My name is Lukas Manina, I am from Brno University of Technology and I'm here to talk about cybersecurity in the post-quantum era. So let me first say a few words about our project, which is dedicated to this topic. Actually, this project is with Estonian partners, and it is also a cooperation of Brno University of Technology and Red Hat. This project is more or less about building networks and good relationships in research and innovation. We have six research challenges, and one of them is of course post-quantum cryptography, or quantum-safe cybersecurity. This will be the topic for today's short talk, which will take approximately 35 minutes.

So what about our motivation? As you know, today there is a lot of news about developments and innovation in the field of quantum computing, and what that means for current cybersecurity and for the protocols we are using every day. It means a lot, because in case some really functional quantum computer comes, then we have a problem; everybody has a problem, because everyone uses, let's say, a secure connection over HTTPS, right? So everyone should be aware if some quantum computer appears in the world. But what does it mean technically? We will talk about that.

So, basically, quantum computers and the current state. Right now there are a lot of big companies which are trying to build a quantum computer, for instance Google, D-Wave, or of course IBM, but all of these quantum computers are still not ready to be efficient enough to crack everything in cryptography. Right now the oldest one we have is the D-Wave, but D-Wave is based on a different approach, which is more or less like an analog computer, and even though it works with thousands of qubits, it is not able to run Shor's algorithm, which is essential for cracking current asymmetric crypto.
But other companies, or other big teams (this is not only about IBM and Google; these teams are formed from universities and researchers), are working on actual quantum computers, and now we have functional quantum computers with hundreds of qubits. But still, the good news is that these low numbers of qubits are not very efficient at running Shor's algorithm and cracking asymmetric crypto. About Shor's algorithm: it was defined in 1994 by Peter Shor, and this algorithm basically jeopardizes all asymmetric crypto. Why is that? Because this algorithm can crack the basic math problems used in asymmetric crypto: it cracks the factorization and discrete logarithm problems. So this means for us that everything used for authentication based on certificates, and for key exchange, will no longer be secure, and we need to find some substitution and secure options. But as I mentioned, we still don't have quantum computers which are able to, let's say, fully use Shor's algorithm, because there is an estimation that, for instance, if you would like to crack RSA with 2000-bit keys, you need a really functional quantum computer with 4000 perfectly working qubits, and then, okay, you are able to crack it in seconds. But this is still a big problem. Now we have only hundreds of qubits, and there is the problem that quantum computers still work with a certain probability of mistakes, and this estimation for 4000 qubits assumes that the quantum computer will be without mistakes, because you need to do the process without mistakes and then you are able to crack it in a couple of seconds. So this is good news for us, for security experts: we still have time to be prepared. And there is also another algorithm which is less known, and its name is Grover's algorithm, and this algorithm also jeopardizes symmetric crypto. Why is that?
Because this algorithm is more general, and it, let's say, reduces the effort of finding secret keys by brute force. This algorithm can jeopardize symmetric crypto, but we have a simple solution: we just need to use longer keys. So symmetric crypto and hash functions are still okay, because we can simply increase the sizes of the keys.

So what about the approaches and countermeasures against the quantum computing threats to cybersecurity? We have basically two options, two fields, which can be helpful in the quantum era. We can use quantum cryptography, also known as quantum key distribution. This approach is very, very old, and it only serves to exchange keys. If you know the Bennett and Brassard key exchange protocol, so that's it. You need expensive devices. These devices, these sets of Alice and Bob, cost like 100,000 euros. So it's very pricey, and it just serves for key exchange. But what about signing? We need to sign; we have software updates, so we have to sign the packages. We also need to authenticate. We need certificates. So quantum cryptography based on QKD does not have the answers for this. But which field has the answers? Post-quantum cryptography. Post-quantum cryptography can run directly on current computers, current platforms, because this cryptography just looks at mathematical problems and constructs cryptographic schemes differently, so that they can withstand Shor's algorithm and quantum computer attacks. So post-quantum cryptography has the cure for all the problems we have, and therefore the NIST institution, like five years ago, started the standardization and announced open calls to find new standards which can be good substitutions in the future. So let's talk directly about post-quantum cryptography; as I mentioned, this crypto solves everything in cybersecurity and prepares us for the post-quantum era.
It's a fun fact that post-quantum cryptography has been here a very long time. It's 40 years old. Some schemes are very old, but these days, when quantum computing has its boom in the news, a lot of researchers started to pay more attention to it. Post-quantum crypto can be divided into a couple of families, a couple of approaches, and we will focus on those which are also present in the standards from NIST. So the biggest family is lattice-based cryptography. This crypto uses lattices, high-dimensional grids, and it uses special problems where just a small change of coordinates causes some very hard problems: to find the secret, or to forge the signature, or to correct the ciphertext in schemes using these assumptions. This figure just illustrates a three-dimensional lattice, but it's not very good for imagining how it looks in reality, because there are of course many more dimensions. This is only an illustrative picture with a very simple lattice. As lattice-based crypto is very popular, there are a lot of schemes, a lot of proposals, and a lot of proposals also came into the NIST post-quantum crypto calls. And here is some list. I don't want to be too specific and bore you, but this is just to give you an image of how many schemes showed up. Also very remarkable is the code-based family. This family is very old. It's as old as the commonly used asymmetric cryptographic schemes like RSA, which you know, or ECDSA. This family uses error-correcting codes, which are more or less known from the link layer: when you send a message, you use the error-correction codes to fix some mistakes. So this family is also used for the post-quantum era. And the last big family is the hash-based one. Why is this family so popular and very important for us? Because the schemes are also quite old, and it was proven over time that these schemes are safe.
So this is also something which we will use in the future. And here is just a comparison of all the families. On the top you can see the more mature families, which are the old ones and very used ones. Code-based is in the middle, but only because some schemes showed up later, after McEliece, and lattice-based... okay, NTRU is also almost 30 years old, right? But some newer schemes which are used in the standards are also quite young and need to be explored more, to see whether they have some mistakes and errors. Multivariate cryptography and isogeny-based cryptography are less mature, and it was also proven by many teams that these schemes sometimes contain bugs and mistakes and are not safe. Even some schemes here were considered as standards, but some research teams recently, this year, proved that some of them are not safe, and those schemes had to be withdrawn from the competition. And that brings us to the NIST post-quantum standardisation. In the first round there were, I don't know, maybe more than 40 submissions, but some submissions were, let's say, broken and did not promote to the second round. In the second round there were 26 semifinalists, and last year NIST announced four candidates for the standards. What does it mean? That means a lot. Now NIST just points to a few schemes: okay, these schemes will probably be the next RSA, the next DSA signatures. So now, since last year, everybody in the field is working with these schemes, implementing these schemes in hardware, in software, adding these schemes into the libraries. We will show some progress in the libraries later in this speech, but the red ones are the winners, the candidates for standardisation. The interesting fact is that NIST chose only one candidate for key exchange, just the substitution for Diffie-Hellman exchange, and this is the Kyber scheme. And for digital signatures, NIST chose three schemes: Dilithium, Falcon and SPHINCS+.
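The hash-based family mentioned above (SPHINCS+ among the NIST picks, and the LMS/XMSS schemes recommended for software and firmware signing) is built from one-time signatures placed under a Merkle tree. The following is an added example, not code from the talk and not the code of SPHINCS+, LMS or XMSS: a toy Lamport one-time signature with SHA-256, a 4-leaf Merkle tree, and the signer state that a hash-based scheme must keep so that no one-time key is used twice. The tree height, the seed strings and the firmware message names are assumptions; the parameters are far smaller than any real scheme, and the signature-size function is there because the talk's point about multi-kilobyte signatures shows up immediately.

```python
"""Toy hash-based signature: Lamport one-time signatures under a Merkle tree.
Added example (not the talk's code); all parameters are illustrative only."""
import hashlib


def H(*parts: bytes) -> bytes:
    """SHA-256 over the concatenation of the given byte strings."""
    return hashlib.sha256(b"".join(parts)).digest()


def digest_bits(msg: bytes) -> list:
    """The 256 bits of SHA-256(msg), most significant bit first."""
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def ots_keygen(seed: bytes):
    """Lamport one-time key pair derived from a seed (constructed derivation).
    Secret key: 256 pairs of 32-byte preimages; public key: their hashes."""
    sk = [[H(seed, i.to_bytes(2, "big"), bytes([b])) for b in (0, 1)]
          for i in range(256)]
    pk = [[H(x) for x in pair] for pair in sk]
    return sk, pk


def ots_sign(sk, msg: bytes) -> list:
    """Reveal one preimage per digest bit; a second message would reveal more."""
    return [sk[i][bit] for i, bit in enumerate(digest_bits(msg))]


def ots_verify(pk, msg: bytes, sig: list) -> bool:
    bits = digest_bits(msg)
    return len(sig) == 256 and all(H(sig[i]) == pk[i][bits[i]] for i in range(256))


def ots_pk_leaf(pk) -> bytes:
    """Compress a 16 KiB Lamport public key into one 32-byte Merkle leaf."""
    return H(*[x for pair in pk for x in pair])


class MerkleSigner:
    """2**height one-time keys under a Merkle tree; the root is the public key."""

    def __init__(self, height: int, master_seed: bytes):
        self.n_leaves = 1 << height
        self.keys = [ots_keygen(H(master_seed, i.to_bytes(4, "big")))
                     for i in range(self.n_leaves)]
        level = [ots_pk_leaf(pk) for _, pk in self.keys]
        self.levels = [level]                     # levels[0] = leaves, last = [root]
        while len(level) > 1:
            level = [H(level[j], level[j + 1]) for j in range(0, len(level), 2)]
            self.levels.append(level)
        self.root = level[0]
        self.next_index = 0                       # signer state: next unused leaf

    def sign(self, msg: bytes):
        """Use the next unused leaf; reusing a leaf would leak extra preimages."""
        if self.next_index >= self.n_leaves:
            raise RuntimeError("all one-time keys consumed; a new tree is needed")
        idx = self.next_index
        self.next_index += 1                      # persist this before releasing the signature
        sk, pk = self.keys[idx]
        auth, j = [], idx
        for level in self.levels[:-1]:            # sibling node on every level below the root
            auth.append(level[j ^ 1])
            j >>= 1
        return idx, ots_sign(sk, msg), pk, auth


def merkle_verify(root: bytes, msg: bytes, sig) -> bool:
    """Check the one-time signature, then rebuild the path from its leaf to the root."""
    idx, ots_sig, pk, auth = sig
    if not ots_verify(pk, msg, ots_sig):
        return False
    node, j = ots_pk_leaf(pk), idx
    for sibling in auth:
        node = H(node, sibling) if j % 2 == 0 else H(sibling, node)
        j >>= 1
    return node == root


def signature_size_bytes(sig) -> int:
    """Signature = 256 preimages + 512 public-key hashes + auth path, 32 bytes each."""
    _, ots_sig, pk, auth = sig
    return 32 * (len(ots_sig) + 2 * len(pk) + len(auth))


if __name__ == "__main__":
    signer = MerkleSigner(height=2, master_seed=b"constructed demo seed")
    sig = signer.sign(b"firmware-1.0.bin")
    print(merkle_verify(signer.root, b"firmware-1.0.bin", sig),   # True
          merkle_verify(signer.root, b"firmware-1.1.bin", sig),   # False
          signature_size_bytes(sig))                               # 24640
```

The 24,640-byte signature for a 4-key tree is the size cost the talk describes, and the `next_index` counter is the operational caveat of LMS/XMSS-style schemes: the state must be stored durably before a signature leaves the signer, which is one reason the stateless SPHINCS+ exists alongside them.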
You can also see that lattice-based has candidates for both purposes, and for the digital signature schemes they also have a hash-based scheme, which is SPHINCS+. These schemes have their own pros and cons, and I assume that NIST will standardise all of them but will recommend different schemes for different use cases. And because they pointed to only one KEM scheme, which is Kyber, they still keep the door open to these orange schemes, which are Classic McEliece, BIKE and the HQC scheme, as alternatives. Why do they do that? Because in case the lattice-based family has some bugs, some mistake, in the future, then we can simply start to use something from a different family, which is code-based: McEliece or BIKE. We, and a lot of researchers in the field, did some estimation, some evaluation, because we are curious which schemes will be good candidates that don't affect performance too much, and also the overhead. I mean overhead in sizes, because post-quantum crypto is not just about the performance impact, that all algorithms are quite massive considering the number of cycles; these schemes usually also have much bigger sizes of keys and, of course, sizes of signatures. So, as we use only tens of bytes for RSA signatures or ECDSA, now we will use, or we will need to use, thousands of bytes for the signatures. So these signatures will be more massive, and it could be a problem for fields like IoT or some constrained devices or constrained protocols such as Sigfox or LoRa, where you have only a few bytes for the message communicated between the nodes. And these are just the numbers. You can check the presentation; I put it in the chat, so we don't need to spend too much time here. Now let's proceed with how institutions across the world look at post-quantum and what should be done.
As I mentioned NIST: NIST started everything; then the American NSA, the National Security Agency, released a new proposal, the Commercial National Security Algorithm Suite version 2.0, which says that we should directly start to use post-quantum cryptographic schemes, exchange these schemes in all protocols, and stop using the old common schemes like RSA and ECDSA and so on. But European institutions, like the French ANSSI and the German BSI, and perhaps also the British, have a different view, a little different view: they are more cautious, they are more conservative, and they say, okay, let's start to exchange these schemes, but let's do it in a hybrid approach. Let's implement these schemes in parallel and do hybrid signatures, do hybrid exchange, because they are still not convinced that post-quantum crypto will be safe over the next 20 years. So they are a little more conservative in this, but all these institutions announced that the time for the transition, the time for migration, should be soon; it should start in 2025 and end in 2030. So this is pretty much right after next year, right? So we should be prepared, and we should also take this into account in our projects. And the Czech NÚKIB is also somehow working with these recommendations and will soon announce its own view of how it should be done in the Czech Republic. And after 2030 I think that we will be using only post-quantum crypto. If not, perhaps it will be proven that a quantum computer is not feasible to build; then we are okay, we don't need to do that, because post-quantum crypto adds bigger sizes and adds cycles. But it seems that we will migrate to this. And in this table you can simply compare what should be substituted. So for key establishment, when sessions are built, old RSA or EC Diffie-Hellman or Diffie-Hellman will be substituted by Kyber. And this is just what the Americans, what the NSA, say, right?
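The hybrid approach the European agencies prefer, as described above, means running a classical key exchange and a post-quantum KEM side by side and deriving one session key from both shared secrets, so the session stays protected as long as either one holds. This is an added example, not code from the talk and not Kyber or any library's API: a toy Regev-style LWE encryption stands in for the lattice KEM, a toy finite-field Diffie-Hellman stands in for the classical half, and HKDF-SHA256 (implemented here from `hmac`) is the combiner. The modulus, dimensions, the prime, the salt label and the transcript construction are all assumptions chosen for illustration and are far too small to be secure; the ciphertext-size function is included because the size overhead the talk mentions is visible even in this toy.

```python
"""Hybrid key establishment: classical DH + toy LWE KEM combined through HKDF.
Added example; every parameter here is a constructed toy, not a real cipher suite."""
import hashlib
import hmac
import secrets

# --- toy Regev-style LWE encryption (stands in for a lattice KEM such as Kyber) ---
Q, N, M = 3329, 32, 64          # modulus, secret dimension, number of samples (toy values)


def lwe_keygen():
    s = [secrets.randbelow(Q) for _ in range(N)]
    A = [[secrets.randbelow(Q) for _ in range(N)] for _ in range(M)]
    e = [secrets.randbelow(3) - 1 for _ in range(M)]        # small errors in {-1, 0, 1}
    b = [(sum(A[i][j] * s[j] for j in range(N)) + e[i]) % Q for i in range(M)]
    return s, (A, b)                                        # secret key, public key


def lwe_encrypt_bit(pk, bit: int):
    A, b = pk
    r = [secrets.randbelow(2) for _ in range(M)]            # random 0/1 selection of samples
    u = [sum(A[i][j] * r[i] for i in range(M)) % Q for j in range(N)]
    v = (sum(b[i] * r[i] for i in range(M)) + bit * (Q // 2)) % Q
    return u, v


def lwe_decrypt_bit(s, ct) -> int:
    u, v = ct
    d = (v - sum(s[j] * u[j] for j in range(N))) % Q
    # d == bit*Q/2 + e.r with |e.r| <= M < Q/4, so rounding d to 0 or Q/2 recovers the bit
    return 1 if Q // 4 < d < 3 * Q // 4 else 0


def lwe_encapsulate(pk):
    """KEM-style use: encrypt a fresh 128-bit shared secret bit by bit."""
    ss = secrets.token_bytes(16)
    bits = [(ss[i // 8] >> (7 - i % 8)) & 1 for i in range(128)]
    return ss, [lwe_encrypt_bit(pk, bit) for bit in bits]


def lwe_decapsulate(s, cts) -> bytes:
    bits = [lwe_decrypt_bit(s, ct) for ct in cts]
    return bytes(sum(bits[8 * k + i] << (7 - i) for i in range(8)) for k in range(16))


def lwe_ciphertext_bytes(cts) -> int:
    """Size on the wire: 128 ciphertexts x (N + 1) coefficients x 2 bytes each."""
    return len(cts) * (N + 1) * 2


# --- toy finite-field Diffie-Hellman (the "classical" half; constructed group) ---
P = (1 << 127) - 1               # a Mersenne prime, far too small for real use
G = 3


def dh_keygen():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared(x, peer_pub) -> bytes:
    return pow(peer_pub, x, P).to_bytes(16, "big")


# --- combiner: HKDF-SHA256 over both secrets, bound to the exchanged public values ---
def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()          # extract
    okm, t, ctr = b"", b"", 1
    while len(okm) < length:                                    # expand
        t = hmac.new(prk, t + info + bytes([ctr]), hashlib.sha256).digest()
        okm, ctr = okm + t, ctr + 1
    return okm[:length]


def hybrid_key(ss_classical: bytes, ss_pq: bytes, transcript: bytes) -> bytes:
    """Concatenation combiner: the key is secret if EITHER shared secret is secret."""
    return hkdf_sha256(ss_classical + ss_pq, salt=b"hybrid-kex-demo", info=transcript)


def run_hybrid_exchange():
    """One full exchange; returns (alice_key, bob_key, pq_ciphertext_bytes)."""
    bob_s, bob_pk = lwe_keygen()                  # Bob publishes his LWE public key
    a_x, a_pub = dh_keygen()
    b_x, b_pub = dh_keygen()
    ss_pq_alice, cts = lwe_encapsulate(bob_pk)    # Alice encapsulates to Bob's PQ key
    ss_pq_bob = lwe_decapsulate(bob_s, cts)
    transcript = hashlib.sha256(a_pub.to_bytes(16, "big") + b_pub.to_bytes(16, "big")
                                + repr(cts).encode()).digest()
    k_alice = hybrid_key(dh_shared(a_x, b_pub), ss_pq_alice, transcript)
    k_bob = hybrid_key(dh_shared(b_x, a_pub), ss_pq_bob, transcript)
    return k_alice, k_bob, lwe_ciphertext_bytes(cts)


if __name__ == "__main__":
    ka, kb, size = run_hybrid_exchange()
    print(ka == kb, size)        # True 8448
```

Binding the transcript (both DH public values and the KEM ciphertext) into the HKDF `info` is what ties the derived key to this particular exchange; a real deployment would use a standardized group and KEM and a combiner from the relevant IETF drafts rather than the toy parameters above.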
This is not definitive; what will be recommended by the Germans and the French, ANSSI and so on, may differ. For digital signatures used, for instance, in HTTPS, Dilithium will be recommended. And what is funny: for digital signatures of software and hardware, or some updates, hash-based schemes will be recommended, concretely the Leighton-Micali signature scheme and the eXtended Merkle signature scheme. And as we are approaching the end, I will be quicker now. So this is just the timeline I already talked about. Everything will start in the next two years, and then there will be a window of five years when everything should be transformed to post-quantum, and after 2030 we will solely accept post-quantum solutions. This is the plan of the NSA, and I think that European institutions like ANSSI and BSI and so on will also strongly recommend this. Here we have a non-exhaustive list, just some examples of the libraries which are already available for you, for developers, which you can use if you would like to add post-quantum crypto. The most famous is the liboqs library. This is the essential library that came out of the Open Quantum Safe project, and I think that a lot of teams, and a lot of, let's say, TLS libraries and OpenSSL, use this essential library. But there are more libraries, and you can also check them offline in my presentation. And finally, in the last part of my talk, in a few minutes I will go through the protocols which are used today and how they should be changed to withstand quantum attacks. So let's start with the less-known MACsec protocol. MACsec is used on the second layer. It is not very common; I think several of you may have heard about it. So MACsec works with Ethernet frames. Of course encryption is fine; it uses 256-bit long keys. But for the key agreement there is Diffie-Hellman or RSA, and there we should use the post-quantum schemes.
So some recent works from the last one or two years started to do experiments, started to implement post-quantum crypto inside, and tried to figure out if MACsec will work with it. The conclusions are good for us. I think, or the researchers think, that MACsec is fine and could be simply moved to quantum-safe. What about IPsec? This is more widely known. It works on the third layer, and it's used mainly between routers, or maybe between branches, for building VPN tunnels. So IPsec is a big protocol, and for key exchange and authentication it uses the Internet Key Exchange protocol version 2. And this protocol still has some cipher suites using the common crypto. But now also some works proved that a lot of these recent candidates are fine for this, except Classic McEliece, because Classic McEliece has huge public keys, which are also exchanged. So this could be an obstacle. So we need to use really efficient schemes which have smaller keys, like lattice-based ones. And TLS. This is probably the most used protocol, because TLS is almost everywhere on the internet. It is used in HTTPS. TLS also uses key exchange and negotiation before the session is built. So elliptic curve ECDSA certificates should somehow be exchanged for post-quantum certificates. And there are also a lot of studies that prove that the Dilithium or Falcon signature schemes are fine, and even some hybridization also works here. There is only a problem with the frames, but if you are using jumbo frames it could help us with the TLS transition to post-quantum. And SSH is also very familiar to you; it also uses asymmetric crypto, and it is good that SSH messages are designed to take big messages, which are large enough for post-quantum, so we can simply use everything from post-quantum crypto. Again, McEliece, which uses large keys, could be problematic here.
And last but not least, I just put in my presentation these main protocols and certificates. Certificates, as you know, have sizes of hundreds of bytes, and of course you can use a chain of certificates, which then has kilobyte sizes, right? And in this picture there is a proposal of where there should be some amendments, some modifications, in the X.509 certificate format. So you can see that there are a lot of fields where we should do some modifications and, let's say, propose some drafts which will standardize these new certificates and new formats, ready for carrying post-quantum cryptographic schemes.

And let's conclude my talk on time. So we now know that a quantum computer may break current asymmetric cryptography. We know that we need to start to be prepared. We have a couple of years to do that. We already have some standards which are recommended by NIST, and also by the NSA, and also by BSI and the French ANSSI. And we know that there are still open topics: whether we will do just a straight exchange of common cryptography for post-quantum crypto, or whether we will be more conservative and do the hybrid approach. And from some recent works we know that some libraries and security protocols already started to be developed and prepared for the quantum-safe era. So that's it. That's my talk. I hope that you take something interesting from this speech; here are just the references, and thank you for your attention.

So I maybe have time only for two quick questions, and then I will stay here and we can just talk over coffee. Is the person who had the question here? Yes. If I heard you correctly, you asked about symmetric cryptography, and your question was whether we should just increase the sizes and whether it will be fine. Yeah. I'm sorry if I did not emphasize that strongly. Yes, that's correct.
We only need to increase the sizes, but that is only for symmetric cryptography. For asymmetric cryptography we need to change to the new post-quantum crypto. I hope that it will be secure if you just double the sizes. Any other question? If not, thank you again, and I think we can proceed with the next talk.