Interview: 'Cyber wars' veteran Phil Zimmermann talks quantum-proof encryption and backdoors

'If the NSA tells you to get ready for quantum computers then you'd better get ready'

When is a backdoor not a backdoor? When a government says it's not. Australia's minister for law enforcement and cybersecurity Angus Taylor wants to "collaborate with the telcos and the tech service providers" so they will "give access, where that's possible, without creating new weaknesses". He rejects the claim that this amounts to a backdoor or a special key, which raises the question as to how encrypted communications could be made to be open to inspection.

For Phil Zimmermann it must feel like Groundhog Day. Or maybe Night of the Living Dead. No matter how many times they are seemingly killed off by people who actually know what they're talking about, zombie ideas about giving law enforcement special access into secure communications just keep lurching back to life.

In the 1990s Zimmermann drew the ire of the US authorities when he released his Pretty Good Privacy (PGP) public key encryption algorithm free of charge in an effort to fight government surveillance. As a result he promptly found himself indicted for violating the Arms Export Control Act, encryption software being viewed at that time as a weapon. The charge hung over him for three years before it was finally dropped.

He has no regrets: "It was actually a lot of fun, you know. It was the crypto wars, everyone was getting involved in that."

He has not lost any of his zeal for going after government and corporate surveillance either. Currently teaching cryptography at Delft University in the Netherlands he has just joined private search engine and email firm Startpage.com to help it develop its encrypted products and services. Startpage.com's search engine runs queries on Google but wraps them in a layer of encryption so the searcher remains private. This was the main attraction, he told Computing.

"We are so tracked by companies that prioritise customer data and we sell our privacy so readily. Facebook is probably the most egregious but Google does it too. So if there's something that can hide data from Google then that's a worthwhile thing. I found that attractive."

And it's not just companies, of course: "Intel agencies soak up vast amounts of data on all kinds of people. They don't just go after selected targets, they scoop up everything. So it's a good idea to encrypt your email."


But back to the zombies. Communications networks are under attack like never before from sophisticated criminal networks and nation states, and yet governments are perpetually trying to weaken encryption for their own short-term or limited ends. Unfortunately, one group cannot have privileged access for long before others crack the secret - witness the sale of NSA zero-day exploits by Shadow Brokers, a hacking group suspected of having connections to the Russian state. This subject clearly animates Zimmermann's inner streetfighter and he's more than willing to man the barricades once again.


"We are under siege. Foreign intel agencies are getting into everything and sometimes those foreign intel agencies are run by criminals. Some countries are literally run by crime families. You have incredibly sophisticated criminal organisations that are backed by governments and who have thousands of engineers working day and night. This is not the time for the local cops to tell us we shouldn't have locks on our doors."

It's understandable that the authorities dislike the barrier that encryption presents when tracking crooks, but to focus on that battle is to lose sight of the wider war, he said.

"It's impossible to keep out the real bad guys when there's a backdoor. The cops are saying 'hey we don't want you using strong locks any more'… Excuse me I'm trying to survive here! I'm leaning against the door with all my might and I can hear the sound of bullets hitting the door and you're telling me to relax and leave the door open for them? Forget that! You should be on my side. Don't help the bad guys. Whose side are you on?

"I think sometimes law enforcement lose sight of the big picture of national security because they focus too much on the immediate needs: they're trying to catch a bad guy and he's using encryption, then they want everybody to stop using encryption. But if you put a backdoor in everyone is affected and national security suffers."

The quantum menace

Politicians and intelligence agencies aren't the only worry for those who think strong encryption is a good thing. There is a very real technological threat too, one which may arrive sooner than most people think: quantum computing.

"I used to think it wasn't feasible," said Zimmermann. "But now I do. Now you have the NSA and NIST [US National Institute of Standards and Technology] warning everyone to get ready for quantum computers. If the NSA tells you to get ready for quantum computers then you'd better get ready."

When (and it is when rather than if) they arrive, many areas will of course benefit from quantum computers. Their ability to perform calculations in parallel will mean that many currently intractable problems in the sciences and medicine can find solutions. However, the public key cryptography of which Zimmermann was an early populariser will be as effective as wet tissue paper against the might of the new computing paradigm.


"A lot of cryptographers are worried about this," Zimmermann said. "It breaks all the public key algorithms that we use today. All of the currently widely deployed public key algorithms can be broken by quantum computers. And I mean really break them, break them fast."

In the face of this urgent problem, NIST is running a beauty contest to pick promising quantum resistant replacements for the algorithms that will soon be rendered useless. Whichever candidates they select, though, some serious work will be required before they are suitable for protecting everyday data and communications.

Most quantum-proof approaches involve some extremely complex mathematics. These days, Zimmermann confessed, he sometimes has to consult his students when assessing the most promising approaches.

"I can explain Diffie-Hellman to anyone but the math [of the new approaches] is really difficult to follow for me. There are some math students who I guess can do it but I'm not that good."

Some candidates submitted to NIST are old algorithms revisited in the light of the quantum threat while others are relatively new. Some are based on coding theory such as McEliece and others depend on lattice theory. In the latter class, Zimmermann mentions Kyber and NTRU.

Diffie-Hellman itself has been upgraded for the post-quantum world in the form of supersingular isogeny key exchange, but that is still very new, said Zimmermann.

"I think it will have to wait behind the line for a little while before we choose to deploy it."

The main issue with most of the new approaches is creating manageable cryptographic keys, he explained.

"The keys are so large for some of these approaches that it's difficult to use them."