This article is more than 1 year old

Why is IBM selling post-quantum crypto when it's still a pre-quantum company?

We answer today's burning question: should YOU buy an IBM z16?

Opinion IBM's most exciting mainframe yet, the  z16, is finally here.  Just three years after the z15, at this rate IBM has until 2212 to buy the z80 trademark from Zilog.

It's good for hybrid cloud, apparently, but the two main advances are real-time AI fraud detection, and "industry-first" quantum-safe cryptography,  the stuff that even pesky quantum computers can't crack.

Hold on a qubit. IBM is also pouring billions into exactly those quantum computers, also majoring on real-time fraud detection and cryptography, which means it's squaring off against itself. That might concern investors or customers making strategic decisions, but calm yourselves. Quantum computing doesn't do anything useful yet, nobody can give you a firm date when it will, and it's not as if IBM spaffing billions on a moonshot project  means you'll ever get to the moon. Wait and see. It might be a while. 

You only have to wait until the end of May to buy a z16, take it home, plug it in and start using it. (Just kidding. It's a mainframe. You can't do any of those things, especially not just buy one. Have you seen the forms? [PDF])

Hey crypto... it's the future

As an El Reg reader, you probably won't be swayed by the real-time AI fraud detection. The quantum-safe cryptography? That's more intriguing. 

Also known as post-quantum cryptography or PQC, it's something you need to know about. IBM's claim that this is an industry first is arguable – practical ways to use PQC have been around for a few years now.

The need for PQC is simple. Everyday cryptography relies on keys built from prime numbers that can't be reversed by brute force using conventional computers. The mathematics is clear.  But the math also says that QC can decompose numbers to their primes quickly enough to be useful. Maybe not today, maybe not tomorrow, but soon. When it does, the security that secures the entire Internet won't be safe. We need different math, and PQC is just that. 

The favorite flavor, and the one IBM is using, is called lattice-based cryptography or LBC and it involves having an enormous multidimensional haystack of points in which you hide your digital needles.

There is no quantum magnet to yank those needles out; you need a mathematical map (the actual math is a little more involved.)

This stuff works. So why aren't we using it yet, and why does IBM think we should? 

The first answer is simple: we should be using it. Even if it's years before QC breaks today's codes, there are plenty of people snooping on and storing transactions right now in preparation for that future. We're not using it for three reasons: there are no standards, there are no standards, and there are no standards. The US National Institute of Standards and Technology is on its third round of evaluation for PQC and is expected to pronounce the standard between 2022 and 2024. 

The winning standards for key and signature generation will have to be practical and proven secure, and these are hard targets. It's no good having proven secure systems that take too long, too much power or too much overhead to implement in mobile devices. And while there are candidates that look as good as, or even better than, the current non-PQC options, it's not certain they're safe. But we're almost there: LBC has been known since the 1990s, a very great deal of work has been done on efficiency, use of accelerators and software/hardware co-design. It will be here, and it will be before QC gets its act together. 

That's how. But why?

That's the easy bit. It's harder to know why IBM has chosen now to put it into its z16. If the mainframe is Alice, who's Bob? Cryptography that lives in only one place is only good for protecting data at rest, and the real need for PQC is data in flight.

If your encrypted data at rest is compromised, how safe are your keys? Data in flight doesn't have that issue. It could be that IBM is trying the traditional trick of putting an implementation of a non-standardised technology into the field in the hope of forcing the hand of the standards makers, but if that worked with mainframes we'd all be speaking EBCDIC.

So if it doesn't do much for you or just about anyone right now, why is it there? CFAAST - Cryptographic Fear As A Sales Technique. You've got to feel a little sorry for Big Blue: it puts in a very great deal of engineering work into maintaining its position as world leader of mainframes, but it's only competing in that category against itself.

What high performance system these days isn't a huge sea of cores, superfast interconnects, with lashings of screamingly swift memory and fat fast networking to fat fast storage?

IBM has to keep its z/OS customers on board and sell them new kit, even if it is hard to distinguish between carrots and sticks. Yes, oh mighty CEO, our hybrid cloud strategy is now post-quantum secure. You don't want it to be vulnerable to scary quantum computing, do you? 

Thus, dear reader, while you can and should be boning up on lattice PQC, I can confidently advise against buying a z16 for the job. Even if it is first. I know, I'm sad too. ®

More about

TIP US OFF

Send us news


Other stories you might like