
rc3 preroll music

Herald: Good afternoon everyone watching,
the upcoming talk is by Ruben Gonzalez and

Krijn Reijnders, they're both Ph.D.
students at Radboud University, and Ruben

is also a capturetheflag player, under
the name "Red Rocket", or affiliated with

"Red Rocket". Their talk will me about
postquantum cryptography. And we'll take

a kind of introductory dive into Kyber.
This talk will also be livetranslated

into German, so if you don't speak German,
don't despair. Dieser Vortrag wird also

übersetzt simultan in Deutsch, and that's
also the extent of my German. Also, this

talk is prerecorded will last a bit over
30 minutes, but the Q&A will be live

afterwards. So enjoy.

Ruben Gonzalez: Hello, and welcome to our
presentation on Kyber and postquantum

cryptography. How does it work? First, my
name is Ruben Gonzalez, I'm a Ph.D.

student in the Netherlands. I'm doing this
presentation together with my colleague

Krijn Reijnders, and we'll be teaching you
all about Kyber today. So, first things

first, a small disclaimer, because I don't
want to disappoint any people: We're doing

boomer crypto here, so we won't be talking
about blockchain, NFTs, shitcoins,... at

all. Instead, we're going to bore you with
mathematics, weird kinds of key pairs, and

U.S. government agencies. So, our talk is
divided into four segments. First, I'm

going to teach you a little bit about what
postquantum cryptography actually is and

why you should care about it. Then we're
going to talk about Kyber, which is the

scheme we're going to go into detail
about, because it's just about to take

over the world. And then Kreijn will talk
to you a little bit more about the

security guarantees about how the system
actually works mathematically. And then

we're going to give you a brief outlook on
the future of crypto and where we're

headed in the field. So, postquantum
crypto. A little bit of basics here:

Today, cryptography, on a high level, is
divided into two parts; a boring part and

an exciting part. So the boring part is
called symmetric crypto and symmetric

crypto does what you usually expect from
cryptography. So you can encrypt stuff

with it and sometimes you do
authentication with it. But the biggest

part is the encryption stuff. So you have
a secret team that nobody is allowed to

have, and if you have this secret key you
can encrypt things, and another person

that has the same secret you can decrypt
with it. So that's why it's symmetric 

you have one key for encryption and
decryption. And what you actually use

implementation wise, is almost exclusively
AES encryption encryption or hash

functions that are from the SHA family and
it's a symmetric world. That's a symmetric

side of things. Now you also have
asymmetric crypto because if you look at

symmetric crypto, you have this secret
key, but you don't actually have a way of

getting two parties having the same secret
key. And it's where asymmetric crypto

comes into play. So, you can use
asymmetric crypto, among other things, to

exchange this secret key. So asymmetric
crypto uses a key pair: a public key that

everybody can have and a secret key that
only the recipient can have. So. Yeah,

essentially with the public key you
encrypt, for example, the symmetric key,

and with the private key you decrypt, and
here it feels a bit more difficult.

There's not only two algorithms that are
being used, but there's an entire zoo of

algorithms used. So, let's look at the zoo
real quick. Probably some of these terms

you've already heard: Curve25519 is pretty
big; maybe you've used RSA before, Diffie

Hellman, that sort of thing. So there's
this big zoo of different kinds of schemes

in asymmetric crypto that it can use for
different things. Sometimes there are

different schemes that you can use for the
same thing, or you can use one scheme for

different things. So it's a bit more
complicated to make an overview of the

algorithms. But, if you look at the zoo,
people seem to be happy, right? Oh, they

look around, they have a look, things seem
to work, it's a happy world. So why would

you want to change that? And in post
quantum crypto, we actually want to change

the asymmetric crypto fundamentally. Well,
there's one big problem with this zoo, and

it's not in the zoo, but it's coming for
the zoo. So there's this guy, Peter Shore,

and he's threatening the zoo. He's about
to destroy it and everything in it. And

why is that? Well, we have this big zoo of
asymmetric crypto, right? But if you look

at the different schemes in detail, you
actually see that they are only based on

two mathematical problems. And that is
integer factorization and the discrete

logarithm. We don't have to we don't have
the time to go into much detail on those,

but you have to know that the entire
asymmetric crypto zoo is based on two

problems. And, coincidentally, Peter
Shore, defined an algorithm, a quantum

algorithm, that breaks those two problems
and all cryptography that's based on them.

So all of today's crypto is actually
broken if we can use Shore's algorithm.

Now Shore's algorithm is a quantum
algorithm. That means we need a large

enough quantum computer for it to work,
but once we have that, all asymmatric

crypto is destroyed. And why should you
care about that? Well, maybe you use one

of those things here. Well, actually you
do, whether you like it or not. You're

watching this stream right now via TLS.
Maybe you also use things like SSH or

email encryption or VPNs with IPsec or
WireGuard. Well, Shore's algorithm would

break all of those protocols. Everything.
And you should care because in the modern

information age, essentially everything is
digital communication. All security is

virtually based on cryptography, so, if
Shorezilla and breaks everything, we do

have a huge problem. So the natural
question that arises is: "when will we

have large quantum computers?" And the
answer is: "we don't know." Different

experts say different things. The opinions
vary from within five years to never. But

the truth is, nobody knows. We can't see
in the future. We don't have a magic eight

ball there. But we should definitely be
prepared for the large quantum computer

because we don't want all of our
information security to be broken when,

let's say, a large U.S. government agency
all of a sudden manages to build a quantum

computer. So postquantum crypto is all
about designing asymmetric cryptography

that is unaffected by quantum computers.
Or let's say we hope they are. But we're

pretty certain they should be unaffected.
They're certainly unaffected by Shore's

algorithm. So now that you know a little
bit about what postquantum cryptography

is about and why we need it, I want to
talk about Kyber. Kyber is the post

quantum scheme that is most likely to be
adopted in the near future. So the

asymmetric crypto zoo is threatened 
Let's make a new new zoo, where people can

and people can be happy and live their
fulfilled lives. The standardization

organization NIST launched a call a couple
of years back for new cryptographic

schemes that are resilient against quantum
computers. And first schemes are actually

about to be standardized very soon in
early 2022. So, we want to look at one

scheme that is about to be standardized,
and it's called Kyber. Now why are looking

at exactly that scheme? Well, it's very
fast, and the public and private key sizes

are not too big, meaning you can actually
use it in real world projects, which is

not always the case for all postquantum
schemes. So it is already, even though

it's not, it's standardized, it has
already seen some adoption in industry.

And it's a latticebased scheme. And right
now it looks a little bit like lattice is

going to be the future. If you don't know
what a lot of space scheme is, that's

really fine; Krijn is going to tell you in
the end. So, that was the fun part of our

presentation, the easygoing part. Now we
need to roll up our sleeves, we need to

get our hands dirty and we need some
mathematics. And for that, I'm going to

give the mic  turn over to Krijn. (How do
you say that? Give it to Krijn? I don't

know.) Bye.
Krijn Reijnders: So, now we need maths. So

let's start. What we need in Kyber are
polynomials, and we need to work with

polynomials. But actually, you can think
of polynomials just like you do of as

numbers. What do I mean with that? I mean
that you can just multiply them and you

can also just add them together like you
do with numbers. And just as we do with

numbers in pre quantum cryptography, when
they get too big, we reduced them. We do

this modulo operation. We'll do the same
for the coefficients in the polynomials,

but also, when the degree of a polynomial
gets too big, we will reduce them by

another polynomial. So we have a modulo
operation with polynomials, and in this

way you can do all kinds of things with
polynomials. And that's actually all of

the mathematics that we all need
fundamentally to work with Kyber. What do

I mean by that? Well, if you can do
multiplication and addition, then you can

also do these things like we do for
numbers with matrices and vectors, so we

can multiply a matrix with a vector and
add another vector. And this works the

same for these polynomials, so you can
have a matrix full of polynomials and a

vector full of polynomials, and you can
just multiply them together, add another

vector. It's just this basic operation of
multiplication and addition of

polynomials. It looks a bit more
complicated, but that's it. And then,

let's say we do this, we have a matrix and
we multiplied by a vector and we add

another small vector. Now if I give you
the end result of this computation, and I

give you this matrix that we started with,
it's actually very hard to recover the

vector that we've multiplied the matrix
with. And this is the fundamental problem

that we need in Kyber. And it's called
modulelearningwitherrors. I know this

name does not make a lot of sense, but
apparently mathematicians thinks it does

aptly describe the problem. So this
matrix, we call it 'A', this secret vector

of ours, we call it 's', then we need to
add a small error term so that it's not

too easy to solve this problem, and then
we get a public value again, which we call

't'. This gets you the equation A times s
plus e equals t. And then the public key

pair is this matrix 'A' and this end
result 't', and the private key is our

secret vector, 's'. That's all that we
need to generate a key pair in Kyber. We

need to ensure actually that the private
key pair has small coefficient, and that

also makes it very compact to transmit.
And also, this error has small

coefficients. For the rest of the
presentation: These error terms, they are

necessary, but they complicate the
equations are a bit too, so we'll just

write them in emojis so that you know what
the errors are and what are the important

values, and now Ruben will explain again:
How can we encrypt and decrypt messages

using such a public and private key pair?
R.G.: OK, our Boomer is back, and he wants

to encrypt something. So, as an example,
he wants to encrypt the letter C. So C is

not a variable, it's literally the letter
"C" that he wants to encrypt. And as we

learned earlier, to encrypt something, we
need the public key. So we have this

public key, which is the matrix A and the
vector t. So first, we need to transform

the letter "C" into some form that Kyber
can work with because we want to encrypt

it with Kyber. So let's first break it
down into binary, right, in a computer,

everything is binary anyways, so let's say
we used to ASCII encoding. So we turn the

letter "C" into a series of ones and
zeros. In this case, it's one zero zero

zero zero one one. Now we have binary
representation, but Kyber uses those

polynomials, right? So we have to somehow
turn this into a polynomial, which turns

out to be quite simple. So we just do a
binary polynomial, so we take the ones and

zeros and use them as coefficients for a
polynomial. In this case, you can see the

polynomial on the slides, quite simple. So
one bit is one polynomial coefficient.

Since zero times something is just zero,
which is just leave out the zero terms and

shrink our polynomial a bit. So we now
have a plain text and we can use within

Kyber, right? The plaintext is a
polynomial "x to the power of six plus x

plus one". That's our plain text. We
haven't encrypted anything yet, but we

have a plain text. So now let's us Kyber
to encrypt the plain text polynomial.

First, we have to scale it. We have to
make our polynomial big. And we do that

simply by multiplying the polynomial with
a large factor. So here I chose 1337, it's

arbitrary, depends on the Kyber instance,
but we just multiply every polynomial

coefficient with the large number 1337. So
we have the same polynomial, but with

larger coefficients. So our scale
plaintext is 1337 x to the power of, and

so on and so on. So now we do the actual
encryption, which in Kyber, it's actually

quite simple. We just sprinkle in some
error terms. As Krijn mentioned earlier,

in our presentation, small error terms are
represented as emojis. Because they're not

that important, but you should still know
they're there. So our ciphertext is

actually just two values, v, which is a
polynomial and u, which is a vector of

polynomials. So, v is the key value from
the public key, multiplied and added with

error terms, and then the actual scale
plaintext message is added as well. u is a

matrix from the public key, multiplied
with an error term and an added error

term. You can see the carrot error term
appears in both equations. And that's it.

That's our encryption. (v,u) is the
encryption of our plaintext. So doing only

encryption would be kind of boring. We
probably also want to decrypt stuff. So,

how do we do that in Kyber? Well, we need
the private key, right? Public key

encrypts, private key decrypts. So we have
our ciphertext, those two values v and u.

And in order to decrypt, we first remove
the public key from it. And we do that

just by taking v minus the private key,
multiplied by u. And if I spell out the

equations, they become quite long. But as
you can see, if you think about the emojis

as error terms is that most of the public
key, or actually the entire public key,

kind of cancels out. So, and d, here on
the slide, is the end result of the

calculations of v minus private key times
u. And so we have our message in d, which

is the plain text, but we also have these
error terms laying around and the private

key. Now one core observation is
important. I mentioned earlier that error

terms are all small, meaning they're
polynomials with small coefficients. And

the private key also has polynomials with
small coefficients. So here on the slide,

everything on the right side is actually
small, but our plain text is large because

we scaled it earlier. We multiplied it
with a large number 1337. So simply by

kind of rounding everything, we get our
scaled plaintext back, because these terms

are small. So just by rounding, we get our
scaled plaintext back. And then we have

essentially decrypted. What we now have to
do is just turn it back into the original

text, so we scale down, divide every
coefficient by 1337. We bring back to zero

terms, so every coefficient that is not in
the polynomial has a zero. Yeah, every

term that is not in the polynomial has a
zero coefficient. So we bring back the

zeros and then from the binary polynomial,
we can just read out the ones and zeros

from the coefficients. We have back binary
code and this binary now we can decode

again using the ASCII, for example, and we
have our plaintext back. And that's how

Kyber decrypts. And then we can decode the
Kyber plaintext into your original

message, which was a "C". So how does
Kyber looks like for the home consumer?

Well, Kyber comes in three flavors, three
different security levels. There's

Kyber512 until Kyber1024. So, in
cryptography usually security is measured

in bits. Sometimes it's related to how
strong AES is. So the lowest acceptable

acceptable security level for us is 128
bit and the strongest security level we

use in practice is 256 bit. So Kyber512
has around 128 bit security and Kyber1024

as around 256 bit of security. Now that's
what the end user needs to know. But I

also want to show you what these
securities actually mean in terms of

Kyber, because Kyber instances are mainly
defined by three variables: n, k, and q.

And what do those mean? Well, n just means
the degree of the polynomials used within

Kyber. So 256 means we have exponents x to
the power of maximum 256. So polynomials

are quite large. 256 coefficients we can
store. k means the size of the vector. So

as you've seen, Kyber uses not only
polynomials, but also vectors of

polynomials. So essentially lists of
multiple polynomials. And in Kyber, the k

variable says how many polynomials are in
such a vector. q is the modulus for the

numbers. I mean, we have coefficients,
right? And how big can this coefficients get?

So the largest coefficient that is used
within Kyber would be 3328 because we take

it modulo 3329. So as you can see, in
Kyber, we don't have to deal with big

numbers, actually. We have to do with a
prequantum cryptography, we have to deal

a lot with huge numbers. Here, the numbers
are not that big. Also important is size

to speed tradeoffs. Now here you can see a
bar chart of public key, private key and

ciphertext sizes of an elliptic curve
scheme, Curve25519, RSA, and kyber in

smallest security level. So those three
security schemes are the same security

level, but as you can see, elliptic curve
crypto is really tiny, RSA is somewhat

bigger, an Kyber is even bigger. But if we
go to the highest security level, you see

that Kyber is actually very comparable to
RSA. However, ecc is still a lot smaller.

But you don't only care about sizes, you
also care about speed, you care about

speed even more. And if we compare the
same security level in Kyber, in elliptic

curve crypto and in RSA, we can see that
Kyber is on fire. Kyber is really, really

fast. So we can throw out RSA and just
compare elliptic curve crypto to Kyber,

and we can see Kyber is even faster than
elliptic crypto, which is quite impressive

because ellipctic crypto is already quite
fast. And, even more, we can see that the

highest security level of Kyber is faster
than the lowest security level of elliptic

curve crypto. So Kyber  fast as hell. I
know benchmarks are difficult. We have

different kinds of platforms, but as an
intuition: Kyber is really fast. So the

thing I want to mention is that Kyber
source code is available online. You can

download it from GitHub, for example, from
the PQClean Project, which has AVX

optimized implementations for desktop
CPUs, from the pqm4 project, which is the

optimized implementation for ARMbased
embedded processors, or there's also a

reference C implementation in the pq
crystals project. And, last but not least,

the specification, the documentation, the
code, everything is licensed under

Creative Commons zero, meaning that it's
public domain. So there is zero license or

patenting issues with Kyber, it's just
public domain. You can clone and do

whatever you want with it. It's quite
nice. So that was it about Kyber, now

Krijn is going to tell you more about what
actually lattices are and why Kyber is

actually secure the way it is.
Krijn: OK, so that was Kyber. And we've

been talking a lot about polynomials, but
we haven't talked so much yet about

lattices. But we did say that Kyber was a
lattice based scheme. So what do lattices

have to do with all of this polynomial
stuff? And why do we think it's secure

because of this being lattice based? Well,
let's go back to these numbers that we

used for a second, just because they make
these things more understandable and

intuitive. We had this matrix
multiplication. We multiplied the matrix

with a vector. Now let's say we do this
for numbers, right? We have this matrix

13, 4, 2, 9 and we multiplied by a, b.
Well, actually, what you could also see

here is that you multiply the vector 13
over 2 a times and then add the vector 4

over 9 b times. And as you see in the
image, like, you can make different

combinations of that. So if you take a = 1
and b = 1, you get the point on the top

right corner and then you can do this for
a = 2 and b = 1, then 3 and 4 infinitely.

And then you would get all of these dots
spread out over the cartesian plane, and

it would go on infinitely in these
dimensions. So you would get infinite

number of points just by giving these two
original vectors 13, 2 and 4, 9. Now, our

secret key s was just actually then a way
to pick one of these points, because we

said, well, the Matrix a that we had in
the public key, it describes some sort of

lattice. And then the secret key s
described actually a specific point: a

number of times the first vector, plus a
number of times the second vector. Then

what does this error term do? Well, you
know, it shifts just a bit from this

lattice point that we were at and then we
get the end result t over there. And now

it's very difficult actually to get back
from t to this vector s. We know that it's

the closest vector to this given point t
in this lattice described by a. But this

problem of finding the closest vector in
the lattice and in a random letters is

actually very hard. And this is what we
call the closest vector problem, which is

a very good name because we're looking for
the closest vector. So for this two

dimensional example, we had the matrix e
and the vector t in the public key, and we

had the vector s in the private key and
that was hidden by this small error term.

So to recap: a gives you these initial
vectors, which you can use to describe the

lattice, s gives you a secret point in
that lattice. The error makes sure that

you're close to a lattice point, but not
too far away. And then we get the end

result t, which is this public point and
then getting back from this information of

this lattice and t to s is the closest
vector problem, in a nutshell. You may be

thinking now, OK, this is for numbers I
can see this right. It's just these dots

in this plane. For dimension two OK, I get
it. For Dimension three you can think of a

third dimension. Though we were talking
about dimension n way larger than 3 and

polynomials instead of numbers. And how do
we visualize this? And the truth is we

don't actually, but we do know how to
compute it, which was just this

multiplication and addition of
polynomials. So we just compute it and we

kind of think of it as a lattice
abstractly, but not visually. Now let's

finish with a short look at the future of
asymmetric crypto, and let's go back to

the postquantum crypto zoo that we had.
We already took a look at Kyber, but there

was also other cryptographic primitives
such as Rainbow, Falcon, and SABER and

Dilithium, NTRU, McEliece. Among them,
there are signature schemes, but also

these key exchange mechanisms. Actually,
this zoo is quite different from the one

that we had prequantum, the one that we
had prequantum as we explained was based

on mostly integer factorization and a
discrete logarithm problem. But in the

postquantum setting, we have a variety of
problems. We have hash based cryptography,

lattice based cryptography, code based
cryptography, multivariate based

cryptography, and isogeny based
cryptography. And these are five quite

different flavors of cryptography, with
also different underlying mathematical

problems. But postquantum crypto is
coming. For example, Amazon has already

implemented some of the round two
candidates, such as Kyber in postquantum

TLS. And also the BSI, which is the German
Ministry for Information Security, has put

out a proposal to integrate postquantum
cryptography into Thunderbird as their

mail client. And even NIST has the
following quote that if you haven't

migrated to elliptic curve cryptography
yet, don't bother, just directly migrate

to postquantum crypto. And that wraps up
our presentation on postquantum crypto

and Kyber. If you want to do some further
reading, there is a link here to a blog

that goes a bit more indepth in how Kyber
works and has a very small example. Just

as we've shown you in this video. Thank
you for your attention and we'll take some

questions now.

Question: So why should I care about this
now?

Ruben: Well, that's an excellent question.
Well, as we know from the Snowden leaks,

the NSA is currently recording a lot of
internet traffic that is encrypted, and

they're recording this encrypted traffic
in the hopes of being able to decrypt it

later. For example, using a large quantum
computer. So first, we have to care about

this now because our internet traffic is
already recorded and could be broken

later. And second, we have to care about
this now because transition, especially

when it comes to cryptography, is really
slow because standardization takes a lot

of time. Implementation takes a lot of
time, and adoption takes a lot of time. So

that's why we have to care now.
Question: But are there any downsides?

Krijn: Another very good question.
Actually, yeah, there are some downsides,

but they're not too big. Usually, the keys
are a bit larger than we are used to. In

some cases even much larger than we are
used to. And the speed is a bit worse than

we are used to. In some schemes, even much
slower than we are used to. But while this

is already being adopted, it is also still
a very active area of research and we are

continuously trying to make the keys
smaller and the schemes more efficient. In

the hopes that we in the end, get very
efficient schemes that will solve all of

our postquantum problems. Why didn't you
let me eat the lettuce?

Ruben: It's my lettuce! Okay, now eat it
for the camera, you can eat one. But it's

not washed.
Herald: Okay, thank you. The first

question we got from the internet is: Why
are you using seven bit ASCII instead of

Unicode?
Ruben: So in that case of the letter c

that wouldn't make a difference anyways.
We just prefer to use ASCII because we

really, really want to piss off the
European people because all of these

umlauts and that kind of stuff. Of course,
they're unnecessary. So ASCII forever.

Herald: I'm surprised that both of us
Europeans as well, but let's not get to

the nationalism bit and carry on with the
next question, which is, by the way, how

can you compare the security levels
according to varying n and varying q,

respectively?
Ruben: Sorry, the connection was a bit

lost there. Could you repeat the question?
Herald: Of course, can you compare the

security levels according to varying n and
varying q, respectively?

Ruben: Yes, of course you can. I'm not
sure if I get the question. Of course,

that's how you do it, that's how you
compare and you can do that. I'm not sure

if the question asked me to do that right
now on the spot because that I couldn't

do, but I mean, it was on the slides, like
the security levels that are about to be

standardized, at least. But the one good
thing about Kyber, a very good thing that

I want to mention is that, so the
polynomials, the size stays the same, the

modulus q stays the same. Only the size of
the vectors change. So how many

polynomials you have in a vector. And that
makes it quite nice to write optimized

code because most parts of the code are
literally the same. If you look at the

implementation, the reference
implementation, you can see that it's

actually the same code for all the
security levels, just one header changes

that specifies how big the vectors are. So
that's quite nice. But you can yeah, you

have for RSA, you have different key
sizes. So yeah, it's more difficult to

optimize, but here you can just have the
same size as just the vector size changes,

which is nice
Herald: What about the potential for

hardware acceleration for Kyber? Could
that be possible, feasible?

Ruben: So I am not sure if I just answer
that or Krijn also wants to say something,

but hardware acceleration for postquantum
schemes in general is, as we say, a very

active area of research. So these things
are very new. There were some people that

tried to use, there's a paper about it,
actually  you can look it up on the

internet  to use RSA bignum hardware
acceleration for Kyber, which is a quite

interesting idea because you work in
completely different things there. But

it's an open question and it's a very
active area of research. So if any of the

viewers are interested in that sort of
thing, to, I don't know, try out Kyber or

FPGAs or something. Yeah, try it out! So
there's a lot of potential there, but it's

also, as I said, very actively researched
because it's relatively new and it just

now finds adaptation in industry.
Herald: And there's a follow up question

that sort of mirrors it in a way because
that question is: T o what extent is this

feasible on embedded architectures with
very limited hardware to use Kyber there?

Ruben: So I've been using it on a Cortex
M3, which is ARMbased. So usually the

reference platform, we use the Cortex M4
because we want to. Like two experiments

that are reproducible, and you can buy
Cortex M4 boards quite cheaply from

various vendors. So it's definitely
possible to run Kyber on a Cortex M3. I

mean, there's also a project on GitHub.
It's called pqm3, that has Kyber benchmark

for various, yeah M3 boards, but that's
definitely possible. What I'm working on

right now is testing it on a Cortex M3 and
M4 for also application level, so included

it in TLS or KEMTLS. Or there's a paper
about WireGuard using Kyber and Dilithium

for example. That's definitely possible.
The question, also active area of research

is, how low can you get? Like, how much
can you optimize? Because there are

various tradeoffs, like do we want more
space for code but use less RAM and you

also always have these kinds of tradeoffs
in the embedded world. And that's

something I'm a little actively looking
into right now, actually. But it's

certainly possible to run it on embedded
systems. We could also go for a Cortex M0,

which is, like really, really low level,
but the cortex M3 is already running on

smartcards. So that's what I'm currently
looking at and there it's definitely

possible. But as I said, you have to look
into tradeoffs, see how much you want to

waste on ROM, how much you want to waste
on RAM and how much time do you have for

the runtime? But the benchmarks we are
having there, as I said. Go to Github,

pqm3, already quite good, so it's
definitely usable depending on your use

case. I hope that answers the question.
Herald: So do I. There's another question

by someone who actually has implemented
it. So I just briefly read the questions:

I implemented a raw learning error scheme
in an insecure "Hold my beer"style. It

seems to work, but I see about 1% bit
errors in the decrypted text, how do real

implementation handle the expected bit
errors in the decryption?

Ruben: So the easy answer is rounding. So
you just throw away some of the lowest

bits, but that really depends on the
scheme. So if he has done some learning

with errors. So there are different
flavors of learning with errors. There's

like ring learning with errors, modulo
learning with errors, learning with

errors, and it depends on what he has
implemented. But in the end the thing that

seems to work is just throw off the least
significant bits, for example, depending

on how many errors you expect. I don't
know, Krijn do you want to add something?

Krijn: No, I think you're doing fine with
the question.

Ruben: If there's no question I'm going to
ask your questions afterwards. Very

personal ones for history. You know?
Herald: I shall move on to the next

question, but I think from a layman's
perspective, this may also relate to the

last question. The question is: Those
sequencing terms are set to be small

relative to the mesh's coefficients. How
do you make sure that those do not

compromise encryption and are chosen
arbitrarily?

Ruben: So again, I'm really sorry. I had a
couple of hiccoughs, so I didn't get the

question could you repeat it?
Herald: Sure. The question was: The Secret

key and error terms are set to be small
relative to the message coefficients. How

do you make sure that those do not
compromise the encryption chosen

arbitrarily?
Ruben: OK. I had a hiccough again, Krijn,

did you get the question? Otherwise, I'll
answer what I heard. I think what I think

I heard.
Krijn: So why are... why don't the

small... the fact that the error and the
private key are small, why doesn't this

compromise security? And in fact, well you
need the error to be quite small in order

to be able to solve this, this closest
vector problem that we've sketched. If the

error is too big then a different vector
could be the closest vector than the one

that you want. Now why the private key has
to be small. There are some results that

we know that this does not mean... that it
doesn't break the security basically of

the scheme. I don't know if , Ruben, you
can do a two liner on why that is.

Ruben: So I answer the question always
like: we bring in all those error terms.

How do we make sure that the decryption
isn't faulty, right? And actually, it's a

very good question, because there's a
provable, probably negligible probability

that there will be decryption errors.
However, Kyber is fast enough. We handle

them in the KEM Version of Kyber. So what
we have introduced here is the public key

encryption version. Standardized as the
KEM, which uses internally the public key

encryption version and in the KEM version,
you can be sure that this doesn't happen

because, yeah. To answer the question,
there's a tiny, tiny but negligible

probability that you have a decryption
error, so in that case a very good

question. But if you're really interested,
the blog post, I mean, you can download

the slides and there's a blog post. For
the talk, let's say, so you can go to the

blog post and there's the Kyber
specification reference. They can just

click on the specification and there you
can see that it's a fine tuning of

parameters to make sure that the sprinkled
in error terms do not invalidate the

decryption to a certain, within a certain
probability. And we make that probability

in Kyber so low that in reality it will
never happen. Like, 2 to the power of...

lets say magnitudewise something like
atoms on Earth or like to give you an idea

of how big the numbers are there. So it's
a very, very low probability that that

will happen. But a very good question. At
least thats how I interpreted the 50% of

the question that I heard.
Herald: I am sorry that we seem to have a

technical problem.
Ruben: I think it's just the shitty

internet at my my parents place.
Herald: That could also be the case also

on my end there are troubles as well. The
question after that and maybe Krijn can

just start answering it. Would Kyber be
broken if someone found a simple solution

to the closest vector problem?
Krijn: Yeah, but we that's the case,

that's always the case for encryption. If
you managed to solve the fundamental

problem, then the encryption scheme is
broken. Luckily for the closest vector

problem, we have a very good, we have
quite some trust in this problem, so some

other of these postquantum schemes are
based or more recent problems, so the

closest vector problem is a much older
one. So we do trust it, well I have quite

a bit of trust that it won't be easily
broken in the coming years.

Ruben: So the answer is it's a bit tricky
there, because the close vector problem is

NP hard. So we think this is like a very
good problem to start from. But the

question is also like how are these
lattices related to certain instanciations

of the closest vector problem? And are
these specific closest vector problems

maybe a bit simpler or something? But as
Krijn said we're in the closest vector

problem we trust like this is one of the
problems in postquantum crypto that we're

pretty certain about. But yeah, if you
would solve it or if you have already

solved it, Kyber would be broken.
Herald: That sounds like a potential

inscription on the side of a coin. In the
closest vector problem we trust. And

talking about trust. The question after
this is: Would you trust this, this Kyber

algorithm to secure your communications
now?

Ruben: Should I answer or Krijn do you
want to, you haven't said so much?

Krijn: I would actually, yeah, I don't
have. So if you're skeptical about it, you

can also go to. I don't think we discussed
it, but you can go to hybrid modes of the

current classical, preqantum crypto and
postquantum, if you can suffer the

drawbacks of that. But personally, yeah, I
guess I would. Ruben, would you?

Ruben: I would trust Kyber at this moment,
but there's... If you don't trust it as

Krijn said, you can go into hybrid mode,
so the idea, for example, for TLS is to

first do elliptic curve crypto and post
quantum crypto together, sort of in a way

that the adversary, the attacker would
have to break both in order to compromise

the communication. So that way, you don't
have to fully trust Kyber yet if you want

to run the hybrid. But of course, the idea
is to at some point get rid of this

overhead and just run postquantum crypto
without elliptic curve crypto

additionally. But yeah, I mean, I
personally would use it right now. But

what I also want to say is that in the
beginning of every krypto system, RSA,

elliptic curve doesn't matter. In the
beginning, everybody is quite skeptical

and nobody wants to use it yet. And that's
fine. Like, that's how the community

works. But over time, usually people gain
trust.

Herald: OK, thank you. Now we're getting
into speculative territory, and one of the

questions is whether you could have any
guesses on which of the schemes is

probably going to end up winning the NIST
PQC competition, postquantum crypto

competition?
Ruben: So NIST specifically says it's not

a competition, very important. So Kyber is
one of the winners coming out of it, but

that's quite clear. And also you already
see adoption in the real world. We brought

two examples with Amazon and the BSI, for
example, that wants to include it in

Thunderbirds email encryption. So Kyber is
going to be one of the winners. This is

my... not only opinion, but yeah, that's
quite clear. And otherwise, I think

McEliece, which is a code based scheme
that is quite large in all measures, let's

say. But people seem to have more trust in
it because it has been around longer.

Yeah, so I'd say those for KEMs and
everybody is quite unhappy with the

signatures. So I don't think there will be
signatures standardized like this year or

beginning next year. But Krijn, I don't
know, maybe you have a guess?

Krijn: No, I'm not such a speculative
person, but I think Ruben's answer is

quite a good answer.
Ruben: Now you really have to also

speculate, I mean, come on, you can't just
piggyback on my answer.

Krijn: No I definitely can. It's
interesting to note actually that for the

signatures that there's less of a hurry,
so to say. It's especially this key

exchange that we wanted to make post
quantum as soon as possible, maybe, or at

least one to standardize quickly and then
integrate into whatever building. Well,

for the signatures there a bit more time
so there's also more time to come up with

better solutions there or to analyze the
current solutions a bit more.

Ruben: Yeah, that's because I mean what we
mentioned is the attacker model, big

government agency, for example. And the
key exchange you have to fix now because

that could be later on broken and then the
communication can be decrypted. But

signatures like they have a small
lifetime, for example, and also they are

used for authentication. So you would need
an active adversary. And that, yeah. You

can't like record now and then do an
active attack in 10 years, like, that

doesn't work. So then we have some more
time yeah.

Herald: Well, that's not entirely true.
There's a lot of states using, and I'm

talking about signatures, not for the
ephemeral use in online usage, but the

more the use of signatures, for example,
document signatures. And for those an

attack would still be relevant for the
future.

Ruben: If they have, well, if they have a
long runtime, usually signatures or keys

at least, of signatures, they expire at
some point. But yeah, of course, if you

have, if you have signatures that do not
have an expiration date or something, then

they would be under threat as well.
Herald: In a document signing, you will

have signatures that have a very longer
lifetime than you will have for your

typical web transaction, for example. But
I'm now full dropping out of role as

herald who is a mere vessel of questions
from the audience.

Ruben: But of course, this is also
interesting for us.

Herald: And I guess with the last version,
at least, I think this is the last

question unless there is an additional one
on IRC, so people have to be quick if they

want to have additional questions. But the
last questions are just very practical.

And basically, do you have any ideas about
pitfalls when implementing Kyber already?

Do you have suggestions for making sure
you implement it security? Or is it simply

possible to implement it very naively?
Ruben: So. This is always a big fight in

the cryptography community, because
they're the people that say, oh, there are

a handful of chosen ones that are able to
implement it securely. And you should

never, ever, ever do it yourself. I'm on
the opposite side of that, I think people

should play around with implementation.
Try it out. So, Kyber is among the schemes

that it's definitely, let say easier to
implement in a correct way. However, it

depends where you want to use it because
you also have to take side channels into

consideration, especially if you work on
embedded platforms, like power analysis

and that kind of thing. So this is also
still highly investigated. And then if you

go for that kind of implementation, you
should have a masked implementation. So

this would be an own talk for itself. Like
I don't want to like now give you two

verbs what you should do and then say that
it's secure. I mean, it's a bit more

complicated than that. So I can't really
say now do this do that. I can just say on

the spectrum from easy to difficult, Kyber
is more on the spectrum of easier to

implement securely. But if you're
interested in that, look up the

implementations. There's a reference
implementation. There's a PQClean and

stuff. Look up the implementations online
and look into that and the specification

that is linked in the block post, that is
linked on the slides. There are also some

points that say what you maybe should,
where you should be careful lets say.

Herald: OK. And there was just an
additional question as well, and that is

what is the status of Kyber in OpenSSL and
GnuTLS?

Ruben: Okay, so we see adoption in crypto
libraries, but OpenSSL. OK, I don't want

to hate, but OpenSSL codebase is, how do I
say that? Look, it's a bit complex and a

bit difficult for outsiders to get what
OpenSSL is doing in certain corners of

their code base. But there's a project
called OpenOQS, no liboqs that is a fork

of OpenSSL, including postquantum
schemes, but not only Kyber, but various

schemes. That's liboqs, its a OpenSSL
fork. Now there are other libraries, for

example, WolfSSL, which has a smaller code
base and they already have in their actual

release or in their main branch, let's
say, in git, they already have NTLS post

quantum schemes, and Kyber is one of them.
They have lattice based schemes,if I

remember correctly: Kyber, Dilithium, and
Falcon. So they already have it included.

WolfSSL , OpenSSL as I said there is a
fork that are like benchmarking and

testing stuff in the hopes of later being
able to return it to OpenSSL. But as I

said OpenSSL is not exactly ideal for
experimentation, becourse the code base is

quite large and in some corners, quite
complex to comprehend and so on. Other

libraries are a little faster. I don't
know of any efforts for GnuTLS to be

honest, but I haven't looked into it yet.
It's possible that somebody else did

something there. I mean, I've I've worked
with WolfSSL before and with OpenSSL. But

GnuTLS I'm not sure. There are talks to
include it in GnuPG which you can use for

email encryption, and there are some
there's some progress there. But yeah,

GnuTLS I don't know.
Herald: All right, OK. This brings us to

our really final question, which is how
close are the current cloud quantum

offerings to be able to enable users to
break current public key cryptography?

Ruben: If I understand it correctly, Krijn
you can also say something if you want, if

I understand correctly, it's the question
is general. If I can use cloud computing

to break public key crypto?
Herald: No, the question is more specific,

there are quantum offerings by public
cloud providers like Amazon right now,

apparently. At least that's what I assume
the person who asking the question is

basing it on. And the question is, to what
extent are those available options usable

to break current public key cryptography
schemes?

Ruben: So if I understand the question
correctly is like, already deployed

quantum computers, are they a threat to
prequantum schemes? OK, so far, they are

not like there are quantum computers in
use, but they don't have nearly enough

qbits to break any real word schemes, so
it's also more complicated than that

because you don't only need qbits, you
also need quantum registers that are large

enough because you need to entangle all of
the qbits. I mean, there we are going to

quantum mechanics, but you need to
entangle the bits and all that kind of

quantum craziness. And then you also need
error correction that's good enough. So

there are still, there are still technical
like engineering problems that you need to

overcome, like in theory it's all fine and
stuff, but there's some engineering

efforts that you need to overcome, and the
currently deployed quantum computers are

not big enough to be a threat to quantum,
to prequantum schemes unless you have

some toy keysums. But for real
deployments, it's not a threat yet, but it

might be within the next couple of years.
It's really difficult to foresee the

development there and the largest quantum
computers are actual quantum annealers

that work differently, like quantum
annealing is a different thing, a

different kind of quantum computer that
we're not too worried about right now.

Like thats DWave for example. But yeah,
so right now, they're not a threat, but

they might be in the near future.
Krijn: And especially so with regards to

why you still switch to postquantum
crypto, is this idea that well,

standardizing crypto and then integrating
crypto and all of this takes years, as we

know from that transition to elliptic
curve crypto. So even if this quantum

computer is 10 15 years away then still
this whole transition thing will take so

long that by the end of it, how long will
your original data have been safe for?

It's anybody's guess.
Ruben: Yeah. I mean, you have to see

asymmetric crypto is everywhere. Like, for
example, also kind of example maybe in my

passport, like my travel document. And
there are documents, for example, out

there that are valid for 10 years like, I
think, a proper passport and all that kind

of stuff. And of course, it really takes
long also with these kinds of things, like

documents like that are issued by
governments. It just takes time, it takes

a lot of time.
Herald: OK, thank you very much. I should

also note that from the signal angel,
there have been several very enthusiastic

responses from the audience and not so
much questions about your talk, that's

also very interesting. So thank you so
much for doing this, and maybe see you

around.
Krijn: Thank you.

Ruben: Bye bye!

rc3 postroll music

Subtitles created by c3subtitles.de
in the year 2021. Join, and help us!