Global Encryption Day: Cyber-securing your data with quantum-safe cryptography and confidential computing

Cyberattacks are on the rise, with cybercriminals getting ever smarter. But so are security researchers, always striving to be a step ahead of the most sophisticated hacker – to keep you, your data and your business safe.

With companies more and more under pressure from data protection regulations and the risk of fines if data is not properly protected, researchers are coming up with innovative ways to enhance data privacy.

October is Cybersecurity Awareness Month in Europe and the US, a month to remind us to be aware of the constantly evolving cyber threats and be prepared for them. With the latest milestones in artificial intelligence (AI) and cryptography, security researchers are pushing the limits of cyber defences.

They are on the front line of fighting cybercrime, along with the first incident responders – and must keep adapting to threats that spill more and more into our physical world from the digital one.

Today’s tech giants, among them IBM, are harnessing the power of AI to protect businesses, organizations and individuals against cyber criminals – even those that may want to use future quantum computers to crack modern encryption. That’s where quantum-safe cryptography comes in.

While even the ancient Greeks, Romans and Egyptians used symbol-replacement encryption, modern computer technology has brought cryptography to totally new heights. Data is routinely encrypted when deemed sensitive. The problem is, as cryptography keeps maturing, so is an emerging but incredibly promising type of computation – quantum computing.

First talked about in the early 1980s as a possible practical application of quantum mechanics, quantum computers are now a reality. They rely on nature's weird and wonderful properties when atoms and subatomic particles can be entangled and in multiple states simultaneously.

These properties enable quantum computers to perform many more computations than a traditional computer ever could. As they become more powerful, quantum computers soon should be able to crack modern encryption.

That’s why cryptographers have recently been busy developing a type of encryption based on the mathematical property of lattices that would keep data safe from a future quantum computer.

In July, the US National Institute of Standards and Technology (NIST) announced four schemes primed to pave the way to new quantum-safe crypto standards for the world to adopt.

IBM’s Security and Quantum research teams contributed to developing these schemes. But the journey to quantum-proof your data security doesn’t stop here; it’s just the beginning. Companies should be thinking about migrating their systems to quantum-safe cryptography already today.

That’s also the view of the US National Security Agency. It recently announced that its networks with classified data will switch to quantum-safe standards by 2025. And it doesn’t matter that quantum computers are not powerful enough to break modern encryption just yet. They will be sooner than you might think.

At this year’s Mobile World Congress, the GSM Association (GSMA), a body representing the interests of mobile network operators, announced the formation of the GSMA Post-Quantum Telco Network Taskforce, with IBM and Vodafone as initial members. The taskforce aims to help define policy, regulation and operator business processes to better protect telecoms from future quantum computers.

There are already offerings with quantum-safe encryption, such as IBM’s recently released z16 and LinuxONE Emperor 4 systems that protect against software and physical attacks. And we are not stopping there.

The recently-chosen standards cover only encryption and authentication, but all signs indicate that we will need much more advanced cryptography in the near future. With users and companies becoming more sensitive to protecting private data, bleeding-edge technologies like distributed ledgers and zero-knowledge proofs are being pushed into the real world.

The most efficient protocols underpinning the privacy of these constructs is currently not quantum-safe, and we are in the process of developing ones that are efficient and will remain secure in the quantum future.

Moving to quantum-safe standards will take the world a few years at least. And this will not be enough to make your sensitive data safe today, especially in the cloud. Enter confidential computing.

This technology aims to ensure that your data in rented cloud infrastructure stays encrypted not only in storage or in transit but also when it’s in active use – during, say, training machine learning models, indexing the data, or manipulating it in some other way.

Confidential computing isolates data within a protected central processing unit (CPU), ensuring the confidentiality of a workload thanks to hardware mechanisms giving protection to entire virtual machines (VMs), often called ‘secure’ VMs, and containers.

These secure virtual computer systems sport their own CPU, memory, storage and network interface, giving customers access to their own ‘computers’ in the cloud rather than through dedicated physical hardware.

A secure virtual machine is akin to a highly protected hotel room. Only the customer can use their key to enter the room, while the hotel staff can’t. Similarly, a secure virtual machine protects a user's workload from the cloud provider's personnel and software, and from other (potentially malicious) clients that may be running on the same infrastructure.

Recent years have seen huge leaps in confidential computing, with many tech giants betting on it, including Intel, Google, ARM, Microsoft and others. IBM Z, widely used in the financial industry, is a secure, reliable and scalable platform for confidential computing.

While confidential computing protects a program from external attacks, preventing an adversary from directly accessing information inside it, we’ve also recently developed ‘memory-safety protection’ to defend systems from internal threats.

Currently still a research project, this technology protects a program from internal attacks. It’s aimed at preventing an adversary from exploiting memory safety vulnerabilities within a program to steal information, as was the case in the HeartBleed attack, or from taking control of a program, as happened in Return Oriented Programming attacks.

While confidential computing relies on dedicated hardware and the robustness of the software stack running in the secure enclave to keep your data safe, researchers are also pursuing what’s known as fully homomorphic encryption (FHE).

Traditional encryption schemes secure data at rest and in transit but require it to be decrypted before any computations occur. However, with FHE, one can achieve complete end-to-end data security and privacy, with data never being decrypted at all.

This way, the technology provides cryptographical security at the data level regardless of the underlying infrastructure or environment where the processing is performed. It means that with fully homomorphic encryption, one can safely outsource computations to the cloud or to a third party, and even have multiple parties share and gain insights from data – all while preserving privacy.

Researchers have been tinkering with this mathematical concept since the 1970s. A major breakthrough came in 2009 when Craig Gentry, back then an IBMer, published his seminal work – A Fully Homomorphic Encryption Scheme. His paper provided the mathematical underpinning for the emergence of technologies enabling complex industry workloads to be run over encrypted data.

While the promise of FHE was transformational until recently, the computational overhead and the complexity of usage made it not very practical for the industry to apply. But researchers keep pushing the limits to develop more efficient, fully homomorphic encryption schemes – and we are getting there.

At IBM, we now offer a downloadable package, free for non-commercial use, to experiment and develop applications and machine learning models over encrypted data.

We are also busy working on a cloud-native infrastructure to give customers access to different services over encrypted data, with an initial focus on serving machine learning models.

Cyber criminals may be getting more sophisticated – but cybersecurity researchers will always be a step ahead.