The Third Future of Cyber Webinar Series — Cyber Security in a Post-Quantum World
The keys to keeping data secure in a post-quantum world.
As we move into a new era of quantum computing, there is growing interest in understanding the future vulnerabilities of current cryptographic techniques. Tune into the Third Post-Quantum Computing Conference, hosted by Surrey Centre for Cyber Security, for the latest thinking on how we can keep data secure in the coming years.
You’ll learn
The experts’ thoughts on cybersecurity in a post-quantum world and potential impact on existing computing systems
Digital divides between those countries that have quantum computers and those that do not, and what this means for cybersecurity on the global stage
Whether further advances in mathematics are likely to reveal new vulnerabilities in the algorithms that keep data secure
Who is this for?
Host
Guest speakers
Transcript
00:14 right i hope we can hear me fantastic
00:18 welcome
00:19 welcome to the university of surrey
00:21 to our
00:23 uh the surrey center for cyber security
00:26 our first
00:27 real event which is a hybrid event and a
00:30 joint event
00:32 and there's an annoying echo in the hall
00:35 so we have a real audience and we have
00:36 an online audience
00:38 so if if you catch people actually
00:40 looking off to stages
00:43 france center is because we're in the
00:44 real world so it's really good to see
00:47 the people in this lecture theater and
00:49 it's really good to see the numbers that
00:51 we've got online
00:53 so
00:54 as i said a joint
00:56 hybrid event so we're delivering this
00:58 both in real and online uh we've also
01:01 got joint hybrid speakers so we've got
01:03 some real speakers here we've also got
01:05 some speakers online who will be
01:07 talking a really exciting topic
01:10 and before we dive into that i just want
01:12 to remind everyone
01:14 uh the covid precautions so we gave
01:16 everyone notes for that
01:18 try remember to wear your masks when
01:19 you're moving around master okay when
01:21 you're sitting down when you're eating
01:22 drinking or presenting otherwise try and
01:25 keep masters what we do at the
01:26 university and what we encourage our
01:28 students to do
01:31 without further ado i'd like to
01:33 ask our two
01:35 joint sponsors so professor steve
01:37 schneider and martin smith of the sasig
01:40 so i'm going to ask steve to kick off uh
01:42 with a a couple of slides about
01:45 the university of surrey's cyber work
01:49 steve
01:55 thank you andrew
02:00 so i'm delighted to uh welcome you to
02:03 this uh this hybrid event this is
02:06 the first first of these future of cyber
02:08 security events that we're doing
02:11 for real and so welcome to everyone
02:13 who's
02:14 uh who's physically here and also
02:16 welcome to everyone who's tuning in
02:18 online
02:19 so i'll just say a few words about the
02:22 surrey center for cyber security
02:26 so i'm the the director
02:29 steve schneider
02:30 and
02:33 we we've been here at the university
02:36 as the center for cyber security um
02:39 for well there's been security work
02:42 going on here for nearly two decades we
02:44 set up these at the center in 2014 to
02:46 consolidate cyber research from across
02:49 the the university
02:51 and currently we have about you know
02:54 over 40 academics and researchers
02:57 in the group doing um doing research
02:59 into various aspects of cyber security
03:02 we've got recognition from the national
03:05 cyber security center as an academic
03:08 center of excellence
03:10 both in cyber security research we've
03:12 had that since 2015
03:14 and also more recently in cyber security
03:17 education so we've got a gold level uh
03:21 recognition of that we had that from the
03:23 inaugural um
03:25 and the inaugural um
03:28 roll out of of the acse
03:30 recognition since 2020 we're only one
03:33 one of only four universities that has
03:35 that
03:36 and then we also have a masters in
03:39 information security that's accredited
03:41 by gchq
03:43 and we contribute into standards work
03:46 and i'll just talk a bit about some of
03:47 the
03:48 research areas that we that we cover
03:51 so in terms of our expertise we focus on
03:54 uh well foundations and applications so
03:56 in terms of foundations we look at
03:59 trusted systems systems that are
04:01 resilient um secure privacy and so on so
04:04 we work in areas like verification
04:07 that's
04:08 proving that that systems meet
04:10 particular security
04:12 properties distributed systems for
04:14 resilience
04:15 one of the specialisms of that we've
04:17 been involved in for some time is in
04:20 blockchain and distributed ledger
04:21 technologies
04:23 and then we have
04:24 some strong activity in communications
04:27 and networks and in conjunction with
04:29 the 5g innovation center also at surrey
04:32 more recently we've been looking at
04:34 aspects of social media and how
04:37 how you have to worry about the flow of
04:39 information and the ways in which that
04:41 can be misused
04:42 and we have a very strong group in
04:45 applied cryptography so that's also one
04:46 of our specialisms
04:48 um and that's it that includes the
04:51 post-quantum cryptography work that um
04:54 the today's event is about so that's one
04:57 of the areas that we're um that we
04:59 specialize in and that's what you know
05:02 in part what's led to the topic for for
05:04 today so you'll be hearing more about
05:05 that particular aspect of our work in um
05:08 in the talks coming up in the first talk
05:10 coming up
05:13 and then in terms of the
05:16 application areas the application
05:17 domains
05:19 we
05:20 take these these foundations and we
05:21 apply them in particular areas and the
05:24 areas that we focus most strongly on are
05:26 in transport that's both rail and
05:29 automotive so various security aspects
05:32 um in there
05:33 government so things like electronic
05:35 voting
05:36 digital identity distributed ledger
05:38 technologies use uh use there so that's
05:41 another application domain
05:43 communications i've already mentioned
05:46 clearly very strong security
05:47 requirements in communication systems
05:50 and in finance so electronic payments
05:53 fraud detection uh transactions uh
05:56 digital economy
05:57 so those are the main application areas
05:59 that we work in so we
06:01 look at the stack from foundational
06:04 research through to um through to
06:06 application domains where we
06:09 make a real difference so just one
06:11 example of of this
06:13 in the news recently you may have seen
06:15 in the last couple of weeks
06:16 an attack
06:18 on
06:18 the way in which visa and apple pay um
06:21 interact so we have
06:23 um so this just just broke
06:26 a couple of weeks ago and here is the
06:28 the front page of the bbc website
06:30 website and there's this
06:32 um this news article on researchers find
06:34 apple pay a visa contactless hack and
06:37 you can see on the on the you know front
06:39 page it's even above britney spears at
06:41 that time um really really their top
06:43 story for uh for a while uh that was
06:45 researchers at surrey in conjunction
06:48 with
06:49 colleagues in birmingham discovered this
06:52 at this attack and it's made about 300
06:54 news outlets around around the world so
06:56 this is a way in which
06:58 a
06:59 contactless
07:00 payment transaction can be undermined
07:02 and money can be taken taken out of um
07:06 out of the phone that's got this enabled
07:07 even um even without needing to unlock
07:09 the phone so you know this is a an
07:12 example of the kind of work that that's
07:14 going on here in kind of protocols and
07:16 finance and in fact two of the two of
07:18 the team uh lee and also chris uh here
07:21 in the audience at the moment and joanna
07:23 mariano is the kind of lead from from
07:26 surrey on that so i'll just
07:28 show this as an example of some of the
07:30 research that that goes on here that
07:33 makes makes an impact um out in the real
07:35 world
07:37 so that's all i'm going to say about um
07:40 about the surrey center for cyber
07:41 security
07:42 so now for our co-host
07:45 um martin smith who's going to tell us
07:48 something about the sasig sasig have
07:49 been a wonderful organization to work
07:51 with um here's martin the founder and
07:53 chairman of sasig yeah i've got an echo
07:57 i'm hoping that
07:59 there's about a hundred more people plus
08:01 watching this
08:02 through that screen so hello everybody
08:05 um i don't know is that all working okay
08:09 do we know
08:10 it's perfect well welcome everybody um
08:13 oh i've got some buttons
08:16 i confidently said i knew how to use
08:17 this at the beginning so i'm hoping i
08:19 can
08:20 um yeah
08:23 the cyber security uh sorry the security
08:25 awareness special interest group is a
08:28 networking forum for
08:30 pre-covid it was three and a half
08:31 thousand post
08:33 now it's six thousand um it's grown
08:36 tremendously during the pandemic because
08:39 we went online
08:40 and we've been doing presentations
08:42 online
08:43 uh every day since march 20.
08:46 to cyber security professionals
08:49 was uk may now
08:51 around the world
08:52 it's a cso chief information security
08:55 officer safe zone it's where cyber
08:57 security professionals academics
08:58 government
08:59 suppliers can come together and talk
09:02 with each other about cyber security
09:03 issues
09:05 it's sponsored by a number of
09:07 organizations
09:08 both public sector private sector uh
09:11 corporates suppliers a right mix
09:15 but it's it's a no selling environment
09:17 it's it's a genuine think tank that
09:20 encourages us to address the issues
09:22 which is why i'm so pleased to be here
09:24 today with andrew and steve
09:27 um the opportunity for our community to
09:30 consider things like i know you are
09:32 about where things are going in the
09:33 future is fabulous and i i think we're
09:36 talking about doing more of these
09:37 already
09:38 um so something like today's topic is is
09:41 fascinating and i'm really really
09:42 pleased to be here
09:44 um just as a snapshot next week the week
09:48 after
09:49 all sorts of topics three times a week
09:51 if anybody wants to join in doesn't know
09:53 about sasig go to our website um and
09:56 join us it's all free everything's free
09:58 with the sasig and we cover every topic
10:01 we can possibly think of um that one at
10:03 the bottom there is just the importance
10:05 of being courteous with each other with
10:06 nice with each other when we're doing
10:08 business
10:09 um those are the sorts of issues that i
10:11 like to think about rather than just the
10:13 straightforward
10:14 difficult techy stuff
10:17 yeah we've got the national police
10:18 chief's council uh which is the old acpo
10:21 if you remember the association of chief
10:23 it's all the forces in the country
10:24 coming together
10:26 we've got a major event there if anybody
10:28 wants to come to that it's a real event
10:30 the kia in oval
10:32 that's a free event as well that's where
10:35 we're trying to get the police law
10:36 enforcement to work more closely with
10:38 business to help fight cyber crimes all
10:40 good stuff i think
10:42 thank you for being here
10:44 for inviting me here today uh it's a
10:46 pleasure to be here
10:47 um as i said there's loads of sasig
10:49 people out there that know me if you
10:51 don't know sasig please join in it's uh
10:54 it's a great way to think about the
10:56 whole cyber security conundrum
11:03 thanks martin i thought he was bravely
11:05 going to start giving lee's uh
11:07 presentation
11:09 post quantum cryptography i was looking
11:10 forward
11:15 um so now it gives me great pleasure to
11:17 invite our own professor chen to um
11:20 kick off the presentations now you're
11:22 doing this as a joint presentation with
11:24 one of your colleagues who's going to
11:25 kick in remotely so we're really
11:26 pushing the boundaries here you've got
11:28 half a presentation in the real and half
11:30 online and so we hope we get that now
11:33 i'm lee chin chen
11:35 and and join with me i have two
11:38 colleagues from huawei sylvia and the
11:40 roberto they are in munich
11:44 and sylvia will join me for half of the
11:47 presentation and for roberto you will see
11:51 his demos
11:53 and after our
11:55 panelists discussions
11:58 okay let's start
12:00 the talk is about
12:02 post-quantum cryptography and the future
12:06 of trusted computing
12:12 as you all know for cyber security we
12:15 have three major aspects
12:19 security privacy and trust
12:22 security and privacy
12:24 are well known probably people have
12:27 talked about
12:28 them a lot
12:30 and trust
12:32 is
12:34 getting there getting popular and draw a
12:37 lot of attentions recently but
12:40 much less
12:43 mature
12:44 or the
12:45 the well used
12:47 in the world
12:50 what do i mean trust for computer
12:54 security trust means trusted
12:57 computing
12:58 so trusted computing is try to solve
13:02 a problem
13:03 which let the people generally
13:07 believe
13:08 their computer system behave like they
13:11 supposed to be
13:14 it's a
13:15 very
13:16 simple
13:17 straightforward question whether my
13:20 computer actually do what i think it's
13:23 doing
13:24 but this question is not easy to answer
13:30 trusted computing researcher has
13:34 have been doing it for over 20 years try
13:37 to solve the problem
13:39 we actually get solution at least i
13:41 believe
13:44 but
13:44 we are still
13:46 looking for people i use it to benefit
13:49 from it
13:51 so we want to our computer
13:54 to
13:55 to be uh correctly functional
13:58 including our personal device which like
14:01 pcs phones and
14:04 cars even
14:05 and we also want to our remote services
14:08 doing correctly like a bank
14:11 the shops and any cloud service
14:15 providers
14:16 they use their computer systems
14:19 and more recently we also
14:23 consider not only individual device
14:27 individual computer should be
14:30 trustworthy but also the whole system
14:34 including like networks
14:37 for example the swan network
14:41 should be trustworthy
14:45 to build a trusted computing system
14:48 number one things we need to do
14:51 is to choose
14:53 a root of trust
14:56 we need to start from somewhere
14:58 yeah
14:59 so root of trust is
15:02 the first point
15:05 actually we have already seen a lot of
15:08 trusted devices
15:10 they are designed to serve as a root of
15:13 trust
15:16 i'm sure you have heard some of them if
15:19 uh if not all of them
15:21 like
15:22 uh trusted platform module tpm and sgx
15:27 trustzone
15:29 theta
15:30 parental
15:32 c2
15:35 pc m and tc tbcm those are probably only
15:40 available in china
15:42 and
15:43 the very first one is telus's
15:48 hsm i'm sure aginware
15:51 will be able to tell us much more about
15:54 how the
15:56 hsm is used at the root of trust
16:02 let's take a tpm as an example
16:06 tpm also from the uh
16:10 designer tcg the trusted
16:13 computing group which is an industry
16:15 standard body specified tpm
16:18 specifications
16:19 from their point of view tpm
16:22 could be
16:25 everything so not only hardware could be
16:28 the
16:28 firmware or software but the essential
16:32 version of tpm is a very small
16:36 cheaper hardware device
16:39 it is embedded in many of our computers
16:44 particularly for the personal pc
16:47 and a lot of servers as well
16:50 tpm provide a lot of security functions
16:55 the number one security function is
16:58 called attestation service
17:00 so what that means that means tpm
17:04 sitting inside of a computer
17:07 measure the state of the computer report
17:10 the state let anybody no matter
17:14 is local or remotely to verify the state
17:19 so this measurement reporting and
17:21 verification solutions is called
17:25 an
17:25 attestation service
17:31 tpm actually work as a cryptographic
17:35 co-processor we also say tpm is a crypto
17:39 engine
17:42 tpm supported
17:44 various crypto algorithms
17:47 basically including asymmetric
17:50 encryption symmetric encryption digital
17:53 signatures
17:54 anonymous digital signatures like a
17:57 direct anonymous attestation
18:00 daa
18:02 and also message authentication code
18:06 hash function and the key exchanges
18:10 so these slides list
18:12 the algorithms currently tpm support
18:18 but
18:19 when a large-scale quantum computer
18:22 became a reality
18:25 many algorithms from tpm
18:28 will be broken
18:30 so that means
18:31 in quantum computer age
18:34 today's tpm
18:36 will
18:37 not survive
18:38 from quantum attack
18:43 what can we do
18:46 we need a smooth transition
18:49 from today's tpm
18:51 to a future tpm
18:53 that will be secure
18:55 against quantum computer attacks
18:59 that is exactly what the project names
19:03 talk about future tpm
19:06 so future tpm
19:08 is a eu h2020
19:12 project
19:13 so the project including 15 partners
19:17 from 10 different countries
19:20 and both
19:22 surrey and huawei are partners
19:27 so surrey played the technical
19:29 leading role in this project and huawei
19:33 is a very important
19:35 industry
19:36 demonstrator create
19:39 yeah we both join
19:41 this project
19:44 make our
19:46 contributions
19:48 so project start
19:50 in the beginning of 2018 for three years
19:55 so you can tell project project
19:58 have completed but even so the research
20:01 is still ongoing
20:07 future tpm has a very simple target
20:11 we want to design a quantum resistant
20:15 trusted platform module
20:17 so that's what we called qrtpm
20:22 but the project also have a list of
20:25 operations
20:26 of the objectives
20:29 that include a full set of qr
20:33 cryptographic algorithms
20:35 which should be targeted
20:38 for inclusion in the next generation of
20:42 tpm
20:43 then a
20:45 full range of implementation of tpm
20:48 environment
20:49 so we would like to
20:51 test our algorithms in different tpm
20:55 environment including hardware software
20:58 and virtual machines
21:01 so we also check a runtime assessment
21:04 and the real world user case
21:07 we have three real world user case
21:10 they are the
21:11 mobile payment
21:13 and
21:14 personal activity track and the device
21:17 management
21:18 so device management
21:21 is the one we're going to take example
21:23 to introduce
21:25 you
21:26 in this presentation
21:28 so this
21:30 user case
21:32 was led by my colleagues
21:35 from huawei
21:36 they are sylvia and roberto that's
21:39 why they became involved in our in this
21:43 presentation and i will let sylvia
21:46 introduce
21:47 this work this user case
21:50 and you will have chance to see the
21:53 demonstration by roberto later
21:56 okay sylvia you must be somewhere
22:00 yes now the floyd
22:04 thank you lee and um
22:06 good afternoon to everyone
22:09 hi my name is sylvia vlasiano
22:11 leading trusted computing and system
22:13 integrity research at huawei in the
22:16 research center
22:18 and i'm glad to introduce to you our
22:20 contribution to the future tvm project
22:26 as lee mentioned huawei has been
22:28 responsible for the device management
22:30 use case
22:31 which we have modeled on the scenario of
22:34 an enterprise network infrastructure
22:37 this is of course a very familiar
22:39 scenario for huawei as we are also
22:43 one of the biggest providers of
22:45 telecommunication infrastructure
22:48 our enterprise network
22:50 selected for this demonstrator is
22:52 composed of network elements
22:54 particularly routers
22:57 a network management system or nms
23:00 as well as
23:02 endpoints such as laptops and servers
23:06 you can see on the right side of the
23:08 screen
23:09 a diagram which tries to convey
23:12 the relationship between the routers and
23:13 the nms
23:15 practically
23:16 the nms is controlling all the routers
23:19 in the system and is periodically
23:22 monitoring their activity
23:24 sending to them management commands in
23:26 response to certain network events
23:29 our goal with this demonstrator is to
23:31 leverage trusted computing and the
23:33 quantum resistant tpm researched in the
23:36 future tpm project
23:38 to influence the routing policy in the
23:40 network
23:41 so that the traffic goes as much as
23:43 possible through trustworthy routers
23:46 only
23:50 so
23:51 why would we need future tpm for our
23:53 scenario
23:55 that is because without hardware
23:57 anchored protection current network
23:59 management solutions have significant
24:01 weaknesses
24:03 these solutions would benefit from the
24:06 introduction of trusted computing and
24:08 future tpm technology to address the
24:10 following aspects
24:11 first weak device identification
24:14 in general the device key is stored in
24:16 these routers or in traditional network
24:19 devices in the device storage on the
24:21 disk and pretty much unprotected
24:25 also software integrity is not monitored
24:29 for example a compromised router could
24:31 ignore management commands sent by the
24:33 nms
24:34 or could influence the routing protocols
24:37 in the network in order to
24:39 mount an attack
24:41 without a trustworthy detection
24:42 mechanism by the network management
24:44 system an attacker can continue to
24:46 perform his actions and the nms and its
24:49 administrators would just assume that
24:51 the router is not compromised
24:54 besides software
24:56 data integrity and confidentiality is
24:58 not monitored either and in particular
25:02 data is often stored in plain text and
25:04 integrity is not verified on the device
25:07 this means that
25:09 when accessed it can
25:12 if it's compromised data can compromise
25:14 uh the actual operation of the entire
25:16 router
25:18 last and certainly not least
25:20 telecom equipment has a very long life
25:23 span of more than 10 years and sometimes
25:26 close to 20 years this means that
25:29 existing product architectures
25:32 must be able to switch to quantum
25:33 resistant algorithms
25:35 when quantum computing becomes practical
25:38 or of course when
25:40 regulations and standards
25:42 mandates so
25:50 after
25:51 introduction of trusted computing in the
25:53 future future tpm technology
25:55 the device management demonstrator will
25:57 offer the following features
26:00 first
26:01 strong hardware based identification
26:04 for this we would leverage the
26:06 endorsement keys and attestation key
26:09 that we find in the tpm
26:11 and these will be used to make sure that
26:14 every device has a unique hardware bound
26:16 identity that cannot be forged and
26:18 cannot be copied so we can always be
26:20 sure that we talk to the right device
26:24 second
26:25 we will have comprehensive integrity
26:27 verification or civ
26:29 this is huawei's solution for providing
26:32 load time runtime and offline integrity
26:36 for the programs for the applications
26:39 and the data on the on the router
26:42 and it allows us also to have coarse
26:45 grain runtime integrity
26:47 protection and detection capability
26:50 for
26:51 the main processes that run on the
26:54 system
26:56 based on comprehensive integrity
26:57 verification and hardware identification
27:01 we will be able also to provide secure
27:03 zero touch provisioning to the routers
27:05 this means that when a router will be
27:08 added to the network
27:10 there is no need to rely on a trusted
27:13 operator human operator
27:15 to configure the router or to set up
27:19 trust relationships or even worse to do
27:22 trust on first use for communicating
27:24 with the router
27:27 in the
27:28 precise focus of this event
27:30 we will also offer integration with
27:33 quantum resistant tpm and use of quantum
27:36 resistant algorithms in the entire stack
27:39 and based on all these four features we
27:42 will be able to provide finally trust
27:45 aware routing decisions so that the
27:48 network management system can define the
27:50 routing policy in the network based on
27:53 trustworthy information and not based on
27:56 simple assumptions of trust
27:59 according to the focus of this workshop
28:00 and in the interest of time i'll focus
28:03 today only on the quantum resistant
28:05 crypto related work that we have done in
28:07 this demonstrator
28:13 in this slide we are
28:15 outlining the demonstrator setup with
28:17 the software stack
28:19 each component
28:21 is placed in a separate virtual machine
28:23 on top of a hypervisor
28:25 and
28:26 these components such as the nms the ra
28:29 server the routers and
28:32 a test client and web server are
28:35 communicating among themselves through
28:37 virtual bridges
28:38 this
28:39 virtual platform allows us to leverage
28:42 the software tpm that has been
28:45 the software quantum resistant tpm that
28:47 has been implemented by one of our
28:49 project partners
28:50 as virtual tpm so we would be able to
28:53 validate
28:54 both scenarios related to traditional
28:56 telecom infrastructure but also to
28:58 virtualized infrastructure such as for
29:00 example nfv or network function
29:03 virtualization
29:05 these components practically behave like
29:09 real routers leveraging the tpm just
29:11 like it would be a physical tpm
29:21 here we are summarizing the
29:22 modifications that we have made to the
29:24 software tpm to work in a virtualized
29:27 environment
29:28 on the right side we see the software
29:30 tpm and the lib tpms components that are
29:34 the back end of the virtualized software
29:36 tpm
29:37 the front end is exposed in the virtual
29:40 machine on the right side
29:42 one of the problems is that
29:44 virtualization components assume that
29:46 the maximum size of tpm commands is 4096
29:50 bytes which is not true anymore with
29:52 quantum resistant tpms because
29:55 the commands need to be bigger to
29:57 support the longer key lengths and
30:00 parameters
30:02 thus the components with green label
30:05 have been modified to have a larger
30:07 buffer to store and to transfer tpm
30:09 commands and responses
30:12 between the back end and the front end
30:15 in addition
30:16 components interacting with the quantum
30:18 resistant tpm
30:20 the the components with orange border
30:22 also needed to be modified to use the
30:25 new definition of some tpm structures
30:27 for example
30:29 some
30:30 16-bit integers have been replaced with
30:32 32-bit equivalents
30:35 finally openssl
30:37 has been modified to support quantum
30:40 resistant algorithms for non-tpm crypto
30:43 operations such as for example tls
30:46 channels
30:53 here we are
30:54 giving a few details into the
30:56 performance evaluation of the quantum
30:58 resistant tpm
31:00 it is practically highlighting the
31:02 various phases of the demonstrator life
31:05 cycle and of the router operations
31:08 and you see here the router boot time
31:11 which is when the
31:13 router is loading software and software
31:15 is measured and measurements recorded in
31:17 the tpm
31:18 as well as a number of key creation
31:21 steps an attestation key that is used to
31:24 sign
31:25 measurements taken during the boot time
31:27 as well as tls key creation for setting
31:30 up trusted channels with the management
31:33 we also have a tls connection step
31:36 that we highlight and as well the
31:38 operation the tpm operation called quote
31:41 which is reading measurements from the
31:43 tpm and providing them signed for a
31:46 verifier
31:48 what we can see from the numbers is that
31:51 when there is intensive usage of the tpm
31:54 the time of completion of a phase is at
31:57 least three times slower than when when
32:00 we use the quantum resistant tpm
32:02 in some phases such as the router boot
32:05 we don't have so much impact because we
32:07 don't use asymmetric crypto
32:09 however in the other phases we have this
32:12 impact
32:13 still we don't create keys all the time
32:17 and we don't create tls connections all
32:19 the time so the impact is not actually
32:21 as high in real
32:26 life here we also have a slide which
32:30 shows the evaluation of tpm performance
32:34 practically
32:36 oh i think
32:38 yeah
32:39 here we also see the evaluation of the
32:41 quantum resistant tpm performance
32:43 compared with the tpm 2.0
32:46 according to each tpm command that we
32:49 are using
32:50 what can be seen again the commands are
32:52 listed according to the phases that i
32:54 showed earlier is that each individual
32:56 command is actually
32:58 on average 10 times slower with a
33:00 quantum resistant tpm
33:10 reaching the conclusions
33:12 the lessons learned from this
33:13 demonstrator are that
33:15 migration from tpm 2.0 to the quantum
33:18 resistant tpm is feasible and it is
33:21 fully compatible with the system
33:23 integrity use cases that we have for
33:25 trusted computing
33:27 also the performance impact despite
33:29 being
33:30 reasonably high at the
33:32 at the individual level of the
33:34 operations it is in the
33:36 entire solution reasonable and we expect
33:39 that it can only be improved with real
33:42 life implementations
33:44 also tpm and trusted computing are again
33:47 validated as a foundation for system
33:50 security and this time in network
33:52 infrastructures
33:53 and also new trust-based use cases such
33:56 as trust aware routing can be built on
33:59 top of them
34:01 last but not least quantum resistance
34:03 must be implemented across the entire
34:06 trusted computing stack
34:08 from the tpm firmware itself to the
34:10 crypto libraries and to the tls
34:12 connections that are used in
34:14 communications because as we know
34:17 security is as strong as our weakest
34:20 link so therefore we need to make sure
34:22 that across the entire stack we have
34:24 quantum resistance
34:28 my last slide would be about a few
34:30 industry thoughts
34:32 about migrating to a quantum resistant
34:35 world
34:37 huawei is a device vendor first of all
34:40 and what i can say is that device
34:42 vendors can implement quantum resistant
34:44 cryptographic standards once they will
34:46 be available however we need to realize
34:50 that long life devices manufactured
34:52 today
34:53 will need to comply first with today's
34:55 standards and national regulations
34:58 still
34:59 they would need to survive in expected
35:02 quantum computer times perhaps 10 plus
35:05 10 or more years later
35:07 and this while always remaining
35:09 compliant to the regulations of the day
35:13 this makes the so that migration path to
35:16 quantum resistant cryptography is not a
35:18 very easy one
35:20 there are uh the various national
35:22 organizations such as the nist the
35:25 german bsi or the national cyber
35:28 security center in the uk have put out
35:31 certain migration guidelines
35:34 that are useful
35:35 mostly for customer organizations
35:37 however there is not so much guidance
35:39 useful for the vendors that produce
35:42 devices
35:43 in
35:44 in the case of the vendors we are uh
35:47 often looking at hybrid approaches in
35:49 which we would use quantum resistant
35:52 cryptography as well as non-quantum
35:54 resistant cryptography in a combination
35:57 so that we get the best of both worlds
35:59 or at least that that would be the hope
36:02 however this is a sub-optimal solution
36:05 it has cost disadvantages and it impacts
36:08 the performance as well as making it
36:11 more complex to manage the devices
36:14 what's most challenging in my opinion is
36:18 to migrate the hardware anchored roots of
36:20 of trust to quantum resistant primitives
36:23 and that is because
36:25 while for software we could imagine
36:28 cryptographic agility which allows us
36:30 with the software update to change the
36:32 cryptographic algorithms that are used
36:35 this is not really an option for roots
36:37 of trust that rely on immutable
36:39 algorithms and keys practically fixed in
36:42 hardware
36:43 and
36:44 one of the biggest challenges that i
36:47 would expect to to have is
36:49 how we can
36:51 recover in case one of the chosen
36:54 quantum resistant algorithms or its
36:56 implementation is later found to be weak
36:59 and i'm referring to these hardware anchored
37:01 roots of trust
37:02 so that's why i believe we need to
37:05 rethink cryptographic agility into a
37:07 more comprehensive concept and i would
37:10 call that cryptographic resilience which
37:12 would be the ability
37:14 to
37:15 change the cryptographic
37:17 primitives at the lowest level of our
37:20 roots of trust at our
37:22 security foundations in case we would
37:25 have the need
37:27 and with this i conclude my part of the
37:29 talk i would invite you to follow our
37:32 demonstrator after the the event it will
37:34 be played as a video and i hand over
37:37 back to lee thank you
37:39 thank you
37:44 all right
37:45 let's see what
37:47 future tpm
37:48 project and
37:51 tell us
37:52 the project at least from my point of
37:55 view
37:56 is run at just the right time
38:00 because the quantum
38:03 computer is coming although we don't
38:05 know when yet but we believe it's coming
38:08 and
38:10 post-quantum cryptography research
38:13 is
38:15 is getting popular
38:17 and the more applications from other
38:20 side is
38:21 more application about trusted computing
38:24 devices like a tpm
38:27 is also developed and the tpm is
38:30 embedded in
38:32 very large number of computers is pretty
38:35 much everywhere even for those computers
38:38 they are not
38:40 have a specific chip called tpm but they
38:43 have a different names
38:45 chip with similar functions
38:48 so that means the time is correct
38:51 but also the project faces
38:53 a very big challenge
38:56 because the quantum resistant
38:58 cryptography is not yet mature
39:01 it's still in a very early stage
39:04 particularly
39:06 the standardization work in this field
39:09 is just the beginning and nist is
39:12 leading the this
39:15 quantum post-quantum crypto activities
39:18 but we still need to wait a few few
39:21 years for nist to select the first set of
39:25 algorithms
39:27 so
39:28 that means
39:29 we cannot wait we have to
39:33 make our actions the project
39:36 is
39:37 now complete but
39:40 our work is still carry on
39:45 we actually find there are bigger bigger
39:48 room
39:49 to improve our work
39:52 including algorithms design
39:55 implementation
39:57 as serial
39:58 indicated
40:00 the algorithms we choose is still much
40:03 slower than today's computer so we need
40:08 improve the algorithm design and
40:10 implementation
40:12 we also need to
40:15 work closely with standard bodies and
40:19 try to find what we can
40:22 recommend to industry and our
40:25 the users
40:27 so for our
40:29 the project partners we closely work
40:32 with nist some of our partners are
40:35 involved in the
40:37 nist pqc competition some of us involved
40:40 in tcg and in iso iec standard
40:45 the last thing is
40:47 we
40:48 strongly feel we need more
40:51 research
40:52 projects to carry on our mission
40:56 luckily we got a few other fundings
41:00 in this field
41:01 one eu project called a suit that is
41:07 using trusted computing technology
41:10 to
41:11 enhance security in ict systems so this
41:16 is another three years project funded by
41:19 eu and we have 14 partners from 10
41:23 different
41:24 countries
41:25 we have interesting user cases as well
41:29 this is including smarter manufacturing
41:32 smart cities smarter aerospace and
41:36 smarter satellite communications
41:40 we have another project which is
41:42 recently started
41:45 this is also h2020 project
41:48 called the second
41:50 that is
41:51 to build the security and the privacy
41:54 solution
41:55 for internet of things device
41:58 this is also three years project started
42:02 on september this year
42:05 so we have 20 partners from 10 european
42:09 countries
42:13 in this project our user case is focused
42:17 on healthcare security
42:21 data protection
42:23 so we set up
42:25 some special user case
42:28 in the healthcare ecosystem
42:36 although we have
42:38 a very good research team and put a lot
42:42 of
42:43 a lot of effort in this area
42:46 but we still strongly believe
42:49 there are many challenges
42:51 for secure computing
42:53 trusted computing the
42:56 research
42:57 so
42:59 in one on the one side we need to build
43:03 a strong root of trust
43:05 in the other side we need to find
43:08 a
43:09 a right attestation service
43:12 and also we have to face challenges for
43:16 trusted computing practice although tpm
43:20 and the various
43:21 uh trusted devices
43:23 have been embedded in our computer
43:26 sitting there but not actually many
43:29 people notice them many people use them
43:31 we need to build a lot a lot of
43:34 applications and we also need to let the
43:38 user knows how to use them hopefully
43:41 those applications we will they are
43:44 robust enough and they are
43:46 flexible enough
43:48 ideally they are transparent to users
43:51 they will not have to be noticed but
43:53 they just benefit from that
43:56 i think that's all
43:58 we need to talk
43:59 thank you very much thank you savior
44:02 thank you roberto
44:04 thank you professor chen
44:08 and thank you sylvia um online we did
44:11 get all of your slides and your voice it
44:12 was it worked faultlessly um so
44:16 please be reassured i know how awful it
44:17 is giving a webinar to a blank screen
44:19 and wondering if you've still got an
44:20 audience um just a reminder to the
44:23 people
44:24 online we have about 100 viewers online
44:27 to put your questions
44:28 into the q a we're going to deal with q
44:30 a at the end we're going to have a panel
44:32 session rather than do them presentation
44:34 by presentation so we've had a couple of
44:36 questions already in uh keep asking
44:39 questions we'll store them up and then
44:40 we can give deliver them to the whole
44:42 panel um for those in the audience here
44:44 write down your notes uh remember that
44:46 question you're going to ask because by
44:48 the end of the presentations you'll be
44:51 wondering what what you were thinking of
44:53 earlier so uh keep remembering those uh
44:56 now for our next one it gives me great
44:57 pleasure to uh invite uh adrian waller
45:00 from thales uh adrian over to you
45:04 see if this works
45:08 okay so hi everybody i'm adrian waller
45:10 from thales
45:12 so i'm going to
45:14 give a fairly short presentation so the
45:16 main aim of this is to firstly introduce
45:18 why is post-quantum cyber security
45:20 relevant for thales as a company
45:23 and
45:25 then what have we done about it and
45:26 where have we got to
45:28 and then at the end it's a
45:30 little bit into where we see the main
45:32 gaps going forwards or where we think
45:34 more research and work needs to be done
45:37 so firstly um you may or may not have
45:39 come across thales maybe you have um so
45:42 we are a large
45:43 multinational engineering company so the
45:46 main thing is that we we make things and
45:48 integrate things
45:50 we work in these areas
45:54 so the first one is digital identity and
45:56 security is the most obvious area where
45:58 post quantum
45:59 matters because this is the part of the
46:01 business that makes cryptographic
46:03 products and i'll give a slide on that
46:05 in a minute
46:06 um
46:08 but all of the other areas that we work
46:09 in uh will be significantly affected by
46:12 the problems of a working quantum
46:15 computer that can break the algorithms
46:17 that we use today
46:19 so the main issues that we have is
46:21 all of these systems that we produce for
46:23 say defense aerospace etc tend to be
46:26 very long-lived um it's not unusual to
46:29 have um systems
46:31 in place for 40 years
46:33 so if we are thinking now of building
46:35 such a system
46:36 and that's well within the time frame of
46:38 you know working quantum computers etc
46:40 so we really need to know what we're
46:42 going to do about it for those
46:44 and the other big issue is that not only
46:47 that
46:47 they are quite hard to change
46:49 so it's not a case of i will just wait
46:51 and see and then we'll just swap
46:53 something out and that's fine
46:55 these things you know for various
46:57 reasons mainly because a lot of them are
46:58 safety critical they are hard and it's
47:02 generally unwise to make a lot of
47:03 changes to them
47:05 so this is definitely a pressing matter
47:07 for this
47:09 in all of these areas
47:11 just a quick slide on the kind of the
47:14 crypto products bit so um the main thing
47:17 to note here is that it's very wide and
47:19 varied
47:20 so we do lots of different things that
47:22 range from um
47:24 very high performance um hardware
47:26 security modules and encrypters that sit
47:28 in you know data centers etc
47:31 and down to really small things and in
47:33 particular things like sim cards um
47:35 e-sims that sit in your mobile phones
47:37 where so
47:39 very varied and
47:40 how you make use of post quantum
47:42 algorithms etc is very different in all
47:44 of these situations
47:49 so firstly slide on so i'm from thales uk
47:52 research
47:53 so based in reading so this slide is on
47:57 what we've been doing in this area since
47:59 in fact 2013 is when we first started
48:01 working on this
48:03 um
48:04 our main focus is on not developing new
48:06 algorithms that's not the thing that we
48:08 do
48:09 we're very interested in
48:11 can we use those algorithms in our
48:13 products and services etc
48:15 and in particular this second bullet
48:17 point
48:18 talk out say industrialization of
48:20 solutions so it's not just about oh
48:23 there's an algorithm um how do we
48:25 actually
48:26 implement make use of that and etc in
48:29 our systems and particularly for thales
48:32 embedded systems is a real focus
48:36 so i've put a few examples of
48:38 bits of work that we've done there so
48:40 just briefly mention
48:41 so as i say since 2013 we've done quite
48:44 a bit of work on analyzing different
48:46 candidates for quantum safe algorithms
48:49 um we had this um european project safe
48:52 crypto from 2015 to 2019
48:56 so in that one we were looking at um
48:58 thales were looking at a satellite use
48:59 case
49:00 and making use of uh quantum safe ipsec
49:03 so we worked out how to
49:05 to do that and implement it and we
49:07 implemented i just mentioned the hybrid
49:09 key exchange using conventional and
49:12 quantum safe
49:13 the idea being that you're kind of
49:14 hedging your bets in case the quantum
49:16 safe algorithms turn out to be not
49:18 secure
49:20 we've done some other bits of work such
49:22 as quantity based quantum safe identity
49:24 based encryption
49:26 um outside of the crypto itself
49:29 an interesting thing is this quantum
49:31 threat assessment so this is how do you
49:33 determine
49:35 how much at risk are you from a quantum
49:37 computer where is it and what might you
49:39 need to do about it so
49:41 we've helped develop like an internal
49:43 methodology for that
49:45 and also we are active in standards and
49:47 in particular the etsi standards group
49:49 here and i'll talk more about that later
49:52 just to mention that one of my
49:53 colleagues is currently secretary of
49:54 that working group
49:58 so in the the wider thales
50:00 i think um two main things to notice so
50:03 um
50:04 even though we in the uk don't do
50:05 algorithm development they do in france
50:08 and one of the candidates for this nist
50:10 competition which is the kind of the
50:12 main competition for developing
50:14 the algorithms that we will use that are
50:16 quantum resistant
50:17 so
50:19 thales is one of the authors of one of
50:20 those candidates falcon
50:23 and
50:24 can you actually make use of quant post
50:26 quantum solutions in products today so
50:29 we have at least one example which is
50:30 this luna hsm um the box you can see
50:34 there um and in the related high speed
50:37 encrypters where um these stateful hash
50:39 based signatures are available as an
50:41 option if you want to use them today
50:47 okay
50:49 so so that's kind of where we are so
50:51 what are the next steps or the main
50:53 challenges
50:57 so
50:58 people have mentioned already today so
51:00 to lee and someone have mentioned about
51:03 um there's a lot of work on developing
51:05 these quantum resistant algorithms
51:08 um the main thing is this nist
51:10 competition in the us which although
51:12 it's the us it's really the de facto
51:14 world um effort in producing these
51:16 algorithms
51:18 um it's now reached it's getting close
51:20 to completion i think it's still got
51:21 another couple of years left
51:23 um but it's reached a stage where we
51:24 have some
51:26 i guess reasonably mature
51:28 um algorithms in these areas and i've
51:30 just listed them up there so
51:32 so it's getting close to completion
51:36 one thing i've noted at the bottom
51:38 something called the
51:40 most of the algorithms are based on the
51:42 the same kind of underlying mathematical
51:44 hard problems the lattice based
51:46 so a potential issue is that are we
51:48 putting say all our eggs in one basket
51:51 and do we need a wide variety so they do
51:53 have some what they call alternate
51:55 algorithms from different categories so
51:57 that may be one area but at the moment
52:00 lattice based
52:00 seems okay
52:02 and from a thales point of view so
52:04 we've tried out all of these algorithms
52:06 probably um and certainly in a wide
52:09 variety of products and in most cases
52:11 from our application point of view
52:13 can it meet the requirements that
52:14 everything is kind of fine really um
52:17 there's no real problems with one
52:19 exception which is my next slide
52:22 what's the main issue from the algorithm
52:24 point of view from our i think it's them
52:26 it's really that the digital signature
52:28 algorithms have
52:29 well relatively large signatures and
52:31 certainly compared to the algorithms
52:33 that we use today
52:34 um in most cases that can be coped with
52:37 and but there are a few cases where it
52:39 doesn't quite meet the application
52:40 requirements so two that we're aware of
52:43 in thales
52:44 so some of the work that we did in thales
52:46 uk was on this satellite use case
52:48 and there the we were looking at the
52:51 command and control channel from the
52:53 ground up to the satellites
52:55 and that channel has very low bandwidth
52:58 so the issue is that sending
53:00 signed messages becomes much much longer
53:03 these signature sizes make a significant
53:05 difference
53:06 so we kind of worked out that it was
53:08 kind of borderline acceptable with the
53:09 current candidates but it's not ideal
53:12 um we noted that uh there is an
53:15 algorithm called bliss
53:16 um which wasn't actually entered into
53:18 the nist competition but funnily enough
53:21 uh then
53:22 met the requirements for that use case a
53:24 lot better so that is one option maybe
53:27 that's a something that should be
53:28 revisited or another alternative
53:32 and the other main area where this is a
53:34 problem is for very limited processors
53:37 and here we're looking at things like
53:38 sim
53:39 and esims or very limited microcontrollers
53:43 and we have found that some of these
53:45 signature candidates in fact
53:47 in some cases all of them can't be
53:48 implemented on some of our platforms um
53:51 this is because of the fact that the
53:52 keys and signatures are much bigger and
53:55 things don't fit in the ram available
53:57 so there are two ways to approach this
54:00 so nist are already aware of some of
54:02 these issues and they have said
54:04 at their last um
54:06 i guess conference that
54:08 they may consider looking at algorithms
54:10 with smaller signature sizes and maybe
54:13 that's a good approach
54:14 um but the other way to look at it is
54:16 that maybe in fact
54:18 um within the next 10 years our hardware
54:21 will improve so this isn't a problem
54:22 anyway um this is probably almost
54:25 certainly the case for things like sims
54:26 that uh you know
54:28 within the time scales that we'll need
54:30 to implement some of these things that
54:31 maybe the hardware will improve that's
54:33 not a problem
54:34 but it's certainly an issue that we need
54:36 to consider
54:41 so looking at a different track so
54:43 slightly away from the algorithms um
54:46 looking at what's happening in the etsi
54:49 this is cyber qsc working group so they
54:52 have a different focus so they're not so
54:54 much looking at
54:55 developing algorithms they're looking at
54:57 how can we use them and what might be
54:58 the issues for industry
55:00 so
55:01 this fits more where i guess well thales
55:03 are mostly focused
55:06 so
55:07 so mainly they are kind of following the
55:08 outcomes of the nist competition but
55:11 producing standards to help us make use
55:13 of those algorithms in real use cases
55:18 so some examples of some of the recent
55:20 work so previous talk mentioned
55:22 migration so there is a technical report
55:24 from etsi
55:26 kind of
55:27 which covers some of these issues of how
55:28 do we
55:29 do this thing of migrating to quantum
55:31 safe
55:33 and i'll come back to that in a second
55:34 at the bottom of the slide
55:36 um there is some work on things like
55:38 this hybrid thing how can we do that so
55:40 if you don't fully trust the quantum
55:42 resistant algorithms you know what are
55:44 ways to make sure we can combine them
55:46 with conventional just to
55:49 give you a bit of breathing room in case
55:50 there's a problem
55:52 um there's some work on a wider class of
55:54 algorithms that nist are not currently
55:56 looking at so identity-based encryption
55:58 in particular
56:00 which
56:00 is not used a lot but it does have some
56:03 important use cases particularly in
56:05 public safety communications
56:07 which is of interest to thales
56:10 and just note the last one that
56:14 they've noted that a lot of the
56:15 information around the algorithms in the
56:17 nist competition is a bit kind of um
56:19 hard to find or it's not all in one
56:21 place so they produced one simple report
56:24 um so if you wanted to find information
56:25 on those algorithms that's where to look
56:29 i think the most important thing from
56:31 i guess my and thales' point of view where
56:33 we think there's a gap is on this
56:34 migration problem and i was really
56:36 interested to see that that was
56:37 mentioned in the last talk
56:39 so
56:40 some work has started so in etsi they're
56:42 looking at a particular use case of
56:44 intelligent transport systems to try and
56:47 look at what are the problems and try
56:48 and work through them of how you might
56:50 do it
56:51 um nist have also noted this and are
56:53 starting an activity um to look at this
56:55 in a much more widely so they're looking
56:57 at wider use cases and what kind of
57:00 tools might be helpful
57:02 and i think i would stress that this is
57:04 probably the big challenge so it's not
57:06 enough to have the algorithms but how do
57:08 we actually work out
57:09 how do we make sure we you know change
57:12 all the systems that we have in such a
57:13 way that's not disruptive and so on um
57:16 to migrate to those
57:20 and my last slide then
57:23 so is just to point out it's not all
57:25 about cryptography when we're thinking
57:26 of quantum computing in cyber security
57:30 i freely admit on this next slide if it
57:32 comes up
57:36 to
57:36 to not to be
57:38 in a slight state of ignorance in um on
57:40 this topic of quantum computing more
57:42 generally but most of the interest in
57:45 quantum computing is not because of
57:47 cryptanalysis and cryptography is
57:49 because of optimization problems machine
57:51 learning etc
57:53 so obviously those um we have those kind
57:56 of problems in cyber security
57:58 um i've just listed a few examples down
58:00 on the from a defender's perspective at
58:02 the bottom so things like detecting
58:04 attacks
58:05 and we have like
58:07 um optimizing your security
58:09 architectures to on
58:11 for against various criteria um at a
58:13 kind of an enterprise level there's you
58:15 know finance investment strategy kind of
58:17 problems
58:18 and there are cryptography related
58:20 problems things like prng construction
58:23 or maybe even side channel analysis
58:26 so
58:27 i think i'll leave this with an open
58:30 question maybe there is
58:31 you know more work on this but uh
58:34 i don't think it's that well known at
58:36 the moment
58:37 how will that affect cyber security and
58:39 the real issue here for me is i think
58:41 you know obviously these things can help
58:43 the defenders and the attackers but in
58:45 you know is there kind of an advantage
58:47 for one or the other or not and and how
58:49 do we work with that in the future
58:52 and
58:53 i think that's it so i've become
58:54 slightly
58:56 early but maybe made up a good time
59:02 [Applause]
59:05 thank you very much perfect timing
59:06 actually um keep the questions coming in
59:08 online so those of you who are watching
59:11 uh keep keep the questions coming in
59:12 we'll catch up at the end uh those of
59:14 you in the theater write them down so
59:16 you don't forget and there's a lot of
59:18 lot of interesting stuff coming forward
59:20 now
59:20 um for our next talk a real pleasure to
59:23 um invite professor tim spiller from
59:26 university of york professor of quantum
59:28 information technologies really looking
59:29 forward to this one
59:31 tim over to you
59:35 afternoon everyone who's here and
59:38 virtual actually this is the second
59:40 event i've been to i went to one in
59:41 glasgow a couple of weeks ago and it
59:43 really is nice to actually
59:45 go to a physical event again
59:47 uh
59:48 what i'm going to do is give you a very
59:51 quick overview of quantum technologies
59:54 and a potential advantage tell you a bit
59:56 about what's going on
59:58 in the uk
59:59 in that and uh
60:01 comment a little at the end about the
60:03 particular impact
60:05 for security some of which you've heard
60:07 already so
60:10 so there's a whole spectrum of quantum
60:12 technologies kind of every quantum
60:15 sorry every technology sector has the
60:17 potential where uh there could be some
60:20 advantage gained and
60:22 the fundamental feature of quantum
60:24 technologies is that they utilize
60:27 some
60:28 fundamental feature of quantum physics
60:31 and there are different ones that
60:32 underpin
60:34 various of the technologies that i'll
60:35 mention in a minute and
60:38 because
60:40 because they utilize fundamental
60:41 features of quantum physics they
60:43 actually manipulate and and whether it's
60:46 communicate store process or whatever
60:48 information in
60:49 uh
60:50 in a rather different way from
60:52 conventional i t
60:54 and in certain cases that means that
60:57 that there is
60:58 a potential if you use
61:00 these properties such as superposition
61:02 entanglement or whatever that you can
61:05 actually do something
61:07 which goes beyond any capability
61:14 so there are advantages that can be
61:17 achieved not everywhere but in some
61:19 places and so people you may well see
61:23 that the term quantum advantage referred
61:25 to in some cases so very quickly
61:28 that's certainly clicked through a few
61:32 okay so the first one
61:33 computing you've already heard mention
61:35 of quantum computing the thing about uh
61:37 quantum superposition is it means you
61:39 can have many different states of a
61:41 quantum system coexisting all in
61:43 parallel at the same time and so hand
61:45 wavingly if those are states of a
61:47 computer you can process many different
61:50 computations
61:51 in an individual device a quantum
61:54 computer at the same time and if you can
61:56 combine all of those parallel
61:58 computations and extract something
62:00 interesting at the end then there is
62:01 potential to significantly speed up and
62:05 in some cases exponentially speed up
62:08 certain uh computations that can be done
62:11 and and you've heard that there are
62:13 there are various things that can be
62:14 done uh there are very positive things
62:16 simulation and modeling and those may be
62:18 done with actually relatively small
62:20 quantum computers cryptanalysis we'll
62:23 come back to that uh and you've already
62:25 heard it mentioned that's a kind of
62:26 threat if you like in in the
62:29 security domain uh and there are so
62:32 there's a whole host of quantum
62:33 algorithms
62:35 that have been devised uh
62:37 at the minute where we are with the
62:39 hardware is that if you like
62:41 there isn't one winner there isn't a a
62:44 particular way forward i'm sure you've
62:46 heard that google and ibm are both
62:48 working on superconducting qubits there
62:50 are other projects pursuing doing
62:52 quantum computing with light you can use
62:54 other bits of condensed matter uh little
62:57 defects in diamond can be used as
62:59 quantum bits so there's a whole host of
63:02 different candidates and there isn't one
63:04 favorite way forward yet and they are
63:06 just at the point where they've
63:08 demonstrated in certain cases and with
63:10 certain problems
63:12 so
63:13 there's still a long way before this
63:14 becomes a threat there's an awful lot of
63:16 work to be done to build quantum
63:18 computers big enough that that threat
63:20 would become real the cryptanalysis
63:22 threat but because of the progress and
63:23 because quantum advantage has never been
63:25 demonstrated at least the threat is
63:27 thought now to be real
63:29 okay so next thing that was computing
63:32 sensing and measurement and things if
63:35 you take quantum states of it might be
63:37 light it might be matter
63:39 then you can potentially uh
63:41 image or sense more accurately than
63:44 you can do
63:45 with the same kind of device if it's
63:48 just a conventional device so that might
63:50 be imaging you might be able to image
63:51 things with greater precision or you
63:54 might be able to sense things such as
63:56 gravity so people uh
63:59 oops
64:02 come on
64:05 yes okay so in the sensing case you know
64:08 this example here if you've actually got
64:10 some some resource where uh
64:13 two light states photons or whatever are
64:15 entangled if you bounce one of them off
64:17 an object and then recombine you may be
64:19 able to
64:21 to resolve things about that object more
64:23 accurately than you could in
64:27 if you were using that light if it's
64:28 like
64:29 in
64:30 in conventional resources and and people
64:33 have thought so probably light and atoms
64:35 are the main candidates for this uh you
64:37 would use light if it's imaging you might
64:39 use atoms if you're trying to sense
64:42 gravitational field variations and
64:44 things like that but you also might have
64:46 little nanomechanical devices that
64:48 vibrate that could be used to sense
64:50 other external fields such as electric
64:53 magnetic fields and so on so
64:55 so the message is that there could be a
64:57 quantum advantage in sensing and imaging
64:59 from constructing new new devices there
65:03 so the one i'm really interested in and
65:05 it's the one that i work on mostly these
65:06 days is communications and
65:10 the idea there that is if one sends
65:14 quantum signals uh
65:17 from
65:17 the usual two people at uh alice and bob
65:20 if one sends quantum signals then if
65:23 anyone tries to intercept those
65:25 the the other fundamental feature of
65:27 quantum physics that kicks in is that
65:29 there will be an irreversible
65:30 disturbance
65:32 and that's not just because they're a
65:33 bit clumsy that's built into nature so
65:35 that's not avoidable even in the future
65:37 that's a fundamental part of quantum
65:39 physics and so you can kind of see that
65:41 if alice sends quantum things to bob
65:43 anyone happens to have a look in the
65:44 middle then they will introduce
65:46 disturbance so you can know that that
65:48 interaction has
65:49 and
65:50 uh the quantum
65:52 medium that we use uh for quantum
65:55 communications is light it doesn't
65:57 necessarily have to be down optical
65:58 fibers although a lot of it is it could
66:00 well be through free space
66:02 and i'll briefly mention both of those
66:04 so so that's a very quick tour of of
66:06 quantum technologies
66:08 because of the potential in 2013 the uk
66:11 government decided to start a whole
66:13 national pro so i'm not going to talk
66:14 through quite a few of these slides in
66:16 detail but i just want to illustrate for
66:18 you that in 2013 there was a big
66:20 investment made
66:22 in the uk which which involved uh very
66:25 many uh
66:27 activities but if you like the
66:28 centerpiece that was set up at that time
66:30 were four technology hubs
66:33 that were pursued that would pursue
66:35 technology development in in the
66:37 relevant uh areas of
66:40 of quantum technology so that
66:42 program was set up started in 2014
66:45 the initial investment was about 270
66:48 million from uk government and that was
66:50 augmented with with uh with various
66:53 other bits and pieces and then there was
66:55 a renewal of the program uh from 2019 to
66:59 2024
67:01 uh with further government money and and
67:03 also a significant proportion of
67:06 industry-funded projects through
67:07 innovate uk where industry makes a
67:10 significant contribution and the rough
67:12 figure now is that over a 10-year period
67:14 there's been an investment of of about a
67:17 billion pounds
67:19 that's including the industry
67:20 contributions as well as uk government
67:22 so it's a very substantial effort and as
67:25 i said the centerpiece is
67:27 is
67:28 in the technology development is really
67:30 the four hubs that were formed and they
67:32 cover pretty much all the technology set
67:34 sectors that i mentioned so there's one
67:36 that basically works on sensors and
67:38 timing and mostly uses atoms and that's
67:42 led by the university of birmingham
67:44 there's one that works on imaging
67:46 so clearly they use light that's led by
67:48 the university of glasgow
67:50 there's a computing and simulation hub
67:53 and and in the
67:55 first phase they focus mainly on ion
67:57 trapping but they've now diversified and
67:59 they include other platforms including
68:01 superconducting qubits and so on and now
68:03 if you like they now have an outlet
68:05 because there is also a new national
68:07 quantum computing center that's being
68:09 built at harwell near oxford so that
68:11 will be a physical building and if you
68:13 like that will be one tech transfer
68:15 route for the
68:17 computing and simulation hub and then
68:19 there's a quantum communications hub
68:21 which deals with secure communications
68:24 in the quantum world and that's the
68:25 thing i lead from york so so those are
68:27 the four hubs i just wanted to show you
68:29 this each hub will show you a very
68:31 similar picture
68:33 so when i talk about a hub led by the
68:35 university of york we have 10
68:37 of the order of 10 university partners
68:39 across the uk
68:41 we have numerous industry partners and
68:44 national laboratories and so on and and
68:46 so each of the four hubs has focused the
68:49 uk
68:50 expertise no matter where it is into a
68:52 large distributed project and so
68:55 so in our case these are all our
68:57 partners who are working uh with us on
69:00 on quantum communications
69:02 and
69:05 state
69:07 most of what we've done actually over
69:09 the over the period of uh since we
69:12 started 2014
69:14 has focused on one thing if you like
69:17 which is the most mature quantum comms
69:19 technology at the minute which is
69:20 quantum key distribution and what
69:22 quantum key distribution enables
69:25 is that it enables
69:28 secure sharing of a key between two
69:30 parties and
69:33 as i say the
69:35 the hint that you can do something like
69:37 that is that if alice sends quantum
69:39 things to bob and someone has a look in
69:41 the middle uh there is a guarantee that
69:43 some of those quantum signals will be
69:45 disturbed and there's a very clever
69:48 protocol based on that whereby alice and
69:50 bob can then uh exchange ordinary
69:53 information which doesn't have to be
69:55 secured
69:57 and
69:58 they can develop a shared secret key
70:01 between them and and once they've got
70:03 this key it can clearly be used as
70:05 ordinary symmetric keys for whatever
70:07 application you can use symmetric keys
70:09 for that's fine uh
70:12 the one thing i should stress uh is that
70:15 quantum key distribution does need some
70:18 authentication it cannot bootstrap
70:20 itself from nothing so if alice and bob
70:23 have never met before then
70:25 something has to be used to authenticate
70:27 and so perhaps it should have been
70:29 called quantum key expansion but in the
70:31 end quantum key distribution was the
70:33 phrase that won so so there has to be uh
70:36 some authentication as well which might
70:38 be through some pre-shared key but it
70:40 may well involve uh collaboration if you
70:42 like with use of quantum post quantum
70:45 cryptography or quantum safe
70:47 cryptography and so
70:49 but
70:50 if you combine those two uh as i'll
70:52 comment then i think that's the way
70:53 forward for
70:56 quantum safe communications in in in the
70:59 long term
71:05 okay so
71:07 i'll just highlight a couple of things
71:09 so in the first five years of the hub
71:12 which ran from 2014 to 2019
71:16 we pursued many uh parallel uh
71:19 projects if you like and i'll just
71:22 highlight some that are particularly
71:24 relevant for uh
71:26 for security so we we've built in in the
71:29 uk the first uh quantum network
71:32 and and i stress that this is
71:35 is a network of of trusted nodes so
71:38 there are quantum key distribution links
71:40 between points that you have to trust so
71:43 the guarantee is you can detect
71:45 eavesdropping between these trusted
71:47 points but at the trusted points you
71:49 have to have uh you have to have
71:51 conventional and physical security and
71:54 and so we've we've got a network around
71:57 bristol uh one around cambridge we've
72:00 got a link from cambridge to to bt's uh
72:04 adastral park r&d headquarters and and
72:07 we're using bits of the national dark
72:09 fiber facility to actually
72:11 construct a link between bristol and
72:14 cambridge as well so that's one thing we
72:15 did we've pursued small handheld devices
72:19 that have the potential to have a
72:20 quantum transmitter in your phone of the
72:23 future and a quantum receiver in the
72:25 wall
72:26 and and so that work is now quite mature
72:29 as well we put stuff on chip
72:32 so so some of our partners are focused
72:35 on with a view to future
72:37 commercialization putting both quantum
72:39 transmitters and receivers on chip and
72:41 there was a spin out that came uh during
72:44 phase one from our partner at the
72:46 university of bristol called kets
72:48 that's focused on on putting quantum comms
72:51 stuff on on chip
72:53 we also participate in standards work
72:55 that's already been mentioned there is a
72:57 parallel etsi uh standards working group
72:59 on on quantum key distribution
73:02 and hub partners have been actively
73:03 involved in that for for many years now
73:06 so that's a bit of a snapshot of
73:08 of what we've done uh over the past five
73:10 years and then moving on from that uh
73:14 oops
73:18 moving on from that we're now in what's
73:20 called phase two of the uk national
73:22 program which is 2019-2024
73:25 and we're continuing a lot of the work
73:28 that we've done in in phase one in
73:30 particular we're we're expanding our our
73:33 network and we're looking about
73:35 combining within that network uh quantum
73:38 key distribution and post quantum
73:40 cryptography uh
73:43 we're doing further work on standards
73:46 more work on chip based stuff
73:48 the handheld work is maturing we're
73:50 looking if you like people have used the
73:53 phrase in the future that could be a
73:55 quantum internet there's an awful long
73:57 way to go before that but taking some
73:59 first steps towards that one thing you
74:02 would absolutely need before you can do
74:03 anything distributed in quantum is to be
74:05 able to distribute quantum entanglement
74:08 in a reliable way and so we've we've
74:10 done some uh significant progress on on
74:14 that probably the biggest thing that
74:16 we're doing in in phase two is that
74:19 we're looking at a demonstration to do
74:21 a quantum key exchange between a small
74:23 satellite and a ground station because
74:26 in the future if you want to get
74:27 worldwide with quantum communications
74:31 then satellite would seem to be a very
74:32 good way to do it in that you can do an
74:35 exchange in one place you can let the
74:36 satellite go elsewhere and then do
74:38 another exchange in that model you'd
74:40 have to trust the satellite but
74:42 nevertheless that seems pretty much the
74:44 only way you're going to get quantum
74:45 signals from one side of the world to
74:47 the other so
74:49 so that gives you a very brief overview
74:51 of what we're doing in the hub
74:54 and i just want to close with
74:57 some comments about uh the particular
75:00 impact for
75:01 for information security so you've
75:03 already heard about the threat from
75:05 quantum computing and and
75:08 at what point should one worry about
75:09 that well
75:11 if you're sending encrypted data around
75:14 at the minute that could be vulnerable
75:16 when a quantum computer comes along then
75:18 you should be worried now if the
75:20 security shelf life
75:22 and the retooling time for your secure
75:24 hardware if the sum of those two things
75:28 actually exceeds the time to
75:30 uh google or whoever producing a large
75:32 quantum computer then maybe you need to
75:34 be worried now about that so we know
75:37 about the quantum threat and when that
75:39 actually kicks in i think depends on on
75:42 uh how long you want your information to
75:44 be
75:45 secure
75:46 i've mentioned very briefly new quantum
75:48 sensors they'll enable us to uh
75:51 and image things more accurately than we
75:54 can at the minute but
75:56 despite both of these two things
75:59 then uh there are and as i said quantum
76:03 key distribution is the most advanced
76:05 there are
76:08 now quantum means that are resistant
76:11 with a guarantee to both of these so no
76:14 matter what
76:15 the adversary or eavesdropper has in the
76:17 future to throw at you if you use
76:20 quantum key distribution
76:22 uh
76:23 modulo the authentication matter that i
76:25 mentioned then you have a guarantee that
76:27 you are proof against these two things
76:30 now we've heard quite a lot about
76:32 the new mathematical techniques
76:34 the the
76:35 the mathematical uh algorithms that are
76:38 certainly immune to shor's algorithm
76:40 which is the main threat at the minute
76:42 up here
76:43 but are thought to be immune to
76:45 algorithms that might emerge as well
76:47 although
76:48 it was noted that everything seems to be
76:50 focusing on lattice-based approaches
76:53 which might concern me because
76:55 presumably peter shor and all his
76:57 buddies are also now thinking about that
77:00 would be the appropriate place to
77:01 develop a new algorithm so i think it
77:03 would be good to have a basket of
77:05 algorithms which
77:07 uh i know that this process is
77:08 developing so that we will have
77:10 potential immunity
77:12 to just one new algorithm in the quantum
77:15 domain period but anyway
77:18 the fact is i think that because we have
77:20 both of these
77:22 uh both of these capabilities then the
77:25 the way forward may well mean that we
77:27 combine the two of them
77:29 to future quantum safe communications so
77:32 i'm going to stop there and and
77:36 if i could put up a last slide if people
77:38 are interested in further reading there
77:39 are various links there and i'm happy
77:41 for these slides to be shared as well
77:45 thank you
77:47 [Applause]
77:52 thank you tim and thanks for coping with
77:54 the microphone i hope people got
77:57 online got
77:59 the
78:00 um
78:01 the presentation that tim gave um
78:03 certainly
78:05 after the first few minutes we did so
78:06 that's great um keep the questions
78:08 coming in um we've got some interesting
78:10 questions starting to appear uh keep
78:12 questions uh here
78:14 so this is the point where we go to q a
78:18 um and for that i'd like to
78:20 reinvite the panel
78:22 um both online i'm hoping we can
78:25 assemble the online panel if not we have
78:28 three real world panelists
78:30 so tim lee
78:32 and adrian
78:34 if you want to grab a chair
78:36 over there
78:38 social distancing is making this a
78:40 slightly uh slightly challenging
78:42 prospect
78:45 space your chairs out to your comfort
78:47 level
78:50 um you've heard each other's
78:51 presentations um we've got a uh several
78:54 questions coming in online uh we'll hope
78:57 to do the um the demo from uh the the
79:00 talk from
79:01 ali at the end if we can re-establish
79:04 um the question is whether we can
79:05 establish an ava online uh panel as well
79:09 um if not we'll proceed here
79:13 well let's just crack on and hope the
79:15 the technical glitches sort themselves
79:17 out i mean one of the things that
79:19 occurred to me seeing your presentations
79:22 was that there was an awful lot of work
79:23 to do
79:24 um and in a relatively potentially a
79:27 relatively short space of time
79:30 um with the likes of google ibm
79:32 promising million bit
79:34 million million qubit computers by the
79:36 end of the decade whether you
79:39 think that's realistic or not
79:41 um
79:42 when do you think the effects of uh
79:45 quantum vulnerabilities will actually
79:47 start to be felt
79:49 um and i'll go to our
79:52 real world panel first i see we've got
79:54 the online panel i'm hoping that they
79:56 can hear us
79:57 um
79:58 if you can raise your hand when you want
79:59 to talk just so i can keep it
80:01 coordinated lee you you were first off
80:03 tomorrow i think that the time is now
80:06 is not anywhere uh later
80:10 like tim mentioned
80:12 if you have data you encrypted
80:15 and
80:16 today we don't have a large scalable
80:19 quantum quantum computer be able to
80:21 break your data but your data is
80:24 publicly available anyway so
80:27 if anybody collect your data i don't
80:29 want to say who but they can
80:32 later on to
80:35 let later on they can
80:37 break your data that's the one thing the
80:39 other thing from my point of view is
80:43 people lost the trust
80:45 the trust is very important for cyber
80:48 security
80:49 because the quantum compute
80:51 computer were coming one day and if we
80:54 don't do anything and
80:56 then the trust in cyber security
81:00 where we lost if
81:02 nobody trusted
81:04 us then we kind of lost so that's why i
81:07 think castrati is there already
81:10 so the time is now and people happen now
81:13 got a later yeah the problem of um
81:15 acquiring encrypted records now with the
81:18 view that in years to come they will be
81:21 able to decrypt them and sort of do uh
81:23 reverse attacks and that that being done
81:26 by some governments in the world who are
81:28 that this was done as far back as the
81:30 second world war where we were um we and
81:32 others were acquiring records and then
81:34 with the intent of being able to decrypt
81:36 them in the future it becomes quite a
81:38 vulnerability so okay um
81:41 tim adrian any comments on on that
81:43 i would just endorse that i mean i i
81:45 think it's very hard to predict
81:49 when a quantum computer will emerge i'm
81:52 on my slide i mentioned
81:54 mike mosca uh
81:56 waterloo in canada who's come up with
81:58 that
81:59 eq inequality
82:02 i think he has tried to make estimates
82:04 of
82:05 probabilities of a large quantum
82:08 computer existing in 10 or 20 years and
82:12 so then you you know that
82:15 those probabilities are not small
82:17 but they're not one either but then
82:20 you've got to ask the question
82:22 how worried are you about the long-term
82:24 security you know if if they are very if
82:26 it's very sensitive information at the
82:28 minute
82:29 then i think you should be concerned if
82:32 it's something that will be redundant in
82:33 a couple of years time if exposed at
82:35 that point then clearly you don't care
82:37 yet but
82:38 but i think the threat is now
82:40 sufficiently big the if it's if it's
82:43 important data that you want to keep
82:46 secure for a long time i think the
82:48 threat exists there so there's an
82:50 interesting subtlety to that which
82:52 who are likely to be the first users of
82:55 large-scale workable quantum computers
82:58 and they're likely to be few in number i
83:01 i don't want to repeat the sort of the
83:03 the ibm only needs five computers sort
83:06 of mistake but the first
83:08 high qubit working
83:10 quantum computers are likely to be owned
83:12 by governments or very large
83:15 i.t corporates so there won't be many of
83:17 them around initially so that kind of
83:20 shapes of you know where the where the
83:22 problem is going to come from um
83:25 it's not going to be the kind of thing
83:26 that the average bedroom hacker has
83:28 access to
83:30 one imagines
83:32 probably not but
83:34 there will be lots of steps before that
83:36 where modest size machines that are
83:38 useful for research purposes or or
83:41 perhaps running optimization algorithms
83:43 and that exist
83:45 and then of course if you can network
83:46 those together you end up with a bigger
83:48 more powerful machine so so i agree it's
83:51 likely the very big ones are likely to
83:53 be owned by governments or whatever at
83:55 first but
83:56 but there may be other ones out there at
83:58 more modest scale that might still
84:01 play a role
84:03 adrian any thoughts to add to that and
84:05 then i'll come to our online panel see
84:06 whether we can get to get that working
84:08 just to add that
84:10 people i'm talking about encryption but
84:12 it
84:12 the problem is not just encryption even
84:14 now and it was mentioned in one of the
84:16 talks about the roots of trust and so on
84:19 so certainly for things like in our
84:20 safety critical systems that last a long
84:22 time
84:23 you know again we need to be thinking
84:25 about this now when we are thinking
84:26 about it now which is a good thing
84:28 so it shouldn't go away with just
84:30 thinking oh i don't encrypt stuff i'm
84:31 not worried about long-term encryption
84:33 therefore i'm okay i think this is a
84:35 general problem
84:37 um for anyone who uses cryptography
84:38 really
84:40 so hearing a very clear and resounding
84:42 now is the problem we'll come on to the
84:44 what uh
84:46 what can people do about it
84:48 let's go to the online panel see whether
84:50 we can get any of them um talking i
84:53 can't control this so um if
84:57 if one of you wants to make a comment
84:58 can you raise your hand just that i can
85:00 uh get our
85:02 audio people to make sure that you're
85:04 audible
85:06 uh anyone want to make a comment
85:09 um
85:11 at least from our perspective it is the
85:13 right time to look at this not only from
85:16 the algorithm perspective but really for
85:18 how we can prepare to adopt these
85:20 algorithms in in our systems
85:23 and indeed one of the points i made was
85:26 that roots of trust produced today need
85:28 to be resistant tomorrow but also roots
85:31 of trust from tomorrow need to be
85:32 resistant for even longer time so it's
85:35 incredibly hard to make this transition
85:38 and to to make the decision on which
85:40 algorithms to use
85:41 and i guess once we would have some
85:44 standards
85:45 i still hope we will have some time
85:47 before uh quantum computers are indeed a
85:50 threat that would allow us this time to
85:53 to
85:54 to make sure that we know how to adopt
85:55 the algorithms correctly so yeah i think
85:57 we need a lot of time and the time is
85:59 right now
86:02 let's go to ali um you were going to
86:04 make a point
86:06 see if we can hear you
86:10 can you hear me now i can't hear you go
86:12 ahead
86:13 yes um sorry i said i had technical
86:16 issues at the beginning so i couldn't
86:17 hear the question if you could please
86:19 repeat it i'll be more than happy to
86:21 answer uh okay so this is about um
86:25 when do we need to start worrying about
86:27 um the the impact of uh
86:30 quantum computing on the world of uh
86:32 cryptography cybersecurity and so forth
86:36 true um i mean nsa started worrying
86:40 since 2015 right when they made the
86:42 announcement about
86:43 the quantum threat being a real threat
86:45 and
86:46 asking nist to follow with a
86:48 standardization process for post-quantum
86:50 cryptography so i think that um
86:53 we we kind of like identified this as a
86:56 community cyber security cryptography
86:58 that it is a real threat given as uh
87:01 you know
87:02 panelists already mentioned uh
87:04 you know the long lifespan of some uh of
87:07 our sensitive data um that we need to
87:11 get ready for it so i think that um we
87:13 kind of like all agreed on this and um
87:16 nist is about to announce the um the
87:19 actual standards by the end of the year
87:21 um i think that the
87:23 the question now is uh for people and
87:26 for you know for large corporates and
87:28 and and all stakeholders how to get
87:30 ready for or how to transition to the
87:32 new standards
87:34 and that is a challenging
87:36 task and challenging phase
87:39 a lot of people don't know where to
87:41 start from
87:43 because
87:45 i guess nobody remembers last time when
87:47 we had to change all the public key
87:49 cryptography because we never had to
87:52 and it's the first time that we're
87:53 changing all the public key cryptography
87:55 layer and our cyber security and when we
87:57 started it was largely uh you know for
88:00 communications and between governments
88:02 etc and now you have cryptography
88:03 literally everywhere and public key
88:05 cryptography in particular is you know
88:07 in your bank card in your car key
88:09 literally everywhere so
88:11 um i think that the real challenge now
88:14 is the transition phase and uh the
88:16 preparation for uh like putting road map
88:19 for transition to
88:21 uh post quantum cryptography i heard uh
88:24 also uh panelists talking about qkd and
88:27 the likes i think that it has niche
88:29 application and
88:32 it it will be used where it is suitable
88:36 it's not a replacement of public key
88:38 cryptography
88:39 for many reasons
88:41 but i could see them working together in
88:44 the near future i guess
88:47 thank you ali um roberto so um a new
88:50 member of the panel uh part of the
88:52 huawei team um
88:54 what are your views on um whether we
88:56 need to worry so far we've got five
88:58 votes in
88:59 uh as now uh what are your views
89:04 also in my opinion uh
89:06 we should start to worry
89:08 about it now
89:10 because
89:13 there are many many aspects
89:16 of the transition uh from non-quantum
89:19 computer to quantum computer and one of
89:20 these is also the
89:22 technical problem
89:25 because
89:27 we have the experience from the future
89:29 tpm project that
89:32 is not immediate to integrate a quantum
89:34 resistant algorithm into
89:36 the current software
89:39 so we experience a
89:41 number of challenges
89:43 and
89:46 so when we
89:47 when we want to
89:50 to predict the
89:51 transition time from non-quantum
89:53 computer and to quantum computer
89:55 we also need to to
89:58 to
89:59 consider
90:01 the effort for adapting the software
90:04 this is from my personal experience
90:07 thank you thank you um
90:10 so um i'm gonna come back to the real
90:12 panel and and do the what and as um tim
90:14 pointed out you know that
90:16 we're worried about uh
90:18 largely one particular form of attack in
90:20 the shor uh algorithm but as tim pointed
90:23 out there's nothing to stop additional
90:25 clever mathematicians coming along and
90:28 designing new algorithms that are going
90:29 to uh threaten other parts of the the
90:32 cryptographic world um but getting to
90:35 the question of what should we do so in
90:37 practical terms given the scale of some
90:40 of the technical challenges that we're
90:42 we've talked about we've alluded to this
90:44 afternoon um
90:46 what can
90:47 our audience um who are largely security
90:50 experts who are working in large
90:53 enterprises uh and starting to worry
90:55 about this as a
90:57 as a potential threat of the future
90:59 people have
91:00 those who've been around for a few years
91:02 remember y2k
91:03 people are talking about q2k now um and
91:07 that we've got a few years grace but but
91:10 what can we do practically now
91:13 um adrian do you have a view on that
91:16 put you on the spot
91:17 definitely the first thing to do is this
91:19 kind of
91:20 thorough quantum threat assessment i
91:22 kind of mentioned this
91:24 briefly in my talk but this is to
91:26 highlight to everyone in your
91:27 organizations
91:28 what would be the actual risk
91:30 um if you know working quantum computer
91:33 was available and the algorithms you're
91:34 relying on
91:35 um become you know insecure and i think
91:38 the first thing that
91:41 will become apparent is how embedded now
91:44 cryptography is in everything that we do
91:47 so if you did this kind of thorough
91:48 assessment you'd find that you know
91:50 pretty much everything that you're
91:52 currently relying on would become a
91:53 problem and that should be a red flag
91:56 you know for your organization to say
91:57 that yeah we really need to start
91:59 really thinking about this it's not just
92:01 uh you know like y2k in some sense maybe
92:05 was you know over hyped but uh if you
92:08 consider what the issues are for this
92:10 then yeah i think you that would
92:12 highlight why it's really a problem
92:14 thanks adrian tim do you have a
92:17 any advice
92:20 no i i think i'll just endorse that i
92:22 mean i think the most important thing is
92:24 to do an assessment at the minute and
92:26 clearly
92:28 the post quantum options will be
92:30 decided relatively soon
92:32 and then
92:34 with a longer term view i think it may
92:36 well be
92:37 quantum solutions as well that can offer
92:42 can offer some some help maybe they will
92:45 be applied in certain cases in
92:48 in the first instance i mean the
92:49 technology is still quite expensive
92:52 so it's not something that i think could
92:54 be very widely deployed now but but
92:58 you know service providers like bt are
93:00 now running trials of this for certain
93:03 cases so i think
93:05 i think there will be an offering in
93:07 that direction from
93:09 from
93:10 you know industry soon and so then it
93:13 may be a matter of actually
93:15 looking at what the options are but
93:18 certainly in the short term it seems
93:20 people should be looking at the pqc
93:23 options
93:24 because these aren't quick transitions
93:26 are they not when they're routed in from
93:28 tpms to switches to
93:30 um you know the whole infrastructure has
93:32 potentially got to be looked at
93:35 and it's not something we can do
93:36 overnight it's going to take years to
93:38 ripple through
93:40 that's certainly true
93:42 but as i say i think it's worth it it is
93:44 interesting now that the big service
93:47 providers are now
93:48 becoming
93:50 aware of quantum solutions and trialling
93:53 them and looking at them
93:56 thank you lee any any
93:58 afterthoughts on that
94:00 yeah i only i only want to add the one
94:02 thing is i think the whole industry
94:05 should be work together but actually now
94:07 industry is working together it's it's
94:10 take time like
94:12 every everyone else said
94:14 for a tpm as an example the original tpm
94:18 design taken many years and the transfer
94:22 from rsa to elliptic curve also took
94:25 many years
94:26 now tpm
94:28 the specification designs over 20 years
94:31 but the use tpm is just started so for
94:36 transfer this to the quantum resistant i
94:39 expected many years as necessary
94:42 but now the good thing is the industry
94:45 already noticed that the the research
94:48 community is also noticed that so that's
94:50 good thing
94:52 thank you thank you right well i'm going
94:54 to ask the same question to our online
94:55 panel in the same orders just so we know
94:58 what can people do what what should the
95:00 experts be do uh sylvia if i can come to
95:03 you first
95:05 actually that's a wonderful question and
95:07 it's a question i've been asking myself
95:10 as well and trying to make other
95:12 experts also ask themselves
95:14 just imagine that it's not about the
95:17 switch to quantum resistance but imagine
95:20 that tomorrow some somebody publishes a
95:23 catastrophic vulnerability in rsa or in
95:26 ecc
95:27 and we have lots of devices out there in
95:29 the field which you will not be able to
95:31 just update even if we would have an uh
95:34 let's say a replacement algorithm simply
95:36 because at their at their
95:39 most fundamental level these algorithms
95:41 are burned in hardware for example for
95:43 securely booting their firmware there's
95:45 always a key in the boot rom and some
95:48 code which is fixed and you will not be
95:50 able to update that so that means you're
95:52 vulnerable and that that's not related
95:55 to quantum computers at all it can
95:57 happen for any other algorithms and it
95:58 can happen even after we might have
96:01 standardized some quantum resistance
96:03 algorithms as well
96:04 so what i believe we need to do is to
96:07 think
96:08 how we can find ways to to allow us to
96:12 change the crypto primitives from their
96:14 most fundamental level in devices and
96:18 have the ability to change them
96:20 perhaps to some algorithms that are not
96:22 yet known or not yet standardized at the
96:25 time when the devices are produced and
96:27 if we would find ways to do this and
96:29 perhaps do it by relying on
96:32 rather simpler
96:33 cryptographic primitives that have the
96:36 chance to to withstand
96:37 also
96:39 let's say attacks that that we would be
96:41 uh expecting then that would give us a
96:43 chance to migrate yeah so for example we
96:46 have today some some
96:49 initial standards around quantum
96:51 resistant crypto which are not nist
96:54 standards they're ietf standards and
96:55 they they rely on xmss extendable merkle
96:58 signatures and
97:00 for example they are relying in on hash
97:03 functions they are very simple
97:04 constructions
97:05 can we use such algorithms to allow us
97:08 to migrate
97:09 other
97:10 algorithms in the stack
97:12 in the future can we do something that
97:15 would allow us to to
97:18 to change even those devices out there
97:20 in the field that cannot be changed
97:21 easily i think
97:23 that's the kind of thinking we should
97:25 have
97:26 thank you thank you uh ali um you know
97:29 pq shield uh you started this company
97:32 with uh some of these
97:34 answers to these questions in mind what
97:36 are your thoughts on what we should be
97:37 doing
97:40 yeah a great question actually
97:42 um i mean as as a company uh heavily
97:45 involved in the nist standardization
97:47 process
97:49 and
97:50 building products and software and
97:52 hardware and
97:54 communication
97:55 and encrypted messaging etc i think
97:57 that
97:59 we've seen
98:00 a
98:02 great change in in in um
98:05 in terms of
98:08 you know people that we were talking to
98:10 in 2018
98:12 were asking okay so what what is post
98:14 quantum crypto and why do we need it and
98:16 and now there are um
98:19 actual customers and partners that are
98:22 um
98:23 trying and uh
98:25 post quantum crypto in
98:28 in software and in hardware as in fpgas
98:32 and have clear road maps for uh for for
98:35 silicon so
98:36 um people are aware of of of this threat
98:39 and they're putting road maps for this
98:41 they understand uh if they are designing
98:43 a product that is gonna uh go out to
98:46 market in three four years and and stay
98:48 there for 15 20 years then they need to
98:51 do the the preparation now and they need
98:53 to take post quantum crypto into
98:56 consideration uh now so i think the um
98:59 things have have changed a lot and
99:01 people are a lot more aware of of uh the
99:04 quantum threat uh we struggled a lot
99:07 explaining to people the difference
99:09 between uh post-quantum crypto and
99:12 uh qkd and qrng and
99:15 you know um
99:17 it's a lucky and unlucky field because
99:20 there's lots of hype around quantum
99:22 computing and
99:24 um uh yeah
99:27 but i think that we've moved a long way
99:29 now and people are uh following nist and
99:32 the standardization process etc i don't
99:34 think that we can do everything like i
99:36 mean um i i heard uh our friend
99:39 mentioning how can we do you know risk
99:41 mitigation i think that
99:43 there's no ideal solution
99:45 we we have some sort of
99:48 risk assessments and and
99:50 and uh
99:51 cryptography is just a you know a tool
99:54 to mitigate the risk uh can we just you
99:57 know
99:58 bring it to zero it's it's impossible um
100:01 there are there will always be attacks
100:03 and vulnerabilities uh they come
100:06 together software and hardware will come
100:07 with
100:08 vulnerabilities um
100:10 even when when it comes to qkd and
100:13 quantum computing and and everything
100:16 around it we've learned this you know
100:18 there's no perfect solution when you
100:20 deploy it in the field it's impossible
100:22 to for it to be perfect there will be
100:24 ways to to to go around it and what
100:27 we're doing here and you know in terms
100:29 of cryptography is to use the the best
100:31 uh tools that we've got now we we we
100:35 know that rsa is effectively broken
100:37 elliptic curve crypto is effectively broken
100:40 um we should not stick to these two
100:43 algorithms for for long we should just
100:45 move to something that we know that it's
100:47 not
100:48 you know it's not broken we don't know
100:49 of any algorithm that can break it um but
100:52 that's
100:53 you know
100:53 that's the best that we we can do now i
100:55 guess um and um as i said um
100:59 stakeholders already
101:01 moving to uh put clear road maps for
101:04 transition to post quantum crypto
101:08 i'm going to come to our audience for
101:10 our next question in a minute but before
101:11 we do that i wanted to give roberto a
101:13 chance
101:14 for any additional insights on what's
101:16 already been said about what we should
101:17 do next
101:18 how would you roberto
101:20 uh yes uh from my point of view um
101:24 one of the problem is
101:26 this long time for standardization which
101:28 is
101:29 absolutely needed because we need to be
101:31 sure that
101:33 the algorithms that would be standardized
101:36 are secure
101:38 but
101:39 from the software point of view if
101:42 tomorrow
101:43 the standardization body said
101:46 the algorithm is ready we still
101:50 need to integrate them so in my opinion
101:52 one way to
101:54 reduce the time for the
101:56 migration would be to
101:59 do experience with the version of the
102:01 algorithm that we have now that
102:04 maybe they are closer to the final
102:06 version maybe not but
102:08 uh
102:08 they are uh
102:10 closer than uh the rsa algorithm for
102:15 example
102:17 so when we integrate a quantum-resistant
102:19 algorithm into the tpm for example we
102:22 we see that
102:24 the storage
102:25 needs to be
102:26 increased and so
102:29 if we we make experience with uh the
102:32 current version of the algorithm then
102:34 later
102:35 uh it would be easier for us to
102:38 to
102:40 enhance the software with the
102:42 the final version of the algorithm
102:48 so um a chance for
102:50 any of those burning questions in the
102:51 audience um
102:53 anyone want to ask the panel
102:56 a question
102:57 raise your hand and and shout loudly
103:01 i'm looking everyone's looking
103:04 quiet
103:06 i shall refer back to my online audience
103:09 who are busily
103:11 putting in questions
103:13 um
103:14 i mean this question about how long uh
103:17 things might take to both both correct
103:20 for the perceived threat
103:21 but i've got a question here which is um
103:24 we talk about qr crypto algorithms um
103:27 are we able to robustly test them and
103:30 how long will they be resistant for and
103:32 is that an impossible question to answer
103:37 it's kind of related to to some of the
103:39 questions that were asked uh some of the
103:40 points that we made earlier um
103:43 any views on that
103:45 the sort of testing regimes what can we
103:46 do to make sure that the
103:48 uh
103:49 the resistant
103:52 candidates that we're playing with stand
103:54 the test of time or should we just give
103:56 up on that
103:58 no we we were not a gave up the test
104:01 means a lot of different
104:04 aspects
104:06 like nist
104:08 have
104:09 pqc
104:11 the
104:12 activities they don't want to say this
104:14 is the competition but actually is a
104:16 competition the testing is let the whole
104:20 cryptographic
104:22 community
104:24 to attack it to attack all the
104:26 algorithms and if they
104:29 if they can survive from those various
104:32 attacks and they have been tested
104:35 and then also we have some performance
104:37 testing like rewriter and the service
104:40 doing
104:41 in this performance
104:43 evaluation and to set testing how good
104:46 how bad if they are implemented in the
104:49 real world those are the testing from my
104:51 country
104:54 tim adrian any additional thoughts on
104:56 that
104:57 well i mean clearly the threat at the
104:59 minute is shor's algorithm but the
105:02 unknown is are the other algorithms
105:04 which might be
105:06 devised in the future
105:08 that
105:09 that clearly have to utilize quantum
105:12 parallelism in
105:13 some way like shor's algorithm does i
105:16 think to get that speed up it's going to
105:18 have to do that but that's an unknown
105:20 but but clearly
105:22 you know a candidate doesn't even become
105:24 a candidate if it's not already
105:26 presumably tried and tested against
105:27 shor's algorithm
105:29 and so
105:32 i think those who are expert in the
105:34 mathematics have
105:36 reason for thinking that there will be
105:38 robustness of these algorithms that are
105:40 being devised against quantum attacks
105:43 but it's there's no proof i don't i
105:46 think it will be very hard to prove
105:48 that that somebody can't devise another
105:51 algorithm in the future
105:53 but i think there are there are
105:55 mathematical underpinnings that make
105:56 people have confidence these algorithms
105:59 will at least stand
106:00 some test of time
106:02 certainly against shor
106:04 like algorithms if there was something
106:06 that was utilizing quantum parallelism
106:10 but i i i'm not aware that there's any
106:13 proof
106:15 so if i give the pump but we might be
106:17 entering a sort of period of uh
106:18 cryptographic uncertainty
106:21 in the future
106:23 adrian
106:24 yeah but just to add to that that we've
106:26 always been in a situation of
106:27 cryptographic uncertainty that
106:30 there's nothing different here i think
106:32 the key thing is that you know as leo
106:34 said that
106:35 to the best of the techniques that we
106:37 know today these algorithms have been
106:38 thoroughly tested and then we'll be in
106:40 the situation as we are with our current
106:42 algorithms of maybe someone comes up
106:44 with a new clever method that
106:46 something that we've lived with for
106:48 many years and will continue to live
106:50 with
106:52 thank you okay i'll go to our online
106:54 panel any any thoughts on the question
106:55 i'm hoping you're hearing the answer and
106:57 the questions um i'll go around again if
107:00 you don't want to answer just say sylvia
107:02 any
107:03 thoughts on this
107:06 i guess just two comments from my side
107:09 testing is of course important
107:11 especially because uh these algorithms
107:13 did not
107:14 benefit from
107:16 uh the extended timelines that
107:18 cryptanalysis uh had at its disposal for
107:22 other algorithms in the past and second
107:25 let's not forget that besides the
107:27 algorithm itself
107:29 very often problems are found in
107:30 implementations and
107:32 there is always the challenge of
107:35 deciding when an implementation is
107:36 sufficiently good
107:38 that's
107:40 a general software related
107:42 challenge and
107:44 we need to
107:46 reach a point where we have
107:48 sufficiently good implementations
107:50 available uh easily and openly so that
107:53 people can use them with confidence so
107:55 yeah testing also the implementation is
107:57 very important
107:59 ali any any any thoughts to add to that
108:02 yeah i think that testing never stops
108:04 right um
108:06 once we have a
108:08 enough level of confidence you start
108:10 using cryptosystems but testing really
108:13 never stops i mean one of the oldest
108:15 crypto libraries is openssl and we still
108:18 every couple of years have a
108:20 devastating flaw uh there right
108:23 although
108:24 probably all software engineers and
108:26 cryptographers have looked at it
108:28 at some point in their career so testing
108:30 really never never stops and as they
108:33 they
108:34 you know um
108:35 clearly mentioned that it's also about
108:37 the implementation once you implement
108:39 things then um i mean there are there
108:42 are the cryptanalysis that happens at
108:43 an algorithmic level and mathematical
108:45 level and there is the uh there are the
108:47 bugs and the the
108:49 implementation flaws and attacks that
108:51 attack the implementation and this is a
108:53 full range of of of attacks uh i think
108:56 that the confidence in the mathematical
108:58 foundation
109:00 is strong enough to believe that
109:03 the likes of shor's algorithm will not
109:05 apply to it and that's a mathematical
109:07 thing we know the rsa and the discrete
109:10 logarithm problem come from come from
109:12 one family uh of mathematical problems
109:16 and uh the for instance lattice problems
109:18 come you know they don't belong to that
109:20 family and so far since 1996 you know
109:23 all quantum
109:25 computing people
109:26 didn't manage to find i mean not just
109:29 for cryptography
109:30 it's not like we we've we've had i don't
109:32 know 100 quantum algorithms so far it's
109:35 really difficult to build a a quantum
109:37 algorithm that where you can actually
109:40 um
109:41 you know
109:42 take advantage of of all the nice
109:45 features that uh not just the
109:46 parallelism but also the quantum
109:48 interference etc so that you can
109:50 actually
109:51 build something that is faster than
109:53 classical
109:54 algorithms it's it's really challenging
109:56 and difficult um but i think that the uh
110:00 what comes with testing is the crypto
110:02 agility you need to be crypto agile da
110:05 when you want to tune the parameters uh
110:08 because of the advances in
110:10 cryptanalysis which is going to be expected
110:12 that this is something possible um in
110:15 software so that's that's the best way
110:17 to to handle this i guess
110:20 thank you roberto any additional
110:22 insights on that
110:24 uh yes uh something uh on top of what i
110:28 said
110:29 that
110:31 we need to keep a margin uh when
110:34 we
110:35 implemented a
110:37 quantum resistant algorithm
110:39 in the sense that for example
110:41 if we expect the size of the key to be
110:46 certain a certain amount
110:48 we need to maybe
110:50 make room for a big bigger key because
110:52 uh maybe at some point
110:54 we discovered that uh
110:58 with this size the the the agreed of the
111:01 kid the kid algorithm is vulnerable but
111:03 if we had we have enough room in in the
111:06 chip
111:08 then we can switch it to a more more
111:10 resistant uh version of the algorithm
111:13 and
111:14 could be fine could be a mitigation
111:20 i'm conscious of time um we're running
111:22 up against the uh the six o'clock uh
111:25 completion time that we promised
111:27 um i i've got some great questions still
111:29 uh from the online community and i'm
111:31 hoping that perhaps we can deal with
111:33 those um afterwards we can ask our
111:36 panelists to respond to some of them um
111:38 so what one perhaps for the cyber
111:40 specialists i rather like is do we see
111:43 uh foresee cyber security becoming less
111:46 about human behavior and more about
111:48 attacks and networks and deep machine
111:50 and ai and so on so really focusing on
111:53 the deep guts of the security
111:55 infrastructure rather than the weak
111:58 human side of it
112:00 i like that question perhaps it deserves
112:01 longer than we've got to discuss that
112:04 and some other questions about
112:06 hybrid computing using quantum and
112:09 conventional computing
112:12 large amounts of
112:14 question about large amounts of
112:15 computing and applications being
112:16 commoditized do we see quantum as a
112:19 service being something that perhaps the
112:22 bad guys will have access to and some
112:24 other questions around that so some
112:26 great questions coming in line um but i
112:28 think we should draw stumps there um i
112:30 have promised or we have promised our
112:32 online community uh a demonstration from
112:35 roberto and his colleagues at huawei um
112:37 so
112:38 for the online audience stay around
112:41 um for the real world audience you're
112:44 invited to our networking opportunity
112:47 you get to have real cups of whatever
112:49 we've provided and tea and biscuits and
112:52 everything else i'd like to thank our
112:55 real world panel and our online panel uh
112:57 to
112:58 lead tim and adrian
113:00 to um
113:02 silvio uh ali and
113:04 roberto
113:06 in the conventional way so a round of
113:08 applause and i hope the people at
113:10 uh online are doing the same so thank
113:12 you very much
113:14 um so that that
113:16 that brings to an end uh this seminar on
113:20 from our future of cyber series this is
113:23 something that we run about every
113:24 quarter we're trying to look forward
113:27 into
113:29 get away from thinking about cyber
113:30 security in terms of what's the current
113:33 problem the problem over the next few
113:34 months and start to think about the kind
113:37 of issues that might face us uh in years
113:40 to come and that's the the the cyber
113:42 security of the post quantum world is uh
113:44 a real example of that for our next one
113:47 uh which we plan around the january
113:50 late january early february uh we're
113:52 going to be looking at some of the
113:53 research that we've done in the cyber
113:54 security team um and uh
113:57 some of our external speakers around
114:00 social media and the impact of social
114:02 media in the long term uh some of the
114:04 impact we've already seen in things like
114:07 mental health in
114:09 the political world and so on so a great
114:12 uh
114:14 can of worms to be opened there and we
114:16 hope we can entertain you with that and
114:18 we hope to again
114:20 involve the sasig who have been a
114:22 fantastic partner of this um and i hope
114:25 this this joint endeavor between the
114:26 university and the sasig uh so i'd like
114:29 to give my thanks to sasig and then
114:31 finally to the tech team who've had the
114:34 challenge of dealing with a hybrid event
114:37 joint event with hybrid uh with with
114:40 real-world um
114:42 presenters um and online presenters it's
114:44 not easy and we're feeling our way on
114:46 this so apologies for any glitches but i
114:48 think they did magnificently thank you
114:50 all
114:51 and join us after the event thank you
114:57 hello welcome to this presentation my
114:59 name is roberto sasso i'm from huawei
115:02 and today i would like to present you
115:03 the result of the device management use
115:05 case
115:07 first i will give an overview of the use
115:08 case
115:09 then i will describe more in detail the
115:12 technology and functionality of the
115:13 demonstrator
115:14 then i will provide the result of the
115:16 evaluation of the tpm performance and
115:19 kpi and lastly i will go to the
115:22 conclusion
115:24 the device management use case is about
115:26 managing a network infrastructure
115:28 composed of network elements such as
115:30 routers a network management system or
115:33 nms and endpoints such as laptops and
115:36 server
115:38 in this network infrastructure the nms
115:40 queries periodically the router to
115:42 obtain their status
115:44 and sends configuration command in order
115:46 to
115:47 respond to certain events for example
115:49 when a router becomes offline
115:54 we need the future tpm project in order
115:56 to solve some issues
115:58 that
115:59 affects especially scenario where there
116:02 is no hardware-based protection
116:04 in particular we would like to address a
116:06 weak device identification because the
116:08 device key is stored in the device
116:10 storage unprotected
116:12 and we would like to address the fact
116:14 that the software integrity is not
116:15 monitored
116:16 and a compromised router for example
116:18 could ignore management command sent by
116:20 the nms and an attacker can continue to
116:23 perform his action without being
116:24 detected
116:26 we would also like to address the fact
116:28 that the data integrity incoherent child
116:30 is not more intelligent and data is
116:32 often stored in plain text and can be
116:34 accessed also
116:36 when the device is compromised
116:39 lastly since telco equipments are very
116:41 long life span in greater than 10 years
116:44 with this project we would like to
116:47 be able to migrate from
116:49 um
116:51 from non-qr algorithms to qr
116:52 algorithms when quantum computing
116:54 becomes practical
116:57 in this presentation we will show the
116:59 new network management solution for
117:01 following the strong security
117:03 requirement to define wp-1
117:06 we would like also to show
117:07 that an advanced technology operating
117:10 system level for remote attestation
117:12 the vectorization components that are
117:14 required to
117:17 to work
117:18 for with required tpm
117:20 and the software tpm
117:25 the device management demonstrator
117:27 addresses the weakness that i previously
117:29 mentioned in particular provide a strong
117:31 hardware based identification
117:33 continuously monitoring system data and
117:36 system and data integrity provides a
117:38 secure zero touch provisioning
117:40 integration with the qr tpm and user
117:42 quantum resistant algorithm and provides
117:45 trust aware routing decision
117:49 a common issue in network management is
117:52 that
117:53 the
117:55 the key for the identification is
117:57 storage in the device storage
117:59 unprotected and it's easy to move this
118:01 key to another device to impersonate a
118:03 legitimate one the tpm solves this issue
118:06 because the key cannot
118:10 leave the tpm in plain text and are
118:13 bound to a specific tpm
118:15 usually the tpm is soldered in the main
118:17 board
118:18 and they cannot be moved simply to
118:20 another device
118:21 the tpm also can be uniquely identified
118:24 by its endorsement
118:26 key which is certified by the tpm vendor
118:30 and the certificate is available
118:32 via offline mechanisms such as email
118:36 we would like to
118:38 protect and detect system integrity in
118:41 particular we are interested in three
118:43 aspects load-time integrity so we would
118:45 like to ensure that the code and
118:46 configuration file of the application
118:49 are the right one when a process is
118:51 started
118:52 we will also like to monitor the process
118:54 interaction and to ensure that mutable
118:56 files are
118:58 updated by the legitimate ones
119:01 and we would like to detect a malicious
119:03 modification between reboots when the
119:06 integrity protection is not enabled
119:11 comprehensive integrity verification or
119:13 civ is the solution that allow us to
119:18 protect these three aspects of the
119:20 integrity
119:21 in particular it's built on top of the
119:23 current security sub system
119:26 integrity measurement architecture and
119:27 extended verification modules and
119:29 consists of a set of three extensions
119:32 for the linux kernel ima digest lists for
119:35 the load-time integrity infoflow lsm
119:38 for the runtime integrity and evm with a
119:40 tpm key for offline integrity
119:43 civ provides a more complete protection
119:45 and detection of the integrity of the
119:47 application because
119:48 it does not only monitor regular file
119:50 but also inter-process communication
119:52 channels such as fifo and socket
119:55 it also provides a simplified simplified
119:57 integration of remote
119:59 attestation into existing products
120:01 because with civ the attestation
120:03 can be done by simply trying to
120:05 establish a trusted channel
120:10 civ uses the tpm in order to protect a
120:13 tls key for device identification and
120:16 for the remote attestation of the router
120:19 it follows the trusted computing principle
120:21 of measure before load
120:23 for all the components that are involved
120:25 during the boot process and if all the
120:28 measurable components
120:30 are the same for the components included
120:33 in the sealing policy when the key
120:35 was created then the tpm
120:38 allowed the key to be unsealed
120:40 the sealing policy is first verified by
120:43 the ra server and after that a
120:45 certificate for the tls key is issued
120:48 by the nms
120:50 this slide shows the difference between
120:52 a good router and a compromised router
120:55 in the first case since all the
120:56 components are the legitimate one the
120:59 tpm allows the unsealing of the
121:01 tls key
121:02 and then the router can establish a tls
121:04 connection with the nms
121:07 in the second case since the
121:09 one components were tampered with by an
121:11 attacker
121:12 the tpm
121:14 didn't allow the router to use the tls
121:17 key and cannot establish a tls
121:19 connection with the nms the nms found that
121:22 the router is compromised
121:25 the demonstrator offer also secure zero
121:27 touch provisioning which is particularly
121:29 effective because it avoided to place a
121:31 trust in the network operator for the
121:34 correct configuration of the router in
121:36 the initial phase
121:38 the router
121:40 are admitted to the network only if they
121:42 have a valid certificate
121:44 and they are configured to get the
121:46 certificate at the first boot
121:48 the router can get a certificate only if
121:51 the current configuration match the one
121:54 defined by the network administrator
121:57 and after
121:58 the router gets the certificate
122:00 any change from the verified
122:02 configuration
122:03 causes the unsealing of the tls key to
122:05 fail
122:08 if a malicious network operator tried to
122:11 subvert a router before or after the
122:13 router gets a certificate
122:15 the nms will notice it because the
122:17 enrollment or the tls connection fails
122:20 in this slide
122:22 we show which component we had to modify
122:24 in order to use the software tpm in a
122:26 virtualized environment on the left side
122:28 we see that we replace the tss with the
122:31 qrtss
122:32 in order to do the software tpm
122:34 provisioning
122:35 when the virtual machine is created
122:37 we also modify the components between
122:40 the
122:41 qrtpm in the center and the endpoint on
122:44 the right side in a virtual machine
122:47 and those are represented with a green
122:49 label
122:50 because the components
122:52 have a limitation for the buffer to
122:54 store the tpm commands
122:57 and this limitation is 4096 bytes what
123:01 but with the qr algorithms we need
123:04 a bigger buffer because uh qr keys are
123:06 bigger
123:08 we also modified the endpoints of the
123:10 communication with the qr tpm
123:13 um and those are represented with the
123:15 orange border
123:17 because we had to use an updated
123:19 definition for some tcg structure
123:22 finally we are also using a modified
123:24 version of openssl with support
123:27 for quantum resistant algorithms for
123:30 non-tpm crypto operations
123:34 in this slide we show the setup of the
123:36 demo each component is placed in a
123:38 separate virtual machine and the virtual
123:40 machine can communicate between
123:42 themselves with virtual bridges which
123:46 are created in the host
123:49 now we can proceed with a demonstration
123:51 of the user stories
123:53 the network administrator wants to
123:54 restrict access to the network
123:55 infrastructure only to the router that
123:58 he controls since the router can be
124:00 uniquely identified from the endorsement
124:02 key credential
124:04 he gets the endorsement key credential
124:06 from the device itself or from the tpm
124:08 vendor via email and then upload these
124:12 certificates
124:14 to the nms and the nms store them in a
124:16 database
124:19 we can perform the registration of the
124:21 router directly in the graphical
124:24 interface of the nms
124:27 so this is the dashboard and currently
124:29 in the list of router there are no
124:32 router registered
124:34 so we will go to the console of the
124:35 network administrator
124:38 which previously fetched the endorsement
124:42 key credential of the router
124:44 and creates a zip file of this
124:46 endorsement key credential
124:52 then the network administrator
124:55 upload the certificate to the nms
124:58 dashboard
125:04 and we can see now that
125:07 there are
125:08 four new router registered
125:11 but at the moment we didn't uh test them
125:20 then the network administrator can
125:22 proceed to the definition of the trusted
125:24 routing policy and in particular assigns
125:27 for each possible result of the
125:29 integrity evaluation
125:31 a cost
125:33 for the routing table
125:35 the higher the cost the less likely
125:36 is that a router is chosen for the
125:38 delivery of the packets
125:43 then
125:44 the network operator connects the router
125:46 to the network and this is when the
125:48 secure zero touch provisioning is
125:51 activated
125:52 in the first part of the user story the
125:54 router creates an attestation key
125:57 and sends it to the ra server the
125:59 ra server first verify that the tpm of
126:02 the router is a genuine one
126:04 and if it is true
126:07 issue a certificate for the attestation
126:09 key
126:13 in the second part of the user stories
126:16 the router generate a tls key
126:19 and
126:20 associate it to the current software
126:23 configuration
126:24 and certify this tls
126:27 key with the attestation key that it
126:29 previously generated
126:30 and send both
126:33 the tls key
126:35 and
126:36 the csr
126:39 containing this key to the ra server
126:42 the ra server verify the key policy by
126:45 comparing the
126:47 the software configuration with a list
126:50 of reference values for files in the
126:52 router image which are signed by the
126:54 vendor
126:57 if the verification of the key policy is
126:59 successful
127:01 the ra server will ask the nms to issue a
127:03 certificate for the tls key of the
127:05 router
127:06 and send it to the router
127:09 to demonstrate this user story we go to
127:11 the console of the network operator and
127:14 we start a script to connect to the
127:16 routers in the virtual machine and to
127:19 initiate the secure zero touch
127:20 provisioning we can see now in the
127:22 dashboard that
127:24 there are four new endorsement key
127:27 credentials allowed but the
127:29 corresponding router didn't do yet
127:31 the secure zero touch provisioning as
127:33 shown here
127:36 we can see in the bottom part of the
127:39 in the left side
127:41 also the log of the software tpm of
127:43 router 1 and where we see the tpm
127:45 commands executing during the secure zero
127:48 touch provisioning
127:49 now we start the script
128:05 and we will see the list of tpm commands
128:07 executed
128:12 for example we see
128:14 that this command is
128:16 cc certify is executed when
128:19 the generated
128:21 tls key is certified with the
128:23 attestation key
128:27 and also we see
128:29 the cc sign
128:31 command
128:33 that
128:34 is executed in order to sign the
128:36 certificate signing request
128:39 with the tls key and before it is sent
128:42 to the ra server
128:44 now
128:45 the
128:46 secure zero touch provisioning is completed
128:48 for all the router and we refresh the
128:51 web page
128:57 and now we see that
128:59 the router
129:01 claim
129:02 the endorsement key credential
129:04 and all the router successfully
129:06 completed the attestation
129:10 and they have a valid tls
129:12 certificate
129:18 now the network administrator is able to
129:20 monitor the average state of network
129:23 infrastructure because each router
129:25 now has a key and a tls key certificate
129:30 so the nms periodically tried to
129:31 establish a tls connection with the
129:33 router
129:34 and if the configuration of the router
129:37 is the verified one
129:39 then the tpm allow the unsealing of the
129:41 tls key and allows the router to
129:44 continue the tls protocol
129:46 if the configuration on the current
129:48 configuration of the router is not the
129:50 correct one the tpm
129:53 cannot
129:54 allow the router to use the tls key and
129:57 in this case the router sends its
129:59 measurement and the tpm quote to the
130:01 ra server for a precise integrity
130:03 evaluation
130:05 to demonstrate the user story we can
130:07 simply enable the periodic refresh of
130:09 the web page
130:10 of the dashboard
130:13 and
130:14 we enable the refresh every 10 seconds
130:18 now we can move to the bottom part of
130:20 the screen and we will see the tpm
130:22 commands is executed and related to the
130:25 establishment of the tls connection
130:31 here for example we can see the cc
130:34 load command
130:36 that is executed to load the tls key
130:39 we see the definition of the policy
130:42 session in order to unseal the tls key
130:46 and the cc
130:47 sign command in order to perform the tls
130:50 protocol
130:55 in this user story
130:57 the network administrator can also
130:59 enforce the trust-aware routing policy
131:02 since now the nms periodically monitors
131:05 the integrity of each router
131:08 it can also
131:09 update the routing table of each router
131:12 depending on the result of the integrity
131:13 evaluation
131:15 in particular in this case a router 2 is
131:18 found compromised
131:19 and then the routing table of router 1
131:21 and router 4 are updated in particular
131:24 the cost
131:25 for reaching router 2 is 30 as shown in
131:29 the yellow rectangle and now the
131:31 preferred path of the packets is router
131:34 1 router 3 and router 4.
131:38 to demonstrate the user story we connect
131:41 to router 2 as an attacker
131:43 and we will perform an attack
131:45 before that we go to the console of the
131:48 client
131:49 and we check the connectivity with a web
131:51 server
131:53 seems that the web server is reachable
131:56 we will also check in another console of
131:58 the client the preferred path of the
132:00 packet
132:02 and currently the packet will go through
132:04 router 4 router 2 and router 1.
132:08 at the moment we can see on the left
132:10 side in the dashboard that all the
132:12 router are in a good state
132:17 if we move to the right side to the
132:19 output of virt manager
132:21 we go to the
132:23 cpu usage column and we see some peaks
132:26 which are due to the periodic
132:28 attestation
132:30 if we move to the
132:32 network utilization column we see that
132:35 now router 2 is a continuous line
132:37 because this router is selected for the
132:39 delivery of the packets
132:42 and
132:43 router 3 is instead a non-continuous
132:46 line because the network is used just
132:47 for the periodic attestation
132:52 now we will perform an attack on a
132:54 router 2 and we will
132:56 modify
132:58 a system file in a non-authorized way
133:05 at the next attestation
133:07 the nms finds that
133:10 something is wrong with router 2
133:12 but at this point ask the ra server
133:16 to do a verification with the explicit
133:18 attestation
133:20 and this can be shown in the log of the
133:22 software tpm of router 2
133:25 we see the cc
133:26 command
133:28 and since the explicit attestation
133:30 also fails
133:32 and the nms marks router 2 as bad
133:35 and change the router and the routing
133:38 table the cost
133:40 in router 1
133:42 and
133:43 router 4 to
133:46 change the cost to 230.
133:50 now we move to the output of virt
133:52 manager
133:54 and we see that in the network
133:55 utilization column now
133:59 in router 2 we don't have any more
134:01 continuous line but we have a
134:03 non-continuous line
134:05 and
134:06 for routers 2 is router 3 instead we
134:08 have a continuous line because now this
134:10 router is a selected for the delivery of
134:12 the packets
134:14 we have a confirmation of this also
134:16 in the output of the trace route in the
134:19 console of the client
134:21 and of course the
134:23 client again
134:24 connected to the web server
134:32 in this slide
134:33 we show some
134:35 numbers for the
134:37 performance and the difference between
134:39 the tpm 2.0 and the qr tpm for each
134:42 phase of the lifecycle of the
134:44 demonstrator
134:45 for the qr version of the demonstrator
134:47 we use
134:48 kyber for the endorsement key
134:50 dilithium for the attestation key and the tls
134:53 key and a charge under 56 for the other
134:56 algorithm
134:57 we see that when there is intensive use
134:59 of the usage of the tpm
135:02 the qr version of the demonstrator is
135:04 three times slower than the
135:07 version with the
135:08 tpm 2.0
135:11 in this slide
135:12 we also see
135:14 a more detailed view of which
135:16 tpm commands are executed for each
135:19 phase of the lifecycle of the
135:20 demonstrator
135:22 and also the parameters that are passed
135:24 to the tpm
135:26 we see that for most of the tpm commands
135:29 the qr
135:30 version is 10 times slower
135:35 we also evaluated the network
135:38 performance
135:39 by capturing a network of packets from
135:42 one router in the engine
135:44 and checking the source
135:46 and we also
135:47 found
135:49 the time
135:50 from when the nms
135:53 found the compromised router to when
135:58 the packets are diverted
136:00 away from the compromised router and we
136:03 found that
136:04 90.8 percent of the packets were
136:07 successfully diverted away
136:09 from the compromised router
136:11 this plantation percentage is much
136:13 better in for a real scenario for
136:15 example a zoom call of 31 minutes and
136:18 the percentage is
136:19 99.92 percent
136:24 in this slide we saw the quantitative
136:25 kpi
136:26 and for the targeted value we
136:29 used a reasonable pessimistic estimation
136:32 and nevertheless
136:34 our measured value for mod 36 so that we
136:38 satisfy all the quantitative kpi
136:41 the same applies for the qualitative kpi
136:46 conclusion
136:47 in this project we show that the
136:49 migration from tpm 2.0 to qr tpm is
136:52 feasible
136:53 and is fully compatible with a system
136:55 integrity use case of trusted computing
136:57 with reasonable performance impact
137:00 trusted computing and tpm can be used
137:03 certainly in a network infrastructure to
137:06 increment their security
137:08 and also a new
137:10 trust base of the use case can be built
137:12 on
137:14 the one that we defined
137:17 in order to have quantum
137:18 resistance we have to modify the
137:21 entire trusted computing stack from tpm
137:24 firmware to crypto library and tls
137:29 thanks for your attention