Surprisingly enough, 80 percent of data encryption services used today rely on a system that dates back five decades. Levercode is out to change it with a new encryption system.
Flexible and scalable, the Tallinn-based company is building its tools for the long haul, but it still has to replace legacy encryption systems that have been in use for decades.
Stuck in the Seventies
It may come as a surprise, but 80 percent of data encryption services used today rely on a system that dates back five decades. When it was invented, Brezhnev was Soviet premier, Jimmy Carter was the US president, and current Estonian Prime Minister Kaja Kallas wasn’t even born yet.
One reason for its longevity is that the keys generated by the system's algorithm, called RSA, are hard to break. Prime numbers are used to produce a public key that can be transferred across channels. A second, private key is then used for decryption.
“From one side, RSA is very simple to compute,” says Levercode CTO Oskar Poola. “But to break the key from the other side is close to impossible. So if it isn’t broken, then why fix it?”
It may be broken eventually. Quantum computers in development could have enough computational power to crack RSA, leaving public and private sector systems that rely on RSA encryption exposed to hacks. “RSA is becoming easier to bypass and in less time,” says Poola.
To mitigate this risk, Poola’s firm Levercode has begun offering a different approach for digital identity and data governance that it hopes will take encryption out of the 1970s and into the 2020s. The company last month launched a product called LeverID, billing it as a post-quantum capable digital identity and signature platform for use by governments and businesses alike.
The response so far has been favorable, with interest from partners in the Middle East, Southeast Asia, the Caribbean, and Europe. And governments are just one potential user for LeverID. But the company is just beginning to engage the market.
“You can just imagine a universal login for Volkswagen, Bosch, or Walmart,” comments Poola. “Every user will have their LeverID app, and if they want to log into some internal system they can integrate this solution,” he says. “We can provide high-level security for those companies. LeverID is a fundamental technology that can be applied in the public and private sectors.”
Waking up the world
Levercode is marketing LeverID as a reliable and fast platform, underscoring its universal login functionality and security. But scalability and an ability to iteratively upgrade the offering are core components of the package, according to Riho Kruuv, head of strategic relations at the firm.
“Scalability is where things become more crucial,” he notes. “People are often skeptical how solutions designed in Estonia, a country of 1.3 million, can be applied in France or India,” he says. “But our authentication and the digital signature platform are potentially suitable for a population as big as India’s, which has 1.3 billion people.” Kruuv should know. He used to serve as Estonia’s ambassador to India.
And while current generations of computers might not be able to decrypt RSA-encoded data yet, quantum computers might be able to do so in a few years’ time. “We want to wake up the world,” Kruuv says. “It’s time to get to work so when the time arrives when quantum computers can decode RSA, you will already have a new platform in place,” he says. “Why wait when we can make those changes now?”
Interchanging cryptography standards
Then there is the issue of flexibility in the system, one that Poola insists Levercode has covered.
“LeverID was built in a way that we could interchange cryptography standards in a relatively easy way,” noted Poola. “If we were to arrive at a post-quantum computing standard, we could integrate that into our solution,” he says. “That is a large advantage, having that modularity.”
Levercode doesn’t use RSA in its current offering but instead uses Edwards elliptic curve cryptography, which relies on a different mathematical equation that is even more difficult to solve than RSA. “Looking forward, we are preparing a system that if you implement it and use it in the next five to 10 years, we can provide security immediately for our clients,” says Poola.
Every technology vertical
Though Levercode was founded in 2014, its team has experience in e-governance stretching back decades and has played an active role in the digitalization of Estonian services. Kruuv notes that the switch to digital actually started in the private sector in Estonia in the early 2000s when banks and other companies began to offer e-services around a secure digital identity, a trend that has continued as Estonia built out its digital e-health infrastructure, e-tax solutions, and i-voting.
“This has given us experience in dealing with blockchain technology, wallets, and the fintech sector,” Kruuv says of the company’s background. Right now, Levercode is focused on selling its solutions to partners interested in e-governance, digital health, and fintech. The message is not to replicate what Estonia has, but to use technologies fostered by the local market in new settings.
Even better e-governance than in Estonia
“We have the knowledge and experience to build even better e-governance than we have in Estonia and this is what we offer to other countries,” says Kruuv. “We can do better than Estonia and they can do better.”
As such, the company is looking for partners located far from its offices in Tallinn.
“These technologies apply to every technological vertical,” underscores Poola, citing banking, e-health, and insurance companies as three use cases for LeverID digital identity. Moreover, users can adapt the system for interactions in-house too. “If they want their data to be securely exchanged between different parts of their company, these technologies would also be applicable,” he says.
New competition welcome
Mark Erlich, head of the electronic identity department at RIA, the Estonian Information System Authority, says that RIA has not yet interacted with Levercode. While it is not the government’s position to comment on offerings from vendors, he notes that there is “no doubt they have a better solution than RSA.” In addition, he believes it is good that Levercode uses Edwards elliptic curve, making LeverID a unique offering in Estonia.
Still, RIA also moved away from RSA years ago and uses an elliptic curve provided by the US National Institute of Standards and Technology to generate the keys used by electronic identity documents. “Elliptic curves mean the key size is much smaller to achieve the same level of security,” says Erlich. “There are many benefits to using elliptic curves, and, of course, within elliptic curves, there are many algorithms.”
Concerns about quantum computers
However, Erlich warns that concerns about quantum computers might be somewhat inflated at the moment, noting that quantum computers are not only expensive but single-application computers, similar to computers that existed half a century ago. “That means if someone wants to crack RSA or an elliptic curve, they need to build a computer specifically for that application,” he says. State actors might have the resources to do so, but such computers are unattainable for everyday hackers. “I don’t believe there’s anyone so naive to make such a huge investment just to take down one system,” says Erlich. “Of course, this is still a risk, and we can’t just ignore it.”
That being said, Erlich maintains that the market will require new solutions so that if one offering fails, providers can quickly switch. “I welcome that we have more companies that offer these kinds of solutions, so all parties on the market have more options to choose from,” he says. “It’s also great that Levercode is using other algorithms than other firms that are on the market.”