April 6, 2023

By: Sachin Jain, Principal Director - Consulting, Global Technology Office, LTIMindtree

In today’s technologically advanced and complex digital environment, there is a growing need to safeguard sensitive data from external threats. CXOs of large organizations are exploring the potential of Quantum Communications (QC) to secure their data and communication infrastructure. QC  provides impenetrable security by foiling any attempt at interception by an eavesdropper. It does this by damaging the information and detecting the intruder’s presence. In the banking industry, which is heavily regulated, there are mechanisms in place for securing the customers’ data. Tokenization is one such mechanism. In this blog, we will discuss the traditional implementation of tokenization, some of the challenges associated with that approach, and how quantum technology can be used to resolve those challenges.

What is Tokenization and why is it required?

Whenever we make a purchase online using our credit/debit card, our card details or account details are not used for completing the transaction; instead, a surrogate value is used, which represents the actual information. Tokenization replaces sensitive data such as card details, account numbers, and PINs with unique identification data called “tokens.” Tokens are a random sequence of characters representing sensitive data while preserving its business utility. In banking, tokens are used for performing a transaction using a credit/debit card, either online or at the POS terminal, while the customer information is stored securely in a vault. The vault stores the mapping of tokens against sensitive information. Below are some of the common uses of tokenization:

• Restricting access to sensitive data: Access to sensitive data can be limited, with only those having access to the vault can use the data.
• Avoiding oversharing with third parties: Instead of sharing the actual data with third parties, for example, in the case of payment processing, only the tokens representing the actual data can be shared.
• Analytics: Sensitive data is often required for business purposes such as analytics and reporting. Tokens can be used in place of the actual data for conducting analysis, thus minimizing locations where sensitive data is allowed.

But why should we bother tokenizing the data? Below are some of the benefits:

• Reducing the risk of data breaches: It minimizes the risk of data breaches and protects sensitive data from falling into the hands of malicious actors.
• Reduced compliance requirements: Tokens are usually not subject to compliance scope if there is sufficient separation between the application using the tokens and the tokenization implementation; however, this is not the case with encrypted data.
• Enhancing customer trust: It helps create smooth payment experiences and satisfy customers by reducing the risk of payment fraud.

Tokenization is different from encryption. Unlike encryption, where complex operations scramble the data and it can be decrypted back if someone has the key, tokenization involves simply exchanging the data with the token. So even if the tokens fall into the hands of malicious actors, they won’t be able to retrieve the original data, as the tokens have not been derived from it.

How are tokens generated?

Traditionally, tokens are generated using Random Number Generators (RNGs). RNG  is a system that generates a random sequence of values or an individual random value. They are given the name random as the sequence should not display any distinguishable patterns in their appearance or generation. They are of two types:

• Pseudo-Random Number Generators (PRNG): PRNG systems are deterministic in nature. Here, random numbers can be generated using a computer algorithm that is based on a seed value. The computer algorithms produce the sequence of random numbers based on an initial value known as a seed value or a key. The entire sequence of random numbers can be regenerated if the seed value is known. Hence this method is called “pseudo-random.”
• True Random Number Generators (TRNG): They depend on physical phenomena such as radioactive decay of isotopes, thermal noise, avalanche noise, atmospheric noise, etc., for harvesting randomness. They are non-deterministic, but they can harvest randomness at a limited rate. They are called “true” as they depend on external physical processes.

Seeing tokenization in action

Let us look at the scenario of a customer initiating a purchase using their credit/debit card. For completing the transaction, a token gets requested by the merchant. It is then sent to the merchant by the server, which generates a token using RNG.

The merchant passes the token to their acquirer bank. Then it is passed to the network, where it is processed. The data is within the secure vault, and the network matches the token with the customer account number. Then it is passed on to the issuer along with the account number. The issuer bank verifies the funds and authorizes the transaction. The authorization is passed to the network and proceeds back to the merchant acquirer and back to the merchant.

Fig. 1 – Tokenization Flow (Source – Tokenization – Payment page merchants (juspay.in), Payment Card Tokenization)

Challenges associated with conventional methods

The classical methods of RNG are limited and not completely random, despite their dependency on physical processes and computer algorithms. There is always a risk of these random numbers being compromised if a computer attacks them with strong computational prowess. The confidentiality of file systems, source code, memory, or network communications may be compromised due to such an attack. Below are the challenges associated with them:

• True randomness is unpredictable and difficult to generate within classical computer systems
• It becomes easy for hackers to guess and predict the keys with computationally strong computer systems
• PRNG is deterministic; hence if the seed is known, the complete sequence can be determined
• TRNG is dependent on natural phenomena; therefore, it is rate-limiting
• Sometimes an RNG produces the same output regardless of input; this can happen if the seed has been reused

Quantum Random Number Generation (QRNG)

A new category of RNG systems has emerged that relies on the principles of quantum physics to generate random numbers. Quantum RNG (QRNG) utilizes the random elements of quantum physics to produce a true source of entropy. This enhances the seed quality for key generation. They are different from the classical method in the following ways:

• Quantum processes control the source of entropy, and it produces a true random output
• Ability to monitor the entropy source in real-time
• Attacks on the source of entropy are easily discovered

Quantum RNGs have a high throughput of harvesting randomness and are not rate-limited. Some of their benefits are:

• The random numbers are generated without any bias
• There is no way to manipulate the input source. Quantum sources (light) derive random numbers
• As they depend on a quantum source, the throughput is high and is not rate-limiting. A continuous stream of photons is used for random number generation. The throughput can also be increased if needed
• As QRNG systems depend on the principles of quantum physics, the randomness is of the highest quality. Quantum physics is inherently random, translating into generating high-quality random numbers

Tokenization using QRNG

To generate tokens with truly random numbers, quantum-based RNGs can be used. They can be accessed through the cloud and used as a replacement for the actual information. In the traditional tokenization approach, the tokens generated are stored in the client’s database, which may not be entirely secure. Unlike the conventional approach, in quantum-based tokenization, the tokens are stored in a secure quantum vault which cannot be easily neutralized.

Fig. 2 – Tokenization with QRNG

Tokenization is important for keeping sensitive data secure while preserving its utility. Tokens can be generated using RNG systems. The strength of such systems depends on the degree of randomness generated. Classical RNGs cannot generate truly random sequences and are limited. Quantum RNGs are truly random and ensure full security as they are based on the inherent random nature of quantum mechanics. There are some pitfalls associated with QRNGs as well. They depend on the underlying quantum computers to generate random sequences, and these systems are still not completely fault-tolerant and scalable. Further research and technological advancements will overcome these shortcomings.

Delve into the world of quantum technologies by visiting our page – solving with quantum.