Social Icons

Showing posts with label cryptography. Show all posts
Showing posts with label cryptography. Show all posts

Sunday, March 30, 2025

STARLINK-JIO-AIRTEL Security issues to Ponder

The Quantum Threat Beyond Encryption: Why Even Deleted Data is at Risk

1.    As the world moves closer to the reality of quantum computing, we face an inevitable question: How secure is our data in a quantum-powered world? The focus so far has been on how quantum computers will break the cryptographic systems that we use to protect sensitive information. From emails to bank transactions, most of the digital security we rely on today is based on cryptographic algorithms that could soon be rendered obsolete by quantum algorithms like Shor’s algorithm.

2.    However, the threat posed by quantum computers extends beyond just encryption and data protection. It raises an important, often overlooked question: What happens to the data we've deleted? We might think that deleting a file, erasing it from our hard drives, or discarding old devices like phones, SSDs, or HDDs is enough to ensure privacy. But the truth is, even deleted data is at risk in a quantum world. In fact, it may be more vulnerable than we think.

Classical Data Deletion vs. Quantum Recovery

3.    In today's world, deleting a file typically means that it's no longer accessible in the usual ways. When you "delete" a file on your computer, most operating systems simply mark the data as available for overwriting. The actual data may remain on the drive until new data overwrites it, but in practice, it’s often considered gone. People use software tools to recover deleted files, and while it’s a bit of a hassle, it's generally not a huge risk.

4.    The issue, however, is that quantum computers—once they become powerful enough—may be able to recover deleted data that classical methods cannot. Why? Because of quantum superposition and quantum interference, quantum systems have the ability to "peek" into the quantum states of particles or systems in ways that classical systems cannot. This means that even after data is deleted, quantum techniques might allow an adversary to reconstruct it.

One paper, titled "Quantum Proofs of Deletion for Learning with Errors (LWE)" by Alexander Poremba, is about proving that data has been deleted in a secure and private way. The challenge addressed here is how to ensure that an untrusted party (like a cloud service) has actually deleted your sensitive data when you request them to do so. You don’t want them to just say they deleted it—you want a guarantee, and this proof needs to be verifiable by anyone, including you.

5.    When we dispose of old devices like phones, hard drives, or SSDs, or delete files from cloud storage, we often assume the data is gone for good. However, residual data can remain, and with the rise of quantum computing, even seemingly erased data might be recoverable. Traditional methods like disk wiping or cloud deletion tools are no longer foolproof. Quantum algorithms can expose vulnerabilities, allowing attackers to retrieve discarded data from both e-waste and cloud services. Without quantum-resistant deletion protocols, your data could remain at risk, putting your privacy in jeopardy long after disposal.

The Need for Quantum-Proof Deletion: Why LWE Matters

6.    This is where the concept of Quantum Proofs of Deletion becomes crucial. Traditional deletion methods are no longer enough in a world where quantum computers might one day be able to reverse what we thought was irretrievably lost. That’s why researchers are turning to quantum-resistant cryptographic models to address this issue—one of the key approaches is through Learning with Errors (LWE).

7.    LWE is a mathematical problem that, unlike classical encryption systems, is believed to be hard for both classical and quantum computers to solve. By using LWE-based encryption and deletion protocols, we can ensure that data deletion remains secure—even in the presence of quantum adversaries.

8.    Quantum-proof deletion protocols built on LWE can not only ensure that data is securely erased but also provide a proof that it has been deleted in a way that no quantum adversary can reverse. This can be crucial when you’re dealing with sensitive data that could otherwise be recovered by a quantum hacker.

The Quantum Future: Preparing for What’s to Come

9.    As quantum computing advances, we must rethink how we manage not just encryption but also data deletion. This isn’t just a theoretical concern for the far-off future; it’s a looming issue that we must address today in anticipation of the quantum age.

10.    What does this mean for individuals and businesses? Simply put: the data you delete today may come back to haunt you in the future unless we adopt quantum-resistant deletion protocols. Old phones, hard drives, and SSDs that you discard or sell might contain hidden risks if not properly erased. In the near future, we may need to adopt rigorous, quantum-proof methods for securely erasing data to safeguard against future threats.

Conclusion: Secure Data Deletion is a New Front in Cybersecurity

11.    As we continue to face the growing threats posed by quantum computing, it's crucial that we expand our thinking beyond traditional cryptographic systems. The focus has long been on encryption, but the security of deleted data is just as important.

12.    Quantum-proof deletion is not just a concept for cryptographers—it's something that will affect each of us. So just as we’ve worked to secure our data with encryption, we must now work to ensure that deleted data can never be resurrected by quantum computers. And for that, innovations like Quantum Proofs of Deletion based on Learning with Errors (LWE) are a crucial step toward a secure digital future.

Sunday, January 12, 2025

Why the NCSC (UK) is Cautious About Quantum Key Distribution (QKD) for Government and Military Use ?

1.    Quantum Key Distribution (QKD) is often hailed as a groundbreaking technology in the world of cybersecurity. By harnessing the principles of quantum mechanics, it promises secure key distribution between two parties, immune to eavesdropping. However, despite its potential, the UK’s National Cyber Security Centre (NCSC) had explicitly denied its endorsement for government and military applications  few years back. {Source: https://www.ncsc.gov.uk/whitepaper/quantum-security-technologies}. Here's why my opine:

  • Specialist Hardware Requirement: QKD relies on complex and expensive hardware, including photon detectors and optical fibers. This infrastructure is difficult to deploy and maintain, making it impractical for widespread use, especially in sensitive and large-scale applications like government and military communications.

  • Lack of Digital Signatures: Unlike traditional cryptographic systems, QKD doesn’t support digital signatures, which are crucial for verifying the authenticity of messages. Without this feature, QKD cannot fully replace current security systems that ensure data integrity and authentication.

    • Why doesn't QKD support digital signatures?

      • Nature of QKD: QKD’s purpose is to create a shared secret key between two parties. It does not provide the functionality of encrypting data or verifying identities, which is what digital signatures do.
      • Digital signatures require private keys to sign a message and verify it with a public key. While QKD can be used to securely exchange the private keys needed for traditional cryptographic schemes (e.g., for RSA or ECDSA), QKD itself is not designed to perform signing operations.

Source: https://www.ncsc.gov.uk/whitepaper/quantum-security-technologies

Integration with Traditional Systems

2.    While QKD doesn't support digital signatures directly, it can be used in conjunction with traditional cryptographic systems. For instance, after using QKD to securely share a key, the parties can use that key with a traditional system to perform tasks like encryption, decryption, or creating digital signatures.

  • Limited Range and Scalability: QKD's effectiveness is limited by the distance over which it can securely transmit keys. With current technology, it only works over relatively short distances and is not easily scalable, especially for large-scale, long-range communication networks.

  • Evolving Quantum Threats: While QKD is designed to withstand future quantum computer threats, quantum research is still advancing, and new vulnerabilities may emerge. Until these risks are fully understood, relying solely on QKD for critical infrastructure would be premature.

3.    In conclusion, while QKD holds promise for the future, its current limitations in hardware, functionality, and scalability make it an impractical solution for government and military use at this stage. For now, more established and reliable cryptographic methods are preferred to secure sensitive communications.

Sunday, October 27, 2024

Should Standards Bodies and Cryptographic Developers be Held Liable for Encryption Failures?

1.    In an age where data privacy and security are paramount, encryption has emerged as the bedrock of digital trust. It’s what keeps our financial transactions, sensitive personal data, and corporate secrets safe from unauthorized access. But what happens when encryption itself—the very framework that data protection laws and industries rely on—is compromised? Should standards bodies and cryptographic developers bear the weight of liability for such failures?

2.    As data breaches and cyber threats grow in sophistication, this question becomes more pressing. Here’s why attributing liability or penalties to standards organizations, certifying authorities, and cryptographic developers could enhance our digital security landscape.

 

The Importance of Encryption Standards

3.    Encryption protocols, such as AES, RSA, and newer algorithms resistant to quantum attacks, form the foundation of data protection frameworks. Global regulations like GDPR, CCPA, and India’s upcoming Digital Personal Data Protection (DPDP) Act rely on these protocols to ensure that personal and sensitive data remain inaccessible to unauthorized parties. If encryption fails, however, it’s not just individual companies or users at risk—entire sectors could suffer massive exposure, eroding trust in digital systems and putting critical information at risk.

Why Liability Should Extend to Standards Bodies and Developers

4.    While organizations implementing encryption bear the primary responsibility for data protection, the bodies that create and certify these protocols also play a critical role. 

5.    Here’s why penalties or liability should be considered:

  • Encouraging Rigorous Testing and Regular Audits
    Standards bodies like NIST, ISO, and IETF establish widely adopted encryption protocols. Liability would push these organizations to conduct more frequent and intensive audits, ensuring algorithms hold up against evolving cyber threats. Just as companies face penalties for data breaches, certifying authorities could face accountability if they fail to spot and address weaknesses in widely used protocols.

  • Improving Transparency and Response Times If a protocol vulnerability is discovered, standards bodies must respond swiftly to prevent widespread exploitation. Penalties could drive faster, more transparent communication, allowing organizations using the protocols to take proactive steps in addressing vulnerabilities.

  • Mandating Contingency and Update Plans Holding developers accountable would encourage them to prepare fallback protocols and quick-patch solutions in case of a breach. This might include keeping secure, verified backup protocols ready for deployment if a primary standard is compromised.

  • Creating a Secure Backup Ecosystem Implementing “backup” cryptographic protocols could add resilience to the security ecosystem. Standards bodies would regularly update these backup algorithms, running them through rigorous testing and ensuring they’re ready if a main protocol fails. This approach would offer organizations implementing these protocols a safety net, reducing their dependency on a single encryption standard and bolstering the security framework as a whole.

  • Enhanced Accountability in High-Stakes Industries Certain sectors—like healthcare, finance, and national defense—handle data so sensitive that any encryption breach could lead to catastrophic consequences. In these cases, stronger regulatory oversight could require standards bodies and certifiers to focus even more on high-stakes applications, tying liability to the industry impact and motivating specialized security measures for these areas.

 

Balancing Penalties and Incentives

6.    Alongside penalties, incentives for timely vulnerability reporting could encourage cryptographic researchers and developers to disclose potential weaknesses promptly. This combination of incentives and liabilities would cultivate a more open and responsive environment for cryptographic development, minimizing risk while promoting trust.

The Future of Encryption and Shared Responsibility

7.    The potential for encryption compromise, especially with advancements in quantum computing, necessitates a shift in how we approach responsibility in the data protection ecosystem. Attributing liability to standards bodies and cryptographic developers could reshape how encryption is developed, tested, and maintained, ensuring that digital security doesn’t hinge on blind trust alone.

Conclusion

8.    As digital reliance grows, so too must our accountability structures. A compromised encryption protocol impacts far more than just individual companies; it can shake entire sectors. By attributing liability to the creators and certifiers of encryption standards, we foster a collaborative, transparent, and robust approach to data security. In doing so, we not only protect sensitive information but also fortify trust in the very systems we rely on in our digital world.

Powered By Blogger