CRYPTO AND PRIVACY VILLAGE - Integrating post-quantum crypto into real-life applications
Video in TIB AV-Portal

Formal Metadata
Title: CRYPTO AND PRIVACY VILLAGE - Integrating post-quantum crypto into real-life applications
License: CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date: 2018
Language: English
00:00
Please welcome our next speaker, Christian Paquin, on integrating post-quantum crypto into real-life applications. Thank you, thank you. So welcome everybody to the last session in the Crypto and Privacy Village. First of all, I'd like to thank the organizers for the invitation; it's a great pleasure to have come here to present my work, along with the work of my esteemed colleagues from post-quantum cryptography research. Today I'll be talking about our experiments and incubation projects of integrating post-quantum cryptography into real-life applications. So, a little outline, very
00:50
straightforward and logical: start by introducing what quantum computing is, then talk about what we need to do after that, the post-quantum world, and then I'll discuss our integration experiments. So first of all, just a
01:09
little poll: who in the room is familiar, not just with the word, but with how quantum computing works? Oh, very good. For those on YouTube, we'll see that later in the comments.
01:22
OK, so we've all heard about quantum computing, at least the words, and we've been hearing that the quantum revolution is coming. Well, I've been hearing that for a very long time. I was a very young
01:36
student at the University of Montreal, well, a bit more than 20 years ago, studying quantum computing and quantum cryptography under the supervision of Gilles Brassard, who co-created quantum key distribution and quantum teleportation. So it was really hard to be in that lab and do anything other than quantum; it was quantum everything. Then I decided to go and get a job. It was a bit hard to be doing applied cryptography and doing some quantum things at the time, so I went off to become a crypto developer. I worked at the company Zero-Knowledge Systems, where we built a predecessor to Tor, did some PKI work, then I went to a company called Credentica, where we built an anonymous credential system, PKI with privacy, a technology called U-Prove. I ended up at Microsoft, and then many years later I'm back at this quantum thing, but this time on the other side of the fence: not trying to build a quantum computer but trying to defend against it, and I'll talk about it a bit more. So it's hard to just keep track of what's going on there; every week there seems to be a new result, a new quantum computer being built, bigger, many more qubits. I can't put slides of all the news reports anymore, so I just put the search slide and the search link, and then you'll be able to find the results of the week. Also, down the hall, my colleagues at Microsoft Research are building, or trying to build, a quantum computer, and also introduced this year a Visual Studio programming language, Q#, in which you can program a quantum computer. So we don't have the chip yet, but when we do we'll be able to just plug in that software and be able to use it. So they're trying really hard to do it, which means for us crypto specialists we have to do some
03:35
things to defend against it; I'll talk about it later. So first of all, what is a quantum computer? Well, very simply, it's just a machine that operates with the laws of quantum mechanics. The computers we have all operate with the classical laws of physics; we understood them, but when we start using smaller particles that follow different laws of physics, there are some really weird things that happen. So first, the basic of a quantum computer is a qubit, a quantum bit, and unlike its classical counterpart it's not either 0 or 1; it can be 0 and 1 at the same time, a bit like that famous thought experiment of the cat that can be dead or alive, Schrödinger's cat. Well, a quantum bit can be zero and one at the same time, which is great if you want to build algorithms with that, because imagine you're trying to solve a problem, let's say trying to find a path in a maze. Well, if I say zero is turn left and one is turn right, then you can put it in both 0 and 1 at the same time and then have both paths taken at the same time; all the computation paths will be followed at the same time, and at the end one of your parallel paths of computation will have found the exit to the maze. The problem is that when you look at the solution, when you look at your quantum register, at your memory, this quantum superposition is not visible to you in the classical world: one state gets picked at random depending on the amplitudes alpha and beta of the quantum bit, and only one result, at random, gets returned to you. So great parallelism, not great output. So quantum algorithms have to find ways to use quantum interference. If you remember your physics class, this double-slit experiment where you put two holes in a piece of paper, shine light, and then the wave properties, interference, make a little black-white-black-white pattern, because the waves interfere at some points, and where there should be light there's not, because the light particles interfere and cancel each other. So we can do the same with quantum algorithms, where we can just have some paths being destroyed and only the computation results that you want get popped up at the end of the computation. So it's a very subtle and hard art to design quantum algorithms, but there are a few that have been around. Another strange property is that qubits can be entangled. Entangled means: imagine you have two coins and you take them apart and you flip them, and you're gonna get zeros and ones, double zeros, double ones, zeros and ones, ones and zeros. But if they're quantum coins and you add them in a special way and they become entangled, and you can separate them and they can be very far apart, and you flip them, they're always either both zeros or both ones, either both tails or both heads; you'll never see tail and head or head and tail. That's really weird. That freaked out Einstein; he called that spooky action at a distance, because he imagined that one coin would get a result and would need to send a faster-than-light signal to the other coin so it matches its response. So it's hard to understand what's going on, but it's just an observable fact that these particles can be entangled and always share a state across space, and that can be used in quantum algorithms as well. And
07:20
quantum computers can be built with all sorts of things: the spin of an electron, the orientation of a photon. My colleagues are betting on this topological computer, built with anyons, that could provide better stability with bigger machines. And Richard Feynman, a famous physicist, famously said nobody understands quantum mechanics, you just get used to it. For us computer scientists, we don't really care; I never care how it's built, it's just a black box, and you give me these mathematical properties and we can design algorithms to solve new problems, a new class of problems. So it's
08:01
all great. Some of my colleagues are very excited about that; security folks are a bit more worried, because although quantum computing provides great advances in many fields, in chemistry to find new ways to design molecules, and in optimization problems and machine learning, it has terrible consequences for cryptography, because there are two algorithms, ironically the first two algorithms that I knew 20 years ago, that were almost only used to break cryptography. The first one here is the quantum menace to
08:35
us. This is Peter Shor, who designed in '94 his famous algorithm that, by doing what's called period finding, can be used to factor large numbers and find the discrete log of numbers, which are the two problems underpinning RSA and DSA and the elliptic curve variants like ECDH and ECDSA. So using Shor we can basically break most of the cryptography, all the public key cryptography that we use today on the Internet. The other algorithm that's very important is Grover's algorithm. It
09:20
allows database search, function inversion; it improves it by a square root factor. Essentially it's kind of described as finding a needle in a haystack; it's able to find a unique solution to the function that you're looking for, and it can be used to help the brute force of inverting a digest or breaking block ciphers like AES. And it has consequences, but they're not terrible, because of the square root improvement. What we need to do to secure against this algorithm is just double the key size of AES or double the hash size, SHA-256 to 512. So OK, it sounds bad. So how long do
10:11
we have? When is this quantum computer going to be built? Well, there have been a lot of studies about that, trying to see what's the best estimate of when the Shor algorithm will be built. Michele Mosca, a professor at Waterloo, has an often-cited quote that by 2031 there's a 1/2 chance, a 50% chance, that we'll get a quantum computer, and he revised that in 2017, last year, to this 1 in 6 chance 10 years from now. And another researcher, Simon Benjamin from Oxford: if you're willing to go Manhattan Project, meaning you just put all your effort as a big government behind it, then maybe, yeah, six to twelve years. Some of my colleagues also share this 2030 deadline or estimate. And that's a little diagram that shows you the difference between breaking RSA-2048 with a classical or a quantum computer, so you need about this number of bits for the algorithm, and for a classical computer it would take billions of years, so we're safe, we know that; for a quantum computer, depending on its operational speed, one gigahertz for example, you would just get a few seconds. So it's a game-changer; it breaks it totally. So now what we need to do: granted, the quantum people would be very optimistic and say yeah, we've been trying, we're gonna be able to soon. So I don't necessarily believe that we're gonna have a fully functional computer in 12 years, but as security specialists we have to be careful and assume the worst case and be ready to have something else. And we do need something else; we need alternatives, so-called quantum-safe algorithms or post-quantum cryptography algorithms, which are algorithms that are secure against a quantum computer. It doesn't mean that they run on a quantum computer, that doesn't mean that at all, and it's not quantum cryptography, which is another field, or quantum key distribution, which is using quantum mechanics to exchange a key. So these are all separate subjects; this is normal classical cryptography for which we don't know any
classical or quantum algorithms to break them. And that is the
12:48
big field of post-quantum cryptography, which is getting more and more attention.
12:52
But the first question we can get now is, why would we care about this now? OK, we'll think about it in 10 years, you know, we have time, we're busy, we have all sorts of things to do, we have blockchains to implement and all sorts of things. Well, one of the main reasons, the big reason, is that the secrets you have today are at risk: not to be decrypted now, but they can be captured now, recorded now, and decrypted later. All major countries have the capabilities now to just save the Internet traffic and decrypt it later, at their leisure, when they have a quantum computer. So that's very significant. Another more practical, but no less important, item is that it takes a long time to update standards and software. So we need to understand today, if we are to replace these algorithms, what it means to plug them into TLS, into SSH, and to update all our software stack. We know, in Microsoft, we have a lot of experience: from the Flame malware and Stuxnet and all, attacking very old hash functions like MD5, you know, MD5 collisions. We know it's been outdated, it's been replaced, but there's some very old software that's still running it in some weird configuration; it takes a long time to get rid of it. So we need to make sure that by the time the quantum computer is here, all the insecure algorithms are gone. And lastly, one thing that's very important to consider is the ability to use hybrid modes, so to be able to use classical cryptography with post-quantum cryptography as a safety net, to have the best of both worlds, of the two protections, and that's going to be an interesting scenario for a while. I'll
14:42
describe that later. So most of the
14:45
industry now is focused on the NIST competition. NIST is the National Institute of Standards and Technology in the U.S. It is basically the de facto, they define the de facto standards for the cryptography used around the planet; whatever NIST does typically is followed around the world. And they've basically made a call to replace the cryptography that we have today with post-quantum versions. So they have this competition; it started in November of last year, and they're basically looking for new signature and encryption mechanisms with five security levels, and they got 64 submissions in their competition: 19 signature schemes, and the rest are encryption or key encapsulation mechanisms. So you can see all the details on that at that link, all the submissions, and some of the work I'll be presenting later is integrating some of these in higher-level applications. And they think that they're gonna have standards by 2022 to 2024, so as to give us time to integrate so that we're ready by this 2030 deadline. So what do these post-quantum
16:11
algorithms look like? We know we cannot base them on factoring and we cannot base them on discrete log, because they're broken by Shor. So there are many more families of mathematical problems that we can use to build new types of cryptosystems. The first one, and the most popular one, is the lattice-based systems. They're based on mathematical lattices, and one of them has been around for a long time: NTRU has been around from the mid-nineties, always competing with RSA, but there was never a reason to move away from RSA, so it never got much traction. But now some people have been looking at it, and also at newer versions, updated problems with provable security, for example the learning with errors problem and its ring version, ring-LWE. And I'll be presenting one scheme that's been designed by Peikert, and some of my colleagues have been designing the scheme BCNS to plug it into TLS; it's been improved, optimized by another team, and became New Hope, and then there are some other subsequent schemes like Frodo that come back without the ring; I'll talk about it in a few seconds. Another family is the code-based systems. They're based on error-correcting codes; they've been around forever and they were also proposed as a public key system at the same time as RSA. So they've been around for a long time, but they have some disadvantages: they have huge keys, so they were never considered as an alternative to RSA until now, and there have been a lot of code-based systems proposed, 19 of them out of the 64. Another one is multivariate systems, so they're based on essentially multivariable polynomials and you have to solve the equations; also developed in the 90s, and now nine submissions are based on this family. The other one is hash-based systems. These ones are also very old; like a lot of these, the ideas date back a long time, because cryptography researchers have been busy proposing things, but in practice we're
very conservative: we pick the standard and we are not allowed to be creative and take new ideas very often, until we're forced to. So this one is signatures based on Lamport signatures, and Merkle, co-inventor of public key cryptography, designed this Merkle signature scheme, which is a tree of digests, and there have been newer proposals, LMS and XMSS, extended Merkle signature scheme I think that means, and these will probably be considered for earlier adoption than the NIST competition, because they're very well understood: we know the impact of a quantum computer on hash functions and we know that Grover is optimal, so we know it's like the worst-case scenario, we can go with that and we'll be safe. And there are some pros and cons with the hash tree versions, but at least we know that they'll be secure. And finally there's the other category, there are seven of them; one that we've been working on is based on isogenies, there was a talk last year in the village about it, on SIDH, and another one from my colleagues is based on symmetric ciphers and zero-knowledge proofs, called Picnic, a signature scheme. So there's a wide range, so NIST and crypto academia will be very busy analyzing all that; you know, you need a specialist in each field to concentrate on one scheme here, so it takes a lot, it's hard to find
20:09
somebody with the knowledge to look at all that. So the whole industry is looking at that in detail. I don't want to go into details about these slides because they're very small, but these are slides from NIST, after the competition deadline, that just show some results of performance that they ran. You see key sizes, so these are different families; lattices typically perform very well and some others, like the code-based ones for example, have very large public keys, and so might be more difficult to integrate. Same thing with signatures; I'll let you inspect the slides at your leisure to see the details, I'm just gonna fast-forward through that a little bit. So my colleagues: I've been dealing more with crypto integrations and programming these things; some of my colleagues are actual mathematicians building these schemes, and these are the four collaborations we had in the competition. As you can see, it's always multi-organization teams, a lot of collaboration across the industry and academia to make these. So Frodo is essentially like New Hope but without the ring assumption; it's learning with errors, so with Frodo you remove the ring, and so the team felt it was more secure, as ring learning with errors might not be as secure as we think, because it's very new, and the plain learning with errors counterpart is safer, slower, but it's safer. SIKE is an updated SIDH that allows you to reuse the keys, so it was felt it was a better design for the submission. Picnic, as I described it a little bit, and qTESLA is a ring learning with errors signature scheme. So all the code of these things is open source, like all these submissions, and you can take a look and experiment with them. So one thing we did is trying to plug these into real-life applications like TLS and OpenSSL, to see how it works. So after doing that a few times independently it gets bothersome, so along with a colleague,
22:33
Douglas Stebila, who was at McMaster, now he's at Waterloo, he started this project called Open Quantum Safe, and we joined and integrated our solutions, and I helped design the signature API in that project. Essentially the goal is to have a framework where you can plug in all these post-quantum algorithms, and then in turn you take the framework, this common API, and integrate it into your applications. So that if you take that and plug it into OpenSSL and then you have a new scheme, then you can just integrate it in OQS and then you get the integration into OpenSSL and OpenSSH for free. So it's very useful; it's been useful to us, it allows us to do prototyping really fast, and it's also open, right, so we're open to contributions. So I don't know, there are a lot of people in this room, I'm sure some of them might have been involved with one of the 64 submissions; you might want to take your submission, if the core team didn't have time to take a new algorithm and plug it in, we're trying to do that, but you can accelerate that by submitting a pull request with your own algorithm and integrating it into OQS, if you want to see how it performs in TLS, for example. There are two branches: one is the master branch, which allows us to have a tighter integration, reusing the random number generator and all the constructs of the OQS common code, and it's meant for integration in the applications, with the goal to ship it. And there's a NIST branch which has a more lightweight approach, just to take the new submissions and easily integrate them without touching their code base too much, and just to be able to compare them. So OK, you get the link there, so feel free to come use that project or contribute to it; we're welcoming feedback and new
24:31
contributions. OK, so now I'll be talking a bit about the integrations that we've been doing. So the first one we did was in TLS 1.2; we've integrated into OpenSSL 1.0.2. OpenSSL has two layers: there's the bottom crypto layer and there's the top SSL layer. So for the key exchange we only had to touch the SSL layer, because when there's post-quantum crypto we branch off to OQS rather than using the low-level crypto API. But when we integrated the signature API in the PKI, we had to touch the PKI ASN.1 infrastructure, which is in the crypto layer, so that was a bit more work, actually a lot more work, but the result is that we are able to issue post-quantum certificates and use them in TLS to do authentication. So for key exchange we have two modes: we define new cipher suites and we also defined hybrid cipher suites, in which you essentially do a classical key exchange and a post-quantum key exchange, and then you take the results of both, you concatenate them, and that's what you feed in as the premaster secret that gets fed to the key derivation function of TLS, and that gives you double the protection. So we might be worried that you're doubling the work, so it might have bad consequences on performance, but we'll see that's not that bad on the next slide. And we also, as I said, have the post-quantum certificates, and there were some problems: some of these schemes, for example Picnic, have very large signatures, and the signature size limit in TLS is 2 to the 16, so everything past level 1 of Picnic (there are levels 1, 3 and 5), so everything at 3 and 5 didn't fit in TLS. So that's why it's useful to do these experiments right now: we can see and give feedback to the designers that OK, things are too big, it won't fit, so the crypto designers might want to tweak their things, remove a few bits here and there so that it fits into the known protocols they're targeting. So that's why we were able to; in fact this work was done before the submission, it didn't fit, they
changed a few things, and what was submitted to NIST made sure that it would fit into TLS. And we also tested in Apache 2.4.25 at that time and it worked well, so you could deploy that, and you can test it: just download our fork and you'll be able to test that. If you don't have time to take notes there, that's all in the Open Quantum Safe project; everything is listed there with all the sub-projects and forks, so don't
27:22
worry about that. So this is an interesting diagram that shows our experiments running these algorithms in TLS. These are pre-NIST submissions, so all the other schemes have either been optimized or changed to be more secure, so take the performance with a grain of salt, but what's interesting is to see the trend. So you see ECDHE, the orange line here, is the baseline; that's basically what's being used today by web servers. We see that some of the post-quantum ones, like NewHope, which is ring learning with errors, are quite efficient, even more efficient than ECDHE, and the Frodo one is the same one without the ring, so just the learning with errors assumption, so it's slower, but that's not bad. These are connections per second, so here it's 900 up to 1600, and ECDHE is like 1200 there. So it's not bad. Things are going to have to give at some point; we can't have the same efficiency as we have today in a world where the quantum computer exists, but things are not catastrophic, I would say. You look at the specs of some of these crypto algorithms and the key sizes and running times are terrible, but when you plug them into real life with the good settings, you see that it's not that bad. And the other interesting thing here is that we retrieve multiple payloads, like web pages of different sizes: one byte, 1K, 10K and 100K. Normal websites today are quite big, so the cost of the crypto gets amortized: the bigger the page, the more the cost of doing the TLS negotiation gets amortized with the download time of the page, so the closer we get to normal-sized pages, they all kind of merge together and the cost of the post-quantum part is not very apparent. Bottom line, this stuff is quite practical and can be considered to be used today in the hybrid mode. And the other thing I haven't mentioned is the hybrid modes: you have here ECDHE and you have here NewHope plus ECDHE, you run both
and it's very close to ECDHE, so the cost is low, and the same thing with Frodo and Frodo plus ECDHE here. So running the hybrid is the recommended way to go for a while, because you want the security of the classical system today with the protection against the future quantum computer; you want it now and it doesn't cost you too much to have it. This is a similar diagram with signatures; also don't care about the numbers too much, but the trend: we see that comparing here Picnic and RSA for the signature, just because that was the only one available in OQS when we did that, that's pre-submission, and yes, Picnic is more expensive, it has a very big certificate, but at the end of the day, when you plug it into real-world TLS, it's really not that bad. OK, now the most interesting, more recent work: the TLS 1.3 integration. TLS 1.3 was officially released yesterday, and we already got it working. No, we didn't do that overnight; we've been working on the draft specs and draft code. This is the integration we did in OpenSSL 1.1.1 beta, and it's really nice to work with TLS 1.3. I'm just going to put all the information right there, because it's a way nicer protocol: the state machine is cleaner, so it's easier to deal with the integration points, in particular the key shares, that's where you put all the crypto information that you exchange, and it already supports hybrid with the pre-shared key (PSK) and ECDHE, so there already is a mechanism to negotiate multiple keys, which is nice that we can use. The base spec considers everything curves, because they only use elliptic curves, so we have to cheat and call ourselves curves; that's what we do to define new algorithms. But I figure that's going to be fixed at some point and somebody will write extensions; probably they want to retrofit RSA in there, I'm sure some people will do that, so somebody will define, we'll get agreement at some point, on post-quantum
official ways to integrate. So right now, just for testing and prototyping, we call ourselves curves, and we tested that in the nginx web server, just because Apache didn't support TLS 1.3 on the master branch when I tried that, but this web server did. Also you can use curl for your tests, and everything works, and the details are also on the Open Quantum Safe wiki page.
32:19
All right, I wanted to... how am I doing on time? OK, I guess I'll finish the presentation first and then get to the demo afterwards. So a little bit about
32:34
hybrid scenarios. I've been talking about the key exchange hybrid, and there are multiple ways to go about it. The first one, the one that we have implemented, is called the naive implementation: you essentially just do the classical key exchange and the post-quantum one independently, and then you just mix the results; you concatenate the results and feed that into the key derivation scheme. You just need to give a new name to this algorithm as a combo scheme, so you define a new identifier for that and then you can call it in your library. There are more advanced proposals out there, one by Whyte and one by Schanck and Stebila; they have different pros and cons. One supports multiple key shares: you could mix classical and a lattice scheme and a code-based scheme and a multivariate scheme all in there to hedge your bet. That's the roulette here: to hedge your bet you don't have to pick a number, you can pick a color or a series of numbers to be safer. The other one is more of a dual, just two schemes. I did not implement that in this integration just because OpenSSL was not ready; they didn't even support multiple key shares at the time, which is needed by the base spec, so when they do, we can take that code and upgrade it and do more advanced hybrid schemes. For PKI, we haven't done that yet; it's good future work. It's also not as urgent, because for key exchange, as I said, you can record the traffic now and decrypt it later, so the attack is valid today. For breaking the authentication it's an active attack, so you need somebody to be able to break your signature or forge your certificate during the lifetime of the certificate. So let's say the certificate is valid for a year; if we have a quantum computer in ten years, in nine years we'll care about that, but we're starting to think about it, and in a year or two we'll probably have a solution for that. And the question is, how do you convey two signatures in the TLS exchange? Do you have
two certificates? Do you have a certificate with two public keys, one in an extension? Do you use the TLS extension mechanisms to provide a second public key? Multiple ways to go about it, and this paper is a good overview of all the problems that need to be solved in that case. But as I said, it's not as urgent for hybrid deployments today. But our performance measures with
35:15
TLS 1.3: that was run just on this machine, on localhost, between the client and server, just to get ballpark figures, so nothing's optimized, but just to get the ballpark, and that's with the schemes that were in OQS, some of the schemes. So we see again that the lattice, the ring version of the lattice, performed very well, very comparable to ECDHE, which is the orange baseline, and when you remove the ring assumption you get something like Frodo, and it's not as efficient, but there's more trust in it. And something like SIKE, which is really nice, because it's very comparable to elliptic curves; it's the closest thing we have to elliptic curves, it can be a drop-in replacement in a lot of protocols that assume elliptic curves. The other kinds of key exchange, unfortunately, don't perform as well. And for signatures we get the expected: again qTESLA, a lattice scheme, performs very well, as well as ECDSA with P-256, and Picnic, which has simpler assumptions, just the way hash functions perform, is a bit slower than RSA. OK.
36:43
so that was one. TLS, so there has been a lot of work in TLS because it's an important protocol. We also did other integrations; one is in SSH. SSH is another protocol that, you know, is similar to TLS in spirit, so you can go in and replace the crypto parts with the post-quantum ones, and it's another exercise that we did. The latest software that we have is a fork of OpenSSH 7.7 that uses the key exchange algorithms in OQS, so the more we add and refresh that fork, the more algorithms we'll have in there, and it supports post-quantum and hybrid modes for the key exchange only; no signatures yet. So I don't want to spend too much time on that because it's a little bit similar ideas, but you can check it out in our fork if you want to try. So another interesting integration
37:41
point that we have is OpenVPN. Unlike other VPN solutions, OpenVPN uses TLS for its security, which is nice, and it uses OpenSSL, so we can use the OpenSSL fork to protect the VPN exchange. So we have a fork of OpenVPN that allows you to test the key exchange algorithms and use either RSA or Picnic certificates. So what's nice about that is
38:09
that for a long time in the future there are going to be applications that will never be updated, or that are going to take a long time to be updated, so there's going to be a long tail of applications that will not be quantum safe for a long time. So what you can do is just have your classical software running and just wrap it in a post-quantum VPN tunnel, so then you don't have to touch the applications, you can just secure the channel, and you get great protection against quantum computers in a centralized manner. So we tested that, for example, with a Raspberry Pi client, with those clients communicating with an Azure Linux VM, and to do that we also did a little experiment where you have their mobile phones connect to an access point and then that thing calls your web services over a post-quantum VPN, so you don't have to change the phone or change your applications; it's a very cheap and easy way to achieve that. And that project is available also on our GitHub page, and you're welcome to try it. Another integration
39:27
that we did was on hardware, to see if we could actually run these post-quantum libraries in secure hardware. So we partnered with Utimaco and tried it on one of their HSMs, and essentially we just used the reference implementation of Picnic and compiled it for the HSM, a little bit of engineering there, and then got it to work: we were able to issue Picnic root certificates on the device and be able to issue end-user RSA certificates, and everything works as expected. The details of that can be found in the Picnic NIST submission, if you're interested. So all this goes to say that post-quantum cryptography is just crypto algorithms, OK, there's nothing fancy about it; it's just things that we have not studied for 20 years, so they're new, but other than that they're just regular algorithms. They can be integrated across all the software stack and hardware. So at this point it's a matter of us, the community: if any of you have software that relies on cryptography, you can take these things, starting with the Open Quantum Safe project, and try to integrate it and see what breaks. So we want to see
40:46
what breaks, and you, as the owner of crypto software, you want to see if you put in these new algorithms what's going to break, so you can be agile and be able to change it when it's ready; not today, but in 10 years when you'll have to change, then you want to be ready, and it's a good thing to try it now. And you can give feedback to the crypto designers; this competition is quite new, it's recent, so the algorithms will be able to update themselves before the final. So if we find out that just by changing this property, reducing the bit size by one or two, it's going to fit this application, it's good feedback for the designers of these algorithms. And hybrid solutions are an important thing to consider, because it's a cheap way: as we've seen with TLS, it's not a big impact, but it could give great protection for future-proofing your data against quantum computers. And also centralized solutions, like having a post-quantum VPN, allow you to get blanket protection without modifying your legacy applications or touching all your applications today. So that's that. I'm going to switch to the TLS demo. I'm going to run it on localhost
42:06
because, you know, DEF CON, so I will not communicate with a real web server, but everything is real code running here. Apologies, it's very small, so let's see. I'm going to try to type and hold the mic at the same time. So the first thing I'm going to do, this is in our OpenSSL fork, the first thing I'm going to do is generate a certificate. You can't really read it, but it's the standard OpenSSL tool, the req tool, to generate a certificate; the only thing that's different is I am requesting a qTESLA key; all the rest is standard OpenSSL. So there it goes, it's very fast, as expected. We just print out the certificate that was just created, OK, it's
42:58
like... it looks like an RSA key. Some crypto algorithms would just scroll a few screens until it ends, but
43:05
qTESLA is a very compact scheme and very efficient, being a lattice one; the key
43:11
also works pretty well. So now I'm going to just start a server, so it's the s_server tool, specifying the certificate, the qTESLA one, that's ready, and the qTESLA key, and asking for TLS 1.3. All right, there we go. And now on the other console I'm just going to have the client; it's going to ask for Frodo, so it's going to be a Frodo key exchange, with the authentication provided with qTESLA, so it's a fully post-quantum key exchange and authentication transaction, and it's going to talk to the port here. So there you go, because the exchange got the certificate; you're going to have to believe me about what's written here, because it's not very clear, but signature qTESLA-I, and the server... actually I asked for the hybrid P-256 here, so you see that's the hybrid scheme, so it did ECDHE with the P-256 curve and using Frodo, and we get a TLS 1.2 connection. So now let's try to deploy that in an actual web server, so I'm going to copy these certificates: copy qtesla.* into my nginx configuration directory. It's asking for my password, first try, very nice. So let me just, OK, so I'm going to just look at the nginx configuration and we can see here I'm specifying the qTESLA certificate as the SSL certificate, and then the last line, SSL protocol TLS 1.3. So I'm just going to start it. All right, the web server is now running, and I'm just going to repeat my client call, same thing, so establish the communication, and then we can make sure that the HTTP connection works; I'm just going to get the default web page, GET /, and I get the HTML welcome page back. All this, calling from a TLS 1.3 post-quantum client to a TLS 1.3 post-quantum server; everything works well and you can deploy that and have fun today in the hybrid mode, and get protection against the quantum computers that might be built in 10 years, or might actually have been built in some very dark rooms in some very powerful organizations. So that completes
46:32
the talk. I'll be happy to answer questions if you have any. [Applause]