Information Classification: CONFIDENTIAL (sensitive business information, the level of protection is dictated by legal agreements)
Post-Quantum
Cryptography
…or how Kai almost hacked their
mental health app
Kai and her git commit
KAI AND HER GIT COMMIT
Say hello to Kai!
• It's 2029
• Kai,
• Full-stack engineer
• Long-tenured MOHT employee
• Working on a new mental health app
• Arrives at the office on a Tuesday morning…
Suweta's Code Review: "this looks strange…"
• MR for a new CRUD endpoint in a Django app (Code generation tool)
• CRUD endpoint
• Input sanitization through a serializer
• One of the fields accepts raw text → SQL injection vector
• …but Kai is sure she didn't write that line!
Kai checks the commit…
• Checks the commit on GitLab app
• PGP signed by her
• She pushed yesterday by SSH (as usual)
• Commit is from the right time, 5:07pm
• No force-push
How could this happen?
• Kai follows good security practices:
• locks her screen when she's away,
• Uses strong passwords,
• uses VPN when appropriate
• …
• Cracking SSH or PGP keys takes millions of years with a supercomputer, right?
Let's talk quantum
What's the type of encryption that can be broken by
quantum computers?
To know what happened…
• How encryption works
• Public Key Cryptography (not symmetric)
• Integer factorization
• P versus NP problem, Complexity theory
• BQP Quantum computers
• …all this in 5 minutes!
LET'S TALK QUANTUM
Let's talk encryption
…for 5 minutes
Encryption = garble & ungarble
HOW ENCRYPTION WORKS
Symmetric vs Asymmetric cryptography
Public Key Cryptography: asymmetric encryption
Public Key Cryptography
Algorithms:
• Integer factorization: RSA
• Discrete logarithm: Diffie-Hellman Key Exchange, ECDSA (GitHub keys)
…solved by Quantum Computers!
Integer Factorization
• Most efficient classical algorithm: General Number Field Sieve
• Complexity:
• … puts it in the NP space
Complexity Theory
• ...what is that BQP thing?
• Bounded-error Quantum
Polynomial time
• Finally, Quantum Computers!
Quantum Collapse
…QFT, superposition, entanglement, qubits (society as well?)
What is a qubit?
• Superposition: "Sphere of probability"
• 1 bit = 2 states, 2 bits = 4, 3 = 8… states = 2^qbit_count
• When read, collapses
• one state appears
QUANTUM COLLAPSE
What do I use it for?
QFT for
• Shor's algorithm
• Solves integer factorization in BQP time
• …we just need a lot of qubits
Qubit growth vs algo efficiency
Advances are accelerating
https://azure.microsoft.com/en-us/blog/quantum/2025/02/19/microsoft-unveils-majorana-1-the-worlds-first-quantum-processor-powered-by-topological-qubits/
The world’s first Quantum Processing Unit (QPU) powered by a Topological Core, designed to scale to
a million qubits on a single chip.
What happened to Kai?
…or, "quantum computers break that too?!"
(suspend your disbelief a bit for a while please ^^)
WHAT HAPPENED TO KAI?
SSH key
• Kai had an old SSH key last used 2 years
ago using Ed25519
• Private key can be deduced from the public key
using Shor's, encryption broken!
• An attacker can't get the public key right?
She set it up on GitLab's UI which uses…
HTTPS
• GitLab.com uses HTTPS, where she set
her SSH public key
• Public key → Private key using Shor's, SSH
auth broken!
• Good thing that Kai follows
security recommendations, so she was
using a…
VPN
• She was using a VPN in the office to do
this sensitive operation
• VPN uses PKC to protect the transfer
of AES keys → broken!
• Anyway, she was on a WiFi with WPA3,
uses safe symmetrical encryption,
however…
Digital Signature
• Routers in the office get updates that are
digitally-signed
• Digital Signature = PKC = broken, router
was hacked!
• …but how was Kai targeted in the first
place?
E2E Encryption
• She was talking to a friend through
WhatsApp about the mental health app
project
• WhatsApp uses E2E encryption, uses PKC,
broken!
• …and reading her messages the hacker
knew how to target the hack! But why
her?
Cryptocurrencies
• Because I paid for the attack to steal the
DB's data!
• I paid the hacker in crypto, but…
• Wallet addresses use PKC, broken!
• And then the hacker stole all my crypto as
well!
Wait wait wait… why should I worry now?
• This is not a problem yet, right?
• 5 – 10 years horizon
• Introducing…
Store now, decrypt later
We know it's coming, so it's a danger now
STORE NOW, DECRYPT LATER
The US government is preparing already
World Wide Web
of consequences
Governments
• Will be fine
• Most likely militaries around the world have their own quantum computers already
WWW OF CONSEQUENCES
Big companies (including banks)
• Will be fine
• Either have their own already, will
have, or will be protected
beforehand
• Example: Singapore, August 2024
SMEs
• Their IT departments better stay up to date!
• …especially if they handle money or PII
Old running systems using PKC
• e.g.:
• Servers using SSH login
• Servers using SFTP
• Email servers
• VPN clients
• Software using digitally-signed updates
• Update or be vulnerable
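One way to inventory the SSH keys that the scenario above depends on, as an added example that is not part of the original slides: it parses authorized_keys lines, decodes each key blob, and reports which hardness problem the key type rests on and, for RSA, the modulus size. The sample input is constructed filler, not real key material, and the function names are illustrative.

```python
import base64
import struct

# Hardness problem behind each OpenSSH public-key type prefix.
# All of these problem families are solved by Shor's algorithm.
PROBLEM_BY_PREFIX = [
    ("ssh-rsa", "integer factorization"),
    ("ssh-dss", "discrete logarithm"),
    ("ecdsa-sha2-", "elliptic-curve discrete logarithm"),
    ("ssh-ed25519", "elliptic-curve discrete logarithm"),
    ("sk-ecdsa-sha2-", "elliptic-curve discrete logarithm"),
    ("sk-ssh-ed25519", "elliptic-curve discrete logarithm"),
]

def read_string(buf, off):
    """Read one SSH wire-format string: uint32 big-endian length, then the bytes."""
    if off + 4 > len(buf):
        raise ValueError("truncated length")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:end], end

def audit_line(line):
    """Return a finding for one authorized_keys line, or None if no key parses."""
    tokens = line.split()
    for i in range(len(tokens) - 1):   # leading tokens may be login options
        try:
            blob = base64.b64decode(tokens[i + 1], validate=True)
            algo, off = read_string(blob, 0)
            if algo != tokens[i].encode():
                continue               # declared type must match the blob's own type
            name, bits = algo.decode(), None
            if name == "ssh-rsa":      # blob layout: type, exponent e, modulus n
                _e, off = read_string(blob, off)
                n, off = read_string(blob, off)
                bits = int.from_bytes(n, "big").bit_length()
        except ValueError:             # bad base64 or truncated blob
            continue
        problem = next((p for pre, p in PROBLEM_BY_PREFIX if name.startswith(pre)), None)
        return {"type": name, "problem": problem, "bits": bits,
                "shor_vulnerable": problem is not None,
                "comment": " ".join(tokens[i + 2:])}
    return None

def audit(text):
    """Return (findings, number of non-comment lines that did not parse)."""
    findings, unparsed = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        finding = audit_line(line)
        if finding:
            findings.append(finding)
        else:
            unparsed += 1
    return findings, unparsed

def _s(b):
    return struct.pack(">I", len(b)) + b

def _line(prefix, algo, fields, comment):
    blob = _s(algo.encode()) + b"".join(_s(f) for f in fields)
    return f"{prefix}{algo} {base64.b64encode(blob).decode()} {comment}"

# Constructed sample: filler bytes in the right wire format, not usable keys.
SAMPLE = "\n".join([
    "# constructed authorized_keys content",
    _line("", "ssh-ed25519", [bytes(32)], "kai@old-laptop"),
    _line("no-port-forwarding ", "ssh-rsa",
          [(65537).to_bytes(3, "big"), b"\x00" + ((1 << 2047) | 1).to_bytes(256, "big")],
          "deploy@ci"),
    "ssh-ed25519 not-base64!! broken@example",
])

if __name__ == "__main__":
    for f in audit(SAMPLE)[0]:
        print(f)
```

A key type that matches no prefix is returned with shor_vulnerable set to False and problem set to None, which means "unknown, review by hand" rather than "safe".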
Cryptocurrencies
• Exchanges will update
• Big chains will update: Bitcoin, Ethereum
• What about forks, altcoins?
• Self-managed wallets:
• Live wallets: update wallet software to use PQC
• Abandoned wallets in obsolete chains: open season!
How exactly do we prepare
• We need some PKC for the post-quantum world
• We could call that something like…
Post-Quantum
Cryptography
it took a while, but yeah!
What is broken in PKC?
• Integer factorization
• Discrete logarithm
POST-QUANTUM CRYPTOGRAPHY
What is not?
• Ring-learning with errors (Ring-LWE)
• Based on the hardness of lattice-based problems
• Here's a video to know more:
• youtu.be/QDdOoYdb748
Show me the code
4 NIST PQC Algorithms:
• From a 6-year competition
www.nist.gov/news-events/news/2022/07/nist-announces-first-four-quantum-resistant-cryptographic-algorithms
And the winners are…
For general encryption to access secure websites:
• CRYSTALS-Kyber
• Small encryption keys
• Fast operation speed
And the winners are…
For Digital Signatures:
• CRYSTALS-Dilithium
• High efficiency, primary
• FALCON
• High efficiency, smaller signatures
• SPHINCS+
• Larger, slower
• Important!: Not based on lattice math
What should I do now?
Defense Against the (future) Quantum Arts
For general users
• Not much, tech people will take care of it ;)
WHAT SHOULD I DO NOW?
Tech people: Frontend
• When using public keys:
• SSH, PGP, …
• Be on the lookout for new quantum-resistant algo choices
• Use them
• Warning Horizon: ~5 years from now
Tech people: Backend/DevOps & more
• Stakes are higher
• Inter-system communication:
• API_TOKEN, automated SSH or SFTP, …
• Use QR-algos
• Horizon: ~4-5 years
• Direct calls to PKC libraries or code:
• Use QR-algos: ~3-2 years
• HTTP Certs, other DevOps stuff (not an expert): same applies
Tech people: Security
• This responsibility is part of your JD ;)
• Read more about these topics
• Get acquainted with new attack vectors on PKC
• Check the 4 NIST algorithms and their usage
• Try them out! openquantumsafe.org
• Warning Horizon: now!
Cryptocurrency user
1. Panic
2. Stay updated with your exchanges/chain(s)' work towards using QR-PKC
3. If their timeline doesn’t look good, move the assets to other QR-exchanges/chains
• Some big ones are doing it already, but there is a lot of misinformation/blogspam.
• DYOR
Closing notes
…those were a lot of slides!
CLOSING NOTES
Thank you all!
• We can see now that Code Reviews are
useful right? Remember Suweta? ^^
• Very interesting but complicated topic,
hope I piqued your curiosity to delve
deeper into the issue.
• Questions, comments?
