[Script Info]
Title: 
[Events]
Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text
Dialogue: 0,0:00:00.00,0:00:25.75,Default,,0000,0000,0000,,{\i1}rc3 preroll music{\i0}
Dialogue: 0,0:00:25.75,0:00:32.97,Default,,0000,0000,0000,,Herald: Good afternoon everyone watching,\Nthe upcoming talk is by Ruben Gonzalez and
Dialogue: 0,0:00:32.97,0:00:36.75,Default,,0000,0000,0000,,Krijn Reijnders, they're both Ph.D.\Nstudents at Radboud University, and Ruben
Dialogue: 0,0:00:36.75,0:00:42.16,Default,,0000,0000,0000,,is also a capture-the-flag player, under\Nthe name "Red Rocket", or affiliated with
Dialogue: 0,0:00:42.16,0:00:47.78,Default,,0000,0000,0000,,"Red Rocket". Their talk will me about\Npost-quantum cryptography. And we'll take
Dialogue: 0,0:00:47.78,0:00:53.07,Default,,0000,0000,0000,,a kind of introductory dive into Kyber.\NThis talk will also be live-translated
Dialogue: 0,0:00:53.07,0:00:58.98,Default,,0000,0000,0000,,into German, so if you don't speak German,\Ndon't despair. Dieser Vortrag wird also
Dialogue: 0,0:00:58.98,0:01:05.91,Default,,0000,0000,0000,,übersetzt simultan in Deutsch, and that's\Nalso the extent of my German. Also, this
Dialogue: 0,0:01:05.91,0:01:10.96,Default,,0000,0000,0000,,talk is prerecorded will last a bit over\N30 minutes, but the Q&A will be live
Dialogue: 0,0:01:10.96,0:01:13.35,Default,,0000,0000,0000,,afterwards. So enjoy.
Dialogue: 0,0:01:13.35,0:01:16.70,Default,,0000,0000,0000,,Ruben Gonzalez: Hello, and welcome to our\Npresentation on Kyber and post-quantum
Dialogue: 0,0:01:16.70,0:01:24.11,Default,,0000,0000,0000,,cryptography. How does it work? First, my\Nname is Ruben Gonzalez, I'm a Ph.D.
Dialogue: 0,0:01:24.11,0:01:27.42,Default,,0000,0000,0000,,student in the Netherlands. I'm doing this\Npresentation together with my colleague
Dialogue: 0,0:01:27.42,0:01:35.59,Default,,0000,0000,0000,,Krijn Reijnders, and we'll be teaching you\Nall about Kyber today. So, first things
Dialogue: 0,0:01:35.59,0:01:40.18,Default,,0000,0000,0000,,first, a small disclaimer, because I don't\Nwant to disappoint any people: We're doing
Dialogue: 0,0:01:40.18,0:01:46.26,Default,,0000,0000,0000,,boomer crypto here, so we won't be talking\Nabout blockchain, NFTs, shitcoins,... at
Dialogue: 0,0:01:46.26,0:01:52.63,Default,,0000,0000,0000,,all. Instead, we're going to bore you with\Nmathematics, weird kinds of key pairs, and
Dialogue: 0,0:01:52.63,0:02:01.97,Default,,0000,0000,0000,,U.S. government agencies. So, our talk is\Ndivided into four segments. First, I'm
Dialogue: 0,0:02:01.97,0:02:06.53,Default,,0000,0000,0000,,going to teach you a little bit about what\Npost-quantum cryptography actually is and
Dialogue: 0,0:02:06.53,0:02:11.54,Default,,0000,0000,0000,,why you should care about it. Then we're\Ngoing to talk about Kyber, which is the
Dialogue: 0,0:02:11.54,0:02:15.86,Default,,0000,0000,0000,,scheme we're going to go into detail\Nabout, because it's just about to take
Dialogue: 0,0:02:15.86,0:02:20.32,Default,,0000,0000,0000,,over the world. And then Kreijn will talk\Nto you a little bit more about the
Dialogue: 0,0:02:20.32,0:02:25.56,Default,,0000,0000,0000,,security guarantees about how the system\Nactually works mathematically. And then
Dialogue: 0,0:02:25.56,0:02:32.73,Default,,0000,0000,0000,,we're going to give you a brief outlook on\Nthe future of crypto and where we're
Dialogue: 0,0:02:32.73,0:02:44.35,Default,,0000,0000,0000,,headed in the field. So, post-quantum\Ncrypto. A little bit of basics here:
Dialogue: 0,0:02:44.35,0:02:50.39,Default,,0000,0000,0000,,Today, cryptography, on a high level, is\Ndivided into two parts; a boring part and
Dialogue: 0,0:02:50.39,0:02:56.12,Default,,0000,0000,0000,,an exciting part. So the boring part is\Ncalled symmetric crypto and symmetric
Dialogue: 0,0:02:56.12,0:03:01.47,Default,,0000,0000,0000,,crypto does what you usually expect from\Ncryptography. So you can encrypt stuff
Dialogue: 0,0:03:01.47,0:03:06.21,Default,,0000,0000,0000,,with it and sometimes you do\Nauthentication with it. But the biggest
Dialogue: 0,0:03:06.21,0:03:12.25,Default,,0000,0000,0000,,part is the encryption stuff. So you have\Na secret team that nobody is allowed to
Dialogue: 0,0:03:12.25,0:03:16.25,Default,,0000,0000,0000,,have, and if you have this secret key you\Ncan encrypt things, and another person
Dialogue: 0,0:03:16.25,0:03:24.30,Default,,0000,0000,0000,,that has the same secret you can decrypt\Nwith it. So that's why it's symmetric -
Dialogue: 0,0:03:24.30,0:03:29.48,Default,,0000,0000,0000,,you have one key for encryption and\Ndecryption. And what you actually use
Dialogue: 0,0:03:29.48,0:03:36.100,Default,,0000,0000,0000,,implementation wise, is almost exclusively\NAES encryption encryption or hash
Dialogue: 0,0:03:36.100,0:03:42.84,Default,,0000,0000,0000,,functions that are from the SHA family and\Nit's a symmetric world. That's a symmetric
Dialogue: 0,0:03:42.84,0:03:47.59,Default,,0000,0000,0000,,side of things. Now you also have\Nasymmetric crypto because if you look at
Dialogue: 0,0:03:47.59,0:03:54.04,Default,,0000,0000,0000,,symmetric crypto, you have this secret\Nkey, but you don't actually have a way of
Dialogue: 0,0:03:54.04,0:03:59.80,Default,,0000,0000,0000,,getting two parties having the same secret\Nkey. And it's where asymmetric crypto
Dialogue: 0,0:03:59.80,0:04:05.53,Default,,0000,0000,0000,,comes into play. So, you can use\Nasymmetric crypto, among other things, to
Dialogue: 0,0:04:05.53,0:04:14.54,Default,,0000,0000,0000,,exchange this secret key. So asymmetric\Ncrypto uses a key pair: a public key that
Dialogue: 0,0:04:14.54,0:04:23.95,Default,,0000,0000,0000,,everybody can have and a secret key that \Nonly the recipient can have. So. Yeah,
Dialogue: 0,0:04:23.95,0:04:29.81,Default,,0000,0000,0000,,essentially with the public key you\Nencrypt, for example, the symmetric key,
Dialogue: 0,0:04:29.81,0:04:36.53,Default,,0000,0000,0000,,and with the private key you decrypt, and\Nhere it feels a bit more difficult.
Dialogue: 0,0:04:36.53,0:04:41.84,Default,,0000,0000,0000,,There's not only two algorithms that are\Nbeing used, but there's an entire zoo of
Dialogue: 0,0:04:41.84,0:04:51.18,Default,,0000,0000,0000,,algorithms used. So, let's look at the zoo\Nreal quick. Probably some of these terms
Dialogue: 0,0:04:51.18,0:04:57.45,Default,,0000,0000,0000,,you've already heard: Curve25519 is pretty\Nbig; maybe you've used RSA before, Diffie-
Dialogue: 0,0:04:57.45,0:05:04.34,Default,,0000,0000,0000,,Hellman, that sort of thing. So there's\Nthis big zoo of different kinds of schemes
Dialogue: 0,0:05:04.34,0:05:10.67,Default,,0000,0000,0000,,in asymmetric crypto that it can use for\Ndifferent things. Sometimes there are
Dialogue: 0,0:05:10.67,0:05:13.77,Default,,0000,0000,0000,,different schemes that you can use for the\Nsame thing, or you can use one scheme for
Dialogue: 0,0:05:13.77,0:05:19.19,Default,,0000,0000,0000,,different things. So it's a bit more\Ncomplicated to make an overview of the
Dialogue: 0,0:05:19.19,0:05:26.22,Default,,0000,0000,0000,,algorithms. But, if you look at the zoo,\Npeople seem to be happy, right? Oh, they
Dialogue: 0,0:05:26.22,0:05:30.51,Default,,0000,0000,0000,,look around, they have a look, things seem\Nto work, it's a happy world. So why would
Dialogue: 0,0:05:30.51,0:05:35.12,Default,,0000,0000,0000,,you want to change that? And in post-\Nquantum crypto, we actually want to change
Dialogue: 0,0:05:35.12,0:05:41.70,Default,,0000,0000,0000,,the asymmetric crypto fundamentally. Well,\Nthere's one big problem with this zoo, and
Dialogue: 0,0:05:41.70,0:05:48.78,Default,,0000,0000,0000,,it's not in the zoo, but it's coming for\Nthe zoo. So there's this guy, Peter Shore,
Dialogue: 0,0:05:48.78,0:05:58.06,Default,,0000,0000,0000,,and he's threatening the zoo. He's about\Nto destroy it and everything in it. And
Dialogue: 0,0:05:58.06,0:06:04.70,Default,,0000,0000,0000,,why is that? Well, we have this big zoo of\Nasymmetric crypto, right? But if you look
Dialogue: 0,0:06:04.70,0:06:11.84,Default,,0000,0000,0000,,at the different schemes in detail, you\Nactually see that they are only based on
Dialogue: 0,0:06:11.84,0:06:17.41,Default,,0000,0000,0000,,two mathematical problems. And that is\Ninteger factorization and the discrete
Dialogue: 0,0:06:17.41,0:06:22.35,Default,,0000,0000,0000,,logarithm. We don't have to we don't have\Nthe time to go into much detail on those,
Dialogue: 0,0:06:22.35,0:06:27.78,Default,,0000,0000,0000,,but you have to know that the entire\Nasymmetric crypto zoo is based on two
Dialogue: 0,0:06:27.78,0:06:35.68,Default,,0000,0000,0000,,problems. And, coincidentally, Peter\NShore, defined an algorithm, a quantum
Dialogue: 0,0:06:35.68,0:06:41.34,Default,,0000,0000,0000,,algorithm, that breaks those two problems\Nand all cryptography that's based on them.
Dialogue: 0,0:06:41.34,0:06:50.94,Default,,0000,0000,0000,,So all of today's crypto is actually\Nbroken if we can use Shore's algorithm.
Dialogue: 0,0:06:50.94,0:06:55.88,Default,,0000,0000,0000,,Now Shore's algorithm is a quantum\Nalgorithm. That means we need a large
Dialogue: 0,0:06:55.88,0:07:02.38,Default,,0000,0000,0000,,enough quantum computer for it to work,\Nbut once we have that, all asymmatric
Dialogue: 0,0:07:02.38,0:07:10.53,Default,,0000,0000,0000,,crypto is destroyed. And why should you\Ncare about that? Well, maybe you use one
Dialogue: 0,0:07:10.53,0:07:16.67,Default,,0000,0000,0000,,of those things here. Well, actually you\Ndo, whether you like it or not. You're
Dialogue: 0,0:07:16.67,0:07:21.80,Default,,0000,0000,0000,,watching this stream right now via TLS.\NMaybe you also use things like SSH or
Dialogue: 0,0:07:21.80,0:07:28.58,Default,,0000,0000,0000,,email encryption or VPNs with IPsec or\NWireGuard. Well, Shore's algorithm would
Dialogue: 0,0:07:28.58,0:07:35.72,Default,,0000,0000,0000,,break all of those protocols. Everything.\NAnd you should care because in the modern
Dialogue: 0,0:07:35.72,0:07:41.94,Default,,0000,0000,0000,,information age, essentially everything is\Ndigital communication. All security is
Dialogue: 0,0:07:41.94,0:07:48.63,Default,,0000,0000,0000,,virtually based on cryptography, so, if\NShorezilla and breaks everything, we do
Dialogue: 0,0:07:48.63,0:07:55.10,Default,,0000,0000,0000,,have a huge problem. So the natural\Nquestion that arises is: "when will we
Dialogue: 0,0:07:55.10,0:08:02.61,Default,,0000,0000,0000,,have large quantum computers?" And the\Nanswer is: "we don't know." Different
Dialogue: 0,0:08:02.61,0:08:12.36,Default,,0000,0000,0000,,experts say different things. The opinions\Nvary from within five years to never. But
Dialogue: 0,0:08:12.36,0:08:15.97,Default,,0000,0000,0000,,the truth is, nobody knows. We can't see\Nin the future. We don't have a magic eight
Dialogue: 0,0:08:15.97,0:08:21.40,Default,,0000,0000,0000,,ball there. But we should definitely be\Nprepared for the large quantum computer
Dialogue: 0,0:08:21.40,0:08:26.68,Default,,0000,0000,0000,,because we don't want all of our\Ninformation security to be broken when,
Dialogue: 0,0:08:26.68,0:08:33.43,Default,,0000,0000,0000,,let's say, a large U.S. government agency\Nall of a sudden manages to build a quantum
Dialogue: 0,0:08:33.43,0:08:41.88,Default,,0000,0000,0000,,computer. So post-quantum crypto is all\Nabout designing asymmetric cryptography
Dialogue: 0,0:08:41.88,0:08:48.25,Default,,0000,0000,0000,,that is unaffected by quantum computers.\NOr let's say we hope they are. But we're
Dialogue: 0,0:08:48.25,0:08:52.95,Default,,0000,0000,0000,,pretty certain they should be unaffected.\NThey're certainly unaffected by Shore's
Dialogue: 0,0:08:52.95,0:08:59.23,Default,,0000,0000,0000,,algorithm. So now that you know a little\Nbit about what post-quantum cryptography
Dialogue: 0,0:08:59.23,0:09:07.45,Default,,0000,0000,0000,,is about and why we need it, I want to\Ntalk about Kyber. Kyber is the post-
Dialogue: 0,0:09:07.45,0:09:15.70,Default,,0000,0000,0000,,quantum scheme that is most likely to be\Nadopted in the near future. So the
Dialogue: 0,0:09:15.70,0:09:23.12,Default,,0000,0000,0000,,asymmetric crypto zoo is threatened -\NLet's make a new new zoo, where people can
Dialogue: 0,0:09:23.12,0:09:32.75,Default,,0000,0000,0000,,and people can be happy and live their\Nfulfilled lives. The standardization
Dialogue: 0,0:09:32.75,0:09:38.31,Default,,0000,0000,0000,,organization NIST launched a call a couple\Nof years back for new cryptographic
Dialogue: 0,0:09:38.31,0:09:44.82,Default,,0000,0000,0000,,schemes that are resilient against quantum\Ncomputers. And first schemes are actually
Dialogue: 0,0:09:44.82,0:09:53.27,Default,,0000,0000,0000,,about to be standardized very soon in\Nearly 2022. So, we want to look at one
Dialogue: 0,0:09:53.27,0:10:00.83,Default,,0000,0000,0000,,scheme that is about to be standardized,\Nand it's called Kyber. Now why are looking
Dialogue: 0,0:10:00.83,0:10:09.73,Default,,0000,0000,0000,,at exactly that scheme? Well, it's very\Nfast, and the public and private key sizes
Dialogue: 0,0:10:09.73,0:10:15.34,Default,,0000,0000,0000,,are not too big, meaning you can actually\Nuse it in real world projects, which is
Dialogue: 0,0:10:15.34,0:10:21.20,Default,,0000,0000,0000,,not always the case for all post-quantum\Nschemes. So it is already, even though
Dialogue: 0,0:10:21.20,0:10:26.17,Default,,0000,0000,0000,,it's not, it's standardized, it has\Nalready seen some adoption in industry.
Dialogue: 0,0:10:26.17,0:10:31.73,Default,,0000,0000,0000,,And it's a lattice-based scheme. And right\Nnow it looks a little bit like lattice is
Dialogue: 0,0:10:31.73,0:10:36.15,Default,,0000,0000,0000,,going to be the future. If you don't know\Nwhat a lot of space scheme is, that's
Dialogue: 0,0:10:36.15,0:10:44.22,Default,,0000,0000,0000,,really fine; Krijn is going to tell you in\Nthe end. So, that was the fun part of our
Dialogue: 0,0:10:44.22,0:10:48.61,Default,,0000,0000,0000,,presentation, the easygoing part. Now we\Nneed to roll up our sleeves, we need to
Dialogue: 0,0:10:48.61,0:10:56.63,Default,,0000,0000,0000,,get our hands dirty and we need some\Nmathematics. And for that, I'm going to
Dialogue: 0,0:10:56.63,0:11:03.85,Default,,0000,0000,0000,,give the mic - turn over to Krijn. (How do\Nyou say that? Give it to Krijn? I don't
Dialogue: 0,0:11:03.85,0:11:08.14,Default,,0000,0000,0000,,know.) Bye.\NKrijn Reijnders: So, now we need maths. So
Dialogue: 0,0:11:08.14,0:11:13.11,Default,,0000,0000,0000,,let's start. What we need in Kyber are\Npolynomials, and we need to work with
Dialogue: 0,0:11:13.11,0:11:17.96,Default,,0000,0000,0000,,polynomials. But actually, you can think\Nof polynomials just like you do of as
Dialogue: 0,0:11:17.96,0:11:23.51,Default,,0000,0000,0000,,numbers. What do I mean with that? I mean\Nthat you can just multiply them and you
Dialogue: 0,0:11:23.51,0:11:29.97,Default,,0000,0000,0000,,can also just add them together like you\Ndo with numbers. And just as we do with
Dialogue: 0,0:11:29.97,0:11:35.48,Default,,0000,0000,0000,,numbers in pre- quantum cryptography, when\Nthey get too big, we reduced them. We do
Dialogue: 0,0:11:35.48,0:11:40.97,Default,,0000,0000,0000,,this modulo operation. We'll do the same\Nfor the coefficients in the polynomials,
Dialogue: 0,0:11:40.97,0:11:45.36,Default,,0000,0000,0000,,but also, when the degree of a polynomial\Ngets too big, we will reduce them by
Dialogue: 0,0:11:45.36,0:11:51.11,Default,,0000,0000,0000,,another polynomial. So we have a modulo\Noperation with polynomials, and in this
Dialogue: 0,0:11:51.11,0:11:56.60,Default,,0000,0000,0000,,way you can do all kinds of things with\Npolynomials. And that's actually all of
Dialogue: 0,0:11:56.60,0:12:01.72,Default,,0000,0000,0000,,the mathematics that we all need\Nfundamentally to work with Kyber. What do
Dialogue: 0,0:12:01.72,0:12:06.90,Default,,0000,0000,0000,,I mean by that? Well, if you can do\Nmultiplication and addition, then you can
Dialogue: 0,0:12:06.90,0:12:11.73,Default,,0000,0000,0000,,also do these things like we do for\Nnumbers with matrices and vectors, so we
Dialogue: 0,0:12:11.73,0:12:17.40,Default,,0000,0000,0000,,can multiply a matrix with a vector and\Nadd another vector. And this works the
Dialogue: 0,0:12:17.40,0:12:21.49,Default,,0000,0000,0000,,same for these polynomials, so you can\Nhave a matrix full of polynomials and a
Dialogue: 0,0:12:21.49,0:12:25.93,Default,,0000,0000,0000,,vector full of polynomials, and you can\Njust multiply them together, add another
Dialogue: 0,0:12:25.93,0:12:30.38,Default,,0000,0000,0000,,vector. It's just this basic operation of\Nmultiplication and addition of
Dialogue: 0,0:12:30.38,0:12:37.76,Default,,0000,0000,0000,,polynomials. It looks a bit more\Ncomplicated, but that's it. And then,
Dialogue: 0,0:12:37.76,0:12:42.21,Default,,0000,0000,0000,,let's say we do this, we have a matrix and\Nwe multiplied by a vector and we add
Dialogue: 0,0:12:42.21,0:12:46.42,Default,,0000,0000,0000,,another small vector. Now if I give you\Nthe end result of this computation, and I
Dialogue: 0,0:12:46.42,0:12:51.77,Default,,0000,0000,0000,,give you this matrix that we started with,\Nit's actually very hard to recover the
Dialogue: 0,0:12:51.77,0:12:56.14,Default,,0000,0000,0000,,vector that we've multiplied the matrix\Nwith. And this is the fundamental problem
Dialogue: 0,0:12:56.14,0:13:02.20,Default,,0000,0000,0000,,that we need in Kyber. And it's called\Nmodule-learning-with-errors. I know this
Dialogue: 0,0:13:02.20,0:13:06.78,Default,,0000,0000,0000,,name does not make a lot of sense, but\Napparently mathematicians thinks it does
Dialogue: 0,0:13:06.78,0:13:15.11,Default,,0000,0000,0000,,aptly describe the problem. So this\Nmatrix, we call it 'A', this secret vector
Dialogue: 0,0:13:15.11,0:13:19.44,Default,,0000,0000,0000,,of ours, we call it 's', then we need to\Nadd a small error term so that it's not
Dialogue: 0,0:13:19.44,0:13:24.00,Default,,0000,0000,0000,,too easy to solve this problem, and then\Nwe get a public value again, which we call
Dialogue: 0,0:13:24.00,0:13:32.70,Default,,0000,0000,0000,,'t'. This gets you the equation A times s\Nplus e equals t. And then the public key
Dialogue: 0,0:13:32.70,0:13:38.73,Default,,0000,0000,0000,,pair is this matrix 'A' and this end\Nresult 't', and the private key is our
Dialogue: 0,0:13:38.73,0:13:45.63,Default,,0000,0000,0000,,secret vector, 's'. That's all that we\Nneed to generate a key pair in Kyber. We
Dialogue: 0,0:13:45.63,0:13:48.89,Default,,0000,0000,0000,,need to ensure actually that the private\Nkey pair has small coefficient, and that
Dialogue: 0,0:13:48.89,0:13:55.57,Default,,0000,0000,0000,,also makes it very compact to transmit.\NAnd also, this error has small
Dialogue: 0,0:13:55.57,0:14:01.57,Default,,0000,0000,0000,,coefficients. For the rest of the\Npresentation: These error terms, they are
Dialogue: 0,0:14:01.57,0:14:05.17,Default,,0000,0000,0000,,necessary, but they complicate the\Nequations are a bit too, so we'll just
Dialogue: 0,0:14:05.17,0:14:09.54,Default,,0000,0000,0000,,write them in emojis so that you know what\Nthe errors are and what are the important
Dialogue: 0,0:14:09.54,0:14:15.73,Default,,0000,0000,0000,,values, and now Ruben will explain again:\NHow can we encrypt and decrypt messages
Dialogue: 0,0:14:15.73,0:14:21.68,Default,,0000,0000,0000,,using such a public and private key pair?\NR.G.: OK, our Boomer is back, and he wants
Dialogue: 0,0:14:21.68,0:14:28.55,Default,,0000,0000,0000,,to encrypt something. So, as an example,\Nhe wants to encrypt the letter C. So C is
Dialogue: 0,0:14:28.55,0:14:33.72,Default,,0000,0000,0000,,not a variable, it's literally the letter\N"C" that he wants to encrypt. And as we
Dialogue: 0,0:14:33.72,0:14:38.58,Default,,0000,0000,0000,,learned earlier, to encrypt something, we\Nneed the public key. So we have this
Dialogue: 0,0:14:38.58,0:14:48.08,Default,,0000,0000,0000,,public key, which is the matrix A and the\Nvector t. So first, we need to transform
Dialogue: 0,0:14:48.08,0:14:52.84,Default,,0000,0000,0000,,the letter "C" into some form that Kyber\Ncan work with because we want to encrypt
Dialogue: 0,0:14:52.84,0:14:58.71,Default,,0000,0000,0000,,it with Kyber. So let's first break it\Ndown into binary, right, in a computer,
Dialogue: 0,0:14:58.71,0:15:04.79,Default,,0000,0000,0000,,everything is binary anyways, so let's say\Nwe used to ASCII encoding. So we turn the
Dialogue: 0,0:15:04.79,0:15:10.23,Default,,0000,0000,0000,,letter "C" into a series of ones and\Nzeros. In this case, it's one zero zero
Dialogue: 0,0:15:10.23,0:15:16.61,Default,,0000,0000,0000,,zero zero one one. Now we have binary\Nrepresentation, but Kyber uses those
Dialogue: 0,0:15:16.61,0:15:21.55,Default,,0000,0000,0000,,polynomials, right? So we have to somehow\Nturn this into a polynomial, which turns
Dialogue: 0,0:15:21.55,0:15:28.62,Default,,0000,0000,0000,,out to be quite simple. So we just do a\Nbinary polynomial, so we take the ones and
Dialogue: 0,0:15:28.62,0:15:34.97,Default,,0000,0000,0000,,zeros and use them as coefficients for a\Npolynomial. In this case, you can see the
Dialogue: 0,0:15:34.97,0:15:43.09,Default,,0000,0000,0000,,polynomial on the slides, quite simple. So\None bit is one polynomial coefficient.
Dialogue: 0,0:15:43.09,0:15:48.57,Default,,0000,0000,0000,,Since zero times something is just zero,\Nwhich is just leave out the zero terms and
Dialogue: 0,0:15:48.57,0:15:54.05,Default,,0000,0000,0000,,shrink our polynomial a bit. So we now\Nhave a plain text and we can use within
Dialogue: 0,0:15:54.05,0:15:58.77,Default,,0000,0000,0000,,Kyber, right? The plaintext is a\Npolynomial "x to the power of six plus x
Dialogue: 0,0:15:58.77,0:16:04.88,Default,,0000,0000,0000,,plus one". That's our plain text. We\Nhaven't encrypted anything yet, but we
Dialogue: 0,0:16:04.88,0:16:10.72,Default,,0000,0000,0000,,have a plain text. So now let's us Kyber\Nto encrypt the plain text polynomial.
Dialogue: 0,0:16:10.72,0:16:17.48,Default,,0000,0000,0000,,First, we have to scale it. We have to\Nmake our polynomial big. And we do that
Dialogue: 0,0:16:17.48,0:16:22.76,Default,,0000,0000,0000,,simply by multiplying the polynomial with\Na large factor. So here I chose 1337, it's
Dialogue: 0,0:16:22.76,0:16:29.84,Default,,0000,0000,0000,,arbitrary, depends on the Kyber instance,\Nbut we just multiply every polynomial
Dialogue: 0,0:16:29.84,0:16:37.47,Default,,0000,0000,0000,,coefficient with the large number 1337. So\Nwe have the same polynomial, but with
Dialogue: 0,0:16:37.47,0:16:44.85,Default,,0000,0000,0000,,larger coefficients. So our scale\Nplaintext is 1337 x to the power of, and
Dialogue: 0,0:16:44.85,0:16:51.89,Default,,0000,0000,0000,,so on and so on. So now we do the actual\Nencryption, which in Kyber, it's actually
Dialogue: 0,0:16:51.89,0:16:57.73,Default,,0000,0000,0000,,quite simple. We just sprinkle in some\Nerror terms. As Krijn mentioned earlier,
Dialogue: 0,0:16:57.73,0:17:03.81,Default,,0000,0000,0000,,in our presentation, small error terms are\Nrepresented as emojis. Because they're not
Dialogue: 0,0:17:03.81,0:17:09.11,Default,,0000,0000,0000,,that important, but you should still know\Nthey're there. So our ciphertext is
Dialogue: 0,0:17:09.11,0:17:16.44,Default,,0000,0000,0000,,actually just two values, v, which is a\Npolynomial and u, which is a vector of
Dialogue: 0,0:17:16.44,0:17:24.64,Default,,0000,0000,0000,,polynomials. So, v is the key value from\Nthe public key, multiplied and added with
Dialogue: 0,0:17:24.64,0:17:35.35,Default,,0000,0000,0000,,error terms, and then the actual scale\Nplaintext message is added as well. u is a
Dialogue: 0,0:17:35.35,0:17:40.19,Default,,0000,0000,0000,,matrix from the public key, multiplied\Nwith an error term and an added error
Dialogue: 0,0:17:40.19,0:17:46.87,Default,,0000,0000,0000,,term. You can see the carrot error term\Nappears in both equations. And that's it.
Dialogue: 0,0:17:46.87,0:17:53.60,Default,,0000,0000,0000,,That's our encryption. (v,u) is the\Nencryption of our plaintext. So doing only
Dialogue: 0,0:17:53.60,0:17:58.05,Default,,0000,0000,0000,,encryption would be kind of boring. We\Nprobably also want to decrypt stuff. So,
Dialogue: 0,0:17:58.05,0:18:03.95,Default,,0000,0000,0000,,how do we do that in Kyber? Well, we need\Nthe private key, right? Public key
Dialogue: 0,0:18:03.95,0:18:10.59,Default,,0000,0000,0000,,encrypts, private key decrypts. So we have\Nour ciphertext, those two values v and u.
Dialogue: 0,0:18:10.59,0:18:17.22,Default,,0000,0000,0000,,And in order to decrypt, we first remove\Nthe public key from it. And we do that
Dialogue: 0,0:18:17.22,0:18:25.14,Default,,0000,0000,0000,,just by taking v minus the private key,\Nmultiplied by u. And if I spell out the
Dialogue: 0,0:18:25.14,0:18:34.10,Default,,0000,0000,0000,,equations, they become quite long. But as\Nyou can see, if you think about the emojis
Dialogue: 0,0:18:34.10,0:18:40.29,Default,,0000,0000,0000,,as error terms is that most of the public\Nkey, or actually the entire public key,
Dialogue: 0,0:18:40.29,0:18:49.48,Default,,0000,0000,0000,,kind of cancels out. So, and d, here on\Nthe slide, is the end result of the
Dialogue: 0,0:18:49.48,0:18:59.90,Default,,0000,0000,0000,,calculations of v minus private key times\Nu. And so we have our message in d, which
Dialogue: 0,0:18:59.90,0:19:04.02,Default,,0000,0000,0000,,is the plain text, but we also have these\Nerror terms laying around and the private
Dialogue: 0,0:19:04.02,0:19:12.38,Default,,0000,0000,0000,,key. Now one core observation is\Nimportant. I mentioned earlier that error
Dialogue: 0,0:19:12.38,0:19:19.31,Default,,0000,0000,0000,,terms are all small, meaning they're\Npolynomials with small coefficients. And
Dialogue: 0,0:19:19.31,0:19:25.58,Default,,0000,0000,0000,,the private key also has polynomials with\Nsmall coefficients. So here on the slide,
Dialogue: 0,0:19:25.58,0:19:32.14,Default,,0000,0000,0000,,everything on the right side is actually\Nsmall, but our plain text is large because
Dialogue: 0,0:19:32.14,0:19:39.11,Default,,0000,0000,0000,,we scaled it earlier. We multiplied it\Nwith a large number 1337. So simply by
Dialogue: 0,0:19:39.11,0:19:46.17,Default,,0000,0000,0000,,kind of rounding everything, we get our\Nscaled plaintext back, because these terms
Dialogue: 0,0:19:46.17,0:19:56.83,Default,,0000,0000,0000,,are small. So just by rounding, we get our\Nscaled plaintext back. And then we have
Dialogue: 0,0:19:56.83,0:20:02.99,Default,,0000,0000,0000,,essentially decrypted. What we now have to\Ndo is just turn it back into the original
Dialogue: 0,0:20:02.99,0:20:11.59,Default,,0000,0000,0000,,text, so we scale down, divide every\Ncoefficient by 1337. We bring back to zero
Dialogue: 0,0:20:11.59,0:20:19.35,Default,,0000,0000,0000,,terms, so every coefficient that is not in\Nthe polynomial has a zero. Yeah, every
Dialogue: 0,0:20:19.35,0:20:23.45,Default,,0000,0000,0000,,term that is not in the polynomial has a\Nzero coefficient. So we bring back the
Dialogue: 0,0:20:23.45,0:20:28.85,Default,,0000,0000,0000,,zeros and then from the binary polynomial,\Nwe can just read out the ones and zeros
Dialogue: 0,0:20:28.85,0:20:37.00,Default,,0000,0000,0000,,from the coefficients. We have back binary\Ncode and this binary now we can decode
Dialogue: 0,0:20:37.00,0:20:46.23,Default,,0000,0000,0000,,again using the ASCII, for example, and we\Nhave our plaintext back. And that's how
Dialogue: 0,0:20:46.23,0:20:54.15,Default,,0000,0000,0000,,Kyber decrypts. And then we can decode the\NKyber plaintext into your original
Dialogue: 0,0:20:54.15,0:21:01.17,Default,,0000,0000,0000,,message, which was a "C". So how does\NKyber looks like for the home consumer?
Dialogue: 0,0:21:01.17,0:21:06.69,Default,,0000,0000,0000,,Well, Kyber comes in three flavors, three\Ndifferent security levels. There's
Dialogue: 0,0:21:06.69,0:21:15.62,Default,,0000,0000,0000,,Kyber512 until Kyber1024. So, in\Ncryptography usually security is measured
Dialogue: 0,0:21:15.62,0:21:22.70,Default,,0000,0000,0000,,in bits. Sometimes it's related to how\Nstrong AES is. So the lowest acceptable
Dialogue: 0,0:21:22.70,0:21:30.44,Default,,0000,0000,0000,,acceptable security level for us is 128\Nbit and the strongest security level we
Dialogue: 0,0:21:30.44,0:21:38.39,Default,,0000,0000,0000,,use in practice is 256 bit. So Kyber512\Nhas around 128 bit security and Kyber1024
Dialogue: 0,0:21:38.39,0:21:48.70,Default,,0000,0000,0000,,as around 256 bit of security. Now that's\Nwhat the end user needs to know. But I
Dialogue: 0,0:21:48.70,0:21:52.63,Default,,0000,0000,0000,,also want to show you what these\Nsecurities actually mean in terms of
Dialogue: 0,0:21:52.63,0:21:58.24,Default,,0000,0000,0000,,Kyber, because Kyber instances are mainly\Ndefined by three variables: n, k, and q.
Dialogue: 0,0:21:58.24,0:22:04.71,Default,,0000,0000,0000,,And what do those mean? Well, n just means\Nthe degree of the polynomials used within
Dialogue: 0,0:22:04.71,0:22:14.53,Default,,0000,0000,0000,,Kyber. So 256 means we have exponents x to\Nthe power of maximum 256. So polynomials
Dialogue: 0,0:22:14.53,0:22:25.23,Default,,0000,0000,0000,,are quite large. 256 coefficients we can\Nstore. k means the size of the vector. So
Dialogue: 0,0:22:25.23,0:22:29.41,Default,,0000,0000,0000,,as you've seen, Kyber uses not only\Npolynomials, but also vectors of
Dialogue: 0,0:22:29.41,0:22:38.35,Default,,0000,0000,0000,,polynomials. So essentially lists of\Nmultiple polynomials. And in Kyber, the k
Dialogue: 0,0:22:38.35,0:22:46.20,Default,,0000,0000,0000,,variable says how many polynomials are in\Nsuch a vector. q is the modulus for the
Dialogue: 0,0:22:46.20,0:22:55.69,Default,,0000,0000,0000,,numbers. I mean, we have coefficients,\Nright? And how big can this coefficients get?
Dialogue: 0,0:22:55.69,0:23:03.35,Default,,0000,0000,0000,,So the largest coefficient that is used\Nwithin Kyber would be 3328 because we take
Dialogue: 0,0:23:03.35,0:23:10.78,Default,,0000,0000,0000,,it modulo 3329. So as you can see, in\NKyber, we don't have to deal with big
Dialogue: 0,0:23:10.78,0:23:15.95,Default,,0000,0000,0000,,numbers, actually. We have to do with a\Npre-quantum cryptography, we have to deal
Dialogue: 0,0:23:15.95,0:23:25.48,Default,,0000,0000,0000,,a lot with huge numbers. Here, the numbers\Nare not that big. Also important is size
Dialogue: 0,0:23:25.48,0:23:33.36,Default,,0000,0000,0000,,to speed tradeoffs. Now here you can see a\Nbar chart of public key, private key and
Dialogue: 0,0:23:33.36,0:23:42.33,Default,,0000,0000,0000,,ciphertext sizes of an elliptic curve\Nscheme, Curve25519, RSA, and kyber in
Dialogue: 0,0:23:42.33,0:23:47.12,Default,,0000,0000,0000,,smallest security level. So those three\Nsecurity schemes are the same security
Dialogue: 0,0:23:47.12,0:23:52.45,Default,,0000,0000,0000,,level, but as you can see, elliptic curve\Ncrypto is really tiny, RSA is somewhat
Dialogue: 0,0:23:52.45,0:23:58.61,Default,,0000,0000,0000,,bigger, an Kyber is even bigger. But if we\Ngo to the highest security level, you see
Dialogue: 0,0:23:58.61,0:24:09.97,Default,,0000,0000,0000,,that Kyber is actually very comparable to\NRSA. However, ecc is still a lot smaller.
Dialogue: 0,0:24:09.97,0:24:15.46,Default,,0000,0000,0000,,But you don't only care about sizes, you\Nalso care about speed, you care about
Dialogue: 0,0:24:15.46,0:24:24.07,Default,,0000,0000,0000,,speed even more. And if we compare the\Nsame security level in Kyber, in elliptic
Dialogue: 0,0:24:24.07,0:24:30.33,Default,,0000,0000,0000,,curve crypto and in RSA, we can see that\NKyber is on fire. Kyber is really, really
Dialogue: 0,0:24:30.33,0:24:37.90,Default,,0000,0000,0000,,fast. So we can throw out RSA and just\Ncompare elliptic curve crypto to Kyber,
Dialogue: 0,0:24:37.90,0:24:44.09,Default,,0000,0000,0000,,and we can see Kyber is even faster than\Nelliptic crypto, which is quite impressive
Dialogue: 0,0:24:44.09,0:24:49.65,Default,,0000,0000,0000,,because ellipctic crypto is already quite\Nfast. And, even more, we can see that the
Dialogue: 0,0:24:49.65,0:24:55.73,Default,,0000,0000,0000,,highest security level of Kyber is faster\Nthan the lowest security level of elliptic
Dialogue: 0,0:24:55.73,0:25:04.80,Default,,0000,0000,0000,,curve crypto. So Kyber - fast as hell. I\Nknow benchmarks are difficult. We have
Dialogue: 0,0:25:04.80,0:25:13.49,Default,,0000,0000,0000,,different kinds of platforms, but as an\Nintuition: Kyber is really fast. So the
Dialogue: 0,0:25:13.49,0:25:18.51,Default,,0000,0000,0000,,thing I want to mention is that Kyber\Nsource code is available online. You can
Dialogue: 0,0:25:18.51,0:25:24.70,Default,,0000,0000,0000,,download it from GitHub, for example, from\Nthe PQClean Project, which has AVX
Dialogue: 0,0:25:24.70,0:25:34.68,Default,,0000,0000,0000,,optimized implementations for desktop\NCPUs, from the pqm4 project, which is the
Dialogue: 0,0:25:34.68,0:25:40.16,Default,,0000,0000,0000,,optimized implementation for ARM-based\Nembedded processors, or there's also a
Dialogue: 0,0:25:40.16,0:25:48.10,Default,,0000,0000,0000,,reference C implementation in the pq-\Ncrystals project. And, last but not least,
Dialogue: 0,0:25:48.10,0:25:52.83,Default,,0000,0000,0000,,the specification, the documentation, the\Ncode, everything is licensed under
Dialogue: 0,0:25:52.83,0:25:58.86,Default,,0000,0000,0000,,Creative Commons zero, meaning that it's\Npublic domain. So there is zero license or
Dialogue: 0,0:25:58.86,0:26:03.95,Default,,0000,0000,0000,,patenting issues with Kyber, it's just\Npublic domain. You can clone and do
Dialogue: 0,0:26:03.95,0:26:10.78,Default,,0000,0000,0000,,whatever you want with it. It's quite\Nnice. So that was it about Kyber, now
Dialogue: 0,0:26:10.78,0:26:16.87,Default,,0000,0000,0000,,Krijn is going to tell you more about what\Nactually lattices are and why Kyber is
Dialogue: 0,0:26:16.87,0:26:27.11,Default,,0000,0000,0000,,actually secure the way it is.\NKrijn: OK, so that was Kyber. And we've
Dialogue: 0,0:26:27.11,0:26:30.86,Default,,0000,0000,0000,,been talking a lot about polynomials, but\Nwe haven't talked so much yet about
Dialogue: 0,0:26:30.86,0:26:35.88,Default,,0000,0000,0000,,lattices. But we did say that Kyber was a\Nlattice based scheme. So what do lattices
Dialogue: 0,0:26:35.88,0:26:39.54,Default,,0000,0000,0000,,have to do with all of this polynomial\Nstuff? And why do we think it's secure
Dialogue: 0,0:26:39.54,0:26:45.42,Default,,0000,0000,0000,,because of this being lattice based? Well,\Nlet's go back to these numbers that we
Dialogue: 0,0:26:45.42,0:26:49.66,Default,,0000,0000,0000,,used for a second, just because they make\Nthese things more understandable and
Dialogue: 0,0:26:49.66,0:26:56.00,Default,,0000,0000,0000,,intuitive. We had this matrix\Nmultiplication. We multiplied the matrix
Dialogue: 0,0:26:56.00,0:27:00.17,Default,,0000,0000,0000,,with a vector. Now let's say we do this\Nfor numbers, right? We have this matrix
Dialogue: 0,0:27:00.17,0:27:05.40,Default,,0000,0000,0000,,13, 4, 2, 9 and we multiplied by a, b.\NWell, actually, what you could also see
Dialogue: 0,0:27:05.40,0:27:13.25,Default,,0000,0000,0000,,here is that you multiply the vector 13\Nover 2 a times and then add the vector 4
Dialogue: 0,0:27:13.25,0:27:17.79,Default,,0000,0000,0000,,over 9 b times. And as you see in the\Nimage, like, you can make different
Dialogue: 0,0:27:17.79,0:27:22.55,Default,,0000,0000,0000,,combinations of that. So if you take a = 1\Nand b = 1, you get the point on the top
Dialogue: 0,0:27:22.55,0:27:29.53,Default,,0000,0000,0000,,right corner and then you can do this for\Na = 2 and b = 1, then 3 and 4 infinitely.
Dialogue: 0,0:27:29.53,0:27:35.15,Default,,0000,0000,0000,,And then you would get all of these dots\Nspread out over the cartesian plane, and
Dialogue: 0,0:27:35.15,0:27:39.64,Default,,0000,0000,0000,,it would go on infinitely in these\Ndimensions. So you would get infinite
Dialogue: 0,0:27:39.64,0:27:49.74,Default,,0000,0000,0000,,number of points just by giving these two\Noriginal vectors 13, 2 and 4, 9. Now, our
Dialogue: 0,0:27:49.74,0:27:54.93,Default,,0000,0000,0000,,secret key s was just actually then a way\Nto pick one of these points, because we
Dialogue: 0,0:27:54.93,0:27:58.99,Default,,0000,0000,0000,,said, well, the Matrix a that we had in\Nthe public key, it describes some sort of
Dialogue: 0,0:27:58.99,0:28:06.31,Default,,0000,0000,0000,,lattice. And then the secret key s\Ndescribed actually a specific point: a
Dialogue: 0,0:28:06.31,0:28:11.24,Default,,0000,0000,0000,,number of times the first vector, plus a\Nnumber of times the second vector. Then
Dialogue: 0,0:28:11.24,0:28:16.16,Default,,0000,0000,0000,,what does this error term do? Well, you\Nknow, it shifts just a bit from this
Dialogue: 0,0:28:16.16,0:28:22.60,Default,,0000,0000,0000,,lattice point that we were at and then we\Nget the end result t over there. And now
Dialogue: 0,0:28:22.60,0:28:28.74,Default,,0000,0000,0000,,it's very difficult actually to get back\Nfrom t to this vector s. We know that it's
Dialogue: 0,0:28:28.74,0:28:35.81,Default,,0000,0000,0000,,the closest vector to this given point t\Nin this lattice described by a. But this
Dialogue: 0,0:28:35.81,0:28:40.20,Default,,0000,0000,0000,,problem of finding the closest vector in\Nthe lattice and in a random letters is
Dialogue: 0,0:28:40.20,0:28:44.84,Default,,0000,0000,0000,,actually very hard. And this is what we\Ncall the closest vector problem, which is
Dialogue: 0,0:28:44.84,0:28:51.15,Default,,0000,0000,0000,,a very good name because we're looking for\Nthe closest vector. So for this two
Dialogue: 0,0:28:51.15,0:28:56.22,Default,,0000,0000,0000,,dimensional example, we had the matrix e\Nand the vector t in the public key, and we
Dialogue: 0,0:28:56.22,0:29:01.52,Default,,0000,0000,0000,,had the vector s in the private key and\Nthat was hidden by this small error term.
Dialogue: 0,0:29:01.52,0:29:07.85,Default,,0000,0000,0000,,So to recap: a gives you these initial\Nvectors, which you can use to describe the
Dialogue: 0,0:29:07.85,0:29:13.91,Default,,0000,0000,0000,,lattice, s gives you a secret point in\Nthat lattice. The error makes sure that
Dialogue: 0,0:29:13.91,0:29:20.46,Default,,0000,0000,0000,,you're close to a lattice point, but not\Ntoo far away. And then we get the end
Dialogue: 0,0:29:20.46,0:29:24.89,Default,,0000,0000,0000,,result t, which is this public point and\Nthen getting back from this information of
Dialogue: 0,0:29:24.89,0:29:32.23,Default,,0000,0000,0000,,this lattice and t to s is the closest\Nvector problem, in a nutshell. You may be
Dialogue: 0,0:29:32.23,0:29:37.87,Default,,0000,0000,0000,,thinking now, OK, this is for numbers I\Ncan see this right. It's just these dots
Dialogue: 0,0:29:37.87,0:29:44.20,Default,,0000,0000,0000,,in this plane. For dimension two OK, I get\Nit. For Dimension three you can think of a
Dialogue: 0,0:29:44.20,0:29:50.84,Default,,0000,0000,0000,,third dimension. Though we were talking\Nabout dimension n way larger than 3 and
Dialogue: 0,0:29:50.84,0:29:56.02,Default,,0000,0000,0000,,polynomials instead of numbers. And how do\Nwe visualize this? And the truth is we
Dialogue: 0,0:29:56.02,0:30:02.09,Default,,0000,0000,0000,,don't actually, but we do know how to\Ncompute it, which was just this
Dialogue: 0,0:30:02.09,0:30:06.84,Default,,0000,0000,0000,,multiplication and addition of\Npolynomials. So we just compute it and we
Dialogue: 0,0:30:06.84,0:30:11.82,Default,,0000,0000,0000,,kind of think of it as a lattice\Nabstractly, but not visually. Now let's
Dialogue: 0,0:30:11.82,0:30:15.84,Default,,0000,0000,0000,,finish with a short look at the future of\Nasymmetric crypto, and let's go back to
Dialogue: 0,0:30:15.84,0:30:20.61,Default,,0000,0000,0000,,the post-quantum crypto zoo that we had.\NWe already took a look at Kyber, but there
Dialogue: 0,0:30:20.61,0:30:25.74,Default,,0000,0000,0000,,was also other cryptographic primitives\Nsuch as Rainbow, Falcon, and SABER and
Dialogue: 0,0:30:25.74,0:30:29.94,Default,,0000,0000,0000,,Dilithium, NTRU, McEliece. Among them,\Nthere are signature schemes, but also
Dialogue: 0,0:30:29.94,0:30:33.87,Default,,0000,0000,0000,,these key exchange mechanisms. Actually,\Nthis zoo is quite different from the one
Dialogue: 0,0:30:33.87,0:30:37.69,Default,,0000,0000,0000,,that we had pre-quantum, the one that we\Nhad pre-quantum as we explained was based
Dialogue: 0,0:30:37.69,0:30:42.90,Default,,0000,0000,0000,,on mostly integer factorization and a\Ndiscrete logarithm problem. But in the
Dialogue: 0,0:30:42.90,0:30:48.30,Default,,0000,0000,0000,,post-quantum setting, we have a variety of\Nproblems. We have hash based cryptography,
Dialogue: 0,0:30:48.30,0:30:52.15,Default,,0000,0000,0000,,lattice based cryptography, code based\Ncryptography, multivariate based
Dialogue: 0,0:30:52.15,0:30:54.84,Default,,0000,0000,0000,,cryptography, and isogeny based\Ncryptography. And these are five quite
Dialogue: 0,0:30:54.84,0:30:59.75,Default,,0000,0000,0000,,different flavors of cryptography, with\Nalso different underlying mathematical
Dialogue: 0,0:30:59.75,0:31:06.22,Default,,0000,0000,0000,,problems. But post-quantum crypto is\Ncoming. For example, Amazon has already
Dialogue: 0,0:31:06.22,0:31:11.50,Default,,0000,0000,0000,,implemented some of the round two\Ncandidates, such as Kyber in post-quantum
Dialogue: 0,0:31:11.50,0:31:17.96,Default,,0000,0000,0000,,TLS. And also the BSI, which is the German\NMinistry for Information Security, has put
Dialogue: 0,0:31:17.96,0:31:23.39,Default,,0000,0000,0000,,out a proposal to integrate post-quantum\Ncryptography into Thunderbird as their
Dialogue: 0,0:31:23.39,0:31:28.59,Default,,0000,0000,0000,,mail client. And even NIST has the\Nfollowing quote that if you haven't
Dialogue: 0,0:31:28.59,0:31:33.52,Default,,0000,0000,0000,,migrated to elliptic curve cryptography\Nyet, don't bother, just directly migrate
Dialogue: 0,0:31:33.52,0:31:40.16,Default,,0000,0000,0000,,to post-quantum crypto. And that wraps up\Nour presentation on post-quantum crypto
Dialogue: 0,0:31:40.16,0:31:45.22,Default,,0000,0000,0000,,and Kyber. If you want to do some further\Nreading, there is a link here to a blog
Dialogue: 0,0:31:45.22,0:31:50.92,Default,,0000,0000,0000,,that goes a bit more in-depth in how Kyber\Nworks and has a very small example. Just
Dialogue: 0,0:31:50.92,0:31:55.34,Default,,0000,0000,0000,,as we've shown you in this video. Thank\Nyou for your attention and we'll take some
Dialogue: 0,0:31:55.34,0:31:58.20,Default,,0000,0000,0000,,questions now.
Dialogue: 0,0:31:58.20,0:32:00.59,Default,,0000,0000,0000,,Question: So why should I care about this\Nnow?
Dialogue: 0,0:32:00.59,0:32:05.64,Default,,0000,0000,0000,,Ruben: Well, that's an excellent question.\NWell, as we know from the Snowden leaks,
Dialogue: 0,0:32:05.64,0:32:16.43,Default,,0000,0000,0000,,the NSA is currently recording a lot of\Ninternet traffic that is encrypted, and
Dialogue: 0,0:32:16.43,0:32:20.51,Default,,0000,0000,0000,,they're recording this encrypted traffic\Nin the hopes of being able to decrypt it
Dialogue: 0,0:32:20.51,0:32:25.75,Default,,0000,0000,0000,,later. For example, using a large quantum\Ncomputer. So first, we have to care about
Dialogue: 0,0:32:25.75,0:32:30.48,Default,,0000,0000,0000,,this now because our internet traffic is\Nalready recorded and could be broken
Dialogue: 0,0:32:30.48,0:32:36.97,Default,,0000,0000,0000,,later. And second, we have to care about\Nthis now because transition, especially
Dialogue: 0,0:32:36.97,0:32:41.31,Default,,0000,0000,0000,,when it comes to cryptography, is really\Nslow because standardization takes a lot
Dialogue: 0,0:32:41.31,0:32:47.02,Default,,0000,0000,0000,,of time. Implementation takes a lot of\Ntime, and adoption takes a lot of time. So
Dialogue: 0,0:32:47.02,0:32:52.05,Default,,0000,0000,0000,,that's why we have to care now.\NQuestion: But are there any downsides?
Dialogue: 0,0:32:52.05,0:32:56.25,Default,,0000,0000,0000,,Krijn: Another very good question.\NActually, yeah, there are some downsides,
Dialogue: 0,0:32:56.25,0:33:01.94,Default,,0000,0000,0000,,but they're not too big. Usually, the keys\Nare a bit larger than we are used to. In
Dialogue: 0,0:33:01.94,0:33:06.69,Default,,0000,0000,0000,,some cases even much larger than we are\Nused to. And the speed is a bit worse than
Dialogue: 0,0:33:06.69,0:33:14.77,Default,,0000,0000,0000,,we are used to. In some schemes, even much\Nslower than we are used to. But while this
Dialogue: 0,0:33:14.77,0:33:19.57,Default,,0000,0000,0000,,is already being adopted, it is also still\Na very active area of research and we are
Dialogue: 0,0:33:19.57,0:33:24.97,Default,,0000,0000,0000,,continuously trying to make the keys\Nsmaller and the schemes more efficient. In
Dialogue: 0,0:33:24.97,0:33:29.60,Default,,0000,0000,0000,,the hopes that we in the end, get very\Nefficient schemes that will solve all of
Dialogue: 0,0:33:29.60,0:33:33.38,Default,,0000,0000,0000,,our post-quantum problems. Why didn't you\Nlet me eat the lettuce?
Dialogue: 0,0:33:33.38,0:33:42.69,Default,,0000,0000,0000,,Ruben: It's my lettuce! Okay, now eat it\Nfor the camera, you can eat one. But it's
Dialogue: 0,0:33:42.69,0:33:49.98,Default,,0000,0000,0000,,not washed.\NHerald: Okay, thank you. The first
Dialogue: 0,0:33:49.98,0:33:54.65,Default,,0000,0000,0000,,question we got from the internet is: Why\Nare you using seven bit ASCII instead of
Dialogue: 0,0:33:54.65,0:33:59.10,Default,,0000,0000,0000,,Unicode?\NRuben: So in that case of the letter c
Dialogue: 0,0:33:59.10,0:34:05.34,Default,,0000,0000,0000,,that wouldn't make a difference anyways.\NWe just prefer to use ASCII because we
Dialogue: 0,0:34:05.34,0:34:10.34,Default,,0000,0000,0000,,really, really want to piss off the\NEuropean people because all of these
Dialogue: 0,0:34:10.34,0:34:17.94,Default,,0000,0000,0000,,umlauts and that kind of stuff. Of course,\Nthey're unnecessary. So ASCII forever.
Dialogue: 0,0:34:17.94,0:34:24.81,Default,,0000,0000,0000,,Herald: I'm surprised that both of us\NEuropeans as well, but let's not get to
Dialogue: 0,0:34:24.81,0:34:34.46,Default,,0000,0000,0000,,the nationalism bit and carry on with the\Nnext question, which is, by the way, how
Dialogue: 0,0:34:34.46,0:34:40.39,Default,,0000,0000,0000,,can you compare the security levels\Naccording to varying n and varying q,
Dialogue: 0,0:34:40.39,0:34:45.88,Default,,0000,0000,0000,,respectively?\NRuben: Sorry, the connection was a bit
Dialogue: 0,0:34:45.88,0:34:53.24,Default,,0000,0000,0000,,lost there. Could you repeat the question?\NHerald: Of course, can you compare the
Dialogue: 0,0:34:53.24,0:34:58.19,Default,,0000,0000,0000,,security levels according to varying n and\Nvarying q, respectively?
Dialogue: 0,0:34:58.19,0:35:06.27,Default,,0000,0000,0000,,Ruben: Yes, of course you can. I'm not\Nsure if I get the question. Of course,
Dialogue: 0,0:35:06.27,0:35:13.36,Default,,0000,0000,0000,,that's how you do it, that's how you\Ncompare and you can do that. I'm not sure
Dialogue: 0,0:35:13.36,0:35:17.68,Default,,0000,0000,0000,,if the question asked me to do that right\Nnow on the spot because that I couldn't
Dialogue: 0,0:35:17.68,0:35:23.39,Default,,0000,0000,0000,,do, but I mean, it was on the slides, like\Nthe security levels that are about to be
Dialogue: 0,0:35:23.39,0:35:29.49,Default,,0000,0000,0000,,standardized, at least. But the one good\Nthing about Kyber, a very good thing that
Dialogue: 0,0:35:29.49,0:35:37.05,Default,,0000,0000,0000,,I want to mention is that, so the\Npolynomials, the size stays the same, the
Dialogue: 0,0:35:37.05,0:35:43.82,Default,,0000,0000,0000,,modulus q stays the same. Only the size of\Nthe vectors change. So how many
Dialogue: 0,0:35:43.82,0:35:48.46,Default,,0000,0000,0000,,polynomials you have in a vector. And that\Nmakes it quite nice to write optimized
Dialogue: 0,0:35:48.46,0:35:54.41,Default,,0000,0000,0000,,code because most parts of the code are\Nliterally the same. If you look at the
Dialogue: 0,0:35:54.41,0:36:00.73,Default,,0000,0000,0000,,implementation, the reference\Nimplementation, you can see that it's
Dialogue: 0,0:36:00.73,0:36:05.65,Default,,0000,0000,0000,,actually the same code for all the\Nsecurity levels, just one header changes
Dialogue: 0,0:36:05.65,0:36:14.94,Default,,0000,0000,0000,,that specifies how big the vectors are. So\Nthat's quite nice. But you can yeah, you
Dialogue: 0,0:36:14.94,0:36:19.82,Default,,0000,0000,0000,,have for RSA, you have different key\Nsizes. So yeah, it's more difficult to
Dialogue: 0,0:36:19.82,0:36:25.76,Default,,0000,0000,0000,,optimize, but here you can just have the\Nsame size as just the vector size changes,
Dialogue: 0,0:36:25.76,0:36:31.59,Default,,0000,0000,0000,,which is nice\NHerald: What about the potential for
Dialogue: 0,0:36:31.59,0:36:37.30,Default,,0000,0000,0000,,hardware acceleration for Kyber? Could\Nthat be possible, feasible?
Dialogue: 0,0:36:37.30,0:36:42.72,Default,,0000,0000,0000,,Ruben: So I am not sure if I just answer\Nthat or Krijn also wants to say something,
Dialogue: 0,0:36:42.72,0:36:49.20,Default,,0000,0000,0000,,but hardware acceleration for post-quantum\Nschemes in general is, as we say, a very
Dialogue: 0,0:36:49.20,0:36:55.61,Default,,0000,0000,0000,,active area of research. So these things\Nare very new. There were some people that
Dialogue: 0,0:36:55.61,0:37:03.12,Default,,0000,0000,0000,,tried to use, there's a paper about it,\Nactually - you can look it up on the
Dialogue: 0,0:37:03.12,0:37:06.90,Default,,0000,0000,0000,,internet - to use RSA bignum hardware\Nacceleration for Kyber, which is a quite
Dialogue: 0,0:37:06.90,0:37:14.01,Default,,0000,0000,0000,,interesting idea because you work in\Ncompletely different things there. But
Dialogue: 0,0:37:14.01,0:37:18.28,Default,,0000,0000,0000,,it's an open question and it's a very\Nactive area of research. So if any of the
Dialogue: 0,0:37:18.28,0:37:22.41,Default,,0000,0000,0000,,viewers are interested in that sort of\Nthing, to, I don't know, try out Kyber or
Dialogue: 0,0:37:22.41,0:37:29.47,Default,,0000,0000,0000,,FPGAs or something. Yeah, try it out! So\Nthere's a lot of potential there, but it's
Dialogue: 0,0:37:29.47,0:37:35.49,Default,,0000,0000,0000,,also, as I said, very actively researched\Nbecause it's relatively new and it just
Dialogue: 0,0:37:35.49,0:37:45.96,Default,,0000,0000,0000,,now finds adaptation in industry.\NHerald: And there's a follow up question
Dialogue: 0,0:37:45.96,0:37:50.58,Default,,0000,0000,0000,,that sort of mirrors it in a way because\Nthat question is: T o what extent is this
Dialogue: 0,0:37:50.58,0:37:56.39,Default,,0000,0000,0000,,feasible on embedded architectures with\Nvery limited hardware to use Kyber there?
Dialogue: 0,0:37:56.39,0:38:06.71,Default,,0000,0000,0000,,Ruben: So I've been using it on a Cortex\NM3, which is ARM-based. So usually the
Dialogue: 0,0:38:06.71,0:38:14.35,Default,,0000,0000,0000,,reference platform, we use the Cortex M4\Nbecause we want to. Like two experiments
Dialogue: 0,0:38:14.35,0:38:18.88,Default,,0000,0000,0000,,that are reproducible, and you can buy\NCortex M4 boards quite cheaply from
Dialogue: 0,0:38:18.88,0:38:28.59,Default,,0000,0000,0000,,various vendors. So it's definitely\Npossible to run Kyber on a Cortex M3. I
Dialogue: 0,0:38:28.59,0:38:33.24,Default,,0000,0000,0000,,mean, there's also a project on GitHub.\NIt's called pqm3, that has Kyber benchmark
Dialogue: 0,0:38:33.24,0:38:41.14,Default,,0000,0000,0000,,for various, yeah M3 boards, but that's\Ndefinitely possible. What I'm working on
Dialogue: 0,0:38:41.14,0:38:51.52,Default,,0000,0000,0000,,right now is testing it on a Cortex M3 and\NM4 for also application level, so included
Dialogue: 0,0:38:51.52,0:38:59.97,Default,,0000,0000,0000,,it in TLS or KEMTLS. Or there's a paper\Nabout WireGuard using Kyber and Dilithium
Dialogue: 0,0:38:59.97,0:39:04.78,Default,,0000,0000,0000,,for example. That's definitely possible.\NThe question, also active area of research
Dialogue: 0,0:39:04.78,0:39:10.48,Default,,0000,0000,0000,,is, how low can you get? Like, how much\Ncan you optimize? Because there are
Dialogue: 0,0:39:10.48,0:39:16.87,Default,,0000,0000,0000,,various tradeoffs, like do we want more\Nspace for code but use less RAM and you
Dialogue: 0,0:39:16.87,0:39:20.96,Default,,0000,0000,0000,,also always have these kinds of tradeoffs\Nin the embedded world. And that's
Dialogue: 0,0:39:20.96,0:39:24.95,Default,,0000,0000,0000,,something I'm a little actively looking\Ninto right now, actually. But it's
Dialogue: 0,0:39:24.95,0:39:33.18,Default,,0000,0000,0000,,certainly possible to run it on embedded\Nsystems. We could also go for a Cortex M0,
Dialogue: 0,0:39:33.18,0:39:38.24,Default,,0000,0000,0000,,which is, like really, really low level,\Nbut the cortex M3 is already running on
Dialogue: 0,0:39:38.24,0:39:41.80,Default,,0000,0000,0000,,smartcards. So that's what I'm currently\Nlooking at and there it's definitely
Dialogue: 0,0:39:41.80,0:39:46.21,Default,,0000,0000,0000,,possible. But as I said, you have to look\Ninto tradeoffs, see how much you want to
Dialogue: 0,0:39:46.21,0:39:51.12,Default,,0000,0000,0000,,waste on ROM, how much you want to waste\Non RAM and how much time do you have for
Dialogue: 0,0:39:51.12,0:39:55.85,Default,,0000,0000,0000,,the runtime? But the benchmarks we are\Nhaving there, as I said. Go to Github,
Dialogue: 0,0:39:55.85,0:40:01.12,Default,,0000,0000,0000,,pqm3, already quite good, so it's\Ndefinitely usable depending on your use
Dialogue: 0,0:40:01.12,0:40:10.85,Default,,0000,0000,0000,,case. I hope that answers the question.\NHerald: So do I. There's another question
Dialogue: 0,0:40:10.85,0:40:15.97,Default,,0000,0000,0000,,by someone who actually has implemented\Nit. So I just briefly read the questions:
Dialogue: 0,0:40:15.97,0:40:21.03,Default,,0000,0000,0000,,I implemented a raw learning error scheme\Nin an insecure "Hold my beer"-style. It
Dialogue: 0,0:40:21.03,0:40:26.11,Default,,0000,0000,0000,,seems to work, but I see about 1% bit\Nerrors in the decrypted text, how do real
Dialogue: 0,0:40:26.11,0:40:32.52,Default,,0000,0000,0000,,implementation handle the expected bit\Nerrors in the decryption?
Dialogue: 0,0:40:32.52,0:40:41.55,Default,,0000,0000,0000,,Ruben: So the easy answer is rounding. So\Nyou just throw away some of the lowest
Dialogue: 0,0:40:41.55,0:40:47.43,Default,,0000,0000,0000,,bits, but that really depends on the\Nscheme. So if he has done some learning
Dialogue: 0,0:40:47.43,0:40:51.74,Default,,0000,0000,0000,,with errors. So there are different\Nflavors of learning with errors. There's
Dialogue: 0,0:40:51.74,0:40:54.39,Default,,0000,0000,0000,,like ring learning with errors, modulo\Nlearning with errors, learning with
Dialogue: 0,0:40:54.39,0:41:00.77,Default,,0000,0000,0000,,errors, and it depends on what he has\Nimplemented. But in the end the thing that
Dialogue: 0,0:41:00.77,0:41:06.14,Default,,0000,0000,0000,,seems to work is just throw off the least\Nsignificant bits, for example, depending
Dialogue: 0,0:41:06.14,0:41:12.73,Default,,0000,0000,0000,,on how many errors you expect. I don't\Nknow, Krijn do you want to add something?
Dialogue: 0,0:41:12.73,0:41:16.53,Default,,0000,0000,0000,,Krijn: No, I think you're doing fine with\Nthe question.
Dialogue: 0,0:41:16.53,0:41:22.15,Default,,0000,0000,0000,,Ruben: If there's no question I'm going to\Nask your questions afterwards. Very
Dialogue: 0,0:41:22.15,0:41:32.00,Default,,0000,0000,0000,,personal ones for history. You know?\NHerald: I shall move on to the next
Dialogue: 0,0:41:32.00,0:41:36.49,Default,,0000,0000,0000,,question, but I think from a layman's\Nperspective, this may also relate to the
Dialogue: 0,0:41:36.49,0:41:40.89,Default,,0000,0000,0000,,last question. The question is: Those\Nsequencing terms are set to be small
Dialogue: 0,0:41:40.89,0:41:45.03,Default,,0000,0000,0000,,relative to the mesh's coefficients. How\Ndo you make sure that those do not
Dialogue: 0,0:41:45.03,0:41:47.91,Default,,0000,0000,0000,,compromise encryption and are chosen\Narbitrarily?
Dialogue: 0,0:41:47.91,0:41:53.80,Default,,0000,0000,0000,,Ruben: So again, I'm really sorry. I had a\Ncouple of hiccoughs, so I didn't get the
Dialogue: 0,0:41:53.80,0:42:00.96,Default,,0000,0000,0000,,question could you repeat it?\NHerald: Sure. The question was: The Secret
Dialogue: 0,0:42:00.96,0:42:06.88,Default,,0000,0000,0000,,key and error terms are set to be small\Nrelative to the message coefficients. How
Dialogue: 0,0:42:06.88,0:42:10.20,Default,,0000,0000,0000,,do you make sure that those do not\Ncompromise the encryption chosen
Dialogue: 0,0:42:10.20,0:42:14.33,Default,,0000,0000,0000,,arbitrarily?\NRuben: OK. I had a hiccough again, Krijn,
Dialogue: 0,0:42:14.33,0:42:20.57,Default,,0000,0000,0000,,did you get the question? Otherwise, I'll\Nanswer what I heard. I think what I think
Dialogue: 0,0:42:20.57,0:42:31.59,Default,,0000,0000,0000,,I heard.\NKrijn: So why are... why don't the
Dialogue: 0,0:42:31.59,0:42:35.91,Default,,0000,0000,0000,,small... the fact that the error and the\Nprivate key are small, why doesn't this
Dialogue: 0,0:42:35.91,0:42:42.91,Default,,0000,0000,0000,,compromise security? And in fact, well you\Nneed the error to be quite small in order
Dialogue: 0,0:42:42.91,0:42:46.66,Default,,0000,0000,0000,,to be able to solve this, this closest\Nvector problem that we've sketched. If the
Dialogue: 0,0:42:46.66,0:42:50.64,Default,,0000,0000,0000,,error is too big then a different vector\Ncould be the closest vector than the one
Dialogue: 0,0:42:50.64,0:42:57.84,Default,,0000,0000,0000,,that you want. Now why the private key has\Nto be small. There are some results that
Dialogue: 0,0:42:57.84,0:43:02.66,Default,,0000,0000,0000,,we know that this does not mean... that it\Ndoesn't break the security basically of
Dialogue: 0,0:43:02.66,0:43:06.90,Default,,0000,0000,0000,,the scheme. I don't know if , Ruben, you\Ncan do a two liner on why that is.
Dialogue: 0,0:43:06.90,0:43:11.75,Default,,0000,0000,0000,,Ruben: So I answer the question always\Nlike: we bring in all those error terms.
Dialogue: 0,0:43:11.75,0:43:19.61,Default,,0000,0000,0000,,How do we make sure that the decryption\Nisn't faulty, right? And actually, it's a
Dialogue: 0,0:43:19.61,0:43:26.44,Default,,0000,0000,0000,,very good question, because there's a\Nprovable, probably negligible probability
Dialogue: 0,0:43:26.44,0:43:32.09,Default,,0000,0000,0000,,that there will be decryption errors.\NHowever, Kyber is fast enough. We handle
Dialogue: 0,0:43:32.09,0:43:39.62,Default,,0000,0000,0000,,them in the KEM Version of Kyber. So what\Nwe have introduced here is the public key
Dialogue: 0,0:43:39.62,0:43:45.30,Default,,0000,0000,0000,,encryption version. Standardized as the\NKEM, which uses internally the public key
Dialogue: 0,0:43:45.30,0:43:49.46,Default,,0000,0000,0000,,encryption version and in the KEM version,\Nyou can be sure that this doesn't happen
Dialogue: 0,0:43:49.46,0:43:56.25,Default,,0000,0000,0000,,because, yeah. To answer the question,\Nthere's a tiny, tiny but negligible
Dialogue: 0,0:43:56.25,0:44:00.85,Default,,0000,0000,0000,,probability that you have a decryption\Nerror, so in that case a very good
Dialogue: 0,0:44:00.85,0:44:06.50,Default,,0000,0000,0000,,question. But if you're really interested,\Nthe blog post, I mean, you can download
Dialogue: 0,0:44:06.50,0:44:14.77,Default,,0000,0000,0000,,the slides and there's a blog post. For\Nthe talk, let's say, so you can go to the
Dialogue: 0,0:44:14.77,0:44:19.77,Default,,0000,0000,0000,,blog post and there's the Kyber\Nspecification reference. They can just
Dialogue: 0,0:44:19.77,0:44:27.01,Default,,0000,0000,0000,,click on the specification and there you\Ncan see that it's a fine tuning of
Dialogue: 0,0:44:27.01,0:44:35.11,Default,,0000,0000,0000,,parameters to make sure that the sprinkled\Nin error terms do not invalidate the
Dialogue: 0,0:44:35.11,0:44:41.90,Default,,0000,0000,0000,,decryption to a certain, within a certain\Nprobability. And we make that probability
Dialogue: 0,0:44:41.90,0:44:47.77,Default,,0000,0000,0000,,in Kyber so low that in reality it will\Nnever happen. Like, 2 to the power of...
Dialogue: 0,0:44:47.77,0:44:56.18,Default,,0000,0000,0000,,lets say magnitude-wise something like\Natoms on Earth or like to give you an idea
Dialogue: 0,0:44:56.18,0:45:00.90,Default,,0000,0000,0000,,of how big the numbers are there. So it's\Na very, very low probability that that
Dialogue: 0,0:45:00.90,0:45:10.57,Default,,0000,0000,0000,,will happen. But a very good question. At\Nleast thats how I interpreted the 50% of
Dialogue: 0,0:45:10.57,0:45:15.56,Default,,0000,0000,0000,,the question that I heard.\NHerald: I am sorry that we seem to have a
Dialogue: 0,0:45:15.56,0:45:21.06,Default,,0000,0000,0000,,technical problem.\NRuben: I think it's just the shitty
Dialogue: 0,0:45:21.06,0:45:27.96,Default,,0000,0000,0000,,internet at my my parents place.\NHerald: That could also be the case also
Dialogue: 0,0:45:27.96,0:45:32.53,Default,,0000,0000,0000,,on my end there are troubles as well. The\Nquestion after that and maybe Krijn can
Dialogue: 0,0:45:32.53,0:45:38.35,Default,,0000,0000,0000,,just start answering it. Would Kyber be\Nbroken if someone found a simple solution
Dialogue: 0,0:45:38.35,0:45:45.23,Default,,0000,0000,0000,,to the closest vector problem?\NKrijn: Yeah, but we that's the case,
Dialogue: 0,0:45:45.23,0:45:48.79,Default,,0000,0000,0000,,that's always the case for encryption. If\Nyou managed to solve the fundamental
Dialogue: 0,0:45:48.79,0:45:52.81,Default,,0000,0000,0000,,problem, then the encryption scheme is\Nbroken. Luckily for the closest vector
Dialogue: 0,0:45:52.81,0:45:57.91,Default,,0000,0000,0000,,problem, we have a very good, we have\Nquite some trust in this problem, so some
Dialogue: 0,0:45:57.91,0:46:04.05,Default,,0000,0000,0000,,other of these post-quantum schemes are\Nbased or more recent problems, so the
Dialogue: 0,0:46:04.05,0:46:10.75,Default,,0000,0000,0000,,closest vector problem is a much older\None. So we do trust it, well I have quite
Dialogue: 0,0:46:10.75,0:46:15.16,Default,,0000,0000,0000,,a bit of trust that it won't be easily\Nbroken in the coming years.
Dialogue: 0,0:46:15.16,0:46:19.57,Default,,0000,0000,0000,,Ruben: So the answer is it's a bit tricky\Nthere, because the close vector problem is
Dialogue: 0,0:46:19.57,0:46:25.05,Default,,0000,0000,0000,,NP hard. So we think this is like a very\Ngood problem to start from. But the
Dialogue: 0,0:46:25.05,0:46:31.48,Default,,0000,0000,0000,,question is also like how are these\Nlattices related to certain instanciations
Dialogue: 0,0:46:31.48,0:46:36.45,Default,,0000,0000,0000,,of the closest vector problem? And are\Nthese specific closest vector problems
Dialogue: 0,0:46:36.45,0:46:41.94,Default,,0000,0000,0000,,maybe a bit simpler or something? But as\NKrijn said we're in the closest vector
Dialogue: 0,0:46:41.94,0:46:45.38,Default,,0000,0000,0000,,problem we trust like this is one of the\Nproblems in post-quantum crypto that we're
Dialogue: 0,0:46:45.38,0:46:49.96,Default,,0000,0000,0000,,pretty certain about. But yeah, if you\Nwould solve it or if you have already
Dialogue: 0,0:46:49.96,0:46:56.83,Default,,0000,0000,0000,,solved it, Kyber would be broken.\NHerald: That sounds like a potential
Dialogue: 0,0:46:56.83,0:47:01.49,Default,,0000,0000,0000,,inscription on the side of a coin. In the\Nclosest vector problem we trust. And
Dialogue: 0,0:47:01.49,0:47:05.85,Default,,0000,0000,0000,,talking about trust. The question after\Nthis is: Would you trust this, this Kyber
Dialogue: 0,0:47:05.85,0:47:10.82,Default,,0000,0000,0000,,algorithm to secure your communications\Nnow?
Dialogue: 0,0:47:10.82,0:47:17.22,Default,,0000,0000,0000,,Ruben: Should I answer or Krijn do you\Nwant to, you haven't said so much?
Dialogue: 0,0:47:17.22,0:47:21.36,Default,,0000,0000,0000,,Krijn: I would actually, yeah, I don't\Nhave. So if you're skeptical about it, you
Dialogue: 0,0:47:21.36,0:47:26.31,Default,,0000,0000,0000,,can also go to. I don't think we discussed\Nit, but you can go to hybrid modes of the
Dialogue: 0,0:47:26.31,0:47:32.71,Default,,0000,0000,0000,,current classical, pre-qantum crypto and\Npost-quantum, if you can suffer the
Dialogue: 0,0:47:32.71,0:47:37.58,Default,,0000,0000,0000,,drawbacks of that. But personally, yeah, I\Nguess I would. Ruben, would you?
Dialogue: 0,0:47:37.58,0:47:45.06,Default,,0000,0000,0000,,Ruben: I would trust Kyber at this moment,\Nbut there's... If you don't trust it as
Dialogue: 0,0:47:45.06,0:47:51.05,Default,,0000,0000,0000,,Krijn said, you can go into hybrid mode,\Nso the idea, for example, for TLS is to
Dialogue: 0,0:47:51.05,0:47:58.05,Default,,0000,0000,0000,,first do elliptic curve crypto and post-\Nquantum crypto together, sort of in a way
Dialogue: 0,0:47:58.05,0:48:02.46,Default,,0000,0000,0000,,that the adversary, the attacker would\Nhave to break both in order to compromise
Dialogue: 0,0:48:02.46,0:48:09.22,Default,,0000,0000,0000,,the communication. So that way, you don't\Nhave to fully trust Kyber yet if you want
Dialogue: 0,0:48:09.22,0:48:15.26,Default,,0000,0000,0000,,to run the hybrid. But of course, the idea\Nis to at some point get rid of this
Dialogue: 0,0:48:15.26,0:48:19.40,Default,,0000,0000,0000,,overhead and just run post-quantum crypto\Nwithout elliptic curve crypto
Dialogue: 0,0:48:19.40,0:48:25.51,Default,,0000,0000,0000,,additionally. But yeah, I mean, I\Npersonally would use it right now. But
Dialogue: 0,0:48:25.51,0:48:32.94,Default,,0000,0000,0000,,what I also want to say is that in the\Nbeginning of every krypto system, RSA,
Dialogue: 0,0:48:32.94,0:48:37.40,Default,,0000,0000,0000,,elliptic curve doesn't matter. In the\Nbeginning, everybody is quite skeptical
Dialogue: 0,0:48:37.40,0:48:41.73,Default,,0000,0000,0000,,and nobody wants to use it yet. And that's\Nfine. Like, that's how the community
Dialogue: 0,0:48:41.73,0:48:45.98,Default,,0000,0000,0000,,works. But over time, usually people gain\Ntrust.
Dialogue: 0,0:48:45.98,0:48:57.02,Default,,0000,0000,0000,,Herald: OK, thank you. Now we're getting\Ninto speculative territory, and one of the
Dialogue: 0,0:48:57.02,0:49:01.43,Default,,0000,0000,0000,,questions is whether you could have any\Nguesses on which of the schemes is
Dialogue: 0,0:49:01.43,0:49:07.24,Default,,0000,0000,0000,,probably going to end up winning the NIST\NPQC competition, post-quantum crypto
Dialogue: 0,0:49:07.24,0:49:11.50,Default,,0000,0000,0000,,competition?\NRuben: So NIST specifically says it's not
Dialogue: 0,0:49:11.50,0:49:23.56,Default,,0000,0000,0000,,a competition, very important. So Kyber is\None of the winners coming out of it, but
Dialogue: 0,0:49:23.56,0:49:34.93,Default,,0000,0000,0000,,that's quite clear. And also you already\Nsee adoption in the real world. We brought
Dialogue: 0,0:49:34.93,0:49:42.29,Default,,0000,0000,0000,,two examples with Amazon and the BSI, for\Nexample, that wants to include it in
Dialogue: 0,0:49:42.29,0:49:49.92,Default,,0000,0000,0000,,Thunderbirds email encryption. So Kyber is\Ngoing to be one of the winners. This is
Dialogue: 0,0:49:49.92,0:49:57.56,Default,,0000,0000,0000,,my... not only opinion, but yeah, that's\Nquite clear. And otherwise, I think
Dialogue: 0,0:49:57.56,0:50:06.34,Default,,0000,0000,0000,,McEliece, which is a code based scheme\Nthat is quite large in all measures, let's
Dialogue: 0,0:50:06.34,0:50:11.64,Default,,0000,0000,0000,,say. But people seem to have more trust in\Nit because it has been around longer.
Dialogue: 0,0:50:11.64,0:50:19.77,Default,,0000,0000,0000,,Yeah, so I'd say those for KEMs and\Neverybody is quite unhappy with the
Dialogue: 0,0:50:19.77,0:50:27.49,Default,,0000,0000,0000,,signatures. So I don't think there will be\Nsignatures standardized like this year or
Dialogue: 0,0:50:27.49,0:50:32.91,Default,,0000,0000,0000,,beginning next year. But Krijn, I don't\Nknow, maybe you have a guess?
Dialogue: 0,0:50:32.91,0:50:38.53,Default,,0000,0000,0000,,Krijn: No, I'm not such a speculative\Nperson, but I think Ruben's answer is
Dialogue: 0,0:50:38.53,0:50:43.69,Default,,0000,0000,0000,,quite a good answer.\NRuben: Now you really have to also
Dialogue: 0,0:50:43.69,0:50:49.17,Default,,0000,0000,0000,,speculate, I mean, come on, you can't just\Npiggyback on my answer.
Dialogue: 0,0:50:49.17,0:50:52.76,Default,,0000,0000,0000,,Krijn: No I definitely can. It's\Ninteresting to note actually that for the
Dialogue: 0,0:50:52.76,0:51:01.96,Default,,0000,0000,0000,,signatures that there's less of a hurry,\Nso to say. It's especially this key
Dialogue: 0,0:51:01.96,0:51:09.09,Default,,0000,0000,0000,,exchange that we wanted to make post-\Nquantum as soon as possible, maybe, or at
Dialogue: 0,0:51:09.09,0:51:13.73,Default,,0000,0000,0000,,least one to standardize quickly and then\Nintegrate into whatever building. Well,
Dialogue: 0,0:51:13.73,0:51:19.83,Default,,0000,0000,0000,,for the signatures there a bit more time\Nso there's also more time to come up with
Dialogue: 0,0:51:19.83,0:51:23.58,Default,,0000,0000,0000,,better solutions there or to analyze the\Ncurrent solutions a bit more.
Dialogue: 0,0:51:23.58,0:51:27.90,Default,,0000,0000,0000,,Ruben: Yeah, that's because I mean what we\Nmentioned is the attacker model, big
Dialogue: 0,0:51:27.90,0:51:33.89,Default,,0000,0000,0000,,government agency, for example. And the\Nkey exchange you have to fix now because
Dialogue: 0,0:51:33.89,0:51:38.82,Default,,0000,0000,0000,,that could be later on broken and then the\Ncommunication can be decrypted. But
Dialogue: 0,0:51:38.82,0:51:44.36,Default,,0000,0000,0000,,signatures like they have a small\Nlifetime, for example, and also they are
Dialogue: 0,0:51:44.36,0:51:49.93,Default,,0000,0000,0000,,used for authentication. So you would need\Nan active adversary. And that, yeah. You
Dialogue: 0,0:51:49.93,0:51:55.64,Default,,0000,0000,0000,,can't like record now and then do an\Nactive attack in 10 years, like, that
Dialogue: 0,0:51:55.64,0:51:58.99,Default,,0000,0000,0000,,doesn't work. So then we have some more\Ntime yeah.
Dialogue: 0,0:51:58.99,0:52:05.04,Default,,0000,0000,0000,,Herald: Well, that's not entirely true.\NThere's a lot of states using, and I'm
Dialogue: 0,0:52:05.04,0:52:10.93,Default,,0000,0000,0000,,talking about signatures, not for the\Nephemeral use in online usage, but the
Dialogue: 0,0:52:10.93,0:52:16.03,Default,,0000,0000,0000,,more the use of signatures, for example,\Ndocument signatures. And for those an
Dialogue: 0,0:52:16.03,0:52:18.18,Default,,0000,0000,0000,,attack would still be relevant for the\Nfuture.
Dialogue: 0,0:52:18.18,0:52:23.59,Default,,0000,0000,0000,,Ruben: If they have, well, if they have a\Nlong runtime, usually signatures or keys
Dialogue: 0,0:52:23.59,0:52:28.79,Default,,0000,0000,0000,,at least, of signatures, they expire at\Nsome point. But yeah, of course, if you
Dialogue: 0,0:52:28.79,0:52:33.81,Default,,0000,0000,0000,,have, if you have signatures that do not\Nhave an expiration date or something, then
Dialogue: 0,0:52:33.81,0:52:37.92,Default,,0000,0000,0000,,they would be under threat as well.\NHerald: In a document signing, you will
Dialogue: 0,0:52:37.92,0:52:42.77,Default,,0000,0000,0000,,have signatures that have a very longer\Nlifetime than you will have for your
Dialogue: 0,0:52:42.77,0:52:45.99,Default,,0000,0000,0000,,typical web transaction, for example. But\NI'm now full dropping out of role as
Dialogue: 0,0:52:45.99,0:52:49.12,Default,,0000,0000,0000,,herald who is a mere vessel of questions\Nfrom the audience.
Dialogue: 0,0:52:49.12,0:52:50.59,Default,,0000,0000,0000,,Ruben: But of course, this is also\Ninteresting for us.
Dialogue: 0,0:52:50.59,0:52:57.42,Default,,0000,0000,0000,,Herald: And I guess with the last version,\Nat least, I think this is the last
Dialogue: 0,0:52:57.42,0:53:01.02,Default,,0000,0000,0000,,question unless there is an additional one\Non IRC, so people have to be quick if they
Dialogue: 0,0:53:01.02,0:53:04.84,Default,,0000,0000,0000,,want to have additional questions. But the\Nlast questions are just very practical.
Dialogue: 0,0:53:04.84,0:53:11.02,Default,,0000,0000,0000,,And basically, do you have any ideas about\Npitfalls when implementing Kyber already?
Dialogue: 0,0:53:11.02,0:53:16.22,Default,,0000,0000,0000,,Do you have suggestions for making sure\Nyou implement it security? Or is it simply
Dialogue: 0,0:53:16.22,0:53:26.10,Default,,0000,0000,0000,,possible to implement it very naively?\NRuben: So. This is always a big fight in
Dialogue: 0,0:53:26.10,0:53:31.01,Default,,0000,0000,0000,,the cryptography community, because\Nthey're the people that say, oh, there are
Dialogue: 0,0:53:31.01,0:53:36.38,Default,,0000,0000,0000,,a handful of chosen ones that are able to\Nimplement it securely. And you should
Dialogue: 0,0:53:36.38,0:53:41.77,Default,,0000,0000,0000,,never, ever, ever do it yourself. I'm on\Nthe opposite side of that, I think people
Dialogue: 0,0:53:41.77,0:53:47.59,Default,,0000,0000,0000,,should play around with implementation.\NTry it out. So, Kyber is among the schemes
Dialogue: 0,0:53:47.59,0:53:54.83,Default,,0000,0000,0000,,that it's definitely, let say easier to\Nimplement in a correct way. However, it
Dialogue: 0,0:53:54.83,0:54:03.65,Default,,0000,0000,0000,,depends where you want to use it because\Nyou also have to take side channels into
Dialogue: 0,0:54:03.65,0:54:08.44,Default,,0000,0000,0000,,consideration, especially if you work on\Nembedded platforms, like power analysis
Dialogue: 0,0:54:08.44,0:54:13.93,Default,,0000,0000,0000,,and that kind of thing. So this is also\Nstill highly investigated. And then if you
Dialogue: 0,0:54:13.93,0:54:18.35,Default,,0000,0000,0000,,go for that kind of implementation, you\Nshould have a masked implementation. So
Dialogue: 0,0:54:18.35,0:54:25.21,Default,,0000,0000,0000,,this would be an own talk for itself. Like\NI don't want to like now give you two
Dialogue: 0,0:54:25.21,0:54:30.28,Default,,0000,0000,0000,,verbs what you should do and then say that\Nit's secure. I mean, it's a bit more
Dialogue: 0,0:54:30.28,0:54:38.59,Default,,0000,0000,0000,,complicated than that. So I can't really\Nsay now do this do that. I can just say on
Dialogue: 0,0:54:38.59,0:54:45.17,Default,,0000,0000,0000,,the spectrum from easy to difficult, Kyber\Nis more on the spectrum of easier to
Dialogue: 0,0:54:45.17,0:54:50.97,Default,,0000,0000,0000,,implement securely. But if you're\Ninterested in that, look up the
Dialogue: 0,0:54:50.97,0:54:55.65,Default,,0000,0000,0000,,implementations. There's a reference\Nimplementation. There's a PQClean and
Dialogue: 0,0:54:55.65,0:55:01.81,Default,,0000,0000,0000,,stuff. Look up the implementations online\Nand look into that and the specification
Dialogue: 0,0:55:01.81,0:55:07.55,Default,,0000,0000,0000,,that is linked in the block post, that is\Nlinked on the slides. There are also some
Dialogue: 0,0:55:07.55,0:55:17.11,Default,,0000,0000,0000,,points that say what you maybe should,\Nwhere you should be careful lets say.
Dialogue: 0,0:55:17.11,0:55:23.60,Default,,0000,0000,0000,,Herald: OK. And there was just an\Nadditional question as well, and that is
Dialogue: 0,0:55:23.60,0:55:28.90,Default,,0000,0000,0000,,what is the status of Kyber in OpenSSL and\NGnuTLS?
Dialogue: 0,0:55:28.90,0:55:42.40,Default,,0000,0000,0000,,Ruben: Okay, so we see adoption in crypto\Nlibraries, but OpenSSL. OK, I don't want
Dialogue: 0,0:55:42.40,0:55:53.61,Default,,0000,0000,0000,,to hate, but OpenSSL codebase is, how do I\Nsay that? Look, it's a bit complex and a
Dialogue: 0,0:55:53.61,0:56:04.14,Default,,0000,0000,0000,,bit difficult for outsiders to get what\NOpenSSL is doing in certain corners of
Dialogue: 0,0:56:04.14,0:56:11.77,Default,,0000,0000,0000,,their code base. But there's a project\Ncalled OpenOQS, no liboqs that is a fork
Dialogue: 0,0:56:11.77,0:56:18.80,Default,,0000,0000,0000,,of OpenSSL, including post-quantum\Nschemes, but not only Kyber, but various
Dialogue: 0,0:56:18.80,0:56:24.63,Default,,0000,0000,0000,,schemes. That's liboqs, its a OpenSSL\Nfork. Now there are other libraries, for
Dialogue: 0,0:56:24.63,0:56:34.67,Default,,0000,0000,0000,,example, WolfSSL, which has a smaller code\Nbase and they already have in their actual
Dialogue: 0,0:56:34.67,0:56:40.53,Default,,0000,0000,0000,,release or in their main branch, let's\Nsay, in git, they already have NTLS post-
Dialogue: 0,0:56:40.53,0:56:46.42,Default,,0000,0000,0000,,quantum schemes, and Kyber is one of them.\NThey have lattice based schemes,if I
Dialogue: 0,0:56:46.42,0:56:53.34,Default,,0000,0000,0000,,remember correctly: Kyber, Dilithium, and\NFalcon. So they already have it included.
Dialogue: 0,0:56:53.34,0:57:00.04,Default,,0000,0000,0000,,WolfSSL , OpenSSL as I said there is a\Nfork that are like benchmarking and
Dialogue: 0,0:57:00.04,0:57:08.87,Default,,0000,0000,0000,,testing stuff in the hopes of later being\Nable to return it to OpenSSL. But as I
Dialogue: 0,0:57:08.87,0:57:14.96,Default,,0000,0000,0000,,said OpenSSL is not exactly ideal for\Nexperimentation, becourse the code base is
Dialogue: 0,0:57:14.96,0:57:23.08,Default,,0000,0000,0000,,quite large and in some corners, quite\Ncomplex to comprehend and so on. Other
Dialogue: 0,0:57:23.08,0:57:30.59,Default,,0000,0000,0000,,libraries are a little faster. I don't\Nknow of any efforts for GnuTLS to be
Dialogue: 0,0:57:30.59,0:57:35.28,Default,,0000,0000,0000,,honest, but I haven't looked into it yet.\NIt's possible that somebody else did
Dialogue: 0,0:57:35.28,0:57:42.74,Default,,0000,0000,0000,,something there. I mean, I've I've worked\Nwith WolfSSL before and with OpenSSL. But
Dialogue: 0,0:57:42.74,0:57:53.65,Default,,0000,0000,0000,,GnuTLS I'm not sure. There are talks to\Ninclude it in GnuPG which you can use for
Dialogue: 0,0:57:53.65,0:57:59.49,Default,,0000,0000,0000,,email encryption, and there are some\Nthere's some progress there. But yeah,
Dialogue: 0,0:57:59.49,0:58:07.96,Default,,0000,0000,0000,,GnuTLS I don't know.\NHerald: All right, OK. This brings us to
Dialogue: 0,0:58:07.96,0:58:15.92,Default,,0000,0000,0000,,our really final question, which is how\Nclose are the current cloud quantum
Dialogue: 0,0:58:15.92,0:58:24.27,Default,,0000,0000,0000,,offerings to be able to enable users to\Nbreak current public key cryptography?
Dialogue: 0,0:58:24.27,0:58:31.05,Default,,0000,0000,0000,,Ruben: If I understand it correctly, Krijn\Nyou can also say something if you want, if
Dialogue: 0,0:58:31.05,0:58:37.43,Default,,0000,0000,0000,,I understand correctly, it's the question\Nis general. If I can use cloud computing
Dialogue: 0,0:58:37.43,0:58:43.34,Default,,0000,0000,0000,,to break public key crypto?\NHerald: No, the question is more specific,
Dialogue: 0,0:58:43.34,0:58:48.00,Default,,0000,0000,0000,,there are quantum offerings by public\Ncloud providers like Amazon right now,
Dialogue: 0,0:58:48.00,0:58:54.11,Default,,0000,0000,0000,,apparently. At least that's what I assume\Nthe person who asking the question is
Dialogue: 0,0:58:54.11,0:59:00.09,Default,,0000,0000,0000,,basing it on. And the question is, to what\Nextent are those available options usable
Dialogue: 0,0:59:00.09,0:59:04.10,Default,,0000,0000,0000,,to break current public key cryptography\Nschemes?
Dialogue: 0,0:59:04.10,0:59:08.68,Default,,0000,0000,0000,,Ruben: So if I understand the question\Ncorrectly is like, already deployed
Dialogue: 0,0:59:08.68,0:59:14.84,Default,,0000,0000,0000,,quantum computers, are they a threat to\Npre-quantum schemes? OK, so far, they are
Dialogue: 0,0:59:14.84,0:59:23.05,Default,,0000,0000,0000,,not like there are quantum computers in\Nuse, but they don't have nearly enough
Dialogue: 0,0:59:23.05,0:59:32.93,Default,,0000,0000,0000,,qbits to break any real word schemes, so\Nit's also more complicated than that
Dialogue: 0,0:59:32.93,0:59:37.15,Default,,0000,0000,0000,,because you don't only need qbits, you\Nalso need quantum registers that are large
Dialogue: 0,0:59:37.15,0:59:41.48,Default,,0000,0000,0000,,enough because you need to entangle all of\Nthe qbits. I mean, there we are going to
Dialogue: 0,0:59:41.48,0:59:46.11,Default,,0000,0000,0000,,quantum mechanics, but you need to\Nentangle the bits and all that kind of
Dialogue: 0,0:59:46.11,0:59:52.00,Default,,0000,0000,0000,,quantum craziness. And then you also need\Nerror correction that's good enough. So
Dialogue: 0,0:59:52.00,1:00:00.02,Default,,0000,0000,0000,,there are still, there are still technical\Nlike engineering problems that you need to
Dialogue: 0,1:00:00.02,1:00:03.89,Default,,0000,0000,0000,,overcome, like in theory it's all fine and\Nstuff, but there's some engineering
Dialogue: 0,1:00:03.89,1:00:08.29,Default,,0000,0000,0000,,efforts that you need to overcome, and the\Ncurrently deployed quantum computers are
Dialogue: 0,1:00:08.29,1:00:16.43,Default,,0000,0000,0000,,not big enough to be a threat to quantum,\Nto pre-quantum schemes unless you have
Dialogue: 0,1:00:16.43,1:00:23.92,Default,,0000,0000,0000,,some toy keysums. But for real\Ndeployments, it's not a threat yet, but it
Dialogue: 0,1:00:23.92,1:00:28.08,Default,,0000,0000,0000,,might be within the next couple of years.\NIt's really difficult to foresee the
Dialogue: 0,1:00:28.08,1:00:35.00,Default,,0000,0000,0000,,development there and the largest quantum\Ncomputers are actual quantum annealers
Dialogue: 0,1:00:35.00,1:00:39.21,Default,,0000,0000,0000,,that work differently, like quantum\Nannealing is a different thing, a
Dialogue: 0,1:00:39.21,1:00:42.77,Default,,0000,0000,0000,,different kind of quantum computer that\Nwe're not too worried about right now.
Dialogue: 0,1:00:42.77,1:00:46.99,Default,,0000,0000,0000,,Like thats D-Wave for example. But yeah,\Nso right now, they're not a threat, but
Dialogue: 0,1:00:46.99,1:00:53.40,Default,,0000,0000,0000,,they might be in the near future.\NKrijn: And especially so with regards to
Dialogue: 0,1:00:53.40,1:00:59.93,Default,,0000,0000,0000,,why you still switch to post-quantum\Ncrypto, is this idea that well,
Dialogue: 0,1:00:59.93,1:01:03.64,Default,,0000,0000,0000,,standardizing crypto and then integrating\Ncrypto and all of this takes years, as we
Dialogue: 0,1:01:03.64,1:01:08.29,Default,,0000,0000,0000,,know from that transition to elliptic\Ncurve crypto. So even if this quantum
Dialogue: 0,1:01:08.29,1:01:13.78,Default,,0000,0000,0000,,computer is 10 15 years away then still\Nthis whole transition thing will take so
Dialogue: 0,1:01:13.78,1:01:20.48,Default,,0000,0000,0000,,long that by the end of it, how long will\Nyour original data have been safe for?
Dialogue: 0,1:01:20.48,1:01:25.90,Default,,0000,0000,0000,,It's anybody's guess.\NRuben: Yeah. I mean, you have to see
Dialogue: 0,1:01:25.90,1:01:30.42,Default,,0000,0000,0000,,asymmetric crypto is everywhere. Like, for\Nexample, also kind of example maybe in my
Dialogue: 0,1:01:30.42,1:01:34.73,Default,,0000,0000,0000,,passport, like my travel document. And\Nthere are documents, for example, out
Dialogue: 0,1:01:34.73,1:01:40.56,Default,,0000,0000,0000,,there that are valid for 10 years like, I\Nthink, a proper passport and all that kind
Dialogue: 0,1:01:40.56,1:01:44.61,Default,,0000,0000,0000,,of stuff. And of course, it really takes\Nlong also with these kinds of things, like
Dialogue: 0,1:01:44.61,1:01:50.67,Default,,0000,0000,0000,,documents like that are issued by\Ngovernments. It just takes time, it takes
Dialogue: 0,1:01:50.67,1:01:57.46,Default,,0000,0000,0000,,a lot of time.\NHerald: OK, thank you very much. I should
Dialogue: 0,1:01:57.46,1:02:01.70,Default,,0000,0000,0000,,also note that from the signal angel,\Nthere have been several very enthusiastic
Dialogue: 0,1:02:01.70,1:02:06.20,Default,,0000,0000,0000,,responses from the audience and not so\Nmuch questions about your talk, that's
Dialogue: 0,1:02:06.20,1:02:09.72,Default,,0000,0000,0000,,also very interesting. So thank you so\Nmuch for doing this, and maybe see you
Dialogue: 0,1:02:09.72,1:02:11.72,Default,,0000,0000,0000,,around.\NKrijn: Thank you.
Dialogue: 0,1:02:11.72,1:02:16.53,Default,,0000,0000,0000,,Ruben: Bye bye!
Dialogue: 0,1:02:16.53,1:02:37.32,Default,,0000,0000,0000,,{\i1}rc3 postroll music{\i0}
Dialogue: 0,1:02:37.32,1:02:41.00,Default,,0000,0000,0000,,Subtitles created by c3subtitles.de\Nin the year 2021. Join, and help us!