 Hello and welcome back. Please join me in welcoming Philippe Lamontagne, who is a researcher at the Canada's National Research Council. He's going to be presenting on quantum cryptography at what it implies for a society. Thank you, and thank you all for coming to my talk. Fair warning, it's probably going to be the most theoretical talk of the conference, and there might be one other talk that competes me in terms of terroriticalness, and it's the 130 talk on elliptic cryptography. So I'm going to present post-quantum cryptography. My goal here today is that we get out of this talk at a high level understanding of what's post-quantum cryptography. It's better. And there's some echo. Hello, hello. So, so yeah, so my goal is that you get out of this talk a high-level understanding of what is post-quantum crypto, what are the types of problem that were interesting to solve with post-quantum crypto. So without further ado, let's jump right in. And before going into post-quantum crypto, we're going to look at pre-quantum cryptography. Basically the golden age of cryptography, which is the 1970s, with these two guys, Whitfield Diffie and Martin Hellman, that introduced new directions in cryptography. And for those of you who know this paper, these new directions are essentially public key cryptography or asymmetric cryptography. And the problem they introduced is basically digital signature and public key encryption. They didn't propose a real scheme that implements those ideas. They just proposed the ideas and showed that this was something interesting to do in crypto. But it's those three guys, Rivesh Amir and Adelman, that first proposed the first real scheme for public key cryptography. And we know this scheme, RSA, is based on the hard death factor in our numbers, and it's one of the most used today. And we've come a long way since then. So there's this whole field of public key cryptography that allows us to do plenty of things like online shopping or just allow us to have a trust infrastructure on the internet. So the things we can do is basically key exchange, public key encryption, digital signatures, certificates to know who you're talking to over the web. And it's based on very simple ideas, is that you have some problems that are harder to compute, that are easy to compute in one direction, but that are hard to inverse. So for example, this is the example that you take on the Wikipedia page for the Fielman Key Exchange. You have Alice and Bob that want to share a common secret. But they only know there's a public paint color, yellow, and they each have their secret colors, which is blue. So let's say red and blue. And by mixing those colors together, they first mix the yellow and their secret color, then they exchange the resulting colors, and then they mix them again. And now at the end, they get the same color, which is a common secret. And the assumption is that it's hard given this shade of blue to recover the two colors that were used to obtain that shade of blue. And so there are many ways of mixing paint that we can think of. The most popular are factoring and discrete log. Discrete log is what's used basically in a elliptic curve cryptography. And really any so-called trapdoor permutation allows us to do this kind of cryptography, these kind of tasks. And I'm going to talk a bit more about what I mean by a trapdoor permutation later in the talk. So now, fast forward today, we have plenty of devices all connected to the internet. And these devices all use cryptography in some way or in the other. If I have a smartwatch that's receiving updates from software updates from, let's say, the Apple server, then Apple has to the code that's updated to this watch is authenticated using a public key certificate. And even the server that pushes the update is authenticated using public key cryptography. So what we have essentially is a chain of trust where we have this certificate emitting authority that we all know and trust. And we trust this certificate authority to verify the identity of Apple before issuing a certificate for Apple. And then Apple can verify the identity of Facebook before issuing a certificate to Facebook. And Facebook can then sign its binaries using its certificate. But then what happens is that if you have really powerful threat actors that are capable of breaking the root of this chain, then everything collapses. And that's one of the threats of quantum computing. It would allow you to emit fake certificates and just fake essentially any identity on the web. So now a bit more about computing. Of course, I'm referring to Shor's algorithm, which we'll come to in a few slides. But beforehand, I'd like to give you a really brief overview of what quantum computing is about and what it can and cannot do. So quantum computing, really the most important aspect is that you can have a superposition of states, of quantum states. So let's say I take a photon and make it go through some kind of semi-reflective mirror. And then that mirror lets the photon through on one side if it's let's say in horizontal polarization. And it goes to the other side, to the bottom side, if it's in vertical polarization. And of course, I'm not a physicist, so I only sketch this in a very high overview. But the thing is about quantum cryptography, about quantum mechanics is that this photon can be not in either of those places, but at the two places at the same time. But another very important aspect is that you cannot see the photon at both places at the same time. You have to, as soon as you look at it, it materializes either in the right eye or in the left eye, but not in both. So why is this useful for computing? Well, you can think of those two positions as if the photon is on the upper row, it encodes a zero. If it's at the bottom, it encodes a one. And I can put those through a quantum computer, do some very intensive compute function, so function F, that's very intensive to compute an input zero and an input one. So now, because I have those two paths that are computing in parallel, I get a superposition of the two outcomes. But then again, I can only get one of the two outcomes, because as soon as I try to look at those photons, one is going to disappear, it's going to collapse on one of the two paths. But it's still useful to compute some functions in superposition. One of the things that you can do, and that's used, that the main tool behind Shor's algorithm, is that you can have this kind of state. This is a notation for saying that it's a superposition of all input A's. And here, my function is just the modular exponent modulo n, for some basis x. And I can put that through a procedure that's called quantum Fourier transform. And then I get some output. Those are probabilities of observing those values. So here you can think of it as I have a probability one half of seeing the photon here and one half of seeing the photon here. But now I have many values and I have some probabilities of observing some values. And so what QFT tells me is that these peaks in probabilities are going to be related to the structure of the function. In this case, it's going to be the period of the function. So this is a function since it's modern. It repeats itself every so often. And so the amount of steps after which it repeats itself is given by one of those peaks. And each of those peaks is a multiple of that value. So now that we have QFT, we can introduce Shor's factoring algorithm, which is conceptually really simple. So the algorithm in a nutshell is you just pick a random value lower than the one you try to factorize. So here you want to factorize n. And classically, like without the quantum computer, you know how to factor n. If you know a value r, such that you take x to the exponent r, and it's congruent to one modulo n. So this is using a classical algorithm. If you know this r, then you can factor n efficiently. So I've already briefly mentioned that this function f is a periodic function, and the quantum Fourier transform gives you essentially the period of this function. So you just apply quantum Fourier transform. It gives you the r with good probability. And then you can factor using the classical algorithm. And so we saw in the last slide that we have many peaks. And some of them are good values for r. Some of them are bad values. But the essence is that you have a good enough probability, and you can just repeat that process enough time. And you're going to find this r eventually. And the time, the amount of times that you have to repeat this process is polynomial in the number of bits of n. So it's a polynomial algorithm to factor large numbers. All right, so this breaks cryptography essentially. Once we have a quantum computer, everything that we use as cryptography on the internet is threatened. So the aftermath of this is that factoring, discrete logarithm. So I just showed you the algorithm for factoring, but it's the same essentially for discrete logarithms, except it's a bit more complicated. Actually it's a lot more complicated, so I didn't have time to present it. So those tasks are easy for a quantum computer. And we rely on the hardness of those tasks to do cryptography. So public encryption and digital signatures are broken in a world where a quantum, a scalable quantum computer exists. So this includes RSA, Diffielman, digital signatures, anything basically on elliptic curves. Symmetric cryptography is okay. So Shor's algorithm doesn't tell us anything about symmetric key crypto. And there is another algorithm that has an impact on those namely Shor's Grover's algorithm. But you can basically ignore it by just doubling the key size. So those are okay. And hash functions also are not threatened by Shor's algorithm. A bit by Grover, but it's the same story. You just have to increase the security parameter. So now we're ready to look at what we do when we can't do factoring. We can't do Diffie Hellman, discrete log. We have to propose new problems that are hard. And this is what post quantum crypto is about. So I mentioned briefly chapter permutations at the beginning. A chapter permutation is essentially a function that's easy to compute in one direction. So if I have x, I can compute f of x very easily. But it's hard to invert. So if I have an output y, and I want to know which x produced this output y, this should be hard to compute on a classical and a quantum computer. But what a trapdoor function means is that if you know some other input which we name a trapdoor, then this is easy to invert. And so one way to think of this would be if you have a Lego set, it's very easy to disassemble a Lego set to obtain the pieces. But if I have the pieces, it's very hard to reassemble that set unless I have the instructions that tell me step by step how to reconstruct it. And not all of the functions that not all of the problems that are used for post quantum crypto are of this form. But if you have a function of this form, then it's easy to do public crypto because your public key is this function. And I encrypt this way to obtain a suffer text. The crypting is hard. Unless I know the secret key, which is the trapdoor to my function. So this gives you essentially a abstraction of what we want to look for to do public key cryptography. So now the problems on which post quantum cryptography reside. So the first one is lattice based cryptography. So a lattice is basically a set of point in a vector space. And those points are specified by a basis B1 and B2. So the points are all the linear combinations of B1 and B2 and they span the whole space. So now you can think of those points as going and continuing to infinity in each direction. And of course, so this is an example in 2D, but in practice you want to have many dimensions so that the problems become big. Right? So there are two problems that are conjectured to be hard for lattices. The first one is to find the shortest vector in the lattice. So in this case, the shortest vector of my lattice starting from the origin is just this vector at this point and this is B1 minus 2B2. And the other problem is to find the closest vector problem. So I have a point that's not on the lattice, but that's between points of the lattice, let's say this green point. And I want to find the closest point, which is the red one. So those are the problems that are conjectured to be hard. But they are problems that are easy to solve if you have a good basis. So a good basis would be like the rectilinear basis that we all know like vectors that are essentially orthogonal to each other and that are pretty short. And a bad basis would be vectors that are very long and very close to each other. So if they all point in the same direction, then it's hard to know how do you combine them to obtain the shortest vector in the lattice. So how do you do encryption with that? Well, actually you can do signature also, but I'm just going to show you how to encrypt. So to encrypt the idea, there are many schemes also proposed for this problem, but I'm just going to present one to get the intuition. So the idea is your private key is a good lattice and your public key is a bad lattice for the closest vector problem. Your message is a point on the lattice, so you have to find a way to encode a specific message as a point on the lattice. To encrypt, you take that point, let's say the red point is my message. So to encrypt, I'm going to add a random noise vector that's going to push it in the direction. So now here, the green point is my ciphertext. So my ciphertext ascended over a public channel. With the public key, it's hard to decrypt because I have to find the closest point. But with the private key, which is the good basis, this problem becomes easy. I can find the red point that's closest to my ciphertext and I can decrypt the message. So this is lattice-based cryptography. The next one we're going to look at is hash-based crypto. Hash-based crypto, there's only signatures for it. And it's based on a scheme that's called Lamport one-time signatures. I'm sorry, I have to go a bit quicker because I'm running out of time. So Lamport one-time signatures are signatures that are only secure for one instantiation of the signature. They work as follows. So let's say I want to sign a message at three bits. Then my private key is going to be three pair of values. And which value I choose for the signature is going to depend on those bits. So the first bit is one. So I get to get the second value here. The first value here because the second bit is zero and the third value because the third bit, the second value of the third pair because the third bit is one. And this is my signature. So we can already see why it's called one-time signature because I leak essentially half of my key by signing a message. And to verify, well, I'm going to use the following public key in which each of those y's is a hash function applied to that x. So like this. And I'm going to take the corresponding y's and check if the x has to the same y that's in my public key. So I can verify using that public key signatures because those x's are part of the signature. But I cannot forge a signature because I don't know this other x. So I couldn't sign 001, for example, because I don't know this x unless I know the private key. And to know this x without the private key, I'd have to find a preimage to this y01. And this is a problem that's hard if you have good hash functions. Of course, you get the problem that you can only sign once with a given key. So you have many keys that you need to take care of. If you output thousands of hash per seconds, thousands of signatures per second, there's going to be a problem. There are some solutions to that, which is to use a Merkle tree structure to generate many keys from a given key. But the problem is that those schemes are stateful. So you have to remember what's, so you have a procedure to generate many keys. And you have to remember what's the key that you're going to use next. And there's also a scheme that uses a random number generator for those key generations. So this is hash-based signatures. The next one, again, sorry, I have to go quickly through those. I didn't live myself enough time. The other one are based on multivariate polynomials. So the problem is the following. I have this polynomial. So it's multivariate, quadratric polynomial. So multivariate because I have many variables, quadratric because I have at most two variables per term. Two, my power is at most two. And the assumption is that it's hard in general to inverse those polynomials. So I have a given output. It's hard to find an input x1, x2 that's going to give the specific output. And how do you base encryption on that? Are you going to choose a function that's basically a collection of polynomials? And I'm going to encrypt the message by... Well, no, I'm going too fast. So those are all polynomials that are supposed to be hard to invert in general. But I choose them so that I know how to invert them. I choose them with a specific structure that tells me how to invert them. So I take a collection of those and then to hide this structure that gives me how to efficiently invert them, I'm going to hide it with two other polynomials that are also easy to invert. And I'm going to sandwich that function between those two other functions. So this is my public key, the sandwiched function. And so this is a general instance of a problem. So this is just from the attacker's point of view, this is a random polynomial. And the goal is to invert that polynomial. But from the harness, from the person that has the private key, which is the description of those three functions, then it's easy to invert. So how do you do encryption with that? Well, to encrypt, you apply P on an input. So the input is, let's say, your message is a bunch of variables with some given values. And to encrypt, you just apply P. And now to decrypt, given this private key, which is S, F and T, you just invert those three polynomials and you get the clear text from that procedure. So with the private key, you can invert efficiently, but without it, you cannot. And finally, the last problem, post-quantum problem that I'm going to show you is code-based cryptography. Code-based cryptography is based on a re-correcting code, and it's based more specifically on the hardness of decoding a random linear code. So I can specify a code by a matrix G. So this is an example of the Hamming code. For those of you who don't know much about a re-correcting code, so this is the Hamming code. And to encode it for this word, zero, one, one, I multiply the word times the matrix G. So the first part is the identity, so I recover my word, zero, one, one. But then the second part is what we call parity bits. So here I have one, one, zero. So I'm going to have one plus zero, one times zero, plus one times one, plus one times zero, times one. So I'm going to get one. And for the other part, it's zero on one. So I'm going to get zero times zero, plus one times one, plus one times one, but it's an XOR, the addition. So I'm going to get zero. And these are my parity bits that can tell me how to detect an error. But I don't know, with this code, I cannot correct an error. I can only detect one. But in general, you know, you have this code space, and those green dots are my code words. And I take this, encrypt is not the right word. I take this word, I send it in the code space to add some redundancy to it, and then I send it over a noisy channel, which is going to introduce some noise, which is my red dot. And to recover the original message, I have to decode, so send the noisy message to the green dot, which is a code word. And then I can recover the original message. So this is not an encoding that that's secure. This is not encryption. This is adding redundancy to correct errors. But you can build a crypto system on that. Your private key is an efficient decoder for, let's say, this error correcting code. And the public key is a random generator matrix, or random matrix of this form for the same code space. So the hypothesis is that it's hard in general to recover the green dot from the red dot if you don't know, if you don't have an efficient decoder already. So to build a public key crystal system from that, you take the clear text, you send it as a code word. So you take your W, you encode it as C, and then you add errors. So adding errors is encrypting. Anybody can generate code words with the random generator matrix, the public key. Anybody can add noise, so anybody can encrypt. But only with the efficient decoder can I remove the errors and recover the original clear text. So this is the idea behind code-based cryptography. So the main takeaways of my talk is that public key, the public key infrastructure that we know and love today on the internet is threatened by quantum computing. There are alternatives for the problems that are broken. So RSA broken, discrete log is broken, but you can replace them by some of the problems that I presented, such as the lattice-based crypto, which is currently one of the most flexible alternatives. Ash-based crypto. So I indicated in parenthesis that it's old. Well, old is a good thing in cryptography. It means that it hasn't been broken since its invention in the 70s. Multivariate cryptography is pretty fast. It's useful for embedded devices. Code-based crypto, also it's pretty old. There's been schemes that have been proposed a long time ago. And there are other more recent proposals, well, recent and some other roles that I didn't have time to talk about. The other takeaway is that we have to act now to implement Postcom Tom Crypto, to standardize it, and Christian is going to talk a bit about that in the next talk. And also I'd like to finish by citing Michele Mosca from the University of Waterloo. And he uses this equation a lot of time. It says, if X plus Y is greater than Z, then we're in trouble. And what are those variables? Well, X is the time that your data needs to stay secure. Y is the time that it takes to implement Postcom Tom Crypto. And Z is the time that it takes until we have a quantum computer capable of breaking RSA. So if it takes more time to replace the infrastructure and keep the data secure X years, then it takes time to build a quantum computer. Then the data that's protected by this system is going to be compromised. All right, so this is it. Thank you.