CRYPTO AND PRIVACY VILLAGE - Integrating post-quantum crypto into real-life applications

Video thumbnail (Frame 0) Video thumbnail (Frame 1172) Video thumbnail (Frame 2366) Video thumbnail (Frame 5318) Video thumbnail (Frame 10953) Video thumbnail (Frame 11951) Video thumbnail (Frame 12841) Video thumbnail (Frame 13934) Video thumbnail (Frame 15168) Video thumbnail (Frame 19125) Video thumbnail (Frame 22040) Video thumbnail (Frame 24144) Video thumbnail (Frame 30189) Video thumbnail (Frame 33749) Video thumbnail (Frame 36752) Video thumbnail (Frame 41035) Video thumbnail (Frame 48472) Video thumbnail (Frame 52790) Video thumbnail (Frame 55047) Video thumbnail (Frame 56440) Video thumbnail (Frame 59133) Video thumbnail (Frame 61079) Video thumbnail (Frame 63028) Video thumbnail (Frame 64389) Video thumbnail (Frame 69715)
Video in TIB AV-Portal: CRYPTO AND PRIVACY VILLAGE - Integrating post-quantum crypto into real-life applications

Formal Metadata

CRYPTO AND PRIVACY VILLAGE - Integrating post-quantum crypto into real-life applications
Title of Series
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
Real number Projective plane Cartesian coordinate system Information privacy Cryptography Computer font Cryptography Quantum cryptography Quantum Video game Self-organization Quantum Fingerprint
Word INTEGRAL Multiplication sign Quantum Quantum Quantum computer Surface of revolution YouTube Surface of revolution
Superposition principle Beta function Ferry Corsten State of matter Multiplication sign 1 (number) Function (mathematics) Information privacy Disk read-and-write head Computer Neuroinformatik Measurement Qubit Semiconductor memory Different (Kate Ryan album) Physical law Quantum computer Physical system Social class Programming language Algorithm Software developer Parallel port Physicalism Bit Category of being Software development kit Arithmetic mean Quantum entanglement Wave Process (computing) Quantum mechanics Quantum Quantum cryptography Pattern language Resultant Spacetime Classical physics Point (geometry) Trail Slide rule Link (knot theory) Algorithm Virtual machine Maxima and minima Student's t-test Distance Surface of revolution Spacetime Quantum Computer-assisted translation Traffic reporting Alpha (investment) Distribution (mathematics) Doppelspalt Key (cryptography) Parallel computing Classical physics Physical law State of matter Stack (abstract data type) Cryptography Particle system Maize Visualization (computer graphics) Doubling the cube Physics Qubit Superposition principle
Superposition principle Algorithm Image resolution Orientation (vector space) Virtual machine Black box Field (computer science) Computer Neuroinformatik Measurement Cryptography Physical law Spacetime Quantum Quantum computer Information security Social class Stability theory Algorithm Parallel computing Optimization problem Classical physics State of matter Field (computer science) Bit Auto mechanic Cryptography Category of being Telecommunication Physicist Quantum mechanics Computer science Physics Quantum Quicksort Qubit Quantum computer
Inverse function Divisor Database Inversion (music) Number Frequency Cryptography Root Internetworking Hash function Square number Encryption Quantum Algorithm Polynomial Key (cryptography) Block (periodic table) Forcing (mathematics) Field (computer science) Database Cryptography Public-key cryptography Elliptic curve Frequency Symmetric matrix Hash function Function (mathematics) Block (periodic table) Quantum computer Reduction of order
Observational study Field (computer science) Neuroinformatik 2 (number) Number Estimator Different (Kate Ryan album) Diagram Divisor Quantum Quantum computer Information security RSA (algorithm) Algorithm Distribution (mathematics) Key (cryptography) Projective plane Bit Cryptography Arithmetic mean Exterior algebra Quantum mechanics Quantum Quantum cryptography Hill differential equation
Standard deviation Functional (mathematics) Transport Layer Security Multiplication sign Icosahedron Malware Internetworking Hybrid computer Encryption Quantum Quantum computer Service (economics) Algorithm Standard deviation Weight Cryptography Software Public-key infrastructure Chain Quantum cryptography Configuration space Quicksort Collision Active contour model Asynchronous Transfer Mode
Standard deviation Cryptosystem Code Multiplication sign Curve List of unsolved problems in mathematics 1 (number) Numbering scheme Ellipse Electronic signature Encapsulation (object-oriented programming) Mechanism design Graphical user interface Lattice (group) Hash function Encryption Symmetric-key algorithm Process (computing) Quantum computer Information security Error message Physical system Family Algorithm Polynomial Stress (mechanics) Numbering scheme Public-key cryptography Electronic signature Type theory Category of being Exterior algebra Ring (mathematics) System programming National Institute of Standards and Technology Quantum Website Encryption Energy level Multivariate Analyse Web page Polynomial Functional (mathematics) Link (knot theory) Divisor Code Automatic differentiation Field (computer science) 2 (number) Revision control Energy level Nichtlineares Gleichungssystem Quantum cryptography Standard deviation Key (cryptography) Code Cryptography Cartesian coordinate system System call Error message Personal digital assistant Network topology Lattice (group) Revision control Video Genie Family
Slide rule Open source Code INTEGRAL Multiplication sign Transport Layer Security Curve Numbering scheme Open set Electronic signature Lattice (group) Different (Kate Ryan album) Error message Proof theory Collaborationism Multiplication Algorithmic information theory Key (cryptography) Twin prime Bit Cartesian coordinate system Public-key cryptography Electronic signature Keilförmige Anordnung Error message Ring (mathematics) National Institute of Standards and Technology Encryption Mathematician Family Resultant
Suite (music) Greatest element Code INTEGRAL Logarithm Multiplication sign Numbering scheme Open set Icosahedron Electronic signature Public key certificate Derivation (linguistics) Pointer (computer programming) Mathematics Core dump Encryption Software framework Algorithm Constructor (object-oriented programming) Feedback Transport Layer Security Fitness function Menu (computing) Bit Schlüsselverteilung Open set Cue sports Electronic signature National Institute of Standards and Technology Quantum Encryption Resultant Asynchronous Transfer Mode Point (geometry) Slide rule Functional (mathematics) Random number generation Link (knot theory) Transport Layer Security Disintegration Authentication Branch (computer science) Limit (category theory) Prototype Hybrid computer Energy level Authentication Key (cryptography) Suite (music) Projective plane Cartesian coordinate system Cryptography General linear model
Presentation of a group INTEGRAL Code Multiplication sign Demo (music) 1 (number) Numerical integration Set (mathematics) Open set Measurement Wiki Web 2.0 Mechanism design Different (Kate Ryan album) Computer configuration Diagram Extension (kinesiology) Quantum computer Error message Information security Injektivität Curve Algorithm Web page Transport Layer Security Shared memory Electronic signature Ring (mathematics) Website Quantum Normal (geometry) Asynchronous Transfer Mode Point (geometry) Web page Server (computing) Transport Layer Security Real number Disintegration Similarity (geometry) Branch (computer science) Twitter Number Prototype Software testing Multiplication Key (cryptography) Information Demo (music) Server (computing) Client (computing) Computer network Line (geometry) Cryptography Elliptic curve Hybrid computer Video game Finite-state machine Communications protocol Computer worm
INTEGRAL Code Multiplication sign Numbering scheme Client (computing) Electronic signature Public key certificate Neuroinformatik Measurement Derivation (linguistics) Mechanism design Lattice (group) Different (Kate Ryan album) Multivariate Analyse Series (mathematics) Extension (kinesiology) Algorithm Transport Layer Security Shared memory Bit Schlüsselverteilung Numbering scheme Public-key cryptography Measurement Virtual machine Electronic signature Type theory Hash function Ring (mathematics) Quantum Figurate number Resultant Implementation Server (computing) Virtual machine Graph coloring Field (computer science) Number Revision control Goodness of fit Hybrid computer Software testing Authentication Key (cryptography) Surface Classical physics Physical law Computer network Elliptic curve Hybrid computer Public-key infrastructure Social class Game theory Communications protocol Library (computing) Extension (kinesiology)
Point (geometry) Asynchronous Transfer Mode Algorithm INTEGRAL Multiplication sign Transport Layer Security Disintegration Similarity (geometry) Bit Schlüsselverteilung Open set Cryptography Mereology Public key certificate Electronic signature Virtuelles privates Netzwerk Software Hybrid computer Hybrid computer Quantum Musical ensemble Communications protocol Information security Asynchronous Transfer Mode
Point (geometry) Web page Implementation Decision tree learning INTEGRAL Multiplication sign Disintegration Set (mathematics) Control flow Client (computing) Open set Stack (abstract data type) Public key certificate Web service Centralizer and normalizer Root Computer hardware Implementation Quantum computer Point cloud Algorithm Server (computing) Projective plane Client (computing) Bit Local area network Cartesian coordinate system Cryptography Software National Institute of Standards and Technology Quantum Information security RSA (algorithm) Library (computing)
Empennage Server (computing) Code Transport Layer Security Multiplication sign Real number Control flow Open set Public key certificate Hand fan Web 2.0 Hybrid computer Software testing Quantum computer Tunis Service (economics) Algorithm Demo (music) Feedback Bit Cryptography Cartesian coordinate system Proof theory Category of being Software Hybrid computer
Web page Server (computing) Transport Layer Security Numbering scheme Client (computing) Public key certificate Web 2.0 Lattice (group) Quantum computer Authentication Curve Default (computer science) Algorithm Touchscreen Key (cryptography) Database transaction Schlüsselverteilung Line (geometry) Directory service System call Connected space Electronic signature Hybrid computer Password Telecommunication Configuration space Quantum Video game console Communications protocol Asynchronous Transfer Mode
Service (economics) Empennage
please welcome our next speaker Christian Paquin on integrating post quantum crypto into real life applications thank you thank you so welcome everybody to the last session in the crypto and privacy village first of all I'd like to thank the organizers for an invitation it's a great pleasure to come here have come to present my work and along with the work of my esteemed colleagues from the post quantum cryptography research and today I'll be talking about our experiments and incubation projects of integrating post quantum cryptography into real life applications so little outline very
straightforward and logical start to introduce what is quantum computing the quantum and then talk about what we need to do after that the post quantum world and then I'll discuss our integration experiments so first of all so just a
little poll like you know who's familiar not just a word but quantum computing works in the room oh very good about on YouTube see that later in the comments
ok so we've all heard about quantum computing at least the words and we've been hearing the quantum revolution is coming well I've been hearing that for a very long time that was a very young
student at the University of Montreal well a bit 20 years ago was trying studying a quantum computing and quantum cryptography with under supervision of elbrus ah who co-created our coats covered quantum key distribution and quantum teleportation so it was really hard to be in that lab and do anything other than quantum it was quantum everything then I decided to go and get a job it was a bit hard to be applied cryptography and doing some quantum things at the time so I went off becoming a quantum or crypto developer work at the company zero knowledge systems where we built a predecessor to tour did some PKI work then I went to a company called Kritika where we built a animus credential system for PKI with privacy and technology called develop the you prove technology ended up at Microsoft and then many years later I'm back at this quantum thing but this time on the other side of the fence not trying to build a quantum computer but trying to defend against it and I'll talk about it a bit more so it's hard to just keep track of what's going on there's every week there's seem to be a new result new quantum computer being built bigger many more qubits I can put slides anymore of our news report just put the search slide and search link and then you'll be able to find the the results of the week also down the hall my colleagues at Microsoft Research are building or trying to build a quantum computer and also integral east this year a Visual Studio programming language too sharp in which you can program a quantum computer so we don't have the chip yet but when we do we'll be able to just plug in that software and be able to use it so they're trying really hard to do it which mean for us crypto specialist we have to do some
things to defend against it I'll talk about it later so first of all what is a quantum computer well very simply it's just a machine that operates with the laws of quantum mechanics computers we have they all operate with their classical laws of physics we understood them but when we start using smaller particles that follows different laws of physics there's some really weird things that are happening so first the basic of a quantum computer is a qubit a quantum bit and unlike its classical counterpart it's not either 0 or 1 it can be 0 and 1 at the same time a bit like that famous experiment thought experiment of the cat that can be dead or alive showing your scat well a quantum bit can be zero and one at the same time which is great if you want to build algorithms with that because imagine you're trying to solve a problem trying to let's say trying to find a path in a maze well if I can see zeros turn left one is turn right then you can put it both 0 and 1 at the same time and then I have both had to be taken at the same time you know I'll have the computation Pat's be followed at the same time and at the end one of your parallel path of computation will have found the exit to the maze the problem is that when you look at the solution when you look at your quantum register at your memory you this quantum superposition is not visible to to you in the classical world one state gets picked at random depending on the amplitudes alpha and beta of the quantum bit and only one result a random gets returned to you so grave parallelism not great output so quantum algorithms they have to find ways to use quantum interference like if you remember your physics class this double slit experiment where you can put two holes in a piece of paper shining sunlight and then kind of the wave properties interference makes a little black white black white pattern because the waves interfere at some points and where there should be lights there there's not because the light particles the interfere and cancel each other so we can do the same with quantum algorithms where we can just have some Pat's being destroyed and only the the computation results that you want get popped up at the end of the computation so it's very subtle and hard art to to design quantum algorithms but there's a few that are being around another strange properties that qubits can be entangled entangled means that imagine you have two coins and you you take them apart and you flip them and you're gonna get zeros and ones and double zeros double ones zeros and ones ones and zeros but if there are quantum coins and you add them in a special way and they become entangled and you can separate them and it can be very far apart and you flip them they're always either zeros are always either 1y either it tails or head are tails you'll never see tail and head and head or tail that's really weird that freaked out Einstein recall that a spooky action at a distance because he imagined that one coin would get a result and would need to send a faster than light signal to the other coin so it matches its response so it's hard to understand what's going on but it's just an observable fact that these particles can be entangled and to always share a state across space and that can be used in quantum algorithms as well and
quantum computers can be built with all sorts of things the the spin of an electron the orientation of a photon my colleagues are betting on this topological computer be used with onions that could provide better stability with bigger machines and refer Faymann a famous physicists famously said nobody understands quantum mechanics you just get used to it for us computer scientists we don't really care like I don't never care how it's built it's just a black box and you give me these mathematical properties and we can design algorithms to solve new new problems new class of problems so it's
all great some of my colleagues are very excited about that security folks are a bit more worried because although quantum computing provides great advances in many fields in chemistry to find new ways to design molecules and and and optimization problems and machine learning it has terrible consequences for cryptography because there are two algorithms ironically the first two algorithms that I've known and 20 years ago were only used to break cryptography almost the first one here is the quantum menace to
us this is Peter shor design in 94 is famous algorithm that by doing what's called period finding and algorithms that can be used to factor large numbers and find a discrete log of numbers which are the two problems underpinning RSA and DSA and the elliptic curve variants like ECT age DSA so using shor we can basically break most of the cryptography all the public key cryptography that we use today on the Internet the other algorithm that's very important is a Grover algorithm it
allows database search function inversion it improves it by a square root factor essentially it's kind of described as finding a needle in a haystack it's able to to find a unique solution to function that you're looking for and it can be used to help the brute force of finding a digester international or breaking a block ciphers like AES and it has consequences but they're not terrible because of the square root improvement what we need to do to secure against this algorithm is just double the key the key size of AES or double the hash size of sha-256 to 512 so okay it sounds bad so how long do
we have when is this quantum computer going to be built well there's been a lot of studies about that trying to see what's the best estimate when the shore algorithm will be built Micheli Mosca's professor waterloo as a often cited quote that by 2031 is a 1/2 chance the 50% chance that we'll get a quantum computer and he revised that in 2017 to you last year this 1 in 6 chance 10 years ago so and another researcher Ben Simon Benjamin from Oxford if you're willing to go my Nathan project meaning you just put all your effort as a big government behind it then maybe yeah six to twelve years some of my colleagues also share this 2030 deadline or estimate and that's a little diagram that shows you the difference between breaking RSA 2048 with a classical or quantum computer so you need about number of bits due to for the algorithm and for a classical computer it would take billions of years or we're safe we know that for a quantum computer depending on its operational speed so I want gigahertz for example you would just get a few seconds so what's a game-changer it breaks it totally so now what we need to do given the quantum people would be very optimistic we're gonna say yeah we're gonna be able to we've been trying we're gonna be able to soon so we don't I don't necessarily believe that we're gonna have a fully functional computer in 12 years but as security specialists we have to be careful and assume the worst case and be ready to have something else and we do we do need something else we need alternatives so-called quantum safe algorithms or post quantum cryptography algorithms which are quantum algorithms that are secured against a quantum computer doesn't mean that they run on a quantum computer that doesn't mean that at all and it's not quantum cryptography which is another field or quantum key distribution which is a using quantum mechanics to exchange a key so these are all separate subjects this is normal classical cryptography for which we don't know any classical or quantum algorithms to break them and that is the
big feel of post quantum cryptography which is getting more and more attention
but first question we can get now is why would we care about this now okay we'll think about it in 10 years you know we have time we're busy we have all sorts of things to do we have Lock chain so implement and all sorts of things well the main one of the main reason the big reason is that the secrets you have today are at risk not to be encrypted now but they can be captured now recorded now and decrypted later all major countries are the capabilities now to just save the Internet traffic and decrypt it later they're at their leisure when they have a quantum computer so that's very significant another more practical but no less important item is that it takes a long time to update standards and software so we need to understand today so if we are to replace these algorithms what does it mean to plug them in TLS in SSH and to update all our software stack we know in Microsoft we have a lot of experience new from the flame malware and all or stuck snakes and all attacking very old ash functions like md5 you know only 5 collisions we know it's been outdated it's been replace but there's some very old software that's still running it and some weird configuration takes a long time to get rid of it so we need to make sure - by the time the quantum computer is here all the insecure algorithms are gone and lastly one thing that's very important to consider is the ability to to use hybrid modes so to be able to use classical cryptography with those quantum cryptography in a safety net to have best of both worlds of the two protections and that's going to be an interesting scenario for awhile I'll
describe that later so most of the
industry now is focused on the NIST competition NIST is the national standard Institute of sensors and technologies in the u.s. it is the basically the de-facto they define the defect of standards for for the cryptography use around the planet whatever NIST does typically is followed around the world and they've basically made a call to replace the cryptography that we have today with post quantum version so they have its competition it started in November of this last year and they're basically looking for a new signature and encryption mechanisms with five security levels and they got 64 submissions in their competition the 19 signature schemes and the rest are encryption or key encapsulation mechanisms so you can see all the details on that at that link all the submissions and some of the work I'll be presenting later is integrating some of these in in higher level applications and they think that they're gonna have like standards by 2022 2024 so to let to give us time to integrate so that we're ready by this 2030 deadline so what do these post quantum
algorithms look like we know we cannot base them on factoring and we cannot base them on discrete log because they're broken by sure so there are many more families of mathematical problems that we can use to build a new type of crypto systems the first one and the most popular one is the the lattice based systems they're based on mathematical lattices and as one of them has been around for a long time and true has been around from the mid nineties always been competing with RSA but there was no ever reason to move away from RSA so never got much traction but now it's kind of some people have been looking at it and also being more newer versions updated problems with provable security for example they're learning with error problem and it's ring version door ring our lwe and i'll be presenting one scheme that's ads been a design by Picard and some of my colleagues have been designing this the scheme be CNS to plug it into TLS it's been improved optimized by another team and became new hope and then there's some other subsequent scheme like frodo that comes back without the ring i'll talk about it in a few seconds another family is their code based systems they're based on error correcting codes they've been around forever and they've also been proposed as a public key system at the same time as RSA so they've been around for a long time but they have some disadvantages they're huge keys so they were never considered as an alternative to our site until now and there's been a lot of code based system proposed 19 of them out of the 64 another one is multivariate system so they're based on essentially multivariable polynomials and you have to solve the equations also developed in the 90s and now nine submissions based on this family the other one is ash based systems so these ones also very old like a lot of these the ideas are date back from a long time because researchers cryptography cryptography researchers have been busy and proposing things but in practice we're very conservative we pick the standard and we are not allowed to be creative and take new ideas in very often until we're forced to so this one signatures based on import signatures and Merkel co-inventor public key cryptography designed this merkel signature scheme which is the tree of digest and there's been new or proposal lms and MMX MSS extended merkel signature scheme i think that means and these will probably be considered for earlier adoption than what the NIST competition because they're very well understood we know the impact of quantum computer and ash functions and we know that Grover is optimal so we know it's like the worst case scenario we can go with that and we'll be safe and there's some pros and cons with with the ash tree versions but at least we know that they'll be secure and finally there's the other category there's seven of them is one that we've been working on based on ISO genies they've been a talk last year in the village about it on this idh and under the one from my colleague is based on symmetric ciphers and zero-knowledge proves called picnic a signature scheme so there's a wide thing so nist and crypto okay academia will be very busy to analyze all that you know you need a specialized page in each field to be in a centers on one scheme here so so takes a lot of it's hard to find
somebody with the knowledge to look all that so this it's the old industry is looking at that in detail I don't want to go into details about these slides because they're very small but these are slides from NIST after the competition deadline that just showed some results of performance that they ran you see a key size so this is different families so lattices typically perform very well and some others like the code base for example epic very large keys public keys and and so might be more difficult to integrate same thing with signatures let you inspect the slides at your leisure to see the details I'm just gonna fast-forward through that a little bit so my colleagues I've been dealing more with crypto integrations and then programming these things some of my colleagues are actual mathematicians building these schemes and these are the four collaborations we add in the competition as you can see it's always multi or zatia teams a lot of collaboration across the industry and academia to to make these so Frodo is essentially like New Hope but without the ring assumption and they're learning with air so Frodo's you remove the ring get it and so it's team felt it was more secured at the ring learning where there might not be as secure as we know because it's very new and the just learning whatever counterpart is safer slower but it's safer psyche is updated s ith allows you to reuse the keys so felt it was a better design for the submission picnic as I described it a little bit and Q Tesla is a ring learning with error signature scheme so all the code is all open source of these things like all these submissions and you can take a look and experiment with them so one thing we did is trying to plug these into real-life applications like in TLS and open SSL see how it works so after doing that a few time independently gets bothersome so along with a colleague
Douglas Dibble I'd at McMaster now he's at Waterloo he started this project called open quantum safe and we join and integrated our solutions and I helped designing the the signature API in that project essentially the goal is to have a framework where you can plug in all these post quantum algorithms and then in turn you take the framework this come in a P I and integrate it into your applications so that if you take that and plug it into open SSL and then you have a new scheme then you can just integrate it in oqs and then you get the integration and to open SSL OpenSSH for free so it's a very it's very useful it's been useful to us it allows us to do a prototyping really fast and it's also open right so we're open to invitation so I don't know that the a lot of people in this room I'm sure some of them might know I've been involved with one of the 64 submissions you might wanna take submissions if the core team didn't have time to take a new algorithm and plug it in we're trying to do that but you can accelerate that by submitting a poll request with your own algorithms and integrated it into a Q s if you want to see how it performs in TLS for example there are two branches one is the master branch which allow us to have a tighter integration and reusing a random number generator and all the constructors of oqs come in code and it's meant for integration in the applications and with the goal to ship it and there's a nice branch which has a more lightweight approach is just to take the new submissions and easily integrate them without touching their code base too much and just to be able to compare them so okay you get the link there so feel free to come use that project or contribute to it we're welcoming feedback and and new
contributions okay so now I'll be talking a bit about the integrations that we've been doing so the first one we did was in TLS 1.2 we've integrated into open ssl 1.0 1.0 0.2 open ssl has two layers there's the bottom crypto layer and there's the top ssl layer so for the two key exchange we only had to touch the ssl layer because when there's the post quantum crypto which is branch off to oqs rather than using the low-level crypto API but why we integrated the signature API in the PKI we added to touch the PKI asn.1 infrastructure which is in the crypto layer so that was a bit more work actually a lot more work but the result is that URL are able to issue post quantum certificates and use them in TLS to do authentication so for key exchange we have two modes we define new cipher suites and we also defined ibrid cipher suites in which you essentially do a classical key exchange and a post quantum key exchange and then you take the results of both you can't edit them and that's what you feed into the as the master premaster secret that gets fed - the key derivation function of TLS and that gives you double the protection so we might be worried that you're doubling the time deficient the work so I might have bad consequences on performance but we'll see that's not that bad on the next slide and we also as I said the post quantum certificates and there were some problems there are some of these schemes for example picnic has very large signatures so the signature size in TLS is 2 to the 16 so everything passed the level 1 of picnic there's level 1 3 and 5 or so everything 3 & 5 didn't fit in TL so that's why it's useful to do these experiments right now we can see and give feedback to the designers that ok it's it's things too big it won't fit so the crypto designers might want to tweak their things remove a few bits here and there so it fits into a known algorithms are targeting so that's why we were able to in fact this work was done before the submission didn't fit change a few things and what was submitted to NIST made sure that would fit into TLS and also tested an apache 2.4 point 25 at that time and worked well so could deploy that and so can you can test it just download our fork and you'll be able to test that if you don't have time to take notes in there that's all in the open quantum safe project everything is listed there without sub projects and forks so don't
worry about that so this is an interesting a diagram that shows our experiments running these algorithms in TLS so this these are pre nested missions so all the other games are either been optimized or changed to be more secure so take the performance as a grain of salt here with a grain of salt but the what's interesting is to see the trend so you see the HG the orange line here is the baseline that's basically what's being used favored today by a web servers we see that some of the post quantum ones like new hope is Gladys bring learning with air quite efficient even more efficient at ICI DHG and the Frodo one is a same one without the ring without the ring so just the learning with error option so slower but no that's bad these are connections per second so here it's 900 up to 1600 and ECT HG like 1200 there so so it's not bad like things are gonna have to give at some point we can't have the same efficiency as we have today in the world while the quantum computer exists but things are not catastrophic I would see we've seen some you look at the specs of some of these crypto algorithm this is the terrible the key sizes and running time but when you plug them in real life like it would with the good settings you see that's that's not that bad and the other interesting thing is that here is we retrieve multiple payloads like webpages of different sizes one byte 1k 10k and 100k so normal websites today they're quite big so the cost of the crypto gets amortized like if the more the bigger the website the page then the cost of to do the TLS negotiation gets amortized with the download time of the page so the more we get to normal sized pages they all kind of merge together and the cost of the post quantum there is not very apparent bottom line this stuff is quite practical and can be considered to be used today in the ibrid mode and the other thing I haven't mentioned is the hybrid modes you have here you see the HD and you have here New Hope plus EC DHT you run run Dalton Tyrell so very close to a CD HD so the coastal neo and the same thing with Frodo and Frodo plus EC DHE here so you so running the hybrid which is the recommended way to go for for a while because you you want the security of the classical system today with the protection that against future quantum computer you want it now and it doesn't cost you too much to have it this is a similar diagram with with signatures also don't care about the numbers too much but the cloth during we see that comparing here a picnic and RSA for the signature just because that's was the only of a governor a viable in oqs when we did that that's pre submission and yeah so picnics more expensive as a very big certificate but at the end of the day when you plug it in the real world TLS it's it's really not that bad okay now most interesting more recent work the TLS 1.3 integration so T is 1.3 was officially released yesterday now we already got it working no POS did that overnight no we've been doing on the draft specs and a draft code in the this is the integration we did in open SSL 1.1 and better for so it's really nice to work with TLS 1.3 I'm just gonna put all the information right there because it's a way nicer protocols state machine is cleaner so it's easier to deal with integration points in particular the key shares that's where you put all the crypto information and without you exchange and it already supports hybrid with with the pre shared key PS key and you see the HD so there's already is mechanisms to negotiate multiple keys which is nice that we can use the base spec consider everything curves because they only use elliptic curves so we have to cheat and call ourself curves that's all what we do to define new algorithms but I figure that's going to be fixed at some point and somebody will write extensions probably you want to retrograde the retrofit RSA in there I'm sure some people will do that so somebody will define will get gree at some point on post quantum official ways to integrate so right now just test and prototype which is call ourselves curves and we tested that in the injects web server just because Apache didn't support TLS 1.3 on the master branch when I tried that but this web server did also you can use curl to your tests and everything works and the details are also on this open quantum safe wiki page
all right I wanted to am i doing on time see okay I guess I'll finish the presentation first and now I get to the demo afterwards so a little bit about
hybrid scenarios I've been talking about the key exchange hybrid and there are multiple ways to go about it so the first one the one that we have implemented is called the naive implementation you essentially just do the classical key exchange and the post quantum one and dependently and then you just mix the results you concatenate the results feed that into the key derivation scheme you just need to give a new name to this algorithm as a combo scheme so you define a new like can you identify her for that and then you can call it in your library there are more advanced proposals out there one by a white and one by Hannegan Stabila they have different pros and cons one that supports multiple key shares you could mix classical and a lattice scheme and the code base game and like multivariate scheme all in there to to edge your bet that's the roulette here to add your bet you don't have to pick a number you can pick a color or a series of numbers so to be safer the other one is more of a dual just two schemes and I did not implement that and this integration just because OpenSSL was not ready they didn't even support multiple key shares at the time which is needed by the base pack so when they do and we can take that code and upgrade it and do more advanced hybrid schemes for PGI it's we haven't done that yet what's a good future work it's also not as urgent because for key exchange as I said you can record the traffic now and decrypt it later so the attack is valid today for breaking the authentication it's an active attack so you need somebody to be able to break your signature or forge your certificate during the lifetime of the certificate so that's like let's say the certificate is valid for you so if we have quantum computer in ten years and nine years we'll care about that but we're starting to think about it so and the year or two we'll probably have a solution for that and the question is out do you convey two signatures in the TLS exchange so do you have two certificates do you have a certificate with two public keys one and an extension do you use the TLS extension mechanisms to provide a second public key multiple ways to go around it about it and this paper is a good overview of all the problems that needs to be solved in that case but as I said it's not as urgent for ibrid deployments today but our performance measures with
TLS 1.3 that was Ron just on this machine on localhost between the client and server just to get ballpark figures so nothing's optimized but just to get the ballpark and that's with the schemes that were in oqs some of the schemes so we see again that the lattice the ring version of the lattice performed very well very comparable to EC DHE which is the orange baseline and when you remove the ring assumptions you get something like Frodo and it's not as efficient but more more trusty more trusting us in it and something like and true surface like this something like psych which is really nice because it's a very comparable to elliptic curves the closest thing we have to elliptic curves it can be a drop-in replacements and a lot of protocols that assume elliptic curve the field and type exchanges unfortunately they don't perform as well and for signatures we get the expected again Q test law wand lattice scheme performs very well as well as ECDSA with P 256 and picnic it's a simpler assumptions and the way hash functions performs this a bit slower than RSA okay
so that was one tlso has been a lot of work in TLS because it's an important protocol we also did other integrations one is an SSH SSH [Music] as another protocol I mean it's you know similar to TLS in in spirit so you can go in and replace the crypto parts with the post quantum once and it's another exercise that we did and the latest software that we have is a fork of openness the sage 7.7 uses the key exchange algorithms in oqs so the more we had and refreshed that fork then the more algorithms we'll have in there and it supports a post quantum and hybrid modes for the key exchange only no signature is yet so I don't want to spend too much time on that because a little bit similar ideas but you can check it out in our fork if you want to try so another interesting integration
point that we have is open VPN so unlike other VPN solutions Open VPN uses TLS for its security so which is nice and uses open SSL so we can use the open SSL fork to to protect the VPN exchange and so we have a fork of Open VPN that allows you to test the key exchange algorithms and use either RSA or picnic certificate so what's nice about that is
that for a long time in the future there's going to be applications that will never be updated or there's going to take a long time to be updated so there's gonna be a long tail set of applications that will not be quantum safe for a long time so what you can do is just have your classical software running and just wrap it in a VPN post quantum VPN tunnel so then you don't have to touch the applications and you can just secure the channel and you get great protection against quantum computers in centralized manner so we tested that for example with a client our raspberry pi and when those clients communicating with Azure VM Linux VM and to do that also have your did a little experiment with you have their mobile phones connect to an access point and then that thing calls your web services or post quantum VPN so don't have to change the phone or have to change your applications it's very cheap and easy way to achieve that and that's project is available also on our get up page and a welcome to try it another integration
that we did was an artwork to see if we could actually write these these post quantum libraries in insecure hardware so we partnered with the ultimate goal tried it on one over there HSM and essentially we just using their their the reference implementation of picnic and and compiled it for the HSM a little bit of engineering there and then got it to work able to issue picnic root certificates on the device and be able to issue end users RSA certificates and everything works as expected and the details of that are can be found in the picnic NIST submission so if you're interested so all this goes to to say that we've post contemn cryptography is it's it's it's just crypto algorithms okay it's nothing fancy about it there's just things that we have not studied for 20 years so they're they're new but other than that there's just regular algorithms they can be integrated across all the software stack and art we're so at this point it's a matter of us in community and if any of you have a software that they realize on cryptography you can take these things and starting with the open quantum safe project and try to integrate it and see what breaks so we wanna we want to see
what breaks and and know and you as owner of crypto software you want to see if you put it these new coil golems what's gonna break so you can be agile and be able to change it when it's ready not today but in 10 years when you'll have to change then you want to be ready and good thing to try it now and you can give feedback to descriptive designers then this competition is quite new its recent so there's these algorithms I'll be able to update themselves before the final so if we find out that just by just changing this this property's reduced the bit size by one or two it's gonna fit this application it's good feedback for the designers of these algorithms and hybrid solutions important thing to consider and because it's cheap way as we've seen it with TLS it's not a big impact but it could have a great protection for future proofing your your data against quantum computers and also centralized solutions like having a post-mortem VPN allows you to get a blanket protection without modifying your legacy applications or touching all your applications today so that's that I'm gonna switch to the TLS demo I'm gonna run it on localhost
because you know DEFCON so I will not communicate with a real web server but everything is real code running here apologize is very small so let's see I'm gonna try to type and hold the mic at the same time so what the first thing I'm gonna do this is in our open SSL fork the first thing I'm gonna do is generate a certificate you can't really read but it's the standard openness is I'll tune the requests tool to generate a certificate the only thing that's different is I am requesting a Q test lucky all the rest is standard open SSL so there he goes it's very fast as expected we just print out the certificate that was just okay it's
like looks like an RSA thigh ski like some crypto algorithms will just scroll a few screens until it ends but cute
Tesla is a very compact scheme and very efficient being a lattice one the key
also works pretty well so now I'm gonna just start a server so it's the s server tool specifying the certificate cute Tesla one that's yeah it's Artie and cutest low key and asking for TLS 1.3 all right there we go and now on the other console I'm just gonna have the client it's going to ask for Frodo so it's gonna be a Frodo key exchange with the authentication is going to be provided with Q Tesla so it's a fully post quantum key exchange and authentication transaction and it's going to talk to the port here so there you go because the exchange got the certificate you're gonna have to believe me what's written here because it's not very clear but signature q Tesla Wan and the server p2p o actually asked for the hybrid P 256 here so you see that's the hybrid scheme so I did ec DHT with P 256 curve and using Frodo and we get TLS 1.2 connection so now let's try to deploy that in an actual web server so I'm gonna copy these certificates is at copy q Tesla dot star into my engines configuration directory it's asking for my password first try very nice so let me just okay so I'm going to just look at the engine's configuration and we can see here I'm specifying the cutest la certificate as the SSL certificate and then the last line SSL protocol TLS 1.3 so I'm just going to start it all right the web server now is running and I'm just gonna repeat my client call same thing so establish the communication and then we can make sure that the HTTP connection works I'm just gonna get the default web page get slash and I get the HTML welcome page back all this calling from a TLS 1.3 post Quantum client to tell us 1.3 post quantum server everything works well and you can deploy that and have fun today in the hybrid mode and get protection against the quantum computers that might be built in 10 years or might actually been built in some very dark rooms and very powerful organizations so that completes
the talk I'll be happy to answer questions if you have any [Applause]