-
rc3 preroll music
-
Herald: Good afternoon everyone watching,
the upcoming talk is by Ruben Gonzalez and
-
Krijn Reijnders, they're both Ph.D.
students at Radboud University, and Ruben
-
is also a capture-the-flag player, under
the name "Red Rocket", or affiliated with
-
"Red Rocket". Their talk will me about
post-quantum cryptography. And we'll take
-
a kind of introductory dive into Kyber.
This talk will also be live-translated
-
into German, so if you don't speak German,
don't despair. Dieser Vortrag wird also
-
übersetzt simultan in Deutsch, and that's
also the extent of my German. Also, this
-
talk is prerecorded will last a bit over
30 minutes, but the Q&A will be live
-
afterwards. So enjoy.
-
Ruben Gonzalez: Hello, and welcome to our
presentation on Kyber and post-quantum
-
cryptography. How does it work? First, my
name is Ruben Gonzalez, I'm a Ph.D.
-
student in the Netherlands. I'm doing this
presentation together with my colleague
-
Krijn Reijnders, and we'll be teaching you
all about Kyber today. So, first things
-
first, a small disclaimer, because I don't
want to disappoint any people: We're doing
-
boomer crypto here, so we won't be talking
about blockchain, NFTs, shitcoins,... at
-
all. Instead, we're going to bore you with
mathematics, weird kinds of key pairs, and
-
U.S. government agencies. So, our talk is
divided into four segments. First, I'm
-
going to teach you a little bit about what
post-quantum cryptography actually is and
-
why you should care about it. Then we're
going to talk about Kyber, which is the
-
scheme we're going to go into detail
about, because it's just about to take
-
over the world. And then Kreijn will talk
to you a little bit more about the
-
security guarantees about how the system
actually works mathematically. And then
-
we're going to give you a brief outlook on
the future of crypto and where we're
-
headed in the field. So, post-quantum
crypto. A little bit of basics here:
-
Today, cryptography, on a high level, is
divided into two parts; a boring part and
-
an exciting part. So the boring part is
called symmetric crypto and symmetric
-
crypto does what you usually expect from
cryptography. So you can encrypt stuff
-
with it and sometimes you do
authentication with it. But the biggest
-
part is the encryption stuff. So you have
a secret team that nobody is allowed to
-
have, and if you have this secret key you
can encrypt things, and another person
-
that has the same secret you can decrypt
with it. So that's why it's symmetric -
-
you have one key for encryption and
decryption. And what you actually use
-
implementation wise, is almost exclusively
AES encryption encryption or hash
-
functions that are from the SHA family and
it's a symmetric world. That's a symmetric
-
side of things. Now you also have
asymmetric crypto because if you look at
-
symmetric crypto, you have this secret
key, but you don't actually have a way of
-
getting two parties having the same secret
key. And it's where asymmetric crypto
-
comes into play. So, you can use
asymmetric crypto, among other things, to
-
exchange this secret key. So asymmetric
crypto uses a key pair: a public key that
-
everybody can have and a secret key that
only the recipient can have. So. Yeah,
-
essentially with the public key you
encrypt, for example, the symmetric key,
-
and with the private key you decrypt, and
here it feels a bit more difficult.
-
There's not only two algorithms that are
being used, but there's an entire zoo of
-
algorithms used. So, let's look at the zoo
real quick. Probably some of these terms
-
you've already heard: Curve25519 is pretty
big; maybe you've used RSA before, Diffie-
-
Hellman, that sort of thing. So there's
this big zoo of different kinds of schemes
-
in asymmetric crypto that it can use for
different things. Sometimes there are
-
different schemes that you can use for the
same thing, or you can use one scheme for
-
different things. So it's a bit more
complicated to make an overview of the
-
algorithms. But, if you look at the zoo,
people seem to be happy, right? Oh, they
-
look around, they have a look, things seem
to work, it's a happy world. So why would
-
you want to change that? And in post-
quantum crypto, we actually want to change
-
the asymmetric crypto fundamentally. Well,
there's one big problem with this zoo, and
-
it's not in the zoo, but it's coming for
the zoo. So there's this guy, Peter Shore,
-
and he's threatening the zoo. He's about
to destroy it and everything in it. And
-
why is that? Well, we have this big zoo of
asymmetric crypto, right? But if you look
-
at the different schemes in detail, you
actually see that they are only based on
-
two mathematical problems. And that is
integer factorization and the discrete
-
logarithm. We don't have to we don't have
the time to go into much detail on those,
-
but you have to know that the entire
asymmetric crypto zoo is based on two
-
problems. And, coincidentally, Peter
Shore, defined an algorithm, a quantum
-
algorithm, that breaks those two problems
and all cryptography that's based on them.
-
So all of today's crypto is actually
broken if we can use Shore's algorithm.
-
Now Shore's algorithm is a quantum
algorithm. That means we need a large
-
enough quantum computer for it to work,
but once we have that, all asymmatric
-
crypto is destroyed. And why should you
care about that? Well, maybe you use one
-
of those things here. Well, actually you
do, whether you like it or not. You're
-
watching this stream right now via TLS.
Maybe you also use things like SSH or
-
email encryption or VPNs with IPsec or
WireGuard. Well, Shore's algorithm would
-
break all of those protocols. Everything.
And you should care because in the modern
-
information age, essentially everything is
digital communication. All security is
-
virtually based on cryptography, so, if
Shorezilla and breaks everything, we do
-
have a huge problem. So the natural
question that arises is: "when will we
-
have large quantum computers?" And the
answer is: "we don't know." Different
-
experts say different things. The opinions
vary from within five years to never. But
-
the truth is, nobody knows. We can't see
in the future. We don't have a magic eight
-
ball there. But we should definitely be
prepared for the large quantum computer
-
because we don't want all of our
information security to be broken when,
-
let's say, a large U.S. government agency
all of a sudden manages to build a quantum
-
computer. So post-quantum crypto is all
about designing asymmetric cryptography
-
that is unaffected by quantum computers.
Or let's say we hope they are. But we're
-
pretty certain they should be unaffected.
They're certainly unaffected by Shore's
-
algorithm. So now that you know a little
bit about what post-quantum cryptography
-
is about and why we need it, I want to
talk about Kyber. Kyber is the post-
-
quantum scheme that is most likely to be
adopted in the near future. So the
-
asymmetric crypto zoo is threatened -
Let's make a new new zoo, where people can
-
and people can be happy and live their
fulfilled lives. The standardization
-
organization NIST launched a call a couple
of years back for new cryptographic
-
schemes that are resilient against quantum
computers. And first schemes are actually
-
about to be standardized very soon in
early 2022. So, we want to look at one
-
scheme that is about to be standardized,
and it's called Kyber. Now why are looking
-
at exactly that scheme? Well, it's very
fast, and the public and private key sizes
-
are not too big, meaning you can actually
use it in real world projects, which is
-
not always the case for all post-quantum
schemes. So it is already, even though
-
it's not, it's standardized, it has
already seen some adoption in industry.
-
And it's a lattice-based scheme. And right
now it looks a little bit like lattice is
-
going to be the future. If you don't know
what a lot of space scheme is, that's
-
really fine; Krijn is going to tell you in
the end. So, that was the fun part of our
-
presentation, the easygoing part. Now we
need to roll up our sleeves, we need to
-
get our hands dirty and we need some
mathematics. And for that, I'm going to
-
give the mic - turn over to Krijn. (How do
you say that? Give it to Krijn? I don't
-
know.) Bye.
Krijn Reijnders: So, now we need maths. So
-
let's start. What we need in Kyber are
polynomials, and we need to work with
-
polynomials. But actually, you can think
of polynomials just like you do of as
-
numbers. What do I mean with that? I mean
that you can just multiply them and you
-
can also just add them together like you
do with numbers. And just as we do with
-
numbers in pre- quantum cryptography, when
they get too big, we reduced them. We do
-
this modulo operation. We'll do the same
for the coefficients in the polynomials,
-
but also, when the degree of a polynomial
gets too big, we will reduce them by
-
another polynomial. So we have a modulo
operation with polynomials, and in this
-
way you can do all kinds of things with
polynomials. And that's actually all of
-
the mathematics that we all need
fundamentally to work with Kyber. What do
-
I mean by that? Well, if you can do
multiplication and addition, then you can
-
also do these things like we do for
numbers with matrices and vectors, so we
-
can multiply a matrix with a vector and
add another vector. And this works the
-
same for these polynomials, so you can
have a matrix full of polynomials and a
-
vector full of polynomials, and you can
just multiply them together, add another
-
vector. It's just this basic operation of
multiplication and addition of
-
polynomials. It looks a bit more
complicated, but that's it. And then,
-
let's say we do this, we have a matrix and
we multiplied by a vector and we add
-
another small vector. Now if I give you
the end result of this computation, and I
-
give you this matrix that we started with,
it's actually very hard to recover the
-
vector that we've multiplied the matrix
with. And this is the fundamental problem
-
that we need in Kyber. And it's called
module-learning-with-errors. I know this
-
name does not make a lot of sense, but
apparently mathematicians thinks it does
-
aptly describe the problem. So this
matrix, we call it 'A', this secret vector
-
of ours, we call it 's', then we need to
add a small error term so that it's not
-
too easy to solve this problem, and then
we get a public value again, which we call
-
't'. This gets you the equation A times s
plus e equals t. And then the public key
-
pair is this matrix 'A' and this end
result 't', and the private key is our
-
secret vector, 's'. That's all that we
need to generate a key pair in Kyber. We
-
need to ensure actually that the private
key pair has small coefficient, and that
-
also makes it very compact to transmit.
And also, this error has small
-
coefficients. For the rest of the
presentation: These error terms, they are
-
necessary, but they complicate the
equations are a bit too, so we'll just
-
write them in emojis so that you know what
the errors are and what are the important
-
values, and now Ruben will explain again:
How can we encrypt and decrypt messages
-
using such a public and private key pair?
R.G.: OK, our Boomer is back, and he wants
-
to encrypt something. So, as an example,
he wants to encrypt the letter C. So C is
-
not a variable, it's literally the letter
"C" that he wants to encrypt. And as we
-
learned earlier, to encrypt something, we
need the public key. So we have this
-
public key, which is the matrix A and the
vector t. So first, we need to transform
-
the letter "C" into some form that Kyber
can work with because we want to encrypt
-
it with Kyber. So let's first break it
down into binary, right, in a computer,
-
everything is binary anyways, so let's say
we used to ASCII encoding. So we turn the
-
letter "C" into a series of ones and
zeros. In this case, it's one zero zero
-
zero zero one one. Now we have binary
representation, but Kyber uses those
-
polynomials, right? So we have to somehow
turn this into a polynomial, which turns
-
out to be quite simple. So we just do a
binary polynomial, so we take the ones and
-
zeros and use them as coefficients for a
polynomial. In this case, you can see the
-
polynomial on the slides, quite simple. So
one bit is one polynomial coefficient.
-
Since zero times something is just zero,
which is just leave out the zero terms and
-
shrink our polynomial a bit. So we now
have a plain text and we can use within
-
Kyber, right? The plaintext is a
polynomial "x to the power of six plus x
-
plus one". That's our plain text. We
haven't encrypted anything yet, but we
-
have a plain text. So now let's us Kyber
to encrypt the plain text polynomial.
-
First, we have to scale it. We have to
make our polynomial big. And we do that
-
simply by multiplying the polynomial with
a large factor. So here I chose 1337, it's
-
arbitrary, depends on the Kyber instance,
but we just multiply every polynomial
-
coefficient with the large number 1337. So
we have the same polynomial, but with
-
larger coefficients. So our scale
plaintext is 1337 x to the power of, and
-
so on and so on. So now we do the actual
encryption, which in Kyber, it's actually
-
quite simple. We just sprinkle in some
error terms. As Krijn mentioned earlier,
-
in our presentation, small error terms are
represented as emojis. Because they're not
-
that important, but you should still know
they're there. So our ciphertext is
-
actually just two values, v, which is a
polynomial and u, which is a vector of
-
polynomials. So, v is the key value from
the public key, multiplied and added with
-
error terms, and then the actual scale
plaintext message is added as well. u is a
-
matrix from the public key, multiplied
with an error term and an added error
-
term. You can see the carrot error term
appears in both equations. And that's it.
-
That's our encryption. (v,u) is the
encryption of our plaintext. So doing only
-
encryption would be kind of boring. We
probably also want to decrypt stuff. So,
-
how do we do that in Kyber? Well, we need
the private key, right? Public key
-
encrypts, private key decrypts. So we have
our ciphertext, those two values v and u.
-
And in order to decrypt, we first remove
the public key from it. And we do that
-
just by taking v minus the private key,
multiplied by u. And if I spell out the
-
equations, they become quite long. But as
you can see, if you think about the emojis
-
as error terms is that most of the public
key, or actually the entire public key,
-
kind of cancels out. So, and d, here on
the slide, is the end result of the
-
calculations of v minus private key times
u. And so we have our message in d, which
-
is the plain text, but we also have these
error terms laying around and the private
-
key. Now one core observation is
important. I mentioned earlier that error
-
terms are all small, meaning they're
polynomials with small coefficients. And
-
the private key also has polynomials with
small coefficients. So here on the slide,
-
everything on the right side is actually
small, but our plain text is large because
-
we scaled it earlier. We multiplied it
with a large number 1337. So simply by
-
kind of rounding everything, we get our
scaled plaintext back, because these terms
-
are small. So just by rounding, we get our
scaled plaintext back. And then we have
-
essentially decrypted. What we now have to
do is just turn it back into the original
-
text, so we scale down, divide every
coefficient by 1337. We bring back to zero
-
terms, so every coefficient that is not in
the polynomial has a zero. Yeah, every
-
term that is not in the polynomial has a
zero coefficient. So we bring back the
-
zeros and then from the binary polynomial,
we can just read out the ones and zeros
-
from the coefficients. We have back binary
code and this binary now we can decode
-
again using the ASCII, for example, and we
have our plaintext back. And that's how
-
Kyber decrypts. And then we can decode the
Kyber plaintext into your original
-
message, which was a "C". So how does
Kyber looks like for the home consumer?
-
Well, Kyber comes in three flavors, three
different security levels. There's
-
Kyber512 until Kyber1024. So, in
cryptography usually security is measured
-
in bits. Sometimes it's related to how
strong AES is. So the lowest acceptable
-
acceptable security level for us is 128
bit and the strongest security level we
-
use in practice is 256 bit. So Kyber512
has around 128 bit security and Kyber1024
-
as around 256 bit of security. Now that's
what the end user needs to know. But I
-
also want to show you what these
securities actually mean in terms of
-
Kyber, because Kyber instances are mainly
defined by three variables: n, k, and q.
-
And what do those mean? Well, n just means
the degree of the polynomials used within
-
Kyber. So 256 means we have exponents x to
the power of maximum 256. So polynomials
-
are quite large. 256 coefficients we can
store. k means the size of the vector. So
-
as you've seen, Kyber uses not only
polynomials, but also vectors of
-
polynomials. So essentially lists of
multiple polynomials. And in Kyber, the k
-
variable says how many polynomials are in
such a vector. q is the modulus for the
-
numbers. I mean, we have coefficients,
right? And how big can this coefficients get?
-
So the largest coefficient that is used
within Kyber would be 3328 because we take
-
it modulo 3329. So as you can see, in
Kyber, we don't have to deal with big
-
numbers, actually. We have to do with a
pre-quantum cryptography, we have to deal
-
a lot with huge numbers. Here, the numbers
are not that big. Also important is size
-
to speed tradeoffs. Now here you can see a
bar chart of public key, private key and
-
ciphertext sizes of an elliptic curve
scheme, Curve25519, RSA, and kyber in
-
smallest security level. So those three
security schemes are the same security
-
level, but as you can see, elliptic curve
crypto is really tiny, RSA is somewhat
-
bigger, an Kyber is even bigger. But if we
go to the highest security level, you see
-
that Kyber is actually very comparable to
RSA. However, ecc is still a lot smaller.
-
But you don't only care about sizes, you
also care about speed, you care about
-
speed even more. And if we compare the
same security level in Kyber, in elliptic
-
curve crypto and in RSA, we can see that
Kyber is on fire. Kyber is really, really
-
fast. So we can throw out RSA and just
compare elliptic curve crypto to Kyber,
-
and we can see Kyber is even faster than
elliptic crypto, which is quite impressive
-
because ellipctic crypto is already quite
fast. And, even more, we can see that the
-
highest security level of Kyber is faster
than the lowest security level of elliptic
-
curve crypto. So Kyber - fast as hell. I
know benchmarks are difficult. We have
-
different kinds of platforms, but as an
intuition: Kyber is really fast. So the
-
thing I want to mention is that Kyber
source code is available online. You can
-
download it from GitHub, for example, from
the PQClean Project, which has AVX
-
optimized implementations for desktop
CPUs, from the pqm4 project, which is the
-
optimized implementation for ARM-based
embedded processors, or there's also a
-
reference C implementation in the pq-
crystals project. And, last but not least,
-
the specification, the documentation, the
code, everything is licensed under
-
Creative Commons zero, meaning that it's
public domain. So there is zero license or
-
patenting issues with Kyber, it's just
public domain. You can clone and do
-
whatever you want with it. It's quite
nice. So that was it about Kyber, now
-
Krijn is going to tell you more about what
actually lattices are and why Kyber is
-
actually secure the way it is.
Krijn: OK, so that was Kyber. And we've
-
been talking a lot about polynomials, but
we haven't talked so much yet about
-
lattices. But we did say that Kyber was a
lattice based scheme. So what do lattices
-
have to do with all of this polynomial
stuff? And why do we think it's secure
-
because of this being lattice based? Well,
let's go back to these numbers that we
-
used for a second, just because they make
these things more understandable and
-
intuitive. We had this matrix
multiplication. We multiplied the matrix
-
with a vector. Now let's say we do this
for numbers, right? We have this matrix
-
13, 4, 2, 9 and we multiplied by a, b.
Well, actually, what you could also see
-
here is that you multiply the vector 13
over 2 a times and then add the vector 4
-
over 9 b times. And as you see in the
image, like, you can make different
-
combinations of that. So if you take a = 1
and b = 1, you get the point on the top
-
right corner and then you can do this for
a = 2 and b = 1, then 3 and 4 infinitely.
-
And then you would get all of these dots
spread out over the cartesian plane, and
-
it would go on infinitely in these
dimensions. So you would get infinite
-
number of points just by giving these two
original vectors 13, 2 and 4, 9. Now, our
-
secret key s was just actually then a way
to pick one of these points, because we
-
said, well, the Matrix a that we had in
the public key, it describes some sort of
-
lattice. And then the secret key s
described actually a specific point: a
-
number of times the first vector, plus a
number of times the second vector. Then
-
what does this error term do? Well, you
know, it shifts just a bit from this
-
lattice point that we were at and then we
get the end result t over there. And now
-
it's very difficult actually to get back
from t to this vector s. We know that it's
-
the closest vector to this given point t
in this lattice described by a. But this
-
problem of finding the closest vector in
the lattice and in a random letters is
-
actually very hard. And this is what we
call the closest vector problem, which is
-
a very good name because we're looking for
the closest vector. So for this two
-
dimensional example, we had the matrix e
and the vector t in the public key, and we
-
had the vector s in the private key and
that was hidden by this small error term.
-
So to recap: a gives you these initial
vectors, which you can use to describe the
-
lattice, s gives you a secret point in
that lattice. The error makes sure that
-
you're close to a lattice point, but not
too far away. And then we get the end
-
result t, which is this public point and
then getting back from this information of
-
this lattice and t to s is the closest
vector problem, in a nutshell. You may be
-
thinking now, OK, this is for numbers I
can see this right. It's just these dots
-
in this plane. For dimension two OK, I get
it. For Dimension three you can think of a
-
third dimension. Though we were talking
about dimension n way larger than 3 and
-
polynomials instead of numbers. And how do
we visualize this? And the truth is we
-
don't actually, but we do know how to
compute it, which was just this
-
multiplication and addition of
polynomials. So we just compute it and we
-
kind of think of it as a lattice
abstractly, but not visually. Now let's
-
finish with a short look at the future of
asymmetric crypto, and let's go back to
-
the post-quantum crypto zoo that we had.
We already took a look at Kyber, but there
-
was also other cryptographic primitives
such as Rainbow, Falcon, and SABER and
-
Dilithium, NTRU, McEliece. Among them,
there are signature schemes, but also
-
these key exchange mechanisms. Actually,
this zoo is quite different from the one
-
that we had pre-quantum, the one that we
had pre-quantum as we explained was based
-
on mostly integer factorization and a
discrete logarithm problem. But in the
-
post-quantum setting, we have a variety of
problems. We have hash based cryptography,
-
lattice based cryptography, code based
cryptography, multivariate based
-
cryptography, and isogeny based
cryptography. And these are five quite
-
different flavors of cryptography, with
also different underlying mathematical
-
problems. But post-quantum crypto is
coming. For example, Amazon has already
-
implemented some of the round two
candidates, such as Kyber in post-quantum
-
TLS. And also the BSI, which is the German
Ministry for Information Security, has put
-
out a proposal to integrate post-quantum
cryptography into Thunderbird as their
-
mail client. And even NIST has the
following quote that if you haven't
-
migrated to elliptic curve cryptography
yet, don't bother, just directly migrate
-
to post-quantum crypto. And that wraps up
our presentation on post-quantum crypto
-
and Kyber. If you want to do some further
reading, there is a link here to a blog
-
that goes a bit more in-depth in how Kyber
works and has a very small example. Just
-
as we've shown you in this video. Thank
you for your attention and we'll take some
-
questions now.
-
Question: So why should I care about this
now?
-
Ruben: Well, that's an excellent question.
Well, as we know from the Snowden leaks,
-
the NSA is currently recording a lot of
internet traffic that is encrypted, and
-
they're recording this encrypted traffic
in the hopes of being able to decrypt it
-
later. For example, using a large quantum
computer. So first, we have to care about
-
this now because our internet traffic is
already recorded and could be broken
-
later. And second, we have to care about
this now because transition, especially
-
when it comes to cryptography, is really
slow because standardization takes a lot
-
of time. Implementation takes a lot of
time, and adoption takes a lot of time. So
-
that's why we have to care now.
Question: But are there any downsides?
-
Krijn: Another very good question.
Actually, yeah, there are some downsides,
-
but they're not too big. Usually, the keys
are a bit larger than we are used to. In
-
some cases even much larger than we are
used to. And the speed is a bit worse than
-
we are used to. In some schemes, even much
slower than we are used to. But while this
-
is already being adopted, it is also still
a very active area of research and we are
-
continuously trying to make the keys
smaller and the schemes more efficient. In
-
the hopes that we in the end, get very
efficient schemes that will solve all of
-
our post-quantum problems. Why didn't you
let me eat the lettuce?
-
Ruben: It's my lettuce! Okay, now eat it
for the camera, you can eat one. But it's
-
not washed.
Herald: Okay, thank you. The first
-
question we got from the internet is: Why
are you using seven bit ASCII instead of
-
Unicode?
Ruben: So in that case of the letter c
-
that wouldn't make a difference anyways.
We just prefer to use ASCII because we
-
really, really want to piss off the
European people because all of these
-
umlauts and that kind of stuff. Of course,
they're unnecessary. So ASCII forever.
-
Herald: I'm surprised that both of us
Europeans as well, but let's not get to
-
the nationalism bit and carry on with the
next question, which is, by the way, how
-
can you compare the security levels
according to varying n and varying q,
-
respectively?
Ruben: Sorry, the connection was a bit
-
lost there. Could you repeat the question?
Herald: Of course, can you compare the
-
security levels according to varying n and
varying q, respectively?
-
Ruben: Yes, of course you can. I'm not
sure if I get the question. Of course,
-
that's how you do it, that's how you
compare and you can do that. I'm not sure
-
if the question asked me to do that right
now on the spot because that I couldn't
-
do, but I mean, it was on the slides, like
the security levels that are about to be
-
standardized, at least. But the one good
thing about Kyber, a very good thing that
-
I want to mention is that, so the
polynomials, the size stays the same, the
-
modulus q stays the same. Only the size of
the vectors change. So how many
-
polynomials you have in a vector. And that
makes it quite nice to write optimized
-
code because most parts of the code are
literally the same. If you look at the
-
implementation, the reference
implementation, you can see that it's
-
actually the same code for all the
security levels, just one header changes
-
that specifies how big the vectors are. So
that's quite nice. But you can yeah, you
-
have for RSA, you have different key
sizes. So yeah, it's more difficult to
-
optimize, but here you can just have the
same size as just the vector size changes,
-
which is nice
Herald: What about the potential for
-
hardware acceleration for Kyber? Could
that be possible, feasible?
-
Ruben: So I am not sure if I just answer
that or Krijn also wants to say something,
-
but hardware acceleration for post-quantum
schemes in general is, as we say, a very
-
active area of research. So these things
are very new. There were some people that
-
tried to use, there's a paper about it,
actually - you can look it up on the
-
internet - to use RSA bignum hardware
acceleration for Kyber, which is a quite
-
interesting idea because you work in
completely different things there. But
-
it's an open question and it's a very
active area of research. So if any of the
-
viewers are interested in that sort of
thing, to, I don't know, try out Kyber or
-
FPGAs or something. Yeah, try it out! So
there's a lot of potential there, but it's
-
also, as I said, very actively researched
because it's relatively new and it just
-
now finds adaptation in industry.
Herald: And there's a follow up question
-
that sort of mirrors it in a way because
that question is: T o what extent is this
-
feasible on embedded architectures with
very limited hardware to use Kyber there?
-
Ruben: So I've been using it on a Cortex
M3, which is ARM-based. So usually the
-
reference platform, we use the Cortex M4
because we want to. Like two experiments
-
that are reproducible, and you can buy
Cortex M4 boards quite cheaply from
-
various vendors. So it's definitely
possible to run Kyber on a Cortex M3. I
-
mean, there's also a project on GitHub.
It's called pqm3, that has Kyber benchmark
-
for various, yeah M3 boards, but that's
definitely possible. What I'm working on
-
right now is testing it on a Cortex M3 and
M4 for also application level, so included
-
it in TLS or KEMTLS. Or there's a paper
about WireGuard using Kyber and Dilithium
-
for example. That's definitely possible.
The question, also active area of research
-
is, how low can you get? Like, how much
can you optimize? Because there are
-
various tradeoffs, like do we want more
space for code but use less RAM and you
-
also always have these kinds of tradeoffs
in the embedded world. And that's
-
something I'm a little actively looking
into right now, actually. But it's
-
certainly possible to run it on embedded
systems. We could also go for a Cortex M0,
-
which is, like really, really low level,
but the cortex M3 is already running on
-
smartcards. So that's what I'm currently
looking at and there it's definitely
-
possible. But as I said, you have to look
into tradeoffs, see how much you want to
-
waste on ROM, how much you want to waste
on RAM and how much time do you have for
-
the runtime? But the benchmarks we are
having there, as I said. Go to Github,
-
pqm3, already quite good, so it's
definitely usable depending on your use
-
case. I hope that answers the question.
Herald: So do I. There's another question
-
by someone who actually has implemented
it. So I just briefly read the questions:
-
I implemented a raw learning error scheme
in an insecure "Hold my beer"-style. It
-
seems to work, but I see about 1% bit
errors in the decrypted text, how do real
-
implementation handle the expected bit
errors in the decryption?
-
Ruben: So the easy answer is rounding. So
you just throw away some of the lowest
-
bits, but that really depends on the
scheme. So if he has done some learning
-
with errors. So there are different
flavors of learning with errors. There's
-
like ring learning with errors, modulo
learning with errors, learning with
-
errors, and it depends on what he has
implemented. But in the end the thing that
-
seems to work is just throw off the least
significant bits, for example, depending
-
on how many errors you expect. I don't
know, Krijn do you want to add something?
-
Krijn: No, I think you're doing fine with
the question.
-
Ruben: If there's no question I'm going to
ask your questions afterwards. Very
-
personal ones for history. You know?
Herald: I shall move on to the next
-
question, but I think from a layman's
perspective, this may also relate to the
-
last question. The question is: Those
sequencing terms are set to be small
-
relative to the mesh's coefficients. How
do you make sure that those do not
-
compromise encryption and are chosen
arbitrarily?
-
Ruben: So again, I'm really sorry. I had a
couple of hiccoughs, so I didn't get the
-
question could you repeat it?
Herald: Sure. The question was: The Secret
-
key and error terms are set to be small
relative to the message coefficients. How
-
do you make sure that those do not
compromise the encryption chosen
-
arbitrarily?
Ruben: OK. I had a hiccough again, Krijn,
-
did you get the question? Otherwise, I'll
answer what I heard. I think what I think
-
I heard.
Krijn: So why are... why don't the
-
small... the fact that the error and the
private key are small, why doesn't this
-
compromise security? And in fact, well you
need the error to be quite small in order
-
to be able to solve this, this closest
vector problem that we've sketched. If the
-
error is too big then a different vector
could be the closest vector than the one
-
that you want. Now why the private key has
to be small. There are some results that
-
we know that this does not mean... that it
doesn't break the security basically of
-
the scheme. I don't know if , Ruben, you
can do a two liner on why that is.
-
Ruben: So I answer the question always
like: we bring in all those error terms.
-
How do we make sure that the decryption
isn't faulty, right? And actually, it's a
-
very good question, because there's a
provable, probably negligible probability
-
that there will be decryption errors.
However, Kyber is fast enough. We handle
-
them in the KEM Version of Kyber. So what
we have introduced here is the public key
-
encryption version. Standardized as the
KEM, which uses internally the public key
-
encryption version and in the KEM version,
you can be sure that this doesn't happen
-
because, yeah. To answer the question,
there's a tiny, tiny but negligible
-
probability that you have a decryption
error, so in that case a very good
-
question. But if you're really interested,
the blog post, I mean, you can download
-
the slides and there's a blog post. For
the talk, let's say, so you can go to the
-
blog post and there's the Kyber
specification reference. They can just
-
click on the specification and there you
can see that it's a fine tuning of
-
parameters to make sure that the sprinkled
in error terms do not invalidate the
-
decryption to a certain, within a certain
probability. And we make that probability
-
in Kyber so low that in reality it will
never happen. Like, 2 to the power of...
-
lets say magnitude-wise something like
atoms on Earth or like to give you an idea
-
of how big the numbers are there. So it's
a very, very low probability that that
-
will happen. But a very good question. At
least thats how I interpreted the 50% of
-
the question that I heard.
Herald: I am sorry that we seem to have a
-
technical problem.
Ruben: I think it's just the shitty
-
internet at my my parents place.
Herald: That could also be the case also
-
on my end there are troubles as well. The
question after that and maybe Krijn can
-
just start answering it. Would Kyber be
broken if someone found a simple solution
-
to the closest vector problem?
Krijn: Yeah, but we that's the case,
-
that's always the case for encryption. If
you managed to solve the fundamental
-
problem, then the encryption scheme is
broken. Luckily for the closest vector
-
problem, we have a very good, we have
quite some trust in this problem, so some
-
other of these post-quantum schemes are
based or more recent problems, so the
-
closest vector problem is a much older
one. So we do trust it, well I have quite
-
a bit of trust that it won't be easily
broken in the coming years.
-
Ruben: So the answer is it's a bit tricky
there, because the close vector problem is
-
NP hard. So we think this is like a very
good problem to start from. But the
-
question is also like how are these
lattices related to certain instanciations
-
of the closest vector problem? And are
these specific closest vector problems
-
maybe a bit simpler or something? But as
Krijn said we're in the closest vector
-
problem we trust like this is one of the
problems in post-quantum crypto that we're
-
pretty certain about. But yeah, if you
would solve it or if you have already
-
solved it, Kyber would be broken.
Herald: That sounds like a potential
-
inscription on the side of a coin. In the
closest vector problem we trust. And
-
talking about trust. The question after
this is: Would you trust this, this Kyber
-
algorithm to secure your communications
now?
-
Ruben: Should I answer or Krijn do you
want to, you haven't said so much?
-
Krijn: I would actually, yeah, I don't
have. So if you're skeptical about it, you
-
can also go to. I don't think we discussed
it, but you can go to hybrid modes of the
-
current classical, pre-qantum crypto and
post-quantum, if you can suffer the
-
drawbacks of that. But personally, yeah, I
guess I would. Ruben, would you?
-
Ruben: I would trust Kyber at this moment,
but there's... If you don't trust it as
-
Krijn said, you can go into hybrid mode,
so the idea, for example, for TLS is to
-
first do elliptic curve crypto and post-
quantum crypto together, sort of in a way
-
that the adversary, the attacker would
have to break both in order to compromise
-
the communication. So that way, you don't
have to fully trust Kyber yet if you want
-
to run the hybrid. But of course, the idea
is to at some point get rid of this
-
overhead and just run post-quantum crypto
without elliptic curve crypto
-
additionally. But yeah, I mean, I
personally would use it right now. But
-
what I also want to say is that in the
beginning of every krypto system, RSA,
-
elliptic curve doesn't matter. In the
beginning, everybody is quite skeptical
-
and nobody wants to use it yet. And that's
fine. Like, that's how the community
-
works. But over time, usually people gain
trust.
-
Herald: OK, thank you. Now we're getting
into speculative territory, and one of the
-
questions is whether you could have any
guesses on which of the schemes is
-
probably going to end up winning the NIST
PQC competition, post-quantum crypto
-
competition?
Ruben: So NIST specifically says it's not
-
a competition, very important. So Kyber is
one of the winners coming out of it, but
-
that's quite clear. And also you already
see adoption in the real world. We brought
-
two examples with Amazon and the BSI, for
example, that wants to include it in
-
Thunderbirds email encryption. So Kyber is
going to be one of the winners. This is
-
my... not only opinion, but yeah, that's
quite clear. And otherwise, I think
-
McEliece, which is a code based scheme
that is quite large in all measures, let's
-
say. But people seem to have more trust in
it because it has been around longer.
-
Yeah, so I'd say those for KEMs and
everybody is quite unhappy with the
-
signatures. So I don't think there will be
signatures standardized like this year or
-
beginning next year. But Krijn, I don't
know, maybe you have a guess?
-
Krijn: No, I'm not such a speculative
person, but I think Ruben's answer is
-
quite a good answer.
Ruben: Now you really have to also
-
speculate, I mean, come on, you can't just
piggyback on my answer.
-
Krijn: No I definitely can. It's
interesting to note actually that for the
-
signatures that there's less of a hurry,
so to say. It's especially this key
-
exchange that we wanted to make post-
quantum as soon as possible, maybe, or at
-
least one to standardize quickly and then
integrate into whatever building. Well,
-
for the signatures there a bit more time
so there's also more time to come up with
-
better solutions there or to analyze the
current solutions a bit more.
-
Ruben: Yeah, that's because I mean what we
mentioned is the attacker model, big
-
government agency, for example. And the
key exchange you have to fix now because
-
that could be later on broken and then the
communication can be decrypted. But
-
signatures like they have a small
lifetime, for example, and also they are
-
used for authentication. So you would need
an active adversary. And that, yeah. You
-
can't like record now and then do an
active attack in 10 years, like, that
-
doesn't work. So then we have some more
time yeah.
-
Herald: Well, that's not entirely true.
There's a lot of states using, and I'm
-
talking about signatures, not for the
ephemeral use in online usage, but the
-
more the use of signatures, for example,
document signatures. And for those an
-
attack would still be relevant for the
future.
-
Ruben: If they have, well, if they have a
long runtime, usually signatures or keys
-
at least, of signatures, they expire at
some point. But yeah, of course, if you
-
have, if you have signatures that do not
have an expiration date or something, then
-
they would be under threat as well.
Herald: In a document signing, you will
-
have signatures that have a very longer
lifetime than you will have for your
-
typical web transaction, for example. But
I'm now full dropping out of role as
-
herald who is a mere vessel of questions
from the audience.
-
Ruben: But of course, this is also
interesting for us.
-
Herald: And I guess with the last version,
at least, I think this is the last
-
question unless there is an additional one
on IRC, so people have to be quick if they
-
want to have additional questions. But the
last questions are just very practical.
-
And basically, do you have any ideas about
pitfalls when implementing Kyber already?
-
Do you have suggestions for making sure
you implement it security? Or is it simply
-
possible to implement it very naively?
Ruben: So. This is always a big fight in
-
the cryptography community, because
they're the people that say, oh, there are
-
a handful of chosen ones that are able to
implement it securely. And you should
-
never, ever, ever do it yourself. I'm on
the opposite side of that, I think people
-
should play around with implementation.
Try it out. So, Kyber is among the schemes
-
that it's definitely, let say easier to
implement in a correct way. However, it
-
depends where you want to use it because
you also have to take side channels into
-
consideration, especially if you work on
embedded platforms, like power analysis
-
and that kind of thing. So this is also
still highly investigated. And then if you
-
go for that kind of implementation, you
should have a masked implementation. So
-
this would be an own talk for itself. Like
I don't want to like now give you two
-
verbs what you should do and then say that
it's secure. I mean, it's a bit more
-
complicated than that. So I can't really
say now do this do that. I can just say on
-
the spectrum from easy to difficult, Kyber
is more on the spectrum of easier to
-
implement securely. But if you're
interested in that, look up the
-
implementations. There's a reference
implementation. There's a PQClean and
-
stuff. Look up the implementations online
and look into that and the specification
-
that is linked in the block post, that is
linked on the slides. There are also some
-
points that say what you maybe should,
where you should be careful lets say.
-
Herald: OK. And there was just an
additional question as well, and that is
-
what is the status of Kyber in OpenSSL and
GnuTLS?
-
Ruben: Okay, so we see adoption in crypto
libraries, but OpenSSL. OK, I don't want
-
to hate, but OpenSSL codebase is, how do I
say that? Look, it's a bit complex and a
-
bit difficult for outsiders to get what
OpenSSL is doing in certain corners of
-
their code base. But there's a project
called OpenOQS, no liboqs that is a fork
-
of OpenSSL, including post-quantum
schemes, but not only Kyber, but various
-
schemes. That's liboqs, its a OpenSSL
fork. Now there are other libraries, for
-
example, WolfSSL, which has a smaller code
base and they already have in their actual
-
release or in their main branch, let's
say, in git, they already have NTLS post-
-
quantum schemes, and Kyber is one of them.
They have lattice based schemes,if I
-
remember correctly: Kyber, Dilithium, and
Falcon. So they already have it included.
-
WolfSSL , OpenSSL as I said there is a
fork that are like benchmarking and
-
testing stuff in the hopes of later being
able to return it to OpenSSL. But as I
-
said OpenSSL is not exactly ideal for
experimentation, becourse the code base is
-
quite large and in some corners, quite
complex to comprehend and so on. Other
-
libraries are a little faster. I don't
know of any efforts for GnuTLS to be
-
honest, but I haven't looked into it yet.
It's possible that somebody else did
-
something there. I mean, I've I've worked
with WolfSSL before and with OpenSSL. But
-
GnuTLS I'm not sure. There are talks to
include it in GnuPG which you can use for
-
email encryption, and there are some
there's some progress there. But yeah,
-
GnuTLS I don't know.
Herald: All right, OK. This brings us to
-
our really final question, which is how
close are the current cloud quantum
-
offerings to be able to enable users to
break current public key cryptography?
-
Ruben: If I understand it correctly, Krijn
you can also say something if you want, if
-
I understand correctly, it's the question
is general. If I can use cloud computing
-
to break public key crypto?
Herald: No, the question is more specific,
-
there are quantum offerings by public
cloud providers like Amazon right now,
-
apparently. At least that's what I assume
the person who asking the question is
-
basing it on. And the question is, to what
extent are those available options usable
-
to break current public key cryptography
schemes?
-
Ruben: So if I understand the question
correctly is like, already deployed
-
quantum computers, are they a threat to
pre-quantum schemes? OK, so far, they are
-
not like there are quantum computers in
use, but they don't have nearly enough
-
qbits to break any real word schemes, so
it's also more complicated than that
-
because you don't only need qbits, you
also need quantum registers that are large
-
enough because you need to entangle all of
the qbits. I mean, there we are going to
-
quantum mechanics, but you need to
entangle the bits and all that kind of
-
quantum craziness. And then you also need
error correction that's good enough. So
-
there are still, there are still technical
like engineering problems that you need to
-
overcome, like in theory it's all fine and
stuff, but there's some engineering
-
efforts that you need to overcome, and the
currently deployed quantum computers are
-
not big enough to be a threat to quantum,
to pre-quantum schemes unless you have
-
some toy keysums. But for real
deployments, it's not a threat yet, but it
-
might be within the next couple of years.
It's really difficult to foresee the
-
development there and the largest quantum
computers are actual quantum annealers
-
that work differently, like quantum
annealing is a different thing, a
-
different kind of quantum computer that
we're not too worried about right now.
-
Like thats D-Wave for example. But yeah,
so right now, they're not a threat, but
-
they might be in the near future.
Krijn: And especially so with regards to
-
why you still switch to post-quantum
crypto, is this idea that well,
-
standardizing crypto and then integrating
crypto and all of this takes years, as we
-
know from that transition to elliptic
curve crypto. So even if this quantum
-
computer is 10 15 years away then still
this whole transition thing will take so
-
long that by the end of it, how long will
your original data have been safe for?
-
It's anybody's guess.
Ruben: Yeah. I mean, you have to see
-
asymmetric crypto is everywhere. Like, for
example, also kind of example maybe in my
-
passport, like my travel document. And
there are documents, for example, out
-
there that are valid for 10 years like, I
think, a proper passport and all that kind
-
of stuff. And of course, it really takes
long also with these kinds of things, like
-
documents like that are issued by
governments. It just takes time, it takes
-
a lot of time.
Herald: OK, thank you very much. I should
-
also note that from the signal angel,
there have been several very enthusiastic
-
responses from the audience and not so
much questions about your talk, that's
-
also very interesting. So thank you so
much for doing this, and maybe see you
-
around.
Krijn: Thank you.
-
Ruben: Bye bye!
-
rc3 postroll music
-
Subtitles created by c3subtitles.de
in the year 2021. Join, and help us!