
Prepare now for when quantum computers break biometric encryption: Trust Stamp


Digital identity and trust provider Trust Stamp has released a white paper explaining the threat of quantum computing to biometric systems and making recommendations to minimize the risks.

Quantum computers will open opportunities to solve problems in biometrics, drug synthesis, financial modeling, and weather forecasting, among other areas, according to Trust Stamp. But they will also be able to decrypt most of the encryption systems used to secure the internet and protect data today.

While experts expect quantum computers will not be able to scale to defeat such systems for at least another ten years, the white paper claims, entities should address “harvest now, decrypt later” (HNDL) attacks proactively.

Through an HNDL approach, an attacker could capture encrypted data pending the availability of quantum computing-enabled decryption. It is worth noting that this cyber threat would be heavily resource-intensive to perform. Such an attack would most likely only be feasible for a nation-state and would target information that would remain extremely valuable for decades into the future.

Still, HNDL is an especially concerning threat for biometric PII, due to its relative permanence.

Certain data encryption methods are particularly vulnerable. Asymmetric, or public-key cryptography, uses a public and private key to encrypt and decrypt information. One of the keys can be stored in the public domain, which enables connections between “strangers” to be established quickly.

Because the keys are mathematically related, it is theoretically possible to calculate a private key from a public key. While conventional computers are not able to perform these calculations, quantum computers can solve problems such as factoring integers through Shor’s algorithm, rendering all public key cryptography (PKC) systems insecure.

Passkeys, digital signatures and digital certificates could potentially be decrypted after quantum computing scales, posing a risk to biometric systems that use them for verification.

Symmetric, or secret-key, encryption and hash functions will generally maintain their security, the white paper says. Symmetric encryption uses one key to encrypt and decrypt information and is often used between two parties with a well-established relationship, such as in mobile communications and banking links.

Hash functions produce unique outputs from any given input. Changing the input at all will result in a completely different hash value. Hash functions are also irreversible. Hashes are often used to verify that data has not been altered or to check digital credentials. Wicket’s biometric ticketing system, for instance, stores and compares hashes derived from biometrics to authenticate attendees instead of the raw data itself. Other biometrics providers working with hashing include Keyless and ZeroBiometrics.

Specifically, AES symmetric encryption with larger keys and SHA-2 and SHA-3 hash functions with larger hashes will “generally remain secure,” the white paper reads.

Quantum-resistant algorithms will avoid vulnerabilities like using a key size that is too small or an algorithm that can be represented by a finite group.

NIST has been running a competition to evaluate and standardize new quantum-resistant public-key algorithms. Google has also proposed a quantum-resilient algorithm of its own.

The U.S. government has also already taken steps to mitigate HNDL risks. In May 2022, the national government issued a mandate to all federal agencies with sensitive data to deploy symmetric encryption systems to protect quantum-vulnerable systems by the end of 2023.

Trust Stamp suggests that biometrics can be protected from quantum computing decryption by converting biometric templates to a token that can be canceled and updated. Raw biometric features should not be stored.

Not coincidentally, Trust Stamp’s Irreversibly Transformed Identity Token IT2 is a protected biometric that can be revoked. There is no function that can recreate it and most of the original information is discarded.
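The cancel-and-update property described above, shown with a generic sign-of-random-projection transform. This is an added example, not Trust Stamp's IT2 algorithm or code from the white paper; the seed labels, vector sizes, match threshold and constructed feature vectors are all assumptions.

```python
import hashlib
import random

DIM, BITS = 64, 256   # feature-vector length and token length (illustrative sizes)
THRESHOLD = 40        # max differing bits accepted as a match (assumed, untuned)

def make_token(features, seed: bytes) -> int:
    """Keep only the signs of BITS pseudo-random +/-1 projections keyed by seed."""
    if len(features) != DIM:
        raise ValueError("unexpected feature length")
    # SHAKE-256 (SHA-3 family) expands the revocable seed into the projection signs.
    stream = hashlib.shake_256(b"cancelable-demo|" + seed).digest(DIM * BITS // 8)
    token = 0
    for row in range(BITS):
        acc = 0.0
        for col, value in enumerate(features):
            idx = row * DIM + col
            sign_bit = (stream[idx // 8] >> (idx % 8)) & 1
            acc += value if sign_bit else -value
        token = (token << 1) | int(acc >= 0)   # magnitude is discarded
    return token

def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")

def matches(enrolled: int, probe: int) -> bool:
    return hamming(enrolled, probe) <= THRESHOLD

def constructed_features(person: int, capture: int = 0):
    """Constructed stand-in for an extractor's output: stable part plus capture noise."""
    base = random.Random(person)
    noise = random.Random(1000 * person + capture)
    return [base.gauss(0, 1) + noise.gauss(0, 0.05) for _ in range(DIM)]

def demo():
    seed_v1, seed_v2 = b"tenant-42/user-7/v1", b"tenant-42/user-7/v2"  # hypothetical labels
    enrolled = make_token(constructed_features(1, 0), seed_v1)
    same_person = make_token(constructed_features(1, 1), seed_v1)
    other_person = make_token(constructed_features(2, 0), seed_v1)
    reissued = make_token(constructed_features(1, 0), seed_v2)  # after revocation
    return {
        "genuine": hamming(enrolled, same_person),
        "impostor": hamming(enrolled, other_person),
        "old_vs_reissued": hamming(enrolled, reissued),
    }

if __name__ == "__main__":
    print(demo())
```

Only the token and the current seed version need to be stored; rotating the seed yields a token that no longer matches the revoked one, so a captured token cannot be replayed against the reissued enrollment.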

Dr. Niel Kempson, Trust Stamp’s executive advisor on technical capability, said that IT2’s algorithm “is quantum-proof by design. If an enterprise or NGO is implementing or reviewing a biometric system today, it should actively look into the HNDL risk. It makes no sense to implement or maintain technology that will probably be unusable within the next decade, implicitly gambling on future solutions with unknown complexity and cost.”

Trust Stamp has also announced that ManTech, an intelligence platform provider for the federal government, will integrate Trust Stamp’s identity authentication as part of a teaming agreement.
