Without further ado, I think we are two minutes late. I'm going to give you that two minutes, Professor. I'd like to invite Professor Bart Preneel from the University of Leuven to give his presentation. Good morning and thank you for joining me. It's a great pleasure to be here. So I've been on the internet since 1980. I have 37 years of experience in cryptography and I had a large research group in applied cryptography in Leuven that brought you the AES, which you all have been using today. Although I do cryptography, I also have been involved in start-ups.
I had a mobile authentication start-up. I'm on the board of a company called Approach Cyber, which does cyber security services. I've also been running the Belgian contact tracing app as a kind of hobby. But today we'll speak about long-term problems, namely the quantum threat. I heard a session this morning and people said this is how hackers get in today.
Well, if you worry about today or next week, you don't have to pay attention. This is a problem within 10 years. The quantum threat is not happening now. It's a long-term problem, but I try to convince you it is a problem. So cryptography actually is a success. When I started in cryptography, there were probably like 100,000 cryptographic devices out there. The governments had some, the banks had some, the military had some, and that was it. Today we have something like 80 billion cryptographic devices and software libraries out there.
And about 50 billion are there not to protect the users but to protect companies and governments against the users with access control and control of accounts. But we also have quite some cryptography to protect users. We have secure encryption on our phones or insecure encryption on the mobile phone system. But the more secure parts of cryptography are our apps and our storage and our mobile devices.
In fact, we finally got billions of users secured with cryptography. This is a very good news story. And of course, hackers never break cryptography. They try to bypass it. They try to get access to keys. They try to issue fake certificates.
But still, without cryptography, you would be really in very big trouble. And so this is a success story in spite of all the other problems. But we also have to understand that changing this ecosystem is very difficult. And the details are also important on this slide, but what you see here is different versions of TLS on the top 150,000 websites. So this is not a mom-and-pop bakery somewhere. This is the major websites in the world. And what you will see, for example, in response to the Snowden documents, a new version of TLS has been created that's simpler, more robust, and much more secure.
This happened in 2018. Even today, six years later, only 60% of the top 150,000 web servers support 1.3. So it takes more than 10 years, probably 12 years, to get the top 150,000 websites to just support 1.3. This is a standard that is available. The documents are available. The code is available.
But still, we don't upgrade. Getting rid of things is even worse. What you see here is the curve of how we got rid of SSL 3.0. It was a standard from 1996, and so there was a really bad attack in 2013. We should have gotten rid of it much earlier already, but we never did. Then there was the POODLE attack, and even then, we still have some of those top websites supporting SSL 3.0. That's an important message. Getting rid of cryptography, upgrading cryptography, takes more than 10 years. Cryptography does more than just protecting communications.
Today, we focus mostly on the encryption of connections. Stored data, in most cases local storage, is not protected with public-key cryptography but with symmetric cryptography, although there is now cloud storage that uses public-key cryptography. The future of cryptography is somewhere else. Where most cryptographers are now putting all their energy is in protecting data during processing. Things like multi-party computation, homomorphic encryption, like cryptographic versions of confidential computing, this is now where all the research and development and the exciting startups are.
But today, we just speak about the boring part, the soft problems, quote-unquote, which is communications and storage. Something happened in 1981. Two scientists, Manin in the Soviet Union and Feynman, had this idea of building quantum computers. They did this because they wanted to simulate physics processes. Physics, that is quantum physics, is very complex.
So, predicting the behavior of systems is very difficult. So, they had the idea, why don't we build a computer that operates based on the principles of physics? It doesn't have bits. It has qubits and this kind of bit of magic. A qubit is a superposition of zero and one at the same time. Their view was, with this, we can simulate stuff much better. People started working on this very, very slowly, building the first qubits and the first gates.
But then, in 1994, a breakthrough came. A computer scientist, Peter Shor, actually showed that if you could build quite a large quantum computer, and today with large we mean about 20 million qubits, which are about 2,000 logical qubits, so there is a lot of error correction happening to get 2,000 real qubits, you could actually break all modern public-key cryptography.
Now, I showed you this 70 billion devices. About half of it is public-key cryptography.
And, well, there is RSA, there is discrete log, there is elliptic curve, whatever, it doesn't matter. Everything we use today, about half the cryptography is badly broken, if such a computer exists.
So, of course, these computers will also have many benefits for humanity. They will lead to better molecules, better physics, better materials, better medicine.
So, I'm not saying these things are bad, but they actually have one bad use, which means governments are very interested. In 2001, the first implementation was built between Stanford and IBM, and they managed to actually factor 15 on a 7-qubit quantum computer. That gives you a bit of the idea. It took about 20 years to get from the concept to 7 qubits.
And then, the first cryptographic conference dealing with post-quantum cryptography happened in Leuven, actually, in 2006. So, the main universities working on this topic were Darmstadt in Germany, Leuven in Belgium, and Eindhoven in the Netherlands.
So, we were working earlier on this, but in 2006, there was enough critical mass to bring, actually, 50 or 100 scientists in one room and start discussing, can we build new cryptography that will resist attacks on quantum computers? That's how long we're already working on this problem.
So, for symmetric crypto, there is also this rumor that there is Grover's algorithm that actually halves key sizes, but in fact, there was a very nice talk given in September by Sam Jaques that actually shows this is just theory. It's not going to affect you, and if you really want to upgrade from AES-128 to AES-256, I'm not going to stop you, but don't use the quantum computer as an excuse because it's not needed. But do it anyway, it's fine, it's cheap, but this is the easy part and it is actually not really helping much. That's the main message from this talk.
So, many large players are building quantum computers now. Governments, of course, behind the scenes. IBM is nice because they have the most detailed roadmap, which they keep changing all the time, and I'm not sure they always stick to that roadmap, but at least they're very detailed, and other companies make very coarse roadmaps with only three or four points. IBM is nice because of the details. I don't have time to explain the details to you, but the main message is counting qubits is meaningless.
It's not about counting qubits, it's also about scalability, it's about error correction, about how long the computer lasts, how long does it last. So, it's a multi-dimensional, very complex problem, and in fact, nobody has any idea how you will put 20 million qubits together and make them work. That's the honest version of this. But of course, there is progress, and there are now machines with about 100 physical qubits, that is a few logical qubits. That's where we are today. You can also ask the experts, and Michele Mosca does that on a regular basis.
So, you can ask experts how long they think it will take before these 20 million qubits, so the 2,000 logical qubits, will actually be available, and then these experts, some are optimists, some are pessimists, and some say it will take five years. There's like a 14% chance that optimism in five years is going to happen. The pessimists say that in 20 years, it's only 56%. You have to be very careful as well. These experts are biased. They're all people who get large grants to build quantum computers.
They're not going to say it's not going to work, because they get millions of dollars of grants. But still, they are smart people, and they're all not going to make stupid claims either.
So, whatever you want to believe on this, very smart people believe that in the next 15 years, there is a reasonable chance that such a computer can be built. I think it would be really stupid to assume it will not happen. Maybe it will run into the ground, like fusion has been running into the ground for many years, but the question is really, can you take the risk? Can you now sit around and say, oh, it's not going to happen? Let's see. What's happening is post-quantum cryptography, and we use a new kind of mathematics called lattices.
Okay, what some people try to sell you is quantum key distribution. You can also use quantum physics to secure your communications. Unfortunately, it only works point to point. Unfortunately, it's only very slow, and it's not very secure. It doesn't work for stored data, so I would say, don't do the same as the Chinese government and European Commission. Don't put your money there. This is not going to solve your problem. Trust me. Maybe in 30 years, but not in the next 5 to 10 years or 20 years.
Okay, so should you worry about this or not? So then we just use some simple mathematics. I will only show one equation this morning. I know it's early, and you're not mathematicians, but I will show one equation which you all will understand. You just make your guess of how long it takes until the first large quantum computer is there: 5 years, 10 years, 15 years, 20 years. You put in your number Q. Then how long does it take you to switch? And I ran an app, and I thought naively as an academic, you know, I have a contact tracing app. There is a problem with the algorithm.
I push a new version, and within a week, everybody has a new version. That's not how it works. And I showed you what happened with TLS.
For TLS, even if this is a top website, 10 years is not enough. So it depends on your application.
Of course, banks can just issue new cards to their customers, and then they know there will be updates. Banks can upgrade their terminals, but that probably takes also 10 years because they have so many. But you make your guess how long it will take to upgrade your system between 3 and 12 years. Maybe it will be 20 years. And then the last question is, how long does your data need to be confidential? So this is the famous harvest now, decrypt later.
So today, if you talk on the internet, you all read the Snowden documents, and you know that your data will be captured and analyzed. If it's encrypted, they will try to use tricks to decrypt it. If that fails, they will store it in Utah in case they can decrypt it in the future. And this is what the NSA did 10 years ago. You can be sure that other governments do the same thing now as well, and some other actors as well, because storage is so cheap that actually it doesn't cost much to have cold storage of exabytes just in case you can decrypt in the future.
Okay, so when should you upgrade to new cryptography? When should you replace RSA and elliptic curve?
Well, in the year 2024, plus Q minus X minus Y. Okay, that's my only equation I will show. You just plug in your numbers, and then you can figure out when to do it. So I'll just give you an example. Say Q is 16, you're optimistic it will only be happening in 2040. And you need 7 years to upgrade your systems. Really impressive if you can do that. And then you want 10 years security, which is kind of standard for business. It's not what governments need. They need 50 years or 100 years. Medical data, actually it's a lifetime very often. So there you should put in 50 or 70.
So plug in the numbers you have to change. Even with these optimistic numbers, you have to change today. You're already too late.
Okay, so of course one perspective is this is a problem for after my retirement for several of us in the room here, and I don't worry. Okay, I will be retiring in 2030 and getting another job, but that's something else. But we can think it's not our problem. On the other hand, the other reaction is, well, we better start today because we are already too late.
Of course, your company will not be affected for 10 years. So the big question is, can you convince your CFO to actually give you money to deal with a problem that will be after his retirement or her retirement?
Okay, so why does it take so long? Well, the standards are just out as I will show you. Then it has to be implemented, validated, and deployed. And you have to be really fast to do it in six or seven years. And then you need this 10 years your data to be secure because in 2029, you will still be encrypting with the current systems. And then these systems can be decrypted in 2040. But it's a very long-term problem, which is not what we typically deal with.
Typically, we worry about a ransomware attack tomorrow or the breach of next week. The good news is for signing data for things like blockchain or cryptocurrencies, Y is zero. More or less, if you change your signatures the day before the computer, you're still okay. But even then, you have to start planning as well to deal with this. The good news is that the US government paid attention. So in 2016, under pressure from the NSA, because the NSA has a really big problem because they do bad things.
And if you do bad and illegal things, then you want to keep it secret for 50 to 100 years because you don't want to go to jail when you're 70 years old for something that you did when you were 20 and working for the NSA. So they actually pressured NIST to do something because their Y is 50 to 100. And so NIST started a competition. In the meantime, actually, the IETF had already published two signature standards, which have some usage issues. They're stateful, so they're not usable for cloud environments, but they were kind of quickly standardized based on old technologies from the 70s.
And then after a long competition with many contenders and many attacks, more or less two standards emerged, ML-KEM and ML-DSA. Terrible names. Nobody can remember them. They used to be called Kyber and Dilithium, which were not so good names either, but at least you could remember them.
But okay, we now have to deal with ML-KEM and ML-DSA. And if you want to be cool, ML stands for Module Lattice. Nobody knows what it is, but I showed you a lattice, right? So it's okay. Then Germany also tends to like McEliece and FrodoKEM, and France also likes FrodoKEM. So that may be allowed. And then Falcon will maybe be standardized next year. So after six years of competition, NIST decided it was a viable algorithm, but they didn't know how it worked. And so then they took another year to write the draft standard. It's just out, and so now they think they know how it works.
So I don't like Falcon. Falcon uses floating point arithmetic. This is also something which spells trouble. But it will come out maybe next year, and then NIST is not so happy with the schemes that they have because they all depend on lattices. They depend on one single problem, and maybe someday somebody finds a way to use quantum computers to actually break lattice-based schemes. And then we have a really, really, really big problem. So this is why other schemes based on multivariate, based on codes, based on isogenies are being developed now, and there will be more standards coming.
But at least there are standards out today. They were published a few months ago. That's the good news. How does it look like?
Well, some stuff is faster, okay, but key sizes and ciphertexts are 3 to 15 times bigger. And for TLS, it means, especially for short messages and short connections, overheads of a factor 2 to 3 in your network speeds and your delays. So for some connections, it's really, really bad. It's terrible for certificates in PKI, because as we will see, signatures are also 15 to 30 times bigger. So a certificate chain very often has a number of public keys and signatures. And so we're used to a chain of a kilobyte or a bit more, and now it will become tens of kilobytes for a chain.
And for some settings, it's okay, but for some others, it's going to be a dramatic problem. And if you plug this in, it will actually break. Stuff will break. Encryption is about the same, and encryption is actually faster with post-quantum. So it's not that actually everything is worse. Some things even got faster, but keys got bigger, and ciphertexts got bigger, signatures got bigger, and public keys of signatures got bigger too.
Again, speed of verification is comparable or fast. So it's not all bad news. It's not as slow. It's just very big keys. McEliece is the most extreme case. It's a half a megabyte key, while the RSA key is something like 2,000 bits. So this is going to be a culture shock.
So today, we're in the pre-quantum era. We're now moving to a hybrid era, because people don't fully trust these new algorithms. So what we will do is have a double protection. We'll keep using RSA and ECC.
Anyway, it's not broken yet. In the meantime, we also encrypt and sign with the new schemes.
Okay, now you have two options. You can have security of both or either. So you have two options. You can encrypt first with one and then the other, and then the other side has to also have the two decryption algorithms. Then you have the real long-term security. But then if the other side hasn't upgraded, they will not be able to decrypt. So if you go for the cheap option and you encrypt once with the old system, once with the new, then you have backward compatibility.
But then, of course, you don't have long-term security. So for encryption, in fact, you have no choice, and this or approach is not going to work. For signatures, it works, and there you can sign twice, and that's okay. But then you can decide on the policy whether both should be correct or one of them should be correct.
And then, of course, eventually, once these computers are there, there will be no point in using RSA and ECC, because apparently these quantum computers, if they work, they will do it in seconds or minutes. So there will be no point in still using RSA or ECC. That's probably somewhere 2040, 2050. So it's going to be challenging, and I think the biggest problem will be the PKIs. We have now large PKIs everywhere, and it's going to be very difficult to plug-replace them. So the NSA published a timeline with very interesting messages in there.
First, they don't like Falcon. Second, they don't like the low security levels. So I didn't go into the details, but NIST has five security levels, and the NSA says, we only do the top one. The rest we don't even care about. You should be careful, because performance numbers I gave are for the lower security levels. So for the high security levels, performance numbers are a bit worse, and keys are even bigger. But the NSA has said, we're going to move, and we're going to do it seriously. We don't go for any low-level security, only level five, and a very ambitious schedule.
So they want to, next year already, support software updates, and then start networking and browsers in 2026, operating systems in 2027, and niche applications in 2028, and they want to be completely done with everything by 2033. I don't know whether the defenders are going to manage that, to be honest, but that's their schedule. Then the really bizarre thing nobody understands is, the NSA says no hybrid mode. If you're really paranoid, then you could say that means they already have a quantum computer, and they feel that, you know, there's no point in still using RSA.
That's the most extreme paranoid interpretation. The other interpretation is, maybe they find this hybrid stuff too complex, and they expect more bugs and more problems in hybrid mode. NIST published their schedule a few weeks ago, and they say, well, the lower key lengths you can use until 2031, and everything has to be done in 2035.
That's, again, a very ambitious schedule. What about Europe?
Well, Germany has a plan, France has a plan, the Netherlands has a plan, and Europe announced a statement in April that there was a problem, and that they were going to do something about it. They encouraged the member states to start thinking of a plan. So there is a committee that started a meeting in September.
So far, they have not invited academics, and they're just thinking about how they can make a European plan. So Europe is going to end up terribly late to the show, I'm afraid. What is it all about? It's not only technology, of course, it's also the governance. You have to find out which cryptography you're using, and monitor it also. There are tools for this out there. Then check that your policies are being followed, because most banks find out that they actually have 25 CAs everywhere.
Most banks find out that they acquired a company, or that some of their suppliers acquired a company that uses old, crappy crypto somewhere in one of their products. And so it's only by doing a thorough analysis, by doing a software bill of materials, you actually find out what you're using in your crypto bill of materials. Then try to enforce this, mitigate this, and try to retire stuff. Talk to your vendors, and tell them that we want to start migrating. Simplify your crypto policies. And then the most important message, make sure that you now have an agile environment.
Because maybe in 10 years, we'll tell you as cryptographers, you know, this ML-KEM was cool, but we have something much better. And we don't really know whether ML-KEM is so secure, maybe we should actually use FrodoKEM. And if you've then again hard-coded everything like we did in the last 30 years, then you'll have another problem. And you'll be again too late. So maybe you can plan now and be more flexible. And then of course, have deployment models as well. So time to wrap up. So it's a long-term problem. So if you want to forget about it and retire, be my guest. It's fine. That's okay.
Nobody will be there. You will be somewhere on your Greek island fishing every day, and nobody will. It's not your problem, but there will be a problem somewhere. And my analysis is, as an organization, you really can't take the risk. The banks are pushed by the ECB. So the banks are now moving, because they understood that the ECB will whip them.
In 2002, I was already in the Bank of England to talk about this problem. So the banks or ECB is aware of the problem, but the banks are talking to their vendors. And the vendors say, okay, we'll do this. How much do you pay? And the banks say, nothing, because if you have a secure service today, we want a secure service tomorrow. So why should we pay more for the same service? So this is the battle that's now happening probably in the meeting rooms around this building, the big challenge. Automotive also understood that if you today design a car, it will be on the road in three to five years.
And for the first time, it will be there hopefully for the next 20 more years. So they already look at how they have secure update and security mechanisms. The other sectors are just sitting and waiting there. Nobody wants to pay. Nobody wants to move. And I think regulation will have to come in and stop things. So PKI is complex. And if you just upgrade, things will break. So what you need is a risk-based approach, because you would not be able to upgrade everything.
You need crypto agility, which means you really start thinking about what you're going to do next after you replace everything by this version, what will be the next version. And finally, we should hope that the EU finally gets its strategy moving forward. Thank you very much for your attention.
Thank you, Professor. We went over time a bit. So if you have any questions to the professor, I'm sure he's going to be available after this session.
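Editor's added example, not code from the talk, from NIST, or from any TLS implementation: the hybrid "both" (AND) key combination versus the "either" (OR) approach the speaker contrasts, written in Python with only the standard library. The two shared secrets and the two ciphertexts are constructed placeholders standing in for an ECDH secret and an ML-KEM secret; no real KEM runs here, and the HKDF-based combiner, the XOR stream cipher and the signature policy function are assumed illustrative constructions, not the actual TLS hybrid design.

```python
"""Hybrid key combination ("both") versus double encryption ("either").

Added illustration: the shared secrets below are constructed stand-ins for a
classical (e.g. ECDH) secret and a post-quantum KEM secret; nothing here runs a
real KEM. Only the Python standard library is used.
"""
import hashlib
import hmac
import secrets


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with HMAC-SHA256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def combine_shared_secrets(ss_classical: bytes, ss_pq: bytes,
                           ct_classical: bytes, ct_pq: bytes,
                           label: bytes = b"hybrid-kem-demo") -> bytes:
    """The "both" construction: one 32-byte session key that depends on BOTH secrets.

    Both shared secrets go into the HKDF input keying material and both public
    ciphertexts are bound in through the salt, so a tampered ciphertext changes
    the key. Someone who later recovers only ss_classical (say, with a quantum
    computer) still lacks ss_pq and cannot recompute the key; someone who only
    breaks the new scheme still lacks ss_classical. (Assumed combiner layout.)
    """
    prk = hkdf_extract(hashlib.sha256(ct_classical + ct_pq).digest(), ss_classical + ss_pq)
    return hkdf_expand(prk, label, 32)


def _xor_stream(key: bytes, data: bytes, context: bytes) -> bytes:
    """Toy stream cipher: XOR with an HKDF-derived keystream. Demo only, no
    authentication; a deployment would use an AEAD such as AES-GCM."""
    stream = hkdf_expand(key, context, len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_and_mode(msg, ss_classical, ss_pq, ct_classical, ct_pq) -> bytes:
    """Encrypt once under the combined key: long-term security, but the peer
    must support both schemes to decrypt."""
    return _xor_stream(combine_shared_secrets(ss_classical, ss_pq, ct_classical, ct_pq),
                       msg, b"and-mode")


def decrypt_and_mode(ct, ss_classical, ss_pq, ct_classical, ct_pq) -> bytes:
    return _xor_stream(combine_shared_secrets(ss_classical, ss_pq, ct_classical, ct_pq),
                       ct, b"and-mode")


def _single_key(ss: bytes, scheme: bytes) -> bytes:
    return hkdf_expand(ss, b"single-" + scheme, 32)


def encrypt_or_mode(msg, ss_classical, ss_pq):
    """The "either" variant for confidentiality: the same message encrypted
    twice, once under each secret, so a peer holding only one can decrypt.
    Returns (classical_ct, pq_ct)."""
    return (_xor_stream(_single_key(ss_classical, b"classical"), msg, b"or-mode"),
            _xor_stream(_single_key(ss_pq, b"pq"), msg, b"or-mode"))


def decrypt_or_mode(ct, ss, scheme: bytes) -> bytes:
    """Harvest-now-decrypt-later view: whoever later learns ss_classical
    decrypts the classical copy, so the PQ copy buys nothing."""
    return _xor_stream(_single_key(ss, scheme), ct, b"or-mode")


def hybrid_signature_accepts(classical_valid: bool, pq_valid: bool, policy: str) -> bool:
    """Policy for a message signed twice (classical + post-quantum signature).

    "both":   long-term security; verifier must implement the PQ scheme.
    "either": backward compatible with old verifiers, but a forged classical
              signature alone is accepted.
    """
    if policy == "both":
        return classical_valid and pq_valid
    if policy == "either":
        return classical_valid or pq_valid
    raise ValueError("unknown policy: " + policy)


if __name__ == "__main__":
    ss_c, ss_pq = secrets.token_bytes(32), secrets.token_bytes(32)   # constructed secrets
    ct_c, ct_pq = secrets.token_bytes(32), secrets.token_bytes(1088)  # placeholder ciphertexts
    key = combine_shared_secrets(ss_c, ss_pq, ct_c, ct_pq)
    print("combined key:", key.hex())
    wrong = combine_shared_secrets(ss_c, bytes(32), ct_c, ct_pq)
    print("recomputed without the PQ secret matches:", wrong == key)
```

Run as a script it prints the combined key and shows that recomputing it without the post-quantum secret fails; the two encryption modes make the speaker's point concrete: with the combined key, losing either secret is not enough to decrypt, whereas in the twice-encrypted "either" variant the classical copy alone yields the plaintext to whoever later breaks RSA or ECC, which is exactly the harvest-now-decrypt-later case.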