[MUSIC PLAYING]
MARK MANDEL: Hi, and welcome
to episode number 123
of the weekly "Google
Cloud Platform Podcast."
I'm Mark Mandel.
And I'm here with my colleague,
as always, Melanie Warrick.
How are you doing
today, Melanie?
MELANIE WARRICK: I'm good.
How are you doing, Mark?
MARK MANDEL: I'm slowly
still getting over this cold.
It's not 100% gone,
but I'm getting there.
MELANIE WARRICK: A
never-ending illness.
MARK MANDEL: Yeah, pretty much.
It's been going around.
MELANIE WARRICK: But
you're hanging in there.
MARK MANDEL: I am.
I am.
We have some cool people
coming to chat with us today.
MELANIE WARRICK: We do.
We are going to be talking
about quantum security-- quantum
computing security
in particular.
And we're talking with
Nick and Adam, which
will be fun to hear about.
But before we get
into that, we'll
dive into our cool
things of the week.
And of course, as
always, we have
our question of the week
that comes at the end.
And the question this week
is, how do I stream real time
when I'm coding?
How do I do real time coding?
MARK MANDEL: I've
been doing that,
so I might have an answer.
MELANIE WARRICK:
I think you might.
MARK MANDEL: OK, cool.
MELANIE WARRICK: Anyway,
cool things of the week.
Some may have heard of an
event called Google I/O.
And that's coming up
May 8 through the 10th.
Done it a few times now.
It's quite a popular event.
[LAUGHTER]
And that's in Mountain View.
Since tickets are out,
there will actually
be the opportunity if you want
to help do extended events.
And there's a link we'll
provide in the show notes
where you can
apply if you wanted
to make it an
official thing, and we
provide resources on how to
stream live the actual event
and organize with others who
are interested in watching.
So yeah, we will include
that, and that's coming.
MARK MANDEL: Yeah.
And if you are not
local and you want
to go to an extended
event, there's
a map on the extended
event page that
has a huge number of events
already set up and ready to go.
So if you don't want to go
to all the trouble of setting
something up, then
there's probably
one you can already go to.
MELANIE WARRICK: You can
go to someone else's.
That sounds like a good one.
MARK MANDEL: Yeah, exactly.
MELANIE WARRICK: All
right, and we also
want to announce-- apparently
App Engine turned 10.
MARK MANDEL: Yeah, so
there's a really great blog
post on the "Google
Cloud" blog just
reflecting on our 10-year
App Engine journey.
MELANIE WARRICK: Looking back.
[LAUGHS]
MARK MANDEL: Looking
back in time.
MELANIE WARRICK:
All the memories.
MARK MANDEL: Yeah,
this is your life.
[LAUGHTER]
MELANIE WARRICK: How
do you feel about that?
Anyways, yeah.
MARK MANDEL: Yeah, exactly.
So yeah, actually,
they've got a really nice
little interactive
image that you
can click on and see,
at different times,
big highlights about fun things.
I did not know this.
I'm just clicking on it now.
2011, William and Kate's
royal wedding website on GAE.
MELANIE WARRICK: Hey!
MARK MANDEL: Did not know that.
MELANIE WARRICK: We're part
of the wedding somehow.
MARK MANDEL: Yeah.
MELANIE WARRICK: That's awesome.
MARK MANDEL: So yeah,
have a quick read.
It's a nice nostalgia.
MELANIE WARRICK: Cool.
The other cool
thing of the week is
that we wanted to mention how
Stackdriver APM and Stackdriver
Profiler are our two new
products that we have out there
as part of the
Stackdriver suite.
So the Stackdriver APM is using
Stackdriver Trace and Debugger.
And they've put that
together in the APM tooling
to allow you to debug
applications while they're
running in production
without impacting
user experience in any
way, which is huge,
and always is a challenge that
you're up against, especially
in the DevOps space.
But the new tool in this is
the Stackdriver Profiler,
and that's letting you
profile and explore
how your code actually executes
in production to optimize
performance and reduce
cost of computation.
There was one other
thing, too, that we're
going to include the
blog post on this.
There's an integration between
Stackdriver Debugger and GitHub
Enterprise and GitLab.
And so that's adding
to their existing code,
mirroring functionality for
GitHub, Bitbucket, Google Cloud
Repositories, as well as
locally-stored source code.
So lots of great functionality
for profiling, and debugging,
and solving issues that you have
in your production environment
and your code, which is always
necessary and much needed,
especially in
distributed environments.
MARK MANDEL: Yeah,
and the Profiler
makes pretty flame graphs.
MELANIE WARRICK: Ooh, yay!
MARK MANDEL: Pretty
flame graphs, yeah,
that's what's important.
MELANIE WARRICK: I know.
And they got a nice
example of it in the post.
MARK MANDEL: Nice.
So I've got a series
of blog posts,
actually, which I
think are really nice.
If you remember back to
November of last year,
we did a wonderful episode
on Smart Parking and IoT Core
with Brian Granatir.
He talked all about
event-driven systems
and using Cloud
functions, and Pub/Sub,
and Datastore, and BigQuery,
and all that stuff.
So he has written-- and we've
published on the "Google Cloud"
blog--
a three-part series where
he goes way into the weeds
on all the technical stuff that
they have done at Smart Parking
to create this system,
and how it's all running
and that stuff.
And if you listened to
the podcast previously,
it is definitely written
in a Brian Granatir style.
I can hear his voice
all the way through it,
which means it's
fun, and exciting,
and a really good read.
MELANIE WARRICK: Yes,
definitely great.
All right, Mark, let's go
talk with Adam and Nick.
MARK MANDEL: Let's do it!
MELANIE WARRICK: All right,
on this week's podcast,
we are excited to have
Nick Sullivan, who's
from Cloudflare, and Adam
Langley, who works on Chrome.
We're going to talk about
post-quantum security,
or post-quantum cryptography.
Thank you guys for joining.
ADAM LANGLEY:
You're very welcome.
NICK SULLIVAN: Yeah,
thanks for having us.
MELANIE WARRICK: So Adam and
Nick, can you take a minute
and tell us a little
bit more about yourself
and what you work on?
Nick, why don't you start?
NICK SULLIVAN: Sure.
So I work at
Cloudflare, which is
a service that helps protect
websites and accelerate them,
as well as any sort of
service that's on the web.
And I'm responsible for
the cryptography team.
So we look into different
cryptographic technologies
to help protect
traffic between folks
who are browsing the internet
and websites and web services
that they're going
to be visiting.
This means making sure
that it's confidential,
making sure that this
data is authenticated
MELANIE WARRICK: Great.
ADAM LANGLEY: I'm Adam Langley.
So I manage the
team at Google who
is responsible for most
front-end cryptography.
So that means cryptography
between Google's servers
and its users.
And mostly, we work in Chrome,
and obviously on our servers,
and then also dipping in
occasionally to Android
and wherever around the
company that we can be useful.
MELANIE WARRICK: Nice.
And so I know,
Adam, Nick and you
have worked a little
bit in the past together
and have worked from
the security standpoint.
For today's
interview, of course,
we're diving more specifically
into quantum and post-quantum
security.
Could you guys give
us a little bit
of an understanding of what
is quantum computing before we
dive into the security
element of it?
ADAM LANGLEY: So computing as we
have known it for decades now,
since Turing's
time, has all been
based on classical
physics, more or less,
although down at the very
depths of how a CPU is made,
there were quantum effects.
What we're trying to build
is a computer that deals with
1's and 0's.
And you could have
worked out, in theory,
how these computers work
in the 1800s if you wanted.
A quantum computer is a computer
that's obviously not just made
in the quantum
universe, but uses
effects of quantum physics.
And it's difficult to convey
quite what that means.
But there are certain
problems where
the ability, in quantum
physics, to have states
that are a mixture of 1's
and 0's and to use the fact
that, in quantum
physics, probabilities
are the square root
of sums of squares
rather than the
sums and things--
where those abilities
allow you to solve
some problems significantly
faster, and many problems quite
a lot faster.
MELANIE WARRICK: Nice.
Nick, was there anything
you wanted to add?
NICK SULLIVAN: Yeah,
so quantum computing
is something that
involves, as Adam said,
quantum physics and
quantum interactions.
And the more classical
way of thinking about this
is-- you know the idea of
Schrodinger's cat, where
you have a cat.
It's inside an enclosed region.
And it can be in a superposition
of is the cat alive,
or is the cat dead?
So because you can't see it
and you can't interact with it,
quantum effects allow
multiple states of being
to exist simultaneously.
And the first time that you
actually interact with it
or look at it, it
immediately crystallizes
as one specific state,
whether the cat is alive
or the cat is dead.
So this idea of interactions
between superpositions
of different states is
one of the key components
of quantum computing.
And it's not something that you
can do classically with bits,
1's and 0's.
As Adam mentioned,
classical computers
involve a whole series
of ons and offs.
And then they can
interact together with one
on turns another one off,
turns another one on.
And you can build
classical math with this.
You can add things by
representing numbers in binary.
With quantum computers,
or quantum computing,
you can do something
slightly more complex,
which is you can have
switches that are both on
and off simultaneously
and intertwined in a way
that once you finally look
at it or interact with it,
it gets stabilized
and crystallized
in one specific state.
MARK MANDEL: Adam, you
said something interesting.
You said quantum computing
allows you to solve
certain problems faster.
Why is that?
ADAM LANGLEY: So there's one,
let's say, set of problems
where quantum computing
essentially gives you
a square root speed up.
So the classical example
here is unstructured search.
If you have an unordered
list of numbers
and you want to find a number,
in the classical world,
the only thing you can do there
is look through the numbers one
by one.
And you expect to
find what you're
looking for, on average, in half
the number of numbers you have.
Now, with a quantum computer,
somewhat mind-bendingly,
you can do it in only a square
root of the number of numbers
you have.
And I have no good way to give
an intuitive explanation of why
that is so, but it involves the
way that probabilities evolve.
Probabilities in the quantum
world are always squared.
So in a classical world,
if you check one number,
you expect a 1 over n
chance of having found
the one you're looking for.
And in the quantum
world, you get a 1
over square root of n
chance each time you look.
And so in the quantum
world, once you've
looked at the square
root of n, then
you've got a fraction
that's approaching 1.
So that does not--
and it is important that you
solve exponential problems
faster than exponentially.
So the square root of
2 to the n is still
an exponential problem.
However, there is a
set of problems where--
they're not
exponential problems,
but we don't-- or
some of them are.
We don't know any classical,
efficient way to solve them,
but we do know an
efficient way to solve them
on quantum computers.
And the effect there is much
bigger than the square root.
It is going from
a small exponent,
say, to just a polynomial.
And so for these problems,
quantum computers
make a huge difference.
And unfortunately,
that sort of problems
includes all the
problems on which
we base public key
cryptography on today.
MELANIE WARRICK: So then that
gets to-- part of the reason
why we wanted to do this
discussion was because we know
quantum computing is becoming
more mainstream in terms
of people are aware of it.
And then they hear,
well, that's going
to break all the codes
once we've achieved it.
So the question on
many people's minds
is, what are the
security issues?
What's the reality
of quantum computing?
NICK SULLIVAN: Yeah, so
one thing that people think
about when you talk about
quantum computing is, wow,
you have all these
bits, and you can
do an infinite number of
things together at once
and compute these massively
difficult problems
that you can't normally do.
This actually is not the case.
Quantum computing is
useful for speeding up
a very small set of
problems, one of which
is searching through
an unordered list.
Other ones would be simulating
quantum interactions.
So if you're in
physics and you want
to understand how different
photons interact together,
quantum computing is
an interesting way
to simulate that.
And the other one is,
interestingly enough,
factoring numbers.
So if you have a
number and you want
to know what the
prime factors are,
what quantum computers
allow you to do,
via an algorithm called
Shor's algorithm--
we don't have to
go into it, but it
allows you to take a big
number and find out what
its prime factors are quickly.
It also is useful for related
problems around that field.
But the interesting part
is that factoring numbers
and being able to
do what's called
a discrete logarithm, which is
almost equivalent to factoring
numbers, lets you break almost
all modern cryptography.
You have a big enough quantum
computer that has enough bits
that you can
intertwine together,
you can actually take any
modern cryptographic algorithm
that we use and figure
out what the key is.
So this is somewhat
scary, you could say,
to how we communicate online
and how we share information.
Cryptography is pervasive.
If you're accessing
Gmail or you're
accessing any sort of
website on the internet
or sending chats
to your friends,
we use modern cryptography
all the time for this.
So with a sufficiently
large quantum computer,
there's risks that this
cryptography can be undone.
MELANIE WARRICK: So should we
be panicking about security?
ADAM LANGLEY: Uh, no.
[LAUGHTER]
MELANIE WARRICK: I'm pretty much
trying to lead to that answer.
So don't panic.
ADAM LANGLEY: There
may be a deep reason
why quantum computing
causes us so many problems.
We've based our
cryptography on problems
that we don't have
enough structure
to solve efficiently
with classical computers,
but they have enough structure
to be quick and to be small.
And so we've huddled up
against this boundary of what
we could previously
solve efficiently,
and now quantum computers
are moving that boundary
out a little bit.
So there's two reasons in
which why we shouldn't panic.
Firstly, discussions
like-- many groups
are now building quantum
computers, small quantum
computers, but quantum
computers nonetheless.
They have quite
high error rates.
It's very difficult to
build a quantum computer
because the rest of
the universe tends
to leak in and
cause decoherence,
and messes up your
quantum states,
and everything goes wrong.
And when that happens,
the quantum computer
will produce the wrong answer.
And so the error rates we have
at the moment are quite high.
We believe that
given enough quantum
bits with a low
enough error rate,
we can run
error-correcting codes,
and so produce a theoretically
perfect quantum bit out
of real quantum bits.
But it takes a lot of them.
So it is not the
case that if you
see that some
group has a quantum
computer with some
dozens of bits,
then once that number reaches
2,048 or some other number
you may have heard in
relation to cryptography,
that everything is
gone and broken.
It depends on the technology,
but perhaps 100,000
to a million raw qubits to
make just one functional one.
MELANIE WARRICK: Is
that quantum supremacy
that you're referencing--
I've heard that term before--
in terms of the number of bits?
NICK SULLIVAN:
Quantum supremacy is--
it's an artificial concept.
Quantum supremacy is the idea
that there is an algorithm out
there that a quantum computer
can demonstrably solve faster
than a classical computer, and
we haven't hit that point yet.
And as I mentioned earlier, some
of the more interesting ideas
of things that you want to
do with quantum computers
involve simulating
physics situations.
And so the target that people
have for quantum supremacy
is this algorithm
called sampling,
where you take a lot of
bits, and you scramble them
up together, and they
supposedly represent
a certain random, but
structured-- random
association of probabilities.
And once you actually look
at them, they decohere.
And you say, OK, this fits
a specific distribution,
whether it's a
Gaussian distribution,
or a croissant
distribution, or something
like that, some
statistical representation.
So the idea is that
the first time that you
can get to a point where
a quantum computer can
simulate a random pattern
or a random distribution
faster than a
classical computer,
then it's somewhat supreme.
There's some type of supremacy.
So that's the idea
of when a quantum
computer can beat a classical
computer at one specific point.
This is not really
related to cryptography.
These problems that people
solve with quantum supremacy
or to demonstrate
quantum supremacy
are really niche
problems that aren't
really applicable to
breaking modern cryptography.
So even if this were
to happen next year
or in the next five
years, it wouldn't
cause the collapse of our
financial system or everyone
to lose their privacy.
It really takes a lot more
to find the point in which
cryptography can be broken.
MELANIE WARRICK:
That's great to hear.
And Adam, I know you were
saying that the error
rate is really high so that's
why this is not as much
of a concern.
Was there anything
else that you wanted
to add around that in terms of
why quantum computing is still
far off in the distance for
us for breaking all the codes?
ADAM LANGLEY: I
mean, I think we've
chatted about how hard it is to
build these quantum computers
and how important it is
to consider error rates.
And don't just think
that an n bit quantum
computer is going to be able
to solve n bit problems.
There's a huge difference
between raw physical qubits
and the theoretical qubits
that we want to build out
many, many raw ones.
And the second reason
for don't panic is that--
I said that we have huddled
against this border of what
we can solve and
how much structure
we put in our problems
to make them efficient.
We can back away from
that border a bit,
and we can still
have cryptography
that is robust in the face
of a quantum adversary.
And we don't need to resort
to what is called quantum
cryptography to do that.
So quantum cryptography
is putting expensive boxes
of optics on the end
of fiber optic cables
and using quantum phenomenon
to guarantee confidentiality
and so forth.
And that's exciting
and interesting,
but it's not what Nick and I
are looking at because we're not
going to have dedicated fiber
optic links between everything
on the internet.
We'd like to be able to
use the internet we've got.
And we can do that.
We can use different problems
with public key cryptography
that resist quantum
computers, and it's just
normal software that
runs on normal computers
and runs over the internet
as we know and love it.
MELANIE WARRICK: Great, so
in terms of quantum security,
what are you looking at?
What are the things
that you're assessing
when you think about, long
term, what this looks like?
NICK SULLIVAN: Right
now, as I mentioned,
a lot of cryptography
is based on these number
theoretic algorithms
like factoring.
So RSA-- this is
the standard way
that cryptography has been done.
This was the first algorithm
for public key cryptography
since 1977.
And RSA involves these numbers
that you scramble up and can
encrypt to another person, and
that person can decrypt it.
So being able to
break this requires
you to factor large numbers.
With quantum computers,
it is potentially possible
to do this.
So RSA becomes something
that's less safe if there are
large-scale quantum computers.
And whether that's going to
happen in the next 10 or 15
years, we don't really know.
There's very small
quantum computers
that are happening right now,
but they can't necessarily
break something like RSA.
So one thing that we're
looking at, as Adam mentioned,
is different
cryptographic algorithms
that are potentially resistant
to the types of things
that quantum computers can do.
So quantum computers,
as we mentioned,
only have a few things
that they can do better
than classical computers.
In actuality, some
computations are actually
worse than regular
classical computers.
So what we're
looking at right now
is finding algorithms that
are resistant to these quantum
computers, or that are
resistant to all known quantum
algorithms, as well as being
resistant to the classical,
traditional computers.
As the years progress,
computers still get faster.
Computers get stronger.
People figure out
better algorithms
to solve classical things.
So this class of algorithms
to do cryptography
that is resistant
to quantum computers
is called post-quantum
cryptography.
And many folks around the
world are looking at, actually,
how to figure out what the
right post-quantum cryptography
algorithms are.
And there are several
different possibilities
and different fields of
research in mathematics
that have promising answers
for what a quantum-resistant
or post-quantum cryptography
algorithm would look like.
MELANIE WARRICK: And
you told me about NIST,
which I know is running
this large-scale assessment.
Is it a competition that they're
doing, the National Institute
of Standards and Technology?
ADAM LANGLEY: So NIST
referred to it as a process.
So NIST is a US
government body which
have been involved in
standardizing cryptography
for a long time.
They standardized PSTAR, and AS,
and a number of other acronyms
that people would have
heard of if they're
paying attention in this space.
So they're currently running
what they call a process.
And they call it a
process to distinguish it
from a competition, I
think because they expect
to have more than one
"winner," in quotes, i.e,
they will be selecting a
portfolio of possibilities.
And they have a timeline
that stretches out--
I don't recall precisely--
but some five or six years
from now.
And so they invited
groups around the world
to submit proposals.
And at the end of
2017, there were--
I'm not sure-- close to
70 proposals submitted
from different groups for
candidate post-quantum
algorithms.
And NIST has published
all of these.
And so people are now
going through these Round 1
submissions, and
breaking some of them,
and analyzing others,
and whittling them
down a little bit.
And then at some point,
NIST will publish
the shortlist for Round 2.
And that will continue
for a few years to come.
MELANIE WARRICK: That's great.
And in terms of this process, do
you use some of the algorithms
that you see coming from NIST
and experiment with them?
ADAM LANGLEY: Chrome, in 2016,
did do an experiment with one
post-quantum algorithm.
So if you used
Chrome in 2016, you
may well have used a
post-quantum algorithm when
connecting to Google's service.
And we did that both to raise
the profile of this subject
in general and also to check the
viability, because one of the,
it appears, consequences
of post-quantum algorithms
is that they will be less
efficient, either in terms
of speed or in terms of size.
And we had simply never
tried running a key agreement
algorithm that large
over the internet.
And the internet's
very complicated.
You don't always know
what's going to happen.
And so we did this experiment,
looked at latency impacts
and impacts on error rates.
And it all went pretty well.
MARK MANDEL: So you actually
touched on one small thing,
but I'd love to
learn more about.
What are the characteristics
or the differences
between what's
current cryptography
and what cryptography would look
like in a post-quantum world?
NICK SULLIVAN:
Cryptography right now
uses several different
primitives that provide
different security features.
There is symmetric cryptography.
This is cryptography in
which both parties already
have the same key, and
you are making sure
that the data is
confidential so that only
the person with the exact
same key can decrypt it.
This is symmetric encryption.
There's also something
called integrity
that you can add on top of that.
Message Authentication Codes,
MACs, are one of those.
And this also requires
symmetric keys.
So both people have
the exact same key.
So you can send information
across the internet
or across any kind
of untrusted medium.
As long as both parties have the
same key, you can communicate.
Now, these keys nowadays
are around 128 bits long.
That's considered to be the
smallest possible key that
will give you a long-term
amount of security.
In a post-quantum quantum world,
because of the square root
level advances in being able
to search through a list,
the only real difference is
that these keys go from 128 bits
to 256 bits.
So this is something
that we're used to.
And this is something
that we can do.
The bigger differences come
in these so-called asymmetric
algorithms.
The ID is a public
key encryption,
RSA that I mentioned.
These allow you to, as an
individual, have a private key
as well as a public key.
And your public key is
shared with the world,
and anyone can encrypt data
so that only you can decrypt
it using your public key.
So you take data.
You take the public key.
You scramble up the
data, and only the person
with the associated
private key can decrypt it.
Similarly, there's the
idea of digital signatures,
where you can take
that private key
and associate it
with a piece of data
so that anyone in the
world with your public key
can then verify that only the
person with the private key
was able to digitally
sign that data.
So these both provide
ways for folks
to agree on symmetric keys.
So you go from public key
asymmetric cryptography
to sharing a key and
being able to communicate
across the internet.
Each one of these
different pieces,
whether it's symmetric key
cryptography, whether it's
digital signatures, or
public key cryptography,
has a quantum-resistant
post-quantum component to it.
And as Adam mentioned,
these typically
do not have the same
performance characteristics
in terms of computing.
So it's either going to cost
a lot more of CPU to compute
these operations-- so it might
take milliseconds longer than
it would usually--
or the key sizes
are much bigger.
And as I mentioned, symmetric
keys have a 128 bit key size.
They go up to 256.
Typically, right now, for
public key cryptography,
if you're using elliptic
curves, which is very popular,
you have 256 bit numbers.
RSA, it's about
2,000 48-bit numbers.
When you're talking about
post-quantum cryptography,
these keys can get up into
the 10,000 bits range,
or for some NIST proposals,
the 100,000 bit ranges.
And for some joke
NIST proposals,
you can have keys as
large as a terabyte.
MELANIE WARRICK: How does one
test for quantum computing
when the quantum computers
are still in development?
ADAM LANGLEY: So it's
in theory, essentially.
It is the case that all of
our classical cryptography, we
don't know that there
aren't efficient
algorithms to break it
on a classical computer.
Our only basis for believing
that there aren't is
that we've looked real hard
and we've never found one.
And so it remains with
quantum computers.
So Peter Shor was
able to come up
with Shor's algorithm
for factoring
long before any quantum computer
existed, because we know,
in theory, the physics.
And so we can theorize
about-- given this problem,
can we come up with
a quantum algorithm
that efficiently solves it?
And if the answer is
no, then we hypothesize
that it is post-quantum secure.
But just like
classical cryptography,
we have no proof that there
isn't an efficient algorithm
out there that nobody's
just found yet.
But that's a situation
we're relatively
comfortable with because
it's always been that way.
MELANIE WARRICK: Interesting.
You had listed that you
were interested in diving
into a little bit is--
what is the difference
between confidentiality
versus authenticity?
NICK SULLIVAN: So this is
also a very important point.
When speaking about the
different types of things
that cryptography
provides, I mentioned
symmetric cryptography
is sending a message
and making sure that only the
person that it's intended for
can decrypt it.
This is confidentiality.
This is how you keep your
information confidential.
The other piece is
integrity, which
is, how do you make
sure that someone
didn't change that message?
Even if they didn't
see what it was,
how are you sure that this
message is in the right order,
that it's exactly the
message that the person sent?
And in a scenario
where somebody is
trying to attack
your cryptography,
these have different timelines.
So if you have the ability to
break an integrity algorithm,
if someone's already
sent the message,
that doesn't really help you.
If someone's already
received the message,
it doesn't help you at all
because the message is sent.
And it's been received.
It's been checked.
So if you have the ability
to break integrity,
you have to be there right now
and intercepting communication,
and changing it, and modifying
it before it gets to the person
that you're talking to.
When it comes to
confidentiality,
you have to be prepared for
attackers in the future.
So if you're communicating
with someone right now,
and saying something that you
want to be secure for 30 years,
and you're sending it
over an insecure channel,
then you want to make sure
that the confidentiality
algorithm that
you're using is going
to be able to not be
broken for those 30 years.
So sometime in the future,
if someone's collected it,
they break that algorithm, they
can reveal what it is you said.
And this is actually
the more pressing point
for quantum cryptography.
If we're talking right now
about digital signatures,
it's not so important that we
get a digital signature right
now, with respect
to quantum security,
because in the next five
years or the next 10 years,
there's not going to be a
large-scale quantum computer.
But in the next 25 years
or the next 30 years,
there's potentially a chance.
Technology moves rather quickly,
and 25 years is a long time.
So the main focus of what
Chrome's experiment was
and what we're
looking at right now
for post-quantum
cryptography is, how do we
do this key agreement?
How do we make sure
that the confidentiality
of communication is
actually quantum-resistant?
So having a post-quantum
key agreement algorithm
is very, very important
now because everything
that you say on the internet,
although encrypted right
now, in the future,
with a quantum computer,
someone should be able
to eventually decrypt it
if they have a copy.
ADAM LANGLEY: Oh, sorry, I was
just going to add one point
to that, which is that when
we do these experiments with
post-quantum algorithms-- going
back to how I said that we have
no proof of security for them
or the cryptography we currently
use--
so we combined them
because it's quite possible
that our supposed post-quantum
algorithm might not only
fall to a quantum
computer, it may
fall to a classical computer.
And so when we add
them, we don't replace
the current cryptography.
We augment it, and
run both, and then
mix the outputs together
so that the combination is
as strong as the
weakest of the two.
And therefore, at least, by
using a supposedly, quote,
"quantum algorithm,"
we're at least not
making things any worse.
MELANIE WARRICK: Is
there any specific
resources or places
that you'd recommend
if people are interested
in better understanding
post-quantum security,
post-quantum cryptography,
outside of NIST?
NICK SULLIVAN: I mean,
there are various websites.
For cutting-edge
research, there's
an annual conference called
the PQCrypto conference.
And this is where the
latest and greatest
from the academic
research comes out.
But a lot of this is very,
very new and very ongoing,
and it's rapidly changing.
So every year,
something that was
considered to be post-quantum
secure last year gets broken.
And this is especially
true within this process.
So there's a number of
websites and resources
for getting up-to-date with
post-quantum cryptography.
But I think waiting for the end
of the NIST competition/process
to happen is
probably where people
want to get more involved
and more interested in this,
because otherwise,
you may be overwhelmed
with the rapid rate of change.
I think this is a
resource that someone
needs to build is an
accessible list of links
about joining the post-quantum.
I know there's one website--
Adam, on his website.
ADAM LANGLEY: I wrote an
introduction on lattice-based
once upon a time.
It's a bit narrow, though.
MELANIE WARRICK:
We'll look for that.
And speaking of the
Post-QuantumCrypto conference,
my understanding is
that was last week.
Nick, were you at
that conference?
NICK SULLIVAN: Yeah, I made it
to the Post-Quantum conference
last week, and we saw a bunch
of interesting proposals that
moved the state-of-the-art even
more past the algorithms that
were submitted to
the NIST contest,
which is kind of
surprising, but kind of not.
It was even less
than half a year
ago that the final proposals
were due for the NIST process,
but several of them have been
broken in interesting ways.
Several of them have been
modified in interesting ways.
And there's even brand
new proposals that
have yet to be cryptoanalyzed.
So when you talk about what
the new standards are going
to be for post-quantum
cryptography,
I think what comes through the
first NIST processes are not
going to be the final
ones that people use.
I think there's just so many
different arenas of research
so active right now that we'll
be discovering new algorithms
for a long time going forward.
And from an implementer's
point of view,
this is, perhaps,
frustrating, right?
Because you want to pick a
standard, and stick to it,
and make sure that people
have implemented it
correctly and safely.
I'm looking forward to
more cryptography that's
oriented towards safe and secure
implementation and deployment
as well as security
against quantum machines.
MELANIE WARRICK:
Anything specific
that comes to your mind that
you were most excited to see
or you found most interesting
from that conference?
NICK SULLIVAN: The
main thing that
resonated with me was
the diversity of types
of mathematics
that were involved.
So a field of cryptography
that I hadn't studied very much
is called code-based
cryptography.
And this uses things like
error-correcting codes
to build cryptosystems.
So rather than using
mathematical properties
like prime numbers
and whatnot, it
uses these codes that are
used in communication.
And you can build
cryptosystems on this.
And in fact, one of the first
quantum-resistant algorithms
is based on this type of thing.
So there's cryptography
everywhere.
You can build
interesting cryptosystems
from a lot of different arenas.
And it's just fascinating to
see it all evolve and tumble
together.
So code-based
cryptography, perhaps,
has some issues where you
have encryption failures once
in a while.
So you have these modes
in which cryptography,
as you're used to
it, is supposed
to work 100% of the time.
You lose that in some of
these new constructions.
So I think some of what
is most interesting to me
is cryptographic algorithms
that most closely represent
the intuition that we have
from current cryptography
and that help fit into
our current system
so that people can actually
deploy them and make
use of them on the internet.
MELANIE WARRICK:
Is there something
you think would be
great if we could bring
these types of insights or
this type of expertise that
could potentially help expand
post-quantum cryptography
research?
ADAM LANGLEY: One
of the things I
would like to see
with post-quantum
would be some lessons learned
from earlier cryptography.
A lot of the
cryptography we use today
was developed and
standardized in the 1990s.
And I think there were some
things that, as a world,
we just got wrong there.
We made things that were
overly complicated, and overly
configurable, and difficult
to implement correctly,
and the consequences of that
have not been good, right?
The consequences
of those problems
are bugs and security issues.
And so I think we are now
a lot better at recognizing
these issues and
recognizing, what
is a sensible level
of complexity,
and what are the errors
that implementations
are likely to make?
And then we will
think about, how
do we structure these designs
to avoid these errors?
And so while I
think we're better,
I would most like to see
post-quantum cryptography
really embracing that
more practical concern.
But that has to come down
the road in some cases
because we are still at the
theoretical point in many
of these algorithms.
They're still in development,
and in some cases, quite
rapid evolution.
But if we didn't
repeat the mistakes
of the past in the next
cycle, that'd be very nice.
MARK MANDEL: Adam, Nick, we
are definitely running out
of time, unfortunately,
as much as this
is a great conversation.
So I'd like to say thank
you to you both for spending
time with us and talking
about post-quantum security
and quantum cryptography.
ADAM LANGLEY:
You're very welcome.
MELANIE WARRICK:
Yes, thank you both.
And just to give you a chance,
was there any last things
that you wanted to plug?
NICK SULLIVAN: Keep an eye
on this space, and folks
will be exploring these
quantum-resistant algorithms
more and more in
the coming years.
And don't panic.
MARK MANDEL: Wonderful,
thank you so much.
MELANIE WARRICK:
Thank you again.
Well, thank you, Adam and Nick.
That was very
insightful, and we really
appreciate you
coming on the show
to talk to us about
quantum security.
MARK MANDEL: And
now I actually have
a bit of an idea of
what those words mean.
MELANIE WARRICK:
That's fabulous.
MARK MANDEL: Yeah, I didn't.
I had no idea.
MELANIE WARRICK: Now
we will quiz you.
MARK MANDEL: Please don't do it.
[LAUGHTER]
MELANIE WARRICK: It's
a life-or death matter.
All right, so Mark, the
question of the week.
So you've been
coding in real time
and streaming this
coding experience.
MARK MANDEL: Yes.
MELANIE WARRICK: How do you do
that, if you wanted to do that?
If one would want to do this.
MARK MANDEL: If one
would want to do this?
Not related to
Google Cloud at all,
but possibly still interesting.
So it's actually really
fun and really cool,
and I really like doing it.
And it's remarkably simple.
You can find all sorts
of really great resources
on the internet.
And in fact, I will link
to a particular blog post
that I first read that
I found particularly
useful by someone--
I'm going to probably
mess up their name--
Suz Hinton.
She wrote a blog
post called, "Lessons
From My First Year of
Live Coding on Twitch,"
where they talk all the
way through the tools
and how they do it.
I pretty much lifted
that, and then spoke
to some of my teammates
about how they do it.
But the short
answer is-- so I've
been streaming a [INAUDIBLE]
development-- so doing stuff
with Kubernetes,
basically-- on Twitch.
So Twitch is really
easy to set up.
You can go there, twitch.tv,
and just get an account.
But two pieces to this.
One is getting yourself
a decent microphone
so that you have good audio.
Doing it on your laptop-- bad.
Don't do that.
Blue Yeti will do in a pinch.
Rode Podcasters are
really nice as well.
I've been using the ones
we have that are nice,
expensive mics from the podcast,
so I get the advantage of that.
But the other thing
that you should
use that's really awesome is a
piece of open source software
called OBS Studio.
Runs on Windows, Mac, Linux.
Pretty much everyone uses it.
It's kind of amazing,
actually, what it does.
You can do picture in picture.
You can put your
webcam in one spot,
something else in another,
or switch between scenes.
So I'll show a picture
of my dog while I'm
waiting to get the stream
started, and then switch to me,
and that kind of stuff.
And it'll record locally
and that kind of thing,
too, so that you can push that
video up to YouTube or anything
like that.
OBS Studio is magic.
It's really amazing.
But yeah, other than that,
get yourself on Twitch.
Write some code.
Try and do it on
a regular basis.
And it's pretty
easy to get started.
MELANIE WARRICK:
And if you have any
accounts that you're
working off of--
I know one of the things
we were talking about
is how you should probably
create a fake account
to use while you're coding--
[LAUGHTER]
MARK MANDEL: Yeah,
try not to show things
you're not meant to.
MELANIE WARRICK: --so you're
not showing your account/your
passwords or anything
like that, if possible.
So consider that, also,
when you're working on this.
MARK MANDEL: If you run a
clipboard manager of any kind,
just clear that out before
you start, that kind of stuff.
You can go as far as starting
a whole new browser profile
and that kind of stuff, too.
I may not do that.
[LAUGHTER]
MELANIE WARRICK: And you've
heard it here first, folks.
So if you want to find out
more about Mark's coding--
and we should add
the link to where
you're live coding, as well.
MARK MANDEL: Yeah, yeah.
We should definitely put
that in the show notes.
MELANIE WARRICK:
All right, so Mark,
if anybody wanted to
get in touch with us,
how would they do that?
MARK MANDEL: Oh, that
is a great question!
We haven't done this in a while.
MELANIE WARRICK: Yes.
MARK MANDEL: Cool, all right.
So let's go through the things.
MELANIE WARRICK: If
they want to email us,
they would email us at
hello@gcppodcast.com.
MARK MANDEL: Yep.
If they want to reach out to us
on Reddit, it's r/gcppodcast.
MELANIE WARRICK: If they want to
tweet at us, we're @gcppodcast.
MARK MANDEL: If they want to
reach out to us on Google+,
it's +gcppodcast.
MELANIE WARRICK:
And we're on Slack,
and you can request an invite
to the Google Cloud Slack
community and join
the #podcast channel.
MARK MANDEL: Bit.ly/gcp-slack.
MELANIE WARRICK: Mark, are you
going anywhere anytime soon?
MARK MANDEL: I really am not.
[LAUGHTER]
MELANIE WARRICK: You were
flattened by-- you had GDC.
You had [INAUDIBLE].
Now you're just like--
MARK MANDEL: Yeah, last
year was really busy.
MELANIE WARRICK: Rest
of the year you're just
going to take a nap.
MARK MANDEL: I don't know.
It's going to be fine.
But yeah, you can
find me on Twitch.
I'm on there quite regularly.
And I'll be regularly streaming
at 9:00 AM on Tuesdays.
But follow me on
Twitter and on Twitch
so you can find other
stuff I'm doing.
MELANIE WARRICK: Nice.
MARK MANDEL: And yourself?
MELANIE WARRICK: Well, I'm
not going anywhere else
for the rest of the
month, so I'll be around.
MARK MANDEL: Cool.
Guess it means we
get to hang out more.
MELANIE WARRICK: Oh, no!
[LAUGHTER]
We do have a lot of
interviews coming up.
MARK MANDEL: Awesome.
MELANIE WARRICK:
All right, well.
MARK MANDEL: Melanie, thank
you very much for joining me
for yet another week.
MELANIE WARRICK: Thank you.
MARK MANDEL: And thank
you all for listening.
And we'll see you all next week.
[MUSIC PLAYING]
