
BSidesMCR 2019: Quantum Computers And Cryptography - Imran Shaheem

BSides Manchester, 51:25, published 2019-09

Transcript [en]:

So this is a secret message. Its contents are known only by me; it's in fact my hotel key, but that diminishes my point. This offers a way, safely and securely. Now, when you have some secret information that you wish communicated to only specific parties, be it a pen test report or your Netflix credentials, how would you ensure only your intended target was able to receive the message? I hope for everyone in the room the answer was either some cryptographic solution or "sod off, I'm not showing my Netflix". As I'm sure many of you are aware, there is a looming technology that is set to change the landscape of cryptography: quantum computers. They will force a change that's already begun. Although the NCSC, for example, predict that quantum computers won't be cryptographically relevant for another 10 years, the drive to move to cryptographic standards resistant to this new threat has already begun. In this talk we'll provide an introduction to this cutting edge field, discuss paradigms for security testing and types of things to look for when offering remediation advice. Quantum cryptography and quantum resistant cryptography are set to play increasing roles within our industry and jobs in the next few years.

So before we begin, I suppose it's prudent to introduce myself. As you've been told, my name is Imran, hello. I have an MSc in theoretical physics, in particular gravity, particles and fields, and during my studies I participated in online bug bounty programs. I found a P2 in a Fortune 10 company and, largely because of this, was part of the group awarded the Bugcrowd 2017 VIP researcher accolade. That was the transitionary point for myself from wanting to do cybersecurity as a hobby to something I've wanted to do full-time as my job, and I was fortunate enough to be able to join Cyberis in January of last year, and I've been very happily working as a security consultant in the industry ever since.

Okay, introductions are out of the way. So to begin we'll talk about classical information, just a little bit of background before we get to quantum information, and this is because Shannon's seminal 1948 paper discussing classical information theory put forward two important points that are relevant to our talk today. The first was the concept of entropy, which is a measure of information, or randomness, or disorder, and the second is that it is possible to communicate reliably over noisy channels provided the rate of communication is less than the channel capacity.

Now with quantum information we begin with the idea that quantum systems are the ultimate physical medium for storing and processing information. We're essentially dealing with the building blocks of the universe; we're as low level as we can possibly get on a physical level. We can get performance enhancements and performance increases with architecture and with new algorithms, but the building blocks themselves, the materials we're using, are the most efficient we can get for the storage and processing of information. Quantum information theory tries to extend Shannon's theory by replacing bits of information with generic 2D quantum systems called qubits, and classical channels by their noisy quantum channel counterparts. In quantum cryptography, much like in classical cryptography, one would like to transmit or share information securely, except now we're using the fact that quantum states cannot be learned without being disturbed for quantum key distribution, and other unique quantum phenomena for other aspects of cryptography.

So again we'll start with classical computers to give a very brief introduction to quantum gates. As we know, in classical computers

information is stored in bits, ones and zeros. If storing one number takes 64 bits then storing n numbers will take 64 times n bits. Calculations are essentially done the same way as they are by hand, and as such the class of problems that can be solved efficiently are the same as those that can be solved by hand, where efficiency refers to the idea that the evaluation time doesn't increase too quickly with the size of the input.

With quantum computers information is stored in qubits, and a qubit, like a classical bit, can be in a state of zero and one; however it could also be in a superposition of these states, say a|0> + b|1>, where a and b are complex numbers. We use complex numbers as they provide benefits in the calculation and comprehension of qubit states, such as the ability to map states to positions on a sphere, as shown in the image. Whereas a bit can exist as either 0 or 1, the two points, a qubit can exist in a continuum of states, and these are only confined by the boundary of the sphere with poles at 0 and 1. Calculations are performed by mathematical operations called unitary transformations; these are done on the states of the qubits, and when combined with the principle of superposition this creates possibilities not available for hand calculations. This translates to more efficient algorithms for factoring, searching and simulation of quantum systems.

Another benefit of superpositions is you get far more storage capacity on a qubit, in fact exponential storage. You could store, say, two numbers on one qubit, mapping each one to a state; you'd be able to store four numbers on two qubits. So I see some of you have started to drift off to sleep already. So yeah, with two qubits you have to store four numbers, with three qubits, eight. There is actually an equation on the board, if it's big enough to make out, that you can rearrange and manipulate to tell you exactly how many qubits you'd need to store n numbers. I'll leave it as a little puzzle for the mathematically inclined, and anyone who's really interested can reach me afterwards and I'll tell you exactly how many.

So, quantum computers, better at everything? Well, they utilise quantum mechanics to solve problems much faster than is possible with a classical computer. Quantum mechanics realises the principles of probability: in quantum mechanics we depend on numbers called probability amplitudes, which can be positive, negative or complex numbers. A simplification of the process is that we're trying to orchestrate it so that some of the wrong answers have positive amplitudes, others have negative amplitudes, and when the calculation's done they destructively interfere and cancel each other out, thus the wrong answer isn't observed. We also want the correct answers to constructively interfere to enhance them. This is a huge oversimplification but is essentially how the process works.

In general, problems that utilise parallelism, the ability to split a problem into several parts and solve them all simultaneously to arrive at a solution, are the problems that will benefit the most from the gains that quantum computers have to offer. Problems like prime number factorisation, or the most efficient route through a complicated city grid, both great candidates. Or is it? You're unlikely to see much of an FPS increase in your favourite video games, apologies to any Fortnite fans.

So where are we currently with quantum computers? Well, the largest gate model processor was released in March of last year by Google, no surprise, called Bristlecone. It

weighs in at 72 qubits. Whilst there are far larger quantum annealing processors, which are designed to solve very specific sets of problems, gate model processors are what we normally think of when we think of a quantum computer and are applicable to a far wider set of problems; they're considered the universal quantum computer. But that was last year, and what's happening this year? Well, in January IBM, who've been very busy this year, introduced their first commercially available quantum system, the Q System One. It weighs in at about twenty qubits, and Mr Morimoto, director of IBM Research in Tokyo and global VP, said IBM intends to commercialise quantum computers within three to five years, when he expects quantum computers to be able to outperform supercomputers in specific domains. So its first commercial computer can be seen as a sort of statement of intent.

We also had a research breakthrough this year and succeeded in showing experimental evidence for a new state of matter, topological superconductivity as it is very casually termed. Whilst the evidence to this day was seen in a 2D system, it is believed that the system can be scaled and expanded and used for the construction of qubits; this yields a potential for increased calculation speeds and boosted storage.

Finally, with Q Experience IBM has effectively brought quantum... this sounds like a sales pitch for IBM, I promise it's not... it has effectively brought the computers to your home with cloud quantum computing. This allows for experiments to be run on Q systems and simulators, that is quantum systems and simulators, and is available to the public; you can go sign up for the public beta right now. The cloud promises to facilitate great strides in quantum related fields by allowing more people access to the technology.

Cool, so we've sort of covered an introduction on the quantum computer side of things. Let's look at the cryptography side, and I appreciate there are probably people in this room who know far more about classical cryptography than I do, so this might be teaching grandma how to suck eggs, but bear with me so we're all on the same page with cryptography before we move on to quantum cryptography. So what is the goal of classical cryptography? Well, we want to allow secure communications over public channels. There are a bunch of ways to do this; one of them is the one time pad algorithm, where two parties A and B, or Alice and Bob, use a one time pre-shared key to encrypt information. But an issue with this approach is that of secure key distribution, which has historically made it impractical for most applications. So how do you get past this secure key distribution issue? Well, we have things like the public private key pair, which relies on the fact that certain mathematical tools are computationally hard, for instance the factorisation of large numbers into prime factors as used in the RSA algorithm. The RSA algorithm has proved to be rather useful as current computers can only factor numbers as large as 250 decimal digits, I think so far the biggest has been about 232 decimal digits. As computers become more powerful larger prime factors will need to be used in order to preserve the security of the algorithm, but that isn't seen as a huge issue, that is until quantum computers, which threw a monkey wrench into the whole operation. In 1994 Peter Shor showed that a quantum computer could factor large numbers into their prime factors in polynomial time. Now a polynomial time algorithm is said to be fast; it's things like addition,

subtraction, square roots and logarithms on a classical computer, and as you can imagine this will compromise the security of the RSA algorithm and others that use similar techniques, if a quantum computer could calculate prime factors as quick as a classical computer could do logs.

So now that we know a little bit about classical cryptography, let's move on to quantum cryptography. Now quantum cryptography derives its strength from a few weird properties of quantum mechanics. To begin with we have the no-cloning theorem, and this states that it's impossible to create an identical copy of an arbitrary unknown, and I must stress unknown, quantum state. As such, intercept and replay attacks are inherently protected against, as we will see later. With quantum superposition we have two or more quantum states which can be summed to create another valid quantum state; that is, every quantum state can be thought of as a sum of two or more distinct states. As we've seen already with quantum computers, this principle is critical to how they work and contributes to many of the benefits such systems offer. Finally, and perhaps the most famous of the quantum phenomena listed, is quantum entanglement, which is the interaction of quantum states resulting in a quantum system that is no longer independent. So you have two systems that interact and they can no longer be described independently of one another; to describe one system, or one part of the system, you have to describe the other, and to affect one part you must affect the other. It has massive implications for secure communications and the teleportation of information, with active research taking place in the fields.

Now I came across very recently a great analogy for entanglement. Like most analogies it totally breaks down if you actually look at it, so please don't focus on it too much, but it gives you the general idea of how it works. So imagine I had two balls in front of me, a red ball and a blue ball. I put them both in a box, a separate box, one for the red ball, one for the blue ball, and I hide them underneath this desk. I then pick someone who's particularly quick in the audience. You look pretty quick, you can have this box; it has one of the balls in it, you don't know which one. I then ask you to run as fast as you can out of here, in fact you run so fast that you're running at the speed of light, and just keep running for like 30 years. We'll all wait here. You leave the planet, just keep going in a straight line. Thirty years later I'll take the other box out. We don't know what colour ball is in here, and so we can say it's either red or blue, or quantumly we can also say it can be in a superposition of red and blue, as it in fact exists in both states, in a similar sense. Then I reveal the box and the ball to you. I've opened the box and we see we've got the red ball. We instantly know that 30 light-years away there's a very exhausted young man in the third row who has a blue ball. Now we haven't violated any of the laws of physics to do this, but in describing one part of the system we've also described the other part of the system; the two were linked on some fundamental level, and by forcing our ball to be red we've also caused his ball to be blue. And so in a nutshell, and

if you don't look too closely, that's it. So, the pros and cons of quantum cryptography. Well, a pro is that it cannot be unknowingly intercepted; we'll see this in more detail later, but due to the properties of the no-cloning theorem and quantum entanglement it is impossible for information to be unknowingly intercepted. It's also secure irrespective of computing power; the security comes from the underlying physical properties of these devices, it's baked into the universe, and it can't just be cracked with more computing power. Finally, it's secured at the physical level. If we're thinking of the OSI model, it's secure at the lowest layer, and as such can secure the complete end-to-end encryption without any need for SSL or VPN.

As good as it sounds, there are some cons. It is ridiculously expensive at the moment, and this is due to it being the cutting edge of cryptography; research and development costs are high, as are the fabrication costs of specialist components needed to support fragile quantum states, and this all affects the final sale price. The core requirement for exacting conditions dictates the need for special infrastructure capable of supporting quantum cryptography, which also has its own associated costs. Finally, there are practical problems in the implementation; this is a very new technology and there are still these practical problems to overcome. For example, fibre based quantum key distribution can only travel so far, although as we'll touch on later there have been some breakthroughs in this area.

So where are we with quantum cryptography right now, 2019? Well, we have true random number generators, which are essential for secure encryption keys and for the enhancement of entropy, and as we described earlier entropy can be said to be a measure of disorder, randomness or uncertainty in a system, and so the introduction of truly random number generators is of obvious benefit. In fact Shannon, who was the person who made that seminal 1948 paper conveying the concept of entropy, had a great anecdote about coming up with the term entropy. He said: "My greatest concern was what to call it. I thought of calling it information, but that word was overly used, so I decided to call it uncertainty. When I discussed this with John von Neumann he had a better idea. Von Neumann told me, you should call it entropy, for two reasons. In the first place your uncertainty function has been used in statistical mechanics under that name already, so it already has a name, and in the second place, and more importantly, no one really knows what entropy really is, and in a debate you'll always have the advantage."

We also have right now quantum key distribution devices, and these allow for secure key exchange for encryption for a multitude of devices and a multitude of applications, and they're being sold by a bunch of different companies: ID Quantique's Cerberis 3 system, MagiQ Technologies' QPN system and QuintessenceLabs, to name some examples. Sales so far are generally led by the financial market, and following that we have government and defence. In fact last year the financial segment had a market share of around 38%, so that's pretty huge, and this was followed quite closely behind by government and defence, which accounted for about 31 percent and 27 percent of the market respectively, so that's almost the whole market. Plans for new quantum key distribution networks exist in the US with Battelle, Japan with NICT and China with QuantumCTek, so we are seeing big governments across the world starting to adopt this technology, and in fact the market is estimated to grow to four point eight billion by 2023, coming from 1.7 billion last year.

Cool, so we touched on that, but what exactly is quantum key distribution? It is certainly the best known and most well developed branch of quantum cryptography. It has the goal of providing an information theoretically secure solution to the problems of key exchange. Utilising QKD protocols, I'm going to say quantum key distribution a lot, so I'll abbreviate it to QKD for the sake of my voice and your ears, utilising QKD protocols two parties should be able to establish a key that can be used for secure communications without that key

being unknowingly intercepted by a third party. This should remain the case even if all communications were done over public channels; there still should not be able to be an unknown eavesdropper who is able to enumerate the key. Whilst unconditional security has been proven mathematically, that is to say there are no constraints placed on the abilities of the eavesdropper, and this is not something possible with classical key distribution, there are some assumptions that need to be made. One being that the universe hasn't had a change of heart and the laws of quantum mechanics still hold to be true, and the other being that the two genuine parties, so Alice and Bob, our A and B, can successfully authenticate each other, so you can't impersonate either and thus conduct man-in-the-middle attacks. Whilst it's seemingly secure, there are still issues in its implementation, with key generation rate being a particular issue; we can't generate keys as quick as we can with classical systems, not at the moment at least, and transmission distance is still an issue. When I first talked about transmission distance I had someone tell me, what do you mean it can't go further than a few nanometres? That's not exactly what I mean; it can definitely go further than a few nanometres, and in fact we've had some breakthroughs in this area. In 2018, last year, Lucamarini et al put forward a way to possibly overcome the distance limit entirely, or at least make massive strides in it, and that is the proposed twin field QKD scheme. This suggests that a key rate could be achieved over 550 kilometres of standard optical fibre already used in communications today. The same person then turned around and asked me, does that mean we can use it in current systems? Which is a perfectly valid question, and no, we still have things like switches and stuff like that that would get in the way and could destroy the delicate quantum states, but it means that materials we use today, materials that aren't particularly expensive, can be employed in creating QKD systems.

So what besides QKD is there when it comes to quantum cryptography? It's not the be-all and end-all. So there's been a lot of work in the field of quantum cryptography that has focused on QKD, but it's not the only branch where this has taken place. Other areas that address issues with QKD, such as the inefficiency of QKD for large networks utilising symmetric cryptosystems due to the key management overheads, or others related to entirely different cryptographic tasks and functions, are all being actively researched. We have things like quantum fingerprinting, quantum digital signatures and entity authentication that have all had good strides made in their respective fields.

Having spoken about QKD, let's have a look at one of the most popular quantum key distribution protocols and the basis for many commercial devices that are available today. So what is the goal? Well, the goal is to establish a key between Alice and Bob such that an eavesdropper, we'll call them Eve, can't listen and learn just by listening, and once this key's been established it can then be used to communicate securely using something like the one time pad algorithm. The basic idea is that Alice and Bob use quantum systems to establish the key, and if Eve tries to learn the state of the system she'll inevitably disturb that state, and this can be detected by both Alice and Bob. Eve can sabotage the protocol, sure, in which case Alice and Bob won't be able to establish the key; however the goal is to make sure that if Alice and Bob agree that the protocol is successful, the chance that Eve knows the key is very, very small. Oh yeah, also, BB84 is a key distribution system proposed by Bennett and Brassard in 1984, and nothing to do with Star Wars, have had that comment before.

So what are the steps? Alice prepares the qubit randomly in one of four states and sends it to Bob. Bob measures the received qubit in one of two bases randomly, with a probability of half, or 50/50, for each one of those two bases. Alice and Bob then reveal the basis in which the qubit was both prepared by Alice and measured by Bob; they do this over a classical channel, but they do not say the state or respective outcome of their measurements and encoding. If the bases coincide they add a bit to their list, otherwise they disregard that qubit entirely. In order to make sure Eve hasn't tampered, they take a proportion of their key bits, say half, and compare them using a classical channel; they should see no significant differences. If they see differences that are much higher than the error rate of the channel, they know Eve's been meddling. So is it secure? There are several mathematical proofs attesting to the security of this protocol; one such proof is provided in the further reading slide

for anyone interested; however the maths can be a little hairy, and the more so as we go to less simple proofs, so today we'll just focus on the intuition behind the proof. The central principle is that in order for Eve to learn the key, the qubits that are sent by Alice must be intercepted and measured. If Eve knows the basis in which the qubits were prepared, happy days, she can measure it in the correct basis, learn the state without altering it, and pass it on to Bob, and she's not cheating: it's not an unknown quantum state, she knows the state it was prepared in, she can measure it, not play with it, because then it would change, but measure it and then pass it on undisturbed. However, the problem is Eve doesn't know which basis Alice used, and so this leaves her with two possible alternatives. Eve can choose one of the two bases randomly, she's got a 50/50 shot, measure in that basis and pass the system on to Bob. If Eve chooses the same basis as that Alice prepared it in, then she obtains the result she's looking for, happy days again, and can pass on the state to Bob totally undisturbed; Bob will never know. On the other hand, if Eve measures in the other basis then the state sent to Bob will have been altered completely, and when Bob makes his own measurements there is a one in four chance that he'll obtain Alice's prepared state. Those aren't great odds, so what else can she do? Well, she can keep the system sent by Alice and measure it only after the classical communication's taken place. Once she knows, Alice says I prepared it in this basis, Bob says I've measured it in this basis, she's like, cool, I'll measure in the basis it was prepared in. She can decode the whole key, but she has to send something to Bob, and since she's keeping Alice's qubit, and it's in an unknown state, she can't clone them; the no-cloning theorem prohibits that. Okay, cool, so yeah, she has two things: she can either send Alice's qubit on, in which case she won't have it because of the no-cloning theorem, or she can make up some data and send it to Bob. So that's what she does, she makes up a bunch of bogus data and sends it on to Bob. Now there's a significant chance that Bob's measurements will give a different result to those that would have been made if he had got Alice's original signal, because there's a very low likelihood that Eve's made up data somehow perfectly resembles Alice's original data. So using the first option there's a small likelihood of successful eavesdropping, which further diminishes as we use a greater number of qubits, and with the second option there's no real chance, due to the no-cloning theorem, meaning Eve is essentially making up data and hoping it magically matches with Alice's.

So in general Eve may employ more sophisticated attacks in which several successive qubits are measured; this makes the proof of security more hairy and the maths more ugly, but at the heart of the proof is the fact that quantum information cannot be copied, as dictated by the no-cloning theorem. Quantum cryptography is fast approaching the stage of technological applications, with several companies in the process of producing cryptographic systems based on this BB84 protocol. As we've mentioned, commercial QKD systems that already exist include the ID Quantique Cerberis 3 system we talked about, and can be bought for the low, low price of $82,000. Now that was when I first checked this out, and that price may have dropped since then; it could be as low as $50,000 now, who knows.
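To make the sifting and error-check steps of BB84 concrete, here is an added Python simulation with an optional intercept-resend Eve; it is example code written for this transcript, not code from the talk or from any vendor's product. It models a prepared qubit classically as a (bit, basis) pair, which reproduces the measurement statistics described above (same basis recovers the bit, wrong basis gives a coin flip); the 1% channel error, 5% tolerance, qubit counts and seeds are constructed values for the example.

```python
import random

# Constructed, toy BB84 model (not from the talk).  A prepared qubit is kept
# classically as (bit, basis), basis 0 = rectilinear, 1 = diagonal.  Measuring
# in the preparation basis recovers the bit; measuring in the other basis
# yields a uniformly random outcome, which is all BB84's statistics need.


def measure(qubit, basis, rng):
    """Outcome of measuring the prepared qubit in `basis`."""
    bit, prep_basis = qubit
    if basis == prep_basis:
        return bit
    return rng.randrange(2)  # wrong basis: 50/50 coin flip


def intercept_resend(qubits, rng):
    """Eve's first option from the talk: measure each qubit in a random
    basis and re-prepare it in that basis before forwarding it to Bob."""
    forwarded = []
    for q in qubits:
        eve_basis = rng.randrange(2)
        forwarded.append((measure(q, eve_basis, rng), eve_basis))
    return forwarded


def run_bb84(n, seed, eavesdrop=False, sample_fraction=0.5):
    """Run one BB84 exchange over n qubits.

    Returns (sifted_length, qber, alice_key, bob_key), where qber is the
    error rate seen on the publicly compared sample and the keys are the
    remaining (un-revealed) sifted bits held by each party.
    """
    rng = random.Random(seed)  # seeded so results are reproducible
    # Step 1: Alice picks random bits and random bases and "sends" qubits.
    alice_bits = [rng.randrange(2) for _ in range(n)]
    alice_bases = [rng.randrange(2) for _ in range(n)]
    qubits = list(zip(alice_bits, alice_bases))
    if eavesdrop:
        qubits = intercept_resend(qubits, rng)
    # Step 2: Bob measures each qubit in a random basis.
    bob_bases = [rng.randrange(2) for _ in range(n)]
    bob_bits = [measure(q, b, rng) for q, b in zip(qubits, bob_bases)]
    # Step 3: bases are announced on the classical channel; keep matches only.
    keep = [i for i in range(n) if alice_bases[i] == bob_bases[i]]
    alice_sift = [alice_bits[i] for i in keep]
    bob_sift = [bob_bits[i] for i in keep]
    # Step 4: publicly compare a random subset of sifted bits, then discard it.
    order = list(range(len(keep)))
    rng.shuffle(order)
    revealed = set(order[: int(len(order) * sample_fraction)])
    errors = sum(alice_sift[i] != bob_sift[i] for i in revealed)
    qber = errors / len(revealed) if revealed else 0.0
    alice_key = [alice_sift[i] for i in range(len(keep)) if i not in revealed]
    bob_key = [bob_sift[i] for i in range(len(keep)) if i not in revealed]
    return len(keep), qber, alice_key, bob_key


def eve_suspected(qber, channel_error_rate=0.01, tolerance=0.05):
    """Abort rule: errors well above the channel's own rate mean meddling.
    The 1% channel error and 5% tolerance are assumed example values."""
    return qber > channel_error_rate + tolerance


if __name__ == "__main__":
    for eavesdrop in (False, True):
        sifted, qber, a_key, b_key = run_bb84(4000, seed=7, eavesdrop=eavesdrop)
        print(f"eavesdrop={eavesdrop}: sifted={sifted} qber={qber:.3f} "
              f"keys_match={a_key == b_key} suspected={eve_suspected(qber)}")
```

Without Eve the compared sample shows no errors and both keys agree; with intercept-resend the sample error rate sits near one in four, which is the rate the talk's basis-guessing argument predicts and what the abort rule keys on.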

Generally in commercial systems the four states of the qubits are implemented as four polarisations of a single photon state. Companies manufacturing such systems include Toshiba, ID Quantique, SeQureNet, QuintessenceLabs and MagiQ Technologies.

Great, so we know about the BB84 protocol, let's get to the fun stuff, let's break it. So what you can take away from this talk is a paradigm on how to approach pen testing quantum systems; it's not as scary as it sounds. Vulnerabilities can be broken down into two broad classes: we have inherent flaws and implementation flaws. Inherent flaws exist when an assumption made during the creation of a protocol doesn't hold to be true; a new mathematical technique or approach, for instance, may break the security of that protocol. An example of a protocol with inherent flaws would be SSL version 3. Implementation flaws, on the other hand, exist because real-world physical systems aren't perfect, nor is our adaptation, that's a hard word to say, it doesn't sound as hard to say as it is when you're stood up here, our adaptation of theoretical principles to physical mediums. Such imperfections can be exploited to compromise an otherwise secure protocol, as we're about to see.

So to begin with, let's remove a bit of abstraction from the BB84 protocol and think about Alice and Bob's setup. Alice needs a process for encoding her qubits, some sort of photon generator, a laser, and Bob needs an observation machine to carry out measurements, some sort of photon detector. You can exploit hardware weaknesses in these components to compromise the BB84 protocol. We start with one that is called the indirect copying attack, and this actually plays with one of the assumptions we made earlier, which is that Alice and Bob need to be able to successfully authenticate each other. So in this, Eve constructs a list of all of Alice's possible states she can use to encode her qubits. Eve then intercepts Alice's qubits as they're transmitted to Bob; she measures them and finds each qubit's value. Having found this information, she's messed around with those qubits, they're no longer in the original state, so she gets rid of them. She then sends qubits to Bob matching Alice's original signal that she creates herself. Now that might sound like cheating, but it isn't: these are no longer unknown quantum states, and through her measurements she's created qubits, and through clever mathematical operations she can reverse engineer, with a high probability of success, Alice's original signal. So once she reproduces Alice's original signal she sends it on to Bob, and Bob's never the wiser. It's important to note that this attack only works on protocols like BB84 where the quantum state is encoded in transit. Alongside this, Eve must know all of the possible states Alice can use to encode her qubits, and try to keep her time interval between successive qubits as close as possible to Alice's original signal, alongside keeping the delay between Alice sending and Bob receiving as small as possible, so that her presence isn't felt. Cool, that's not an easy ask.

So let's look at another attack. This one is called the photon number splitting attack, and this does deal with component weaknesses in physical systems. So practically, with most QKD devices, I don't know if it's true for all QKD devices, but for most, single photon sources aren't used, and that's because they're incredibly difficult to manufacture. As such, weak coherent pulses are used in most actual cryptographic devices. A weak coherent pulse is a photon pulse that has a low mean photon number, that is to say a low number of photons in that pulse on average. I do think almost all of them use weak coherent pulses, I'm just scared to stick my neck out and say all. It can be achieved by passing short low powered laser pulses through an attenuator. The PNS attack takes advantage of a limitation present in weak coherent pulse generators, and that's that sometimes multiple photon pulses are emitted. So what happens when a multiple photon pulse is emitted? Well, Eve can intercept a portion of those photons and send the rest on to Bob. Eve waits for Alice and Bob to announce their respective transfer and detection bases via their classical channel, and then she measures her captured photons just like Bob would, and builds the key alongside them both. The PNS attack, whilst powerful, is complex to implement, and this is because the probability that a multiple photon pulse is emitted for a good weak coherent pulse generator is only around 5%. As such, Eve has to check whether the emitted pulse contains multiple photons or not, and this demands both proper hardware and algorithms. Given that this is all in place, however, it'd be very hard for Bob to detect Eve's presence.

Finally, we come to my favourite of the attacks, and it is called the light injection attack, arguably the most science fictiony sounding of the three, but photon number splitting gives it a run for its money.

you can execute this attack against Alice or Bob so let's say the case about it begin with and then we'll work our way back to attacking Bob Eve sends a light pulse at one of the devices in this case Alice's photon generator and registers the reflected pulse that comes back because of the design of qkd Hardware the reflected pulse will indicate which process or photon generator will be used by analysts to generate the next Cuba Eve knows which process Alice is about to use to encode her qubits and thus you can perform an intercept and replay attack with a hundred percent certainty that she'll be using the correct observer for each incoming Cuba you can capture the entire

key as Alice sends her qubits to Bob without Alice or Bob being able to detect her presence. Using the information again communicated over the classical channel, she will be able to create the same key as Alice and Bob. Finally, attacking Bob is a very similar process: she sends a light pulse at Bob's device, enumerates from the reflected pulse which detection basis he's going to be using, and she matches the same detection basis. So when Bob's right, she's right; the qubit is unchanged and gets passed on to Bob, happy days. When she's wrong, Bob's wrong as well, which means it doesn't matter that she was wrong, because Alice is just gonna tell Bob to get rid of that qubit anyway, you measured it

wrong. So in either case she gets to build up the key alongside Bob, and neither Alice nor Bob have any clue that she was there. So those are all problematic; what can we do about them? How could we offer clients remediation advice? Well, remediation advice comes in two flavours, or a combination of both of them (I wanted to give the Neapolitan joke, but it's only two flavours). Passive measures include inherent properties of the infrastructure that make them resistant to such attacks. An example of a passive measure for Alice would be an attenuator at the output of her setup: Eve requires more powerful lasers to get through the attenuator. Well, then we add in an optical isolator and a bandpass filter;

the optical isolator allows Alice's light through with no problem, but in the opposite direction, with Eve trying to come in, it makes the power requirements incredibly high; it makes them untenable with the inclusion of the bandpass filter and the attenuator. To do this, though, there's a small note: we do need to change from the single-photon states that we were using theoretically to the weak coherent pulses. That doesn't make much of a difference, because they're actually what's generally used in QKD devices. We also have active measures, and an active measure is the introduction of tools designed to mitigate specific attacks. So we could, say, have a detector to warn Alice and Bob if the average and

overall peak power of an incoming pulse rises above a certain level. If that happens, they know Eve was trying to send a light pulse powerful enough that the reflected pulse contains information about their encoding and detection bases. This alerts them to the fact that someone is trying to enumerate their key; they can either then scrap the protocol and start again, or they can try and convince themselves that whatever they were trying to say really isn't that important and just leave it. So we've talked about quantum cryptography, and now we'll talk about what's considered quantum-resistant or post-quantum cryptography. I don't like the term post-quantum cryptography because it implies we've already got quantum and now we're moving on to post-quantum

when we haven't even got quantum yet. It's a problem most people worry about anyway. Post-quantum cryptography leverages cryptographic algorithms which can be run on classical computers, the modern computers we have in front of us, and these algorithms are thought to be secure against quantum computer attacks. As we've stated, the problem with most algorithms that we use today is that their security is based upon a class of mathematically difficult problems, all of which can be solved on a sufficiently powerful quantum computer. Even though current publicly known quantum computers lack the processing power to be cryptographically relevant, many cryptographers are designing new algorithms for when quantum computers become powerful enough to be a threat. There are currently four main flavours of

public key post-quantum cryptosystems. The first (because this is a mouthful) is lattice-based cryptosystems; I almost said lettuce-based, that'd be hard to get through. This is the most well understood and widely studied family of hard maths problems that's being researched for post-quantum cryptography. It is perhaps the most popular flavour due to the historic mathematical interest and the versatility of the crypto schemes possible, allowing for the replacement of essentially all endangered protocols, but also the introduction of entirely new classes of cryptographic tools that are not currently available when using factoring or other hard mathematical problems. The second is code-based cryptosystems. It's another popular flavour that includes cryptosystems which rely on

error correcting codes, such as the McEliece algorithm. The original McEliece signature used random Goppa codes, which has withstood scrutiny for over 30 years; however, many variants which aim to structure the code more, so as to reduce key sizes, have been shown to be insecure, unfortunately. We've also got hash tree public key cryptosystems; hash-based digital signatures were invented in the late seventies. They fell out of vogue, as there is a limit to the number of signatures that can be signed using a corresponding set of private keys; post-quantum cryptography has revitalised interest in this field, however. And finally we have multivariate cryptosystems. This includes encryption schemes based on the difficulty of solving systems of

multivariate equations. Whilst attempts to build secure multivariate equation encryption schemes have failed, such schemes could provide a basis for the construction of a quantum-secure signature at some point. I also wanted to quickly touch upon symmetric encryption, as, given that suitably large keys are used, systems like AES are already quantum-resistant. In addition to this, key management protocols which employ symmetric keys, like Kerberos, are inherently secure against attack by a quantum computer. Some researchers suggest expanding the use of Kerberos-like key management systems as a way to get post-quantum cryptography today, and with Kerberoasting, any pentester can only encourage this kind of thinking. So, post-quantum cryptography: what are the pros and

cons as well? An obvious pro is the cost: due to the decreased research and development expenses relative to quantum cryptography, in addition to it being less resource-intensive, the cost of post-quantum cryptography is significantly less. Oh, can you hear me? Is this working? Yeah, okay, cool. So as I was saying, it's a lot cheaper due to the decreased research and development expenses relative to quantum cryptography; in addition to it being less resource-intensive, the cost of post-quantum cryptography is significantly lower than its quantum counterpart. It also works on current infrastructure, which is great; it works this way and it feeds into the lower costs, as expensive and specialised equipment is not required in order to facilitate post

quantum cryptography. This form of cryptography should be capable of running on current classical computers, and as such may have a larger scope of possible applications. Due in no small part to the prior two reasons, this field is massively popular, with tons of active research taking place and many supporters, including the NCSC. However, it does have several issues. Due to this being such a young field (it essentially was born as a response to the increasing threat quantum computers continue to place on current cryptography), there may be many flaws and inherent weaknesses that are yet to be uncovered, simply due to the field's immaturity. Any such issue, when discovered, would immediately threaten the confidentiality of data secured using the relevant encryption. A

particular challenge of post-quantum cryptography is the implementation of quantum-safe algorithms into existing systems. I'm sure many of us have come across clients who are forced to run outdated and vulnerable cryptography due to legacy systems which don't support modern TLS implementations; this issue will only be made worse by the introduction of post-quantum cryptography unless these implementation issues are overcome. Finally, we have key size. There are often trade-offs related to key size, computational efficiency and ciphertext or signature size, and as such care must be taken when choosing which post-quantum cryptography algorithms to employ, weighing, for example, the effort required to send large public keys over the internet. So this is all interesting, but why are we talking about

it now? What's the point of having this conversation today? Well, no one is sure when cryptographically relevant quantum computers will be available; depending on who you ask, estimates range from a few years to never, but the general consensus is that we should plan for around a decade. As such, a worst-case scenario can be put forward of the complete failure of a massive portion of cryptographic systems within 10 years. We should put in place a strategy early enough that will allow for quantum resilience in terms of protecting sensitive data for the full term of its security life. The strategies we put in place need testing and assurance, so that in an attempt to address vulnerabilities we

don't end up introducing more. Some would even argue that it's already too late: with harvesting attacks, we could already have malicious actors intercepting data today for decryption when quantum computers arrive. So you want to be in the front-runners; you want to be offering that assurance and testing for new quantum systems, and you decide that this all sounds great and you want to build your own quantum lab. How do you go about this? It might not be as scary as it seems. There are two ways: you can build a physical system to test particular protocols and implementations, or use virtualisation. With a physical apparatus, you'd be forgiven for thinking building one would require exorbitant

sums of money. Essentially all you need to, say, model the BB84 protocol would be a source (some kind of laser), a photon detector, some polarisation filters and beam splitters, oh, and then some electronics as well to control all the components and register output. There are kits available which contain all the necessary components to create an analogous setup to look at QKD protocols, and I've seen some go for around two and a half thousand pounds, which, compared to an actual full quantum setup, is ridiculously cheap. However, we can go cheaper with virtualisation: you can model the protocols and components. We can leverage the IBM quantum cloud, for example, which allows for the exploration

of quantum applications via systems and simulators to model and test QKD protocols utilising real-world quantum systems. However, this was pointed out to me, so I should stress: please don't hack the actual cloud platform; please use it to model the protocols and hack the quantum cryptography side of it. Leave IBM alone unless they've asked you to test it or they've got a public bug bounty. We can also use software such as MATLAB or Visual Basic to model all of our components, include the logic of these protocols, and create an inexpensive virtual lab. There's quite a lot of material available to help in such an endeavour, and there are actually several academic research papers that used this

virtualisation approach and published in peer-reviewed journals. My personal recommendation would be to start with a virtual lab, and once you've identified potential vulnerabilities, then build an analogous physical model to determine how best to exploit the issues identified, and also whether they constitute a vulnerability, and if so under what conditions. So, in conclusion: there is no better physical medium for storing and processing information than quantum systems, according to quantum information theory. Quantum cryptography can be secured on the physical level, and there are many pros but also several cons and physical hurdles yet to overcome. Commercial systems relying on quantum principles are already beginning to emerge, as we've seen, and can be tested,

as we also saw, and while several protocols are secure, there exist many pentesting applications in the physical implementations of such systems. The landscape of cryptography is changing under our feet, and it's up to us to adapt to it. With the introduction of new protocols, some completely secure, there still exist many pentesting applications in the physical implementations of such systems. If you can't find an inherent flaw, look for an implementation flaw: what components were used in the construction of the system? What were their technical limitations? How can these limitations be abused and protected against? Technical details for many components are publicly available, and so research into the compromise of these devices can be done without ever

having to have one in front of you. So here are some various further reading slides; these were all really useful in the construction of this talk and also provide more detail on the subject areas than I've been able to go through in just an hour. Here are the obligatory image references, just so no one shouts at me. I'd also like to thank Cyprus for allowing me the time and resources to put this presentation together; they've been brilliant. In particular I'd also like to thank Mark Prather, Catherine Freneau and London's Brad for their guidance and encouragement, BSides Manchester for providing such a stellar platform, and you all for listening patiently. Thank you very much. I think we

should try to get this mic up and running for questions. Does anyone have any questions? Right, well, okay, Scott, the most gorgeous man in InfoSec, I can't ask you a question after that. You mentioned that AES is currently considered to be quantum resistant; is that with 128 bits, or do we have to go higher? So it's to do with... I don't know the intricacies there, but I know it's quantum resistant in the same way that a quantum computer won't have any extra power; it's not using, say, number factorisation, where quantum computers have an obvious benefit. And so if it's secure against a classical system,

yes, it should also be secure against a quantum system; it shouldn't be able to crack it much faster. Thanks so much, Imran, I really enjoyed it. With a quantum computer it tends to be a logarithm, not a logarithmic, improvement in integer factorisation. It seems to have jumped: last time I checked, the largest number a quantum computer had factorised was 14. Do you know what the numbers are now? So I don't know exactly what we've gone up to; it changes quite quickly. But I do know the main estimate, again I'd have to look into that, but estimates and guesses are that we would need around four thousand qubits, with a good architecture and good

noise reduction and error correction codes, to crack something like RSA-2048. So we're still a way off, but we have in quantum computing a version of Moore's law happening, so although 4000 qubits sounds as scary and massive as it does, it shouldn't take a great amount of time to get there. Any more questions? No? Okay, Tom. This is a bit more of a simple one: what really will the end product be like for the general public, more than the private sector and all that? So it really depends on where and how far breakthroughs happen within quantum cryptography. So far, with QKD and stuff, you're very much right in saying it's a

lot of private sector stuff, and we're not going to really see a lot of that happening for us. It's really whether we can get some of the smaller fields, say in your education and stuff like that, how much room we give it to grow and how much funding we give it, and on that it's really quite difficult to be able to predict on the public citizen side. But what I would say is, even if we don't get there very soon with quantum cryptography, it's very promising with post-quantum cryptography that we'll get things like securing your home computer on the internet and going from TLS to some post

quantum cryptography solution. Any more questions for Imran? No? Okay, thanks again anyway.
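The virtual-lab approach the speaker recommends, as an added example that is not part of the talk: a small Python model of BB84 that compares a naive intercept-resend Eve, who has to guess bases, with an Eve who already knows Alice's or Bob's basis for each pulse, as in the light injection attack described in the talk. It assumes ideal single-photon pulses, a lossless channel, perfect detectors and an 11% abort threshold (an assumed value for this model), and shows why the guessing attacker is caught by the error rate in the sifted key while the basis-aware one is not.

```python
"""Toy BB84 virtual lab (added example, not the speaker's code).
Reports the error rate (QBER) Alice and Bob observe in their sifted key
with no eavesdropper, with an intercept-resend Eve guessing bases, and with
an Eve who learnt the bases from a light injection attack.
Assumes ideal single-photon pulses, a lossless channel and perfect detectors.
Basis 0 = rectilinear, 1 = diagonal."""
import random

# Assumed abort threshold for this model; real deployments derive their own.
ABORT_QBER = 0.11


def measure(bit, prep_basis, meas_basis, rng):
    """A photon read in the wrong basis yields a uniformly random bit."""
    return bit if prep_basis == meas_basis else rng.randrange(2)


def run_bb84(n, eve_mode=None, seed=1):
    """eve_mode: None, 'guess' (intercept-resend with random bases),
    'alice_basis' (Eve knows Alice's encoding basis per pulse) or
    'bob_basis' (Eve knows Bob's detection basis per pulse)."""
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n)]
    alice_bases = [rng.randrange(2) for _ in range(n)]
    bob_bases = [rng.randrange(2) for _ in range(n)]
    bob_bits, eve_bits = [], []
    for bit, ab, bb in zip(alice_bits, alice_bases, bob_bases):
        if eve_mode is None:
            bob_bits.append(measure(bit, ab, bb, rng))
            continue
        if eve_mode == "alice_basis":
            eb = ab
        elif eve_mode == "bob_basis":
            eb = bb
        else:  # 'guess': Eve picks a basis at random
            eb = rng.randrange(2)
        eve_bit = measure(bit, ab, eb, rng)
        eve_bits.append(eve_bit)
        # Eve re-encodes what she read in her own basis and forwards it to Bob
        bob_bits.append(measure(eve_bit, eb, bb, rng))
    # Sifting: bases are announced over the classical channel and only the
    # positions where Alice's and Bob's bases agree are kept
    keep = [i for i in range(n) if alice_bases[i] == bob_bases[i]]
    alice_key = [alice_bits[i] for i in keep]
    bob_key = [bob_bits[i] for i in keep]
    eve_key = [eve_bits[i] for i in keep] if eve_mode else []
    errors = sum(a != b for a, b in zip(alice_key, bob_key))
    qber = errors / len(keep) if keep else 0.0
    return {"qber": qber, "abort": qber > ABORT_QBER,
            "eve_recovered_key": eve_key == alice_key}


if __name__ == "__main__":
    for mode in (None, "guess", "alice_basis", "bob_basis"):
        r = run_bb84(4000, mode)
        print(f"{str(mode):12} QBER={r['qber']:.3f} abort={r['abort']} "
              f"eve_has_key={r['eve_recovered_key']}")
```

The guessing Eve drives the QBER to roughly 25% and is rejected at sifting time, whereas either basis-aware Eve reproduces the full sifted key with a QBER of zero, which is why the talk's passive and active countermeasures target the reflected-pulse side channel itself.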