Quantum computers present a unique threat to many aspects of modern information technology. In particular, many cryptographic systems could be at risk of compromise in the event a malicious actor came into possession of a capable quantum computer.
Mastercard is intending to stay ahead of the game in this regard. It has launched a new contactless credit card that it says is impervious to certain types of quantum attack.
The card is based on new industry standards from EMVco, a technical body that works in the secure payment space. Known as the EMV Contactless Kernel Specifications, they outline functionality for payment devices like ATMs and point-of-sale terminals to process transactions. The specification includes a new “Secure Channel” method of communication between card and reader that aims to protect against common attacks like eavesdropping, relay, and man-in-the-middle attacks. The new cards are intended to be compatible with existing payment hardware out in the field.
The main highlight of the new cards, though, is in how they operate, cryptographically speaking. Traditionally, payment card systems have relied on public-key cryptography, using methods like the ever-popular RSA algorithm. As explained in our public key encryption primer, the theory is simple. A private key is two prime numbers, and the public key is their product. Encrypt a message using the public key, and it can only be decrypted with the prime numbers in the private key. The problem for attackers is that even though they know the public key, it’s very difficult to figure out the private key, simply because finding two large prime factors of an even larger number is hard.
That is, unless you have the help of a quantum computer. A quantum computer with a sufficient number of qubits can run Shor’s algorithm to quickly find prime factors of very large numbers. This can be used to reveal the private key for a wide variety of encryption algorithms. This would crack open everything from world financial systems to the encrypted documents of governments and companies around the globe. The one benefit we currently have is that no quantum computer with enough entangled qubits yet exists to break our commonly-used algorithms. Experts believe it’s only a matter of time, however, and even the US government is rapidly moving to alternative quantum-secure encryption methods.
Mastercard’s new plastic will thus shift towards new algorithms it says are “quantum-resistant,” and thus not subject to these attacks. This will also involve the use of longer key lengths to further increase the robustness of the encryption method. Ease of use is also important, though, so the new system will keep the authentication process to under 0.5 seconds.
Interestingly, the documentation from EMVco indicates that the new cards will include Elliptic Curve Cryptography (ECC) for authentication purposes. Traditional ECC is not actually considered quantum-secure. In fact, for the key lengths currently in common use, ECC is likely slightly easier to break than RSA with a quantum computer.
So it could just be marketing bluster from Mastercard. It would seem foolhardy for one of the world’s largest payment processors to roll out new technology that was already known to be incapable of solving the stated problem. Instead, it’s perhaps more likely that Mastercard is using some new variant of ECC that is potentially secure against typical quantum computing attacks. Various ideas have sprouted in this area, though some have recently been proven insecure. Maybe they are focusing on some other algorithm, but will also support ECC. But then how to stop degrade attacks?
Overall, it’s a good thing that companies like Mastercard are already pursuing quantum security. Rolling out such infrastructure takes plenty of time, after all. Plus, once a quantum computer is up and running in the hands of a malicious actor, it will be far too late to act. However, at the same time, new encryption methods must be rigorously explored to ensure they indeed deliver on the security we need them to have. Here’s hoping the new cards have been subject to such due diligence.
Headline image: “Credit Card With Money Ver3” from ccPix.com