How Andersen Cheng plans to defend against the quantum computer

Andersen Cheng has a way with striking and memorable analogies. “Boris Johnson‘s government is committing £1bn to building a Frankenstein’s monster,” he says. “I’m trying to build a cage without any government funding to stop it running wild.” The “monster” in question is the quantum computer, which is a hacker’s dream. The “cage” is what Post-Quantum was set up last year to create.

Cheng was born in Hong Kong but came to England to do his O-levels and A-levels. His parents sent him to a school in Devon. “They wanted me to be as far from London as possible,” he says. He duly learned to drive a tractor and milk cows, but went on to study engineering at Imperial College and do an MBA. When he started working in the City at the end of the Eighties as a “computer auditor”, there were only six portable compact computers in the whole company and disdain for the techies from people still using calculators.

Cheng became head of credit risk at JP Morgan in the midst of the dotcom bubble. He recalls how Boo.com burnt through $150m in 18 months. “There just wasn’t enough broadband speed for all those virtual mannequins spinning around,” he says. After a spell in private equity, Cheng decided to break away and set up on his own as a consultant in the fast-growing realm of cryptography, working on top secret projects for the British government. “It was so classified even the project name was secret,” he says.

Cheng came up with a surveillance-proof communication device that connected London to UK embassies around the world. At the same time he was working on surveillance equipment that could monitor satellite calls and was used to catch criminals and terrorists around the world. So, like Clint Eastwood in A Fistful of Dollars, he was getting paid by both factions: hackers and anti-hacking security. He was half-poacher, half-gamekeeper, equally adept at encrypting and decrypting. He also discovered that the drawback of coming up with a great bit of kit for the MoD is (a) you can’t sell it to anyone else, and (b) the MoD is no great hurry to pay you either.

I reckon that Cheng could have become a Mr Big of the criminal underworld. He knows exactly how to steal your identity. “It’s easy,” he says. “And if your ID is stolen it can be sold time and time again – and you become like a slave. The people who own your identity can apply for a credit card in your name anywhere in the world.”

Fortunately for law-abiding citizens, Cheng decided to do what he could to avert what he calls a “cybergeddon.” In 2018 he came to the conclusion that we are “losing the battle against the hackers”. He was sitting around with his two co-founders and one of them said, “What are we going to do about it?” To which Cheng replied, “Why don’t we try to save the world?”

They had realised that the common encryption protocol governing our computers, RSA, is extremely vulnerable to attack by quantum computers. RSA relies on it being too difficult (or too time-consuming) to factorise the product of two large prime numbers. For a quantum computer, this is a piece of cake, given that where a “classical” computer has to do its calculations sequentially, a quantum computer is capable of carrying out a billion calculations simultaneously. So it could, in theory, break into each and every computer in the world and steal all the data.

“Quantum scientists,” says Cheng, “talk up all the good things about building a QC. They have to because they’re selling their project. But they don’t know what they’re talking about.” The maths is already there to break public-key cryptography and unlock your computer. It’s called “Shor’s algorithm” (invented by the American mathematician Peter Shor). Hackers of the world are only waiting for adequate computing power to come along to stage a massive smash-and-grab.

Fortunately, you may say, the quantum computer doesn’t exist yet. But it will. Google has already claimed “quantum supremacy” (and earlier this year at Davos the head of Google, Sundar Pichai, reckoned their super computers will crack encryption in as little as five years). Microsoft and Honeywell and others are all beavering away at entangling qubits. So one fine day some computing giant will make a polite public announcement that they have cracked it? Cheng reckons that this is the least likely scenario. “It’s much more probable that it will happen behind closed doors. The first quantum computer won’t look good and it will probably break down after a few hours, but it won’t matter. As soon as it’s switched on, all the computer systems in the whole world will become vulnerable. And somebody will be able to empty all the bitcoin wallets.”

This is why he speaks about “post-quantum cryptography” and how to be “self-sovereign” (ie, in control). The mission of Post-Quantum is to protect your identity and your data, to make it “quantum ready”, and they’re already working with the likes of Barclays, Avaya and Amazon Connect. A moment of enlightenment occurred in 2014 when Cheng and his PQ Solutions team released an ultra-secure chat app – “PQ chat” – so fiendishly well encrypted it ended up on an Isis “recommended tools guide”. “It was like a terrorist Trustpilot,” says Cheng. “The counterterrorism people originally thought they were a bunch of nomads. They were amazed to discover they all had degrees. Terrorists are tech-savvy and sophisticated.” Cheng removed the app to stop it “falling into the wrong hands”. But he also realised that it had to be possible for legitimate authorities to be able to poke around in your phone conversations and messages in certain circumstances. “If you’re a murderer or a terrorist or a paedophile, you shouldn’t be able to get away with it.”

It’s not long since Apple locked horns with the FBI over access to one of their iPhones that was allegedly used in a criminal conspiracy. Post-Quantum aims to provide higher-level quantum-proof encryption, but also a system of decryption, when required. “It’s not a back door,” says Cheng. “Not even a side door. It’s a front door. You can show it to the world. It’s important you know it’s there.”

The system for keeping the bad guys out – even when armed with a quantum computer – is based on “error-correcting codes” (first developed by a CalTech professor back in 1978), meaning the code contains deliberate errors that are impossible to figure out, even if you’re fully quantum. So the same message, when encrypted, is NTS (Never the Same). It’s “semantically secure”, in Cheng’s phrase. Thus protecting privacy. Which is good for you and your data. On the other hand, letting the good guys have a peek when necessary depends on a so-called “trusted guardian”. Not Cheng. “We would know nothing. We can be trusted not to sell your data – or have it hacked – because we wouldn’t know it in the first place.” But there are keyholders, or rather “splitkey”-holders, each holding on to a fragment of the key. If a certain number (or “quorum”) agree, like the members of a round table, then it is possible to fit enough parts of the key back together again to get access. Just in case you turn out to be one of the bad guys after all. “It’s the equivalent of having a warrant,” says Cheng. “It’s important we should have one in the virtual world too.”

Post-Quantum’s identity business Nomidio is bidding to engineer the first hack-resistant, privacy-preserving “immunity passport”. And its post-quantum system is one of the finalists in a NIST (the US National Institute of Standards and Technology) competition. It will be open-source, available to be deployed widely. It’s more for Queen and country, or rather the world, than a big earner as such. “We could have gone into almost anything else if we wanted to make loadsa money,” says Cheng. “Where am I going to go? The Caribbean? I like it here.”