Welcome, everybody, to this shy version of the chaotic year-end event. I'm the Cara and I will be your announcement shark. It is my great pleasure to be able to announce the talk "Post-Quantum Cryptography: Detours, delays, and disasters" by Tanja Lange and D. J. Bernstein. Tanja Lange is a cryptographer and number theorist. She specializes in post-quantum cryptography, that is, replacing cryptography we use today with versions that are safe from attack from quantum computers. She's a professor at Eindhoven University of Technology and she boasts a very impressive number of publications and lectures. She also was the coordinator of PQCRYPTO, a pan-European consortium for the deployment of post-quantum crypto. djb is a professor at University of Illinois in Chicago and he's a professor at University of Bochum. He works on cryptography and he invented some of the ciphers used in open source cryptography, possibly some of the ciphers you're using right now to watch this talk. Together they created an even more impressive set of projects, ranging from simplifying the development of secure cryptography to building post-quantum secure primitives. Both of them are engaged as activists to fight for a more transparent cryptography standardization process. And now, everybody, please put together your flippers to make a "pitch patch" noise. Put your hands together for Tanja Lange and djb!

All right, well, thank you for the nice introduction. Let's dive right into things. Gonna start with HTTPS. So when you're going to an HTTPS website, a secure website, then you're using TLS, Transport Layer Security, to secure your communication. Now, TLS uses two kinds of cryptography for a few different reasons. First of all, it relies on public-key cryptography. Now, that's doing two things for you. First of all, it's providing signatures, public-key signatures. This makes sure that an attacker is not able to substitute the attacker's data for the server's data, pretend to be the server. And also TLS is using public-key encryption, for instance NIST P-256. RSA-4096 is a signature system; NIST P-256, it can be used for encryption, and this is something which scrambles your data so that the attacker cannot understand it.

Now, for performance reasons, the cryptographic picture is more complicated than just this public-key cryptography. It also includes symmetric cryptography, sometimes called secret-key cryptography. So this, when you put everything together into TLS, has three basic pieces. There's public-key encryption: instead of scrambling your data so attackers can't understand it, public-key encryption is just scrambling a key. It's sending a key securely, secretly, from one end to the other. And then the signatures are used, public-key signatures, to make sure that the attacker is not able to substitute a different key. And then that key is used to protect your data with symmetric cryptography. And then it's possible to have slides like this about every other protocol that you're using, like SSH, but, okay, they all work pretty similarly to this.

Now I'm going to highlight two parts of this slide: the RSA-4096, typical signature system, and typical encryption system NIST P-256, because these things are going to be broken by quantum computers. Without quantum computers we don't know any threats against them, but once the attacker has a big quantum computer, which seems like it's going to happen, I mean, it's not a guarantee, maybe all the quantum computer efforts are going to fail for some reason, but it seems that quantum computing is more and more successful, and once the quantum computers are big enough, maybe 10 years from now, then attackers will be able to run an attack algorithm called Shor's algorithm, which will find your secret RSA key and your secret NIST P-256 key. And this is something where the attackers can look back at the data they're recording now. It's not just a threat to future data, it's a threat to the confidentiality, the secrecy, of your data today, because the attackers are already recording everything they can on the internet, and then when they have a big quantum computer they will go back and retroactively decrypt everything, because they can break RSA-4096 and NIST P-256. In particular, the encryption is provided by NIST P-256, and they can go back in time and break the encryption that you're using today. What do we do about this? Well, the standard approach is what's called post-quantum cryptography. That's what you heard before, was in our title. That's the replacement cryptography, which is designed assuming that the attacker has a big quantum computer.

All right. So the herald had already nicely mentioned that I was coordinator of the PQCRYPTO project, and that means I've been tingling the world around and already given talks about post-quantum cryptography. So here's a screenshot from a talk I gave, well, six and a half years ago, where I was highlighting, just like Dan was doing today, the importance of doing post-quantum cryptography, and I was highlighting that it's important to do recommendations to say what algorithms we should use in order to replace these RSA and NIST P-256 that you saw on the previous slides. And then I was also going into the question of, well, should we standardize now or standardize later? And there are arguments on both sides. And, well, standardizing now, six years ago, felt like there is still so much to do and we're going to have a much better system if you wait a little bit longer. On the other hand, well, there is this concern about lots of agencies and other dark forces collecting the data, and so any day later that it gets rolled out would be, well, a loss of data, loss of security, and so it would be important to actually get things going. And so our solution back then, what I was advertising then, 2016, was: in 2015 we had actually issued some recommendations saying, well, standardization takes a long time, we're not there yet, but if somebody wants to protect themselves, here is what we, and, well, it's quite a number of researchers who signed up this statement as a part of the PQCRYPTO
project, what we recommend. And so our recommendations were what we call conservative in cryptography. So that doesn't mean politically conservative, it just means boring. It means that something has been around for a long time, lots of people have analyzed it, and we don't expect any changes there. On the symmetric-key side, well, Dan was already saying that those are basically unaffected by quantum computers, so if you're going for large enough sizes, with 256-bit keys, then AES or Salsa20 or ChaCha20 are just fine. Also for authentication, so the part once you have the key is unaffected. And then for public-key encryption, public-key signatures, those were the ones where we have to replace the RSA-4096 and the ECC NIST P-256. Those, we have other replacements, and we gave here our high-confidence ones. So that's the McEliece system, which the name might appear again a bit later, and also some hash-based signatures, and SPHINCS you'll see later. And we also announced some under evaluation, which means, well, we're not quite comfortable if you use them now, but okay, in the future those might be okay. And so for us this was like, okay, we put a stake in the ground, we're saying these are safe, and so basically, well, people should do that and everyone lives happily ever after and be done with the talk.

Or did everybody live happily ever after? Let's take a look at what actually happened after this. So, the setup of, well, here's some things to roll out: actually, there was an experiment run by Google, which was saying, in 2016, Google Chrome actually added a post-quantum option. Now, that doesn't mean that every web server was supporting it. It was just an experiment where Google also turned it on on some of their servers and said, okay, let's see how well this works. And they sounded really excited in the blog post announcing this, that they're going to be helping protect users against quantum computers, and let's see if this thing works. All right, the system they used is called New Hope. Now, they didn't just encrypt with New Hope. New Hope is a post-quantum encryption system. They also encrypted with pre-quantum encryption, elliptic-curve cryptography, ECC. Like Tanja mentioned before, NIST P-256 is an example of ECC. X25519 is another example of ECC. This is something you're using today to encrypt your data. And what Google did was encrypted with New Hope for hopefully post-quantum security, and encrypted with X25519 like they're normally doing today. The point of this is that if something goes horribly wrong with New Hope, then we're still going to have pre-quantum security. So at least there won't be an immediate security problem; they're not making things worse. Of course, if New Hope is broken, they're not making things better, but the whole point was to try making things better and still guarantee that you're not making things worse, by encrypting with both the pre-quantum and post-quantum stuff. And this is really important, to have these backup plans, because New Hope is a new cryptosystem. Well, it was in 2016. The main parts of the New Hope design were coming from 2010 and 2014 and 2015, and that's not a lot of time to review things. In cryptography, things can sometimes be around for years and then you find big security problems. So it's really important for these new cryptosystems to give them time to mature.

Another issue with new cryptosystems is that, well, sometimes they're patented. Patents last for 20 years, and this happened for New Hope. A patent holder contacted Google and said, hey, I want some money for your New Hope experiment. Google never issued a public statement about this patent threat, but for some reason, in November 2016, they removed the New Hope option from Chrome and from their servers.

Now, some more things happened in 2016. The US government has an agency, the National Institute of Standards and Technology, which has a long history of cooperating with the US National Security Agency, and they said that one year later, at the end of 2017, they would like cryptographers to submit proposals of post-quantum cryptosystems, encryption systems and signature systems, to be standardized eventually. And then one of the interesting things they said inside this call for submissions is that you're not allowed to submit hybrids, so encrypting both with post-quantum systems and with ECC, or signing with something that you're using now and whatever post-quantum proposal. They said the algorithms must not incorporate ECC or anything else that would be broken by quantum computers. From a software engineering perspective, it's good to have an ECC layer separately from everything else and say, whatever you do post-quantum will combine with X25519, for example. But they weren't saying you must combine everything with ECC, say with X25519 as a separate layer. They were just saying, do not submit anything combined with ECC.

Now, by setting up this competition for post-quantum crypto, NIST was telling industry: please wait, please don't deploy post-quantum crypto. And this was, there's sort of a carrot and a stick. I mean, the stick here is patents, where Google had just gotten in trouble for deploying something and, oops, there's a patent on it. What else is patented? Well, NIST said, we are going to have a process leading to cryptographic standards that can be freely implemented, so no patents stopping you from implementing things. And they also said, we're going to select something that's strong. They said the security provided by a cryptographic scheme is the most important factor in the evaluation. So, okay, industry looking at this says, yeah, okay, let's wait for NIST. And also other standardization organizations said, let's wait. So IETF has a research organization, IRTF, setting internet standards, and, well, the crypto group inside IRTF said, well, for a few things that are sitting around that we're looking at already, we'll standardize those, some hash-based systems, but for everything else we're going to wait for NIST. And ISO, the International Standards Organization, they also said, we're going to wait for NIST. Not absolutely every organization said this. For example, the Chinese government said, we're going to run our own competition, but, well, who cares.

All right, so back to the NIST competition. So here is the whole big flood of submissions. So end of 2017 there were 69 submissions from 260 cryptographers. Not going to read out all these names, but this was quite a load for the cryptanalysts. So this was something where, hey, look, we had some fun early 2017. Those who have seen us on stage around then, in 2018, we've been giving talks about all the fun we had in breaking those. But it was quite a load. Well, let's see what NIST was doing in the competition. So 2019, so two years, well, year and a bit later, they were narrowing down the field to 26 candidates, and then in 2020, in July, they were also narrowing it down even further. Out of these 26 they were taking only 15 candidates. Well, purpose for that is to focus the attention on something, so that makes sense.

And then, of course, I mean, they're prioritizing the strongest candidates, except for when there's an application that really, really needs something more efficient. Actually, no, that's not what they did at all. If you read the report and you look at which candidates they selected, whenever they had a choice between speed and security, I mean, they threw away things which were definitely broken and they threw away things that were clearly so inefficient nobody could possibly use them, but taking for example SPHINCS, that Tanja mentioned before, very conservative, everybody agrees this is the safest signature system that's there, and, well, NIST did not say, of course use SPHINCS, the current version SPHINCS+, with all sorts of choices. They didn't say use SPHINCS+. They said, well, we're going to wait on standardizing SPHINCS+ unless so many things are broken that, well, we feel like we have to use SPHINCS+. And, well, okay, so then in July this year they said, all right, we are selecting four standards. One of those was SPHINCS+, along with four more candidates to continue studying. And, well, that might tell you, hey, okay, maybe their confidence was shaken. So what happened there?

All right, so seeing the 20... 69 submissions again, fast forwarding by five and a half years, the picture looks quite different. Okay, so here's a color coding. The blue ones are the ones that are still in the NIST competition, so those are the four to-be-standardized systems and four round-four candidates. Gray ones didn't make it, and means that they haven't been broken, but that might just be, well, they were deselected so early that nobody was interested in breaking them anymore. The brown color stands for less security than claimed. Red, really broken. Red with an underline means really, really, I mean, like, broken, like attack scripts. So first of all, what you can see from a glimpse at this: there's a lot of broken schemes. There's also some interesting purple, fairly down at the right bottom, and if you remember from watercolors, purple is the mix of red and blue. So SIKE was selected in July and broken in July, after analysis of something like 5 years, with an attack which is running now in seconds. So SIKE is kind of the poster child of something really going wrong, but there were lots of things that could say, yeah, they shook the confidence a little bit, which, well, then made NIST at least select SPHINCS. They didn't cause them to select all other conservative choices, some of those are still on the back burner, but just to see, this is not a mature field.

Now, what was happening for deployment in the meantime? Remember, there's two pieces from Tanja's slides from 2016. She was saying, well, you want to roll something out now to protect people, because we have a security problem now, attackers are recording things now, and we have to try to protect that, and we have to do that faster than the standardization process, which Google was starting in 2016, but they got scared because of, well, the patent problem. Well, okay, by 2019 industry and various open source projects were starting to look at this and say, you know, actually, maybe it's time to get back to rolling things out. I mean, something went wrong in 2016, but okay, at this point NIST has collected statements from all the submitters in this competition saying which submissions are patented, and so, okay, that gives us a lot of information from 260 cryptographers saying what they have patents on. And also it's becoming more and more obvious in 2019 that big quantum computers are coming. So examples of what happened in 2019: OpenSSH version 8, copying TinySSH, said we're going to add a hybrid, elliptic-curve cryptography plus Streamlined NTRU Prime. So this is one of the post-quantum encryption proposals. Not something used by default, but if you put a line into your server configuration and a line in the client configuration, then it's using post-quantum crypto, and, well, if the NTRU part of that gets broken, then at least there's still ECC. July 2019, Google and Cloudflare ran a big experiment with post-quantum crypto, with two parts of that experiment. One option in the experiment, some users were encrypting with another version of NTRU, NTRU-HRSS, plus ECC, of course, always use hybrids, and then the second option was encrypting with SIKE plus ECC. Yeah, Tanja says oops. This is an example of how important it is to make sure you're combining everything with ECC, elliptic-curve crypto, so that you do not lose security compared to today, where we're all using elliptic-curve crypto. Try experimenting with the post-quantum system plus ECC, so that the worst case is that you are doing nothing, but, I mean, hopefully something's getting better. The SIKE users at least had the ECC security. The NTRU users, as far as we know, they're okay.

Also in 2019, in October, Google claimed quantum supremacy, meaning that they had a quantum computer doing something faster than any regular supercomputer could do it. It's not a useful computation, and it's still going to be years before we have useful computations running on quantum computers faster than regular computers, but it's still, I mean, the name quantum supremacy is really misleading, but it is an interesting step forward in quantum computing, and I guess the name also attracted attention to this as something that people have to worry about for the future.

Now, in 2021 and 2022, OpenSSH and also IPsec software in OpenBSD and internal communication in Google, all of these suddenly upgraded to, actually, well, OpenSSH version 9.0 is providing a version of NTRU plus ECC by default. So if you have OpenSSH 9 installed on your server, and whichever server you're connecting to, and your client, then it's just automatically trying this post-quantum option. And actually OpenSSH back to version 8.5 supports exactly the same thing. In that case you have to turn on a configuration line for the client and the server to use it, but OpenSSH 9, it's just being done by default. And same for Google: they are now, as of November, so last month, they are encrypting their internal communication with the other NTRU variant I mentioned, NTRU-HRSS, and elliptic-curve crypto. So hopefully the NTRU holds up, and then that's secure against future quantum computers.

And this is also nicely in line with, well, what standardization bodies are saying. So as Dan said before, standardization bodies are not yet standardizing the cryptosystems themselves, but they're encouraging people to look into things and, well, get used to it. For instance, the US American ANSI, so that's the banking standards, ANSI X9, they say that, well, yes, they will eventually get to post-quantum standards, so they're expecting a simultaneous use of both classical cryptography, which we call pre-quantum cryptography, and post-quantum crypto, for both security and acceptance. So also they're thinking, well, look, the one thing is standardized and audited, and the other part is the slightly still new, uncomfortable, but okay, we
need it for long-term security as well. And they might even require this hybrid combination for long term.

Now from the US to the French, so ANSI to ANSSI, so that's the French standardization, or the security office. They're also saying, well, definitely don't use post-quantum crypto alone, because, it's super important, post-quantum is kind of immature. However, the immaturity should not serve as an argument for postponing the first deployments. So ANSSI is really encouraging people to start using hybrids, using some well-established pre-quantum cryptography together with some post-quantum cryptography.

All right, great, so everything's moving forward along the lines that were in Tanja's slides from 2016, that there's, I mean, standardization is slowly moving, but in the meantime we're rolling out, trying to roll out, post-quantum crypto along with ECC in case something goes wrong, and then, well, trying to get users protected as quickly as possible. Now, what did the US government say about this? Well, it turns out, starting in 2021, the US government made very clear that it wants you... now, you might be thinking they want you to protect yourself against quantum computers, but no, no, no, they want you to not protect yourself against quantum computers. For example, here's a quote from the chief of the Computer Security Division in NIST's Information Technology Laboratory, which is the head of the division running this post-quantum competition. In July 2021, shortly after, well, various OpenBSD projects and OpenSSH started rolling things out, he said: do not let people start to buy and implement non-standard post-quantum cryptography. And then another example, NSA, that works closely with NIST, said: do not implement or use non-standard post-quantum cryptography. And just in case people didn't get the message, the Department of Homeland Security, do you think maybe these agencies talk to each other, Department of Homeland Security said: do not use post-quantum cryptographic industry products until standardization,
implementation and testing of replacement products with approved algorithms are completed by NIST.

All right, so that's already kind of unhappy news. The other part that's really weird about this is, what they're saying is, if you're deploying post-quantum cryptography, that you should not use hybrids. And you might think, like, did I maybe misunderstand a "not" for "yes" or something? So here was an NSA guy at a conference, and, well, this slide was snapped by Markku Saarinen, but I was in that talk and I can confirm he was really pointing out that, no, you shall not do hybrids. He was also echoing the message of, yeah, yeah, don't muck with crypto, so don't use anything right now. But also, they do not expect to approve post-quantum algorithms with any kind of just-to-be-safe, combined-with-an-older-algorithm guidance. And afterwards they also posted more guidance saying that, no, it will be a one-to-one replacement: rip out ECC and RSA, plug in post-quantum crypto. And their argument for it is basically, well, there might be bugs in your elliptic-curve software, so turn off elliptic-curve cryptography. Not a good idea. Unless, of course, you're the attacker, then it's a great idea.

Now, you might be thinking, okay, okay, of course we're going to use hybrids, even if NSA is trying to encourage people not to, everybody else wants to use hybrids. And for this thing saying don't use something non-standard, well, that delay is done now. I mean, that's what NIST said in July, right? They said, we're standardizing Kyber, and that means deploy Kyber. Well, no, actually, they're not saying that. So let's look at the details. First of all, remember there was this patent problem for Google with New Hope. Well, the son of New Hope is called Kyber. Kyber is sort of, apparently they were confusing Star Trek and Star Wars, so internally they were rumored to have Kyber named New Hope: The Next Generation, and then they managed to get a better name for it later. So anyway, Kyber is a lot like New Hope, in that it's got patent problems. And this is the only encryption system. NIST selected SPHINCS+ and selected two other signature possibilities and selected one encryption system, Kyber. That's the only way to protect your data with what NIST says it's selected as standards for post-quantum crypto. And Kyber, like New Hope, is in the middle of, well, seven different patent families that we know about. Doesn't mean they all apply. It's pretty complicated to figure out. If you're looking at a patent, you have to understand how patent law works and analyze what the patent means in terms of all the prior art and the extensions that patent law applies, and, well, okay, it's complicated. The one easy way to get out of patents is to buy them and give them away for free. And so NIST in July said: we negotiated with several third parties to enter into various agreements to overcome potential adoption challenges posed by third-party patents. Okay, great, party, can use Kyber. Except, well, companies look at this and say, can you please show us the agreements so we can see what exactly you signed? For example, Scott Fluhrer from Cisco said: Cisco cannot use Kyber until we get the text to the licenses. Okay, so then, well, yeah, it turned out, if you look more closely, NIST actually admitted that they had not signed anything in July, but they said they would, and in November they finally said, yes, we have signed two license agreements, and here's some excerpts from the text of the licenses. Great, party, we can use Kyber. But if you look at the text, the licenses are for a standard prescribed by NIST. Any modification, anything different from what NIST standardizes for Kyber, you are not allowed to use under these licenses. You must use exactly what they have standardized. And now you might be thinking, well, okay, they selected Kyber, they standardized it in July. But no, they didn't. What they said in July is, we are planning to standardize Kyber, which is not the same as saying we have standardized Kyber. They are aiming to complete their initial Kyber standard by around 2024, and even worse, we don't actually know what Kyber version 2024 is going to be, because they're still proposing changes to it. So to summarize: in 2024, if that's when they issue the standard, then the license will let you use whatever Kyber is standardized at that point, and maybe in 2023 they'll settle down, they will stabilize Kyber, and maybe the other five patent families that we know about do not apply to Kyber. There are cases where people have walked through a minefield and not gotten blown up.

All right, that brings us to the end of our talk. I think we explained enough about the delays and detours. Now, what do we mean by disasters? Of course, I mean, something getting broken that was already deployed in the Google and Cloudflare experiment is a disaster, but it was a backup plan, because they were using hybrids, that was kind of okay. What we really think is a disaster is that we're here in 2022 and we still do not have post-quantum cryptography on your mobile phones, on your laptops. It's still not widely deployed. We're happy to point to examples where it's getting used, but it's not widely deployed. Your data is still pre-quantum encrypted and therefore, well, automatically decryptable with a quantum computer, and that's a real disaster. Thank you for your attention.

[Music]

... nor the technology I use in the background is using post-quantum cryptography, which is sad. I think my SSH connection does, at least, so I guess it's something we can always count on OpenBSD.

Absolutely.

So let's check if there are some questions. So one question would be: as a developer developing some software, not necessarily cryptographic, should I ensure the crypto I use is post-quantum secure in a hybrid way now?

Well, you have a slide exactly on this. Come on, show the slide.

Well, I mean, we did foresee some questions about, like, well, this was kind of depressing, what can we do now? And so we have a slide prepared of a little bit more optimistic, what can you do now. And of course, yes, our suggestion is to deploy hybrids. I'm feeling like this flashback to 2016, where I was going like, hey, you can do something now, here are our suggestions, these we feel really, really comfortable about. And here I'm still standing, 2022, December, saying, yeah, McEliece is actually a very conservative system, and we don't have this patent trouble that Kyber is going through, and you can do something. So to explain a little bit what hybrid means: it means to combine a pre-quantum with a post-quantum system. And so in encryption you want them to jointly generate a key, and in public-key signatures, of course, you have to ensure that both signatures are individually valid in order for the hybrid signature to be valid. Dan, want to say...?

Oh, just, I mean, there are various libraries out there that you can take a look at, which will give you an idea of some of the different systems that you can try deploying. When you look at the libraries, the software quality is not as bad as it was a few years ago for post-quantum software. There's some people who are putting a lot of work into improving the software quality. There's still a lot of risks there, but I think, I mean, compared to the risk of doing nothing and guaranteeing that data is going to be exposed to future attackers with quantum computers that are recording the data right now, you definitely want to try things out. So for example, one of the libraries that has a few different systems implemented is called Open Quantum Safe, OQS. There's various other libraries specific to particular cryptosystems, so most system designers have some sort of software, but again, you have to worry about how good the software quality is. There's a new library coming out, libjade, which has a lot of verification of the software, so I would say very high quality, but unfortunately the only post-quantum encryption system that it provides at the moment is Kyber, which, well, I mean, planning ahead for 2024, that becomes usable, but right now, unfortunately, it's not. So if you want something which is that kind of speed, then, well, if you look at what OpenSSH is doing, what Google is doing, with different versions of NTRU, then the software there has been at least somewhat battle tested. So you can try doing that, but always make sure you're doing hybrids with ECC, just in case something goes horribly wrong with the post-quantum part.

Isn't it kind of hard to develop my own combiner, though? So, because I still need to have a correct way of combining the two schemes, the pre-quantum one or the post-quantum one.

You do, yes, and it is definitely possible... so even something as simple as saying, like, sign with one system, sign with the other system, check both signatures, we have seen software getting that wrong. So it's definitely important to go through that very, very carefully. For encryption, you typically, you have ECC is exchanging a key and then your post-quantum system is exchanging a key, and you hash both of those keys together with whatever your favorite hash function is, standard hash function, that'll be fine. But again, that's something that, yes, you're saying combiners, there's various study of...

Sorry, so anybody gets that: standard means cryptographic hash function, not use something like xxHash, use something that's cryptographic.

Yeah, so take for example, take SHA-512, and, I mean, that's an NSA design actually, but people have been bashing on it for a long time and have not broken it. For something which has gone through more public review, there's the SHA-3 systems. And that's something which, it's usually not a performance problem to be hashing like two 32-byte strings together. I mean, concatenate them and then hash, and you'll get another string coming out of that, and then that's your key for your symmetric cryptography.

Now, there are some proposals of how to do this. So there's an RFC, so from the IETF, so CFRG, and there's also something in the M standards of how you can do hybrids. To put a little bit of self-advertisement, we have a last slide of the slide deck that will be uploaded, and for instance there are some in studies that reced, and so in those we're also going through details of how you can combine hybrids, so how you can safely do this. And of course there's still the choice. So you would be selecting your own system, and, well, as you can see, there's some concerns there with the patent situation. I should also say, for research, for experiments, you can use Kyber. It's just a problem if you want to deploy it. So, I mean, like, there's a warning in general, but if you're just a hobbyist or tinkering with it, want to write this research paper, it's not a problem. But in general you have a choice between using the most efficient systems, which is basically what Google has been doing, saying, well, let's try something new and shiny and see whether it blows up our computers, and luckily it didn't blow up the computers, so Google could continue operating with a combination of New Hope or later on NTRU and ECC. Or you could say, well, the most important part is that systems remain secure, we're willing to do a little hit in speed or bandwidth on its on, and so taking the most conservative postqua
ntum systems and combine them with elliptic Curves in RSA so that's also a choice that you would need to do if you well want to roll without so would it be okay to deploy um one of one of the uh cyers that are still left in the competition that is not yet or will not be standardized by nist even though there's no known attack so in general I guess T is going to fire up the colorful picture here um when you look at a picture like this with so much red on there then you have to feel like as cryptographers we don't know what we're doing I mean how could we have so many things being broken it's it's really really risky and um I I would say that whether something has been picked by nist or not is not actually adding that much information here um okay you want to comment on this well I just say the things that I Des selected in the first round really didn't get much attention I would I mean people did lose interest things that are survived into the third round and then just didn't get select in the fourth round for instance like the two entro variant entro Prime and entro hrss Cam that are mentioned here um those got into the third round survived till the end of the third round and just didn't win the beauty competition that M was running and so I think those are just as fine as the ones which I'm blue but in general all these things are scary there's very few yeah Soo um Andrew and Entre H SS those are the ones that are rolled out in by Google and and open SSH but but very few of these things uh very few of the 69 submissions have the same security level now against known attacks as they had five years ago when they were submitted um so I mean there's there's always been some loss of security because attacks are getting better um it's just that well some had enough of a security margin to survive that but to to make a safe decision it's unfortunately um it's necessary to look at the history of these things and say all right how well have they held up how much have they' 
been studied exactly what Tanya was emphasizing that I mean there's some of these things that have been studied very little some have been studied more and um it's it's how well the systems have held up through that study that really dictates how risky they are in the end I mean for instance Three Bears it's a beautiful system but it was deselected after about two and so I guess it just stopped people from looking and it didn't get much analysis before so it feels like it should be fine but it's also severely under researched but if you're looking at the uh round three selection of those which are still black or dark gray here I would say those are most defined and of course of course the blue ones as well okay choose one that is blue or black on this slide I think that is some pretty specific idence um very very quick last questions if I'm a if I'm a tinf fall head hat can I do anything to protect my communication well uh tunnel things through open SSH that's a good start um I mean the situation right now most communication of course you need the client and the server to be supporting things and well there there's various experiments and a little bit of real deployment um where I mean some there's some VPN deployment for instance yes so right there's some some postquantum VPN so mulad has um a a postquantum option so they're using mle and you can um so they're they're using wire guard for the VPN and then um wire guard has an option for feeding in an an extra key a pre-shared key which mulat is doing with mlee so he of upload through mle for postquantum security to mulad now of course that that's a VPN where you're not going end to end to you know you want to to go all the way to whichever site you're communicating with and getting endtoend security rolled out means that the client and the ultimate server need to support postquantum crypto and well with lots of delays of that happening it's it's unfortunately much less in place than um could have imagined years ago
 when when it seemed like there was a lot of enthusiasm for them work on something well okay Tanya would like me to uh put in a plug for PQ connect coming soon which is hopefully going to make it a lot easier to deploy some postquantum crypto for securing your connections end to end but it's still not released yet so um can't say too much about it look for PQ connect I think that's it um thank you so much for being here and sharing your information sharing this update about postquantum cryptography um thank you you so much Tanya longer and djb thank
[Music]
 you