SAN FRANCISCO—Cryptographers said at the RSA Conference Tuesday they’re skeptical that advances in quantum computing and artificial intelligence will profoundly transform computer security.
“I’m skeptical there will be much of an impact,” Ron Rivest, a MIT professor and inventor of several symmetric key encryption algorithms, said early at the annual Cryptographers’ Panel here.
Susan Landau, a professor who specializes in cybersecurity policy and computer science at Worcester Polytechnic Institute, said that while artificial intelligence can be helpful when it comes to processing lots of data effectively, she doesn’t think it will be useful in fingering out series attacks or anomalous situations.
Adi Shamir, Borman Professor of Computer Science at the Weizmann Institute, said he was optimistic about AI’s potential when it comes to defense – anything that involves finding deviations in behavior – but said he doubts it can ever be used in offensive sense, such as in identifying zero days, something he said requires more ingenuity and originality.
The discussion was steered by a report recently released by the Global Risk Institute on the emergence of quantum computing technologies. In it, the organization postulated there was a 50 percent chance that fundamental public key cryptography tools could be broken by 2031.
Rivest said that in his experience it’s tough to get a grip on how fast the technology is evolving.
“You hear of the NSA adjusting its Suite B, but quantum crypto doesn’t seem to be moving as fast as quantum computation, 2031 sounds like it’s real far off, so it’s hard to tell,” Rivest said.
Shamir wouldn’t rule out the possibility that RSA could be broken one day but was markedly less concerned.
“Quantum computers are not at the top of my list of worries,” Shamir said, “There are so many possibilities and worries, thinking about what will happen in 20 or 30 years… I wouldn’t lose too much sleep over it.”
The cryptographers touched handful of issues, including their take on the integrity of elections, hacking back, last year’s FBI vs. Apple controversy, and a recent statement by US Attorney General Jeff Sessions (R-AL) that under lawful authority criminal investigators should be able to overcome encryption.
Rivest said the comments, which to him sound like the government wants a backdoor, could have a serious implications on President Trump’s policy.
In the wake of the comments both Rivest and Landau said they were comforted by a year-end report released by the Encryption Working Group, a joint project by the House Energy and Commerce and Judiciary Committee.
Rivest said the bipartisan report arrived at a strong conclusion. He praised some of its bullet points, like how any measure to weaken encryption goes against national interest, and that how in most instances, building a secure backdoor can be exceedingly difficult and impractical.
“Encryption is a tool, we have to preserve its strength, it’s a fundamental building block of a secure internet,” Rivest said.
The cryptographers ended the panel with a series of rants and raves.
Landau said she’s been heartened by something that’s not technical in nature – the efforts companies have made towards usable security. Landau commended Duo, which has helped bring two-factor authentication to small independent businesses such as auto repair shops and hair salons. She also applauded WhatsApp for how it handles key transparency. By letting naïve users understand what’s technically happened when a device has its key changed, Landau said the company is doing a great service.
Rivest told a story about colleague in Australia who, because of draconian laws regarding cybersecurity research – some on the book, some being considered – has to do work in a public chat room in fear of being persecuted.
“Cryptography is an international endeavor, putting restrictions on research is no help to anyone,” Rivest said.
Shamir, who said he’s going to present a paper in Oakland later this year on malware spread by smart light bulbs, said the government should keep its focus on IoT security.
“The government should do something about it. It should not allow devices that are not sufficiently secure to be allowed to connect to the Internet,” Shamir said.