Digital payments: Supercomputers may not be able to guard your money

By Andy Mukherjee

As your credit card is scanned one final time this holiday season, say thanks to prime numbers for keeping the checkout queues short and your money safe. Well, most of the time anyway.

Much of the cryptography that goes into beating credit-card fraud comes down to 3,5,7 … 197, integers that can only be divided into themselves and 1. Banks randomly generate two very large primes — say, 150 digits long — and use their product to encrypt the payment authorization from the microchip of your card to the point-of-sale terminal.

Even supercomputers can’t easily decipher the original numbers because the time required to run any of the known algorithms increases exponentially with their length. A 250-digit number that was part of a 1991 factorization challenge was finally broken down into a product of two primes in 2020. On a single advanced computer running nonstop, the calculations would take 2700 years.

The Rivest–Shamir–Adleman — or RSA — private keys generated with the help of large numbers allow issuing banks to affix a unique, tamper-proof digital signature via the microchip embedded in most cards nowadays. With EMV chips replacing magnetic strips, the menace of counterfeiting has gone down appreciably. Payment scams are now more likely in e-commerce where cards don’t have to be physically present.

However, a new challenge is emerging that could begin to erode the protection offered by prime numbers, perhaps as soon as by the end of this decade.

The first hint of trouble came at the start of the millennium. A team of scientists at International Business Machines Corp. exploited the mysterious interplay of subatomic matter and energy to run calculations that would be impossible on a classical computer. Their primitive quantum computer figured out that 15 was a product of 3 and 5. A subsequent experiment in 2012 split 21 into 3 and 7.

While every middle-schooler knows how to break down small integers like 15 and 21, these were the first demonstrations of “Shor’s algorithm,” a method of quantum factorization that does not get exponentially more time-consuming as the number gets bigger. In August, Oded Regev of New York University proposed what to many mathematicians is the first substantial improvement to Peter Shor’s landmark 1994 technique. If it works, the time taken to decode complex ciphers may compress significantly.

By 2030, a $1 billion quantum computer may be able to break RSA Laboratories’ widely used 2048 bit encryption by factoring a 617-digit number in a few hours, according to a 2016 estimate by the National Institute of Standards and Technology in Maryland. NIST has come up with new protocols that will be resistant to quantum computers, but what if the threat arrives before the weaponry to ward it off has been distributed around the world?

Retail losses may be kept to manageable levels, at least for a while. But a wholesale quantum heist would be catastrophic. The security of worldwide interbank payments may be compromised if the digital signatures authorizing release of funds lose their sanctity. As for the actual stealing, scammers have a blueprint in the $81 million theft from Bangladesh’s accounts with the Federal Reserve Bank of New York in 2016.

It isn’t just the security of existing financial products that’s at stake; innovative new payment instruments will be affected, too.

Monetary authorities around the world are experimenting with paperless cash. The Bank for International Settlements estimates that by 2030 there may be 15 central bank digital currencies, or CBDCs, in retail circulation.

Tourbillon, a recent BIS project, has demonstrated that the cash-like privacy that users, particularly in the West, will expect from these instruments may be realizable. The so-called blind signature protocol, invented by privacy pioneer David Chaum in 1982, may be enough to ensure that payers don’t reveal their identities to anyone. Even the central bank will only check that the eCash that comes to it for verification has its signature and not been spent before.

Payments made using such highly private CBDCs may also be fast and able to handle peak demand. However, this is only true as long as the RSA encryption technology is strong enough to keep malicious actors at bay. Introduce quantum-safe cryptography into the equation, and the cost to users increases: A one-second payment cycle stretches to five; transactions per second drop by a factor of 200. More experimentation is needed. If it turns out that a central bank’s virtual signature on CBDC tokens is not impervious to quantum counterfeiting — or can only become foolproof by making financial transactions too slow to be of practical use — then ordinary people are going to reject them.

As the ChatGPT-induced revolution in generative artificial intelligence has shown, meaningful breakthroughs can elude a field for decades. But once they do occur, they can multiply at an overwhelming speed. Quantum computing may be no different. Prime numbers have served the internet age well, but the private sector and public authorities can no longer take their continued guardianship for granted.