The Future of Cybersecurity in the Age of Quantum Computers

Round 1

Reviewer 1 Report

The author addresses an encryption-agnostic approach that can potentially render computers quantum-resistant named Zero Vulnerability Computing (ZVC). ZVC secures computers by banning all 3rd party permissions, a root cause of most vulnerabilities. The paper is well-written and it is scientifically sound. 

No new results about ZVC are presented by the authors. The paper is hard to read if you are not familiar with the author's previous work "Will Zero Vulnerability Computing (ZVC) Ever Be Possible? Testing the Hypothesis".

Therefore, is there new information about ZVC to justify a new paper? Is this paper about NIST's failure?

Author Response

Thank you very much for judging this paper as “well written” and “scientifically sound.”  Of course any new concept that bends the established rules will not be an easy read without a reference to the context. So will be the quantum-resilience of ZVC, without a familiarity with ZVC, itself. Having said that here are the answers to Reviewer 1’s two questions:

Is there new information about ZVC to justify a new paper?

Of course, there is new info, and that new info is at least as important if not more than the original ZVC disclosure itself. That new info is quantum resistance potential of ZVC that needs to be urgently investigated as an alternate strategy to deal with the potential quantum threats. The novelty of the new info is now further clarified in additional text added to Introduction and Conclusion sections and a Graphical Abstract

Is this paper about NIST’s failure?

Honestly speaking this paper would not have been conceived if NIST’s failure was not reported. It is indeed written in response to NIST’s 2^nd of the 4 selected PQCs failing after 5 years of intense investigation of 84 PQC algorithms. As Quantum Computing has already taken off in QaaS (Quantum-as-a-Service) business model (Scott Fulton III. A buyer’s guide to quantum as a service: Qubits for hire. ZDnet, May 21, 2021. Available at: https://www.zdnet.com/article/a-buyers-guide-to-quantum-as-a-service-qubits-for-hire/), the Quantum/Cybersecurity world needs to know that there is a potential encryption-agnostic method to securely access Quantum Computing services with any threats to the Internet.

In any case this paper was drafted as a “Brief Report” / “Hypothesis” category of “Future Internet’s” accepted article types (https://www.mdpi.com/about/article_types) and not purported to be a full-fledged proof-of-concept validating research.

Reviewer 2 Report

While the topic has a potential interest to readers, the paper seems to be in a conceptual stage without any proof of concept. In addition, the major portion of this paper comes from "Raheman, Fazal, et al. "Will Zero Vulnerability Computing (ZVC) Ever Be Possible? Testing the Hypothesis." Future Internet 14.8 (2022): 238." I would like to see some substantial improvement from the above-mentioned publication with some experiments and the validity of the concepts.

Author Response

Thank you for finding the topic of potential interest to readers. The author does agree with the Reviewer 2 that this work is hypothesis building research at conceptual stage, and not hypothesis validating research that presents a proof of concept. By presenting it as “Brief Report (Hypothesis)” this paper made it clear that this is not a new concept testing/validating research, which over 90% of peer-review is, and should be. But that does not underplay the importance of hypothesis building research on which almost all peer-review piggy backs. If you don’t build a hypothesis or concept methodologically, you can’t comprehensively test a hypothesis or prove a concept. More so when the subject matter is as hot as Quantum Computing. Moreover, the paper has a dedicated section highlighting the “Limitations & Caveats” of this hypothesis building research emphasizing on the conceptual stage of the research and not claiming to be an improvement on an earlier ZVC report. Moreover, substantial new text added to the Introduction and Conclusions sections brings plenty of clarity to the concept. A Graphical Abstract also provides a bird's eye view of the subject matter of the research.

Reviewer 3 Report

After carefully reading this paper, I came up with the following comments:  

 

A.      This contribution is vague and not clearly articulated. Please create a bullet point list at the end of introduction to highlight the specific contributions of this paper

B.       Please highlight the hypothesis of this work too after listing the contributions

C.       Please include a paragraph to justify how your comparative analysis of the surveyed works will led to a mature conclusion.

D.      Justification of the quantity and quality of case studies for investigating the hypothesis of this paper should be given too

E. There should be more discussion on the recent attempts in deploying f Quantum Computers in cybersecurity solutions.

Author Response

In response to Reviewer 3 comments following changes are made:

A. The introduction is edited to highlight the specific contributions in bullet points.

B. The main Quantum-resilience hypothesis is also highlighted

C. A paragraph added each to the introduction and conclusion sections of the paper presents comparative analysis vis-à-vis state of the art approach in countering quantum threats.

D. In the Limitations & Caveat section a 6^th caveat is added to satisfy reviewer comment. "Appropriate Key Performance Indicators (KPIs) should be framed to justify the quantity and quality of the case studies designed to investigate the formulated hypotheses"

E. The author respectfully submits that quantum computers are not deployed as cybersecurity solutions, instead they themselves pose as cybersecurity threat as they can break conventional encryption algorithms.

Please also review the new Graphical Abstract providing a bird's eye view of the research involved.

Reviewer 4 Report

This paper reviews the threaten of quantum computers for cybersecurity, and  analyzes an encryption-agnostic approach that can potentially render

computers quantum resistant, Zero Vulnerability Computing (ZVC), which secures computers by banning all 3rd party permissions. The article is well written and make a comprehensive analysis about ZVC. Before make recommendation, some issues should be clarified.

1.     I advise the author make a brief investment about the quantum algorithms which can threat the cryptography. Such as, [ Algorithms for quantum computation: discrete logarithms and factoring]、[Variational quantum attacks threaten advanced encryption standard based symmetric cryptography].

2.     The authors claimed: ”ZVC is a cybersecurity paradigm that proposes a new zero attack surface computer architecture that restricts all third-party applications exclusively to a web interface only, declining permissions for any utilization of computing resources by any nonnative program and creates a switchable in-computer offline storage for securing sensitive data at the user’s behest” . In my opinion, ZVC is an approach to secure data by physical method, it is not particularly designed for against quantum computers. Can the author provide more insight about the ZVC and quantum computer? And I am confused why the author propose to combine Solid State Software on a chip (3SoC) with quantum computer?

3.     Figure 5 is not in the central of the page.

Author Response

The 3 comments of Reviewer 4 are responded as follows:

1. The  response to the reviewer’s second question will clarify this issue better. But for whatever it is worth and with due respect this paper is neither about quantum computing, nor about encryptions. It is about a rule bending encryption agnostic approach to cybersecurity and intended to be a brief report/hypothesis. Delving into quantum cryptography will digress from its primary focus and defeat its purpose as a Brief Report/Hypothesis.
2. I fully agree with Reviewer 4 that ZVC was neither designed with Quantum Computers in mind, nor it has anything to do with quantum computing per se. Quantum resilience is just a chance possibility that we explore, because, if ZVC security does not rely on encryption it inherently has to be resistant to quantum computing that essentially threatens encryption. Having said that, ZVC isn’t just securing data by physical method but by banning 3^rd party permission to complete obliterate the attack surface. The confusion probably lies in comprehending ZVC as an integral part of quantum computing, which it is not. In simple terms ZVC is to quantum computing as a hardware authenticator is to any legacy computing, totally unrelated. With that understanding it should be clear that this paper does not attempt to combine 3SoC with quantum computer. If it works, it will just provide an unhackable secure gatekeeping service to quantum computing and preclude quantum computing from being used by bad actors to threaten the rest of the Internet.

3. Figure 5 is now center aligned.

The novelty of this research is further clarified in a Graphical Abstract

Round 2

Reviewer 2 Report

The citation number of the references should match the citations in the text.

Author Response

Thank you for the review of the revised manuscript. After thorough review of the citations we found just one citation error in  section 5.1, page 9 line 12. The correct references are [20,21] and not [19, 20]. The citation error is now corrected in the revised manuscript.

Reviewer 3 Report

Authors could manage to improve the presentation of their manuscript, which I am happy with, though, I have some minor comments. 

Please make sure all the materials, such as figures that used from other 3rd party sources are permitted from the copyright holder to reshare them in your manuscript. Having them with citation only that isn't enough to cover the copyright.

Author Response

Thank you for finding the revised manuscript improved and publication worthy. Regarding the copyright I had already sent a detailed response to Ms Zhang's (Assistant Editor) mail regarding copyright. Pasting here my response:

Dear Ms Zhang,

Thank you for your query regarding the copyright for reuse of figures 1, 2, 3. The reuse authorization of these figures are herein explained.

Figure 1: The reuse of this figure is authorized under Creative Commons license as specified here: https://www.flickr.com/photos/ibm_research_zurich/40786969122

The exact verbiage of the CC license for unrestricted reuse of this image can be viewed by clicking on the creative commons icon just below the image publication date (https://creativecommons.org/licenses/by-nd/2.0/)

Figure 2: The reuse of this figure is implicitly authorized under the International copyright as "fair use" doctrine under the US copyright laws and under Article 17(7) exceptions for “quotation, criticism, review [as well as] caricature, parody, and pastiche”  of EU Copyright Directive, 2019.

Figure 3: This figure isn't actually reuse but is actually new graphic drawn from data collated from my previously published work, which this paper cites (Raheman, Fazal, et al. "Will Zero Vulnerability Computing (ZVC) Ever Be Possible? Testing the Hypothesis." Future Internet 14.8 (2022): 238)

I hope the above disclosure clears any obstacle for reuse of these figures. If there are further questions please do not hesitate to ask.

Cheers :)

Fazal