Unpredictability in cybersecurity

From emails to communication on our mobiles, from secure access online to digital cash, cryptography plays an essential role in all parts of our connected lives. To assure no data ends up in the wrong hands, you need three ingredients to secure your information. First, you need an algorithm that converts your message into a string of apparently meaningless characters. However, given that all our browsers and applications use the same algorithms, we need a second ingredient to make security possible: a way to generate secrets in form of unpredictable random numbers. The goal of these random numbers is to get them mixed with the algorithm in such a unique way that nobody else can recover the information, unless they have the exact same random numbers. Thus, this quickly brings us to the third ingredient: a mechanism to share these random numbers with just the intended recipients, and nobody else.

When is random truly unpredictable?

This is a tough one. The truth is that, unfortunately, most of the sources of random numbers that we have been using for decades aren’t truly random. For example, there are the so-called pseudo-random number generators. These are based on the use of algorithms to produce sequences of numbers that look random. However, an algorithm is just a sequence of deterministic steps, strictly executed one after the other. This means that the random bits that are produced are completely predictable once we know the algorithm that is being used.

Another (better) way to generate random numbers is by measuring physical processes, like tossing a coin or measuring the interference of radio communications on an electric receiver. One problem with this approach is that if the process is ruled by the laws of classical physics, then the measurements that we obtain might look random, but, strictly speaking, these aren’t totally unpredictable either. Classical physics is deterministic, which means that we can predict what a given physical system will do with proper modelling and computation.

In most cases, predicting the random numbers from these classical measurements may take some doing to reverse, but in cybersecurity applications we must assume that somebody will eventually find a way to do so.

While these approaches of using pseudo-randomness and classical randomness have been broadly used so far, with new technologies on the horizon and with the massive value of data in our society today, better ways to producing random numbers are emerging, improving the guarantees we have in the process. Achieving this will help us to obtain stronger secure connectivity across our digital assets.

The answer lies in quantum phenomena 

What’s needed then is a source of true randomness that is both sufficiently scalable for today’s increasingly meshed network architectures, and fast enough for today’s increasingly high data bandwidths.

By their nature, subatomic particles like electrons and photons behave in ways that can’t be predicted. If you take two photons emitted by the same atom under the same conditions but at different times, they may exhibit different behaviors, and there’s no way to predict those behaviors ahead of time. That’s not to say any behavior is possible, but of the outcomes that are possible, we can’t predict which one we’ll get. That unpredictability is crucial for developing a truly random number generator.

Harnessing this quantum behavior of particles gives us access to true random numbers, which will not only contribute to improving today’s encryption methods, but also will enable the development of next generation encryption technologies. With higher quality and higher speed in generating random numbers there is less need to rely on the mathematical complexity of the crypto algorithms, which is a dream for many system and product developers.

Quality is key

Guaranteeing that the next generation of random number generators are truly unpredictable is essential. At Quside, we developed a methodology that we named randomness metrology. It aims exactly at measuring how unpredictable the random numbers are, in alignment with the new standards that are being developed in the field.

To put it in a nutshell, randomness is essential in any cryptographic system, and the quality and speed of these random number generators are important in a global effort to deploy quantum-safe communication networks. Quantum technologies offer a fantastic platform to meet these requirements!

For details on quantum random numbers and the future of cybersecurity read further on IEEE Spectrum.