ideas like this. And there's a lot of XORing and shift rotating the bits and stuff like that.

Okay, so how do you create a random number? Well, I'm not sure there's a proof that randomness exists, but quantum physics certainly postulates that it does. The quantum events are essentially random. If you have a radioactive atom or whatever and it has a certain half-life, that means the probability it will decay in that amount of time is 50-50. And there is no way to predict whether that particular particle will decay earlier or later. There's a 50-50 chance. Okay? So you can use quantum phenomena, and people do. Microchanges in temperature, I guess in principle those aren't truly random, but they're close enough because the movement of, I mean, what's temperature? It's movement of molecules. And the molecules are bouncing off of each other. You really have this totally chaotic system. And when I say micro, I mean measuring, you know, thousandths or ten-thousandths or hundred-thousandths of a degree change, maybe even more than that. Anyway, I don't know how to do this, but engineers do. And these do get used, but they're somewhat inefficient. This is not a good way to generate lots and lots of random bits. Yeah. You can look at the stock market, yeah, except that doesn't generate very many random bits, but that's something to do.

What people did in the early days frequently is they would take all the internal states of the computer and mash them together and get random bits there. It turned out sometimes they weren't looking at enough internal states and they didn't have enough random bits. I mean, you can calculate the entropy. What people actually do is they will take a small number of random bits generated somehow, hopefully really randomly, and then they'll run it through a function iteratively. I called it RAND here. So you'll start with n bits that are truly random, if you hope. Then you will apply this RAND function, you get n more bits which are supposed to look random.
They're not, they depend on the original ones, but then you just keep doing this, you get this whole list of things. So people create these, people call this a pseudo-random number generator, okay? And the idea is that the output should be indistinguishable in some appropriate sense from a truly random list of numbers. And there are various ways of measuring randomness, some more convincing than others. You need this, you need hash functions to do digital signatures, you need pseudo-random number generators to do any sort of secure public key cryptography or digital signatures.

Okay, so that's what I just said. After generating this truly random seed, you run it through this function. If someone can compromise the place you're getting that seed, sigma zero, you're doomed. Because the RAND function, that's a public function, everyone knows that. If someone knows your sigma zero, they know all your sigmas.

Okay, now the definitions of hash functions and these pseudo-random number generators, it's not that complicated to state what you want. It's very, very hard to actually build these. It's very easy to build things that look random and that look like they're secure hash functions but aren't. So I guess what I'm trying to say is, I hope everyone's finding this introduction really interesting. You are not crypto experts who can go out and build secure software after seeing this lecture. I'm not even really capable of doing that.

Okay, so how hard are these hard problems? Integer factorization, CVP, discrete logs? And the honest answer is we really don't know. We don't have proofs that any of them are hard. A big open problem in computer science is to prove lower bounds on the complexity of computing things. A lot of the problems, well, I guess not a lot of these, in many cases one can prove a certain problem is what's called NP-complete or NP-hard, which is a certain level of complexity.
But we don't actually have a proof that NP-hard problems can't be computed quickly. We just think they can't. That's the famous P versus NP problem that has the million dollar reward.

So here's the practical answer. How hard are these problems using the algorithms we know? So this is time dependent. Thirty-some-odd years ago, before the number field sieve was created, the top two lines here were different. So people invent new algorithms, it gets quicker. In integer factorization and the discrete log problem on the multiplicative group, this is about how many steps it takes to solve them: e raised to the cube root of the log of the main parameter, the modulus. And using those, secure cryptosystems require two to 4,000 bits. The elliptic curve discrete log takes about square root of p steps. That may look smaller than this exponential, but it's not. This square root of p is e raised to the one-half log p, right? But here we've got e raised to the cube root of log p, which is smaller. So this is harder. Elliptic curve systems have smaller keys, smaller ciphertexts. And the CVP thing is roughly a constant in the dimension of the lattice. And they're roughly the same size as the older ones. This is all great. 4,000 bits is really not that much unless you're doing these square barcodes.

But this is how hard it is to break these systems using existing algorithms on existing computers. And you can build in Moore's law if you want. I mean, if you double your computing speed every year, that just means the bit security is increasing by 1, right? Multiplying by 2 just makes the length of the binary number one extra bit. So that's actually not a big deal. It's new algorithms that are the danger. And the new algorithms that were suggested are based on quantum computers. I know very little about quantum computers, so this is a super high-level summary of what I know plus a little beyond, some stuff I don't really know. But anyway, so quantum computers use what are called qubits.
The computers in your laptops, the chips use bits. A bit is either 0 or 1. It's on or off. Actually not really. It's either positive or negative because it's using charges. But anyway, it's just got two states. A quantum bit, well, if you read the popular literature, takes all values between 0 and 1. But how does it do that? Well, that's not quite what happens. What it really is, is a quantum state is represented by a complex probability distribution, okay? And it has a probability of having various values. And it turns out that if you have a computer that has n of these quantum bits, you can do 2 to the n operations sort of simultaneously. So that's an exponential speedup. That is fantastic if you're actually trying to compute things in the real world. It's a disaster for most crypto systems.

So far, the largest quantum computers built, I said a handful of bits here. I think last time, I think IBM may have built one that has almost 100 qubits. And it changes every week, so I wasn't going to try to be accurate. You can Google how big is the largest existing quantum computer, if you want, and get some idea. But I like this analogy. So quantum computers, I mean, ten years ago, the biggest quantum computers, I think, had four bits. Okay? But, I mean, the first airplane went 852 feet in 1903. It took less than 20 years to have airplanes with the largest all over the battlefields of World War I. And it took less than 30 years after that to have jets going 500 miles an hour. Okay? So to go from a 4-bit quantum computer to a 4-megabit quantum computer, I mean, 50 years seems reasonable. And people have been working on this already for a while.

So here's the big paper that, oh, I'm really running out of time. Okay. So Peter Shor is the one who came up with this idea. And he published a paper that said, if you could build a computer that operated using quantum mechanics, then you could break, you could factor really fast, almost linear time.
You could solve the discrete log, just linear time. Okay? So it's, sorry, quadratic time. That's fast enough to break all these systems. So people started looking for public key crypto systems and digital signatures that could not be broken on a quantum computer, by which I just mean people don't know how to.

And, yeah, I do like this slide as well. Actually, I have two minutes and two slides. That's good. Why should we worry about this if quantum computers won't be built for 5, 10, 20, 30 years? Well, there are a bunch of reasons. One, the current infrastructure: if you want to change all the software in the world that's using cryptography, that takes decades. It's very expensive. So you need to start now. You should start building it into all your software so that even if you're not using it now, you can just sort of turn it on when you need it. That's much less expensive than retrofitting it. And the other thing is if you have a digital document, okay, you guys are a little young, someday you'll buy a condo or a house. And your ownership may be based on a digital document that's digitally signed. You probably don't want someone to be able to steal your house when they can build a quantum computer. So you want that signature to be secure for 50, 60, 70, 80 years.

Okay. So Christelle mentioned this, that NIST, the National Institute of Standards and Technology, ran what they didn't call a competition but was really a competition to pick some crypto systems that are secure for quantum computers, against quantum computers. They just announced the four systems that they are going to standardize. One public key crypto system, three digital signatures. You might think, why not just pick the best one? Well, there is no best. They have to be secure, but you know, this one's faster in hardware implementation. This one's faster in software. This one has big keys but small messages. This one has small keys. So there's all sorts of compromises.
So they picked ones that were kind of in the middle.

And the final slide, I am going to do this because it's fun, is this is my own personal experience working in cryptography as a mathematician. These are the lessons I've learned. First, cryptanalysts, which is the name given to people who break crypto systems, they are incredibly clever. And they don't play by your rules. If you create a crypto system you think is secure and you've spent 100 hours checking it, that's irrelevant. You want 100 people who are experts at breaking these systems checking it. And then you can start to feel a little confident. They'll break the algorithm, they'll break implementations, they'll break software, hardware, the random number generator. They always attack the weakest part of your system. There were crypto systems built on chips where the way people broke them was they put them in a microwave and ran the microwave to make the bits work improperly. And you're always trying to make your crypto system as efficient as possible. And any time you take a crypto system and make it more efficient, you have about a 99 percent chance that you've made it insecure. But it's still worth doing because you do want efficiency, and that 1 percent of the time it works, that's good. So it's kind of like math, 99 percent of your math ideas to do a proof probably don't work. That's about my ratio. But you need to do those to get to the 1 percent that does.

So thank you very much. Sorry, I went over a couple of minutes. And I guess I'll see people in the tent.
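As an added worked comparison, not part of the lecture, here are the lecture's two running-time expressions written in the same form, which is what makes the "this is harder" claim about elliptic curves explicit, together with the one-bit-per-doubling arithmetic behind the Moore's law remark. The symbol $p$ is the main parameter (modulus or group order) as in the talk, and $\log$ is the natural logarithm.

$$\sqrt{p} \;=\; p^{1/2} \;=\; e^{\frac{1}{2}\log p}$$

The lecture's simplified cost for factoring and for the discrete log in the multiplicative group is

$$e^{(\log p)^{1/3}}$$

Comparing exponents,

$$\frac{\tfrac{1}{2}\log p}{(\log p)^{1/3}} \;=\; \tfrac{1}{2}\,(\log p)^{2/3} \;\longrightarrow\; \infty \quad\text{as } p \to \infty,$$

so $\sqrt{p}$ grows far faster than $e^{(\log p)^{1/3}}$: for the same size of $p$, the elliptic curve problem costs more steps, which is why elliptic curve systems get away with smaller keys.

For Moore's law, if a machine performs $W$ steps in a year and next year's performs $2W$, then

$$\log_2 (2W) \;=\; \log_2 W + 1,$$

i.e. each doubling of computing speed removes exactly one bit of security, matching the "one extra bit" remark.

One caveat a practitioner should keep in mind: the $e^{(\log p)^{1/3}}$ form drops the constant and the $(\log\log p)^{2/3}$ factor of the actual number field sieve estimate, $L_p[1/3, c] = e^{\,c\,(\log p)^{1/3}(\log\log p)^{2/3}}$ with $c = (64/9)^{1/3} \approx 1.92$. The asymptotic comparison above survives that correction unchanged, but concrete key sizes such as the lecture's "two to 4,000 bits" cannot be read off the simplified expression; they come from the full estimate plus the record computations actually carried out.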
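The seed-then-iterate construction the lecture describes (a truly random sigma zero, then sigma one = RAND(sigma zero), sigma two = RAND(sigma one), and so on), written out as an added example that is not part of the lecture or its slides. The lecture never names a concrete RAND function; using SHA-256 for it is an assumption made here, as is the choice of `os.urandom` as the source of the initial seed. The block also shows two practitioner checks the lecture alludes to: that two generators sharing sigma zero produce identical streams forever (the "if someone knows your sigma zero, they know all your sigmas" point), and one of the "ways of measuring randomness", the frequency (monobit) statistic, applied to the generator's output and to a constructed obviously non-random bit string.

```python
import hashlib
import os
from math import erfc, sqrt


def rand_step(state: bytes) -> bytes:
    """The public RAND function: sigma_{i+1} = RAND(sigma_i).

    The lecture does not fix a concrete function; SHA-256 is an assumption
    made for this example. Because RAND is public, every sigma_i follows
    from sigma_0 alone, so all the secrecy lives in sigma_0.
    """
    return hashlib.sha256(state).digest()


def seed_is_acceptable(seed: bytes, min_seed_bits: int = 128) -> bool:
    """Cheap sanity check: a seed shorter than the required entropy cannot
    possibly carry it. (Length is necessary, not sufficient.)"""
    return len(seed) * 8 >= min_seed_bits


class IteratedPRNG:
    """Seed -> RAND -> RAND -> ... as sketched in the lecture."""

    def __init__(self, seed: bytes, min_seed_bits: int = 128):
        if not seed_is_acceptable(seed, min_seed_bits):
            raise ValueError(f"seed must carry at least {min_seed_bits} bits")
        self.state = seed  # sigma_0

    def next_block(self) -> bytes:
        # Lecture design: the new state is also the output block. Deployed
        # DRBGs (e.g. those in NIST SP 800-90A) derive output from the state
        # through a separate step so a leaked output block does not hand over
        # the state; that refinement is deliberately left out here.
        self.state = rand_step(self.state)
        return self.state


def fresh_seed(nbytes: int = 32) -> bytes:
    """sigma_0 from the OS entropy pool: the 'truly random, if you hope' part."""
    return os.urandom(nbytes)


def bits_from_stream(prng: IteratedPRNG, nbits: int) -> str:
    """Unroll the list of sigmas into a '0'/'1' string of the requested length."""
    out = ""
    while len(out) < nbits:
        out += "".join(format(b, "08b") for b in prng.next_block())
    return out[:nbits]


def same_seed_same_stream(seed: bytes, blocks: int = 4) -> bool:
    """Two generators that share sigma_0 agree on every later sigma_i."""
    a, b = IteratedPRNG(seed), IteratedPRNG(seed)
    return all(a.next_block() == b.next_block() for _ in range(blocks))


def monobit_p_value(bits: str) -> float:
    """Frequency (monobit) test, the simplest 'way of measuring randomness'.

    Maps bits to +1/-1, sums them, and returns the probability that fair
    coin flips would give a sum at least this far from zero. This is the
    statistic of the first test in NIST SP 800-22; a p-value below 0.01 is
    the usual failure threshold. Passing it says very little on its own.
    """
    n = len(bits)
    s = sum(1 if bit == "1" else -1 for bit in bits)
    return erfc(abs(s) / sqrt(n) / sqrt(2))


if __name__ == "__main__":
    seed = fresh_seed()
    print("shared seed reproduces the stream:", same_seed_same_stream(seed))
    stream = bits_from_stream(IteratedPRNG(seed), 4096)
    print("monobit p-value of 4096 output bits:", round(monobit_p_value(stream), 4))
    # Constructed, obviously non-random input for comparison:
    print("monobit p-value of 4096 zero bits:", monobit_p_value("0" * 4096))
```

Running it prints `True` for the shared-seed check, a p-value somewhere in (0, 1] for the hashed stream, and a p-value of essentially zero for the all-zero string. The all-zero string fails the monobit test, but an attacker who has the seed will pass every statistical test with a stream that is, for them, entirely predictable, which is the lecture's point: statistical tests measure how the output looks, not where sigma zero came from.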