Rethinking Digital Security: Prof. Ashutosh Dhar Dwivedi on Encryption, the Quantum Threat, and Why Passwords Have to Go

Prof. Ashutosh Dhar Dwivedi, who is now an assistant professor at Aalborg University, started as a postdoctoral researcher at the same university. Before that, he started as a software developer intern, and through various internship research projects and PhD holdings, he went on to become a professor and a cryptographer. His research path shows appointments at Brenner University as a historical researcher, the University of Waterloo, the Technical University of Denmark, and Copenhagen Business School before joining Aalborg.

It is always interesting to learn something when it is taught with fun or with stories. Prof. Dwivedi used a similar way to explain cryptography. He introduced this concept with a narrative framework. He started with a story of how Alice wanted to share a secret message to Bob. A guy named Oscar is trying to invade privacy by intercepting the message in transit. To stop Oscar, Alice and Bob switch to encryption. Encryption is an end-to-end lock, a digital lock to maintain your privacy. Alice drops the message inside and locks the box with a key and then sends the lockbox. Oscar can intercept the box, but without the key, the contents are unreadable. Bob, holding the matching key, opens the box and reads the message. This is symmetric key cryptography. Alice and Bob use the same key to encrypt and decrypt. The mathematical operation underlying many symmetric encryption systems is XOR, the exclusive OR operation. XOR is its own inverse. If a message is XORed with a key, the result is ciphertext. If the ciphertext is XORed with the same key, the original message is restored. The mathematics is elegant. The practical problem is harder. How do Alice and Bob share the key in the first place if Oscar is monitoring every communication?

Also Read: The 8th edition of PiCET at Parul University with International Speakers

The key exchange problem was solved by Whitfield Diffie and Martin Hellman with the introduction of public key cryptography, also called asymmetric cryptography. In this model, each party generates two mathematically related keys. The public key can be shared freely with anyone. The private key must be kept secret and never transmitted.

If Bob wants Alice to send him confidential information, he shares his public key openly. Alice encrypts her message using Bob’s public key. The encrypted message can only be decrypted with Bob’s private key. Oscar can intercept the encrypted message and obtain Bob’s public key, but cannot decrypt the message without the private key Bob has never transmitted. The mathematics that makes this work is based on certain problems that are easy to perform in one direction (multiplying two large prime numbers) but computationally hard to reverse (factoring the product back into its primes).

Digital signatures work in the opposite direction from encryption. Alice uses her private key to sign a message. Anyone with Alice’s public key can verify that the signature is genuine and originated from Alice. Importantly, Alice cannot later deny signing the message, a property called non-repudiation, which is essential in financial and legal contexts. Students entering the B.Tech in Cyber Security at Parul University study public key cryptography, digital signatures, and non-repudiation in detail as part of the core curriculum.

One of the most conceptually demanding sections of the keynote concerned quantum computing and its threat to existing cryptographic systems. Prof. Dwivedi introduced quantum mechanics through Schrodinger’s cat, the thought experiment in which a cat in a sealed box exists simultaneously in two states (alive and dead) until the box is opened and the observation collapses the state into a single outcome. This is the principle of superposition: a quantum system can occupy multiple states at the same time.

Prof. Dwivedi translated the concept into computing. A classical bit is either 0 or 1. A quantum bit, or qubit, exists in a superposition of both 0 and 1 simultaneously. This is not a metaphor. The physical state of the qubit, measured before observation, represents both values. The computational consequence is dramatic. A quantum computer does not try one possibility at a time. It explores many possibilities simultaneously, in a sense. For certain classes of problems, particularly those that involve factoring large numbers into prime components, the computational speedup over classical methods is enormous.

This is where the cryptographic threat sits. The RSA algorithm and most other public key cryptographic systems base their security on the assumption that factoring large numbers is computationally infeasible for classical computers. Quantum computers, once sufficiently powerful, will make that assumption false. The entire security infrastructure of the internet, including online banking, e-commerce, secure messaging, and digital signatures, depends on cryptographic foundations that a sufficiently powerful quantum computer will break.

Prof. Dwivedi outlined two principal responses to the quantum threat. The first is post-quantum cryptography. These are new classical encryption algorithms designed to be mathematically hard to break even with a quantum computer. They are not quantum algorithms themselves. They run on ordinary computers. They are based on mathematical problems that quantum algorithms struggle with as much as classical algorithms do.

The field is currently active. The National Institute of Standards and Technology (NIST) in the United States has been running standardisation competitions for post-quantum cryptographic algorithms. The NIST Post-Quantum Cryptography project has selected initial standards based on lattice-based and hash-based cryptography. Prof. Dwivedi noted that his own research has moved significantly in this direction in recent years.

There is second response to the quantum threat that is Quantum Key Distribution (QKD).

Where post-quantum cryptography uses classical algorithms that are resistant to quantum attacks, QKD uses quantum mechanics itself to distribute encryption keys. Any attempt to intercept the key changes the quantum state of the carrier particles, alerting the legitimate parties that the key has been compromised.

Prof. Dwivedi shared details of a recently completed research project in Denmark. The collaborative effort involved the Technical University of Denmark, Aalborg University, the University of Southern Denmark, the University of Copenhagen, government ministries, and private sector partners. The project established a quantum communication infrastructure connecting two Danish cities, Odense and Copenhagen. Prof. Dwivedi showed images from his laboratory of the quantum key generation devices in use. The project was delayed somewhat but was successfully completed and demonstrated. This is real-world validation of QKD as a practical technology rather than a theoretical concept.

Prof. Dwivedi was clear that QKD is not without weaknesses. The communication channel itself is quantum, but the surrounding infrastructure (routers, endpoints, management systems) remains classical. The intersection of quantum communication with classical network management is itself a research frontier. Collaboration between cryptographic researchers and network systems engineers is needed to build genuinely robust quantum-secured systems.

The session included a discussion on authentication led by Prof. Dwivedi. He observed that encryption remained successful while authentication remained an issue to be solved. Fifteen years ago, online authentication relied on simple passwords and IDs like mobile numbers, birth dates, family names, and similar details. The passwords were really easy to crack.

Stronger password policies were introduced in response. The new patterns ask for a better and stronger passkey, such as a combination of uppercase letters, lowercase letters, numbers, and special characters. The purpose is to prevent brute-force attacks. The surrounding consequences are unintentional. As online services increased (banking portals, email, social media, e-commerce, etc.), users had to keep track of dozens of complex passwords.

Nobody can reliably remember twenty different random strings. The practical response was widespread password reuse. The same password for Gmail, Facebook, and the bank portal. The consequence of any single data breach became access to all accounts.

• Credential stuffing attacks: automated attempts to use leaked credentials from one service to access accounts on other services.
• Dark web credential markets: billions of leaked username-password combinations bought and sold annually on dark web markets accessible through Tor and similar tools.
• Physical credential leakage: in India specifically, photocopy operators outside banks collect hundreds of Aadhaar cards, bank card photocopies, and identity documents at the end of each day. These physical documents feed directly into digital attacks.

When passwords alone failed, the industry moved to multi-factor authentication, most commonly OTP-based verification. Even if an attacker knows the password, they cannot complete a login without the one-time password sent to the registered mobile number. The system genuinely reduced account breaches for several years. The system, however, has its own structural failure modes.

Prof. Dwivedi described SIM swap fraud in detail with a personal example. He needed to replace a SIM card for his mother’s old phone. He went to the telecom shop, handed over the old SIM, and received a new SIM without any serious identity verification. If he had been an attacker with a stolen phone, he could have walked into any shop, reported the SIM as lost or damaged, and obtained a new SIM for that number. The new SIM would give him access to every OTP sent to that number, including banking OTPs, government service OTPs, and authentication codes for every service tied to that number.

Beyond SIM swap fraud, OTP systems are vulnerable to social engineering. An attacker who has collected some personal information about the victim (from a leaked database, from social media) can call posing as bank staff or police, use specific details to sound credible, create urgency or fear, and extract the OTP from the victim directly. India has seen a sharp rise in digital arrest scams operating exactly along these lines, where victims receive threatening calls from people posing as law enforcement and transfer large sums under pressure. Malware installed on phones or computers can also intercept OTPs directly.

The technical answer to the authentication problem, in Prof. Dwivedi’s framing, has existed for years but remains underdeployed. Password-less authentication using FIDO2 hardware security keys is mature, well-standardised, and commercially available. Yet most banks and services in India and large parts of the world have not adopted it. Users still receive SMS OTPs and deal with SIM-related problems that should have been obsolete years ago.

The core idea of password-less authentication is to use cryptographic keys instead of passwords. The user does not remember a password, does not type a password, and does not transmit a password over the network at any point. The entire authentication happens through mathematical operations involving a private key (which stays on the user’s device and never leaves it) and a public key (which is stored on the server). During registration, the device generates the key pair, sends the public key to the server, and signs a server-issued challenge with the private key. During subsequent logins, the server issues a fresh challenge, the device signs it with the private key, and the server verifies the signature using the stored public key. No password is ever created, stored, or transmitted.

Prof. Dwivedi conducted a live demonstration using a YubiKey, a small USB device that stores private and public keys securely inside hardware. He logged into his Google account using the YubiKey. After entering the PIN, the system waited for a physical touch on the key itself. The physical requirement is the critical security property. Even if a remote attacker has compromised the authentication process digitally, they cannot proceed without physically touching the device that is in the user’s hand. An attacker sitting anywhere in the world cannot touch a device that is in the user’s pocket.

Denmark uses a national authentication system called MetaID that works on principles similar to FIDO2 and is seamlessly integrated into banking, healthcare, and public services. The single unified digital identity system is backed by strong cryptographic foundations. Prof. Dwivedi expressed curiosity about why this model has not been adopted more widely in other countries, though he acknowledged that policy, infrastructure, and public adoption challenges all contribute to the slow rollout.

Prof. Dwivedi closed with a personal story that demonstrated a critical operational principle. He received an email that appeared to be from an assistant professor at the Technical University of Denmark, sharing a file. He did not personally know the professor, so he initially suspected phishing. He checked the name on the official DTU website, verified that the person was real, and clicked the link. The link asked for his credentials. He entered his email and password. Later that day, DTU sent a notification about a data breach. The professor’s account had been compromised. The email had come from the professor’s actual compromised account, which is why it had survived all the standard phishing checks.

What saved Prof. Dwivedi was two-factor authentication. Even though the attacker had his username and password, the attacker could not complete the login without the second factor, which was a notification on Prof. Dwivedi’s personal device. The story carried a sharp message. Sophisticated phishing attacks can fool even trained cryptographers. The defence is not awareness alone. The defence is structural: multi-factor authentication, hardware security keys, and password-less systems that make compromised credentials less catastrophic.

Check Out: Faculty of Engineering and Technology at Parul University, programes that prepare you for all the new track of researches.