversation,” he maintains.
And encryption’s reach is long. “Encryption brings into relief issues that society has to deal with in terms of privacy, law enforcement and how nation-states interact with each other,” Shannon states. “Encryption is a key enabler in that mix.” Different societies will experiment with how they deal with the process.
“Things like encryption allow us to keep our trust focused,” Shannon offers. “If you can rely on communication being encrypted, you only have to trust the person on the end. You don’t have to trust people in the middle, who may see the information as it passes through their hands.”
Encryption has an important role to play in making economies and interactions more efficient and more productive, which has taken root only in the past century. For the foreseeable future, it never will be unbreakable, especially as humans stay in the loop, he says.