Cracking encryption: Lessons from a homemade quantum emulator

A homemade quantum emulator - built as a PR exercise - may have valuable implications for the infosec industry.

Advancements in quantum computing are coming thick and fast. Last Autumn, Google's announcements in the space caused a great deal of discussion - some said it had achieved quantum supremacy, others argued it hadn't -  and the debate continues to rage as earlier this month Russian scientists claimed to break their algorithm.

This is often the way with quantum computing. Dispute centres on what really constitutes quantum, the value of the basic units of quantum information (qubits)  - these aren't necessarily made equal - and the relative merits of the different vendor breakthroughs. Yet the real question is: when will it arrive in a practical enough guise to crack RSA security? As when this eventually takes place, it will slice through security standards, expose all our data and effectively break the internet. This has perhaps never been more important than today, where the physical world is in lockdown, everything is online, and security threats are ramping up in tandem.  

Recently Dan Gleason, CTO of cybersecurity startup, Active Cypher [tagline: "quantum-resilient file security for cloud"], added his voice to the quantum noise by building a very simple password-cracking "quantum emulator". Called QUBY, it cost $600 in hardware parts, took a week a build and aimed to reveal just how close the cracking of conventional encryptions such as AES/RSA could be. 

A homemade quantum emulator that can break DES

QUBY in its current form is very basic and consists of just two graphic cards in a backpack. This gives it very limited capabilities, like defeating older encryptions standards, such as DES. And as this was only a demonstration, Gleason didn't build out the features like wifi-sniffers and RFID scanners, which would make it more useful to a cybercriminal.

Despite these limitations, however, this device does show what cybercriminals are capable of making - and expanding upon - at home. And Gleason wants to take the experiment further by testing new iterations, with larger cracking powers, to better demonstrate the threat to some of today's weaker encryption schemas. The aim is to come to a more precise date of "certain encryption sunsets," he explains.

Gleason believes quantum emulators, like QUBY, are going to become very important in the near future, because they run on classical computers, and therefore skip all the problems associated with quantum hardware. This allows software to better accommodate advancements in GPU technology and therefore deliver faster processing speeds in conjunction with AI.

Future benefits of GPU-based systems quantum emulators

Gleason suggests that the problems quantum technologies face is that they're all bound by the same physical restraints of classical Newtonian physics. "Emulation software can overcome these physical constraints by creating our own software-based ‘quantum-verse'. This could be a software and GPU-based quantum emulator - perhaps into the hundreds of qubits. I also see the variety of quantum technologies evolving because not all problems are best for all devices.

"It would not surprise me to see a whole new operating system become developed, based on a hypervisor, operating entirely in the GPU and GPU memory, across very highspeed interconnects, just like a modern-day supercomputer, but at a tiny fraction of the cost," says Gleason.

Cybercriminals have access to this technology now

For the time being, Gleason believes cybercriminals "probably" are running machines, like QUBY, to decrypt pre-bought hacked data, but it is impossible to know how advanced these are and in what way they're being used. "What keeps me up at night is that data stolen today that is supposedly uncrackable can be stored, traded, and sold until it is cracked," he says.

"I'm not aware of any [kits to make machines like this] being sold [on the dark web] yet, but it wouldn't surprise me if some opportunists started to. With so much cryptocurrency mining rigs hanging around, it will only be a matter of time until someone repurposes a few for malicious purposes." 

Active Cypher has released the parts list used to make QUBY to help white hat hackers and the cybersecurity industry build their own prototypes. "The Infosec community still focuses largely on threats it has faced before and doesn't think enough about the hackers next moves," he says.

Through the process of running this experiment, Gleason has been most surprised by the interest it has generated in academic circles, which he chalks up to them wanting to "think beyond the unfortunate quarterly-centric view of the Infosec industry". 

In practical terms, Gleason concludes that the first step for businesses to ensure quantum-resilience is to encrypt all data at the file level. "Organisations are wrongly trusting full-disk encryption to protect data and comply with GDPR/CCPA yet the vulnerabilities with full-disk encryption are numerous," he says. 

"Data is everywhere today and needs to be protected wherever it goes. IT decision-makers should start taking steps in making their infosec infrastructures crypto-versatile. Security frameworks should have the ability to quickly adopt new encryption algorithms and even layer them on top of each other.  It's the ‘unknown unknowns' that will cause havoc to our industry."