Provider of digital identity and trust Trust Stamp has published a white paper detailing the peril of quantum computing to biometric systems and offering suggestions to reduce the risks.
Quantum computers will present opportunities to address issues in biometrics, drug production, financial modeling, and weather prediction, among other fields, as per Trust Stamp. However, they will also have the ability to decode most of the encryption systems utilized to safeguard the internet and secure data today.
According to the white paper, while experts anticipate that quantum computers will not have the capability to overcome such systems for at least another decade, entities should proactively deal with “harvest now, decrypt later” (HNDL) attacks.
An assailant could potentially capture encrypted data through an HNDL approach while waiting for quantum computing-enabled decryption to become available. It’s important to note that this cyber threat would require significant resources to execute. This type of attack would probably only be feasible by a nation-state and would target data that will remain extremely valuable for many years to come.
Still, HDNL is a particularly worrisome threat for biometric PII, due to its relative permanence.
Certain data encryption methods are especially susceptible. Asymmetric, or public-key cryptography, uses a public and private key to encrypt and decrypt information. One of the keys can be stored in the public domain, which allows for rapid establishment of connections between “strangers.”
Since the keys are mathematically related, it is theoretically possible to calculate a private key from a public key. While traditional computers are unable to perform these calculations, quantum computers can solve problems such as factoring integers via Shor’s algorithm, making all public key cryptography (PKC) systems insecure.
Passkeys, digital signatures, and digital certificates could potentially be decrypted once quantum computing becomes capable of doing so, posing a risk to biometric systems that use them for verification.
Symmetric or secret key encryptions and hash functions are expected to maintain their security, as per the white paper. Symmetric encryptions employ one key for both encryption and decryption and are commonly used for communications and banking links between two parties with a well-established relationship.
Hash functions produce unique outputs from any given input. Changing the input even slightly will result in a completely different hash value. Hash functions are also irreversible and are often used to verify data integrity. For example, Wicket’s biometric ticketing system stores and compares hash functions taken from biometrics to authenticate attendees instead of the raw data itself. Other biometric providers that use hashing include Keyless and ZeroBiometrics.
Specifically, the white paper states that AES symmetric encryption with larger keys and SHA-2 and SHA-3 hash functions with larger hashes will “generally remain secure.”
Quantum-resistant algorithms will prevent vulnerabilities such as using a key size that is too small or an algorithm that can be represented by a finite group.
NIST has been conducting a competition to assess and standardize new quantum-resistant public-key algorithms. Google has also put forth its own quantum-resilient algorithm.
The U.S. government has already taken measures to mitigate HNDL risks. In May 2022, the national government mandated that all federal agencies with sensitive data implement symmetric encryption systems to protect quantum vulnerable systems by the end of 2023.
Trust Stamp recommends safeguarding biometrics from quantum computing decryption by converting biometric templates into a token that can be invalidated and updated, and not storing raw biometric features.
Notably, Trust Stamp’s Irreversibly Transformed Identity Token IT2 is a secure biometric that can be revoked. It cannot be recreated, and most of the original information is discarded.
Dr. Niel Kempson, executive advisor on technical capability at Trust Stamp, stated that IT2’s algorithm “is quantum-proof by design. If an organization or NGO is implementing or reviewing a biometric system today, they should actively consider the HNDL risk. It is not wise to adopt or maintain technology that will likely be unusable within the next decade, and rely on future solutions with unknown complexity and cost.”
Trust Stamp has also announced that ManTech, a provider of intelligence platforms for the federal government, will integrate Trust Stamp’s identity authentication as part of a teaming agreement.
biometrics | data security | quantum computing | R&D | Trust Stamp