Quantum computers pose a unique threat to many aspects of modern information technology. In particular, many cryptographic systems may be at risk of compromise in the event that a malicious actor comes into possession of a capable quantum computer.
Mastercard intends to stay ahead of the game in this regard. It has launched a new contactless credit card that it says is impervious to certain types of quantum attacks.
Hack-proof?
The card is based on new industry standards from EMVco, a technical body working in the secure payment space. Known as the EMV Contactless Kernel Specifications, they outline functionality for payment devices such as ATMs and point-of-sale terminals to process transactions. The specification includes a new “Secure Channel” method of communication between card and reader that aims to protect against common attacks such as eavesdropping, relay and man-in-the-middle attacks. The new cards are intended to be compatible with existing payment hardware out in the field.
However, the main highlight of the new cards is how they work, cryptographically speaking. Traditionally, payment card systems have relied on public key cryptography, using methods such as the ever-popular RSA algorithm. As explained in our public key encryption primer, the theory is simple. A private key is two prime numbers, and the public key is their product. Encrypt a message with the public key, and it can only be decrypted with the prime numbers in the private key. The problem for attackers is that even if they know the public key, it is very difficult to figure out the private key, simply because it is difficult to find two large prime factors of an even larger number.
That is, unless you have the help of a quantum computer. A quantum computer with a sufficient number of qubits can run Shor’s algorithm to quickly find prime factors of very large numbers. This can be used to reveal the private key for a wide variety of encryption algorithms. This would open up everything from the world’s financial systems to encrypted documents from governments and companies worldwide. The one advantage we currently have is that there is no quantum computer yet with enough entangled qubits to break our commonly used algorithms. However, experts believe that it is only a matter of time, and even the US government is quickly moving to alternative quantum-safe encryption methods.
Mastercard’s new plastic will thus shift to new algorithms that it says are “quantum resistant”, and thus not susceptible to these attacks. This will also involve the use of longer key lengths to further increase the robustness of the encryption method. However, ease of use is also important, so the new system will keep the authentication process under 0.5 seconds.
Interestingly, the documentation from EMVco indicates that the new cards will include Elliptic Curve Cryptography (ECC) for authentication purposes. Traditional ECC is not actually considered quantum secure. In fact, for the key lengths currently in common use, ECC is probably slightly easier to break than RSA with a quantum computer.
So it could just be marketing hype from Mastercard. It would seem foolhardy for one of the world’s largest payment processors to roll out new technology that was already known to be unable to solve the stated problem. Instead, it may be more likely that Mastercard uses a new variant of ECC that is potentially secure against typical quantum data attacks. Various ideas have sprouted in this area, although some have recently proven unconvincing. Maybe they focus on another algorithm but will also support ECC. But how to stop degraded attacks?
Overall, it’s a good thing that companies like Mastercard are already working on quantum security. After all, rolling out such infrastructure takes a lot of time. Additionally, once a quantum computer is up and running into the hands of a malicious actor, it will be far too late to act. But at the same time, new encryption methods must be thoroughly explored to ensure that they actually deliver the security we need them to have. We hope the new cards have been subject to such due diligence.
Header Image: “Credit Card with Money Ver3” from ccPix.com
