Published: Aug 23, 2024
Duration: 00:58:00
Category: Science & Technology
[Music] uh so today we've got uh a kickoff with a talk from Sam burns with his talk let's go Quantum uh Sam's an enthusiastic reader of cryptography specifications uh and is currently a senior software engineer at upm so please give the man a big hand good morning everybody uh thanks very much for coming along this early in the morning I hope you all had a good night last night and well done for making an in um I hope everybody's enjoying the conference so far it looks like a fantastic lineup um so this is my talk let's go Quantum so my name is Sam burns my interests are development software architecture information security um when I'm not doing that I like to go climbing to make my fingers stronger so I can type faster um there are there's some links on the board um so the link to the blog uh the slides are going up on that website probably tomorro is so if you like a copy of the slides you can get them from there um there's some social media links um wouldn't really say I'm that chatty but you can follow me if you really want to um and uh there's a link to my LinkedIn there as well now what we're going to be talking about today is I'm just very quickly going to go over what the core concept of the talk is then we'll take more of a look at the background to Quantum comp Computing and what the current state of the art is uh we'll talk about how you can simulate quantum computers in go if you want to on a laptop um then we're going to talk about postquantum cryptography in general we're going to address um what it is why we need it and why we need it sooner than you think and then I'll go over the features that released in go 123 now breaking news this obviously been a very exciting week for a couple of reasons first of all go 123 was released three days ago Round of Applause for the go [Applause] team thanks very much for all the free stuff um so this happened on Tuesday the 12th of August which is obviously three days ago um so I had to rewrite my talk no I've 
there are some examples in the slides that were compiled and run with go 123 release candidate 2 but I've been over everything that's changed in the finalized version and basically it doesn't really affect anything that's going to be on the slides fortunately um and then just when I'd finish rewriting the talk on Tuesday and important standards body called n finalized a standard that we've been wait waiting for for well over a year now um so Nest have been they had a group of candidates of possible quum cryptography algorithms they might be recommending um and the final recommendations came out on Tuesday now there's a lot to be said about what they are but if you remember nothing else remember this go 123's implementation offers the same level of security as the finalized version of the cryptographic standard even though it was released on the same day as the finalized version there are some tweaks that are being suggested but they don't affect the security of go 123 and you can and should be using the crypto provided in the TLs package so the talks been Rewritten twice in the last couple of days but at least you're getting up to- dat information at go foron UK you know you get your money's worth at this conference okay so the core concept is basically quantum computers exist they're not great now but one day they will be able to break our encryption this means that we need new encryption starting with TS we're going to have a look at why that's the most important area and why these changes have to happen sooner than you think um so a common question that gets asked is why is this being added so soon to go will'll um we'll talk about why that is and we're starting to get new cryptography starting from Go version 123 so having looked at the core concept let's take a look at what quantum computers actually are quantum Computing is using the complexity of quantum mechanics to perform calculations if predicting the outcome of an experiment is very computationally 
complex then per to perform that experiment is to get the answer to a very complex calculation quickly quantum computers do exist they're quite new they're in their infancy um you can rent time on a quantum computer via cloud provider now uh some of them even have free tier offerings we'll be talking about that later if you'd like to have a go at running an actual Quantum algorithm which is pretty cool um sadly we won't be doing that today I wasn't quite brave enough to do a live coding demo on a quantum computer but but it can be done it can be done no we'll show you how um and in terms of applications essentially we don't know we know that there will be applications in Crypt analysis it's possible that quantum physics simul ations um uh fluid dynamics and Drug design might be areas where these things are useful but the reality is much like the invention of the Silicon chip we've got this cool thing but we don't yet know everything we're going to use it for so quantum mechanics magic is something that I don't really understand even if I did wouldn't be able to explain it in an hour so there are a few um interpretations of C Haagen interpretation uh the many worlds theory of quantum mechanics phenomena none of them are really any good to us cuz what we need is first of all as I say an interpretation that I can understand and secondly one that I can explain less than an hour so the one we're going with is that there's a magic wizard that does cool stuff to subatomic particles and that's the interpretation that I can now unveil here and we will be using this throughout the talk okay so and if you promise to believe me I to finish on to it now um moving on quick note about image credits there's a a lovely gentleman named Juan deia um who has been using penot to create some images one of which is um a realistic diagram of an electron which he's created for us so we can use this to talk about subatomic particles um electrons have spined this is another one of those 
areas where a little white lie is much fter than the truth so they are literally spinning promise um it can spin in two different directions we as computer scientists can label things with a zero and a one if we want to so excuse me I do beg you upon so we'll be calling the two different directions that this electron can spin zero and one um to make it look cooler we're going to put little pointy things around the numbers that's called a c from linear algebra notation so this is an electron spinning thank you to s deuz gcia for providing the images um what's happening with this electron is it's spinning in the upwards Direction so we can say that that represents a one if we want to this one spins in the downwards Direction but the interesting thing about electrons is if you have a laser and as it happens because I'm presenting actually do what um what you can do if you fire an electron at a laser like that is that you can make it spin in both directions at the same time so we now have this model of a subatomic particle which can have two contradictory properties at the same time we're going to call this a Quantum superp position and we've labeled it with Ki because putting Greek letters on the slides makes me look clever than I am so um moving on to what this means in engineering terms we can do stuff with this there's a thing called a cubit a cubit is a Quantum bit this is generically any subatomic particle with some binary property that's subject to Quantum phenomena so it doesn't have to be an electron we've used one as an example but any subatomic particle that can be doing two opposite things at once under the careful control of a magic wizard can be thought of as a cubit if we can harness its power and use it for computation unlike classical bits which represent a zero or one a key bit represents both by varying probabilities we've expressed the state of the key bit as Ki equals Alpha K 0 plus beta K 1 again an area where it's slightly faster to lie than it 
is to tell the truth but Alpha and beta are probabilities sort of there's a little bit more complexity than that but essentially what we're expressing here is that the state of this Quantum superposition is two contradictory things at the same time by two different probabilities kind of now it's useful when reasoning about how these things work to sometimes to represent them in a particular kind of diagram if you decide to go and read more about this you might see this thing called a block sphere which is that little Globe there so what we've done is we've drawn an arrow which is a vector that represents the actual state of our Cubit and the polar values are a one and a zero so that's what the Cubit would look like um well that's what position the Cubit would be in if it represented actually a one or a zero if it's pointing anywhere else there's more information there but it's basically probabilistically both by slightly different margins so it's useful when reasoning about Quantum algorithms what Quantum Gates do to imagine the keyo is this data structure that can be visually represented as a sphere in a three-dimensional Vector space with an arrow going from the center to somewhere on its surface and when you do stuff to a cubit you're moving the arrow basically so that's our representation of a data structure here it's not a z one it's something more complicated there are different physical implementations as I say we'll go over some of them later but uh there's a system called trapped ions um you can also do something cool with superconductors which we'll be talking about there are different physical implementations but you can run the same kind of quantum algorithms on any of them so this is sort of analogous to um In classical Computing touring machines we've seen actual implementations which use silicon Wafers so which use vacuum tubes there's different physical implementations but you can run the same kind of code on them basically now measuring a cubit is 
a very complicated topic because they're quite small and fitly but um if you'd like a sensible answer about how you do that there are books available this one called uh Quantum Computing and Quantum information by mik and ie which is quite popular uh my only criticism Al it was there weren't enough memes in it so this is what happens when you measure a cuit okay when the state of a cubit is UN is unobserved we can describe the state as being Ki equals Alpha K 0 plus beta K 1 which means the state of the Cubit is some probability of being a zero and some probability of being a one when you look at it however it snaps to a binary value if any in fact if anything touches the Cubit it does what's called Quantum decoherence so it it snaps to a one or a zero suddenly and measuring it counts as touching it so we have here a diagram of deliberate Quantum D coherence through measurement it can often it can also happen by accident but more on that later now what can one do with key bit well the first thing you can do is you can apply Transformations that twist or flip the data structure the vector space pushing the cuit the vector to a new value so basically you do a mathy operation on it that has linear algebra in it and that makes the arrow move um if anything touches a key bit its value becomes zero or one measuring it count as touching it as a developer that's not very satisfactory it's quite hard to write code if when you try to read a variable it just gives you a random number um fortunately some one of the Transformations that you can do on the state of a cubit is called an amplitude amplification so one important thing to realize is one of the operations that you could do to it has the effect of moving the arrow closer to whichever pole it was really close to to begin with so that's called amplitude amplification it amplifies the probability of you getting whatever was the most likely value so then when you interrogate the state of your Cub it you still don't 
actually get to find out where the arrow was but you do get to find out which hemisphere it was in so you can get some information out of it if not as much as we would normally like so how do you manipulate a cubit well the answer is quantum logic gates much as um those of you who've done a computer science degree will at some point have drawn diagrams of logic gates and then Express them as code you can do the same thing with cubits too um in fact your early experiments in coding on a quantum computer will feel a lot like circuit design um realizing this helps to bridge the gap between what a qbit is and what a Quantum algorithm is even though you know in much the same way it would be fair to say that showing somebody some logic gates doesn't really explain what object orientation is I'm aware that there's a little bit of a gap between the different levels of abstraction here but we'll do the best we can with the hour we've got so um there are an unlimited number of possible Quantum Gates it's not like um classical logic gates where for example a not gate is a un gate it has one input one output there's only really one sensible thing it can do which is to flip it with cubits because there's essentially an unlimited number of possible values they could have that means there's an unlimited number of useful operations you can do on them so even amongst un operators in theory there's there isn't sort of a limit as to how many there are but there are some well-known ones um and part of their power is that they can do some quite complex maths um we've got a couple of examples on the on the screen here but it's not really necessary to go around memorizing them all but the core concept is that when we design a circuit we're representing a Quantum gate and that Quantum gate has some effect on the value of a key bit they're all a little bit different and um for Simplicity we're only working with real numbers on the screen but the truth is um these are complex numbers so the 
way that the probabilities are expressed these amplitudes have imaginary number components to them as well just um to make things a little more complicated now quantum entanglement means linking two or more cubits by Magic because a wizard does it influencing one cuit infects the entangled group measuring one collapses its wave function so it becomes a one or a zero but so do does do any other cuits to which it's been entangled so when you create a quantum entanglement you have a system of multiple cubits which between them can be in a superposition of a number of different possible States at the same time and when you act on one you're essentially acting on all of them so n in tangle key bits can represent a superposition of two to the power of n States again slight oversimplification and a little white lie that's faster than the truth but that basically gives you an idea of where this idea of parallelism is coming from so we can often think of a quantum computer as having um a parallel processing capability it's fundamentally different from Silicon trips the um the implications of entanglement are where the power of quantum Computing really lies parallelism breaks down the normal relationship between the size of a problem and how long it takes to solve it for example and we will be going over the relevance of this one to cryptography if the problem you're trying to solve is expressing a number as the product of prime factors it's not just the case that quantum computers can do it faster it's that the relationship between the size of the numbers and the number of steps that have to be performed is fundamentally different they're not just running the same algorithm faster they're running a completely different kind of algorithm so Quantum decoherence effect this is when quantum computers go bad so if there's any metaphorical grit in the machine Any background radiation anything like that touching a cubit that sort of makes it break um one thing we can do about that 
is there's this concept of quantum error correction um so this is the idea that a number of physical cuy bits together can form one logical CU bit um some of the easiest examples to understand excuse me use what are called a and cubits to um and one data Cubit which sort of gets fixed if something breaks but you often need more than one shot to get your code to work so you might if you write quite a large algorithm and try to run it on a large quantum computer find that something's simply got gone wrong and you have to run it again um now in practice the number of physical key bits there are to logical Cubit varies a lot depending on the hardware implementation but there are things that we can do about it because this is an area where um the mechanics is a little fiddly and it is difficult to get things to the right temperature and keep radiation out now excuse me I'm slowly losing my voice while I'm talking um see if I can keep going for another half an hour so different Hardware implementations of quantum computers exist some of these are for example there's a company called ionq that offers a Quantum Computing service using trapped ions which is where little atom is kept prisoner between some magnets for some some reason photonics there's a company called zanadu for example who do what as far as I've been able to gather is something called with laser guns um and superconductors um so IBM's Quantum offerings there's one there picture is actually being cropped that's actually the coing system so that's like the bit of the back on the bit on the back of your fridge um so the way the superconductors work is you make a little circuit it's a very tiny one with no electrical resistance whatsoever create an electrical circuit unplug the battery because there isn't any resistance it keeps spinning um this only works when it's really chilly in there and um until you check which direction your current is going clockwise anticlockwise the answer is kind of both at the same 
time and you can entangle them because they have an electromagnetic uh influence on other such circuits so you can actually run code on IBM computers using this system if you've run your code at Absolut zero before give it a go um now in terms of the software Eco system the main tool is kiss kit this is a simulator it's probably a good place to start learning um it's got some of the best learning resources available and uh there's also some tools in there for assisted circuit design and optimization that helps you um that helps you actually essentially write your Quantum algorithms um there's a standard called open casm which is a sort of communication standard for talking to quantum computers this integrates with kiss kit Google have an offering called Circ similar to kiss kit um it's another similar library that lets you both simulate quantum computers and integrate with actual Quantum Hardware excuse me and do big uh tensorflow this is a product which is mostly about qml stuff so Quantum machine learning it's a field of research it does exist I'm not sure where yet at the point where it's better than normal classical architecture machine learning but maybe one day um and the CQ sharp language which is uh imagine if C met Python and then started talking to Quantum Hardware that's what it's like um in fact as a matter of fact most of this stuff is written in Python kiss kit is a python Library um so if anybody would uh like to see if we can build up a better go ecosystem for working with this stuff do feel free um so the IBM Freer that I talked about yet 10 minutes of execution time a month um on a real quantum computer you can also run the simulator locally on your own Hardware um I I think it's still true that the machine that IBM are offering for their free tier has 127 cubits or something like that ion ion Q you can use the a credit system the corporate pricing is available and there are other companies of course s do and dawave that um have Quantum Computing 
offerings but as I say you are going to have to write some python at some point however we don't want to do that we want to write go so let's take a quick look at how we can simulate quantum computers in go thankfully some kind of person has written a library that lets us do that so this GitHub Library here um is a project that's been thanklessly maintained for a number of years by one contributor simulating Quantum Computing in go in a world that's decided to use Python the simulator provides 20 different logic GES so your circuit diagram you've got 20 different options to choose from you can write your Quantum algorithm um and execute it on the simulator I'd urge you to start with problems with fairly small numbers um if you want to factorize things and express them as a product of prime numbers it would be good to start with a number in the low two digits if you're simulating this on a laptop um and it the best thing about the library is it does give an implementation of some of the most important algorithms um we don't really have time to go over how Shaw's algorithm Works in detail but if you're curious afterwards this might be a good place for a go developer to learn about what that is now here is some go code simulating cubits yeah there's a slide with go on it um now on the right there is a simple circuit diagram this shows two Q bits labeled q0 and q1 um on our circuit diagram the first Q bit q0 goes into what's called a hadamard gate which is a un Quantum logic gate and then both Q bits go into what's called a c not gate or controlled not gate and then they both get measured which is what's implied by that little picture of a speedometer and what our algorithm is doing is it's entangling two cubits together so we start off by initializing our two cubits we apply our hard mod gate as we decided to when we draw our circuit diagram uh what we see here is the hand mod gate essentially setting um this Cubit to a super position where both possible outcomes when 
it's measured are equally likely we then entangle the two cubits together with our c not gate and and what this effectively means is if we measure the system we either get 0 0 or 1 one and that's because the entanglement of the cuy bits is meant that when we measure one of them it sets the other one to the same value so when we then measure the second one it has to have the same value as the first and you can run this several times and you'll get different outputs every time incidentally if this is running on real Quantum Hardware um the effect of the hard mod gate is to produce a true random number generator essentially which has its own implications for encryption but that's another talk for another day now um having taken a look at some actual go code and seen how you can simulate quantum computers and go let's see what happens when you run it so when you run it on a laptop it takes a little bit longer than this I've sped it up but uh here we see it's running the hadm mod gate uh controlled not gate and then when we get a read out from our system you always get either two zeros or two ones so in this case it's we've got 0 0 with a probability of one so that's what happened when we ran it now you've got everything you need to go and run run a Quantum algorithm on a on a laptop and there are a couple of algorithms that you should probably know about one is called Shaw's algorithm shaes algorithm is for factorizing a number and expressing it as a product of two primes this has implications for RSA encryption and for elliptic curve cryptography Grover's algorithm is another one that you should know about if you're studying crypto stuff um it searches through an unsorted data set or solves any problem that can be framed as searching through an unsorted data set and it has implications for anything involving hashing gra algorithm starts by oh thank you very much so gra algorithm um searches through an unsorted data set it starts by putting the system of key bits into 
uh into a superos of all possible solutions it marks a particular solution which meets its search Criterion um using what's called an oracle function and then it applies amplitude amplification to make sure that that particular solution is the one that's most likely to be output so it's essentially achieving searching through an unsorted data set but instead of running in O nend time it runs in O root end time so it takes the square root of the number of steps that it would have done to search for an unsorted data set on classical architect SE now how to learn Quantum algorithms if you would like to learn more about that we haven't been able to go through the code step by step for the things that I've described but using a simulator like the one and go is a really good way of getting to the bottom of how chores algorithm and um gra algorithm work and if you would like to run the Min life you can probably not with um very large Prime numberers involved but if you want to run some samples you can run them on the IBM quantum computer or any on any of other Quantum offerings that we've talked about now now that we surveyed the basics of quantum Computing let's take a look at postquantum cryptography overall quantum computers are getting better they have implications for encryption it doesn't mean none of our encryption works there are different implications for uh public key cryptography symetric cryptography uh things like the way we do Paro hashing these are these are all things where um the implications of quantum Computing are different and we're going to go through that there's a group called nist or standards body who as I say published their post content cryptography standards uh earlier in the week this is the end of a long process in which I've been taking feedback from mathematicians tweaking things we've now got this standard and the postquantum cryptography is being introduced to go characteristically slowly and cautiously um partly because it was a draft 
standard that was being implemented so there was a certain amount of caution about what we add to the public API the language what we can't commit to staying the same if you see what I mean by that so like a lot of features added to go it's being done slowly and with a lot of discussion but we're starting with the TLs package in go 1223 in terms of the current uptake of pqc um it's been added to go 123 as I say it's been added to Google Chrome now speaks postquantum in fact um so does the Google homepage we'll talk more about that later Cloud Flare have been using postquantum cryptography for kind of a while now um there are some SSL implementations that use it not for the certificates but for the actual encryption of the communication and messaging apps signal were the first to start using postquantum cryptography WhatsApp messages and most recently iMessages if you use that service You're Now using pqc now this has different implications for different areas of encryption certificate forry for example the certificate systems that we often use now are vulnerable to Sha's algorithm on quantum computers but when it comes to certificates you need a really good quantum computer now to impersonate somebody now and we don't really have one of those yet so this is an area that can wait for a while symmetric key cryptography things like AES um there are some implications for Quantum Computing um but in terms of complexity Theory the speed up's not that much um there's more to be said about this it might not actually be necessary but depending on the security level you're targeting one common perspective is simply increasing the key size used with as solves any problems in the this area for now um so that's not really something we need to worry about hashing algorithms again it's easy to see how Grover's algorithm could impact this security but in terms of the time complexity of breaking a hash using a quantum computer the speed up isn't that great so uh to find the 
original pre-image takes the square root of the number of steps that it would on classical architecture that's not very significant finding hash collisions there's no real improvements so although Grover's algorithm gives a speed up it's not as much as you think and if you're that worried about it you can switch from sh 256 to sh 512 if you want to to get the same level of security against quantum computer attacks so this is very much an area where we don't really need any new cryptography now um it's also worth noting depending on what you're hashing it may be the case that um passwords that we hash today wouldn't be very useful to anyone in 10 years time so we don't have to worry about that so for a long story to cut a long story short these first three things can wait public key cryptography and key encapsulation mechanisms on the other hand there is this thing called the store now decrypt later threat model so this is the idea that if an attacker is intercepts and stores HTTP communication inclusive of the TLs handshake and then revisits it in years to come and better Cod breaking technology becomes available then the encryption could be broken and your traffic could be read retrospectively we don't really know what we mean by later um you'll hear people saying such quantum computers are 10 years away you'll hear other people saying 30 years we're not really sure this doesn't really have the same predictability as Mo's law once gave us with Sil cont chps for example it's quite hard to know when a quantum computer that's actually practical for crypto analysis will arrive but this store now decry later threat model is essentially the answer to the question of why is this being added to go now there may be some data that you're communicating that you don't care if somebody can read it in years to come there may be other things that you wish communicate which need to stay secret for a long time but this is why the roll out of uh postquantum cryptography is 
happening before we've got very good quantum computers that's a commonly asked question now public key cryptography that we usually use involves uh RSA which is about big prime numbers and multiplying them together and elliptic curves which little squibbles that are that shape both of these are vulnerable to shaes algorithm running on quantum computers Sha's algorithm gives a very significant speed up um so there's this uh concept of a what's called a bounded error Quantum polinomial time complexity that basically means it runs faster on a quantum computer um so the public key cryptography that we use is often used for key encapsulation mechanis me isms and this is an area where improvements are being made now to cryptographic standards and to the implementation and go so um quick uh reminder on what a g capitation mechanism is a chem is a system where you use public key cryptography symbolized by those little laal templet keys to uh communicate a shared secret which can then be a symmetric key symbolized by the little blue two pin Tumbl key thing so basically the situation is we don't want to encrypt all our our https traffic with something like elliptic curve cryptography it's far too computationally expensive what we can communicate using the public key cryptography as a little AES key which is a SYM key once that shared Secret's been established between a browser and a web server they can then use the this a key which was communicated in secret to symmetrically encrypt and decrypt traffic so this is what's going on in a TLS handshake um in order to reduce the number of uh round trips in TLS 1.3 there's a lot of other stuff in the client hello as well um multiple steps of communication being compressed down to a single round trip but this is what key encapsulation mechanisms are now we've mentioned that one way of doing this is to use RSA or elliptic curve cryptography there is another system which is going to come to the resy which is called l space 
cryptography. This is an alternative to ECDH or to RSA. It's based on a class of linear algebra problems called learning with errors, which, much like quantum mechanics, is all about little arrows. So, lattices: there's a two-dimensional lattice on the screen to explain what we mean by lattice, but it turns out if you're into linear algebra you can have loads of dimensions if you want. The learning with errors problem and another system called the shortest vector problem are two different, what you might call, trapdoor functions. So in much the same way as it's easier to multiply two prime numbers together than it is to take a large number and work out what the two prime factors were, in the field of linear algebra there's this learning with errors problem, which is where you get a big linear algebra system, a list of polynomial equations; you then add what's called error, which is getting the answer slightly wrong, and if you know what the original equations were it's much quicker to work out the answer than it is to essentially take a public key and work out what the private key must have been. So this is a learning with errors trapdoor function in lattice-based cryptography. This is secure against code-breaking attacks on quantum computers, so we don't have a thing like Shor's algorithm or Grover's algorithm where having a quantum computer is any particular advantage if you're trying to break encryption when it uses lattice-based cryptography. Although lattice-based crypto has been known about for a while, it has been avoided in the past because it's more computationally expensive to do the encryption. So if you have a device running a browser, it's got to do a little bit more work to do the encryption; there are bigger key sizes involved, for example.

When it comes to how we decide which lattice-based cryptography to use, there is an American body called the National Institute of Standards and Technology. In the 1990s this body chose the best elliptic curves that were
recommended as a standard. For much of the last 20 years we've been using elliptic curve cryptography based on their standards. There's been this lengthy multi-year process to narrow down different kinds of post-quantum cryptography and decide which ones to recommend, and they created, amongst other things, Kyber768, which is a standard for PQC. You'll also see it called ML-KEM-768, because somewhere through the standards recommendation process the name was changed. Thank you.

Now, hybrid encryption means using classical public key cryptography and post-quantum cryptography at the same time. There's a gentleman called Bas Westerbaan from Cloudflare, he's a mathematician and software engineer at Cloudflare, and his colleague Dr Douglas Stebila of the University of Waterloo, Ontario, who've come up with a hybrid standard called Kyber25519, excuse me, X25519Kyber768Draft00. Now this tells us a couple of things. One of which is that cryptographers don't care much for branding. Another is that the X25519 part refers to an elliptic curve, so there's a layer of elliptic curve cryptography. This is a standard that's been used for many years; we know it, we trust it; if there's a problem with it we would probably know by now. The Kyber768 bit is the lattice-based cryptography, so that's the layer of post-quantum encryption that's been added to this standard. And Draft00 refers to the fact that the Kyber768 implementation is based on the draft spec that came out a little over a year ago from NIST. This has been used initially by Cloudflare for backend development, so if you're using something like a Cloudflare edge caching server, communication between that and the web server was, I think, the first thing to be encrypted using X25519Kyber768Draft00.

If we take a look at google.com in a recent version of Chrome using the dev tools, we can zoom in on the cipher suite. So you right-click, go Inspect, click on the little Security tab up there, that word says
Security, and have a look at the cipher suite that's being used, and we see X25519Kyber768Draft00. This shows that the web server and the browser both speak post-quantum cryptography. If the browser were not an up-to-date version of Chrome (it now works in Firefox as well, and other browsers), but if it weren't up to date, then classical elliptic curve cryptography would have been used instead; the website wouldn't break. But what we can see from this is that the communication between the browser and the web server, when they were communicating the AES key, is that they did so using a hybrid of post-quantum and traditional encryption. Now, the point of this is, if you use the hybrid system, an attacker would need a quantum computer good enough to break the elliptic curve component and for there to be some problem with Kyber that we don't know about yet, and both of these things would have to be true in order for anybody in the future intercepting this traffic to be able to examine the TLS handshake, work out what the AES key was, and then use that to decrypt our HTTPS traffic. This comes with some computational expense in the TLS handshake: the ECDH component is just 32 bytes in size, so during the handshake 32 bytes' worth of elliptic curve type stuff gets sent along with over a kilobyte of Kyber public key going over the wire. So that's essentially why lattice-based cryptography wasn't perhaps practical in years past, because the browser's got to do a little bit more computation.

Basically, what's new in Go 1.23 is an X25519Kyber768Draft00 hybrid elliptic curve and PQC key encapsulation mechanism. This lives in the TLS package. The use of the new cipher suite is enabled by default, so if you've written a web server in Go, you upgrade to 1.23, and if you haven't specified what encryption to use, it will start using post-quantum cryptography. Now, you can set Config.CurvePreferences if you want; if it's set to nil you get hybrid PQC. If you don't want this behavior for some reason you can disable it with the
GODEBUG environment variable by setting tlskyber=0. In practice there probably isn't a reason for you to do that. So this was added to Go from a different GitHub repository which belonged to a lovely chap called Filippo Valsorda. He's a cryptography engineer, formerly the lead of the Go security team, and the library in question is called the mlkem768 library; that's another word for Kyber, it got renamed at some point during the approvals process. So this has been taken from this GitHub, ported into Go, and in fact the integration of the library into Go was actually live-streamed. I shouldn't think any of you spent three hours watching the integration, but I did. Thank you for that, Filippo.

So in terms of integration details, the new cipher suite is unexported, as you can see from the little x; that's not a capital. So what that means is, by the way, this code comes from Go 1.23 rc2, I believe; the line numbers are different in the release candidate than they are in Go 1.23.0, but the relevant parts of the code haven't changed. There were some changes to the crypto package at the last minute that were released in 1.23.0, but not anything to do with post-quantum encryption. It's been a hell of a week. So this may be one of the defaults, but you only get X25519Kyber768Draft00 if you don't specify curve preferences. There is a function called tls.defaultCurvePreferences; it's an unexported function, and it will return the cipher suite amongst others. And by the way, the word "curve" is being used pretty loosely here; it might need a bit of a rethink at some point. But back when the default cipher suites were all elliptic curve cryptography, it was decided that they should all be called curves and have curve IDs, and then this one comes along where part of it's curvy and part of it's not. So how are we doing for time? Okay, not too bad.

So, in terms of Caddy: this is a reverse proxy you can use, a thing a bit like nginx and Apache.
It's written in Go. It doesn't use Go's default curves. I did try compiling Caddy with Go 1.23 release candidate number two; it doesn't do post-quantum cryptography when you do that. You can specify your own curves, but Go 1.23's hybrid "curve", in inverted commas, is unexported, so there's no way, as far as I can tell, for you to get the current version of Caddy to work with PQC. To solve this problem, actually not recently but I think last year, Dr Westerbaan, who we talked about earlier, has forked the Go runtime and created Cloudflare's own version of Go, which has amongst other things a capital-X X25519Kyber768Draft00 cipher suite. So that means that if you take Cloudflare's fork of Go, use it, get the source code of Caddy, use it to compile Caddy, then you can create a version of Caddy which can essentially be used to host any website and it will use PQC. And Cloudflare have been doing that for kind of a while, not initially for communication between Cloudflare and a browser, but communication between Caddy and a backend web server. This has been in use for a while now, so it is certainly production-ready. And Cloudflare have a really good blog post about this, and that also studies the uptake of post-quantum cryptography and estimates the number of TLS handshakes there are going on in the world and how many of them use this cipher suite. It's a really entertaining read.

So if we use the new feature, excuse me, let's take a look at the new feature by writing a simple web server in Go 1.23. We've written a quick HTTP handler func which prints "hello world". Here I've just used some self-signed certificates and had it listen on a particular port number, and you'll notice I haven't specified which elliptic curve preferences I want to use. We run this with Go 1.23 and take a look in our browser again: Inspect, developer tools, Security, have a look at the cipher suite, and it says that the AES cipher was encrypted, sorry,
the AES symmetric key was encrypted using X25519Kyber768Draft00. So we can see that the Go implementation's now working, and that it's securely using post-quantum cryptography and traditional cryptography in a hybrid system.

Now, the next approval update, which happened on Tuesday, occasioned a frantic rewrite. So this standard was finalized three days ago. It's important to understand that the current implementation in Go is of equal security to the finalized version of the standard. There will most likely be a tweak to one of the internal implementation details. I wasn't quite brave enough to open a pull request, but I did have a go at making the necessary changes locally, and whether I did it correctly or not we will never know, but for me it was a one-line change to the TLS package to implement the finalized version of the standard. If we had an implementation which offers multiple different security levels, so Kyber768 and Kyber1024, and if all of those security levels were reusing the same random seed, then the updated version of the standard would offer a better level of security. But the implementation in Go only implemented Kyber768. So there have been some changes to the cryptographic standards recommendations, but the implementation in Go offers the same level of security as the new version of the standard. You can and should upgrade to Go 1.23 to use the latest version of the TLS package, and I'd just like to take a moment to thank a number of people who are cleverer than me, including Dr Westerbaan himself, for helping me make sure that that's true.

Now, possible future developments to take a look at. How are we doing for time? To take a look at possible future developments: so the NIST standards finalization will in the short term create an increased uptake in use of post-quantum cryptography. We may also end up dropping the Draft00 part to make the name of the cipher suite faster to say when you're doing a
talk. The other thing that's likely to happen in the future is that implementations that are out there now of the draft version of the suite could be upgraded to reflect the changes made after the recent NIST publication. So if we were to guess at what might change in Go 1.24, that's one possible area where people might decide that there's going to be a slight change. I can't speak for the Go team myself, but it's certainly a thing that they could do if they wanted to. So functionality in the TLS package could be exported in future, possibly with a different curve name. This would either be changed directly, or some alteration to Caddy in the future might mean that we're able to use PQC with Caddy; it's another thing that might happen soon. There are cryptographers who feel that the use of so-called hybrid systems, using PQC and traditional encryption, is a sort of interim measure, largely because we know a lot about elliptic curves, we've been using them for a long time, they work. Kyber, on the other hand, feels a little bit more experimental, or newer. There may come a time when people decide that we're just going to use what by then everybody will probably be calling ML-KEM, or Kyber, as the public key cryptography means for key encapsulation mechanisms, so we might drop the use of elliptic curves one day. Another thing that could potentially happen in the future is changes to the way we do certificates for HTTPS, SSL certificates as well. Again, this wasn't as urgent, because in order to assume somebody else's digital identity now you would need a better quantum computer than is available. So there are things like symmetric cryptography key sizes and choice of hashing algorithms which could be changed in future. And one of the NIST standards was the one that we've talked about, which is the one everybody is using; there were two other publications from NIST at the same time that were to do with means of digital signing, so those are other areas
where the standards bodies have now got mature standards that could be implemented in programming languages in future. Potentially, yeah. Managed to finish on time. Well, okay, thank you very much everybody for your time and attention. [Applause] Thank you very much for coming along; it was a great turnout. So there are links to the slides that will be going on this blog at some time soon. You can follow me on social media if you want to, but I will make sure that, excuse me, I will make sure that when the video is available I'll put a link to that up on the website as well. Now, do we have time for questions? Probably one, two. Who's got the most burning question?

Hi, thanks for the great talk, really appreciated. I was just wondering, why does X25519Kyber768Draft... I don't know how you kept a straight face while saying that... use both elliptic curves and lattice-based crypto? Is it just trust in elliptic curves?

Yeah, I think because the Kyber standard was still in draft at the time it was implemented, there was still a consultation process going on where cryptographers and mathematicians were writing to NIST with any recent research. There was a feeling that although we do need post-quantum cryptography, what we also need is not to be using a shiny new thing with the word "draft" in its name as the only means of encrypting HTTPS traffic. So the reason was just because elliptic curves are tried and tested and we've been using them for a long time, and that's why people felt comfortable using the experimental stuff if it's just one layer and there's another layer that we know works.

Okay, cool, thank you.

Thank you. I think we need to clear the room now, do we? All right, massive hand for Sam Burns, everyone. Thank you. [Applause] [Music]