IQT Panel: Emerging PQC Products and Standards
Transcript
Host: And those are great services for people to play around with and get the hang of it. There's stuff out there for quantum computing, a lot of it, and the first stuff is coming out also for quantum internet. We've got one of our own, the Quantum Network Explorer; you can find that online and just experiment with quantum communication. The panel we are now having is with David Shaw as moderator. You saw David just peeking around the corner just now. Before I introduce him: pick up your printed program at the registration desk. There's also a t-shirt for everybody, and I'll be wearing it tonight, probably at the game. So, David, many of us know you as the guy behind Fact Based Insight. You're the director there, and you're writing so much about our community; you're so knowledgeable about where we're going that you're an IQT conference on your own, I think. You're leading this special topic on emerging PQC products and standards, so take it away.

David Shaw: Hi. Can I check who we've got in the room? I was expecting Dustin and Michael Redding to be there.

Host: There are three of your panelists on the stage right now. All right, so you can start.

David Shaw: Okay. Just first of all, a bit of a jargon buster for anyone that's just dropping into this session. This panel is going to be discussing post-quantum cryptography, PQC, also known as quantum-resistant cryptography: new maths-based cryptographic protocols designed to be proof against attack by future quantum and conventional computers. PQC is also the leading branch of what's often called quantum-safe cryptography, which also includes the techniques from physics-based quantum cryptography that have been discussed in many other sessions in this great conference. I just wanted to go through that because these terms are sometimes used a little bit differently by different people. So first of all, let me ask each of our panelists to introduce themselves. First of all, Michael. Michael Redding.

Michael Redding: Good afternoon everyone, or good evening, or good morning, depending on which time zone you're in. I'm Mike Redding and I'm the chief technology officer at Quantropi, a Canada-based quantum security company, and happy to be here.

David Shaw: Dustin.

Dustin Moody: Hello, I'm Dustin Moody from the National Institute of Standards and Technology, NIST. We're part of the Department of Commerce, just outside of DC. I'm the project lead for the NIST post-quantum cryptography project, which we'll talk about, and NIST does a lot of other research in many areas of science, many other experiments with quantum and so on that you're probably very familiar with.

David Shaw: Mike Osborne.

Mike Osborne: Hi, I'm the second Mike on the panel, Mike Osborne, and I'm with IBM Research in Zurich, Switzerland, where I head up foundational cryptography activities, including quantum-safe, as well as pushing out implementations of the technology throughout our organization. So hi everyone.

David Shaw: And Johann.

Johann Polecsák: Hello everybody, good afternoon. I'm Johann Polecsák, CTO and co-founder of QAN platform. I've been a software engineer since I was 12 years old, and recently, since 2019, we've been working with blockchains on the post-quantum problem: how to migrate this kind of technology to utilize post-quantum cryptography, QAN being the first and only blockchain on the planet which is also Ethereum compatible. We will talk, or at least I will talk, a bit about the disproportion of the quantum problem.

David Shaw: Great. So let me lead us into the topic today. Quantum computers powerful enough to threaten our current encryption standards are still many years off. Mike, is this something that real IBM customers are actually worried about now?

Mike Osborne: Absolutely, and many of them have been worried for some time. I guess they really get that everything that we're not protecting today is potentially lost to a quantum future, and I think a lot of them are very aware of the difficulty in migrating to becoming quantum safe. Many of them are still scarred by the memories of moving from RSA to elliptic curve cryptography, or from SHA-1 to SHA-2, and so a lot of them are very cognizant that in the past it's been a big cost, a big effort, taking a long time. To be quite frank, a lot of our clients, a lot of people out there, haven't even managed to migrate, so there are still live clients running things like DES, running things like SHA-1, just because of how we've used cryptography in the past. With the sort of low-level APIs that are typically used, it's just so very difficult to extract these from applications and move to something else. So people are really stuck with pre-OpenSSL version one API interfaces, and that's preventing them from actually taking advantage of, let's say, newer things. So they really are aware that agility, the ability to change crypto, is very, very important.

David Shaw: Dustin, when was it that NIST first took an interest? It's quite some time ago now. Can you briefly bring us up to date?

Dustin Moody: Yeah, so NIST has been aware of post-quantum crypto for a long time. Back in around 2010 or 2011 some of our researchers wrote a survey report on the state of the field. Back around 2016 we started to take some more concrete steps towards standardization: we held a workshop, we issued a report, and we also announced that we'd be holding this worldwide competition-like process, like NIST has done in the past for some crypto algorithms like SHA-3 and AES. Since then it's been a number of years. We've gone through three rounds of evaluation. We initially had close to 80 algorithms sent in to us that were being evaluated, and each round whittled down the number, where we selected the most promising ones to move on to the next round. Currently we're at the end of the third round. We have 15 algorithms that are still in play; of those, seven are finalists and eight are alternates, and very, very soon we will be announcing which are the algorithms which we will be standardizing first. That announcement's been delayed slightly from what I'd originally hoped; it still should be coming any day now.

David Shaw: Well, we wait with bated breath. But Michael, at Quantropi you have a PQC offering, but you've chosen not to be part of the NIST process. A lot of clients would think first about standard solutions. Why have you gone down a different path?

Michael Redding: Well, first I'd like to go on the record and say we wholeheartedly embrace the NIST process. I want that to be clear, and especially the philosophy of crypto agility. So our flagship product, QiSpace, is a platform that provides a whole suite and series of cryptographic algorithms, and in particular our MASQ asymmetric encryption suite will support the NIST standards when they're released. So if you want to announce anything, Dustin, this would be awesome. But once those come out, of course we'll support them. But we also include novel PQCs that we've developed. They're from a known branch of cryptography around multivariate polynomials, but with some novel enhancements to make them truly quantum secure and overcome some of the issues of the past. The reason they're not in the process is that Quantropi was founded after NIST closed this current process, and so we hope to be in line if and when NIST opens up future considerations, say digital signatures or potentially more candidates around key exchange; we'll be there and waiting. But in the meantime we'll offer customers the right tool for the job. Let them have the choice, because in some cases this finalist will be what they've got to use because it's dead on the right capability. In other cases, especially around IoT, they may be looking for some alternatives that are perhaps lighter weight, have some different performance capabilities, and as a result they can find the right tool to give them the post-quantum security they're seeking.

David Shaw: Johann, I know we had a panel earlier on this afternoon about blockchain and quantum safe, but what's your take on how blockchain's affected by the coming threats?

Johann Polecsák: Well, it will be really critical. When the only thing that you can use to prove your identity breaks, that currently being elliptic curve cryptography, you really can't do anything. I mean, anonymity or pseudonymity really backfires at this point, because there is no centralized entity. You just can't wave your ID: "Hey, this is me, this wallet belongs to me, please release my funds and let me migrate to a new PQC-protected wallet." There's no such thing you can do. And if you think about how this will go down, there will be a series of steps. We will start by acknowledging the problem; this has already been done, so this is the first step. Then you will see major blockchains like Ethereum starting to hire various post-quantum cryptography experts; this has also already been done, so I can show anyone job openings at the Ethereum Foundation for these roles. Then, as the problem approaches, the next step will be that the leaders of these very well-known blockchains will go on stage and tell the public that it's really approaching and encourage everyone to please migrate their wallets to new post-quantum cryptography wallets. And even if we assume a 100% success rate, and by that I mean that everybody understands the problem, everybody is capable of doing such a migration and everybody does it, it's still doomed, because if you look at how much cryptocurrency is in circulation, how many so-called sleeper wallets there are, you just don't know whether the original owner even has the keys for them anymore. So even the legitimate owners might not be able to migrate their own funds, and in the end you won't be able to tell the difference between a legit owner migrating their own funds and an attacker cracking a wallet open and migrating to their own wallet. So it's a really hard problem, and it's really hard to solve, and even if we were given the task, "please migrate Bitcoin or do something about it," we just couldn't. We just got lucky that we get to utilize post-quantum cryptography from block zero. So unfortunately I don't have a solution for this either.

David Shaw: I'm conscious that Inside Quantum Technology is a great event because it covers such a wide range of these interrelated topics, but I'm conscious a good part of the audience probably doesn't normally look in too much detail at post-quantum cryptography, so I'd like to explore some of the basics. Johann, in discussion of PQC, lattice-based cryptography has really come to the fore. Why are people so excited about lattice-based methods?

Johann Polecsák: Well, there are certain things. One is efficiency, for sure. If we look back to when AES was elected, Rijndael was selected although it was a bit less secure than Serpent, for example. Efficiency matters, and by that I mean that it will be a whole new phase: we can enable IoT devices to perform these cryptographic operations, and it's a huge difference. We have architected various applications for blockchain, and there is a huge difference between running a blockchain node which is telling some kind of information to a thermostat, for example, to set the temperature to 100 degrees Celsius, and believing and doing that, or actually verifying the instructions on the end device itself. It's a huge difference in security. And also my personal favorite is homomorphic encryption, which, well, for blockchain, for what we do, it's not such a huge difference, because we can blindly trust any cloud provider, because data is meant to be public by design. But for any other kind of workload, being able to outsource your compute workloads without having to trust that very organization who you are outsourcing to, I think that's also a game changer.

David Shaw: Right. Mike, in talking about lattice-based crypto in PQC we often hear talk about structured lattices. Why is that a good thing? Why are we likely to see initial standards based on those rather than a full lattice?

Mike Osborne: So, structures. We use structures in many different forms of crypto, not just lattices, and they're used for two reasons. One is to improve efficiency in some dimension, whether that's performance or size or simplicity or something like that. The other is actually to add characteristics like homomorphic properties. That's why fully homomorphic encryption ended up being solved on lattices, because of the properties that you could add via structures. So unstructured lattices, or unstructured crypto, to get the security it needs to be complex, and complex means things end up being large and slow. So the other reason is you put things like rings in there, or what we call ideal lattices, these constructs that actually make the algorithms far more efficient, and that's where the efficiency comes from. That's why lattice algorithms are now faster than what we currently use today. I do say that you have to be careful when you add structures. I think we're going to talk about Rainbow in a minute, but there were some early, I would say clumsy, attempts at adding structures to early lattice schemes that were broken. So you have this trade-off; you have to do these things very carefully, it's very easy to make a mistake, but at the end of the day you make these things practical, and practical in the sense that they're the nearest thing we're going to have to drop-in replacements for what we use already. They have larger key sizes, but they are faster, and the key sizes are not so much larger that you can't use them everywhere. Other schemes, just because of the large dimensions of keys or things like this, are very difficult to use in many scenarios, so it's really important for their practicability.

David Shaw: Dustin, just reflecting on the NIST PQC process so far, IP and patent considerations seem to have played a more prominent role in the process than many might have foreseen. Why is this area such an issue for cryptographers?

Dustin Moody: Well, cryptographers just don't seem to like patents. For the most part, in the history of cryptography there have been algorithms that have been developed that can be freely used, are widely available, and are strong and secure. So why would you want to pay for an algorithm when you have a free one available that's been studied by experts? That's historically been the way crypto has proceeded. In the post-quantum competition there were some algorithms that have some IP attached, so that was a more complex factor to play in. Algorithms that have patents tend to not be adopted as widely, and NIST very much wants the algorithms we select and standardize to be widely adopted around the world and implemented, so having a patent can slow that down. It's something that we had to weigh: if any of these algorithms do have patents attached to them, how will that impact adoption? Our goal is to get strong cryptography widely adopted around the world.

David Shaw: So I think Mike already referred to something we saw just recently: one of the NIST PQC finalists was broken. The Rainbow digital signature algorithm was successfully attacked, and not by a quantum computer, but by a laptop running over a weekend. So, Mike, how unexpected was the Rainbow break, and what should we learn from it?

Mike Osborne: For us it wasn't, because it was our team that actually broke it. Apologies for that. I think there are a couple of lessons here. The first thing to say: there's really a lot of discussion on the PQC mailing list about attacks and schemes being weakened, and theoretical, let's say, constructs for very large machines in the future. This is not what the attack on Rainbow was. This was a very practical attack, and essentially the reason for it is this need for optimization. Rainbow has very large keys, so in order to make it widely useful you need to do something to optimize it. Adding a lot of structure was the path taken, and as I mentioned, that's something you have to be very careful about. So in the end it was actually a mistake in the way that the structures were added that was the cause of the problem. In terms of what to think and what to learn, I mean, at the end of the day this is what I think is really great about this process: it has taught, or let's say focused, a lot of cryptographers on other people's algorithms, which is a very good thing. In terms of the timing, algorithms can be broken at any time. They're not provably secure, so any such attack can come, really, from a quantum or a classical source at any time. It's, how can I say, something you have to live with, which is why the agility is very important. Not to say one thing which is also important: the underlying mathematical hard problem, which is called the oil and vinegar problem, on which Rainbow is based, is not broken. It's really just the optimization of it. And if there is a round four signature scheme, then we will also be very, very happy to contribute something based on that technology, but that may be not quite so optimized, because it does have its merits.

David Shaw: Obviously that attack was a conventional attack on the Rainbow structures. But Michael, do you think we've had sufficient specifically quantum cryptanalysis on the NIST finalists?

Michael Redding: Well, the old saying in cryptography is that the best proof of the security of any algorithm is time, and also time is its greatest enemy, right, because you're giving time for the attackers to come up. I always use the analogy: children who are in college today, there's always been a Google, there's always been an internet, so their brains work differently. Sometime in the next couple of years there'll be children born for whom there have always been quantum computers, and so as a result their brains will work differently and they'll invent new attacks like we've never seen before. So that's why wide open, put it out on the table, let everybody see what's going on, let everybody take a shot at the title, is the absolute only way to get to anything that has a chance to survive and to do what we need to do, which is protect the digital economy that the global economy is based on. And so that's why, even though we're a small startup, our motto is "bring it on," because whatever we're doing cryptographically we're putting out there, because if you can't weather the storm, if you can't take on the challenges, either what we know or what we can only imagine, then we can't be secure.

David Shaw: So, Dustin, we've already had a couple of the panelists talking about round four in this process and potentially a call for new digital signatures. What should we expect there?

Dustin Moody: Yeah, so in the next few years what you can see from NIST: like I said, the announcement of the primary algorithms that will be standardized first should be coming any day now. We also will have some algorithms that are advancing to a fourth round, and that's because when we selected the finalists we picked the algorithms that would be ready at the end of the third round and would be ready to go and be standardized right then. Some of the algorithms we thought needed a little bit more time, and we also wanted to keep the focus on the algorithms we thought most promising during the third round. So during the fourth round you'll continue to see more of these other algorithms being evaluated. Lattices were mentioned; most of the finalists are lattices, but we don't want to put all our eggs in the lattice basket, so some of the other candidates are based on codes, based on multivariate, based on hash functions, based on isogenies, and some of these algorithms will be in the fourth round for further evaluation and could be standardized at the end of the fourth round. With regard to signatures, at the end of the third round we're seeing that we have a smaller number of signature algorithms that are still remaining and are secure. Rainbow was attacked; GeMSS was another candidate that had some attacks. So we have a smaller number of digital signatures we're working with. We're very happy with the finalist lattice signature algorithms, but we also want to have a backup for them that's not based on lattices, a general-purpose digital signature algorithm. So we are also going to have a call, within probably about a year or so, where we'll open up a smaller competition-like process like we've done, to ask for more digital signatures that are general purpose and not based on structured lattices, so that we can complement what we select and have diverse mathematical families to represent our post-quantum algorithms.

David Shaw: Thanks. So defining these new cryptographic standards is one thing; I guess implementing them and rolling them out over a large organization is going to be quite another, and that's a big piece of work. Mike, what should a large end-user organization be doing about this, other than calling their IBM account manager, of course?

Mike Osborne: Yeah, I think there are two things. There are certain things you can do as an organization, but there are certain things, if you play in an ecosystem, the ecosystem needs to do, so there are a couple of dimensions. And I think there are two other very important points. One is the business case. Making it just a requirement to migrate to quantum-safe crypto would be a missed opportunity. There are other really very important cybersecurity efforts underway, things like zero trust, things like secure supply chain, that add easily as much cybersecurity benefit. So we would really recommend that organizations look at combining, not just looking at migration but combining the move to something quantum safe with a more strategic aspect. So for example, moving to zero trust technologies that are quantum safe, or supply chain, or fully homomorphic encryption, these sorts of things: combine it with strategic elements that really get a much bigger bang for the buck than just concentrating on the crypto piece.

David Shaw: Dustin, I believe NIST also has a migration to PQC project. How's that set to help?

Dustin Moody: Yeah, so NIST also has what's called the National Cybersecurity Center of Excellence, which has a project to help out organizations that are going to be migrating to post-quantum cryptography. They've partnered with the Department of Homeland Security in that, and the main goal is just to help put out good information for organizations to prepare and to get ready. There are other organizations that we heard about earlier today that are also issuing guidance. The NIST project, if you google "NIST post quantum migration," you'll come upon it. Currently they're gathering a community of stakeholders to work together and help work through some of the solutions that we can work out ahead of time without having to wait for the standards. So there will be reports, guidance, things like tools to help you find the crypto you're using that is vulnerable to attacks from a quantum computer. Just a lot of good resources there.

David Shaw: Johann, what should blockchain stakeholders be doing about this, other than moving to QAN?

Johann Polecsák: Yeah, sure. Well, generally speaking, there are quite a few post-quantum cryptography-powered chains, so to say, but there are some things to watch out for. I wouldn't pick a chain which is using purely post-quantum cryptography; a hybrid should be in place. So I think we should rely on elliptic curve cryptography, as all the production blockchains are already running on it, and find an efficient solution for how to combine the two to provide a safe migration path for the future. Again, I've also seen such things as using nested signature schemes, where they try to nest one signature into another and re-sign it using a different algorithm. These are also useless from many points: efficiency, storage space exhaustion, which is a very important topic for blockchains as the database is continuously growing. So just avoid those. And also, this is rather subjective, but introducing a new API: currently 99% of the blockchain ecosystem as a whole is running on the Ethereum-specific specification, so I would, and again this is not just self-promotion but generally a market thing, pick a solution which is compatible with 99% of the market. I mean, the Ethereum specification already covers all possible use case scenarios a blockchain should have, so we should pick a solution which is compatible with that.

David Shaw: So, Michael, what customer segments are you targeting from Quantropi? What's a particular fit for customers that should look to you to help them along this journey?

Michael Redding: I think there are a couple of different sectors. Of course I'll say everybody, because who doesn't want their stuff to be secure, but a little more narrow: who's going to be the first mover, right? Who are going to make the first moves? Financial institutions, because that's where the money is. We saw the JPMorgan Chase example earlier today. So protecting your money and your money movement, heck yeah. The carriers, right, because that's the backbone of the internet; all the previous sessions were all about core networks, because again that's what makes the digital economy hum. So the carriers are on it for core networking. Automotive, I think it may have come up a little bit, but securing the connected car is critical, because it weighs 5,000 pounds and goes really fast, and so it's got to be safe. And that leaves one that actually a lot of folks don't talk about so much, but where we see a real immediate market opportunity, and that's in medical devices, because it's literally life and death and that can't be compromised. We were actually surprised; we thought that would be slow because it is a regulated space, but what's regulated is the data integrity and security, which is an absolute requirement for that. So actually, surprisingly, that's a fast mover, and a surprisingly fast mover, with interest in post-quantum.

David Shaw: If I could just briefly touch on a related subject for a moment. I think one area that doesn't get a lot of discussion in the PQC setting is randomness and entropy, and I noticed that IBM, Quantropi, QAN, you've all got offerings in this. Mike, how can IBM customers get their entropy post-quantum?

Mike Osborne: Yeah, it's an interesting question. So on the quantum side we have constructs like quantum networks, quantum computers. There have been quite a few experiments run, both using quantum computers, so circuit-based schemes, as well as, for example, in our cloud with external boxes, evaluating what makes sense there. So if it's for experimentation, there are a number of avenues that we can point people to. I have to say that for our enterprise clients it's really assurance that is the number one thing, so having some form of FIPS 140 certification or Common Criteria certification. And there, I think maybe that's a question for Dustin, actually: to what extent QRNGs may be accounted for in FIPS or the random number requirements for some of the assurance schemes. But so we already have these two things; the QRNGs are very much at the experimental evaluation stage, and they will become, I guess, more production as and when the assurance schemes allow that.

David Shaw: Do you want to comment on that, Dustin, about where you might be with standards on that?

Dustin Moody: Well, I think NIST may move towards there. We don't have any active standardization of that at the moment, but we have things like the NIST Randomness Beacon that uses a quantum source, quantum physics, to generate randomness and is published online. So I think we're headed in that direction, even if we don't have something right now that we're actively doing.

David Shaw: Michael, I see that Quantropi has SEQUR, if I'm getting that part of your offering correct. You've got both QRNG and pseudo-QRNG offerings. What are the merits of each?

Michael Redding: Right. So with SEQUR we have quantum entropy as a service, where we use FIPS-certified hardware generation sources to create streams of quantum random numbers. In fact, we partner with QuintessenceLabs as one of our supply partners on that key technology, and then we quantum-securely transmit it over the internet as a service. So that's one modality. We then also have SEQUR Sync, which is digital quantum key distribution, so we can have an algorithmic approach to quantum key distribution and synchronization across multiple nodes, for, again, many of the use cases we've seen all day today with our photonic QKD friends. And then, last but not least, you talked about it, with pseudo-quantum random numbers: sometimes you can't have hardware and sometimes you don't have a network connection. You need a low-entropy device to be able to create sufficient quantum randomness, and we can do that algorithmically, say that four times fast, with our Quantum Permutation Pad, or QEEP, technology. We can actually take that gold-standard quantum random number from a certified source but then do entropy expansion in software on the device, to create random numbers with a periodicity of 10 to the 500th years, such that it can never be compromised, and as a result you can get it on literally any device anywhere. So streaming, synchronized, or locally generated: it all depends. Again, it's about crypto agility, the right tool for the right job.

Host: David, can you close the session?

David Shaw: All right, so we're at the end of that. Questions from the floor, then? We're at the end of the time. All right, okay. Well, thanks very much to all the panelists, and sorry for missing out on the questions at the end.

Panelists: No worries. Thank you. Thank you so much.

Host: Thank you very much for a great discussion here. Yes, we all