All right, welcome back everybody. Our next talk will be Sarah McCarthy giving her talk on Quantum-Safe Instantaneous Vehicle-to-Vehicle Communication. Hello, thanks for having me here. This is my first DEF CON and I'm enjoying it so far. I'm meeting very interesting people. So I'm from the Centre for Secure Information Technologies, which is part of Queen's University Belfast, Northern Ireland. And today I'm going to talk about an aspect of our research into practical quantum-safe cryptography. So as Christian Paquin explained yesterday, there is a requirement for the establishment of quantum-safe cryptography. So I'm going to reintroduce this topic and the motivations for our research. I will then introduce identity-based encryption, which is an advanced cryptographic primitive, and then describe our software design aimed at constrained devices such as vehicle-to-vehicle communication. I do have a demo, but it wasn't showing up on the screen, but we can give it another go. So currently cryptography is underpinned by hard mathematical problems such as integer factorization and the discrete log problem. And these are infeasible to break with current computing. However, in 1984, Shor's algorithm was proposed. And when this is run on a quantum computer, it can solve integer factorization and the discrete log problem within a feasible amount of time. Therefore, if a quantum computer comes along, the primitives that we use today, such as RSA and elliptic curve cryptography, which are based on these problems, will be broken. There is also Grover's algorithm, which was proposed in 1996. And it threatens the symmetric key primitives. However, we can evade this algorithmic attack by doubling the key sizes. So symmetric key cryptography is safe for now, but public key cryptography will be dead under the realization of a quantum computer.
In response to this, researchers are looking at replacing traditional problems with more complex problems, such as lattice-based, code-based, multivariate-based, hash-based, and isogeny-based. So these are all different branches of mathematics. There are many community efforts into this quantum-safe cryptographic research. For example, standards bodies in the US and Europe, NIST and ETSI, are looking towards standardizing quantum-safe primitives. Google trialled a quantum-safe key exchange in its Chrome browser in 2016. European projects such as SAFEcrypto have been looking at practical implementations of quantum-safe primitives. There is an annual conference, PQCrypto, which brings together academics and researchers from industry every year, and government bodies, such as the National Cyber Security Centre in the UK, are also looking at quantum-safe cryptography. To further emphasize the threat, here are some news articles and headlines that have been out in the past couple of years. And they're about researchers both building quantum computers and protecting against quantum computers. So quantum computing power can be measured in qubits, and the number of qubits attained is increasing. However, Andrea's talk on Thursday indicated that over 4,000 qubits are required to factor a 2048-bit number using Shor's algorithm. And if we look at March 2018, Google only reached 72 qubits. So we have a long way to go, but we argue we need to be thinking about this problem today. For example, if we put a satellite into space today, it's going to need to be secure for 40 to 50 years. And if a quantum computer comes during that time, the security which it relies upon will be broken. And it won't be able to be used. The Mosca inequality conceptualizes this.
So if we set X as the desired lifespan of the security of the product, Y as the research and development time of the crypto, and Z as the time until the realization of a quantum computer, if X plus Y is less than Z, there is time to act. But if it's more than Z, it's going to be too late. So it's important to look at quantum-safe alternatives today. So lattices are one of the contenders for quantum-safe cryptography. They were first introduced by Ajtai in 1996, and they have many advantages, making them the leading contender among quantum-safe alternatives. They're known for their efficiency, the understanding of the hardness of their underlying problems, and their ability to be extended to advanced primitives such as identity-based encryption, which is when the user's public key is based on its public ID, or homomorphic encryption, which allows computation on encrypted data. So this is a two-dimensional lattice defined by basis vectors B1 and B2. And every vector in the lattice can be expressed as a linear combination of its basis vectors with integer coefficients. Hard problems around lattices, such as finding the shortest vector in the lattice or the closest point in the lattice to a given point in the space, are the problems upon which we can base our cryptographic primitives, as they're known to be infeasible to break with a quantum computer. So lattices allow for cryptographic agility, they have mathematically hard problems, and they have shown promising efficient implementations which are competitive with traditional crypto used today. However, they have large key sizes in comparison to traditional crypto, for example over one megabyte compared to 256 bits.
They're also vulnerable to side-channel attacks because lattices utilise a lot of bespoke components, components which are not used in traditional crypto today, so we're basically reinventing the wheel when it comes to protecting against power analysis, timing attacks and fault attacks. The underlying mathematical theory is still relatively new and it's still undergoing major cryptanalysis. For example, we can introduce structure to the lattices in order to increase the efficiency of the schemes. As of yet there are no known vulnerabilities, but it has not been proven that this doesn't introduce a security risk. In 2016, NIST announced a transition to quantum-safe public key cryptography for Suite B of its recommended algorithms. It then invited the research community to submit public key encryption schemes, digital signature schemes and key encapsulation mechanisms. So in the first round, lattices accounted for over one third of the submissions, and NIST selected the most promising candidates to go through to the second round; those who didn't make it were dropped due to a lack of confidence in their security or inefficiency. By the second round, lattices accounted for almost one half of the candidates. And additionally, they're the only family to have submissions in round two in all three types of schemes. So this reinforces our confidence and assurance in lattices. Identity-based encryption removes the need for a large-scale public key infrastructure by using the user ID as a public key. So here's a diagram showing an identity-based encryption scheme. The key generator generates master public and private keys for the whole system, and the extractor uses a user's ID to generate a private user key for them. If Alice wants to send a message to Bob, all she needs is Bob's public ID and the master public key to encrypt the message. She then sends it to Bob, and Bob can decrypt using his private user key.
The advantages of identity-based encryption include that there's no need for the sender to obtain a certificate, therefore they can send a message more instantaneously. Timestamps can be combined with identity to accommodate key refresh and revocation. There is no need for pre-registration of a user onto a database. They can be extended to further primitives such as signatures, broadcast encryption, key agreement and public key encryption schemes with keyword search. They also mitigate the need for a trusted certificate authority, and decryption capabilities can be delegated, for example, to temporary devices or to members of staff within a workforce. However, there's a danger of key escrow, as the sender authority has access to all private keys and therefore can decrypt any message. Communication channels from the central authority are required to be secure. Key revocation could add complexity, for example if a key needs to be revoked before its expiry date, and there is a requirement to check the uniqueness of user IDs to prevent two users obtaining the same private key. Today, IBE is used for commercial solutions focusing on email and file encryption. It's also suitable for closed networks such as sensor networks. The UK Emergency Services currently use the ETSI-standardized TETRA scheme for their communications, and since 2018 they have used the elliptic curve-based MIKEY-SAKKE IBE scheme due to its instantaneous communication capabilities. And today we consider the use of the instantaneous communication required for vehicle-to-vehicle. However, these applications currently are all non-quantum-safe. So I'm now going to show an animation to show how identity-based encryption can be used for vehicle-to-vehicle communication. So as an example, consider two autonomous cars in constant contact with the 5G network. The key generator produces the private key of each user by using its already established unique user identity, in this case the license plate of the car.
If the green car wants to send a message to the blue car, it only needs to know the blue car's license plate and the master public key, and the license plate guarantees its authenticity. Only the blue car can decrypt this message using the associated private key. Similarly, if the fleet manager wants to send a message to all cars in the system, it simply needs their identities and does not need to maintain a database of public keys. The first lattice-based IBE scheme with practical parameters was proposed in 2014, and it used specially structured NTRU lattices to reduce the key sizes, which are between two and four kilobytes, and a lattice sampler which samples short vectors within the lattice to create the private information, and improved upon the quality of this, so it outputs shorter lattice vectors, making it more secure. So all encryption and decryption operations take approximately one millisecond on a moderate-power laptop, and it can also be extended to a digital signature scheme. In 2017, my team proposed algorithmic and software design optimizations to bring the scheme even more within the realm of practicality. These included use of the number theoretic transform, parameter recommendations, bronze modular GCD, Barrett reduction, the cumulative distribution table sampler and the tiny SHA-3 hash function. We also focused on making it constant-time in order to mitigate side-channel attacks. So here are some of our performance results. I'd just like to highlight the 80-bit security level and the 192-bit security level. So how does this compare to existing implementations? Well, in comparison to the proof-of-concept implementation of the original paper, you can see massive performance gains, particularly in the encrypt and decrypt components. And in comparison to traditional IBE schemes, well, this first one, Cocks, is based on quadratic residues. Its extract is much quicker than ours, but the large ciphertexts render it impractical.
The Boneh-Franklin scheme is based on pairings on elliptic curves, and as you can see we improve upon its extract function, and our encrypt and decrypt are greatly improved upon both schemes. So we have obtained promising software results, and the encrypt and decrypt have also been implemented on a microcontroller such as is found in the engine control unit of a car, and the results of this were two orders of magnitude faster than pairing-based. The fast results allow for instantaneous mission-critical push-to-talk applications and emergency and real-time communications. And the input identifier is flexible. It can be a MAC address, an email address, a unique ID number, anything that you want. So I do have a demo, but it wasn't showing up on the screen, so if anyone wants to come up and see it after (no, it's not showing up), you're very welcome to come, and it involves some interaction, so it's quite fun. So basically it shows how quickly our identity-based encryption scheme can work, and how if we change the user identity then, if you send messages to its old identity, it won't be able to decrypt. So thank you very much for your time. I'd just like to give some acknowledgments to my colleagues and former colleagues who have helped with this work. Thank you. All right, and now the floor is open for questions. If you have questions, just line up here in the middle portion of the room and ask your question. Anyone? All right. Thanks, Sarah.