Thank you very much. I'm excited that so many people are here for this very technical talk, and worse, it's a mathematical talk. To say something hackerish: it's a good thing that you're here, because during some talks last year I told you that cryptography can guarantee us what the government cannot guarantee anymore. As already mentioned in the opening talk, we are happy that many OS companies offer good encryption now, which changes the game: if we have end-to-end encryption, then the method where I hold up an antenna in the middle is not possible anymore, so you then have to attack the end devices. That is not awesome security, but it's better than the current system.

This talk will be full, because I update every little topic in cryptography a bit and I will talk about everything that has happened during the last year. So I will talk about symmetric procedures, then about hash functions, which will keep us busy a bit; apparently there is more interest now, but it's still not treated very well. Then we will talk about public key procedures, then elliptic curves, and then post-quantum cryptography: what does it really mean for the applications to have a quantum computer? Apparently quantum computers will really come into the game, probably by 2030, and if you want to protect information for longer times we really have to think about that. If we have something like in vitro fertilization, we have the situation that you have to protect the name of the father, so we have a very long lifetime and a high expiry date, and we would like to have something similar for cryptographic protocols. But even for mathematicians it's quite difficult to predict the future.

What is quite positive, or what I find surprising, is that more and more protocols in the quantum area are being utilized. For instance, we can identify the sender of communication, so the MAC key is published; that is a sort of social demand on a protocol, but this can definitely be addressed by cryptography, and this is what I want to find a few examples for.

Let's start with symmetric cryptography. Well, RC4 is obviously broken; we suspected as much, but by now we can say that in the industry this is actually being displaced, being pushed out of the system. AES-256 is still a recommendation, but if it's really critical you can use two ciphers, a double encryption. This is something which we already had ten years ago with the CryptoPhone; this is the more super-paranoid construction, which will allow you to fend off any kind of attack. If you're doing this double encryption, the how-to is important. There's a paper by someone called Maurer: the first encryption method is obviously the one that is decisive for the security altogether, so it's a cascade relying on the strength of the first encryption. If we have something commutative, like A then B equals B then A or vice versa, that means it's irrelevant which was first. So in the symmetric area there's not that much new.

Well, let's look at hash functions. In practice they can be attacked; this was also in a talk eight years ago, and it is still valid, but with the current trusted computing standards it's still used, even though it's not recommended as much anymore. So the controlling department says we can use it, it doesn't cost anything, we're still allowed to use it, but a group of us say it should be discontinued. This is a difficult situation, which in fact does entail quite a few drastic security problems. SHA-2 is actually officially NSA home-made; it's a similar construction, but for the third version there was a different competition.

And the main selection criterion here was that it is constructed in an entirely different way. This kind of selection procedure is something that we should watch very carefully, or accompany the process critically, analogous to the model process; it is a new construction. Similarly, if we're setting up SHA-3 entirely in a new manner, this means that there are maybe different problems, but maybe you can avoid all the problems; at least it has to be accompanied critically. One demand I have for NIST: the procedure itself hasn't been optimized. Well, listen, you're in a competition with people like the US government; everyone says "we can do it better, we're faster". This isn't a good idea, so be aware of that. The developers were angry, so I think maybe that's also a success of political pressure coming from activists, coming from our side.

Well, what can you do if you're a cryptographer and you're unsure? You can scale it up, like say SHA-512; well, maybe it's even better if you use 256 bits. It's worth looking into these higher methods: making more rounds within the hash functions actually means that you obviously have a higher security standard. But this is kind of Russian space technology: if one scale isn't enough, we'll make a second one next to it. This is the kind of double approach, and this is what we've done with the CryptoPhone, but also with Bitcoin, for instance: fundamentally, SHA-256 will be done twice. I think this is actually quite a decent solution, and another benefit is obviously that, like with Bitcoin, we have different hash functions. Take for example how you generate an account within Bitcoin: SHA-256 is used as well as something which is called RIPEMD-160.
Both in combination actually enhance security. You obviously have to be careful that you're not taking the security problems of either hash function with you, like doubling the problems, but I think this is the kind of workaround which is quite elegant. Obviously it's about money, so the consensus was: to establish trust you need something which is very conservative but stable, and the reply is just "whoa, let's just hash again", with a smile. But generally I think it's quite a good idea, and this can be accomplished on a technological level: if you're looking at a program package which you're securing as a package, maybe it makes sense to have another hash function. Some software packages actually do use this method already. From an engineering point of view this is a good idea, just to have these different hash functions next to each other.

I was sure before to make a funny battle, but with three domains we don't have time for that, so I use a different description: I use the classical Weierstrass form. This means it's a curve, points in a plane, y² = x³ + ax + b, with a condition on a and b. The first thing one should pay attention to: these are the first conditions. It's easy for mathematicians to follow, but it shows that when you choose your parameters you have to see which curves to choose, as you don't want to have singularities. A short remark: I have a slightly different opinion than what was shown. The implementer should be relieved of work, but the point which is not on the curve, that's trivial; you can use one line of code to avoid it: simply put the x coordinate and the y coordinate into x and y and see what comes out. We put in numbers for x and y and see what results from this line. And it caused great joy when he said that the implementers don't have to worry about it if they use his great curves. I think he has better arguments for his presentation than avoiding a single line of code here. We want to see clearly that the parameters which you get from outside, you want to test them, and if mathematicians tell you to test these guys, you should really do that. So if it says to test whether your parameters are on the curve, as an implementer you should do it. Of course I am of one mind with the general construction, when mathematicians want to avoid bad constructions, but once again, I think it makes sense: when it is a single line of code to check that the point is on the curve, please leave it in.

Let's talk about elliptic curves. You have a nicer picture from Wikipedia: you see a curve here, and you can nicely define points. You just put a line through two points and intersect it with the curve, and you can calculate that there is one more point of intersection, and you mirror this at the x axis, or otherwise you take the inverse with respect to zero. That's a geometrical representation, and you see how easy it is to get a mathematical group from this. That's the picture; in real life you have discrete values, so you don't have a graphical description. I just wanted to show this so you can see the formulas I'm using. To say it mathematically: we use a discrete cyclic group with point addition on an elliptic curve over a finite field. In short, the problem we have so far been working on somehow with normal numbers: so far we were working with normal numbers.
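The parameter checks the talk asks implementers to keep (reject a singular curve, substitute x and y to test that a received point satisfies the curve equation) as an added Python example; this is not code from the talk. The constants are the public secp256k1 parameters (Bitcoin's curve, where a = 0), and validate_point goes one step beyond the talk's one-line test by also checking the point's order.

```python
# Added example, not from the talk: validating externally supplied parameters
# of a short Weierstrass curve y^2 = x^3 + a*x + b over GF(p), including the
# "one line of code" check that a received point really lies on the curve.
# Constants are the public secp256k1 parameters (Bitcoin's curve, where a = 0).
from typing import NamedTuple, Optional, Tuple
Point = Optional[Tuple[int, int]]  # None stands for the point at infinity
class Curve(NamedTuple):
    p: int; a: int; b: int  # prime field modulus and coefficients a, b
def is_nonsingular(c: Curve) -> bool:
    # Discriminant check: 4a^3 + 27b^2 == 0 (mod p) means a cusp or node, and
    # such a "curve" does not give a secure group, so reject the parameters.
    return (4 * pow(c.a, 3, c.p) + 27 * pow(c.b, 2, c.p)) % c.p != 0

def on_curve(c: Curve, P: Point) -> bool:
    # The one-liner: substitute x and y and see whether the equation holds.
    if P is None:
        return True
    x, y = P
    return 0 <= x < c.p and 0 <= y < c.p and (y * y - (x**3 + c.a * x + c.b)) % c.p == 0

def add(c: Curve, P: Point, Q: Point) -> Point:
    # Group law: chord (or tangent) through P and Q, third intersection mirrored in x.
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % c.p == 0:
        return None  # Q == -P
    if P == Q:
        lam = (3 * x1 * x1 + c.a) * pow(2 * y1, -1, c.p)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, c.p)
    x3 = (lam * lam - x1 - x2) % c.p
    return (x3, (lam * (x1 - x3) - y1) % c.p)

def mul(c: Curve, k: int, P: Point) -> Point:
    # Double-and-add scalar multiplication (not constant-time; validation only).
    R: Point = None
    while k > 0:
        if k & 1:
            R = add(c, R, P)
        P = add(c, P, P)
        k >>= 1
    return R

def validate_point(c: Curve, n: int, P: Point) -> bool:
    # Public-key validation: sane curve, finite point, on the curve, of order n
    # (rejects points from the twist or from a small subgroup before any use).
    return is_nonsingular(c) and P is not None and on_curve(c, P) and mul(c, n, P) is None

SECP256K1 = Curve(p=2**256 - 2**32 - 977, a=0, b=7)
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
SECP256K1_G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
               0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
```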
Now we're doing this on an interesting mathematical structure. That's the main idea we have, and based on this it could be way more secure. We now have four points which we should think about. The first problem is a generic one: when we use discrete procedures, then we have the problem that for every signature we need a new randomly generated value. That's interesting for hackers. Why? There had been a fight in CCC Berlin; in CCC Berlin there's an electron microscope, I don't know what these people are doing with it, but you can use this for moving atoms, and that's the fight. Usually it's more useful to just manipulate the random generator, and when you're talking in the hacker area, we can just repeat the value. When you repeat the value, then you have a problem. Here I have some mathematical lines; that's from the Handbook of Applied Cryptography, 1997, which is free on the net. The security problems are not in DSA itself, but in this general setting; it's visible in this note 66, in the last remark, and that's a sign that mathematicians and implementers should talk with each other more. We have a practical problem: at 27C3 we had the console, the PS3, with exactly this problem; we had contact. I don't want to make the joke that no North Koreans were working on it, but I want to go a step further, and I think a similar problem we had with Bitcoin: Bitcoin had a broken Java random generator, and then there were the first movements from accounts which were not authorized. So it's a practical problem we have today: the PS3 had this problem, Bitcoin had this problem, and in the area of hardware I can't sleep well at night when I think about these elliptic curves and this whole discussion of this cryptography, of this aggressive problem. When in my ID there are elliptic curves, I don't need the key, I just need to have access to the random generator and enter twice the same value; then I have the secret key, and that's not good. That's a problem which I will repeat my whole life, because people are just ignoring it. So probably I'll have a look at my ID. Even the talk yesterday about elliptic curves, that wasn't much new for me.

Well, what we actually know now is that we have two areas that aren't like that, where you can't transfer the attacks; there we only have generic attacks. Index calculus and what is called a sieve: this is at a sub-exponential level, but it's more than polynomial. So this just means only generic attacks; we make shorter keys because we're just assuming that we only have generic attacks. That's a sort of paradox. This is the baby-step giant-step, this is of order root n, this is the birthday paradox; this is kind of folklore. I think it's wrong to say that there's nothing except for these super easy systems. So in practice, even with SHA-256 we have 128 bits realistically.

Let's move on to quantum computation. Shor's algorithm is the most important aspect of this, for two reasons. This has even been mentioned in The Big Bang Theory; that's not the only reason why it's relevant, but also because the NSA really relies on this heavily. If you look at the formula, this is a natural logarithm, so we're still in a very low area, with n to the power of 3; that's not the problem. The elliptic curves have a shorter key length, so they're a lot more vulnerable against quantum computer attacks: due to Shor's algorithm this obviously needs a lot fewer qubits than in a comparable scenario with RSA, for example. Post-Snowden we can tell exactly where the money is going; we can see how the NSA is really heavily investing into the quantum computing area, and actually we can tell exactly how much money is going there, right up to the last cent. Just in the last weeks there's been what I call a certification apocalypse.
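For the nonce-reuse problem described above (the PS3, the broken Bitcoin Java random generator), an added defensive example that is not from the talk: a verifier-side check that flags a repeated r under one key, and a deterministic nonce derivation so that a broken random generator cannot repeat k. The signature records are constructed, and the HMAC derivation is a simplified RFC 6979-style construction, not a conforming implementation.

```python
# Added example, not from the talk: defensive handling of the per-signature
# nonce k in DSA/ECDSA. Two signatures under one key with the same r mean the
# same k was used, which exposes the private key. So (1) a monitor flags any
# repeated r per public key, and (2) the signer derives k deterministically from
# key and message (simplified RFC 6979-style HMAC construction, not a conforming
# implementation), so a faulty random generator can no longer cause a repeat.
import hashlib
import hmac
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed sample records, (key_id, r, s), as a verifier might log them.
SAMPLE_SIGNATURES = [
    ("k1", 0x3A1F, 0x7C2D),
    ("k2", 0x1B9E, 0x44D0),
    ("k1", 0x5E77, 0x0A91),
    ("k1", 0x3A1F, 0x6D12),  # same r as the first k1 record: nonce reuse
    ("k2", 0x2C04, 0x44D0),  # same s, different r: not a reuse indicator
]

def find_nonce_reuse(sigs: Iterable[Tuple[str, int, int]]) -> Dict[str, List[int]]:
    """Return {key_id: [r values seen more than once]}; any hit means key compromise."""
    seen = defaultdict(set)
    repeated = defaultdict(set)
    for key_id, r, _s in sigs:
        if r in seen[key_id]:
            repeated[key_id].add(r)
        seen[key_id].add(r)
    return {k: sorted(v) for k, v in repeated.items()}

def deterministic_nonce(priv: int, msg: bytes, n: int) -> int:
    """Derive k in [1, n-1] from (priv, msg) with HMAC-SHA256 and rejection sampling.

    Equal inputs give equal k, and different messages give unrelated k, so the
    failure the talk describes (same k for two messages) cannot come from the RNG.
    Simplified: real RFC 6979 runs an HMAC_DRBG loop; this is an illustration.
    """
    key = priv.to_bytes((n.bit_length() + 7) // 8, "big")
    shift = max(0, 256 - n.bit_length())  # keep only n.bit_length() bits
    counter = 0
    while True:
        mac = hmac.new(key, msg + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        k = int.from_bytes(mac, "big") >> shift
        if 1 <= k < n:
            return k
        counter += 1  # candidate out of range: try the next counter value
```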
With Microsoft, it all started when elliptic curves were checked in in November this year, and I'm going to be talking about that in detail in my talk later on; I just mention it here at all, but I'll be discussing it in depth later.

Moving on to RSA: I'm quite proud to demonstrate that this is a lot more stable. Even RSA in Python, just this line of code; it's a bit of a cheat or a workaround, but RSA is exactly what's put here: this is the message to the power of e, and the only mystery we have in the entire equation is the n. This actually means that there is a lot less scope for bugs and for programming errors as such. So with RSA, with key generation, this isn't like a total meltdown if there's an error on that level. With elliptic curves, we should mention that there is a specific difficulty, or patent madness, surrounding this whole area: even trivial mathematical applications are being patented, and as a mathematician you're in a constant facepalm mode about what kind of little mathematical truisms are being patented. So can you still trust the NIST or the NSA curves? There are service providers, they've put a lot of effort and research into this, they should be reliable, but can we still rely on this post-Snowden? I think what's decisive is the random bit generator, where we actually caught the NSA out. This means that even within the NIST standard there is a standardized back door actually built in, and the existence of this back door has been proved within the NIST standard through Snowden's revelations. So we should think about alternatives: there are the Brainpool curves, these are developed in the European Union, and Bernstein and Lange are also very interesting, even though some presentations are probably not necessary, but it's interesting; the work he delivered is quite interesting. But there we still need to invest more time researching.

One credit point for Bitcoin is that you should use a key that has 256 bit length. Quick quiz, well, let's have a quiz: what do you notice? What is especially strange? a is equal to zero. Yeah, that's right. Why is it equal to zero? So we leave one parameter out, and we can just calculate, and we'll say it's secure. Would you please change seats? Sorry about that. Let's be more aggressive: performance optimizing and the zeroing of parameters is probably not what you should use if you want to be secure.

Another point: post-quantum cryptography. There are some procedures and they're interesting, but we have to invest more time and money researching. Some colleagues of his are researching, and he wants people to put more money into that field, so he thinks it's a good idea. Okay, so learn from Bitcoin: Bitcoin will survive quantum computing, and the most interesting idea is the public key. Only if I do a transaction do I post my public key; it can be exposed, but when you expose it only once and your money is not on your account anymore, your attackers are not able to get it. So use a new bank account every time; I would like to repeat this at this point for the security of your bitcoins, and most implementations do it like this.

In the last part: research. We should do research in curve generation; we should realize that there are advanced signature schemes, so blind signatures and group signatures; we want to use math to make sure of our policy. Direct anonymous attestation: in 2006 an analysis was made about this, which you can find. We showed that there are parameters which you can change, and see how easy it is to reveal the identity. So mathematically we can make sure, also in the classical parts.

In summary, one of the most beautiful quotes is from Edward Snowden: crypto works. It's a basic protection, the defense against the dark arts for the digital world. Nicely put, and you can understand it easily. I'd like to close this talk with this: we have to investigate, research and inform ourselves. Thank you very much for your attention. This concludes