Steve Schneider, Director of Surrey Centre for Cyber Security

The Third Future of Cyber Webinar Series — Cyber Security in a Post-Quantum World

Industry Voices Security
Steve Schneider headshot
Title slide that says, “SURREY CENTRE FOR CYBER SECURITY,” University of Surrey, Guildford, Surrey GU2 7XH, UK,” “+44 (0)1483 68 6058,” SCCS@surrey.ac.uk,” “surrey.ac.uk/sccs,” “Twitter: @SCCS_UniSureey,” “For more information, download brochures from surrey.ac.uk/sccs or get in touch by email.”

They keys to keeping data secure in a post-quantum world. 

As we move into a new era of quantum computing, there is growing interest in understanding the future vulnerabilities of current cryptographic techniques. Tune into the Third Post-Quantum Computing Conference, hosted by Surrey Centre for Cyber Security, for the latest thinking on how we can keep data secure in the coming years. 

Show more

You’ll learn

  • The experts’ thoughts on cybersecurity in a post-quantum world and potential impact on existing computing systems

  • Digital divides between those countries that have quantum computers and those that do not, and what this means for cybersecurity on the global stage

  • Whether further advances in mathematics are likely to reveal new vulnerabilities in the algorithms that keep data secure

Who is this for?

Security Professionals Network Professionals

Host

Steve Schneider headshot
Steve Schneider
Director of Surrey Centre for Cyber Security 

Guest speakers

Martin Smith MBE
Chairman & Founder, SASIG
Liqun Chen
Professor, University of Surrey
Silviu Vlasceanu
Senior Technical Expert, Huawei
Roberto Sassu
Senior Security Engineer, Huawei
Adrian Waller
Chief Technical Consultant, Thales Group

Transcript

00:14 right i hope we can hear me fantastic

00:18 welcome

00:19 welcome to the university of surrey

00:21 to our

00:23 uh the surrey center for cyber security

00:26 our first

00:27 real event which is a hybrid event and a

00:30 joint event

00:32 and there's an annoying echo in the hall

00:35 so we have a real audience and we have

00:36 an online audience

00:38 so if if you catch people actually

00:40 looking off to stages

00:43 france center is because we're in the

00:44 real world so it's really good to see

00:47 the people in this lecture theater and

00:49 it's really good to see the numbers that

00:51 we've got online

00:53 so

00:54 as i said a joint

00:56 hybrid event so we're delivering this

00:58 both in real and online uh we've also

01:01 got joint hybrid speakers so we've got

01:03 some real speakers here we've also got

01:05 some speakers online who will be

01:07 talking a really exciting topic

01:10 and before we dive into that i just want

01:12 to remind everyone

01:14 uh the coveted precautions so we gave

01:16 everyone notes for that

01:18 try remember to wear your masks when

01:19 you're moving around master okay when

01:21 you're sitting down when you're eating

01:22 drinking or presenting otherwise try and

01:25 keep masters what we do at the

01:26 university and what we encourage our

01:28 students to do

01:31 without further ado i'd like to

01:33 ask our two

01:35 joint sponsors so professor steve

01:37 schneider and martin smith of the sussex

01:40 so i'm going to ask steve to kick off uh

01:42 with a a couple of slides about

01:45 the university of surrey's cyber work

01:49 steve

01:55 thank you andrew

02:00 so i'm delighted to uh welcome you to

02:03 this uh this hybrid event this is

02:06 the first first of these future of cyber

02:08 security events that we're doing

02:11 for real and so welcome to everyone

02:13 who's

02:14 uh who's physically here and also

02:16 welcome to everyone who's tuning in

02:18 online

02:19 so i'll just say a few words about the

02:22 surrey center for cyber security

02:26 so i'm the the director

02:29 steve schneider

02:30 and

02:33 we we've been here at the university

02:36 as the center for cyber security um

02:39 for well there's been security work

02:42 going on here for nearly two decades we

02:44 set up these at the center in 2014 to

02:46 consolidate cyber research from across

02:49 the the university

02:51 and currently we have about you know

02:54 over 40 academics and researchers

02:57 in the group doing um doing research

02:59 into various aspects of cyber security

03:02 we've got recognition from the national

03:05 cyber security center as an academic

03:08 center of excellence

03:10 both in cyber security research we've

03:12 had that since 2015

03:14 and also more recently in cyber security

03:17 education so we've got a gold level uh

03:21 recognition of that we had that from the

03:23 inaugural um

03:25 and the inaugural um

03:28 roll out of of the acse

03:30 recognition since 2020 we're only one

03:33 one of only four universities that has

03:35 that

03:36 and then we also have a masters in

03:39 information security that's accredited

03:41 by gchq

03:43 and we contribute into standards work

03:46 and i'll just talk a bit about some of

03:47 the

03:48 research areas that we that we cover

03:51 so in terms of our expertise we focus on

03:54 uh well foundations and applications so

03:56 in terms of foundations we look at

03:59 trusted systems systems that are

04:01 resilient um secure privacy and so on so

04:04 we work in areas like verification

04:07 that's

04:08 proving that that systems meet

04:10 particular security

04:12 properties distributed systems for

04:14 resilience

04:15 one of the specialisms of that we've

04:17 been involved in for some time is in

04:20 blockchain and distributed ledger

04:21 technologies

04:23 and then we have

04:24 some strong activity in communications

04:27 and networks and in conjunction with

04:29 the 5g innovation center also at surrey

04:32 more recently we've been looking at

04:34 aspects of social media and how

04:37 how you have to worry about the flow of

04:39 information and the ways in which that

04:41 can be misused

04:42 and we have a very strong group in

04:45 applied cryptography so that's also one

04:46 of our specialisms

04:48 um and that's it that includes the

04:51 post-quantum cryptography work that um

04:54 the today's event is about so that's one

04:57 of the areas that we're um that we

04:59 specialize in and that's what you know

05:02 in part what's led to the topic for for

05:04 today so you'll be hearing more about

05:05 that particular aspect of our work in um

05:08 in the talks coming up in the first talk

05:10 coming up

05:13 and then in terms of the

05:16 application areas the application

05:17 domains

05:19 we

05:20 take these these foundations and we

05:21 apply them in particular areas and the

05:24 areas that we focus most strongly on are

05:26 in transport that's both rail and

05:29 automotive so various security aspects

05:32 um in there

05:33 government so things like electronic

05:35 voting

05:36 digital identity distributed ledger

05:38 technologies use uh use there so that's

05:41 another application domain

05:43 communications i've already mentioned

05:46 clearly very strong security

05:47 requirements in communication systems

05:50 and in finance so electronic payments

05:53 fraud detection uh transactions uh

05:56 digital economy

05:57 so those are the main application areas

05:59 that we work in so we

06:01 look at the stack from foundational

06:04 research through to um through to

06:06 application domains where we

06:09 make a real difference so just one

06:11 example of of this

06:13 in the news recently you may have seen

06:15 in the last couple of weeks

06:16 an attack

06:18 on

06:18 the way in which visa and apple pay um

06:21 interact so we have

06:23 um so this just just broke

06:26 a couple of weeks ago and here is the

06:28 the front page of the bbc website

06:30 website and there's this

06:32 um this news article on researchers find

06:34 apple pay a visa contactless hack and

06:37 you can see on the on the you know front

06:39 page it's even above britney spears at

06:41 that time um really really their top

06:43 story for uh for a while uh that was

06:45 researchers at surrey in conjunction

06:48 with

06:49 colleagues in birmingham discovered this

06:52 at this attack and it's made about 300

06:54 news outlets around around the world so

06:56 this is a way in which

06:58 a

06:59 contactless

07:00 payment transaction can be undermined

07:02 and money can be taken taken out of um

07:06 out of the phone that's got this enabled

07:07 even um even without needing to unlock

07:09 the phone so you know this is a an

07:12 example of the kind of work that that's

07:14 going on here in kind of protocols and

07:16 finance and in fact two of the two of

07:18 the team uh lee and also chris uh here

07:21 in the audience at the moment and joanna

07:23 mariano is the kind of lead from from

07:26 surrey on that so i'll just

07:28 show this as an example of some of the

07:30 research that that goes on here that

07:33 makes makes an impact um out in the real

07:35 world

07:37 so that's all i'm going to say about um

07:40 about the surrey center for cyber

07:41 security

07:42 so now for our co-host

07:45 um martin smith who's going to tell us

07:48 something about the sussex sassic have

07:49 been a wonderful organization to work

07:51 with um here's martin the founder and

07:53 chairman of sassy yeah i've got an echo

07:57 i'm hoping that

07:59 there's about a hundred more people plus

08:01 watching this

08:02 through that screen so hello everybody

08:05 um i don't know is that all working okay

08:09 do we know

08:10 it's perfect well welcome everybody um

08:13 oh i've got some buttons

08:16 i confidently said i knew how to use

08:17 this at the beginning so i'm hoping i

08:19 can

08:20 um yeah

08:23 the cyber security uh sorry the security

08:25 awareness special interest group is a

08:28 networking forum for

08:30 pre-covered it was three and a half

08:31 thousand post

08:33 now it's six thousand um it's grown

08:36 tremendously during the pandemic because

08:39 we went online

08:40 and we've been doing presentations

08:42 online

08:43 uh every day since march 20.

08:46 to cyber security professionals

08:49 was uk may now

08:51 around the world

08:52 it's a cso chief information security

08:55 officer safe zone it's where cyber

08:57 security professionals academics

08:58 government

08:59 suppliers can come together and talk

09:02 with each other about cyber security

09:03 issues

09:05 it's sponsored by a number of

09:07 organizations

09:08 both public sector private sector uh

09:11 corporates suppliers a right mix

09:15 but it's it's a no selling environment

09:17 it's it's a genuine think tank that

09:20 encourages us to address the issues

09:22 which is why i'm so pleased to be here

09:24 today with andrew and steve

09:27 um the opportunity for our community to

09:30 consider things like i know you are

09:32 about where things are going in the

09:33 future is fabulous and i i think we're

09:36 talking about doing more of these

09:37 already

09:38 um so something like today's topic is is

09:41 fascinating and i'm really really

09:42 pleased to be here

09:44 um just as a snapshot next week the week

09:48 after

09:49 all sorts of topics three times a week

09:51 if anybody wants to join in doesn't know

09:53 about sasig go to our website um and

09:56 join us it's all free everything's free

09:58 with the sasig and we cover every topic

10:01 we can possibly think of um that one at

10:03 the bottom there is just the importance

10:05 of being courteous with each other with

10:06 nice with each other when we're doing

10:08 business

10:09 um those are the sorts of issues that i

10:11 like to think about rather than just the

10:13 straightforward

10:14 difficult techy stuff

10:17 yeah we've got the national police

10:18 chief's council uh which is the old acpo

10:21 if you remember the association of chief

10:23 it's all the forces in the country

10:24 coming together

10:26 we've got a major event there if anybody

10:28 wants to come to that it's a real event

10:30 the kia in oval

10:32 that's a free event as well that's where

10:35 we're trying to get the police law

10:36 enforcement to work more closely with

10:38 business to help fight cyber crimes all

10:40 good stuff i think

10:42 thank you for being here

10:44 for inviting me here today uh it's a

10:46 pleasure to be here

10:47 um as i said there's loads of sassy

10:49 people out there that know me if you

10:51 don't know sassig please join in it's uh

10:54 it's a great way to think about the

10:56 whole cyber security conundrum

11:03 thanks martin i thought he was bravely

11:05 going to start giving lee's uh

11:07 presentation

11:09 post quantum photography i was looking

11:10 forward

11:15 um so now it gives me great pleasure to

11:17 invite our own professor chen to um

11:20 kick off the presentations now you're

11:22 doing this as a joint presentation with

11:24 one of your colleagues who's going to

11:25 kick him remotely so we're really

11:26 pushing the boundaries here you've got

11:28 half a presentation in the real and half

11:30 online and so we hope we get that now

11:33 i'm lee chin chen

11:35 and and join with me i have two

11:38 colleagues from huawei sylvia and the

11:40 rebeta they are in munich

11:44 and syria will join me for half of the

11:47 plantation and for a better you will see

11:51 his demos

11:53 and after our

11:55 panelists discussions

11:58 okay let's start

12:00 the talk is about

12:02 post-quantum cryptography and the future

12:06 of trusted computing

12:12 as you all know for cyber security we

12:15 have three major aspects

12:19 security privacy and trust

12:22 security and privacy

12:24 are well known probably people have

12:27 talked about

12:28 them a lot

12:30 and chest

12:32 is

12:34 getting there getting popular and draw a

12:37 lot of attentions recently but

12:40 much less

12:43 mature

12:44 or the

12:45 the well used

12:47 in the world

12:50 what do i mean suggest for computer

12:54 security chester means suggested

12:57 computing

12:58 so trusted computing is try to solve

13:02 a problem

13:03 which let the people generally

13:07 believe

13:08 their computer system behave like they

13:11 supposed to be

13:14 it's a

13:15 very

13:16 simple

13:17 straightforward question whether my

13:20 computer actually do what i think it's

13:23 doing

13:24 but this question is not easy to answer

13:30 just a computing researcher has

13:34 have been doing it for over 20 years try

13:37 to solve the problem

13:39 we actually get solution at least i

13:41 believe

13:44 but

13:44 we are still

13:46 looking for people i use it to benefit

13:49 from it

13:51 so we want to our computer

13:54 to

13:55 to be uh correctly functional

13:58 including our personal device which like

14:01 pcs phones and

14:04 cars even

14:05 and we also want to our remote services

14:08 doing correctly like a bank

14:11 the shops and any cloud service

14:15 providers

14:16 they use their computer systems

14:19 and more recently we also

14:23 consider not only individual device

14:27 individual computer should be

14:30 trustworthy but also the whole system

14:34 including like networks

14:37 for example the swan network

14:41 should be chess worthy

14:45 to build a chesty computing system

14:48 number one things we need to do

14:51 is to choose

14:53 a lot of trust

14:56 we need to starter from somewhere

14:58 yeah

14:59 so loot of chester is

15:02 the first point

15:05 actually we have already seen a lot of

15:08 trusted devices

15:10 they are designed to serve as a loot of

15:13 trust

15:16 i'm sure you have heard some of them if

15:19 uh if not all of them

15:21 like

15:22 uh chested platform module tpm and sgx

15:27 stress zone

15:29 theta

15:30 parental

15:32 c2

15:35 pc m and tc tbcm those are probably only

15:40 available in china

15:42 and

15:43 the very first one is telus's

15:48 hsm i'm sure aginware

15:51 will be able to tell us much more about

15:54 how the

15:56 hsm is used at the root of trust

16:02 let's take a tpm as an example

16:06 tpm also from the uh

16:10 designer tested the pre-adjusted

16:13 computing group which is an industry

16:15 standard body specified tpm

16:18 specifications

16:19 from their point of view tpm

16:22 could be

16:25 everything so not only hardware could be

16:28 the

16:28 firmware or software but the essential

16:32 version of tpm is a very small

16:36 cheaper hardware device

16:39 it is embedded in many of our computers

16:44 particularly for the personal pc

16:47 and a lot of servers as well

16:50 tpm provide a lot of security functions

16:55 the number one security function is

16:58 called attestation service

17:00 so what that means that means tpm

17:04 sitting inside of a computer

17:07 measure the state of the computer report

17:10 the state letter anybody then the meta

17:14 is local or remotely to verify the state

17:19 so this measurement reporting and

17:21 verification solutions is called

17:25 an

17:25 attestation service

17:31 tpm actually work as a cryptographic

17:35 co-processor we also say tpm is a crypto

17:39 engine

17:42 tpm supported

17:44 various crypto algorithms

17:47 basically including asymmetric

17:50 encryption symmetric encryption data

17:53 signatures

17:54 anonymous digital signatures like a

17:57 directory and director anonymous letter

18:00 station bia

18:02 and also message authentication code

18:06 hash function and the key exchanges

18:10 so these slides list

18:12 the algorithms currently tpm support

18:18 but

18:19 when a large-scale quantum computer

18:22 became a reality

18:25 many algorithms from tpm

18:28 will be broken

18:30 so that means

18:31 in quantum computer age

18:34 today's tpm

18:36 will

18:37 not survive

18:38 from quantum attack

18:43 what can we do

18:46 we need a smooth transition

18:49 from today's tpm

18:51 to a future tpm

18:53 that will be secure

18:55 against quantum computer attacks

18:59 that is exactly what the project names

19:03 talk about future tpm

19:06 so future tpm

19:08 is a eu h2020

19:12 project

19:13 so the project including 15 partners

19:17 from 10 different countries

19:20 and both

19:22 surrey and huawei are partners

19:27 so surrey played the technical

19:29 leading role in this project and huawei

19:33 is a very important

19:35 industry

19:36 demonstrator create

19:39 yeah we both join

19:41 this project

19:44 make our

19:46 contributions

19:48 so project start

19:50 in the beginning of 2018 for three years

19:55 so you can tell project project

19:58 have completed but even so the research

20:01 is still angry

20:07 future tpm has a very simple target

20:11 we want to design a quantum resistant

20:15 tested platform module

20:17 so that's when we called qrtpm

20:22 but the project also have a list of

20:25 operations

20:26 of the objectives

20:29 that include a full set of qr crypto

20:33 crafter algorithms

20:35 which should be targeted

20:38 for inclusion in the next generation of

20:42 tpm

20:43 then a

20:45 full range of implementation of tpm

20:48 environment

20:49 so we would like to

20:51 test our algorithms in different tpm

20:55 environment including hardware software

20:58 and virtual machines

21:01 so we also check a runtime assessment

21:04 and the real world user case

21:07 we have three real world user case

21:10 they are the

21:11 mobile payment

21:13 and

21:14 personal activity track and the device

21:17 management

21:18 so device management

21:21 is the one we're going to take example

21:23 to introduce

21:25 you

21:26 in this presentation

21:28 so this

21:30 user case

21:32 was led by my colleagues

21:35 from huawei

21:36 they are server and the roberto that's

21:39 why they became involved in our in this

21:43 plantation and i will let the serious to

21:46 introduce

21:47 this work this user case

21:50 and you will have chance to see the

21:53 demonstration by roberto later

21:56 okay save it you must be somewhere

22:00 yes now the floyd

22:04 thank you lee and um

22:06 good afternoon to everyone

22:09 hi my name is sylvia vlasiano

22:11 leading trusted computing and system

22:13 integrity research at huawei in the

22:16 research center

22:18 and i'm glad to introduce to you our

22:20 contribution to the future tvm project

22:26 as lee mentioned huawei has been

22:28 responsible for the device management

22:30 use case

22:31 which we have modeled on the scenario of

22:34 an enterprise network infrastructure

22:37 this is of course a very familiar

22:39 scenario for huawei as we are also

22:43 one of the biggest providers of

22:45 telecommunication infrastructure

22:48 our enterprise network

22:50 selected for this demonstrator is

22:52 composed of network elements

22:54 particularly routers

22:57 a network management system or nms

23:00 as well as

23:02 endpoints such as laptops and servers

23:06 you can see on the right side of the

23:08 screen

23:09 a diagram which tries to convey

23:12 the relationship between the routers and

23:13 the nms

23:15 practically

23:16 the nms is controlling all the routers

23:19 in the system and is periodically

23:22 monitoring their activity

23:24 sending to them management commands in

23:26 response to certain network events

23:29 our goal with this demonstrator is to

23:31 leverage trusted computing and the

23:33 quantum resistant epm researched in the

23:36 future tpm project

23:38 to influence the routing policy in the

23:40 network

23:41 so that the traffic goes as much as

23:43 possible through trustworthy routers

23:46 only

23:50 so

23:51 why would we need future tpm for our

23:53 scenario

23:55 that is because without hardware

23:57 anchored protection current network

23:59 management solutions have significant

24:01 weaknesses

24:03 these solutions would benefit from the

24:06 introduction of trusted computing and

24:08 future tpm technology to address the

24:10 following aspects

24:11 first weak device identification

24:14 in general the device key is stored in

24:16 these routers or in traditional network

24:19 devices in the device storage on the

24:21 disk and pretty much unprotected

24:25 also software integrity is not monitored

24:29 for example a compromised router could

24:31 ignore management commands sent by the

24:33 nms

24:34 or could influence the routing protocols

24:37 in the network in order to

24:39 mount an attack

24:41 without a trustworthy detection

24:42 mechanism by the network management

24:44 system an attacker can continue to

24:46 perform his actions and the nms and its

24:49 administrators would just assume that

24:51 the router is not compromised

24:54 besides software

24:56 data integrity and confidentiality is

24:58 not monitored either and in particular

25:02 data is often stored in plain text and

25:04 integrity is not verified on the device

25:07 this means that

25:09 when accessed it can

25:12 if it's compromised data can compromise

25:14 uh the actual operation of the entire

25:16 router

25:18 last and certainly not least

25:20 telecom equipment has a very long life

25:23 span of more than 10 years and sometimes

25:26 close to 20 years this means that

25:29 existing product architectures

25:32 must be able to switch to quantum

25:33 resistant algorithms

25:35 when quantum computing becomes practical

25:38 or of course when

25:40 regulations and standards

25:42 mandates so

25:50 after

25:51 introduction of trusted computing in the

25:53 future future tpm technology

25:55 the device management demonstrator will

25:57 offer the following features

26:00 first

26:01 strong hardware based identification

26:04 for this we would leverage the

26:06 endorsement keys and the station key

26:09 that we find in the tpm

26:11 and these will be used to make sure that

26:14 every device has a unique hardware bound

26:16 identity that cannot be forged and

26:18 cannot be copied so we can always be

26:20 sure that we talk to the right device

26:24 second

26:25 we will have comprehensive integrity

26:27 verification or civ

26:29 this is huawei's solution for providing

26:32 load time runtime and offline integrity

26:36 for the programs for the applications

26:39 and the data on the on the router

26:42 and it allows us also to have coarse

26:45 grain runtime integrity

26:47 protection and detection capability

26:50 for

26:51 the main processes that run on the

26:54 system

26:56 based on comprehensive integrity

26:57 verification and hardware identification

27:01 we will be able also to provide secure

27:03 zero touch provisioning to the routers

27:05 this means that when a router will be

27:08 added to the network

27:10 there is no need to rely on a trusted

27:13 operator human operator

27:15 to configure the router or to set up

27:19 trust relationships or even worse to do

27:22 trust on first use for communicating

27:24 with the router

27:27 in the

27:28 precise focus of this event

27:30 we will also offer integration with

27:33 quantum resistant tpm and use of quantum

27:36 resistant algorithms in the entire step

27:39 and based on all these four features we

27:42 will be able to provide finally trust

27:45 aware routing decisions so that the

27:48 network management system can define the

27:50 routing policy in the network based on

27:53 trustworthy information and not based on

27:56 simple assumptions of trust

27:59 according to the focus of this workshop

28:00 and in the interest of time i'll focus

28:03 today only on the quantum resistant

28:05 crypto related work that we have done in

28:07 this demonstrator

28:13 in this slide we are

28:15 outlining the demonstrator setup with

28:17 the software stack

28:19 each component

28:21 is placed in a separate virtual machine

28:23 on top of a hypervisor

28:25 and

28:26 these components such as the nms the ra

28:29 server the routers and

28:32 a test client and web server are

28:35 communicating among themselves through

28:37 virtual bridges

28:38 this

28:39 virtual platform allows us to leverage

28:42 the software tpm that has been

28:45 the software quantum resistant epm that

28:47 has been implemented by one of our

28:49 project partners

28:50 as virtual tpm so we would be able to

28:53 validate

28:54 both scenarios related to traditional

28:56 telecom infrastructure but also to

28:58 virtualize infrastructure such as for

29:00 example nfv or network function

29:03 virtualization

29:05 these components practically behave like

29:09 real routers leveraging the tpm just

29:11 like it would be a physical tpm

29:21 here we are summarizing the

29:22 modifications that we have made to the

29:24 software tpm to work in a virtualized

29:27 environment

29:28 on the right side we see the software

29:30 tpm and the lib tpms components that are

29:34 the back end of the virtualized software

29:36 tpm

29:37 the front end is exposed in the virtual

29:40 machine on the right side

29:42 one of the problems is that

29:44 virtualization components assume that

29:46 the maximum size of tpm commands is 4096

29:50 bytes which is not true anymore with

29:52 quantum resistant epms because

29:55 the commands need to be bigger to

29:57 support the longer key lengths and

30:00 parameters

30:02 thus the components with green label

30:05 have been modified to have a larger

30:07 buffer to store and to transfer tpm

30:09 commands and responses

30:12 between the back end and the front end

30:15 in addition

30:16 components interacting with the quantum

30:18 resistant tpm

30:20 the the components with orange border

30:22 also needed to be modified to use the

30:25 new definition of some tpm structures

30:27 for example

30:29 some

30:30 16-bit integers have been replaced with

30:32 32-bit equivalents

30:35 finally openssl

30:37 has been modified to support quantum

30:40 resistant algorithms for non-tpm crypto

30:43 operations such as for example tls

30:46 channels

30:53 here we are

30:54 giving a few details into the

30:56 performance evaluation of the quantum

30:58 resistant epm

31:00 it is practically highlighting the

31:02 various phases of the demonstrator life

31:05 cycle and of the router operations

31:08 and you see here the router boot time

31:11 which is when the

31:13 router is loading software and software

31:15 is measured and measurements recorded in

31:17 the tpm

31:18 as well as a number of key creation

31:21 steps an attestation key that is used to

31:24 sign

31:25 measurements taken during the boot time

31:27 as well as tls key creation for setting

31:30 up trusted channels with the management

31:33 we also have a tls connection step

31:36 that we highlight and as well the

31:38 operation the tpm operation called quote

31:41 which is reading measurements from the

31:43 tpm and providing them signed for a

31:46 verifier

31:48 what we can see from the numbers is that

31:51 when there is intensive usage of the tpm

31:54 the time of completion of a phase is at

31:57 least three times slower than when when

32:00 we use the quantum resistant tpm

32:02 in some phases such as the router boot

32:05 we don't have so much impact because we

32:07 don't use asymmetric crypto

32:09 however in the other phases we have this

32:12 impact

32:13 still we don't create keys all the time

32:17 and we don't create tls connections all

32:19 the time so the impact is not actually

32:21 as high in real

32:26 life here we also have a slide which

32:30 shows the evaluation of tpm performance

32:34 practically

32:36 oh i think

32:38 yeah

32:39 here we also see the evaluation of the

32:41 quantum resistant tpm performance

32:43 compared with the tpm 2.0

32:46 according to each tpm command that we

32:49 are using

32:50 what can be seen again the commands are

32:52 listed according to the phases that i

32:54 showed earlier is that each individual

32:56 command is actually

32:58 on average 10 times slower with a

33:00 quantum resistant tpm

33:10 reaching the conclusions

33:12 the lessons learned from this

33:13 demonstrator are that

33:15 migration from tpm 2.0 to the quantum

33:18 resistant tpm is feasible and it is

33:21 fully compatible with the system

33:23 integrity use cases that we have for

33:25 trusted computing

33:27 also the performance impact despite

33:29 being

33:30 reasonably high at the

33:32 at the individual level of the

33:34 operations it is in the

33:36 entire solution reasonable and we expect

33:39 that it can only be improved with real

33:42 life implementations

33:44 also tpm and trusted computing are again

33:47 validated as a foundation for system

33:50 security and this time in network

33:52 infrastructures

33:53 and also new trust-based use cases such

33:56 as trust aware routing can be built on

33:59 top of them

34:01 last but not least quantum resistance

34:03 must be implemented across the entire

34:06 trusted computing stack

34:08 from the tpm firmware itself to the

34:10 crypto libraries and to the tls

34:12 connections that are used in

34:14 communications because as we know

34:17 security is as strong as our weakest

34:20 link so therefore we need to make sure

34:22 that across the entire stack we have

34:24 quantum resistance

34:28 my last slide would be about a few

34:30 industry thoughts

34:32 about migrating to a quantum resistant

34:35 world

34:37 huawei is a device vendor first of all

34:40 and what i can say is that device

34:42 vendors can implement quantum resistant

34:44 cryptographic standards once they will

34:46 be available however we need to realize

34:50 that long life devices manufactured

34:52 today

34:53 will need to comply first with today's

34:55 standards and national regulations

34:58 still

34:59 they would need to survive in expected

35:02 quantum computer times perhaps 10 plus

35:05 10 or more years later

35:07 and this while always remaining

35:09 compliant to the regulations of the day

35:13 this makes the so that migration path to

35:16 quantum reaction cryptography is not a

35:18 very easy one

35:20 there are uh the various national

35:22 organizations such as the nist the

35:25 german bsi or the national cyber

35:28 security center in the uk have put out

35:31 certain migration guidelines

35:34 that are useful

35:35 mostly for customer organizations

35:37 however there is not so much guidance

35:39 useful for the vendors that produce

35:42 devices

35:43 in

35:44 in the case of the vendors we are uh

35:47 often looking at hybrid approaches in

35:49 which we would use quantum resistant

35:52 cryptography as well as non-quantum

35:54 resistant cryptography in a combination

35:57 so that we get the best of both worlds

35:59 or at least that that would be the hope

36:02 however this is a sub-optimal solution

36:05 it has cost disadvantages and it impacts

36:08 the performance as well as making it

36:11 more complex to manage the devices

36:14 what's most challenging in my opinion is

36:18 to migrate the hardware anchored routes

36:20 of trust to quantum resistant primitives

36:23 and that is because

36:25 while for software we could imagine

36:28 cryptographic agility which allows us

36:30 with the software update to change the

36:32 cryptographic algorithms that are used

36:35 this is not really an option for routes

36:37 of trust that rely on immutable

36:39 algorithms and keys practically fixed in

36:42 hardware

36:43 and

36:44 one of the biggest challenges that i

36:47 would expect to to have is

36:49 how we can

36:51 recover in case one of the chosen

36:54 quantum resistant algorithms or its

36:56 implementation is later found to be weak

36:59 and i'm referring to these harder anchor

37:01 roots of trust

37:02 so that's why i believe we need to

37:05 rethink cryptographic agility into a

37:07 more comprehensive concept and i would

37:10 call that cryptographic resilience which

37:12 would be the ability

37:14 to

37:15 change the cryptographic

37:17 primitives at the lowest level of our

37:20 roots of trust at our

37:22 security foundations in case we would

37:25 have the need

37:27 and with this i conclude my part of the

37:29 talk i would invite you to follow our

37:32 demonstrator after the the event it will

37:34 be played as a video and i hand over

37:37 back to lee thank you

37:39 thank you

37:44 all right

37:45 let's see what

37:47 future tpm

37:48 project and

37:51 tell us

37:52 the project at least from my point of

37:55 view

37:56 is run at just the right time

38:00 because the quantum

38:03 computer is coming although we don't

38:05 know when yet but we believe it's coming

38:08 and

38:10 post-quantum cryptography research

38:13 is

38:15 is getting popular

38:17 and the more applications from other

38:20 side is

38:21 more application about chester computing

38:24 devices like a tpm

38:27 is also developed and the gpm is

38:30 invented in

38:32 very large number of computers is pretty

38:35 much everywhere even for those computers

38:38 they are not

38:40 have a specific chip called tpm but they

38:43 have a different names

38:45 shape with similar functions

38:48 so that means the time is correct

38:51 but also project phaser

38:53 face a very big challenge

38:56 because the quantum resistant

38:58 cryptography is not yet mature

39:01 it's still in a very early stage

39:04 particularly

39:06 the standardization worker in this field

39:09 is just the beginning and nist is

39:12 leading the this

39:15 quantum post-quantum crypto activities

39:18 but we still need to wait a few few

39:21 years for mr selected the first set of

39:25 algorithms

39:27 so

39:28 that means

39:29 we cannot wait we have to

39:33 make our actions the project

39:36 is

39:37 now complete but

39:40 our work is still carry on

39:45 we actually find there are bigger bigger

39:48 room

39:49 to improve our work

39:52 including algorithms design

39:55 implementation

39:57 as serial

39:58 indicated

40:00 the algorithms we choose is still much

40:03 slower than today's computer so we need

40:08 improve the algorithm design and

40:10 implementation

40:12 we also need to

40:15 work closely with standard bodies and

40:19 try to find what we can

40:22 recommend to industry and our

40:25 the users

40:27 so for our

40:29 the project partners we closely work

40:32 with nist some of our partners are

40:35 involved in the

40:37 and pkc computation some of us involved

40:40 in tcg and in iso iec standard

40:45 the last thing is

40:47 we

40:48 strongly feel we need more

40:51 research

40:52 projectors to carry on our mission

40:56 luckily we got a few other fundings

41:00 in this field

41:01 one eu project called a suit that is

41:07 using tested computing technology

41:10 to

41:11 enhance security in ict systems so this

41:16 is another three years project funded by

41:19 eu and we have 14 partners from 10

41:23 different

41:24 countries

41:25 we have interesting user cases as well

41:29 this is including smarter manufacturing

41:32 smart cities smarter aerospace and

41:36 smarter satellite communications

41:40 we have another project which is

41:42 recently started

41:45 this is also h2020 project

41:48 called the second

41:50 that is

41:51 to build the security and the privacy

41:54 solution

41:55 for internet of things device

41:58 this is also three years project started

42:02 on september this year

42:05 so we have 20 partners from 10 european

42:09 countries

42:13 in this project our user case is focused

42:17 on healthcare security

42:21 data protection

42:23 so we set up

42:25 some special user case

42:28 in the healthcare ecosystem

42:36 although we have

42:38 a very good research team and put a lot

42:42 of

42:43 a lot of effort in this area

42:46 but we still strongly believe

42:49 there are many challenges

42:51 for secure computing

42:53 tested computing the

42:56 research

42:57 so

42:59 in one on the one side we need to build

43:03 a strong load of trust

43:05 in the other side we need to find

43:08 a

43:09 a writer at a station service

43:12 and also we have to face challenges for

43:16 tested computing practice although tpm

43:20 and the various

43:21 uh chested devices

43:23 have been embedded in our computer

43:26 sitting there but not actually many

43:29 people notice them many people use them

43:31 we need to build a lot a lot of

43:34 applications and we also need to let the

43:38 user knows how to use them hopefully

43:41 those applications we will they are

43:44 robust enough and they are

43:46 flexible enough

43:48 ideally they are transparent to users

43:51 they will not have to be noticed but

43:53 they just benefit from that

43:56 i think that's all

43:58 we need to talk

43:59 thank you very much thank you savior

44:02 thank you roberto

44:04 thank you professor chen

44:08 and thank you sylvia um online we did

44:11 get all of your slides and your voice it

44:12 was it worked faultlessly um so

44:16 please be reassured i know how awful it

44:17 is giving a webinar to a blank screen

44:19 and wondering if you've still got an

44:20 audience i'm just a reminder to the

44:23 people

44:24 online we have about 100 viewers online

44:27 to put your questions

44:28 into the q a we're going to deal with q

44:30 a at the end we're going to have a panel

44:32 session rather than do them presentation

44:34 by presentation so we've had a couple of

44:36 questions already in uh keep asking

44:39 questions we'll store them up and then

44:40 we can give deliver them to the whole

44:42 panel um for those in the audience here

44:44 write down your notes uh remember that

44:46 question you're going to ask because by

44:48 the end of the presentations you'll be

44:51 wondering what what you were thinking of

44:53 earlier so uh keep remembering those uh

44:56 now for our next one it gives me great

44:57 pleasure to uh invite uh adrian waller

45:00 from tales uh adrian over to you

45:04 see if this works

45:08 okay so hi everybody i'm adrian waller

45:10 from tallis

45:12 so i'm going to

45:14 give a fairly short presentation so the

45:16 main aim of this is to firstly introduce

45:18 why is post-quantum cyber security

45:20 relevant for talus as a company

45:23 and

45:25 then what have we done about it and

45:26 where have we got to

45:28 and then at the end it's a

45:30 little bit into where we see the main

45:32 gaps going forwards or where we think

45:34 more research and work needs to be done

45:37 so firstly um you may or may not have

45:39 come across tallis maybe you have um so

45:42 we are a large

45:43 multinational engineering company so the

45:46 main thing is that we we make things and

45:48 integrate things

45:50 we work in these areas

45:54 so the first one is digital identity and

45:56 security is the most obvious area where

45:58 post quantum

45:59 matters because this is the part of the

46:01 business that makes cryptographic

46:03 products and i'll give a slide on that

46:05 in a minute

46:06 um

46:08 but all of the other areas that we work

46:09 in uh will be significantly affected by

46:12 the problems of a working quantum

46:15 computer that can break the algorithms

46:17 that we use today

46:19 so the main issues that we have is

46:21 all of these systems that we produce for

46:23 say defense aerospace etc tend to be

46:26 very long-lived um it's not unusual to

46:29 have um systems

46:31 in place for 40 years

46:33 so if we are thinking now of building

46:35 such a system

46:36 and that's well within the time frame of

46:38 you know working quantum computers etc

46:40 so we really need to know what we're

46:42 going to do about it for those

46:44 and the other big issue is that not only

46:47 that

46:47 they are quite hard to change

46:49 so it's not a case of i will just wait

46:51 and see and then we'll just swap

46:53 something out and that's fine

46:55 these things you know for various

46:57 reasons mainly because a lot of them are

46:58 safety critical they are hard and it's

47:02 generally unwise to make a lot of

47:03 changes to them

47:05 so this is definitely a pressing matter

47:07 for this

47:09 in all of these areas

47:11 just a quick slide on the kind of the

47:14 crypto products bit so um the main thing

47:17 to note here is that it's very wide and

47:19 varied

47:20 so we do lots of different things that

47:22 range from um

47:23 [Music]

47:24 very high performance um hardware

47:26 security modules and encrypters that sit

47:28 in you know data centers etc

47:31 and down to really small things and in

47:33 particular things like sim cards um

47:35 e-sims that sit in your mobile phones

47:37 where so

47:39 very varied and

47:40 how you make use of post quantum

47:42 algorithms etc is very different in all

47:44 of these situations

47:49 so firstly slide on so i'm from talus uk

47:52 research

47:53 so based in reading so this slide is on

47:57 what we've been doing in this area since

47:59 in fact 2013 is when we first started

48:01 working on this

48:03 um

48:04 our main focus is on not developing new

48:06 algorithms that's not the thing that we

48:08 do

48:09 we're very interested in

48:11 can we use those algorithms in our

48:13 products and services etc

48:15 and in particular this second bullet

48:17 point

48:18 talk out say industrialization of

48:20 solutions so it's not just about oh

48:23 there's an algorithm um how do we

48:25 actually

48:26 implement make use of that and etc in

48:29 our systems and particularly for talus

48:32 embedded systems is a real focus

48:36 so i've put a few examples of

48:38 bits of work that we've done there so

48:40 just briefly mention

48:41 so as i say since 2013 we've done quite

48:44 a bit of work on analyzing different

48:46 candidates for quantum safe algorithms

48:49 um we had this um european project save

48:52 crypto from 2015 to 2019

48:56 so in that one we were looking at um

48:58 tallest we're looking at a satellite use

48:59 case

49:00 and making use of uh quantum safe ipsec

49:03 so we worked out how to

49:05 to do that and implement it and we

49:07 implemented i just mentioned the hybrid

49:09 key exchange using conventional and

49:12 quantum safe

49:13 the idea being that you're kind of

49:14 hedging your bets in case the quantum

49:16 safe algorithms are turn out to be not

49:18 secure

49:20 we've done some other bits of work such

49:22 as quantity based quantum safe identity

49:24 based encryption

49:26 um outside of the crypto itself

49:29 an interesting thing is this quantum

49:31 threat assessment so this is how do you

49:33 determine

49:35 how much at risk are you from a quantum

49:37 computer where is it and what might you

49:39 need to do about it so

49:41 we've helped developed like an internal

49:43 methodology for that

49:45 and also we are active in standards and

49:47 in particular the etsy standards group

49:49 here and i'll talk more about that later

49:52 just to mention that one of my

49:53 colleagues is currently secretary of

49:54 that working group

49:58 so in the the wider talus

50:00 i think um two main things to notice so

50:03 um

50:04 even though we in the uk don't do

50:05 algorithm development they do in france

50:08 and one of the candidates for this nist

50:10 competition which is the kind of the

50:12 main competition for developing

50:14 the algorithms that we will use that are

50:16 quantum resistant

50:17 so

50:19 palace is one of the authors of one of

50:20 those candidates falcon

50:23 and

50:24 can you actually make use of quant post

50:26 quantum solutions in products today so

50:29 we have at least one example which is

50:30 this lunar hsm um the box you can see

50:34 there um and in the related high speed

50:37 encrypters where um these stateful hash

50:39 based signatures are available as an

50:41 option if you want to use them today

50:47 okay

50:49 so so that's kind of where we are so

50:51 what are the next steps or the main

50:53 challenges

50:57 so

50:58 people have mentioned already today so

51:00 to lee and someone have mentioned about

51:03 um there's a lot of work on developing

51:05 these quantum resistant algorithms

51:08 um the main thing is this nist

51:10 competition in the us which although

51:12 it's the us it's really the de facto

51:14 world um effort in producing these

51:16 algorithms

51:18 um it's now reached it's getting close

51:20 to completion i think it's still got

51:21 another couple of years left

51:23 um but it's reached a stage where we

51:24 have some

51:26 i guess reasonably mature

51:28 um algorithms in these areas and i've

51:30 just listed them up there so

51:32 so it's getting close to completion

51:36 one thing i've noted at the bottom

51:38 something called the

51:40 most of the algorithms are based on the

51:42 the same kind of underlying mathematical

51:44 hard problems the lattice based

51:46 so a potential issue is that are we

51:48 putting say all our eggs in one basket

51:51 and do we need a wide variety so they do

51:53 have some what they call alternate

51:55 algorithms from different categories so

51:57 that may be one area but at the moment

51:59 that is based

52:00 seems okay

52:02 and from a tally's point of view so

52:04 we've tried out all of these algorithms

52:06 probably um and certainly in a wide

52:09 variety of products and in most cases

52:11 from our application point of view

52:13 can it meet the requirements that

52:14 everything is kind of fine really um

52:17 there's no real problems with one

52:19 exception which is my next slide

52:22 what's the main issue from the algorithm

52:24 point of view from our i think it's them

52:26 it's really that the digital signature

52:28 algorithms have

52:29 well relatively large signatures and

52:31 certainly compared to the algorithms

52:33 that we use today

52:34 um in most cases that can be coped with

52:37 and but there are a few cases where it

52:39 doesn't quite meet the application

52:40 requirements so two that we're aware of

52:43 in talus

52:44 so some of the work that we did in telus

52:46 uk was on this satellite use case

52:48 and there the we were looking at the

52:51 command and control channel from the

52:53 ground up to the satellites

52:55 and that channel has very low bandwidth

52:58 so the issue is that sending

53:00 signed messages becomes much much longer

53:03 these signature sizes make a significant

53:05 difference

53:06 so we kind of worked out that it was

53:08 kind of borderline acceptable with the

53:09 current candidates but it's not ideal

53:12 um we noted that uh there is an

53:15 algorithm called bliss

53:16 um which wasn't actually entered into

53:18 the nist competition but funnily enough

53:21 uh then

53:22 met the requirements for that use case a

53:24 lot better so that is one option maybe

53:27 that's a something that should be

53:28 revisited or another alternative

53:32 and the other main area where this is a

53:34 problem is for very limited processes

53:37 and here we're looking at things like

53:38 sim

53:39 and e7s or very limited microcontrollers

53:43 and we have found that some of these

53:45 signature candidates in fact

53:47 in some cases all of them can't be

53:48 implemented on some of our platforms um

53:51 this is because of the fact that the

53:52 keys and signatures are much bigger and

53:55 things don't fit in the realm available

53:57 so there are two ways to approach this

54:00 so nist have already aware of some of

54:02 these issues and they've has said

54:04 at their last um

54:06 i guess conference that

54:08 they may consider looking at algorithms

54:10 with smaller signature sizes and maybe

54:13 that's a good approach

54:14 um but the other way to look at it is

54:16 that maybe in fact

54:18 um within the next 10 years our hardware

54:21 will improve so this isn't a problem

54:22 anyway um this is probably almost

54:25 certainly the case for things like sims

54:26 that uh you know

54:28 within the time scales that we'll need

54:30 to implement some of these things that

54:31 maybe the hardware will improve that's

54:33 not a problem

54:34 but it's certainly an issue that we need

54:36 to consider

54:41 so looking at a different track so

54:43 slightly away from the algorithms um

54:46 looking at what's happening in the etsy

54:49 this is cyber qsc working group so they

54:52 have a different focus so they're not so

54:54 much looking at

54:55 developing algorithms they're looking at

54:57 how can we use them and what might be

54:58 the issues for industry

55:00 so

55:01 this fits more where i guess we'll tell

55:03 us a mostly focused

55:06 so

55:07 so mainly they are kind of following the

55:08 outcomes of the nist competition but

55:11 producing standards to help us make use

55:13 of those algorithms in real use cases

55:18 so some examples of some of the recent

55:20 work so previous talk mentioned

55:22 migration so there is a technical report

55:24 from etsy

55:26 kind of

55:27 which covers some of these issues of how

55:28 do we

55:29 do this thing of migrating to quantum

55:31 safe

55:33 and i'll come back to that in a second

55:34 at the bottom of the slide

55:36 um there is some work on things like

55:38 this hybrid thing how can we do that so

55:40 if you don't fully trust the quantum

55:42 resistant algorithms you know what are

55:44 ways to make sure we can combine them

55:46 with conventional just to

55:49 give you a bit of breathing room in case

55:50 there's a problem

55:52 um there's some work on a wider class of

55:54 algorithms that nist are not currently

55:56 looking at so identity-based encryption

55:58 in particular

56:00 which

56:00 is not used a lot but it does have some

56:03 important use cases particularly in

56:05 public safety communications

56:07 which is an interest to tell us

56:10 and just note the last one that

56:14 they've noted that a lot of the

56:15 information around the algorithms in the

56:17 nist competition is a bit kind of um

56:19 hard to find or it's not all in one

56:21 place so they produced one simple report

56:24 um so if you wanted to find information

56:25 on those algorithms that's where to look

56:29 i think the most important thing from

56:31 i guess my antalya's point of view where

56:33 we think there's a gap is on this

56:34 migration problem and i was really

56:36 interested to see that that was

56:37 mentioned in the last talk

56:39 so

56:40 some work has started so in etsy they're

56:42 looking at a particular use case of

56:44 intelligent transport systems to try and

56:47 look at what are the problems and try

56:48 and work through them of how you might

56:50 do it

56:51 um nist have also noted this and are

56:53 starting an activity um to look at this

56:55 in a much more widely so they're looking

56:57 at wider use cases and what kind of

57:00 tools might be helpful

57:02 and i think i would stress that this is

57:04 probably the big challenge so it's not

57:06 enough to have the algorithms but how do

57:08 we actually work out

57:09 how do we make sure we you know change

57:12 all the systems that we have in such a

57:13 way that's not disruptive and so on um

57:16 to migrate to those

57:20 and my last slide then

57:23 so is just to point out it's not all

57:25 about cryptography when we're thinking

57:26 of quantum computing in cyber security

57:30 i freely admit on this next slide if it

57:32 comes up

57:36 to

57:36 to not to be

57:38 in a slight state of ignorance in um on

57:40 this topic of quantum computing more

57:42 generally but most of the interesting in

57:45 quantum computing is not because of

57:47 cryptanalysis and cryptography is

57:49 because of optimization problems machine

57:51 learning etc

57:53 so obviously those um we have those kind

57:56 of problems in cyber security

57:58 um i've just listed a few examples down

58:00 on the from a defender's perspective at

58:02 the bottom so things like detecting

58:04 attacks

58:05 and we have like

58:07 um optimizing your security

58:09 architectures to on

58:11 for against various criteria um at a

58:13 kind of an enterprise level there's you

58:15 know finance investment strategy kind of

58:17 problems

58:18 and there are cryptography related

58:20 problems things like prng construction

58:23 or maybe even side channel analysis

58:26 so

58:27 i think i'll leave this with an open

58:30 question maybe there is

58:31 you know more work on this but uh

58:34 i don't think it's that well known at

58:36 the moment

58:37 how will that affect cyber security and

58:39 the real issue here for me is i think

58:41 you know obviously these things can help

58:43 the defenders and the attackers but in

58:45 you know is there kind of an advantage

58:47 for one or the other or not and and how

58:49 do we work with that in the future

58:52 and

58:53 i think that's it so i've become

58:54 slightly

58:56 early but maybe made up a good time

59:02 [Applause]

59:05 thank you very much perfect timing

59:06 actually um keep the questions coming in

59:08 online so those of you who are watching

59:11 uh keep keep the questions coming in

59:12 we'll catch up at the end uh those of

59:14 you in the theater write them down so

59:16 you don't forget and there's a lot of

59:18 lot of interesting stuff coming forward

59:20 now

59:20 um for our next talk a real pleasure to

59:23 um invite professor tim spiller from

59:26 university of york professor of quantum

59:28 information technologies really looking

59:29 forward to this one

59:31 tim over to you

59:35 afternoon everyone who's here and

59:38 virtual actually this is the second

59:40 event i've been to i went to one in

59:41 glasgow a couple of weeks ago and it

59:43 really is nice to actually

59:45 go to a physical event again

59:47 uh

59:48 what i'm going to do is give you a very

59:51 quick overview of quantum technologies

59:54 and a potential advantage tell you a bit

59:56 about what's going on

59:58 in the uk

59:59 in that and uh

60:01 comment a little at the end about the

60:03 particular impact

60:05 for security some of which you've heard

60:07 already so

60:10 so there's a whole spectrum of quantum

60:12 technologies kind of every quantum

60:15 sorry every technology sector has the

60:17 potential where uh there could be some

60:20 advantage gained and

60:22 the fundamental feature of quantum

60:24 technologies is that they utilize

60:27 some

60:28 fundamental feature of quantum physics

60:31 and there are different ones that

60:32 underpin

60:34 various of the technologies that i'll

60:35 mention in a minute and

60:38 because

60:40 because they utilize fundamental

60:41 features of quantum physics they

60:43 actually manipulate and and whether it's

60:46 communicate store process or whatever

60:48 information in

60:49 uh

60:50 in a rather different way from

60:52 conventional i t

60:54 and in certain cases that means that

60:57 that there is

60:58 a potential if you use

61:00 these properties such as superposition

61:02 entanglement or whatever that you can

61:05 actually do something

61:07 which goes beyond any capability

61:14 so there are advantages that can be

61:17 achieved not everywhere but in some

61:19 places and so people you may well see

61:23 that the term quantum advantage referred

61:25 to in some cases so very quickly

61:28 that's certainly clicked through a few

61:32 okay so the first one

61:33 computing you've already heard mention

61:35 of quantum computing the thing about uh

61:37 quantum superposition is it means you

61:39 can have many different states of a

61:41 quantum system coexisting all in

61:43 parallel at the same time and so hand

61:45 wavingly if those are states of a

61:47 computer you can process many different

61:50 computations

61:51 in an individual device a quantum

61:54 computer at the same time and if you can

61:56 combine all of those parallel

61:58 computations and extract something

62:00 interesting at the end then there is

62:01 potential to significantly speed up and

62:05 in some cases exponentially speed up

62:08 certain uh computations that can be done

62:11 and and you've heard that there are

62:13 there are various things that can be

62:14 done uh there are very positive things

62:16 simulation and modeling and those may be

62:18 done with actually relatively small

62:20 quantum computers cryptanalysis we'll

62:23 come back to that uh and you've already

62:25 heard it mentioned that's a kind of

62:26 threat if you like in in the

62:29 security domain uh and there are so

62:32 there's a whole host of quantum

62:33 algorithms

62:35 that have been devised uh

62:37 at the minute where we are with the

62:39 hardware is that if you like

62:41 there isn't one winner there isn't a a

62:44 particular way forward i'm sure you've

62:46 heard that google and ibm are both

62:48 working on super conducting qubits there

62:50 are other projects pursuing doing

62:52 content computing with light you can use

62:54 other bits of condensed matter uh little

62:57 defects in diamond can be used as

62:59 quantum bits so there's a whole host of

63:02 different candidates and there isn't one

63:04 favorite way forward yet and they are

63:06 just at the point where they've

63:08 demonstrated in certain cases and with

63:10 certain problems

63:12 so

63:13 there's still a long way before this

63:14 becomes a threat there's an awful lot of

63:16 work to be done to build quantum

63:18 computers big enough that that threat

63:20 would become real the crypto analysis

63:22 threat but because of the progress and

63:23 because quantum advantage has never been

63:25 demonstrated at least the threat is

63:27 thought now to be real

63:29 okay so next thing that was computing

63:32 sensing and measurement and things if

63:35 you take quantum states of it might be

63:37 light it might be matter

63:39 then you can potentially uh

63:41 image your senses more accurately than

63:44 you can do

63:45 with the same kind of device if it's

63:48 just a conventional device so that might

63:50 be imaging you might be able to image

63:51 things with greater precision or you

63:54 might be able to sense things such as

63:56 gravity so people uh

63:59 oops

64:02 come on

64:05 yes okay so in the sensing case you know

64:08 this example here if you've actually got

64:10 some some resource where uh

64:13 two light states photons or whatever are

64:15 entangled if you bounce one of them off

64:17 an object and then recombine you may be

64:19 able to

64:21 to resolve things about that object more

64:23 accurate than you could in

64:27 if you were using that light if it's

64:28 like

64:29 in

64:30 in conventional resources and and people

64:33 have thought so probably light and atoms

64:35 are the main candidates for this uh you

64:37 would use light if it's energy you might

64:39 use atoms if you're trying to sense

64:42 gravitational field variations and

64:44 things like that but you also might have

64:46 little nanomechanical devices that

64:48 vibrate that could be used to sense

64:50 other external fields such as electric

64:53 magnetic fields and so on so

64:55 so the message is that there could be a

64:57 quantum advantage in sensing an image

64:59 from constructing new new devices there

65:03 so the one i'm really interested in and

65:05 it's the one that i work on mostly these

65:06 days is communications and

65:10 the idea there that is if one sends

65:14 quantum signals uh

65:17 from

65:17 the usual to people at uh alice and bob

65:20 if one sends quantum signals then if

65:23 anyone tries to intercept those

65:25 the the other fundamental feature of

65:27 quantum physics that kicks in is that

65:29 there will be an irreversible

65:30 disturbance

65:32 and that's not just because they're a

65:33 bit clumsy that's built into nature so

65:35 that's not avoidable even in the future

65:37 that's a fundamental part of quantum

65:39 physics and so you can kind of see that

65:41 if alice sends quantum things to bob

65:43 anyone happens to have a look in the

65:44 middle then they will introduce

65:46 disturbance so you can know that that

65:48 interaction has

65:49 and

65:50 uh the quantum

65:52 medium that we use uh for quantum

65:55 communications is light it doesn't

65:57 necessarily have to be down optical

65:58 fibers although a lot of it is it could

66:00 well be through free space

66:02 and i'll briefly mention both of those

66:04 so so that's a very quick tour of of

66:06 quantum technologies

66:08 because of the potential in 2013 the uk

66:11 government decided to start a whole

66:13 national pro so i'm not going to talk

66:14 through quite a few of these slides in

66:16 detail but i just want to illustrate for

66:18 you that in 2013 there was a big

66:20 investment made

66:22 in the uk which which involved uh very

66:25 many uh

66:27 activities but if you like the

66:28 centerpiece that was set up at that time

66:30 were four technology hubs

66:33 that were pursued that would pursue

66:35 technology development in in the

66:37 relevant uh areas of

66:40 of quantum technology so that

66:42 program was set up started in 2014

66:45 the initial investment was about 270

66:48 million from uk government and that was

66:50 augmented with with uh with various

66:53 other bits and pieces and then there was

66:55 a renewal of the program uh from 2019 to

66:59 2024

67:01 uh with further government money and and

67:03 also a significant proportion of

67:06 industry-funded projects through

67:07 innovate uk where industry makes a

67:10 significant contribution and the rough

67:12 figure now is that over a 10-year period

67:14 there's been an investment of of about a

67:17 billion pounds

67:19 that's including the industry

67:20 contributions as well as uk government

67:22 so it's a very substantial effort and as

67:25 i said the centerpiece is

67:27 is

67:28 in the technology development is really

67:30 the four hubs that were formed and they

67:32 cover pretty much all the technology set

67:34 sectors that i mentioned so there's one

67:36 that basically works on sensors and

67:38 timing and mostly uses atoms and that's

67:42 led by the university of birmingham

67:44 there's one that works on imaging

67:46 so clearly they use light that's led by

67:48 the university of glasgow

67:50 there's a computing and simulation hub

67:53 and and in the

67:55 first phase they focus mainly on iron

67:57 trapping but they've now diversified and

67:59 they include other platforms including

68:01 superconducting qubits and so on and now

68:03 if you like they now have an outlet

68:05 because there is also a new national

68:07 quantum computing center that's being

68:09 built at harwell near oxford so that

68:11 will be a physical building and if you

68:13 like that will be one tech transfer

68:15 route for the

68:17 computing and simulation hub and then

68:19 there's a quantum communications hub

68:21 which deals with secure communications

68:24 in the quantum world and that's the

68:25 thing i lead from york so so those are

68:27 the four hubs i just wanted to show you

68:29 this each hub will show you a very

68:31 similar picture

68:33 so when i talk about a hub led by the

68:35 university of york we have 10

68:37 of the order of 10 university partners

68:39 across the uk

68:41 we have numerous industry partners and

68:44 national laboratories and so on and and

68:46 so each of the four hubs has focused the

68:49 uk

68:50 expertise no matter where it is into a

68:52 large distributed project and so

68:55 so in our case these are all our

68:57 partners who are working uh with us on

69:00 on quantum communications

69:02 and

69:05 state

69:07 most of what we've done actually over

69:09 the over the period of uh since we

69:12 started 2014

69:14 has focused on one thing if you like

69:17 which is the most mature quantum comms

69:19 technology at the minute which is

69:20 quantum key distribution and what

69:22 quantum key distribution enables

69:25 is that it enables

69:28 secure sharing of a key between two

69:30 parties and

69:33 as i say the

69:35 the hint that you can do something like

69:37 that is that if alice sends quantum

69:39 things to bob and someone has a look in

69:41 the middle uh there is a guarantee that

69:43 some of those quantum signals will be

69:45 disturbed and there's a very clever

69:48 protocol based on that whereby alice and

69:50 bob can then uh exchange ordinary

69:53 information which doesn't have to be

69:55 secured

69:57 and

69:58 they can develop a shared secret key

70:01 between them and and once they've got

70:03 this key it can clearly be used as

70:05 ordinary symmetric keys for whatever

70:07 application you can use symmetric keys

70:09 for that's fine uh

70:12 the one thing i should stress uh is that

70:15 quantum key distribution does need some

70:18 authentication it cannot bootstrap

70:20 itself from nothing so if alice and bob

70:23 have never met before then

70:25 something has to be used to authenticate

70:27 and so perhaps it should have been

70:29 called quantum key expansion but in the

70:31 end quantum key distribution was the

70:33 phrase that won so so there has to be uh

70:36 some authentication as well which might

70:38 be through some pre-shared key but it

70:40 may well involve uh collaboration if you

70:42 like with use of quantum post quantum

70:45 cryptography or quantum safe

70:47 cryptography and so

70:49 but

70:50 if you combine those two uh as i'll

70:52 comment then i think that's the way

70:53 forward for

70:56 quantum safe communications in in in the

70:59 long term

71:05 okay so

71:07 i'll just highlight a couple of things

71:09 so in the first five years of the hub

71:12 which ran from 2014 to 2019

71:16 we pursued many uh parallel uh

71:19 projects if you like and i'll just

71:22 highlight some that are particularly

71:24 relevant for uh

71:26 for security so we we've built in in the

71:29 uk the first uh quantum network

71:32 and and i stress that this is

71:35 is a network of of trusted nodes so

71:38 there are quantum key distribution links

71:40 between points that you have to trust so

71:43 the guarantee is you can detect

71:45 eavesdropping between these trusted

71:47 points but at the trusted points you

71:49 have to have uh you have to have

71:51 conventional and physical security and

71:54 and so we've we've got a network around

71:57 bristol uh one around cambridge we've

72:00 got a link from cambridge to to bt's uh

72:04 adastral park r d headquarters and and

72:07 we're using bits of the national dart

72:09 fiber facility to actually can

72:11 construct a link between bristol and

72:14 cambridge as well so that's one thing we

72:15 did we've pursued small handheld devices

72:19 that have the potential to have a

72:20 quantum transmitter in your phone of the

72:23 future and a quantum receiver in the

72:25 wall

72:26 and and so that work is now quite mature

72:29 as well we put stuff on chip

72:32 so so some of our partners are focused

72:35 on with a view to future

72:37 commercialization putting both quantum

72:39 transmitters and receivers on ship and

72:41 there was a spin out that came uh during

72:44 phase one from our partner at the

72:46 university of bristol called quetz

72:48 that's focused on on putting quantum com

72:51 stuff on on chip

72:53 we also participate in standards work

72:55 that's already been mentioned there is a

72:57 parallel etsy uh standards working group

72:59 on on quantum key distribution

73:02 and hub partners have been actively

73:03 involved in that for for many years now

73:06 so that's a bit of a snapshot of

73:08 of what we've done uh over the past five

73:10 years and then moving on from that uh

73:14 oops

73:18 moving on from that we're now in what's

73:20 called phase two of the uk national

73:22 program which is 2019-2024

73:25 and we're continuing a lot of the work

73:28 that we've done in in phase one in

73:30 particular we're we're expanding our our

73:33 network and we're looking about

73:35 combining within that network uh quantum

73:38 key distribution and post quantum

73:40 cryptography uh

73:43 we're doing further work on standards

73:46 more work on chip based stuff

73:48 the handheld work is maturing we're

73:50 looking if you like people have used the

73:53 phrase in the future that could be a

73:55 quantum internet there's an awful long

73:57 way to go before that but taking some

73:59 first steps towards that one thing you

74:02 would absolutely need before you can do

74:03 anything distributed in quantum is to be

74:05 able to distribute quantum entanglement

74:08 in a reliable way and so we've we've

74:10 done some uh significant progress on on

74:14 that probably the biggest thing that

74:16 we're doing in in phase two is that

74:19 we're looking at a demonstration to do

74:21 a quantum key exchange between a small

74:23 satellite and a ground station because

74:26 in the future if you want to get

74:27 worldwide with quantum communications

74:31 then satellite would seem to be a very

74:32 good way to do it in that you can do an

74:35 exchange in one place you can let the

74:36 satellite go elsewhere and then do

74:38 another exchange in that model you'd

74:40 have to trust the satellite but

74:42 nevertheless that seems pretty much the

74:44 only way you're going to get quantum

74:45 signals from one side of the world to

74:47 the other so

74:49 so that gives you a very brief overview

74:51 of what we're doing in the hub

74:54 and i just want to close with

74:57 some comments about uh the particular

75:00 impact for

75:01 for information security so you've

75:03 already heard about the threat from

75:05 quantum computing and and

75:08 at what point should one worry about

75:09 that well

75:11 if you're sending encrypted data around

75:14 at the minute that could be vulnerable

75:16 when a quantum computer comes along then

75:18 you should be worried now if the

75:20 security shelf life

75:22 and the retooling time for your secure

75:24 hardware if the sum of those two things

75:28 actually exceeds the time to

75:30 uh google or whoever producing a large

75:32 quantum computer then maybe you need to

75:34 be worried now about that so we know

75:37 about the quantum threat and when that

75:39 actually kicks in i think depends on on

75:42 uh how long you want your information to

75:44 be

75:45 secure

75:46 i've mentioned very briefly new quantum

75:48 sensors they'll enable us to uh

75:51 and image things more accurately than we

75:54 can at the minute but

75:56 despite both of these two things

75:59 then uh there are and as i said quantum

76:03 key distribution is the most advanced

76:05 there are

76:08 now quantum means that are resistant

76:11 with a guarantee to both of these so no

76:14 matter what

76:15 the adversary or eavesdropper has in the

76:17 future to throw at you if you use

76:20 quantum key distribution

76:22 uh

76:23 modulo the authentication matter that i

76:25 mentioned then you have a guarantee that

76:27 you are proof against these two things

76:30 now we've heard quite a lot about

76:32 the new mathematical techniques

76:34 the the

76:35 the mathematical uh algorithms that are

76:38 certainly immune to shaw's algorithm

76:40 which is the main threat at the minute

76:42 up here

76:43 but are thought to be immune to

76:45 algorithms that might emerge as well

76:47 although

76:48 it was noted that everything seems to be

76:50 focusing on lattice-based approaches

76:53 which might concern me because

76:55 presumably peter shaw and all his

76:57 buddies are also now thinking about that

77:00 would be the appropriate place to

77:01 develop a new algorithm so i think it

77:03 would be good to have a basket of

77:05 algorithms which

77:07 uh i know that this process is

77:08 developing so that we will have

77:10 potential immunity

77:12 to just one new algorithm in the quantum

77:15 domain period but anyway

77:18 the fact is i think that because we have

77:20 both of these

77:22 uh both of these capabilities then the

77:25 the way forward may well mean that we

77:27 combine the two of them

77:29 to future quantum safe communications so

77:32 i'm going to stop there and and

77:36 if i could put up a last slide if people

77:38 are interested in further reading there

77:39 are various links there and i'm happy

77:41 for these slides to be shared as well

77:45 thank you

77:47 [Applause]

77:52 thank you tim and thanks for coping with

77:54 the microphone i hope people got

77:57 online got

77:59 the

78:00 um

78:01 the presentation that tim gave um

78:03 certainly

78:05 after the first few minutes we did so

78:06 that's great um keep the questions

78:08 coming in um we've got some interesting

78:10 questions starting to appear uh keep

78:12 questions uh here

78:14 so this is the point where we go to q a

78:18 um and for that i'd like to

78:20 reinvite the panel

78:22 um both online i'm hoping we can

78:25 assemble the online panel if not we have

78:28 three real world panelists

78:30 so tim lee

78:32 and adrian

78:34 if you want to grab a chair

78:36 over there

78:38 social distances is making this a

78:40 slightly uh slightly challenging

78:42 prospect

78:45 space your chairs out to your comfort

78:47 level

78:50 um you've heard each other's

78:51 presentations um we've got a uh several

78:54 questions coming in online uh we'll hope

78:57 to do the um the demo from uh the the

79:00 talk from

79:01 ali at the end if we can re-establish

79:04 um the question is whether we can

79:05 establish an ava online uh panel as well

79:09 um if not we'll proceed here

79:13 well let's just crack on and hope the

79:15 the technical glitches sort themselves

79:17 out i mean one of the things that

79:19 occurred to me seeing your presentations

79:22 was that there was an awful lot of work

79:23 to do

79:24 um and in a relatively potentially a

79:27 relatively short space of time

79:30 um with the likes of google ibm

79:32 promising million bit

79:34 million million qubit computers by the

79:36 end of the decade whether you

79:39 think that's realistic or not

79:41 um

79:42 when do you think the effects of uh

79:45 quantum vulnerabilities will actually

79:47 start to be felt

79:49 um and i'll go to our

79:52 real world panel first i see we've got

79:54 the online panel i'm hoping that they

79:56 can hear us

79:57 um

79:58 if you can raise your hand when you want

79:59 to talk just so i can keep it

80:01 coordinated lee you you were first off

80:03 tomorrow i think that the time is now

80:06 is not anywhere uh later

80:10 like tim mentioned

80:12 if you have data you encrypted

80:15 and

80:16 today we don't have a large scalable

80:19 quantum quantum computer be able to

80:21 break your data but your data is

80:24 publicly available anyway so

80:27 if anybody correct your data i don't

80:29 want to say who but they can

80:32 later on to

80:35 let later on they can

80:37 break your data that's the one thing the

80:39 other thing from my point of view is

80:43 people lost the chest

80:45 the chest is very important for cyber

80:48 security

80:49 because the quantum compute

80:51 computer were coming one day and if we

80:54 don't do anything and

80:56 then the trust in cyber security

81:00 where we lost if

81:02 nobody trusted

81:04 us then we kind of lost so that's why i

81:07 think castrati is there already

81:10 so the time is now and people happen now

81:13 got a later yeah the problem of um

81:15 acquiring encrypted records now with the

81:18 view that in years to come they will be

81:21 able to decrypt them and sort of do uh

81:23 reverse attacks and that that being done

81:26 by some governments in the world who are

81:28 that this was done as far back as the

81:30 second world war where we were um we and

81:32 others were acquiring records and then

81:34 with the intent of being able to decrypt

81:36 them in the future it becomes quite a

81:38 vulnerability so okay um

81:41 jim adrian any comments on on that

81:43 i would just endorse that i mean i i

81:45 think it's very hard to predict

81:49 when a quantum computer will emerge i'm

81:52 on my slide i mentioned

81:54 mike mosca uh

81:56 waterloo in canada who's come up with

81:58 that

81:59 eq inequality

82:02 i think he has tried to make estimates

82:04 of

82:05 probabilities of a large quantum

82:08 computer existing in 10 or 20 years and

82:12 so then you you know that

82:15 those probabilities are not small

82:17 but they're not one either but then

82:20 you've got to ask the question

82:22 how worried are you about the long-term

82:24 security you know if if they are very if

82:26 it's very sensitive information at the

82:28 minute

82:29 then i think you should be concerned if

82:32 it's something that will be redundant in

82:33 a couple of years time if exposed at

82:35 that point then clearly you don't care

82:37 yet but

82:38 but i think the threat is now

82:40 sufficiently big the if it's if it's

82:43 important data that you want to keep

82:46 secure for a long time i think the

82:48 threat exists there so there's an

82:50 interesting subtlety to that which

82:52 who are likely to be the first users of

82:55 large-scale workable quantum computers

82:58 and they're likely to be few in number i

83:01 i don't want to repeat the sort of the

83:03 the ibm only needs five computers sort

83:06 of mistake but the first

83:08 high qubit working

83:10 quantum computers are likely to be owned

83:12 by governments or very large

83:15 i.t corporates so there won't be many of

83:17 them around initially so that kind of

83:20 shapes of you know where the where the

83:22 problem is going to come from um

83:25 it's not going to be the kind of thing

83:26 that the average bedroom hacker has

83:28 access to

83:30 one imagines

83:32 probably not but

83:34 there will be lots of steps before that

83:36 where modest size machines that are

83:38 useful for research purposes or or

83:41 perhaps running optimization algorithms

83:43 and that exist

83:45 and then of course if you can network

83:46 those together you end up with a bigger

83:48 more powerful machine so so i agree it's

83:51 likely the very big ones are likely to

83:53 be owned by governments or whatever at

83:55 first but

83:56 but there may be other ones out there at

83:58 more modest scale that might still

84:01 play a role

84:03 adrian any thoughts to add to that and

84:05 then i'll come to our online panel see

84:06 whether we can get to get that working

84:08 just to add that

84:10 people i'm talking about encryption but

84:12 it

84:12 the problem is not just encryption even

84:14 now and it was mentioned in one of the

84:16 talks about the roots of trust and so on

84:19 so certainly for things like in our

84:20 safety critical systems that last a long

84:22 time

84:23 you know again we need to be thinking

84:25 about this now when we are thinking

84:26 about it now which is a good thing

84:28 so it shouldn't go away with just

84:30 thinking oh i don't encrypt stuff i'm

84:31 not worried about long-term encryption

84:33 therefore i'm okay i think this is a

84:35 general problem

84:37 um for anyone who uses cryptography

84:38 really

84:40 so hearing a very clear and resounding

84:42 now is the problem we'll come on to the

84:44 what uh

84:46 what can people do about it

84:48 let's go to the online panel see whether

84:50 we can get any of them um talking i

84:53 can't control this so um if

84:57 if one of you wants to make a comment

84:58 can you raise your hand just that i can

85:00 uh get our

85:02 audio people to make sure that you're

85:04 audible

85:06 uh anyone want to make a comment

85:09 um

85:11 at least from our perspective it is the

85:13 right time to look at this not only from

85:16 the algorithm perspective but really for

85:18 how we can prepare to adopt these

85:20 algorithms in in our systems

85:23 and indeed one of the points i made was

85:26 that routes of trust produced today need

85:28 to be resistant tomorrow but also roots

85:31 of trust from tomorrow need to be

85:32 resistant for even longer time so it's

85:35 incredibly hard to make this transition

85:38 and to to make the decision on which

85:40 algorithms to use

85:41 and i guess once we would have some

85:44 standards

85:45 i still hope we will have some time

85:47 before uh quantum computers are indeed a

85:50 threat that would allow us this time to

85:53 to

85:54 to make sure that we know how to adopt

85:55 the algorithms correctly so yeah i think

85:57 we need a lot of time and the time is

85:59 right now

86:02 let's go to ali um you were going to

86:04 make a point

86:06 see if we can hear you

86:10 can you hear me now i can't hear you go

86:12 ahead

86:13 yes um sorry i said i had technical

86:16 issues at the beginning so i couldn't

86:17 hear the question if you could please

86:19 repeat it i'll be more than happy to

86:21 answer uh okay so this is about um

86:25 when do we need to start worrying about

86:27 um the the impact of uh

86:30 quantum computing on the world of uh

86:32 cryptography cybersecurity and so forth

86:36 true um i mean nsa started worrying

86:40 since 2015 right when they made the

86:42 announcement about

86:43 the quantum threat being a real threat

86:45 and

86:46 asking this to follow with a

86:48 standardization process for post-quantum

86:50 cryptography so i think that um

86:53 we we kind of like identified this as a

86:56 community cyber security cryptography

86:58 that it is a real threat given as uh

87:01 you know

87:02 panelists already mentioned uh

87:04 you know the long lifespan of some uh of

87:07 our sensitive data um that we need to

87:11 get ready for it so i think that um we

87:13 kind of like all agreed on this and um

87:16 nist is about to announce the um the

87:19 actual standards by the end of the year

87:21 um i think that the

87:23 the question now is uh for people and

87:26 for you know for large corporates and

87:28 and and all stakeholders how to get

87:30 ready for or how to transition to the

87:32 new standards

87:34 and that is a challenging

87:36 task and challenging phase

87:39 a lot of people don't know where to

87:41 start from

87:43 because

87:45 i guess nobody remembers last time when

87:47 we had to change all the public key

87:49 cryptography because we never had to

87:52 and it's the first time that we're

87:53 changing all the public key cryptography

87:55 layer and our cyber security and when we

87:57 started it was largely uh you know for

88:00 communications and between governments

88:02 etc and now you have cryptography

88:03 literally everywhere and public key

88:05 cryptography in particular is you know

88:07 in your bank card in your car key

88:09 literally everywhere so

88:11 um i think that the real challenge now

88:14 is the transition phase and uh the

88:16 preparation for uh like putting road map

88:19 for transition to

88:21 uh post quantum cryptography i heard uh

88:24 also uh panelists talking about qkd and

88:27 the likes i think that it has niche

88:29 application and

88:32 it it will be used where it is suitable

88:36 it's not a replacement of public key

88:38 cryptography

88:39 for many reasons

88:41 but i could see them working together in

88:44 the near future i guess

88:47 thank you ali um roberto so um a new

88:50 member of the panel uh part of the

88:52 huawei team um

88:54 what are your views on um whether we

88:56 need to worry so far we've got five

88:58 votes in

88:59 uh as now uh what are your views

89:04 also in my opinion uh

89:06 we should start to worry

89:08 about it now

89:10 because

89:13 there are many many aspects

89:16 of the transition uh from non-quantum

89:19 computer to quantum computer and one of

89:20 these is also the

89:22 technical problem

89:25 because

89:27 we have the experience from the future

89:29 tpm project that

89:32 is not immediate to integrate a quantum

89:34 resistant algorithm into

89:36 the current software

89:39 so we experience a

89:41 number of challenges

89:43 and

89:46 so when we

89:47 when we want to

89:50 to predict the

89:51 transition time from non-quantum

89:53 computer and to quantum computer

89:55 we also need to to

89:58 to

89:59 consider

90:01 the effort for adapting the software

90:04 this is from my personal experience

90:07 thank you thank you um

90:10 so um i'm gonna come back to the real

90:12 panel and and do the what and as um tim

90:14 pointed out you know that

90:16 we're worried about uh

90:18 largely one particular form of attack in

90:20 the shaw uh algorithm but as jim pointed

90:23 out there's nothing to stop additional

90:25 clever mathematicians coming along and

90:28 designing new algorithms that are going

90:29 to uh threaten other parts of the the

90:32 cryptographic world um but getting to

90:35 the question of what should we do so in

90:37 practical terms given the scale of some

90:40 of the technical challenges that we're

90:42 we've talked about we've alluded to this

90:44 afternoon um

90:46 what can

90:47 our audience um who are largely security

90:50 experts who are working in large

90:53 enterprises uh and starting to worry

90:55 about this as a

90:57 as a potential threat of the future

90:59 people have

91:00 those who've been around for a few years

91:02 remember y2k

91:03 people are talking about q2k now um and

91:07 that we've got a few years grace but but

91:10 what can we do practically now

91:13 um adrian do you have a view on that

91:16 put you on the spot

91:17 definitely the first thing to do is this

91:19 kind of

91:20 thorough quantum threat assessment i

91:22 kind of mentioned this

91:24 briefly in my talk but this is to

91:26 highlight to everyone in your

91:27 organizations

91:28 what would be the actual risk

91:30 um if you know working quantum computer

91:33 was available and the algorithms you're

91:34 relying on

91:35 um become you know insecure and i think

91:38 the first thing that

91:41 will become apparent is how embedded now

91:44 cryptography is in everything that we do

91:47 so if you did this kind of thorough

91:48 assessment you'd find that you know

91:50 pretty much everything that you're

91:52 currently relying on would become a

91:53 problem and that should be a red flag

91:56 you know for your organization to say

91:57 that yeah we really need to start

91:59 really thinking about this it's not just

92:01 uh you know like y2k in some sense maybe

92:05 was you know over hyped but uh if you

92:08 consider what the issues are for this

92:10 then yeah i think you that would

92:12 highlight why it's really a problem

92:14 thanks adrian tim do you have a

92:17 any advice

92:20 no i i think i'll just endorse that i

92:22 mean i think the most important thing is

92:24 to do an assessment at the minute and

92:26 clearly

92:28 the post quantum options will be

92:30 decided relatively soon

92:32 and then

92:34 with a longer term view i think it may

92:36 well be

92:37 quantum solutions as well that can offer

92:42 can offer some some help maybe they will

92:45 be applied in certain cases in

92:48 in the first instance i mean the

92:49 technology is still quite expensive

92:52 so it's not something that i think could

92:54 be very widely deployed now but but

92:58 you know service providers like bt are

93:00 now running trials of this for certain

93:03 cases so i think

93:05 i think there will be an offering in

93:07 that direction from

93:09 from

93:10 you know industry soon and so then it

93:13 may be a matter of actually

93:15 looking at what the options are but

93:18 certainly in the short term it seems

93:20 people should be looking at the pqc

93:23 options

93:24 because these aren't quick transitions

93:26 are they not when they're routed in from

93:28 tpns to switches to

93:30 um you know the whole infrastructure has

93:32 potentially got to be looked at

93:35 and it's not something we can do

93:36 overnight it's going to take years to

93:38 ripple through

93:40 that's certainly true

93:42 but as i say i think it's worth it it is

93:44 interesting now that the big service

93:47 providers are now

93:48 becoming

93:50 aware of quantum solutions and trialling

93:53 them and looking at them

93:56 thank you lee any any

93:58 afterthoughts on that

94:00 yeah i only i only want to add the one

94:02 thing is i think the whole industry

94:05 should be work together but actually now

94:07 industry is working together it's it's

94:10 take time like

94:12 every everyone else said

94:14 for a tpm as an example the original tpm

94:18 design taken many years and the transfer

94:22 from isa to elliptical curve also took

94:25 many years

94:26 now tpm

94:28 the specification designs over 20 years

94:31 but the use tpm is just started so for

94:36 transfer this to the quantum resistant i

94:39 expected many years as necessary

94:42 but now the good thing is the industry

94:45 already noticed that the the research

94:48 community is also noticed that so that's

94:50 good thing

94:52 thank you thank you right well i'm going

94:54 to ask the same question to our online

94:55 panel in the same orders just so we know

94:58 what can people do what what should the

95:00 experts be do uh sylvia if i can come to

95:03 you first

95:05 actually that's a wonderful question and

95:07 it's a question i've been asking myself

95:10 as well and trying to make other

95:12 experts also ask themselves

95:14 just imagine that it's not about the

95:17 switch to quantum resistance but imagine

95:20 that tomorrow some somebody publishes a

95:23 catastrophic vulnerability in rsa or in

95:26 ecc

95:27 and we have lots of devices out there in

95:29 the field which you will not be able to

95:31 just update even if we would have an uh

95:34 let's say a replacement algorithm simply

95:36 because at their at their

95:39 most fundamental level these algorithms

95:41 are burning hardware for example for

95:43 securely booting their firmware there's

95:45 always a key in the boot rom and some

95:48 code which is fixed and you will not be

95:50 able to update that so that means you're

95:52 vulnerable and that that's not related

95:55 to quantum computers at all it can

95:57 happen for any other algorithms and it

95:58 can happen even after we might have

96:01 standardized some quantum resistance

96:03 algorithms as well

96:04 so what i believe we need to do is to

96:07 think

96:08 how we can find ways to to allow us to

96:12 change the crypto primitives from their

96:14 most fundamental level in devices and

96:18 have the ability to change them

96:20 perhaps to some algorithms that are not

96:22 yet known or not yet standardized at the

96:25 time when the devices are produced and

96:27 if we would find ways to do this and

96:29 perhaps do it by relying on

96:32 rather simpler

96:33 cryptographic primitives that have the

96:36 chance to to withstand

96:37 also

96:39 let's say attacks that that we would be

96:41 uh expecting then that would give us a

96:43 chance to migrate yeah so for example we

96:46 have today some some

96:49 initial standards around quantum

96:51 resistant crypto which are not nist

96:54 standards they're ietf standards and

96:55 they they rely on xmss extendable merkle

96:58 signatures and

97:00 for example they are relying in on hash

97:03 functions they are very simple

97:04 constructions

97:05 can we use such algorithms to allow us

97:08 to migrate

97:09 other

97:10 algorithms in the stack

97:12 in the future can we do something that

97:15 would allow us to to

97:18 to change even those devices out there

97:20 in the field that cannot be changed

97:21 easily i think

97:23 that's the kind of thinking we should

97:25 have

97:26 thank you thank you uh ali um you know

97:29 pq shield uh you started this company

97:32 with uh some of these

97:34 answers to these questions in mind what

97:36 are your thoughts on what we should be

97:37 doing

97:40 yeah a great question actually

97:42 um i mean as as a company uh heavily

97:45 involved in the next standardization

97:47 process

97:49 and

97:50 building products and software and

97:52 hardware and

97:54 communication

97:55 and decryptive messaging etc i think

97:57 that

97:59 we've seen

98:00 a

98:02 great change in in in um

98:05 in terms of

98:08 you know people that we were talking to

98:10 in 2018

98:12 were asking okay so what what is post

98:14 quantum crypto and why do we need it and

98:16 and now there are um

98:19 actual customers and partners that are

98:22 um

98:23 trying and uh

98:25 puts quantum crypto in

98:28 in software and in hardware as in fpgas

98:32 and have clear road maps for uh for for

98:35 silicon so

98:36 um people are aware of of of this threat

98:39 and they're putting road maps for this

98:41 they understand uh if they are designing

98:43 a product that is gonna uh go out to

98:46 market in three four years and and stay

98:48 there for 15 20 years then they need to

98:51 do the the preparation now and they need

98:53 to take post quantum crypto into

98:56 consideration uh now so i think the um

98:59 things have have changed a lot and

99:01 people are a lot more aware of of uh the

99:04 quantum threat uh we struggled a lot

99:07 explaining to people the difference

99:09 between uh post-quantum crypto and

99:12 uh qkd and qrng and

99:15 you know um

99:17 it's a lucky and unlucky field because

99:20 there's lots of hype around quantum

99:22 computing and

99:24 um uh yeah

99:27 but i think that we've moved a long way

99:29 now and people are uh following nist and

99:32 the translation process etc i don't

99:34 think that we can do everything like i

99:36 mean um i i heard uh our friend

99:39 mentioning how can we do you know risk

99:41 mitigation i think that

99:43 there's no ideal solution

99:45 we we have some sort of

99:48 risk assessments and and

99:50 and uh

99:51 cryptography is just a you know a tool

99:54 to mitigate the risk uh can we just you

99:57 know

99:58 bring it to zero it's it's impossible um

100:01 there are there will always be attacks

100:03 and vulnerabilities uh they come

100:06 together software and hardware will come

100:07 with

100:08 vulnerabilities um

100:10 even when when it comes to qkd and

100:13 quantum computing and and everything

100:16 around it we've learned this you know

100:18 there's no perfect solution when you

100:20 deploy it in the field it's impossible

100:22 to for it to be perfect there will be

100:24 ways to to to go around it and what

100:27 we're doing here and you know in terms

100:29 of cryptography is to use the the best

100:31 uh tools that we've got now we we we

100:35 know that rsa is effectively broken

100:37 analytical crypto is effectively broken

100:40 um we should not stick to these two

100:43 algorithms for for long we should just

100:45 move to something that we know that it's

100:47 not

100:48 you know it's not broken we don't know

100:49 of any album that can break it um but

100:52 that's

100:53 you know

100:53 that's the best that we we can do now i

100:55 guess um and um as i said um

100:59 stakeholders already

101:01 moving to uh put clear road maps for

101:04 transition to post quantum crypto

101:08 i'm going to come to our audience for

101:10 our next question in a minute but before

101:11 we do that i wanted to give roberto a

101:13 chance

101:14 for any additional insights on what's

101:16 already been said about what we should

101:17 do next

101:18 how would you roberto

101:20 uh yes uh from my point of view um

101:24 one of the problem is

101:26 this long time for standardization which

101:28 is

101:29 absolutely needed because we need to be

101:31 sure that

101:33 the argument that would be standardized

101:36 are secure

101:38 but

101:39 from the software point of view if

101:42 tomorrow

101:43 the centralization body said

101:46 the algorithm is ready we still

101:50 need to integrate them so in my opinion

101:52 one way to

101:54 reduce the time for the

101:56 migration would be to

101:59 do experience with the version of the

102:01 algorithm that we have now that

102:04 maybe they are closer to the final

102:06 version maybe not but

102:08 uh

102:08 they are uh

102:10 closer than uh the lsa algorithm for

102:15 example

102:17 so when we integrate a controversial

102:19 algorithm into the tpm for example we

102:22 we see that

102:24 the storage

102:25 needs to be

102:26 increased and so

102:29 if we we make experience with uh the

102:32 current version of the algorithm then

102:34 later

102:35 uh it would be easier for us to

102:38 to

102:40 enhance the software with the

102:42 the final version of the algorithm

102:48 so um a chance for

102:50 any of those burning questions in the

102:51 audience um

102:53 anyone want to ask the panel

102:56 a question

102:57 raise your hand and and shout loudly

103:01 i'm looking everyone's looking

103:04 quiet

103:06 i shall refer back to my online audience

103:09 who are busily

103:11 putting in questions

103:13 um

103:14 i mean this question about how long uh

103:17 things might take to both both correct

103:20 for the perceived threat

103:21 but i've got a question here which is um

103:24 we talk about qr crypto agreements um

103:27 are we able to robustly test them and

103:30 how long will they be resistant for and

103:32 is that an impossible question to answer

103:35 [Music]

103:37 it's kind of related to to some of the

103:39 questions that were asked uh some of the

103:40 points that we made earlier um

103:43 any views on that

103:45 the sort of testing regimes what can we

103:46 do to make sure that the

103:48 uh

103:49 the resistant

103:52 candidates that we're playing with stand

103:54 the test of time or should we just give

103:56 up on that

103:58 no we we were not a gave up the test

104:01 means a lot of different

104:04 aspects

104:06 like nist

104:08 have

104:09 pqc

104:11 the

104:12 activities they don't want to say this

104:14 is the competition but actually is a

104:16 competition the testing is let the whole

104:20 cryptographic

104:22 community

104:24 to attack it to attack all the

104:26 algorithms and if they

104:29 if they can survive from those various

104:32 attacks and they have been tested

104:35 and then also we have some performance

104:37 testing like rewriter and the service

104:40 doing

104:41 in this performance

104:43 evaluation and to set testing how good

104:46 how bad if they are implemented in the

104:49 real world those are the testing from my

104:51 country

104:54 tim adrian any additional thoughts on

104:56 that

104:57 well i mean clearly the threat at the

104:59 minute is shaw's algorithm but the

105:02 unknown is are the other algorithms

105:04 which might be

105:06 devised in the future

105:08 that

105:09 that clearly have to utilize quantum

105:12 parallelism in

105:13 some way like shaw's algorithm does i

105:16 think to get that speed up it's going to

105:18 have to do that but that's an unknown

105:20 but but clearly

105:22 you know a candidate doesn't even become

105:24 a candidate if it's not already

105:26 presumably tried and tested against

105:27 short outlet

105:29 and so

105:32 i think those who are expert in the

105:34 mathematics have

105:36 reason for thinking that there will be

105:38 robustness of these algorithms that are

105:40 being devised against quantum attacks

105:43 but it's there's no proof i don't i

105:46 think it will be very hard to prove

105:48 that that somebody can't devise another

105:51 algorithm in the future

105:53 but i think there are there are

105:55 mathematical underpinnings that make

105:56 people have confidence these algorithms

105:59 will at least stand

106:00 some test of time

106:02 certainly against sure

106:04 like algorithms if there was something

106:06 that was utilizing quantum parallelism

106:10 but i i i'm not aware that there's any

106:13 proof

106:15 so if i give the pump but we might be

106:17 entering a sort of period of uh

106:18 cryptographic uncertainty

106:21 in the future

106:23 adrian

106:24 yeah but just to add to that that we've

106:26 always been in a situation of

106:27 cryptographic uncertainty that

106:30 there's nothing different here i think

106:32 the key thing is that you know as leo

106:34 said that

106:35 to the best of the techniques that we

106:37 know today these algorithms have been

106:38 thoroughly tested and then we'll be in

106:40 the situation as we are with our current

106:42 algorithms of maybe someone comes up

106:44 with a new clever method that

106:46 something that we've lived with for

106:48 many years and will continue to live

106:50 with

106:52 thank you okay i'll go to our online

106:54 panel any any thoughts on the question

106:55 i'm hoping you're hearing the answer and

106:57 the questions um i'll go around again if

107:00 you don't want to answer just say sylvia

107:02 any

107:03 thoughts on this

107:06 i guess just two comments from my side

107:09 testing is of course important

107:11 especially because uh these algorithms

107:13 did not

107:14 benefit from

107:16 uh the extended timelines that

107:18 cryptanalysis uh had a disposal for

107:22 other algorithms in the past and second

107:25 let's not forget that besides the

107:27 algorithm itself

107:29 very often problems are found in

107:30 implementations and

107:32 there is always the challenge of

107:35 deciding when an implementation is

107:36 sufficiently good

107:38 that's

107:40 a general software related

107:42 challenge and

107:44 we need to

107:46 reach a point where we have

107:48 sufficiently good implementations

107:50 available uh easily and openly so that

107:53 people can use them with confidence so

107:55 yeah testing also the implementation is

107:57 very important

107:59 ali any any any thoughts to add to that

108:02 yeah i think that testing never stops

108:04 right um

108:06 once we have a

108:08 enough level of confidence you start

108:10 using cryptosystems but testing really

108:13 never stops i mean one of the oldest

108:15 crypto libraries is openssl and we still

108:18 every couple of years have a

108:20 devastating flow uh they're right

108:23 although

108:24 probably all software engineers and

108:26 cryptographers have looked at it

108:28 at some point in their career so testing

108:30 really never never stops and as they

108:33 they

108:34 you know um

108:35 clearly mentioned that it's also about

108:37 the implementation once you implement

108:39 things then um i mean there are there

108:42 are the crypt analysis that happens at

108:43 an algorithmic level and mathematical

108:45 level and there is the uh there are the

108:47 bugs and the the

108:49 implementation flaws and attacks that

108:51 attack the implementation and this is a

108:53 full range of of of attacks uh i think

108:56 that the confidence in the mathematical

108:58 foundation

109:00 is strong enough to believe that

109:03 the likes of your algorithm will not

109:05 apply to it and that's a mathematical

109:07 thing we know the rsa and three discrete

109:10 logarithm problem come from come from

109:12 one family uh of mathematical problems

109:16 and uh the for instance lattice problems

109:18 come you know they don't belong to that

109:20 family and so far since 1996 you know

109:23 all quantum

109:25 computing people

109:26 didn't manage to find i mean not just

109:29 for cryptography

109:30 it's not like we we've we've had i don't

109:32 know 100 quantum algorithms so far it's

109:35 really difficult to build a a quantum

109:37 argument that where you can actually

109:40 um

109:41 you know

109:42 take advantage of of all the nice

109:45 features that uh not just the

109:46 parallelism but also the quantum

109:48 interference etc so that you can

109:50 actually

109:51 build something that is faster than

109:53 classical

109:54 algorithms it's it's really challenging

109:56 and difficult um but i think that the uh

110:00 what comes with testing is the crypto

110:02 agility you need to be crypto agile da

110:05 when you want to tune the parameters uh

110:08 because of the advances in crypto

110:10 analysis which is going to be expected

110:12 that this is something possible um in

110:15 software so that's that's the best way

110:17 to to handle this i guess

110:20 thank you roberto any additional

110:22 insights on that

110:24 uh yes uh something uh on top of what i

110:28 said

110:29 that

110:31 we need to keep a margin uh when

110:34 we

110:35 implemented a

110:37 quantum recent algorithm

110:39 in the sense that for example

110:41 if we expect the size of the key to be

110:44 [Music]

110:46 certain a certain amount

110:48 we need to maybe

110:50 make room for a big bigger key because

110:52 uh maybe at some point

110:54 we discovered that uh

110:56 [Music]

110:58 with this size the the the agreed of the

111:01 kid the kid algorithm is vulnerable but

111:03 if we had we have enough room in in the

111:06 chip

111:08 then we can switch it to a more more

111:10 resistant uh version of the algorithm

111:13 and

111:14 could be fine could be a mitigation

111:20 i'm conscious of time um we're running

111:22 up against the uh the six o'clock uh

111:25 completion time that we promised

111:27 um i i've got some great questions still

111:29 uh from the online community and i'm

111:31 hoping that perhaps we can deal with

111:33 those um afterwards we can ask our

111:36 panelists to respond to some of them um

111:38 so what one perhaps for the cyber

111:40 specialists i rather like is do we see

111:43 uh foresee cyber security becoming less

111:46 about human behavior and more about

111:48 attacks and networks and deep machine

111:50 and ai and so on so really focusing on

111:53 the deep guts of the security

111:55 infrastructure rather than the weak

111:58 human side of it

112:00 i like that question perhaps it deserves

112:01 longer than we've got to discuss that

112:04 and some other questions about

112:06 hybrid computing using quantum and

112:09 conventional computing

112:12 large amounts of

112:14 question about large amounts of

112:15 computing and applications being

112:16 commoditized do we see quantum as a

112:19 service being something that perhaps the

112:22 bad guys will have access to and some

112:24 other questions around that so some

112:26 great questions coming in line um but i

112:28 think we should draw stumps there um i

112:30 have promised or we have promised our

112:32 online community uh a demonstration from

112:35 roberto and his colleagues at huawei um

112:37 so

112:38 for the online audience stay around

112:41 um for the real world audience you're

112:44 invited to our networking opportunity

112:47 you get to have real cups of whatever

112:49 we've provided and tea and biscuits and

112:52 everything else i'd like to thank our

112:55 real world panel and our online panel uh

112:57 to

112:58 lead tim and adrian

113:00 to um

113:02 silvio uh ali and

113:04 roberto

113:06 in the conventional way so a round of

113:08 applause and i hope the people at

113:10 uh online are doing the same so thank

113:12 you very much

113:14 um so that that

113:16 that brings to an end uh this seminar on

113:20 from our future of cyber series this is

113:23 something that we run about every

113:24 quarter we're trying to look forward

113:27 into

113:29 get away from thinking about cyber

113:30 security in terms of what's the current

113:33 problem the problem over the next few

113:34 months and start to think about the kind

113:37 of issues that might face us uh in years

113:40 to come and that's the the the cyber

113:42 security of the post quantum world is uh

113:44 a real example of that for our next one

113:47 uh which we plan around the january

113:50 late january early february uh we're

113:52 going to be looking at some of the

113:53 research that we've done in the cyber

113:54 security team um and uh

113:57 some of our external speakers around

114:00 social media and the impact of social

114:02 media in the long term uh some of the

114:04 impact we've already seen in things like

114:07 mental health in

114:09 the political world and so on so a great

114:12 uh

114:14 can of worms to be opened there and we

114:16 hope we can entertain you with that and

114:18 we hope to again

114:20 involve the sasig who have been a

114:22 fantastic partner of this um and i hope

114:25 this this joint endeavor between the

114:26 university and the sasik uh so i'd like

114:29 to give my thanks to sassig and then

114:31 finally to the tech team who've had the

114:34 challenge of dealing with a hybrid event

114:37 joint event with hybrid uh with with

114:40 real-world um

114:42 presenters um and online presenters it's

114:44 not easy and we're feeling our way on

114:46 this so apologies for any glitches but i

114:48 think they did magnificently thank you

114:50 all

114:51 and join us after the event thank you

114:57 hello welcome to this presentation my

114:59 name is roberto sasso i'm from huawei

115:02 and today i would like to present you

115:03 the result of the device management use

115:05 case

115:07 first i will give an overview of the use

115:08 case

115:09 then i will describe more in detail the

115:12 technology and functionality of the

115:13 demonstrator

115:14 then i will provide the result of the

115:16 evaluation of the tpm performance and

115:19 kpi and lastly i will go to the

115:22 conclusion

115:24 the device management use case is about

115:26 managing a network infrastructure

115:28 composed of network elements such as

115:30 routers a network management system or

115:33 an msn and endpoints such as laptops and

115:36 server

115:38 in this network infrastructure the nms

115:40 acquires periodically the router to

115:42 obtain their status

115:44 and sends configuration command in order

115:46 to

115:47 respond to certain events for example

115:49 when a router becomes offline

115:54 we need the future tpm project in order

115:56 to solve some issues

115:58 that

115:59 affects especially scenario where there

116:02 is no other base the protection

116:04 in particular we would like to address a

116:06 weak device identification because the

116:08 device key is stored in the device

116:10 storage unprotected

116:12 and we would like to address the fact

116:14 that the software integrity is not

116:15 monitored

116:16 and compromised the router for example

116:18 could ignore management command sent by

116:20 the nms and an attacker can continue to

116:23 perform his action without being

116:24 detected

116:26 we would also like to address the fact

116:28 that the data integrity incoherent child

116:30 is not more intelligent and data is

116:32 often stored in plain text and can be

116:34 accessed also

116:36 when the device is compromised

116:39 lastly since telco equipments are very

116:41 long life span in greater than 10 years

116:44 with this project we would like to

116:47 be able to migrate from

116:49 um

116:51 from non-qual algorithms top 1

116:52 algorithms when quantum computing

116:54 becomes practical

116:57 in this presentation we will show the

116:59 new network management solution for

117:01 following the strong security

117:03 requirement to define wp-1

117:06 we would like also to show

117:07 that an advanced technology operating

117:10 system level for remote attestation

117:12 the vectorization components that are

117:14 required to

117:17 to work

117:18 for with required tpm

117:20 and the software tpm

117:25 the device management demonstrator

117:27 addresses the weakness that i previously

117:29 mentioned in particular provide a strong

117:31 hardware based identification

117:33 continuously monitoring system data and

117:36 system and data integrity provides a

117:38 security retouch provisioning

117:40 integration with the qr tpm and user

117:42 quantum resistant algorithm and provides

117:45 trust aware routing decision

117:49 a common issue in network management is

117:52 that

117:53 the

117:53 [Music]

117:55 the key for the identification is

117:57 storage in the device storage

117:59 unprotected and it's easy to move this

118:01 key to another device to impersonate a

118:03 legitimate one the tpm solves this issue

118:06 because the key cannot

118:10 leave the tpm in plain text and are

118:13 bound to a specific tpm

118:15 usually the dpm is soldered in the main

118:17 board

118:18 and they cannot be moved simply to

118:20 another device

118:21 the tpm also can be uniquely identified

118:24 by in its endorsement

118:26 key which is certified by the dpm vendor

118:30 and the certificate is available

118:32 via offline mechanisms such as image

118:36 we would like to

118:38 protect and detect system integrity in

118:41 particular we are interested in three

118:43 aspects a lot of integrity so we would

118:45 like to ensure that the code and

118:46 configuration file of the application

118:49 are the right one when a process is

118:51 started

118:52 we will also like to monitor the process

118:54 interaction and to ensure that multiple

118:56 files are

118:58 updated by the legitimate ones

119:01 and we would like to detect a malicious

119:03 modification between reboots when the

119:06 integrity protection is not enabled

119:11 compressive integrity verification or

119:13 cfe is the solution that allow us to

119:18 protect these three aspects of the

119:20 integrity

119:21 in particular it's built on top of the

119:23 current security sub system

119:26 integrity measurement architecture and

119:27 extended verification modules and

119:29 consists of a set of three extensions

119:32 for the linux kernel imadages listed for

119:35 the low time integrating infoflow lsm

119:38 for the runtime integrity and dvm with a

119:40 tpm key for offline integrity

119:43 cv provides a more complete protection

119:45 and detection of the integrity of the

119:47 application because

119:48 it does not only monitor regular file

119:50 but also alter process communication

119:52 channels such as fifo and socket

119:55 it also provides a simplified simplified

119:57 integra and integration with after

119:59 motorization into existing products

120:01 because with the cmv that the station

120:03 can be done by simply as trying to

120:05 establish a trusted channel

120:10 cp uses the tpm in order to protect a

120:13 tls key for device identification and

120:16 for the motorization of the router

120:19 it follows the task computing principle

120:21 of measure before load

120:23 for all the components that are involved

120:25 during the boot process and if all the

120:28 measurable components

120:30 are the same for the components included

120:33 in the ceiling policy when the key

120:35 was created then the tpm

120:38 allowed the key to be unsealed

120:40 the saving policy is first verified by

120:43 the array server and after that a

120:45 certificate or for the dls key is issued

120:48 by the nms

120:50 this slide shows the difference between

120:52 a good router and a compromised router

120:55 in the first case since all the

120:56 components are the legitimate one the

120:59 tpm allows the ceiling of the tpm the

121:01 dls key

121:02 and then the router can establish a the

121:04 less connection with an ms

121:07 in the second case since the

121:09 one components were tampered with by an

121:11 attacker

121:12 the tpm

121:14 didn't allow the router to guess the tls

121:17 key and cannot establish a tls

121:19 connection with nmis the nmis found that

121:22 the router is compromised

121:25 the demonstrator offer also security

121:27 touch provisioning which is particularly

121:29 effective because it avoided to place a

121:31 trust in the network operator for the

121:34 correct configuration of the router in

121:36 the initial phase

121:38 the router

121:40 are admitted to the network only if they

121:42 have avoided certificate

121:44 and they are configured to get the

121:46 certificate of the first port

121:48 the router can get a certificate only if

121:51 the current configuration match the one

121:54 defined by the network administrator

121:57 and after

121:58 the router gets the certificate

122:00 any change from the verified

122:02 configuration

122:03 cause the unseen of the telescope to

122:05 face

122:08 if a malicious network operator tried to

122:11 subvert a router before or after the

122:13 router gets a certificate

122:15 the nms will notice it because the

122:17 enrollment of the dls connection phase

122:20 in this slide

122:22 we show which component we had to modify

122:24 in order to use the software dpm in a

122:26 virtualized environment on the left side

122:28 we see that we replace the tss with the

122:31 qrtss

122:32 in order to do the software dpm

122:34 provisioning

122:35 when the virto machine is created

122:37 we also modify the components between

122:40 the

122:41 qrtpm in the center and the endpoint in

122:44 direct side in a virtual machine

122:47 and those are represented with a green

122:49 label

122:50 because the components

122:52 have a limitation for the buffer to

122:54 store the tpm commands

122:57 and this limitation is 4096 bytes what

123:01 but with the acquire algorithms we need

123:04 a bigger buffer because uh qr keys are

123:06 bigger

123:08 we also modified the endpoints of the

123:10 communication with the qr tpm

123:13 um and those are represented with the

123:15 orange border

123:17 because we had to use an updated

123:19 definition for some dcg structure

123:22 finally we are also using a modifier

123:24 version of openssl with support

123:27 for quantum resistant algorithms for

123:30 non-tpm crypto operations

123:34 in this slide we show the setup of the

123:36 demo each component is placed in a

123:38 separate virtual machine and the vita

123:40 machine can communicate between

123:42 themselves with virtual bridges which

123:46 are created in the host

123:49 now we can proceed with a demonstration

123:51 of the user stories

123:53 the network administrator wants to

123:54 restrict access to the network

123:55 infrastructure only to the router that

123:58 he controls since the router can be

124:00 uniquely identified from the endorsement

124:02 key credential

124:04 he gets the endorsement key credential

124:06 from the device itself or from the tpm

124:08 binder via email and then upload these

124:12 certificates

124:14 to the nmas and the nms store them in a

124:16 database

124:19 we can perform the registration of the

124:21 router directory in the graphical

124:24 interface of the nms

124:27 so this is the dashboard and currently

124:29 in the list of router there are no

124:32 router registered

124:34 so we will go to the console of the

124:35 network administrator

124:38 which previously fetched the endorsement

124:42 key credential of the router

124:44 and creates a zip file of this

124:46 endorsement key credential

124:52 then the network administrator

124:55 upload the certificate to the nms

124:58 dashboard

125:04 and we can see now that

125:07 there are

125:08 four new router registered

125:11 but at the moment we didn't uh test them

125:20 then the network administrator can

125:22 proceed to the definition of the trusted

125:24 routine policy and in particular assigns

125:27 for which the possible result of the

125:29 integrity evaluation

125:31 a cost

125:33 for the routing table

125:35 the eager the cost and the less likely

125:36 is that a router is choosing for the

125:38 delivery of the packets

125:43 then

125:44 the network operator connects the router

125:46 to the network and this is when the

125:48 secure zero touch provisioning is

125:51 activated

125:52 in the first part of the user story the

125:54 router creates an application key

125:57 and sends it to the array server the

125:59 reserver first verify that the tpm of

126:02 the router is a genuine one

126:04 and if it is true

126:07 issue a certificate for that decision

126:09 key

126:13 in the second part of the user stories

126:16 the router generate a tls key

126:19 and

126:20 associate it to the current software

126:23 configuration

126:24 and certify this dls

126:27 key with that station key that it

126:29 previously generated

126:30 and send a bot

126:33 the tls key

126:35 and

126:36 the csr

126:39 containing this key to the array server

126:42 the receiver verify the key policy by

126:45 comparing the

126:47 the software configuration with a list

126:50 of reference values for files in the

126:52 router image which are assigned by the

126:54 letter by the vendor

126:57 if the verification of the key points is

126:59 successful

127:01 the reserve will ask the nms to issue a

127:03 certificate for the dls key of the

127:05 router

127:06 and send it to the router

127:09 to demonstrate this user story we go to

127:11 the console of the network operator and

127:14 we start a script to connect to the

127:16 routers in the virtual machine and to

127:19 initiate the secure geotouch

127:20 provisioning we can see now in the

127:22 dashboard that

127:24 there are four new endorsement key

127:27 credentials allowed but the

127:29 corresponding router didn't do yet

127:31 the secure zero touch provisioning as

127:33 shown here

127:36 we can see in the bottom part of the

127:39 in the left side

127:41 also the log of the software dpm of

127:43 router 1 and where we see the dpm

127:45 commands executing during the security

127:48 touch provisioning

127:49 now we start the script

128:05 and we will see the list of tpm commands

128:07 executed

128:12 for example we see

128:14 that this command is

128:16 cc certified is executed when

128:19 the generated

128:21 the less key is certified with a at the

128:23 session key

128:27 and also we see

128:29 the cc sign

128:31 command

128:33 that

128:34 is executed in order to sign the

128:36 certificate signing request

128:39 with the dls key and before it is sent

128:42 to the array server

128:44 now

128:45 the

128:46 security touch provisioning is completed

128:48 for all the router and we refresh the

128:51 web page

128:57 and now we see that

128:59 the router

129:01 claim

129:02 the endorsement key credential

129:04 and all the router successfully

129:06 completed at the attestation

129:10 and they have a dls availables

129:12 certificate

129:18 now the network administrator is able to

129:20 monitor the average state of network

129:23 infrastructure because each router

129:25 now has a key and a ntls key certificate

129:30 so the nms periodically tried to

129:31 establish a dls connection with the

129:33 router

129:34 and if the configuration of the router

129:37 is the verified one

129:39 then the tpm allow the ceiling of the

129:41 dls key and allows the router to

129:44 continue the tls protocol

129:46 if the configuration on the current

129:48 configuration of the router is not the

129:50 correct one the dpm

129:53 cannot

129:54 allow the router to use the tls key and

129:57 in this case the router sends its

129:59 measurement and the dpm quarter to the

130:01 ray server for a precise integrity

130:03 evaluation

130:05 to demonstrate the user story we can

130:07 simply enable the periodic refresh of

130:09 the web page

130:10 of the dashboard

130:13 and

130:14 we enable the refresh every 10 seconds

130:18 now we can move to the bottom part of

130:20 the screen and we will see the tpm

130:22 commands is executed and related to the

130:25 establishment of the tls connection

130:31 here for example we can see the cc

130:34 loader command

130:36 that is executed to load the tls key

130:39 we see the definition of the policy

130:42 session in order to unseal the tls key

130:46 and the cc

130:47 sign command in order to perform the dls

130:50 protocol

130:55 in this user story

130:57 the network administrator can also

130:59 enforce the transa routine policy

131:02 since now the nms periodically monitors

131:05 the integrity of each router

131:08 it can also

131:09 update the routing table of each router

131:12 depending on the result of the integrity

131:13 evaluation

131:15 in particular in this case a router 2 is

131:18 found compromised

131:19 and then the routing table of router 1

131:21 and router 4 are updated in particular

131:24 the cost

131:25 for reaching router 2 is 30 as shown in

131:29 the yellow rectangle and now the

131:31 preferred part of the packets is router

131:34 1 router 3 and router 4.

131:38 to demonstrate the user story we connect

131:41 to router 2 as an attacker

131:43 and we will perform an attack

131:45 before that we go to the console of the

131:48 client

131:49 and we check the connectivity with a web

131:51 server

131:53 seems that the web server is reachable

131:56 we will also check in another console of

131:58 the client that i prefer the part of the

132:00 packet

132:02 and currently the packet will go through

132:04 router 4 router 2 and router 1.

132:08 at the moment we can see on the left

132:10 side in the dashboard that all the

132:12 router are in a good state

132:17 if we move to the right side to the

132:19 output of the first manager

132:21 we go to the

132:23 cpu usage column and we see some peaks

132:26 which are due to the periodic

132:28 attestation

132:30 if we move to the

132:32 network utilization column we see that

132:35 now router 2 is a continuous line

132:37 because this router is selected for the

132:39 delivery of the packets

132:42 and

132:43 router 3 is instead a non-continuous

132:46 line because the network is used just

132:47 for the periodic attestation

132:52 now we will perform an attack on a

132:54 router tool and we will

132:56 modify

132:58 a system file in a non-authorized way

133:05 at the next attestation

133:07 the nms finds that

133:10 something is wrong with router 2

133:12 but at this point ask the array server

133:16 to do a verification with the explicit

133:18 attestation

133:20 and this can be shown in the log of the

133:22 software dpm of router 2

133:25 we see the cc

133:26 command

133:28 and since the especially at the station

133:30 also phase

133:32 and the dynamics marks router 2 as bed

133:35 and change the router and the routing

133:38 table the cost

133:40 in router 1

133:42 and

133:43 router 4 to

133:46 change the cost to 230.

133:50 now we move to the output of a field

133:52 manager

133:54 and we see that in the network

133:55 utilization column now

133:59 in router 2 we don't have any more

134:01 continuous line but we have a

134:03 non-continuous line

134:05 and

134:06 for routers 2 is router 3 instead we

134:08 have a continuous line because now this

134:10 router is a selected for the delivery of

134:12 the packets

134:14 we have a confirmation of this also

134:16 in the output of the trace route in the

134:19 console of the client

134:21 and of course the

134:23 client again

134:24 connected to the web server

134:32 in this slide

134:33 we show some

134:35 numbers for the

134:37 performance and the difference between

134:39 the dpm 2.0 and the qr tpm for each

134:42 phase of the lifecycle of the

134:44 demonstrator

134:45 for the core version of the demonstrator

134:47 we use

134:48 a kiter for the endorsement key

134:50 deletium for the decision key in the tls

134:53 key and a charge under 56 for the other

134:56 algorithm

134:57 we see that when there is intensive use

134:59 of the usage of the dpm

135:02 the core version of the demonstrator is

135:04 three timers lower than the

135:07 version with the

135:08 dpm 2.0

135:11 in this line

135:12 we also see

135:14 a more detailed view of which

135:16 tpm commands are executed for each

135:19 phase of the lifecycle of the

135:20 demonstrator

135:22 and also the parameters that are passed

135:24 to the tpm

135:26 we see that for most of the tpm commands

135:29 the qr

135:30 version is 10 times slower

135:35 we also evaluated the network

135:38 performance

135:39 by capturing a network of packets from

135:42 one router in the engine

135:44 and checking the source

135:46 and we also

135:47 found

135:49 the time

135:50 from when then an mms

135:53 found the compromise the router to when

135:57 [Music]

135:58 the packets are diverted

136:00 away from the compromised router and we

136:03 found that

136:04 90.8 percent of the packets were

136:07 successful successfully diverted away

136:09 from the compromise of the router

136:11 this plantation percentage is much

136:13 better in for a real scenario for

136:15 example a zoom call of 31 minutes and

136:18 the percentage is

136:19 99.92 percent

136:24 in this slide we saw the quantitative

136:25 kpi

136:26 and for the targeted value we

136:29 used a reasonable pessimistic estimation

136:32 and nevertheless

136:34 our measured value for mod 36 so that we

136:38 satisfy all the quantitative kpi

136:41 the same applies for the qualitative api

136:46 conclusion

136:47 in this project we show that the

136:49 migration from dpm 2.0 to qr dpm is

136:52 visible

136:53 and is fully compatible with a system

136:55 integrity use case of trusted computing

136:57 with reasonable performance impact

137:00 classic computing and tpm can be used

137:03 certainly in a network infrastructure to

137:06 increment their security

137:08 and also a new

137:10 trust base of the use case can be built

137:12 on

137:14 the one that we defined

137:17 in order to you to have quantum

137:18 resistance we we have to modify the

137:21 entire trusted computing stack from tpm

137:24 finware to crypto library ntls

137:29 thanks for your attention

Show more