Fintech looks to quantum-proof its assets
VeroWay is working to make its public key infrastructure and communications safe from the threat of quantum computers
No one knows when the first quantum computer capable of cracking today's commonly used encryption algorithms will arrive, but it could be sooner rather than later.
Back in 2020, Google CEO Sundar Pinchai estimated that a device able to break current asymmetric cryptosystems in minutes will likely be realised in five or ten years. If he was right, then the window for action has narrowed to a possible three years. But no-one really knows.
The real worry is that a device that could break the RSA and elliptic curve-based encryption that protects almost all traffic across the web today will be achieved out of sight, in the secret laboratories of a nation state. Once that happens all bets are off.
Last November, the US Office of Management and Budget, released a memo detailing plans to "prioritise the timely and equitable transition of cryptographic systems to quantum-resistant cryptography."
Moving towards quantum-proof alternatives to RSA and elliptic curve became a little easier after the US National Institute of Science and Technology (NIST) finally announced the winners of its post-quantum (PQ) cryptography competition last summer. But these are not drop-in replacements, meaning that old and new will have to live side by side until the time comes to switch over, or PQ cryptography will be built on top of the existing infrastructure.
The perceived complexity, together with the unknown timescale, is leading some organisations to put off the day of reckoning.
However, there are those whose size, sector or risk profile tilts the balance towards acting now. One such company is Swiss-based fintech firm VeroWay, which provides what it describes as "dynamic alternative core banking and digital fulfilment software solution," meaning a digital wallet platform for fiat and cryptocurrencies.
"As a leader for secure wallet technology and digital fulfilment, we recognise the urgent need to maximise security of digital asset storage and transactions," said CTO Sean Prescott.
VeroWay is working with California-based quantum security company QuSecure to enhance the algorithms used in its public key infrastructure (PKI). "Specifically, we're using QuSecure's post-quantum resilient keys for quantum entropy while generating additional public/private-pairs to protect our user's digital-asset vaults," Prescott told Computing. "With QuSecure's solution, we can ensure that the randomness has an unprecedented entropy that ensures that we adhere to the standards of RSA, but feed the system with the appropriate key strength and quantum safety."
VeroWay claims 15 million registered users, each with a digital vault that allows them to manage their digital assets from anywhere in the world. These vaults are protected using RSA cryptography, enhanced to increase the key size, and the company is using a quantum random number generator from QuSecure to "layer another PKI over the existing one".
It is also moving to quantum-proof the traffic between user devices and vaults by implementing a quantum-proof VPN based on QuSecure's quantum-resistant encryption software QuProtect.
"On the human-to-machine side, QuProtect allows for every connection—desktop, mobile, etc—and session to be wrapped into an additional post-quantum protected Q-VPN session, which is further protecting any and every transaction and interaction with our infrastructure from any potential attackers," said Prescott.
"Over the next weeks, VeroWay and QuSecure will be generating millions of new and additional keys to further shield our segregated and self-custody digital asset vault system. This will essentially build a ‘quantum shield' around our entire infrastructure.
"We're doing it in a way that doesn't replace or break our currently established and patent-protected VeroWay platform infrastructure, but instead enhances it to being the first and only neo-banking infrastructure platform with post-quantum protection and security."