Quantum Crime - A First Glance
How crime might adapt to new tools in a post-quantum world
Technology breeds crime and we are constantly trying to develop technology to stay one step ahead of the person trying to use it negatively.
— Frank Abagnale
Crime is very unlikely to ever go away. With each new waning, waxing, passing, or remaining technological trend, criminals have adapted to make use of it for nefarious purposes against their fellow man or woman.
All crime requires some kind of opportunity (though the converse, that all opportunity leads to crime, is not necessarily true). As threat models change and as new tools become available, new opportunities will emerge - and we are able to foresee at least some of them on the horizon in the coming post-quantum world.
Come with us as we explore why…
Fraud
Fraud has come a long way since the time of Hegestratos in 300BC. The Greek sea merchant died escaping the crew of his ship who had caught him trying to sink it, whilst empty, its valuable and insured cargo safely on land ready to be resold - and a loan taken out on the insurance to be kept. Quantum computers might not have helped poor Hegestratos - but modern day first party fraud need not go to such lengths and costs to swindle insurers or banks out of money.
Fraud is a crime that is old, reliable, and often profitable. It takes many forms and guises, as ‘wrongful deceit for the intent of personal gain’ is a very open definition of a whole plethora of possible malicious activities that plague everyone - from billionaires to bricklayers.
For discussing crime, it might be useful to touch upon how modern crime currently does things. The steps are roughly as follows:
The fraudster finds a way of instilling confidence that they are going to be able to deliver something that they secretly have no intention of delivering. 🗣️
They find a mark, and convince them that they should take part in this scheme as the delivery will be a “huge payoff for all!” 💰$$$💰
The mark parts with something of value - usually money - and the fraudster lingers for long enough to ensure they have as much as they can. ⏳
The fraudster disappears, along with the value they have no intention of giving back once the lie is uncovered. 🏃💨
One of the ways you can convince a mark that you can deliver on something is to forge a document (or some other contract) that attests that you already have something of value that you do not, and this is where we will start our quantum crime journey…
Quantum Forgery
The easiest way to leverage quantum computers to make quick, and multitudinous CA$H is to use the cryptography breaking capabilities that is driving billions of dollars of public and private spending into the migration towards post-quantum cryptography (PQC) - a directive from the Whitehouse no less!
So how would this work?
First, let’s discuss digital signatures. These are cryptograms that are generated by one person, call them Alice, but can be verified by anyone else, say Bob. For any given file, Alice can generate a unique string, called a ‘hash’, uniquely (mostly) for every file that Alice comes across, writes, generates, etc. Alice can then use a private key, that only Alice knows, to encrypt this hash thereby creating a digital ‘signature’ for this file, formed of a public key (related to, but different from the private key Alice used earlier) and the cryptogram string.
Bob, to verify the digital signature, can decrypt the hash with Alice’s public key. Bob can then generate the same hash of the file that was sent and can compare to see if they match. This is a digital signature verification protocol, and it’s very, very common to use these in the modern world. One industry that uses this process a lot is finance (another, not perhaps very surprisingly, being law).
But how is this digital signature secure? Well, the mathematical ‘number-search’ required to impersonate Alice is a gargantuan computational task to modern computers. So either, someone malicious completed a task that is nearly impossible, or they genuinely have the private key… we can use Occam’s Razor to trust that Alice’s signature is legitimate if it passes the check by Bob.
The mathematics that relates the public and private keys is the keystone for this whole process - it is this mathematics that says that nobody can ‘feasibly crack’ Alice’s private key knowing only their public key. But it is this mathematics that quantum computers might be able to peer into, causing many issues.
So the question of crime leads us to asking this; if I could break digital signatures, then what would be the most profitable ways to make money?
Sure, you could commit some small crime, but with quantum computers likely to remain VERY expensive, we’d better thinking big. Tinder Swindler big, perhaps?
There’s a fascinating part of this story to do with credit notes. In part of the Tinder Swindler story, various documents are used to build an illusion of credit on behalf of the women being used to facilitate theft. One way that has been touted to fix this would be to use said digital signatures - even the now-defunct always-questionable Credit Suisse has a whole document on “how to verify digital signatures in documents”, free online: https://www.credit-suisse.com/media/assets/private-banking/docs/ch/privatkunden/online-und-mobile-banking/dig-sig-anleitung-en.pdf
So what would the steps of a quantum forgery be? Let’s imagineer some crime:
I find a document that has the template I want, and remove the digital signature. 🔎
I acquire the public key of the signing authority, as I know their private key is valid given the document had it. 📜
QUANTUM TIME - I break the private key from the public key using a quantum computer to do my bidding. ⚛️
I make a fake document, and then apply the cracked private key to the hash to make my own signature - indistinguishable from a real one. ✍️
💰$PROFIT$💸
It’s remarkably a straightforward workflow, no doubt with many details, embellishments, and nuances for success that I don’t go anywhere near here. But as with most crime, success has a straightforward shape… Another common form of financial crime is called:
Money Laundering
Money Laundering is the practice of hiding the true source of money. Sold some drugs but want to buy a boat? You need money laundering. Broken some arms sanctions and sold guns to people nobody likes, but still want to be able to visit Wimbledon for the final, or Art Basel in Miami? Money laundering will be for you.
Money Laundering has three steps that are generally acknowledged, summarised as follows:
Placement - literally ‘placing’ the ill-gotten gains into something that has the ability to look legitimate.
Layering - setting up shell companies in friendly countries and moving the money round and round until only you (and your accountants) know anything about it.
Integration/Extraction) - buying a yacht🛥️/private jet🛩️/SO’s Hermès Birkin 👜/Damien Hirst Original (💎+💀) .
Money laundering is HUGE business - and to keep our kneecaps intact, we won’t say more about the manner of the business. But suffice to say that if you could utilise a quantum computer to make MORE money through ‘untraceable money movements’, then there is going to be significant interest from those in this line of work.
Quantum and Identity
Underpinning much of our digital lives is some notion of ‘digital identity’, and as you’ve probably guessed - it involves a lot of mathematics. 🧮
The mathematics of digital identity is essentially the same/very similar/close-enough-if-you-squint to the mathematics we use in digital signatures. There is some secret part and some public part and there is mathematics in the middle making sure that only the holder of the private key is the one who can perform certain actions, validated by the associated public key.
So imagine this scenario; Bank of the Future has implemented a Universal Identity scheme that allows it to provide every customer with a digital identity that can be used for making financial transfers (payments of many kinds). Lets say that this is a public/private key made by the customer in a special secure app that allows the Bank of the Future to digitally sign each customer’s public key for added verification.
This kind of digital secret sauce is remarkably commonplace, but now suppose a Quantum Criminal comes along - what can they do? Well one thing is some old-fashioned money laundering… but make it virtually untraceable!!
It would work something like this:
The criminal is given money from bribery to clean for a shady government agent.
They find the public keys of some unsuspecting customers - plural, as there are going to be many steps to wash the money through, and from as many backgrounds and countries as they can manage to find (this makes following the trail more difficult).
The criminals use a quantum computer to crack the private keys of each customer, and prepare a chain of transactions from their placement point…
The placement point is a huge discount warehouse goods company - and they issue fake ‘refunds’ to each of the customers whose keys they have cracked.
They then use the broken private keys to move the money to other offshore accounts as soon as the money clears.
They continue with their regular Layering and Integration as before.
Whilst this is a slightly contrived example, it does show that where you can compromise a public-private key pair, you usually have the potential to commit some kind of malicious, even criminal activity!
Examples of potentially vulnerable key signature schemes go far beyond regular banks, and include many blockchain technologies. Whether the price is closer to the moon or the earth any criminal would love to spend your Digital Coinz!
The theoretically linear(-ish) time that quantum computers might take to break such digital identity schemes is what makes the quantum computer valuable here. If they become workable to solve vast problems in chemistry and artificial intelligence, then they also become capable of valuable contributions to organised crime.
These classes of crimes are more overlooked from the slightly sexier crimes found in games like Grand Theft Auto or Mafia. But don’t be fooled, that doesn’t make the payoff any less valuable nor appealing to a motivated attacker.
Cryptography Doesn’t Just Apply to Data
…it applies to many modern forms of identity, too. A lot is made of the ‘Store/Hack Now - Decrypt Later’ issue with the quantum threat to cryptography. But what we have noticed is that really, this is ‘Hack Now - Crack Later’, which applies to identity and privacy, as well as data security and integrity.
If there’s one message to take away from this blog post, it’s that cryptography applies to much more than just the safe transfer of information without disclosing to a third party what is being said. Cryptography now also applies to mechanisms and protocols by which we prove who we are. Gone are the days of “two recent bank statements and a signed letter from your former Geography teacher” - for better or worse, we have placed many of our identity bets on the cryptographic horse.
There are growing ways and means of using more sophisticated and nuanced cryptographic protocols to do ever more interesting and innovative things - look at the recent explosion in MPC and Zero-Knowledge proofs coming out of Web3-metaverse-land! What many don’t realise outside of a relatively small sphere is the amount of pre-quantum preparation we are going to need to do.
Whilst the Quantum Threat is a ‘Maybe?’ with a capital ‘M’, it does point towards the need for much better practices and distributed risk across multiple cryptographic primitives, protocols, and regimes. The benefits, however, are very un-quantum - but that’s a discussion for another day.
The mathematics that underpins many of these things has a high likelihood to be based on the hardness of problems that we know (or at least, strongly suspect) quantum computers will turn out to be very good at, if we ever get them operating at large scale computations. This poses several risks and rewards to all kinds of people - but one thing that is very rarely talked about is Quantum Crime.
The Future - Fixing our Secrets with Cryptographic Agility
It would be remiss of us to talk only about a problem and not what the proposed solutions are! Indeed, scientists (mostly mathematicians and computer scientists) have been working away at creating ‘quantum secure’ or ‘post-quantum’ cryptographic systems that do not (we think/hope/may one day prove) fall victim to the quantum computer’s entangled eye!
Indeed, the US Government’s own NIST has been running a competition since 2016 that aims to scour the academic earth to find solutions to this very pernicious problem. And last year, they finally finalised new candidates for standardisation that are post-quantum safe! This is just the first small step towards a new post-quantum world… But this is far from the whole story.
You see, such has been the hubris of mathematicians and cryptographers (the latter is the name given to people who specialise in cryptography), that we have built systems that are monstrously monolithic. To give you an idea - the NSA stopped using PAPER TAPE to exchange cryptographic secret keys in just 2019(!!).
Although humorous, this example demonstrates something that is an endemic problem with cryptography - namely; many of our ‘best practices’ have been ‘best practices’ for a very, very long time. And this is bad news, because where we have a culture that treats cryptography as something that does not change very much it is very hard to then move the whole cultural and administrative mechanism towards a more agile approach - and to this, ignoring any technical issues and impediments that are almost certain to crop up along the way!
Defeating such ‘protocol ossification’ is a challenge embraced by some of the most practical and effective engineering and knowledge about internet solutions - it is worth reading Cloudflare’s account of moving to PQC, for example. But even for them, this move presents problems and challenges that are key to the broader rollout of these new cryptographic ideas and code.
And we need to do this - because we all need good cryptography before we NEED good cryptography.
We hope you found this brief exploration interesting! Subscribe and sign up for more!
“Criminals have means motive and opportunity – Heroes do too.”
— Chris Penn
— Mark C. (@LargeCardinal), Jul 2023