Peter Gutmann - Why Quantum Cryptanalysis is Bollocks
By Kawaiicon NZ
Summary
Topics Covered
- Super guns and quantum crypto: headline-grabbing distractions
- Known security threats remain, but attention shifts to 'stunt cryptography'
- Quantum computing claims: physics experiments, not practical computers
- Quantum factorization is 'sleight of hand,' not a real threat
- The 'churn' in crypto incentivizes hype over security
Full Transcript
So, a bit of background history. What you see up there is something called Gustav. It was proposed in 1935 to attack the Maginot Line, but like all government projects, it fell way behind schedule, so it wasn't ready in time.
And this was the attention-grabbing, headline-grabbing attack of about 80-odd years ago. This thing weighed 1,300 tons, could fire a 5-ton shell to around 50 kilometers, and left a crater about enormously wide. And basically, this was where all the action was. This was the cool attack of about 80 years ago, and everyone who was anyone wanted to be associated with this thing.
So the downside with this was it required a one-and-a-half-kilometer-long train with 25 freight cars. Now, that was just the gun and the supplies. Everything else was separate. It took, depending on which reports you believe, between 2,000 and 4,500 men to set this thing up.
It required twin sets of special railway tracks. So you couldn't just run it down standard tracks; you had to build twin sets of tracks to run the thing. It had two entire flak battalions to defend it. And it fired around 50 shells, and again reports vary, on about five different days.
So one of these targets was Fort Maxim Gorky, and they fired 13 shots at it. Every one of them missed, some by hundreds of meters. So the artillery geeks had actually said in advance, "This thing is not going to work. Don't bother building it." But it was so cool that they just had to go ahead and do it anyway.
So this was actually a considerable loss for the war effort. It drew resources away from the main attack to this stupid thing, which was just a headline-grabbing attack, but that was about it. You could have achieved the same thing by just flying aircraft over it and bombing the thing. In fact, it had a squadron of spotter aircraft that could have been used to do a bombing that would have been more effective than the super gun. So surely we're not still doing the same thing today.
So let's look at the threats. In the security field we've actually got pretty good data on what the problems are. So that's the OWASP Top 10, and they've been pretty much constant for the last 10 to 20 years. They've changed names a bit and the classifications have changed a bit and so on, but they're pretty much the same threats. Meaning the things that attackers were doing 20 years ago that we didn't really know how to mitigate are still the current threats.
And there's all sorts of different lists for this. For example, APIs. And again, it's pretty much constant. Some things have changed names, some have shuffled around a bit, but it's pretty much the same attacks, and they're remarkably stable over time.
That's the 20-year history of some of these attacks. And again, if you really want to get geeky, that's the full breakdown of how everything's gone. And this is widespread across lots of different security measures. For example, the CRA Grand Challenges in Trustworthy Computing was 2003. These are the things that we need to solve within the next 5 to 10 years. Grand challenge one: within a decade, eradicate widespread viral spam and DoS attacks and similar ones. So, we've got 10 years starting 2003. Retrospective in 2023. So they went back and asked the people involved in these grand challenges, you know, have we addressed any of these grand challenges, and many participants said that a single challenge had actually been met, meaning we've got these known problems, they're major problems, and we still have managed to deal with them.
And again, just a random slide of example threats. So these are the things with the top number of CVEs, and most of them are complete operating systems, but you look at two web browsers, and these are like one single application, a web browser that has more CVEs than an entire operating system. So we're really not doing a very good job.
On the other hand, what gets all the attention in terms of attacks? If you consult the OWASP top 100,000 and you look at the appendix to the addendum to the supplement to the apocrypha, volume 127, that's the stuff that gets the news. That's what you hear the news stories about. And the thing they all have in common is that no one ever uses them, because there are about 17,000 easier attacks that everyone uses that generally don't get that much attention.
So these have been called stunt cryptography. So basically you've got a thousandth of a percent chance of recovering two bits of plaintext from a single message. On the other hand, the reason why attackers use the OWASP Top 10 is you've got a 100% chance of recovering everything.
And people really like these headline-grabbing attacks even if they're completely impractical. I'm just going to do a quick survey. Does anyone know of any cases of Rowhammer or POODLE, anything like that? An actual attack, a legitimate attack by attackers who compromised a system using one of these stunt cryptography things.
Okay, zero hands. Which is pretty much what's expected, because it's just not worth using those attacks. So, my argument is only once you fix the top 10 are you allowed to go for all the stunt cryptography stuff.
So, there are other cases where we've got very good measurements. For example, this is RSA key size factoring throughout the years. So the first time it was sort of done seriously for crypto was around about 1990, and it's pretty much a straight line. So you know that if you've got, let's say, a thousand-bit key, you go across on the graph, it'll be secure till about 2040. Now the argument is, okay, you can break thousand-bit keys today. And yes, you can, with something like that, that's a supercomputer at Los Alamos. It takes around a year's work to factor a thousand-bit RSA key.
So let's explore this a bit. Let's say you're an NSA employee and you go to your boss and you say, "I've got this thousand-bit key I'd like to factor." And the boss says, "Sure, tell me more." And you say, "Well, I need to shut down Los Alamos for an entire year just to recover this single thousand-bit key." At which point your boss looks at you like they expect a cookie to pop out of your forehead on a spring.
But, you know, to make it more applicable to individuals, let's say I've got a black box, for example the one in the film yesterday, and it will factor a thousand-bit key in one year. So, basically the same amount of effort. And to prove your dedication to this, you have to agree to live on a desert island, no internet connection, nothing, for one year while this box does its work. So you get a monthly air drop of baked beans, which is fine. You're on the island by yourself, so you can eat all the beans you want. But apart from that, you've got nothing to do except twiddle your thumbs for a year while this black box does its job. Would anyone accept this offer? Does anyone know of a thousand-bit key that they'd want to break where they'd be willing to spend a year in isolation waiting for it to finish?
Okay, again, no hands. And that's a pretty standard response. So we don't really have any rational attacks. So instead we've gone for numerology.
That's a table from NIST mapping a bunch of sort of imaginary numbers to other imaginary numbers. So the thing is, where do these figures come from? The practical limits on achievable computation are around 2 to the 110 or so. And that's where you're starting to use things like the planetary core as a power source and converting the entire Sahara desert's worth of sand into silicon and so on. So it's pretty extreme. The Bitcoin hash rate at the moment is 2 to the 94 per year. So 2 to the 110 is a reasonably safe upper bound on human computation. That means the keys for triple DES, AES-128, AES-192, and AES-256 are all basically equivalent, because they're all out of reach of any imaginable human computation. They pass the 2-to-the-110 event horizon. But we're using numerology, so it requires that we treat them all as distinct. So for symmetric crypto, each bit you add doubles the work factor. For asymmetric crypto, it's not that simple. You need these mappings into ridiculous key sizes. So to match each one of these basically irrelevant extra bits you add to a symmetric key, you need a vast number of extra bits added to the asymmetric keys. So for example, I think for AES-256, you need a 15,000-bit RSA key, even though it's no more breakable than AES-128.
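An added worked example, not from the talk, showing where the symmetric-to-asymmetric key-size mapping the speaker is describing comes from. It takes the heuristic running time of the general number field sieve, L_N[1/3, (64/9)^(1/3)], drops the o(1) term (an assumption made here for simplicity, which is why the figures come out a few bits above the calibrated NIST SP 800-57 table), converts it to "bits of security", and then inverts it to find the RSA modulus size that matches a given symmetric level. Beside it sits the symmetric rule the speaker contrasts it with: one extra key bit doubles the brute-force work. The 2^110 ceiling is the talk's own figure.

```python
import math

LN2 = math.log(2)
# Leading constant of the heuristic GNFS running time L_N[1/3, (64/9)^(1/3)].
GNFS_C = (64 / 9) ** (1 / 3)
# The talk's rough ceiling on achievable human computation, as a power of two.
COMPUTATION_BOUND_BITS = 110


def symmetric_work_factor(key_bits: int) -> int:
    """Brute force on a k-bit symmetric key is 2^k trials: each extra bit doubles the work."""
    return 1 << key_bits


def beyond_reach(security_bits: float) -> bool:
    """True when the work factor is past the talk's 2^110 'event horizon'."""
    return security_bits > COMPUTATION_BOUND_BITS


def gnfs_security_bits(modulus_bits: int) -> float:
    """log2 of the heuristic GNFS effort to factor a modulus of the given bit length.

    Computes exp((64/9)^(1/3) * (ln N)^(1/3) * (ln ln N)^(2/3)) with the o(1) term
    dropped (assumption), so it runs a few bits above the calibrated NIST figures of
    80/112/128/192/256 for 1024/2048/3072/7680/15360-bit moduli. The curve shape,
    not the exact value, is what the comparison with symmetric keys needs.
    """
    if modulus_bits < 8:
        raise ValueError("formula is only meaningful for realistic modulus sizes")
    ln_n = modulus_bits * LN2
    ln_ln_n = math.log(ln_n)
    exponent = GNFS_C * ln_n ** (1 / 3) * ln_ln_n ** (2 / 3)
    return exponent / LN2


def rsa_bits_for_level(security_bits: int, step: int = 256, limit: int = 1 << 16) -> int:
    """Smallest modulus size (a multiple of `step`) whose GNFS estimate reaches the target."""
    size = max(step, 8)
    while size <= limit:
        if gnfs_security_bits(size) >= security_bits:
            return size
        size += step
    raise ValueError("no modulus size below the limit reaches that security level")


def marginal_rsa_bits_per_symmetric_bit(security_bits: int) -> int:
    """How many extra modulus bits one extra symmetric bit costs at this level.

    Because the GNFS exponent grows sub-linearly in the modulus size, this marginal
    cost keeps rising: matching AES-256 costs far more modulus bits per symmetric bit
    than matching AES-128 does.
    """
    return (rsa_bits_for_level(security_bits + 1, step=1)
            - rsa_bits_for_level(security_bits, step=1))


if __name__ == "__main__":
    for bits in (1024, 2048, 3072, 7680, 15360):
        print(f"RSA-{bits}: ~{gnfs_security_bits(bits):.0f} bits of security "
              f"(beyond the 2^110 bound: {beyond_reach(gnfs_security_bits(bits))})")
    for level in (112, 128, 192, 256):
        print(f"{level}-bit symmetric level needs about RSA-{rsa_bits_for_level(level)}, "
              f"+{marginal_rsa_bits_per_symmetric_bit(level)} modulus bits per extra symmetric bit")
```

Running it prints the familiar shape of the NIST table: a few thousand modulus bits for the 128-bit level and something in the 13,000 to 14,000-bit range for the 256-bit level, with every level from 112 bits up already past the 2^110 ceiling the speaker uses as the practical limit.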
But wait, there's a much better one. The first quantum factorization was done in 2001, and it factored the number 15. That's not a 15-digit number. It's not even a 15-bit number. It's 3 × 5. So you could do the same with a dog trained to bark three times. The next record was in 2012. This time it was 3 × 7, and you can use the same dog to factor that. And then there was another attempt in 2019 which was to factor 35, and it failed. Since then there have been no new factorization records using Shor's algorithm, which is the quantum algorithm you're supposed to use for this. There have been records announced, but I'll get into that in a minute.
So basically the scientific breakthrough in all of these cases was finding techniques to manufacture a number that you could then factor and then claim a record on it. So the standard technique is you manufacture a small number that's relatively easy to factor, and then you figure out ways of adding more digits to it that you can factor using the same method, but you've now got many more digits on it so you can claim a new record. They've been called stunt factorizations. There's a paper some of you may be familiar with, "Replication of Quantum Factorisation Records with an 8-bit Home Computer, an Abacus, and a Dog", which shows how to use an abacus to do a quantum factorization.
So even the factorizations of 15 and 21 took advantage of special tricks. So you know the factors in advance. So basically you know the factors and you work backwards and build an experiment that gives you the result you want, which is the factors you already know in advance. And it's called the compiled Shor's algorithm, to mask the fact that you're basically cheating. This is not a legitimate way of doing cryptanalysis, because the assumption is you don't know the encryption key in advance before you even start. However, in any case, we've got two data points. So the factorization of those two values, that we can put on a graph.
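An added illustration, not the speaker's code, of what "compiled" means in the Shor experiments above. The classical skeleton of Shor's algorithm is below, with the one step the algorithm delegates to a quantum circuit, finding the multiplicative order of a base a modulo N, brute-forced instead. A genuine run picks its base at random and retries on bad bases (`shor_uncompiled`); a "compiled" experiment instead hard-wires a base that is already known to split N, which is exactly the knowledge that requires having the factors in hand first (`good_bases` shows which bases those are for 15, 21 and 35, the three numbers the talk mentions). Everything here is classical and works only because the numbers are tiny.

```python
import math
import random
from typing import List, Optional, Tuple


def multiplicative_order(a: int, n: int) -> int:
    """Smallest r > 0 with a^r = 1 (mod n); a must be coprime to n.

    This is the only step Shor's algorithm hands to the quantum circuit. Here it is
    brute-forced, which is fine for 15, 21 and 35 but exponential in general.
    """
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def shor_classical(n: int, a: int) -> Optional[Tuple[int, int]]:
    """Classical post-processing of Shor's algorithm for base a; None if a is a bad base."""
    g = math.gcd(a, n)
    if g != 1:
        return g, n // g              # a already shares a factor, no order finding needed
    r = multiplicative_order(a, n)
    if r % 2:
        return None                   # odd order: no square root of 1 to work with
    y = pow(a, r // 2, n)
    if y == n - 1:
        return None                   # trivial square root of 1: the gcds give 1 and n
    p = math.gcd(y - 1, n)            # y^2 = 1 (mod n) with y != +-1, so this is proper
    if p in (1, n):
        return None
    return p, n // p


def good_bases(n: int) -> List[int]:
    """Bases coprime to n for which the post-processing succeeds.

    A 'compiled' experiment is built around one of these, which presupposes knowing
    the factorization that the experiment is supposed to discover.
    """
    return [a for a in range(2, n)
            if math.gcd(a, n) == 1 and shor_classical(n, a) is not None]


def good_base_fraction(n: int) -> float:
    """Share of coprime bases that work; the textbook bound is at least 1/2 for odd composite n."""
    coprime = [a for a in range(2, n) if math.gcd(a, n) == 1]
    return len(good_bases(n)) / len(coprime)


def shor_uncompiled(n: int, seed: int = 0) -> Tuple[int, int]:
    """What an honest run looks like: the base is chosen at random and bad bases are retried."""
    rng = random.Random(seed)          # seeded only so the demonstration is reproducible
    while True:
        result = shor_classical(n, rng.randrange(2, n))
        if result is not None:
            return result


if __name__ == "__main__":
    for n in (15, 21, 35):
        print(f"N={n}: good bases {good_bases(n)}, "
              f"fraction {good_base_fraction(n):.2f}, "
              f"random-base run gives {sorted(shor_uncompiled(n))}")
```

The point the code makes is the one the speaker makes: once a working base is fixed in advance, the "experiment" is only demonstrating a known fact, and choosing that base already required the answer.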
So if you extrapolate, by 4000 AD, given the current progress, we can factor a thousand-bit number, which you can do already, admittedly with Los Alamos, but, you know, with a large computer. So the thing is, it makes a highly optimistic assumption that these physics experiments scale linearly. We've got no evidence that this is the case. We've got very little empirical evidence of any of this stuff. In fact, the evidence we have, shown by the lack of progress, is that this is not the case. But in any case, possibly in 2,000 years a physics experiment can do what a standard computer can do today.
And if you guys follow the announcements of quantum supremacy, which happen every couple of weeks, even though in theory it's a binary thing, it keeps being reannounced. And then typically what happens is someone announces quantum supremacy, someone else comes along and says, "Well, actually, a standard desktop PC can do that a lot better than your quantum thing." So it's kind of an established pattern.
Now, notice I've been calling these things physics experiments. These are physics experiments. They're not computers. Claiming that it's a computer kind of misrepresents what we're really working with. So a computer takes input data, it processes it, it produces output. An experiment, on the other hand, and this is a dictionary definition I found, I can't remember which dictionary it was: a scientific procedure undertaken to make a discovery, test a hypothesis, or demonstrate a known fact. And that's what these experiments are doing. We've got this known fact that we know in advance, 3 × 5. You construct an experiment to demonstrate that 3 × 5 = 15. So these are physics experiments. They're not computers.
What this also means is that you can't pop out keys like a production line. So each experiment requires a custom-designed and assembled physics experiment to get the result you want. So think sort of ENIAC from 1945, not a desktop PC. ENIAC took about two weeks by a six-programmer team to set up the plugboards, to wire this thing up to calculate a particular result.
So I've never found any paper that mentions how long it takes to set up the experiment to get this result. We've got zero data points to work from. The fact that typically only a single result is produced indicates that it's a non-trivial amount of effort. And so you've got the earlier problem: is there a key worth attacking? Well, if it takes a month to set this thing up, you'd better be damn sure that key is actually worth, you know, spending a month with a physics experiment to attack.
So, some examples of other physics-based factorization techniques: something called TWINKLE. So, Adi Shamir, who's the S in RSA and a very clever guy, proposed something called TWINKLE, which was later expanded to TWIRL, which was essentially a physics-based factoring device. Unfortunately, he forgot to use the word quantum in it. It does actually, it uses LEDs, so there's quantum effects, but he forgot to use the word quantum in it, so nobody really paid much attention to it. So it's been suggested that it takes advantage of something called the Heisenberg shooting-a-credul effect: the word quantum sucks people's brains out and otherwise sensible people suffer from impaired reasoning. Although, in honor of metaltorm, I think it needs metal umlauts on it, so we call it the shooting-a-Hazenberry-credul effect. So every time you see "quantum computer", think "physics experiment", which is actually what it is.
So here's an example of this effect in action. This is a news story from a couple of months ago. So, Finnish firm Bluefors, a maker of refrigerators, has signed a contract, $300 million, to purchase helium-3 from the moon. It's not the script of an Iron Sky sequel. That is a serious thing. And they're going to bring this stuff back between 2028 and 2037. I assume it's a by-product of the green cheese mines, but, you know, you just put quantum in it and people will just give you money for anything.
So, how does a physics experiment break crypto? There's an example: public key cryptography. You've got this sort of vague thing saying "a working quantum factorization machine goes here", and profit. You can apply this to lots of things. Overpopulation on earth: working faster-than-light drive goes here, profit. You want to kill Hitler, Stalin, whatever: working time machine goes here, profit.
So there was a quantum physics pioneer called Wolfgang Pauli. And he would have loved this stuff. So at one point he was arguing with someone who had this very vague argument, and he drew this diagram. I don't know how legible the writing is, but this is "to show the world I can paint like, only technical details are missing." Now, if he was alive today, he would say "this is to show the world a quantum factorization machine, only practical details are missing."
So evidence for this effect: when you say "working time machine goes here", as you know, people laughed when I had the time machine slide, then it's a joke. But when you say "working quantum factorization machine goes here", it's dead serious.
So remember these records that I mentioned earlier. So they factored two carefully chosen numbers with the results known in advance. These are sleight-of-hand numbers, stunt factorizations, which I've mentioned earlier. There's never been a single physics experiment to date that hasn't factored a sleight-of-hand number. For people who haven't been exposed to the 8-bit computer and barking dog paper, who here knew that there's never been a single legitimate factorization of a number with a physics experiment? Very small number of hands. Yeah, but that's okay. So now you know.
And it's the stock-in-trade of stage magicians. So for example, you know, standard card trick: pick a card, any card. You have lots of smoke and mirrors to distract the audience. And then you ask, is it the five of spades? The equivalent for this is: pick an integer greater than 14 and less than 16. Lots of smoke and mirrors to distract the audience. Is it 3 × 5?
And yeah, it's only ever factored sleight-of-hand numbers. There's an extreme example. So D-Wave, who have some very contested claims about their supposedly quantum stuff, advertised that they factored a 2,000-bit RSA number. So what they did is they chose something that differed only in a small number of bits. So you take the square root and then you guess one bit and then you've factored it. Now, no RSA key ever has that form; they have to differ by at least 100 bits. So no key will ever have that form. But if you're allowed to manufacture your own synthetic numbers that you can factor with an abacus, in this case, because you can do square roots on an abacus, then you can claim that you factored a 2,000-bit RSA number.
This is the best one I've run into. So what you do is, without going into the details of how these things work, they have serious problems with errors, and so typically a lot of the work involved is in error correction, not in the maths itself. So what you do is you run the experiment and you ignore any errors, and since you know the answer in advance, you keep rerunning it until eventually, by random chance, you get the result you want. And the quote with this is, yeah, "To my knowledge no one's cheated at factoring in this way before. Given the shenanigans pulled by past factoring experiments, that's remarkable." This is from the guy who came up with this factoring technique.
So basically, if you exclude the sleight-of-hand factorizations, our earlier graph actually simplifies to that. There is literally no data. Which, coincidentally, is the same number of data points we have for faster-than-light travel and Star Trek-style teleporters and time travel and so on. Now, you know this is a valid result because it shows that we're not actually getting anywhere. We're not making any progress. We have no empirical results.
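An added example, not the speaker's code or D-Wave's, of the "take the square root and guess a bit" trick the talk describes for the 2,000-bit number, written up from the defender's side. It is Fermat's difference-of-squares method: it factors a constructed modulus whose two primes are close in a single step, makes no headway within a bounded step budget on one whose primes are far apart, and is paired with the key-generation check that keeps real keys out of the vulnerable shape, a required gap of more than 2^(nlen/2 - 100) between p and q, which is the FIPS 186-4 rule the speaker's "at least 100 bits" refers to. The sample moduli are toy-sized values constructed for the demonstration, not real keys.

```python
import math
from typing import Optional, Tuple


def fermat_factor(n: int, max_steps: int = 10_000) -> Optional[Tuple[int, int]]:
    """Fermat's method: look for n = a^2 - b^2 = (a - b)(a + b), starting at a = ceil(sqrt(n)).

    For n = p*q the search ends at a = (p + q) / 2, so the number of steps is roughly
    (q - p)^2 / (8 * sqrt(n)): instant when the primes are close, hopeless when they are
    not. max_steps bounds the work so the failure case returns None instead of looping.
    """
    if n < 4 or n % 2 == 0:
        raise ValueError("expects an odd composite")
    a = math.isqrt(n)
    if a * a < n:
        a += 1                        # ceil(sqrt(n)); the 'square root' the talk mentions
    for _ in range(max_steps):
        b2 = a * a - n
        b = math.isqrt(b2)
        if b * b == b2:
            return a - b, a + b
        a += 1
    return None


def primes_too_close(p: int, q: int, modulus_bits: int) -> bool:
    """Key-generation sanity check: reject |p - q| <= 2^(nlen/2 - 100).

    This is the FIPS 186-4 (B.3.1) condition behind the talk's 'at least 100 bits'.
    It does not test primality; it only checks the distance between the two primes.
    """
    if modulus_bits < 200:
        raise ValueError("rule only makes sense for real-world modulus sizes")
    return abs(p - q) <= 1 << (modulus_bits // 2 - 100)


# Constructed toy moduli (not real keys, not taken from the talk):
CLOSE_N = 1000003 * 1000033           # primes only 30 apart: the sleight-of-hand shape
FAR_N = 65537 * 1000003               # primes far apart: Fermat gets nowhere in 10,000 steps


if __name__ == "__main__":
    print("close primes :", fermat_factor(CLOSE_N))   # found on the first step
    print("far primes   :", fermat_factor(FAR_N))     # None: budget exhausted
    # Placeholder 2048-bit-scale values to exercise the distance rule (not primes):
    p = (1 << 1023) + 3
    print("gap 998      :", primes_too_close(p, p + 998, 2048))          # True: reject
    print("gap 2^1000   :", primes_too_close(p, p + (1 << 1000), 2048))  # False: fine
```

The asymmetry is the whole story: a number built so that p and q share their high bits is factored by the starting square root plus a guess or two, while a modulus from a compliant key generator pushes the search far beyond any budget, which is why the check belongs in the key generator rather than in any later audit.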
So some counter-arguments to this. "We're making incremental improvements on quantum factorization." So imagine you go to your boss and you say, "We've spent 20 years and burned through 100 million and we haven't got anything, but we've made incremental improvements." Which means you're now qualified to be a defense contractor.
Another example of these incremental improvements. So the Legio IX Hispana, better known as the Ninth Legion, they vanished in about 120 AD. And we've been making incremental improvements on figuring out what happened to them for about 2,000 years, in the same way that we've been making incremental improvements on quantum cryptanalysis for about 25 years, and we've got just as far in either case. So we've got a long way to go if we want to catch up with the Ninth Legion's incremental improvements.
Another thing you may have heard about is store-now-decrypt-later, or the SNDL boogeyman. So the idea behind this is you store 10 exabytes of encrypted data on a USB key, and then in 30 years you come along with a physics experiment and you decrypt everything. So let's look at this in a bit more detail.
So it ignores the fact that you need to set up a fresh physics experiment for each new key used. So for every key exchange you're negotiating a fresh key, which means to recover one encrypted session or encrypted message or whatever, you need to set up a new physics experiment just for that particular exchange. So the latest figures I could find were 2017: there were 7 trillion symmetric keys a year used purely for web traffic alone, not for anything else that uses encryption. And that's a limiting factor. So the German government study estimated, based on an imaginary device that doesn't exist, but they said if we had one of these, it would take about 100 days and 4 million euros in electricity to recover a single 448-bit key. So in that 100 days when you're running this physics experiment, another two trillion keys have turned up that you need to break. So we'll ignore this bit, because everyone else does too.
Another problem is everyone always claims these records for factorization, which is RSA encryption. The thing is, everything that you're interested in for store-now-decrypt-later, so TLS, SSH, IPsec, WireGuard, Signal, just everything, is not RSA. They don't use that. They use something called the discrete logarithm problem, or DLP, which no physics experiment has ever addressed, because it's actually quite hard to cheat on this. So you can't claim a record on something where you can't manipulate the experiment. But again, we'll ignore that. So they're attacking completely the wrong thing. That has nothing to do with what you actually want to be attacking, but we'll ignore that too.
So the assumption is that, you know, Big Brother wants to read everything you've got. Well, what encrypted data from today will actually be useful or of interest in 30 years' time? Pretty much everything that you encrypt today, obviously there'll be state secrets and a few other things that spooks are interested in, but most things that are encrypted today are just not of any interest. You're not going to spend 4 million euros to decrypt some online chat from last week.
So here's a new research topic: figure out some situations where SNDL is actually a threat rather than just this phantom bogeyman that we can wave around. And it's complicated by the fact we have no idea how to build these things. So we don't actually know what we're going to use to implement this threat.
Another example is "you're measuring it wrong". So apparently, using the lack of progress in this stuff is not an accurate way to measure the lack of progress in this stuff. So one suggestion was I should be using the claimed qubit counts. But you want something where number go up, and with qubit counts you can claim pretty much anything you want, D-Wave being an example. Number go up, so I should be using that to measure progress. So yeah, that does fulfil the requirement. So my counter-suggestion was: use the number of conference papers and news stories with the word quantum in the title as your metric, because number go up, and it's a good metric for evaluating the success of quantum. And at that point the conversation ended.
What if you're wrong? Well, wrong about what? It's basically just a bunch of facts. It's a line on a graph. It's counting zero results. So far, it's the weight of Gustav, whatever. This is just known facts. There's actually about 10 slides of references at the end if people want to look up all the details themselves.
So when should we start worrying? Well, basically whenever that turns into that, we should start worrying, and there's no sign that that will ever happen.
So you've got post-physics-experiment cryptography. One option which is quite popular is lattice-based cryptography, which was proposed about 30 years ago. So, it was never used because it really just wasn't that good. It was incredibly inefficient, vaguely interesting mathematically, and there were sporadic papers published, but it wasn't attacked nearly as heavily as the stuff that's actually used. Maybe we could use the time machine from the previous slide to go back in time and see if it's still okay. We're ahead in time. It's probably secure. We think it's secure.
As of late 2023, 48%, so nearly half, of all the NIST round one post-quantum candidates have been broken. Of the ones that survived that, another 25% were broken. Of the ones that survived that process and went to round three, another 36% of those were broken. So this is really, really shaky stuff. And that's the publicly known breaks. We don't know if the NSA is sitting on half a dozen breaks that they're not going to tell anyone about.
So basically, we've got very little operational experience with it. And if the operational history of every other public key cryptosystem is anything to go by, there's going to be lots of problems discovered. So, and you know, the argument is now we've got this quantum thing to worry about. Well, what if the next time the cryptographers come along and say we've now got biological computing and we need to worry about that, and reinvent the world yet again?
So some examples of how these are supposed to be used. The governments prefer pure post-quantum. So post-quantum only, nothing else. So in effect what they're saying is we're putting all our eggs in one basket and hoping that when the dial stops spinning it's not broken. Everyone else wants hybrid. So it's a mixture of post-quantum and not-post-quantum stuff, which in effect is saying we trust this stuff so little that we're requiring that you use the crypto that we claim is broken alongside it.
So why are we fixated on this? I mean, at the moment we've got a physics experiment that no one's actually managed to assemble yet, that's faking a solution to a problem, factorization, that's totally unrelated to the one we want to solve, DLP, which falls two trillion keys behind for every key that it actually recovers.
So this is Scribble, and Scribble can bark five times, which makes him more powerful and more capable than the world's most powerful factorization experiment. But nevertheless, that's been our reaction so far.
So again an analogy let's look at subprime mortgages. So you had these
subprime mortgages. So you had these things where home buyers and investors were practically given um houses so called ninja mortgages. Mortgage brokers
were earning good commissions. Fanny May
and Freddy Mack, which is the US um agencies that are designed to get people into houses. Um got plots for assisting
into houses. Um got plots for assisting low-inccome um owners into housing. Um
retail banks made money selling mortgages to investment banks and they converted liability to cash assets.
Investment banks made um bought mortgages and then bundled them up into mortgage based securities. Um MBS
investors made money um from these things and insurance companies made money because they issued these bogus credit ratings based on these bo bogus um bundled mortgages. The thing is
everybody was making money. So nobody if you look at the entire food chain from the person getting given a house all the way through to the the auditors and so on at the other end of the chain everybody was making money. So nobody
had any incentive to push the emergency stop. All the data was there. Um you
stop. All the data was there. Um you
know I was working for a large bank in the US or did some work for a large bank at the US in the US at the time and they said look at these figures look at these defaults and so on. There's going to be a crash at this point and he was off by about a week. Um, but no one had any
motivation to push the emergency stop because everyone was making money. So,
pop quiz for security people. Which one
of these would you choose? If you're an academic, would you like to publish another paper on group key management that no one will ever read? Or would you like to publish a paper on some cool new physics experiment based thing? Um, if
you're standards groups, would you want to standardize away at some new TLS extension that nobody will ever care about? Or would you want to fly from one exotic location to another um and argue over which post physics
experiment is the most cromulent? If
you're a developer, do you want to audit existing code for problems? Or do you want to implement some new post physics experiment thing that's really cool and hip and everybody's talking about it? If
you're a journalist, do you want to write about this week's PHP vulnerability or do you want to announce quantum supremacy or the quantocalypse for the 17th time in a row? [snorts]
And everybody chooses B because that's the fun bit. The A bit is the old grind that you don't want to get back to. And
as with subprime mortgages, um, nobody involved has any incentive to stop the merry-go-round. If the merry-go-round
stops, then everyone has to go back to doing all the boring stuff because the OWASP Top 10 are still waiting and we'll still be waiting.
So in the 1990s, there was this claim that um, e-commerce needs PKI to succeed and that was the argument, you know, we absolutely need to have PKI for e-commerce. Now, if you look at
e-commerce in the 1990s, you go to a website, you enter username, password, credit card. If you look at e-commerce
today, you go to a website, enter your username, password, and credit card. So,
it hasn't really needed PKI. So, the
corrected form of that is actually PKI needs e-commerce to succeed. Without
e-commerce to justify it, there's not much point in PKI. Okay. And
admittedly, in 2013, the NSA gave us a second reason why it's good to have PKI with TLS. But basically, the e-commerce argument was the argument in reverse. Quantum computing also has the
same problem. It needs cryptanalysis to
succeed. If you look at almost every new
quantum computing announcement, um it's either just an announcement for the announcement's sake. We've done
something new with bits. Um or it'll mention cryptanalysis because there's really not much other application for it. In other words, there's not much
reason why you want to give the quantum guys a pile of money. Um because it doesn't really solve any problems. At most you get a few invented for quantum computers to solve until someone else
comes along and says well actually a standard PC can do that just as well.
So here's an example of a news story as reported by quantum and non-quantum media. This is the same news story. So
the quantum magazine: new quantum algorithm factors numbers with a single bit. The non-quantum magazine: the
quantum factoring algorithm that requires the energy output of stars. A
77-page monument to missing the point. So
that's exactly the same news story just reported differently.
So again, as with the super guns, what this is doing is it's drawing resources away from the actual problem and devoting it to something that really is pretty much irrelevant. Um,
you know, imagine if the hundreds of millions of dollars and all the expertise that was being devoted to working on these physics experiments was actually devoted to SAST tools or scanners, you know, just something where it's actually useful and where it's
going to be addressing things that the attackers are doing.
Um and so the thing with this is, you know, this is a quote from a conference paper. So future
adoption of these algorithms is likely inevitable even if a quantum computer is never built, opening the door to decades of new research in cryptanalysis. So
that's cryptographers saying this is brilliant. This is a whole
career path for us. We can keep working on this stuff even if the threat never eventuates.
And so yeah software security designers, standards people, but you know again everyone involved in the food chain thrives on this stuff.
So this is something you'll never see in any security protocol or standards group discussion ever. Okay, we're done now.
Um these standards, there's standards groups that have been explicitly shut down in the IETF and they just continue.
For example, PKIX has gone, continues under another name. PGP just keeps going and going and going and going. Um SSH
carries on as like OpenSSH inventions that get backported into the standard. So getting back to the stock market analogy, you can make money when the market's going up or going down. You can't make money when
prices are constant. So the whole stock market system is designed to have churn because churn allows people to make money. In crypto, churn means academics can write papers, implementers
have something to hack away at. Um
vendors have something new to sell to their customers. So churn's good for
everybody except people primarily concerned about security and things like the OWASP Top 10. Okay, this is an old saw. Um and churn is basically
complexity serialized, standard complexity of everything up front. If
the thing is constantly changing, then you've got never-ending complexity because you can never catch up to this. So, it turns the already bad
enough complexity problem into a Red Queen complexity problem. Oops.
For example, the TLS product alone has 60 RFCs. That's not an error. 60 RFCs
for TLS versions. There's 32 further drafts in progress. So, it's just under 2,000 pages of documents, if you printed it out. Now, does anyone seriously think there aren't reams of vulnerabilities hidden in this
complexity? And that complexity is
caused by churn. That every couple of months a new RFC comes out that you're supposed to implement that nobody has time to assess properly for vulnerabilities. And that when they get
implemented, inevitably there will be bugs in there. So, it is the enemy of security. The more complexity you have, okay, I'm preaching to the choir here. Um and the constant churn
just adds more complexity and unexpected emergent properties. So some of the most
secure systems I've audited um were actually created by non-security um geek embedded systems designers. They have
barebones TCP stack TLS with one single cipher suite, one single key exchange mechanism, one single cipher.
Certificate management is done by a memcpy because you don't really need an entire PKI in there. You just need to say here is the certificate. Does it
match or not? Um and you know some of these things were designed by embedded systems guys. They had no formal
education in security. They basically
taught themselves a bit of crypto and that was it. And these were really, really hard to break because there was nothing there to attack. The attack
surface was essentially zero.
So, oh wow, finished early. Um, so
something similar to quantum cryptanalysis has already happened in um theoretical physics. If you're familiar
with string theory, um it's basically non-falsifiable. It can't generate
any testable predictions. Therefore,
there's no way to say it's wrong because it's not falsifiable. And what this did is it drew significant resources away from other physics research for at least two decades. So for a while if you
wanted to do theoretical physics you pretty much had to follow the string theory crowd because anything else wouldn't get funded or you couldn't find a supervisor to supervise you unless silver or renegade. Um comment there
from a mathematician. It's been
spectacularly successful on one front: public relations.
Quantum cryptanalysis is basically the string theory of security. It's never
generated a single test. String theory
has never generated a single testable prediction. Quantum cryptanalysis has
never factored a single non-sleight-of-hand number, and um for SNDL, which is the threat that everyone likes to cite, this um save now decrypt later, it's
never managed anything at all. There's never been a single result for the actual threat that people like to cite as being the justification for this quantum stuff. So basically magical thinking says it's
a serious threat, empirical data says it's bollocks. Uh there's a great quote there from Sabine Hossenfelder who um is a physicist who did some of this stuff before getting out. You know, the reason for doing this talk is ignoring
bad ideas doesn't make them go away.
They still eat up funding and killing ideas is a necessary part of science.
Think of it as a community service. So,
what I'm trying to do here is a community service.
>> Do you know a prime factorization for the number 15?
Good girl.
Thank you.