All right, we're staying on schedule with our next talk from Christian Paquin, who is a cryptography specialist at Microsoft, talking about post-quantum cryptography. So welcome.

All right, thank you very much. Hello Montreal, it's good to be back in my hometown. I live now somewhere south in the States, and it's a great pleasure to come and talk about some recent work on the topic of post-quantum cryptography. If you've been in the previous talk, you know a little bit about that. My main goal today is to have you leave with the idea that even though quantum computers might be a few years away, there are some action items that the security community needs to take now to protect against quantum attacks, because there's one important factor: even though attackers, quantum hackers, might be something of the future, the attacks can actually happen today, because data that can be captured today can be decrypted in the future. So I'll be talking about that, and I'm going to illustrate my little hackers with the gnomes. I don't know if you remember that, if you've ever watched, 20 years ago, this episode from South Park. They introduced these really weird gnomes, and they had a very interesting business model: they would go around in people's houses and steal their underpants, and then, in some unknown and undecided fashion, they had a plan to take this and make profit at the end of the day. Turns out it's not a great business to be in, the underpants model. Well, we'll see what's going to happen with these guys later.

On a completely unrelated note, 20 years ago something else happened. I was studying right up the hill here at the University of Montreal, in Gilles Brassard's lab, these wonderful things that are quantum computers. They were great on paper: these mathematical, magical properties that Philippe explained, superposition and entanglement, that allow you to calculate wonderful things that are impossible to do with a conventional computer. Well, that was great, and after my studies I needed to get a paycheck, so I transitioned to a more practical sphere of the industry and became an applied cryptographer.

Well, now fast-forward a few years, quantum computers start to look a bit more real, not so much science fiction but just a matter of time before they're going to be built. There are literally millions of dollars being poured into that, a little bit more actually, and now most of the world thinks that they're just a decade away, maybe. So that would be a big revolution for the field of computing. In fact, I have colleagues at Microsoft and MSR that are building the actual physical chips, the physical hardware, to run the quantum computing, and on the other side of the hall is a software team building all sorts of quantum simulation software. They even released a plug-in this year, a quantum development kit, that you can plug into Visual Studio and start writing quantum software. So it's starting to feel really real. This weird machine that you see on the screen, that's actually in the lab of one of our partners in Copenhagen. This very tiny little quantum chip that they're working on requires this big machinery and needs to be cooled down to 0.04 Kelvin, which is the coolest place on the planet; it's colder than deep space. Yeah, these guys really play with the coolest toys, quite literally. So that's all great, and it will revolutionize what we'll be able to do. It has tons of applications in chemistry, to analyze molecular structures and come up with new compounds, and a lot of applications in physics. All is great.

It's all great except for us security practitioners, because as Philippe explained, Shor's algorithm totally destroys the basis for our modern cryptography. All the communications on the internet rely on this public-key cryptography that becomes essentially unusable if the attacker has a quantum computer. Also, this second algorithm that Grover discovered in '96 affects the security of the symmetric cryptography, the hash functions and the symmetric encryption, but we can deal with that: we just need to double the key sizes and the hash sizes. So not a big deal. But okay, just considering Shor, it basically breaks all the crypto that we use today. I scratched the word "most" because, you know, there were some old alternatives back in the day that were never used, never been implemented in our software, but essentially everything that we use today is gone. So that's TLS, HTTPS, that's Signal messaging, that's SSH, that's all your bitcoins, gone. Certificates, software updates, they all rely on public-key cryptography.

So the gnomes are coming back now, and they'd like to adapt their business model a little bit. Instead of stealing underpants, what they can do now is simply collect ciphertext and just wait. Just record the internet traffic, and now they have an idea for phase two: they just have to wait for a quantum computer, and when they do, they can just decrypt it. Of course it's quite an analogy, but there are a lot of adversaries that have this capability today; every major country, every sufficiently large organization can record huge amounts of data. So if you are working as a hacker, a developer, in a small community or in a big corporate environment, the question is: do you have data that's encrypted in transfer over the internet today that needs to be secure for the foreseeable future? And if you do, then how long does that data need to be secure for? Because if there's a risk that somebody records it and then decrypts it later, then you might need to think about this post-quantum cryptography today, not when the quantum computer comes.

So now it's a valid question of when that's going to be. Yeah, Philippe mentioned also the work of Michele Mosca, who did a huge analysis, of course, to estimate the time of when this quantum computer will be. It's a lot of guesswork; there are physicists involved in how to build the hardware, and then the mathematicians on the best quantum attacks we could build with this model, but there's a lot of very smart people that look at the problem, and they estimated, you know, maybe a decade, 12 years, 2030, that there's a very large risk that there might be a quantum computer then. So there's a clear need for the industry to move to this new type of cryptography, that's post-quantum cryptography. And I want to make it clear here: post-quantum cryptography doesn't mean that you need a quantum computer to do this cryptography. That's just normal crypto that we don't know how to break with a quantum computer. Okay, I'll just complete that sentence in one slide.

Just now the motivation of why, again, I'm just going to repeat a little bit of myself: why do we care about this today? First, because of this capture-now, decrypt-later problem. So data is at risk. Okay, great, maybe I've convinced you of that, maybe not, but second, the other points are also very important. If you've ever worked in a standards body before, you'll know that it takes a long time to change standards and get new algorithms and new designs adopted. TLS 1.3, for example, took quite a while to go through, and so if we need to update these algorithms and all these standards, it's going to take a long time, so we need to get started. Also, not just the standards themselves; the crypto stack also needs to be updated. So all the application libraries, all the software, take a long time, and we need to know when we're going to plug in these new algorithms. Some of them will have bigger keys; they have longer computational time; some assumptions are different than what we used before with elliptic curves and RSA. So can the software deal with it? Is our code agile enough to be able to swap in RSA? Like, how many pieces of software have I seen with just RSA hard-coded directly in there, and they'll be quite hard to switch. So these are issues that we can tackle now and start to experiment with, so as not to be surprised when it's going to be the time to switch. And that's kind of what I hinted earlier: if you have data that needs to be secure for a long time, then backtrack all these steps, and we need to get started today.

Well, fortunately, this is happening in academia and in the industry. It's recognized that we need this transition. In fact NIST, which is the National Institute of Standards and Technology in the US, that basically is the de facto standards organization of the world because most of their standards get adopted around the planet, has started the standardization process to replace RSA and elliptic curve public-key cryptography with new algorithms. We're currently in phase two, round two, of this multi-year process. It's going to be a six, seven-year process, and they're looking for all sorts of new ideas from all sorts of math families. In round one there were 69 proposals; they're down to 26 now in round two, and it's continuing. I'll go fast on this because Philippe presented about that, but essentially these new math proposals are not based on factoring and discrete logarithms like RSA and Diffie-Hellman; instead they use lattices, error-correcting codes, multivariate systems, hash functions, isogenies, zero-knowledge proofs even. My colleagues have participated in four of these proposals, and they're still in round two, so if you're interested you can take a look at these specific proposals. I'll tweet out the slides afterwards, so you'll get all the links.

So okay, now if you're a developer, I mean, you can't deal with that. It's like: you just told me I need to replace RSA, but with what? I don't know which one of the 26 proposals to pick. How do I deal with that, and what if one gets disqualified in round three? I'm stuck with that. What do I do?

So one thing that we did, asking ourselves all these same questions, is to join this group, the Open Quantum Safe project, which is an open-source group with the goal of providing a unified framework for this post-quantum cryptography. The idea is that everyone with schemes can plug them into this library, and then when you want to experiment with it and integrate it into your higher-level applications, you just code to the, we call it the OQS library, and if you want to try a scheme you just configure it this way, and if you want to call this other scheme you just switch and call SIKE instead of Frodo; you don't have to modify the application. Our motivation to join and do this work was that we were doing tests implementing our algorithms in TLS, and we don't want to do it 50 times. So do it once and then you can just switch the underlying algorithms; it's quite easy and very efficient in development time. So over the last few years the OQS project kind of grew, so now we have a core library in C, we have a bunch of wrappers in C++, C#, Java, there are some others coming, and we also ship forks of OpenSSL and OpenSSH that integrate this post-quantum crypto, and I'm going to be demonstrating that in a few minutes. What else is there to say? Yeah, it's a collaborative effort. If you're interested in participating and you have some expertise in some other applications you'd like to see post-quantum crypto integrated in, well, please reach out, and either offer "here, I've done this work" and you integrate it in the project, or submit pull requests. It's a very cooperative effort, and we're welcoming help from anybody.

Okay, now in the second part I'm going to explain some of the integrations we did in the different protocols, and you may be interested in that just as a developer or as a user, if you'd like to say "hey, I'm using OpenSSL, I'm using OpenSSH, maybe I can try to just plug in some, or use some of, the post-quantum variants in there to protect myself and my services and products against quantum computing."

So, well, TLS of course is arguably the most used security protocol; it's everywhere. OpenSSL is one of the main libraries implementing it, so that's why we targeted it for our experiments. We've integrated in TLS 1.2 and 1.3, in two different flavors of OpenSSL. 1.3 is really nice because, the way it's architected, the changes are very minimal, so we do the work in the key share message. In TLS 1.3 the core spec that has been adopted assumes that everything looks like elliptic curve Diffie-Hellman, and they define the curves; in the future there's probably going to be extensions for other algorithms, but right now, to integrate in this environment, we have to pretend that our post-quantum algorithms are new curves. So that's how we identify them in the code, and we can just plug and play.

Oh yeah, so one interesting note is that we need to hedge our bets right now. It would be quite unsafe to just transition to a post-quantum algorithm today. You don't want to do that, because they've only been around for a few years. We need a decade at least of cryptanalysis, of really deep analysis, to make sure there's nothing wrong with these new ideas. Maybe there are no quantum algorithms for them because the right person hasn't looked at it for long enough, or maybe there's a classical attack against these systems. So we don't know. So to be safe, what we want to do is do a mix, a hybrid version, between the classical algorithms that we have today and the post-quantum ones. How do you achieve that? Let's say in a key exchange, in the Diffie-Hellman type of setting: I'm trying to communicate with a web server, so I pick a secret, the web server picks a secret, we exchange a message, they use a secret, and then we can arrive at a common shared key that we use afterwards to protect the communication. So we can do that in parallel: we can have this conversation with elliptic curve Diffie-Hellman and have another one in parallel with our post-quantum algorithm, and then we just mix the master secrets, concatenate them, and that's fed into the key derivation, and we end up with a key that depends both on the classical and the post-quantum one. Therefore, if somebody intercepts this communication and decrypts it in ten years with a quantum computer, they'll be able to break the elliptic curve part but not the post-quantum one, because we don't know how to do that with a quantum computer. And if somebody made a mistake in the design of the spec or the scheme and they break this new algorithm in five years, then the elliptic curve still protects us. So the hybrid is really the idea to achieve that.

There are many subtle ways to do that, and we're debating what's the best approach. The one I describe is like the naive approach: just do it in parallel and concatenate. It's the easiest to implement, and that's the one that we have in our fork. There are some more advanced ones where you can negotiate which algorithm you want. And the authentication side is also similar ideas, for the authentication and the certificate integration. Again, what we've implemented is just this naive approach. We don't say we do an RSA signature and then a Picnic signature, to take one, and mix them; we define a new algorithm, it's called RSA-Picnic, and everything is concatenated. So it's easy to implement and integrate, but there are multiple ways to think about it. You could have two certificates, one classical, one post-quantum; you can have one certificate with a post-quantum extension in there. There are a lot of options.

So one interesting question is: okay, you want us to integrate post-quantum in our deployments, so what's the cost? Is everything going to slow down to a crawl? There's a reason why some of these algorithms were never adopted 30 years ago when they were first proposed: because RSA was way better, way faster and smaller. Like, the error-correcting codes have gigantic key sizes, megabytes of artifacts, so we don't want to deal with that. Well, fortunately the top candidates have very interesting performance. For example, on the left side you have the key exchange algorithms. The orange one is our baseline elliptic curve, P-256, top of the line in efficiency and security, and we see that NewHope, the lattice one, gets really close to it. That's the number of fetches per second, so it's quite competitive. And the one just above it, P256-NewHope, is the hybrid one that I mentioned: we do both the elliptic curve one plus the post-quantum one in one go, so it doesn't double the cost, because a lot of the cost is the rest of the exchange. So for the crypto part you don't pay a big penalty to transfer to post-quantum. Very interesting to start playing with; that's certainly not a stopper. The same thing for signatures: basically this new crypto is competitive, and will in the next few years be optimized both algorithmically (I can't pronounce the word, sorry) and in hardware, all sorts of optimizations. So that's going to be interesting.

SSH: we also did the work, and I don't want to repeat myself; it's very similar to TLS conceptually, so similar integration in the key exchange and in the authentication part.

One interesting project I'd like to mention is another one we have; it's based on the OpenVPN project. Unlike other VPN projects that use a different protocol, this one uses TLS as its security, so we can just use our OpenSSL fork and get the security for free in the VPN. What's interesting is that when you start thinking about all the applications that will need to change, it takes a lot of dev work to do that. But if you do it at the VPN level, then you can tunnel all your classical, unmodified legacy applications through a post-quantum tunnel, and then the adversary outside cannot peek into the classical, or even if they can break RSA, they wouldn't be able to get into that post-quantum tunnel. So that's a very interesting model to give a blanket protection against quantum computers without actually changing any code, and to deal with all sorts of services. This one is not part of OQS; it's part of our Microsoft Research project. It's also open source; you can take a look at it, and it gives an interesting thing to play with. We also integrated one of our algorithms in an HSM. All of these projects are basically to show that, okay, it works: it works in software, it works in hardware, it works in different deployments, just to get comfortable, to say okay, we want to de-risk these new algorithms, so that when it's time to transition, when NIST picks some winners and some new standards are ready, we know what breaks and what doesn't break in the software. We've done the work.

I just want to conclude with a quick demo. Let's see if it shows on the screen. Okay, it's always hard to demo cryptography, because, you know, it's just showing a green icon on the screen. I'm just going to show OpenSSL; maybe you're already familiar with it, if you have played with OpenSSL. This is the OpenSSL client and server tool. So what I'm going to do, I apologize for the small size, but I'm just going to read it to you. I've now just generated a new certificate that's a hybrid between ECDSA P-256 and qTESLA, which is a lattice signature scheme, and the main point here is that this is OpenSSL as you know it, if you know it; nothing changes other than the algorithm identifier. And now I can start a web server with this. Let's go back to my history. There it is. So I use the certificate, and now it's waiting for TLS 1.3 connections, and I'm going to connect from this other console. This is, by the way, a Windows Subsystem for Linux that I use, which is awesome; if you don't know it, I recommend you do it. I'm going to do it in a box right here, and then, well, this is the boring demo, just a bunch of letters, no errors, and it spits out the certificate. And then you can see, if you have really good eyes, that I'm using here, you see, the ECDSA-qTESLA-I signature, and the key exchange with P-256 ECDHE plus Frodo. So I've kind of decided I'm going to go with lattices for this key exchange; the signature scheme is the lattice scheme as well. This is secure because the curves are secure, and then if you have a quantum computer in 10 years and you've recorded that, then you would still not be able to decrypt it, because the lattice schemes are unbreakable with a quantum computer.

That is it for the presentation. So the main point is that, okay, quantum computers are going to come in 10, 20, 50 years, who knows. As security practitioners, we need to be safe and assume the worst; it might come sooner than later. We need to be prepared, and you need to start thinking about the transition today. So maybe you're thinking, "I'll just wait until the standard comes out; I'll be ready; I don't develop any of this; I'll just adopt the new software as it gets updated." But if you want to be proactive and you are dealing with data that needs to be secure for a decade or more, then you might want to just sprinkle in this post-quantum protection on top of the classical one, to make sure that you're safe against this imminent threat. So I thank you for your time. I'm happy to answer any questions now or during the lunch break.
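The "naive" hybrid key exchange described in the talk (run ECDH and a post-quantum exchange in parallel, concatenate the two shared secrets, feed the result into the key derivation) can be shown end to end in a few lines. The block below is an added example written for this transcript; it is not code from the talk, from the Open Quantum Safe project, or from OpenSSL. It uses only the Python standard library: HKDF is implemented from RFC 5869 with hmac, and the two shared secrets are constructed random stand-ins for what ECDH and a post-quantum KEM would each produce. The derivation label and the transcript-hash input are assumptions, not TLS 1.3's real labels. The capture-now, decrypt-later scenario is modelled as an eavesdropper who later learns the classical secret but still lacks the post-quantum one.

```python
"""Added example: hybrid (classical + post-quantum) key derivation by
concatenation, as described in the talk. Not OQS, OpenSSL or Microsoft code.

Assumptions: the two shared secrets are constructed stand-ins for the ECDH
and PQ-KEM outputs; the HKDF label is invented for this example.
"""
import hashlib
import hmac
import os

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC-Hash(salt, IKM)."""
    if not salt:
        salt = b"\x00" * HASH_LEN  # RFC 5869: empty salt means HashLen zero bytes
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC-Hash(PRK, T(i-1) | info | i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested output too long for HKDF")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def combine_shared_secrets(classical_ss: bytes, pq_ss: bytes) -> bytes:
    """The naive hybrid combiner from the talk: plain concatenation.

    Both inputs must have a fixed, scheme-defined length (as ECDH and KEM
    outputs do); otherwise the boundary between them would be ambiguous.
    """
    return classical_ss + pq_ss


def derive_traffic_key(classical_ss: bytes, pq_ss: bytes,
                       transcript_hash: bytes, length: int = 32) -> bytes:
    """Derive one traffic key from the hybrid secret and the handshake transcript."""
    prk = hkdf_extract(b"", combine_shared_secrets(classical_ss, pq_ss))
    info = b"hybrid traffic key" + transcript_hash  # label is an assumption
    return hkdf_expand(prk, info, length)


def simulate_hybrid_handshake() -> dict:
    """Model client, server and a future quantum-capable eavesdropper.

    The shared secrets are constructed with os.urandom to stand in for the
    values both parties would agree on via ECDH (32 bytes) and a PQ KEM
    (16 bytes, a constructed size for the example).
    """
    classical_ss = os.urandom(32)
    pq_ss = os.urandom(16)
    transcript_hash = hashlib.sha256(b"constructed ClientHello||ServerHello").digest()

    client_key = derive_traffic_key(classical_ss, pq_ss, transcript_hash)
    server_key = derive_traffic_key(classical_ss, pq_ss, transcript_hash)

    # Capture-now, decrypt-later: the eavesdropper recorded the handshake and,
    # years later, recovers the ECDH secret. Without the PQ secret the best
    # they can do is guess it; any wrong guess yields a different key.
    guessed_pq_ss = bytes(16)
    attacker_key = derive_traffic_key(classical_ss, guessed_pq_ss, transcript_hash)

    return {"client_key": client_key, "server_key": server_key,
            "attacker_key": attacker_key}


def rfc5869_vector_ok() -> bool:
    """Check the HKDF implementation against RFC 5869 test case 1 (SHA-256)."""
    ikm = bytes([0x0B] * 22)
    salt = bytes(range(0x00, 0x0D))
    info = bytes(range(0xF0, 0xFA))
    prk = hkdf_extract(salt, ikm)
    okm = hkdf_expand(prk, info, 42)
    return (prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
            and okm.hex() == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
                             "34007208d5b887185865")


if __name__ == "__main__":
    print("HKDF matches RFC 5869 vector:", rfc5869_vector_ok())
    r = simulate_hybrid_handshake()
    print("client and server agree:", r["client_key"] == r["server_key"])
    print("attacker with classical secret only:", r["attacker_key"] == r["client_key"])
```

The point the code makes is the one the talk makes: because both secrets are inputs to the same extract step, the traffic key is only recoverable by someone who holds both, so breaking the elliptic-curve part alone (or the post-quantum part alone, should a classical attack on it appear) is not enough. A real TLS stack would use its own labelled derivation schedule over the full transcript rather than the single assumed label here; the concatenation step is what carries over.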