Hello everybody. Let me introduce Andrew Savchenko, who will speak about quantum computing. Will you please stop talking?

Ladies and gentlemen, my talk will be about what a quantum computer is. Can you hear me? Can I have a mic? Now you can hear me. So, my talk will consist of three parts. The first part will be what a quantum computer is, how the physics works here, how the hardware works here, and you will find some physics in this part. The second part is how this impacts the cryptography we use daily in our lives. You will find some math here. And the third part will be how we can deal with this problem and what free software solutions are available to handle this. So, please don't expect full strictness of this talk, because it's just an overview, nor completeness, because I will skip some corner cases and some complicated matters. It's just impossible to fit all this into a small time. And you will encounter some equations. I will try to be simple, but there will still be some math. Okay. So, let's first of all set up terminology. I will name cryptography as classical or usual or common: just the cryptography we are used to using daily, like AES or RSA, DSA, elliptic curves and whatever. I will refer to it as classical or common cryptography. There is also the term quantum cryptography. I will skip this topic because it has nothing to do with post-quantum cryptography. It uses the same quantum mechanical properties of particles and matter, but it depends entirely on proprietary hardware. And there are no free software solutions available here. And this hardware is extremely expensive and not available for everyone. So, quantum cryptography will be mostly outside of my talk here. And finally, post-quantum cryptography: these are cryptography algorithms that are designed to withstand the abilities of quantum computers that will be available in the near future. So, let's talk first about quantum computing.
As with usual computing, it has three base elements, base stages on which it is built. First of all, the most basic element is the qubit. What is a qubit? It's an analog of the usual bit which is used in computers everywhere. But it is quantum and it is different. We will see how. The second part is quantum logic gates. These are devices and means to operate on quantum bits and to realize different logical and arithmetical actions. And the third part is the quantum algorithm. It's a sequence of quantum gates which is used to perform some task when applied to qubits. So, let's see, let's take a particle, a fundamental particle. We may take many different particles. But for example, let's take an electron with its spin. Do you know what spin is, or should I explain this to you? Louder? Okay. Should I explain to you what the spin of an electron is? Okay. An electron is a fundamental particle and it has some quantities like mass and charge. It may have momentum, coordinates, and also it has a unique quantum property which can be seen as a self-rotation of the particle. This quantity can have only two values. It can be up and down. You can see this here. This is spin up, this is spin down. And you can denote them as vectors. They are usually denoted like this. This is the vector for spin up, with an arrow up or a one, and spin down as a zero. We can take not only spin but, for example, a photon particle which is polarized in different directions: zero polarization or 90 degrees polarization. Polarization is just an angle between electrical and magnetic fields. So if we have such a particle, I will consider spin for the next considerations because spin is easier to understand here, and it can be in state one or in state zero. But we have such an entity for each particle which is called the wave function. The wave function is an inherent property of anything, any object in this world, including yourself. You have wave functions too, many of them. And this wave function can be described as a combination of two states.
And both states, one and zero, exist at once. This is how nature works. This is what is called superposition of the wave function. There are many ways in which this can be understood, or at least attempted to be understood, on the level of usual life, because this concept is counter-intuitive. But this is how nature works. And my professor in quantum mechanics told me: just shut up and calculate. This is the most efficient way to work with this stuff. Because the equations, they are perfect, they work flawlessly. And it really doesn't require that we understand nature by our own means. So these numbers here, alpha zero and alpha one, are amplitudes of the state. And they are related to the probabilities of this particle being in state zero or in state one. So these numbers are complex numbers and their squares give the probability. So if we measure the spin of the electron, we will sometimes get zero and sometimes one. But these results of zero and one will behave according to the probabilities described by these numbers. Next there is the so-called EPR paradox, the Einstein-Podolsky-Rosen paradox, which means particle entanglement. It is interesting that this paradox was created to show that quantum mechanics is irrational and wrong. Because Einstein thought it cannot work that way, but it works. And these equations are very great. And what happens? Let's take two particles. We can take one particle, place it here, another particle, place it there. And they are independent and not connected, so there is nothing interesting here. But if we put them together, their wave functions will intertwine and they will form a more complex system. And the system will have the product of all possible states for each particle. So if we take two qubits, two electrons for example, they will have four possible states. If we add a third particle, they will have eight possible states. So the complexity of the system increases exponentially with each particle.
This means that qubits can be described in exponential form as the sum of all possible amplitudes. And this way, when we add just one element to the system, we double its memory capacity and its processing capacity. This is a feature unique to quantum states and it cannot be seen in the usual electronics we use daily. So n qubits describe 2 to the power n states at once. All the states exist together. And this can be seen like all possible different universes where all the states, all these varieties of states, are enabled. They exist at once, and when we measure this particle, a very interesting effect happens. When we measure it, the function collapses and we receive only one result of all possible values. Of course, there are different probabilities, which are explained by these coefficients. This is the main power of quantum computing, because the power of the system grows exponentially. So what can you do, for example, with these qubits? If you have a four terabyte HDD drive with your movies, data and so on, it is sufficient to have only 42 qubits to store all your data in this system, just in 42 tiny items, for example. You can store the entire content of this hard drive. And if you take 273 qubits, they will be sufficient to store information which can exist in all atoms in the visible universe. So if you take each atom in the universe and assign bit 0 or 1 to it, you will need just 273 qubits to contain all these possible numbers. This is absolutely amazing and a great feature. And the states can be manipulated by affecting the amplitude coefficients. But, well, if it's so cool, it should be able to do many things, not just to hack cryptography, but it has some limitations. Only n bits can be extracted from the 2 to the power n states. So if you store your movie, your HDD, it exists there, but you cannot retrieve it. You can retrieve only n random bits, only 42 random bits from all this data.
So this is a huge limitation of quantum computing, and this limits what algorithms can be used. It can be used only in the cases where you have generated a lot of possible states of data and you need to map-reduce them somehow to collapse them into the n bits which are interesting to you. And the result each time will be random. This is a non-deterministic machine, so you will not have the same result each time, but you will have some probability. And you can repeat several times and extract whatever you want. How can qubits be implemented? There are many ways. Electron spin, atomic nuclear spin can be used for these intentions too. Photons can be used, quantum dots, and there are many other inventions. They all have something interesting which can be used to create a quantum machine. But there are many problems. The main problem is stability. The system is in an excited state. It wants to decay. It wants to forget what it is, so qubits, at least right now, can't exist for a long period of time. They decay. You have to use them fast and create them once more. And there is a problem with error correction, because errors build up fast and they should be corrected. This is solved by theoretical works and in some practical implementations too. So you may ask, why are we using just two states? We can use three states, for example. These are known as qutrits. They have some advantages like more stable decoherence, but they are hard to implement and hard to manipulate. It's the same with usual trits. At the beginning of usual computing, trits existed. And there were some machines which were using not bits, but trits. But they are harder to implement, harder to use, and nobody bothers to implement this in reality. And there is such a solution as quantum storage. It allows you to store bits from your qubit to some permanent storage. Permanent in terms of quantum computing is right now about two seconds. It is considered a very long time.
It was achieved experimentally here, and later in my presentation you will see numbers in square brackets. They are interactive links and can be used to follow for further reading of various materials. All of them are present at the end of the presentation. And this storage was implemented several years ago using a phosphorus atom, and this is very interesting work, because it's the first result where for several seconds people were able to save this data. Okay, what are quantum gates? Quantum gates are, from a theoretical point of view, just matrices. So any interaction in our world is basically a matrix. And when someone tells you that our world is a matrix, this is to a great degree true. It's indeed a lot of matrices which are interacting with each other. And they can be implemented using various physical technologies like ion traps or nuclear magnetic resonance. You are probably all accustomed to this effect, because this is how magnetic resonance tomography works. Actually, magnetic resonance tomography is nuclear magnetic resonance tomography, and each such tomograph is a nuclear device. But in order not to scare people, managers usually avoid the word nuclear and say magnetic resonance tomography. It's perfectly safe, it has nothing to do with radioactivity, but the physics in there is purely nuclear. And the very same effect can be used to manipulate such states. So it is possible, it was proved in theory, that we can provide the full set of logical operators which you are used to in usual computing in quantum computing. You can implement OR, NOT, additions, multiplications, anything. But quantum computers are more efficient for very special operations; you will see this later. And there is another very interesting effect which is also used in quantum computers. All gates are reversible, in contrast to classical gates. Any operation, until a measurement is done, any operation can be reversed. This is a very valuable feature and very unusual for ordinary computing.
So this is an example from one of the UK universities of how they implement these qubits. They can be implemented on a pad from various materials at microscopic scale. You can see, and this is an example of just a few, each cell is basically a qubit. So the most important result which you should remember from the abilities of quantum computing is that it can store 2 to the power n possible states, and it can operate on the states, but it can return only n. So this can be seen as a giant map-reduce, not strictly map-reduce of course, but something similar which returns you a very small piece of data at the end of its work. And in quantum computing, 2 plus 2 equals 5 is an absolutely normal situation, as I said, because the result is probabilistic. But what is important is that the probability of 2 plus 2 equals 4 is higher than the probability of 2 plus 2 equals 5. This means that each result must be either repeated multiple times until the probability of success is reached, or checked. For example, if we are doing some cryptography work and want to find a key, it is trivial to check the key which was returned, right? So we can just check it and if something is wrong, repeat the process. For further reading, if you are interested in the subject, I can recommend a very interesting book, The Physics of Quantum Information. So let's now consider one problem: how to find the period of a function. It is very important for cryptography. If we have some function on a discrete field of integer numbers and we want to find some period R, for example, in classical computing the complexity is O(N). Big O means the same degree as the argument of big O. And we can try to apply the discrete fast Fourier transformation to this function. You may ask what the hell I am proposing, because the complexity of the fast Fourier transformation is O(N log N). It is higher than the complexity of brute force in this case. But quantum computing allows the discrete Fourier transformation to be performed very fast.
It allows it to be performed in polynomial time, O((log N)^2). It was proven before, there's quite a lot of math there, but this is the main result. So you can see a quantum computer as an extremely fast and efficient fast Fourier transformation machine. And it is possible to initialize all initial data with just O(log N) operations. So you don't have to set each bit separately. This can be done in a group. So many of you maybe have heard about Shor's algorithm, which kills RSA. And what is Shor's algorithm? It's a solution for the task of the integer factorization problem. RSA is based on the fact that if you have two prime numbers P1 and P2, and we know their product only, it is extremely hard to find each number separately, if you have, for example, numbers of several hundred digits long. And this is how RSA basically works at its core. So in order to break it, one needs to find these quickly, in some polynomial time. And this can be done by turning the factorization problem into the period finding problem, which we were discussing before. So how is this done? If some numbers A and N are co-prime, we can use Fermat's little theorem, which is known from school. It is written this way: that A to the power R, where R of course is an integer, equals 1 modulo N. Then we can find this R first by using the Fourier transformation on a quantum machine. And if we found it, we can write this equation as this one. It means that we have two numbers whose product gives zero modulo N. And if we have such numbers, we can then find the greatest common divisor of N and this number. And this divisor will be the prime. So the very basic idea is that this part one and part three are implemented using usual conventional computing. You don't need a quantum computer to implement this and this one, only to do the fast discrete Fourier transform.
And the probability of this result: it was proved that each time you run the machine, it will return you the true result with probability more than one half. Of course, you should check it, and if it is wrong, you can repeat again; because the probability is quite high, you will have your result soon. So what is the complexity of the factorization process? How many operations do you need to perform in order to factorize a number N? For example, let's consider the number two to the power 4096. This corresponds to an RSA key with 4096 bits. If we use the general number field sieve, this is the best algorithm available for a general computer, you will require this huge number of operations. It is impossible in a lifetime, and even in the lifetime of our planet, to do this. So RSA is unbreakable this way. But the complexity of Shor's algorithm is polynomial; it can be depicted this way. And it is just about one billion operations. This can be done quite fast, just a split second of work, and the key is broken. So this is what happens with RSA. But what are the space requirements? How many qubits does one need in order to implement this system? Because it is very hard to have a large number of qubits in coherent states. This is a practical problem. And theory tells us that the limiting factor here is the period finding problem, which requires N squared number of elements. This is just 2N qubits. So for example, for a 4000-bit RSA key, you need 8000 qubits. But there was a very interesting achievement here by one of the teams. Yes, it is referenced here. They factorized this number, 56153, which is the product of these prime numbers, using just four qubits. So if you look at this equation and take into account that the length of this number is 16 bits, then 32 qubits are required. But these people managed to implement this attack using only four qubits. So this number can be reduced via various achievements of number theory quite greatly. And it is important that this device operated at room temperature, about 30 Kelvin.
So what about discrete logarithms? RSA is based on factorization, and DSA and elliptic curves are different. It was calculated as well for DSA and for elliptic curves. And for DSA, the requirements are approximately the same as for RSA. So it can be broken this way. As for elliptic curves, which are extremely popular now, for example ECDSA or Ed25519, they can be broken faster than RSA with comparable strength. For example, if you are using an ECC key with 256 bits, it has approximately the same strength as RSA 3072. And if RSA needs 6000 qubits, it is sufficient to have just 1015 for the elliptic curve. This means that when quantum computing is developed, elliptic curves will be broken much earlier than RSA. And all elliptic curve cryptography, which is widely used now, is not future proof. Of course, it has its benefits. It requires less CPU resources. It's faster, but it comes at a price. So there is another algorithm in quantum mechanics which is important in view of cryptography. It's called Grover's algorithm. This is basically a quantum brute force. So if you have some task where you need to, for example, brute force all possible n values and want to achieve one output, you can implement a so-called oracle function which checks if your current output is okay. And if it is okay, it is possible to perform this brute force in just square root of n operations. What does this give you? For example, if you have a key of this size, 2 to the power 256, right? For example, AES, the Advanced Encryption Standard, with this key. Then Grover's algorithm can't break it in some reasonable time. So symmetric cryptography is still safe. But if you are using a marginally secure key, for example 128, you are not secure, because it can be broken in quite a manageable time. Let's look at what complexity classes of different problems we have in number theory.
These are what are called polynomial problems, which can be solved using usual computers. These are NP problems, which cannot in the general case be solved. But there is a BQP field. This is the field of problems which can be solved using quantum computers. A quantum computer is not a remedy for each possible NP problem. It cannot solve everything, but it can solve something. For example, Shor's algorithm for the factorization problem is here. It can be solved, but Grover's algorithm cannot solve the general problem. But it can still be useful for you to brute force data. It can be used for various means. For example, to find some mean value of something, to find the minimal value in an array and similar uses. So let me remind you what the impact of quantum computing on the crypto algorithms we are using now is. Symmetric cryptography is still safe, but key sizes are halved, so you must use long keys and double them. Asymmetric cryptography is in a bad state; it is dead. It will be dead sometime in the very close future, as was estimated by IBM, for example. And elliptic curves will fall before RSA. So RSA still gives you some margin of safety, but it's not safe in the long term. And there have been developed many different algorithms which are supposed to be resistant to quantum computing. The Fourier transformation cannot be used to calculate them in reasonable time. The problem here is that it is impossible to prove this strictly mathematically. We can just assume the analysis works. For example, the same with RSA. Nobody can prove that we cannot factorize a number in polynomial time using a usual computer. Just nobody has found an algorithm to do this factorization. The same here. These algorithms are based on different ideas, and some of them have existed for a long time. For example, hash-based signatures, they have a history of about 30 years now. But they have a problem: they are quite lengthy. For example, a typical signature is about one megabyte.
That's not very practical, that's why they were not used widely, but right now we do not have another choice and we have to adapt to them. So let's talk a bit about how real this problem is. Am I talking about just some deep theory, and this is not practical? There is one system. It is a working quantum computer. It is not usable for cryptography. It can implement solutions for other problems. But it is very interesting to see the progress of this system, because it is open, it is commercially available and we can analyze it. I'm afraid that fully fledged quantum computers are just classified, because it's an extremely powerful weapon against crypto and we don't have full information available. Just several weeks ago, a machine with 2,000 qubits was announced, and this machine has some interesting features. It operates cool: cool by its functionality and cool by its temperature. It operates at just 0.015 Kelvin. Remember, qubits want to decay and you must cool them to save them. It is computing a so-called adiabatic approximation, and it is suitable, at least declared by its developers to be suitable, for discrete optimization. We will talk about this later, using quantum annealing. By the tests, it beats currently available GPU processors by several degrees. Quantum annealing is solving a problem by tunneling. Let's say you want to minimize some function with a lot of values and with a lot of parameters. It is very hard to do using usual computing because you will always fall into some local minimum, but you can do this by quantum tunneling, and this is what this machine does. This is how the quantum processor unit looks. It is called D-Wave, it looks like this, and this is basically our qubits implemented. I'm talking about this company not only because we can analyze it, but because it has some free software open and you can see at least how it works and how they manage to operate this system.
There is also Quantum Computer Language available, made by independent developers. It's completely free software. It is a C-like language for quantum computers and it contains an emulator. For a small number of bits, you can compute this on your machine. This is an example of this code. This is an implementation of the discrete fast Fourier transform, and you can see it here. This is how the number of qubits developed in time. You can see that this dependence is clearly exponential. Here is a fit to an exponential, and this means that development of this area is extremely fast and extremely efficient. This is another graph. It shows you the number of publications. I took it from arXiv.org, in this area. As you can see, growth is great. Why should you care? Because nobody will announce to you that they created a quantum machine capable of breaking the state. A lot of money is invested in this, and Snowden shows that the NSA can spend 50 million dollars on the development of such a machine; links are available. We have to be prepared for this. Development is fast and your data is not forward secure right now. It can be recorded, and it is recorded, and it can be decrypted later in some years. We need to develop new solutions, but developing something secure is very complex. We need to use well-tested algorithms, good protocols, good software and a secure environment. Of course, users are not using too simple passwords. So what can free software do here? There are solutions, for example an analog of GnuPG named Codecrypt. It can be used just as you use GnuPG in order to encrypt or sign your messages, but it uses post-quantum resistant technology. And there is an OpenSSL fork which is developed using liboqs by Open Quantum Safe. It's also free software and it can be used as a drop-in replacement for quantum computing. There is one more interesting library.
You can learn about it here, and you can find more projects on GitHub, and many of them are just stubs, just some probes and not fully functional. So Codecrypt is a GnuPG-like encryption tool, and it allows you to do signatures using a hash-based algorithm, to do asymmetric encryption using McEliece, and to use symmetric encryption if you really want a long key. 4,000 kilobits for symmetric encryption is a really huge number. And it has some shortcomings. Well, not shortcomings but design solutions. It uses in-memory encryption, so you cannot use asymmetric encryption for huge files, but this is not needed. You should use symmetric encryption and then encrypt your key asymmetrically. And there is no keyserver infrastructure, so you have no place to upload the key you generated; you have to distribute it yourself. This is an example of how it can be used to generate a key with selected algorithms. And how to sign and encrypt this data; as you can see, the interface is quite similar to GnuPG. There is also the Open Quantum Safe project I mentioned before. It provides the liboqs library, which has post-quantum-resistant key exchange using these algorithms. And they maintain a fork of OpenSSL which uses the library to implement these algorithms. But, of course, OpenSSL itself is quite a terrible solution for cryptography in the sense of huge and unmanageable, unauditable code. So, in summary, I want to emphasize that symmetric cryptography is still secure in the post-quantum era, but you need to use a long key and double your key sizes. All asymmetric cryptography in the long run is dead, and elliptic curves are dead first. So, you can try to use the free software solutions available, but please be careful, because it takes time to develop really robust and reliable software. It can be done just in a month or in a year. So, it is better right now to combine multiple systems. For example, you can encrypt your message using Codecrypt and then encrypt this result using GnuPG.
And from the outside, this will look like a normal GnuPG message, but it will have additional protection. And don't blindly trust standards with questionable constants. I had a question in the interview before the talk about what I think about the NIST proposal. NIST blew it one time when they tried to insert vulnerable constants for a random number generator, and I don't trust them, and you should be very careful when using what they will propose. So, at the end of the day, the usage of post-quantum cryptography depends on you, because it is impossible to build a secure solution without a community. You need to use it, to give it a try. If you want, it will be great if you contribute and develop something. If you are a security expert, you can audit the code or even peek into the mess. So, thank you for your attention. Any questions? Any questions?

So, thank you very much for your talk. Very, very helpful. So, you say elliptic curves are probably dead before RSA. Now, I help run the Mozilla root program, and they want to put new roots into our program. New roots for SSL, yeah? You understand? So, I help run the root program, the certificate authority program for Mozilla. Yes?

Can you please repeat that for me?

Yes, I have a problem. Okay, so, I run the root program for Mozilla. Root program, you know? And CAs come along and they say we want to add our new roots. We have new ECC roots to add, yeah? Would it be a good idea for us to tell them you may not have ECC roots unless you also have 4096 bit RSA roots, maybe?

There is another solution for this problem. Yes? Okay. The question was...

Why do you have to repeat the question if I said it into the microphone?

Yes, there is a lot of noise. Okay, the question, if I understood it correctly, was... Wait. From now, take your... Okay. So, the question was what people should do when they add roots, certificates with elliptic curves, right? The 96 bit roots. Okay. It won't help to have it, but there is another solution available.
There are so-called isogeny-based elliptic curves. So, if you really want to use elliptic curves, you can try isogeny-based curves, and they are supposed to be resistant to quantum computing. They are available in this project. This is supersingular isogeny. But if you have no ability to add them, then better use longer RSA, even 8 kilobits.

But none of the browsers support those sorts of curves, though?

Yes. Another question? Some questions? Many thanks.
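The classical parts of the reduction described in the talk (step one, picking a co-prime A, and step three, turning A^R = 1 mod N into a gcd), as an added example that is not from the talk or its slides. The period-finding step, which the talk assigns to the quantum Fourier transform, is replaced here by a classical brute-force search, so it only works for small N; the retry loop mirrors the talk's "check the result and repeat on failure" advice, and the number 56153 is the one mentioned in the talk.

```python
from math import gcd
import random


def find_order(a: int, n: int) -> int:
    """Smallest r > 0 with a**r == 1 (mod n), i.e. the period of a^x mod n.
    This is the step a quantum computer does with the quantum Fourier
    transform; here it is a plain classical loop, which is exponential in
    the bit length of n, so it is only usable for small n."""
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def factor_from_order(a: int, n: int, r: int):
    """Step three of the reduction: from a^r == 1 (mod n) with r even,
    (a^(r/2) - 1)(a^(r/2) + 1) == 0 (mod n), so gcd(a^(r/2) +/- 1, n)
    is a factor of n unless it is trivial. Returns None when this a/r pair
    gives nothing useful and the caller should retry with another a."""
    if r % 2:
        return None  # odd period: no square root of 1 to split
    half = pow(a, r // 2, n)
    if half == n - 1:
        return None  # a^(r/2) == -1 (mod n): both gcds are trivial
    for cand in (gcd(half - 1, n), gcd(half + 1, n)):
        if 1 < cand < n:
            return cand
    return None


def shor_reduction(n: int, seed: int = 1, max_tries: int = 50):
    """Full loop around the two classical steps: choose a random a,
    try to extract a factor, verify it, and repeat on failure.
    Returns (p, q) with p * q == n and p <= q, or None for a prime n
    (or if max_tries is exhausted). The seed only makes runs repeatable."""
    if n % 2 == 0:
        return 2, n // 2
    rng = random.Random(seed)
    for _ in range(max_tries):
        a = rng.randrange(2, n)
        g = gcd(a, n)
        if g > 1:
            # lucky pick: a already shares a factor with n, no period needed
            p = g
        else:
            p = factor_from_order(a, n, find_order(a, n))
        if p is not None and n % p == 0:  # the cheap check the talk mentions
            return tuple(sorted((p, n // p)))
    return None


if __name__ == "__main__":
    print(shor_reduction(15))      # (3, 5)
    print(shor_reduction(56153))   # (233, 241)
```

For 56153 the brute-force order search still runs in a fraction of a second, which is exactly the gap the quantum Fourier step is meant to close for numbers hundreds of digits long.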