[00:58] The Post-Quantum Cryptography Project

Rachael: We've got Dustin Moody. He’s a mathematician in the NIST computer security division. He leads the most fascinating thing I've ever heard of, a post quantum cryptography project. It's almost a year ago, July 22nd, 2020. They announced their top three candidates, his program that started in 2016. I can't wait to talk more about this. 

Dustin: Happy to talk about post quantum cryptography.

Eric: Dustin, I am scraping every single fragment of IQ point I can for this interview. I'm just pulling it up here.

Dustin: Sounds good.

Rachael: You got your PhD about 10 years ago. It's on elliptic curves and their applications in cryptography.

Dustin: Yes. I studied math. I've always loved math and I went to graduate school and was working on a PhD. As you're getting your undergrad, you explore a lot of topics. Elliptic curves were fascinating to me. They're just described by a simple equation, but they have these cool properties. Then I found out they're not just kind of neat mathematically, but they're actually used in cryptography. It was really cool that this mathematical object I just find beautiful actually has a practical use in the real world today. That's where I got my start.

Eric: Do you almost see it as art, like when you look at it? I'm just trying to relate. Math was not my top subject in college, high school, or any other area I had to play with it.

 

Amazing and Miraculous

Dustin: There are so many things in math that you look at the patterns and what holds true with numbers, it just seems amazing and miraculous. Yes, there's beauty in it for sure.

Eric: Okay. I've heard that described before. An elliptic curve, I know all about it. But for Rachel, could you give us just a layman's description of what we're talking about?

Dustin: Yes. If you go to your high school algebra class, and you think of when you used to have to plot lines and equations. A line is given by Y=2x+3 or something like that, or you'd get a parabola that's Y=X², but the curve is given by an equation Y²=X³+3x-1. You can choose different numbers, but it's a pretty simple equation. If you plot it, it makes an interesting curve shape. But it turns out that there's a way to take two points on the elliptic curve and define a way to add them.

Dustin: You get another point on the elliptic curve. That forms in math what's called a group. When you can make this set that has this addition operation, and then you can do interesting things with the group. That's what an elliptic curve is. It's pretty easy to just visualize. I don't know who figured it out, that you could add points in this interesting way. But then once you discover that property, then you can find neat applications for that.

Eric: Because we're dealing with mathematical properties, we can then apply it to things cryptography is my guess.

Dustin: Much of the cryptography we use today is based on different mathematical structures and techniques. It's cool to see that happening.

 

Post-Quantum Cryptography Back in World War II

Eric: I'm thinking back to Alan Turing and the Ultra Project with Enigma and everything, or Joe Rochefort with Hypo. We've been doing this a long time.

Dustin: A lot of those people who were in cryptography back in World War II, a lot of them got their start in mathematics. Computers weren't around then, so they were inventing computer science at the time. But math and computer science have always gone hand in hand in cryptography.

Rachael: How did you find your way to NIST, which I think is so cool, and that you're working on this project. Did they find you?

Dustin: No. I was finishing graduate school back around 2009, 2010. That was a pretty tough economic time, unlike right now where it seems everyone is hiring. Back then, not very many people were hiring. In searching for jobs, NIST had this posting up that they were looking for someone who specializes in cryptography. That's been a subfield of elliptic curve cryptography.

Dustin: I saw that and I was like, "Well, they're looking for someone that's exactly like me."  I had no idea if I'd get it or not, but NIST is pretty well known in cryptography and other scientific areas. So I applied, and I was just what they were looking for, so I got accepted and got a good start at NIST. It was exciting.

Eric: Now, share only what you can obviously, but do you get to work on creating cryptography capability, but also breaking it? Does it go hand in hand? How does that work?

 

Designing a New Crypto System

Dustin: Yes, all of those are involved. At NIST, we work on the unclassified side of things. The NSA or other military, they do more classified things. Everything we do at NIST is unclassified. But when you are making a crypto system, you want it to be as secure as possible. Yes, you're always trying to find attacks and break ones. If someone designs a new crypto system, you'll only trust it or have confidence if it survives several years of people trying to attack it and break it.

Eric: And not be able to.
Dustin: Yes, and that just takes time. At NIST, we do research in trying to make crypto systems. Trying to make them faster, trying to find attacks, trying to break them, all that kind of thing.

Eric: That's where quantum computing and quantum resistant encryption now come into play.

Dustin: Quantum computers are this pretty cool thing. Physicists and researchers have been toying around with them and trying to build one for a long time. They recognize that if you use some of the principles of quantum physics, as opposed to a lot of what most of us think of as the physics that we learned in high school. Quantum physics has got these really counter-intuitive properties. 

Dustin: Some smart people figured out, if you find a way to harness this, you could get some really, hugely, I'm blanking on the right word. If you had a huge increase in the computing power, if you could put it into a computer. They've been making steady progress on these quantum computers. They've been getting bigger and bigger over time. I don't think they'll ever completely replace our standard, classical computing. They don't solve absolutely every problem.

 

[08:30] Quantum Computing in the Future

Dustin: They're good at certain problems, but those problems they do, they turn out to be very effective. One of those problems is that they can break some of the crypto systems that we use today. That's why cryptographers paid attention to that fact, which was discovered a couple of decades ago.

Eric: We had episode 83 with Steve Grobman, the CTO of McAfee. We got onto quantum computing, and he raised something that I had just never even thought of in cybersecurity. I've got a cybersecurity background, but he said all of the encryption we have today will be able to be broken by quantum computing in the future. That's scary.

Dustin: It is. To qualify that just a little bit, there's different types of cryptosystems we use today. It's broken into two families. One family is called public key or asymmetric cryptography, and another part is called symmetric or secret-key cryptography. These quantum computers will completely break everything used for public-key cryptography, just completely smash it. Symmetric AES, they will be impacted, but we can correct for it without having to scrap the whole lot of them. We just have to use a longer key. For example, right now a lot of people use AES and they use 128-bit length keys.

Eric: Or 256, yes.

Dustin: If you go up to 256, you'll provide at least the same protection that AES 128 provides. There's an impact, but it's easier to deal with on the symmetric-key side. It's the public-key side that we have to really do something about.

 

The Goal of Post-Quantum Cryptography

Eric: I don't think most IT professionals even think about it. If it's FIPs 140-2? Check the box, we're good whether they met the capability or not. They're just like, "Encrypted, check the box." But the reality is, what you think is encrypted and protected today may not be tomorrow with the advent of quantum computing. That just blew my mind. How do you protect secrets down the road? That's crazy.

Rachael: Wasn't that what you're working on, Dustin, as part of the post quantum project?

Dustin: That's the goal. The goal of post quantum cryptography is to get crypto systems that will protect against these quantum computers. It really is crazy that even if a quantum computer gets built, Google and Microsoft, and IBM, these companies, they've got small ones. But they're not big enough to threaten any cyber security at all. But if you just think of the fact that somebody might just copy down your data. It's encrypted, so they can't read it, but they just copy it and hold onto it.

Dustin: Maybe they wait 10, 15 years until there is a quantum computer, and they'll get access to your information. That might be sooner than you’d like. You could be at risk from a quantum attack 10, 15 years in the future that you're not even thinking about today.

Eric: That's what blew my mind right there, then I started thinking, "Okay, so what is the lifespan of sensitive information? Is there any way to even categorize that?" Obviously, it depends on what the information is, but what is that lifespan that you need to protect? It's probably, in many cases, longer than the time it will take a quantum computer to decrypt something. That's where he got me concerned.
 

You Have a Problem NOW

Dustin: Yes, and that's certainly true. It will depend on the organization. National security things might be 30 years or longer, financial regulations maybe they're a little bit shorter, seven years, 10 years, something like that. But since we don't know when a quantum computer will be built, it's hard to judge that risk for sure.

Eric: But if it's within that time, you've got a problem, and you may not even be thinking about it today as an IT manager or a business owner. You've got a problem now.

Dustin: You potentially have a problem. You need to know which crypto systems you're using to encrypt your data. Good news is, most of the time data at rest is encrypted using symmetric algorithms like AES. That should be somewhat protected. But if you created your key public-key cryptography, which is often the case, that might still be a vulnerability there that you have to be aware of.

Rachael: Now, I'm so fascinated how far in the future we're talking here. You're trying to look at these algorithms today and come up with a standard, which is no easy task. But we talk about quantum the next 10, 15 years, that this nut could be cracked. How do you plan that far ahead for what's going to be? Obviously, very smart people like you, but my head's exploding just trying to think how you can figure that out so far in advance.

Dustin: It certainly takes the effort of a lot of people. I have a background in math, but it takes a whole team that we have at NIST, and just the whole crypto community in general. There's so many different aspects that people are preparing for and starting to figure out.

 

Selecting the Algorithm

Dustin: It's selecting the algorithm, but then it's also looking at the internet protocols like TLS and internet-key exchange to make sure that those protocols will be able to handle the new algorithms. There's just a whole lot of different pieces. Luckily, there's a lot of people that are working on this so everything doesn't go completely broke.

Rachael: It could take some time for folks to then get the technology and to deploy it. It’s the other piece that I read.

Dustin: Yes, certainly. Transitions are slow, especially cryptography transitions. We've had some in the past where people have switched from using one type of cryptosystem, like RSA, and that can take 5, 10, 15 years to get all the new cryptosystems into the products. It's expensive and it can take time. Even if you know that this issue's out there. And even if we will standardize some new algorithms and you know those, it will still take time to get that transition to occur.

Eric: I'm thinking about IPV4 to IPV6. I've been working on that for at least 15 years, and maybe we haven't had that pressing demand to go to IPV6. But we're finally starting as we run out of classy addresses, finally starting to see people implement it. But it's been at least 15 years. The other problem we have is something stolen today that has been encrypted in a lower-level encryption scheme or mechanism. That could be decrypted five, 10 years from now, and if it was stolen today, the end-user who created, or contained, or owned that information can't do anything about it. That's the scary piece to me.

 

[14:49] Symmetric Key Post Quantum Cryptography

Dustin: Yes, to some extent. There are things you can do. If you encrypt it with symmetric-key cryptography in at least 256 bits, a quantum computer won't be able to touch that for several decades, if ever. There are some things you can do to get ready and protect. But you have to be aware of that threat and take those steps.

Eric: And that's costly today.

Dustin: Most organizations don't know all the different crypto systems that they're using in all their different applications. That would be a first step to just do this initial analysis to see what you are using and all your different pieces. Make sure that the people know what the threat is and that this change is going to need to happen. Yes, that takes time, effort, and money.

Eric:  Recognizing that NIST has some of the best experts in the world, yourself included in that, if I'm an IT manager at let's say treasury, I'll just pick on an agency right now. And I have concerns about protecting information into the future, what do I do? Can I go to NIST and look up some publications? Do I have a NIST conduit of some sort that I can work with to ensure that my high-risk, high-value information that needs to be encrypted can be protected today, or protected in the best manner possible?

Dustin: Yes, you do. I would start with saying, before even worrying with algorithms and in the quantum threat, make sure you're using the best practice that is out there today. NIST has several standards and guidelines letting you know what are the best cryptosystems to use and the best way to do that.

 

The Quantum Threat

Dustin: I would start with that. I’d certainly want you to be aware of the quantum threat. You don't need to panic yet. There's still time to prepare and take action. We've been working on our algorithms for several years. We're going to announce the algorithms that we'll standardize roughly by the end of this year. In not very long at all, you'll have algorithms that you'll be able to transition to that will provide protection from attacks against a quantum computer. If you have any questions as well about any of that, you can contact us and we're happy to talk to you directly.

Eric: Now, does an industry have to adopt those algorithms in their products in order to get them out and make it easy for users?

Dustin: Yes. Extensively, NIST just provides recommendations to the federal government. But we know that those get picked up by private industry in the United States, as well as around the world. We have definitely seen the industry paying attention, even participating in our standardization projects in many companies: Google, Microsoft, IBM, Intel. They all have researchers that are on some of the teams that have designed these algorithms and are attending the workshops and giving us feedback. They're aware of what's going on for sure.

Eric: Really, you've got a true government agency, private partnership that's working and has been.

Dustin: We always love getting more feedback about these algorithms that we're looking at, if they will fit in your applications and if they're going to cause any problems so that we know that before we select the algorithms. But we've been happy with the participation and feedback from industry that we've been getting.

 

 

The First Country to Figure Out Post Quantum Cryptography

Dustin: It's a good, united effort from the government, from industry, and not just in the United States. This has been going on around the world as well. It's been a pretty cooperative effort.

Eric: Which is good.

Rachael: You think about quantum, is this the next space race, kind of, the first country to figure it out? But to figure this out, it would take global cooperation and a lot of different minds to come at. Are there countries that you guys have been partners with for a long time? Anything in that realm that you can share?

Dustin: Yes. The way NIST has done some of these larger projects where we do an international competition. Where we invite submissions from around the world to send in cryptosystems. Then we run the process that helps evaluate them and select and standardize them. We've had great cooperation from around the world. Europe, in particular, has been very active. They have a lot of strong cryptographers there. Japan, South Korea, we do see other countries that I'd say have participated a little bit less. Russia typically does their own thing with regards to standardization.

Dustin: I have seen some presentations that they are aware of the quantum threat. They're coming up with their own internal standards. Similarly, China is doing that as well, where they did their own internal competition-like process and selected some algorithms. They have participated in our process a little bit, but they want their own standards for their own national security regions. But otherwise, I’d say European countries like Germany, and Netherlands, and France, Japan, South Korea, Canada, Great Britain. Those are some of the countries that have a lot of researchers participating in this effort.

 

One Encryption Protocol

Eric: What happens if we don't have that standardization? My thought is you can choose one encryption protocol. It's really difficult to do more than one in a given capability or need.
Dustin: Yes, we want to keep the number of options down to as little as possible. We want to have more than one so that if something gets broken, you have a backup that you can turn to. But otherwise, to help adoption, you want to have a small number of algorithms to potentially implement.

Eric: If not, it's the wild, wild west. You've got this fragmented set of encryption protocols out there. Some try to support one, they don't support the other. You can't decrypt it. It makes for a lot of friction in the business.

Dustin: That's exactly why we have standards in general, but also in cryptography for this purpose. So that if you want to encrypt something and you want to talk to your bank, they're going to use the same encryption algorithm that your browser uses, and it will all work behind the scenes. By using a standardized algorithm, you can trust that it's an algorithm that's been vetted for security properties, and so that it should be reliable.

Rachael: Will we ever get to a universal standard then, one global crypto standard? Let's say it's for consumer devices. I'm making this up. Obviously, I'm not a quantum-crypto person, but like the USB or whatever. I know that's impossible to get to. You look at regulations coming out state by state or country by country. It gets really complicated.

 

[21:32] Worrying About Post=Quantum Cryptography

Dustin: Yes, there's a lot of different algorithms out there. Even without worrying about post quantum, if you look at encryption, there are countries that start to dominate. AES I would say is used by pretty much everyone around the world. But before AES, there was an algorithm called DES and triple DES. We still see implementations of it out in the wild. Encryption is not the only crypto capability that's out there. There's also things like digital signatures, and there's hash functions.

Dustin: There's different algorithms for these. I don't think you'll ever have just one algorithm that does everything right. But we do want to have just the main algorithms that people tend to use like AES. They're safe, they're secure, they're efficient, and that you can turn to, and everybody else is using them as well. For post quantum, we hope to keep that up. We haven't selected the algorithm, so we can't say exactly how it will turn out. But that's the goal that we're looking for, yes.

Eric: When do you think you'll select the algorithm, in a couple of years?

Dustin: This process started in 2016 when we announced it. We initially received about 80 different cryptosystems that were sent to us. Since then, we've been evaluating it in a series of rounds and whittling it down. At the end of the first round, got it down to 26 algorithms. Then in the third round, we got it down to 15 algorithms. We think that we'll finish the third round at the end of this year. We expect to announce it at the end of 2021 or maybe early 2022. The algorithms that will be for encryption as well as digital signatures that will provide protection from quantum attacks.

 

Standardization

Rachael: That's exciting.

Eric: How many will you get down to when we talk about standardization?

Dustin: Good question. We talked already about wanting to have a small number. For encryption, we'll have at least one, but it'll be more than one in the same for digital signatures. It'll likely end up being two or three. For security reasons, we don't want to put all our eggs in one basket. So, we always want to have something else. But it turns out that some of these post quantum algorithms are a little bit bigger than what we currently use.

Dustin: There's different performance trade-offs you can make. For some applications, one algorithm might be tailored a little bit better. There'll be a few options that potentially are better for different applications as well. But I'd anticipate two to three algorithms for encryption and two to three for signatures.

Eric: What you're really saying with that from an efficiency perspective is, something is less costly to implement from using the encryption. It's faster, but it potentially has less capability. It's less secure because it's faster.

Dustin: Not so much security. We don't want to standardize anything unless we fully are confident of security. But for example, one of the algorithms is known as classic McCleese. It has a public-key size, that's about a megabyte in size. That bandwidth, that has low resources. It has a very small cipher text, but its public key is huge. In comparison, there's a lattice space system called Kyber. Its public key and cipher texts are both around 1000 bytes. So, a little bit smaller.

Eric: A lot smaller.

Dustin: Yes. Maybe you can handle that one easier if you have low resources compared to classic McCleese.

 

Security Properties Involved

Eric: Why wouldn't you just go with that then?

Dustin: Well, classical McCleese has much smaller cipher text size. So maybe your application needs the cyber text size to be as small as possible. There can be security properties involved. Classic McCleese is an algorithm that's been around for 40 years. So maybe you have a little bit more confidence in its security. Whereas some of the lattice base algorithms we're looking at have been around 10, 20 years. We fully believe they're secure. But maybe if you want it to be ultra-conservative, you'd want to go with an algorithm that's been around even longer.

Eric: Does NIST do work to then educate the end-users, the community, to help them understand the pros and cons of these different algorithms?

Dustin: A little bit. In our documents where we standardize them, we do provide some recommendations and explanations. But for the most part, I would say the end-users themselves probably won't get that directly from NIST. We do have reports that explain things. But end-users typically don't need to select their own cryptosystems. It's built. If they want to find that information, they can, but I'd say for the most part they don't need to.

Eric: My experience, and I'm certainly not an expert in this area, somebody gets it into the FAR, the Federal Acquisition Regulations. This level of encryption is required in these types of products. All of a sudden, the vendors go out and say, "Okay, we need to do X, Y, and Z," if they aren't doing it already. It may lead in the commercial space sometimes.

 

Post-Quantum Cryptography Is a Very Hot Topic

Eric: All of a sudden now, as a vendor to the US federal government at least, but a lot of times 5I's governments too. You've got to meet a specific encryption requirement, whatever it may be. Who really drives it then? NIST does all the work and says, "This is the quantum proof or quantum capable encryption." How do you get it out there?

Dustin: Well, we're publicizing it as much as we can. It's probably not 100s yet. But I've given dozens of talks to different organizations and agencies and industries. Post quantum cryptography is a very hot topic in cryptography. I'm sure that certainly not everyone's aware yet. But we're just trying to get it out there as much as possible so that you're aware of the threat. Then once you start asking questions, you can usually start finding some resources of what you should do about that.

Rachael: Yes, I've been reading so much about it. I feel like in the last year, it seems to really become top of mind, which is wonderful. Something like this is so complex, there's a huge education component, I imagine.

Dustin: Yes, there is, especially when you start talking about quantum computers. I'm not a quantum physicist. There's guys on our team that understand it way better than I do, but this all goes so over your head. It feels so complex and confusing. There's new math that's involved if you're using lattices. You have no idea what that is, but the basic idea is just there's going to be new cryptosystems that you're going to need. There will be implementations out there.

 

 

[28:26]The Basic Idea

Dustin: NIST will provide guidance as to when you need to transition and things like that. But the basic idea I think you can understand, even if you can't wrap your head around all the different math and the complexities.

Eric: Well, I think that's the important part. We want to elevate the game because I could see a picture where you've got an E4 in the army who's working on a project, and his commanding officer says, "Are we using encryption?" "Yes ma'am, we are," and that's the end of the story. That's the extent they understand. They don't know what we are dealing with here.

Dustin: Yep. Hopefully they get to the next level where they say, "Is that encryption quantum resistant? Is it protected from quantum attacks?" That would be a great next question.
Eric: Yes, I was in E4 in 1994. I would've said, "Okay." I suspect the system will have to work to drive this technology out, but it's absolutely needed as you said, Rachel.

Rachael: Now that you'll have your top folks for the digital signature encryption algorithm standards. Then what? You've worked all these years to get to a standard, and then what's the next phase after that?

Dustin: Well, there's always new things in cryptography. We hope to get these first standards out for quantum resistant algorithms. But in the field itself, there continues to be new research. We are paying attention to that. We're seeing if there's any new algorithms that come along that would be better. Once you've got an algorithm out there that's been implemented in products, it's hard to switch. But we want to keep track if there are better algorithms out there that could be used, new ideas.

 

New Functionalities and Cryptography

Dustin: We have to maintain these documents. We have to keep up with them if there's new attacks, so that we're always revising them. Then there's always just new functionalities and cryptography to work on. There is fully homomorphic encryption. There's privacy, preserving techniques using sophisticated projects that we'll have to work on.

Eric: Fascinating. It's always evolving.

Rachael: It really is. I can't imagine being part of a profession where the next 20, 30 years you know you've got a job. It's so critical, what they're working on.

Eric: It's like mortuary sciences. You'll always have a job. It's just constantly evolving. Somebody breaks the encryption, you need stronger encryption. Stronger encryption, someone's got to keep trying to break it.

Rachael: I don't know if it was a great question, but it's always so interesting how these things that start out so incredibly complex, and it truly takes a village and decades to crack the code. Then once you crack the code, the next 30, 50 years, does this post quantum cryptography become kind of a plug and play application? Where you're like, "Oh, hey the new Madden game just launched. Hey, there's a new crypto that just launched. I'm going to just plug it into my quantum laptop and away we go." Is that where we might get to? And is that even possible?

Eric: I'll defer to Dustin on that. I have seen technology where you get to choose the level of encryption. So, you can choose how you want to encrypt the data or the transaction or whatever. Going back to DES, triple DES, the AES, the level of AES. I've definitely seen that. I've talked to developers and organizations I've worked at where we've certainly had the ability to choose different crypto libraries and the like, and determine one, what we would implement. But two, where the customer could also just select what they wanted to do. I think it's getting easier, but I deferred to Dustin for that.

Dustin: It would hopefully be the direction that we do head into. The term for that in the past years is known as crypto agility, where you can do exactly what you described. That's what makes these transitions so hard right now, is we do not have that capability. You're using cryptography in many applications. You don't know where it is.

 

Post-Quantum Cryptography Transition

Dustin: You can't just take it out of something easily. That's some of the recommendations that we give to others right now. When designing your new systems, make them as agile as possible so you could do that. So that when there is a crypto transition, you can plug and play just like you described with the Madden game. You'll be so much better for it.

Eric: Yes, I found in some places you can choose the level of encryption you want to use in the application. But I'll tell you, email's the one that still kills me. It is so difficult to send an encrypted email to somebody today. Because public/private key, you would think we would have solved that one by now. I know, Dustin, that's not your problem to solve.

Dustin: But I'm in cryptography. I don't have to send encrypted emails very often, but when I do, I still have to look up, "How do I do this?" Yes, it has not yet been made user-friendly so it just works seamlessly.

Eric: On the surface, I just want to send something to Rachel that nobody else can read no matter what. It seems so easy, but it's not. It's really hard even for me. You think of somebody's grandmother who wants to send something. It's not happening, ever.

Dustin: Well, when you send an email to your bank and you use the secure messaging inside the app or the browser, it should be encrypted and it should be okay there.

Eric: To me, that's a workaround aside from using Outlook or talking to somebody's grandmother’s aol.com.

Dustin: That's true.

Eric: Here you go, Mr. Banker. Here's my secret password.

Rachael: What about like Signal or Confide? I have Signal.

 

The Apps that Provide Encryption

Dustin: Those apps can provide encryption, yes. 

Eric: Not leveraging Signal. It's just not easy.

Rachael: Well because the message disappears too.

Eric: Now you're hooked on Snapchat or something.

Dustin: We're just going to have to go back to Morse code and start tapping out everything in Morse code. Then we'll have to do it that way.

Rachael: Exactly. Well, I think we just need to unplug, Dustin. We need to go back to the stone age.

Eric: Well, if it doesn't exist, it's definitely safe.

Dustin: Or if you want to go super secure, you can use what's called the one-time pad. Where you roll dice to get perfect random numbers, convert it all to zeros and ones. If you only use it one time, perfectly secure. You can prove that, but it's very inefficient to make that happen in practice.

Eric: You know, it's funny. We had one-time pads in the army, and that was a pain in the ass. It was slow, Rachel. We use them all the time now.

Rachael: I'm just trying to imagine you rolling dice.

Eric: We didn't have dice.

Rachael: I love that visual though. That's much more fun.

Eric: Yes. I'm out in the field getting shot at. We're rolling dice trying to get the message out as quickly as we can. There was a lot of memorization though. You had to be able to destroy, whether you were going to eat it or burn it or whatever, the key basically.

Dustin: That's why it's one time. Yes, you use it more than once and you can lose security.

Eric: Exactly. Fascinating conversation.

 

[36:50] Is Post-Quantum Cryptography the Next Interest?

Rachael: I know we're coming on time, and my favorite question. There's two question options here today. First one, do you have optimism for the cyber path ahead? Or option two, I would love your prediction for next year. What do you see evolving? It could be in cryptography or quantum. It could be on anything.

Eric: Next year?

Rachael: Yes. What do you see being really of interest next year in the cyber realm, in the crypto realm?

Dustin: Well, I do have optimism. I think this post quantum project will still have a very high visibility and importance next year. We'll have named the algorithms; we'll be writing up the standard and getting public feedback on that. Post quantum cryptography is going to continue to be of interest, but in cryptography, there are other topics. One of the really interesting ones is called fully homomorphic encryption, which is a fascinating idea of how you can take your data. You can encrypt it, you can put it up in the cloud.

Dustin: You can do computations on it while it's encrypted, get out your answer. Do whatever data processing you want to do, get the result back to you. It's still encrypted. Then you decrypt the results, and no one else sees what you were looking for. There've been some cool mathematical techniques using lattices, which are also used in post quantum cryptography. Someone found a way to do this using lattices. People are working on that now. It's going to take a while before it's ever efficient, if ever, but there's all sorts of cool topics that would provide amazing functionality. Cryptographers got plenty of work for the next while.

 

 

Naming the Algorithms

Rachael: I bet. So, coming back to one other thing you said, the naming of these algorithms. Are you going to have a public call for names? I've seen them do that on Twitter all the time, when there's a new hippo born at the zoo. Are you guys going to have anything like that? Or is it going to be some super official, government-sounding name?

Dustin: Well, in the past, NIST has made up some of the names. AES stands for Advanced Encryption Standard. We did a hash function competition. The winner's now called SHA3 which stands for secure hash algorithm. We haven't, so far, came up with any official name like that. Each of the cryptosystems that was sent in has its own name that the designers chose. A lot of them have very Star Wars-type names. We've got Kyber, Saber, and Dilithium.

Dustin: It could be that we just ended up going with those as the names of the algorithms. You'll have a cool way to remember them besides just a boring name.

Rachael: Yes, because we do our acronyms here.

Eric: We certainly do.

Rachael: The longer, the better.

Dustin: I'll come up with some new ones for you then.

Rachael: That'd be wonderful. Well, thank you so much Dustin for joining us today. This has been a fascinating conversation. Appreciate your time.

Dustin: Thanks for having me. It's a fascinating topic.

Eric: Keep working hard. We need the best encryption we can get.

Dustin: All right, I'll do that.

Rachael: All right everyone, until next time. Be sure to subscribe. Get a fresh episode every week and we will talk to you in a week.

 

About Our Guest

Dustin Moody is a mathematician in the NIST Computer Security Division. Dustin leads the post-quantum cryptography project at NIST. He received his Ph.D. from the University of Washington in 2009. His area of research deals with elliptic curves and their applications in cryptography.