HTTPS crypto’s days are numbered. Here’s how Google wants to save it

Coming to a browser near you, new, post-quantum crypto.

Dan Goodin

Christiaan Colen

Like many forms of encryption in use today, HTTPS protections are on the brink of a collapse that could bring down the world as we know it. Hanging in the balance are most encrypted communications sent over the last several decades. On Thursday, Google unveiled an experiment designed to head off, or at least lessen, the catastrophe.

In the coming months, Google servers will add a new, experimental cryptographic algorithm to the more established elliptic curve algorithm it has been using for the past few years to help encrypt HTTPS communications. The algorithm—which goes by the wonky name "Ring Learning With Errors"—is a method of exchanging cryptographic keys that's currently considered one of the great new hopes in the age of quantum computing. Like other forms of public key encryption, it allows two parties who have never met to encrypt their communications, making it ideal for Internet usage.

Virtually all forms of public key encryption in use today are secured by math problems that are so hard that they take millennia for normal computers to solve. In a world with quantum computers, the same problems take seconds to solve. No one knows precisely when this potential doomsday scenario will occur. Forecasts call for anywhere from 20 to 100 years. But one thing is certain: once working quantum computers are a reality, they will be able to decrypt virtually all of today's HTTPS communications. Even more unnerving, eavesdroppers who have stashed away decades' worth of encrypted Internet traffic would suddenly have a way to decrypt all of it.

Unlike today's Diffie-Hellman key-exchange method or the RSA and elliptic curve cryptography crypto systems commonly used to encrypt Internet communications, Ring Learning With Errors, or Ring-LWE for short, has no known weaknesses to quantum computing. So over the next year or so, Google plans to combine it with the current algorithms it uses to see how it performs in real-world environments.

"Our aims with this experiment are to highlight an area of research that Google believes to be important and to gain real-world experience with the larger data structures that post-quantum algorithms will likely require," Google software engineer Matt Braithwaite wrote in a blog post published Thursday.
Ring-LWE will be intermingled with current key exchange methods in a way that would require an attacker to defeat both algorithms before the underlying communication could be decrypted. That means communications enabled with the experimental Ring-LWE are no more vulnerable than they would otherwise be. For the time being, the algorithm will be used sparingly on select Google domains, and then only when end users connect using Chrome Canary, a version of Chrome that's intended to be used solely for testing purposes. Canary users can tell if their HTTPS connection has been secured with Ring-LWE by viewing the browser's security panel and looking for the string "CECPQ1" under the key-exchange heading.

Braithwaite said the field of post-quantum cryptography is rapidly developing and referred readers to three recently published research papers (here, here, and here). These papers contribute to the growing body of knowledge involving quantum-resistant algorithms. Given the flux, Google's use of Ring-LWE should be seen as proof-of-concept method that stokes further inquiry rather than a finished product.

"We explicitly do not wish to make our selected post-quantum algorithm a de facto standard," he wrote. "To this end we plan to discontinue this experiment within two years."

Post updated to change headline.