Are you Y2Q ready?

Y2Q, acronym referring to concerns quantum computers could break current encryption techniques. Here's re-introduction to a Nordic free of charge "Data Encryption" servitization sprint for improving your encryption services and capabilities - with a quantum twist.

Nordic pro bono catalog, which you can find in article form here and video form here, offers free of charge servitization projects for independent xSPs to refine their offerings. One of them is for data encryption, simply called "Data Encryption". Here's the context and how the sprint could help you mitigate Y2Q, or Year To Quantum, with your services.

While end customers might benefit from some of the sprint deliverables, best suited for them are briefings on quantum, FHE and generally available technology. Replacing traditional HSMs could be common to both xSPs and customers within the financial services.

The long encryption story short

Things that come with digitalization are new to humanity. There simply aren’t analog representations, and that may be the profound underlying reason why organizations struggle to adopt them. For one underlying aspect of digitalization, data economy and cloud, long cultural history exists - encryption. See video on history of encryption here.

It dates back to ancient Egypt where solving encrypted texts is assumed to have been leisure time sport. Arab mathematicians like al-Khalil and al-Kindi wrote down the principles already in the 8th and 9th century. Contrary to computing, encryption advanced much during the Middle Ages and Renaissance with works of Alberti, Vigenere and other polymaths.

A fascinating story in the history of encryption is the Voynich Manuscript. Carbon dated to early 15th century, even nation state backed researchers have been unable to decipher what the manuscript is about. What we do know it is not just random words and that is written in an unknown script. It has a lot of strange pictures and diagrams. There is a consensus it is an encrypted document, so secrets therein have been protected for 600 years.

Part of Voynich Manuscript. The original is stored in Yale University.

And secrets we need. Companies have fundamental unfair advantages such as expertise on process, product or clientele. If they are exposed, the damage can’t be repaired, milk has already spilled as someone else can learn them. Governments have secrets as well, their reputation and prestige to protect and wars have been waged because of them. This applies even, or probably especially, if data is in the cloud. Or in several clouds.

The Y2Q dilemma

With Y2Q, observers most commonly mean adoption of quantum computers and algorithms therein could break the existing cybersecurity infrastructure. It relies on encryption technology which protects you with so complex calculations that the typical adversary isn't capable to solving in required time and thus not be able break into your systems.

If adversary has a quantum computer million times or more powerful, those assumptions of current existing cryptographic protections are no longer valid. You might have been told so-and-so algorithm takes million years to break with contemporary computers, that could be only a year with a quantum one, or 30 days with 10 quantum computers.

It is quite a challenge someone could possess such capability that any data or secret for accessing data could be deciphered with quantum computers. Here's three:

1. You need quantum safeties way earlier than quantum computing adoption, and that's what some customers are doing. This is because when/if quantum computers come widely available, the adversaries also get access to them, probably instantly.
2. It's not only some distant future problem you could consider fixing. The adversary might have already stolen your encrypted data, and waits for access to quantum systems and algorithms to then break today's encryption. You might not care what happens to data 10 years old - well, social security numbers don't change. Or the receipt how Coca-Cola is made.
3. Y2Q is not about a mere patch or upgrade, since it involves most what we use currently - it's a systemic phenomena just like Y2K (Year Two Thousand) was - hence the acronym Y2Q.

A corollary is that even if you witness now or in the future access to cloud based quantum computing, quantum technology might not be that freely available in the same fashion than traditional computing. There are nation state control interests, for both fighting cybercrime and for geopolitical reasons.

So, when is it? Cloud Security Alliance has actually set the deadline to April 14, 2030 when a quantum computer can break present-day cybersecurity infrastructure. However, Y2Q should not be understood as a definite timeline like Y2K was. A reference point for urgency is White House's National Security Memorandum from January this year, insisting an assessment and plans for quantum compliance, with timeline almost immediately.

Y2Q as a campaign, program priority elevation headline

There is an article in Wikipedia describing the several approaches to post-quantum cryptography. There is hope, at least against the back drop of foreseen quantum computing technology, mere increasing key size seems to be a good choice. However, the article ends in stating the obvious - how are the additional protections applied to current existing systems?

Providing the quantum patches fixes, even just patching all the systems providing encryption, would be a significant and costly task, let alone if we interpreted Cloud Security Alliance's deadline of April 14th, 2030 as "everything must go before that date".

While trying to justify technology refreshes with just scares might not work in most organization cultures, take Y2Q as a compelling event. Encryption comprehension such as key management, certificates and their lifecycle and algorithms compliance are development areas for many customers. Y2Q could be a soft and effective means to elevate the priority on encryption, to drive upgrades or to sell budget.

Obviously, there are other encryption developments set in motion at the same time. Nation states such as the U.S. via DARPA is investing into FHE, or fully homomorphic encryption, where the objective is to make possible processing of encrypted data without decrypting it. You may want to address that and other crypto developments as well.

"Data Encryption" servitization sprint

We offer in small scale a collaborative servitization project for data encryption services. Priority is given to Nordic organizations, with an alignment necessary before entering into the exercise. The accent is on formal document creation, so that the classic marketing mix 4Ps/7Ps are addressed and that a simple service catalog can be presented to stakeholders. Deliverables include:

• a requirements specification
• service or service catalogue description
• value proposition summary, presentation for sales and video out of the value proposition
• GTM Go To Market plan
• visual theme suggestion
• agreed work on demand generation (see next chapter)

Services suggested and defined in the sprint would be ceremonially approved afterwards by you. They would likely include (your) non-recurring consultative offering to end customers to draw a roadmap and to provide training. Someone needs to lay out customer's encryption and Y2Q journey, that would be you.

An ongoing key management service and a key storage capacity service would be there. Your key management service would probably extend to public cloud virtual HSMs such as Azure Key Vault. Service-on-service arrangements where you offer services on top of others' services, for example from the public cloud are possible and even likely topics.

For a halo product, multiparty analytics environments where several customers could come with their data or their models to collaboratively enrich and get to results otherwise not attainable are also possible targets, and Intel would have experience on them. Check out our SGX technology for the data in use piece which is used in i.e. federated learning systems. Your SGX based service could also be used as an off-chain execution asset in blockchain applications.

Your value proposition could include that your services or the co-operation between you and the end customer then mitigate the effects of Y2Q, or you might just offer manpower, project management or QA for Y2Q projects.

To boldly go where no encryption service has gone before

Most of this sprint goes to reviewing your quite technical service description(s) and review the details around it. Second item would to discuss the go to market, as in to whom the services are sold, which are the beachhead customers and what promotion looks like.

For demand generation aspects are creation of a flyer (if required), sales presentation and video out of it. If you have comms department or external party already providing video content, we can leave that effort to creating a storyboard. Finally, we can draft a customer survey or interview a small number of potential customers (interviews are preferred).

The storytelling, striking visuals and universe building is getting more and more important, and bolder. Typically keys and locks are visual choices for data security solution area, how about using Japanese manga or anime for a change?

Intel's Project Amber (which is now available and renamed Intel Trust Authority Service) has direct relevance on encryption services, more about it here. For signup and other inquires, drop me a line here in InMail or business email. Have an amazing rest of the weekend!