# Post-Quantum Cryptography with Nick Sullivan and Adam Langley

Nick Sullivan, and Adam Langley join Melanie and Mark to provide a pragmatic view on post-quantum cryptography and what it means to research security for the potential of quantum computing. Post-quantum cryptography is about developing algorithms that are resistant to quantum computers in conjunction with “classical” computers. It’s about looking at the full picture of potential threats and planning on how to address them using a diversity of types of mathematics in the research. Adam and Nick help clarify the different terminology and techniques that are applied in the research and give a practical understanding of what to expect from a security perspective.

##### Nick Sullivan

Nick Sullivan runs the cryptography team at Cloudflare, an internet security and performance company.

##### Adam Langley

Adam Langley is a Principal Software Engineer at Google, responsible for a variety of cryptography-related efforts.

##### Cool things of the week

- Google IO site & IO Extended Events site
- App Engine Turns 10 blog
- Introducing Stackdriver APM & Stackdriver Profiler blog & article
- Smart Parking story:
- Cloud-native architecture with serverless microservices blog part1
- Implementing an event-driven architecture on serverless blog part2
- What we learned doing serverless blog part3
- Episode 102 Smart Parking and IoT Core with Brian Granatir podcast

##### Interview

- Quantum Computing simple wiki & wiki
- Post-Quantum Cryptography wiki & site
- Chrome post-quantum algorithm experiment 2016 blog & wired article & results
- Imperial Violet by Adam Langley blog
- Post-quantum confidentiality for TLS blog

- Cloudflare Blog by Nick Sullivan blog
- National Institute of Standards and Technology (NIST) site & round 1 submissions
- PQ Crypto Conference site

Additional References / Resources:

- Quantum Cryptography wiki & article
- Quantum Supremacy wiki and arXiv paper
- Lattice-based Cryptography wiki & resources
- RSA algorithm wiki
- Symmetric and Asymmetric (Public key) Encription explanation
- Confidentiality and Integrity explanation
- Schrodinger’s cat wiki
- Shor’s algorithm wiki
- Quest for the Quantum Computer book
- Meet the meQuanics - Quantum Computing Discussions site & podcast

##### Question of the week

How to stream realtime coding?

- Lessons for my First Year Live Coding on Twitch - Suz Hinton blog
- Get a good microphone
- Open Broadcast Software
- Twitch TV
- Mark’s Twitch Site

##### Where can you find us next?

- San Francisco

##### Transcript

show full transcript
**MARK:**
Hi, and welcome to episode number 123 of the weekly "Google Cloud Platform Podcast." I'm Mark Mandel and I'm here with my colleague, as always, Melanie Warrick. How are you doing today, Melanie?

**MELANIE:**
I'm good. How are you doing, Mark?

**MARK:**
I'm slowly still getting over this cold. It's not 100% gone.

**MELANIE:**
A never ending illness.

**MARK:**
Yeah, pretty much. But it's been going around.

**MELANIE:**
But you're hanging in there.

**MARK:**
I am, I am. We have some cool people coming to chat with us today.

**MELANIE:**
We do. We are going to be talking about quantum security, quantum computing security, in particular. And we're talking with Nick and Adam, which will be fun to hear about.

But before we get into that, we'll dive into our cool things of the week. And of course, as always, we have our question of the week that comes at the end, and the question this week is, how do I stream real time when I'm coding? Like, how do I do real time coding?

**MARK:**
I've been doing that, so I might have an answer.

**MELANIE:**
I think you might.

**MARK:**
OK, cool.

**MELANIE:**
Anyway, cool things of the week. Some may have heard of an event called Google IO, and that's coming up May 8th through the 10th. Done it a few times now. It's quite a popular event. That's in Mountain View. Since tickets are out, there will actually be the opportunity if you want to help do extended events. And there's a link we'll provide in the show notes, where you can apply, if you want to, and make it an official thing, and we provide resources on how to stream live the actual event and organize with others who are interested in watching. So yeah, we will include that, and that's coming.

**MARK:**
Yeah. And if you are not local, and you want to go to an extended event, there's a map on the extended event page. It has a huge number of events already set up and ready to go. So if you don't want to go to all the trouble of setting something up, then it's probably one you can already go to.

**MELANIE:**
You can go to someone else's that sounds like a good one.

**MARK:**
Yeah, exactly.

**MELANIE:**
All right, and we also want to announce, apparently, App Engine turned 10.

**MARK:**
Yeah. So there's a really great blog post on the Google Cloud blog, just reflecting on our 10 year App Engine journey.

**MELANIE:**
Looking back.

**MARK:**
Looking back in time.

**MELANIE:**
All the memories.

**MARK:**
Yeah, this is your life.

**MELANIE:**
And how do you feel about that?

**MARK:**
Yeah, exactly. So actually, they've got a really nice, little interactive image that you can click on and see, at different times, sort of big highlights about fun things. I did not know this. I'm just clicking on it now. 2011, William and Kate's royal wedding website on GAE.

**MELANIE:**
Hey.

**MARK:**
Did not know that.

**MELANIE:**
We're part of the wedding somehow. That's awesome.

**MARK:**
So yeah, have a quick read. It's a nice nostalgia.

**MELANIE:**
Cool. The other cool of the week is that we wanted to mention how Stackdriver APM and Stackdriver Profiler are our two new products that we have out there as part of the Stackdriver Suite. So the Stackdriver APM is using Stackdriver Trace and Debugger. And they've put that together in the APM tooling to allow you to debug applications while they're running production without impacting user experience in any way, which is huge, and always is a challenge that you're up against, especially in the DevOps space.

But the new tool in this is the Stackdriver Profiler, and that's letting you profile and explore how your code actually executes in production to optimize performance and reduce cost of computation. There is one other thing, too, that we're going to include in the blog post on this. There's an integration between Stackdriver Debugger, and GitHub Enterprise, and GitLab. And so that's adding to their existing code, mirroring functionality for GitHub, Bitbucket, Google Cloud Repositories, as well as locally-stored source code.

So lots of great functionality for profiling and debugging and solving issues that you have in your production environment, in your code, which is always necessary and much needed, especially in distributed environments.

**MARK:**
Yeah, and the Profiler makes pretty flame graphs.

**MELANIE:**
Ooh, yay.

**MARK:**
Pretty flame graphs, yeah. That's what's important.

**MELANIE:**
I know, and they got a nice example of it in the post.

**MARK:**
Nice. So I've got a series of blog posts, actually, which I think are really nice. If you remember back to November of last year, we did a wonderful episode on Smart Parking and IoT Core with Brian Granatir. He talked all about event-driven systems and using Cloud functions, and Pub/Sub and Datastore, and BigQuery, and all that stuff.

So he has written, and we've published on the Google Cloud blog, a three-part series, where he goes way into the weeds on all the technical stuff that they have done at Smart Parking to create this system, and how it's all running, and that stuff. And if you listened to the podcast previously, it is definitely written in a Brian Granatir style. I can hear his voice all the way through it, which means it's fun and exciting and a really good read.

**MELANIE:**
Yes, definitely agree. All right, Mark. Let's go talk with Adam and Nick.

**MARK:**
Let's do it.

**MELANIE:**
All right, on this week's podcast, we are excited to have Nick Sullivan, who's from Cloudflare, and Adam Langley, who works on Chrome. We're going to talk about post-quantum security, or post-quantum cryptography.

Thank you, guys, for joining.

**ADAM:**
You're very welcome.

**NICK:**
Yeah, thanks for having us.

**MELANIE:**
So Adam and Nick, can you take a minute and tell us a little bit more about yourself and what you work on? Nick, why don't you start.

**NICK:**
Sure. So I work at Cloudflare, which is a service that helps protect websites and accelerate them, as well as any sort of service that's on the web, and I'm responsible for the cryptography team. So we look into different cryptographic technologies to help protect traffic between folks who are browsing the internet and websites and web services that they're going to be visiting. This means making sure that it's confidential, making sure that this data is authenticated.

**MELANIE:**
Great.

**ADAM:**
I'm Adam Langley. So I manage the team at Google, who is responsible for most front-end cryptography. So that means cryptography between Google servers and its uses. And mostly, we work in Chrome and, obviously, on our servers, and then also dipping in occasionally to Android, and wherever around the company that we can be useful.

**MELANIE:**
Nice. And so, I know, Adam, Nick and you have worked a little bit in the past together and have worked from the security standpoint. For today's interview, of course, we're diving more specifically into quantum and post-quantum security. Can you guys give us a little bit of an understanding of what is quantum computing, before we dive into the security element of it?

**ADAM:**
So computing, as we have known it for decades now, since Turing's time, has all been based on classical physics, more or less, although down at the very depths of how a CPU is made, there are quantum effects. What we're trying to build is a computer that deals with 1's and 0's. And you could have worked out, in theory, how these computers work in the 1800s, if you wanted.

A quantum computer is a computer that's obviously not just made in the quantum universe, but uses effects of quantum physics. And it's difficult to convey quite what that means, but there are certain problems where the ability in quantum physics to have states that are a mixture of 1's and 0's, and to use the fact that, in quantum physics, probabilities are the square roots of sums of squares, rather than the sums and things, where those abilities allow you to solve some problems significantly faster, and many problems quite a lot faster.

**MELANIE:**
Nice. Nick, was there anything you wanted to add?

**NICK:**
Yeah. So quantum computing is something that involves, as Adam said, quantum physics and quantum interactions. And the more classical way of thinking about this is you know the idea of Schrodinger's cat, where you have a cat. It's inside an enclosed region, and it can be in a superposition of, is the cat alive, or is the cat dead? So because you can't see it and you can't interact with it, quantum effects allow multiple states of being to exist simultaneously. And the first time that you actually interact with it or look at it, it immediately crystallizes as one specific state, whether the cat is alive or the cat is dead.

So this idea of interactions between superpositions of different states is one of the key components of quantum computing. And it's not something that you can do classically with bits-- 1's and 0's-- as Adam mentioned. Classical computers involve a whole series of ons and offs, and then they can interact together with one on turns another one off, turns another one on. And you can build classical math with this. You can add things by representing numbers in binary.

With quantum computers, or quantum computing, you can do something slightly more complex, which is you can have switches that are both on and off simultaneously and intertwined in a way that, once you finally look at it or interact with it, it gets stabilized and crystallized in one specific state.

**MARK:**
Adam, you said something interesting. You said quantum computing allows you to solve certain problems faster. Why is that?

**ADAM:**
So there's one, let's say, set of problems where quantum computing essentially gives you a square root speed up. So the classical example here is unstructured search. If you have an unordered list of numbers and you want to find a number, in a classical world, the only thing you can do there is look through the numbers one by one, and you expect to find what you're looking for, on average, in half the numbers you have.

Now, with a quantum computer, somewhat mind-bendingly, you can do it in only the square root of the numbers you have. And I have no good way to give an intuitive explanation of why that is so, but it involves the way that probabilities evolve. Probabilities in the quantum world are always squared.

So in a classical world, if you check one number, you expect a 1 over n chance of having found the one you're looking for. And in a quantum world, you get a 1 over square root of n chance each time you look. And so, in a quantum world, once you've looked at the square root of n, then you've got a fraction that's approaching 1. And it is important that you solve exponential problems faster than exponentially. So the square root of 2 to the n is still an exponential problem.

However, there is a set of problems where they're not exponential problems, but we don't-- well, some of them are-- we don't know any classical, efficient way to solve them. But we do know an efficient way to solve them on quantum computers. And the effects there is much bigger than the square roots. It's going from a small exponent, say, to just a polynomial.

And so, for these problems, quantum computers make a huge difference. And unfortunately, that sort of problems includes all the problems on which we base public key cryptography on today.

**MELANIE:**
Part of the reason why we wanted to do this discussion was because we know quantum computing is becoming more mainstream, in terms that people are aware of it, and then they hear, well, that's going to break all the codes once we've achieved it. So the question on many people's minds is, what are the security issues? What's the reality of quantum computing?

**NICK:**
Yeah. So one thing that people think about when you talk about quantum computing is, wow, you have all these bits and you can do an infinite number of things together at once and compute these massively difficult problems that you can't normally do. This actually is not the case. Quantum computing is useful for speeding up a very small set of problems, one of which is searching through an unordered list. Others would be simulating quantum interactions. So if you're in physics and you want to understand how different photons interact together, quantum computing is an interesting way to simulate that.

And the other one is, interestingly enough, factoring numbers. So if you have a number and you want to know what the prime factors are, what quantum computers allow you to do via an algorithm called Shor's algorithm. We don't have to go into it, but it allows you to take a big number and find out what its prime factors are quickly. It also is useful for related problems around that field.

But the interesting part is that factoring numbers and being able to do what's called a discrete logarithm, which is almost equivalent to factoring numbers, lets you break almost all modern cryptography. You have a big enough quantum computer that has enough bits that you can intertwine together. You can actually take any modern cryptographic algorithm that we use and figure out what the key is.

So this is somewhat scary, you could say, to how we communicate online and how we share information. Cryptography is pervasive. If you're accessing Gmail, or you're accessing any sort of website on the internet, or sending chats to your friends, we use modern cryptography all the time for this. So with a sufficiently large quantum computer, there's risks that this cryptography can be undone.

**MELANIE:**
So should we be panicking about security?

**ADAM:**
No.

**MELANIE:**
I'm pretty much trying to lead to that answer. So don't panic.

**ADAM:**
There may be a deep reason why quantum computing causes us so many problems. We've based our cryptography on problems that we don't have enough structure to solve efficiently with classical computers, but they have enough structure to be quick and to be small. And so we've huddled up against this boundary of what we could previously solve efficiently. And now quantum computers are moving that boundary out a little bit. So there's two reasons in which we shouldn't panic.

Firstly, discussions like-- many groups are now building quantum computers, small quantum computers, but quantum computers none the less. They have quite high error rates. It's very difficult to build a quantum computer because the rest of the universe tends to leak in and cause decoherence and messes up your quantum states and everything goes wrong. And when that happens, the quantum computer will produce the wrong answer.

And so the error rates we have at the moment are quite high. We believe that, given enough quantum bits with a low enough error rate, we can run error correcting codes, and so produce a theoretically perfect quantum bits out of real quantum bits. But it takes a lot of them. So it is not the case that, if you see that some group has a quantum computer with some dozens of bits, then, once that number reaches 2,048 or some other number you may have heard of relation to cryptography, that everything is gone and broken. It depends on the technology, but perhaps 100,000 to a million raw qubits to make just one functional one.

**MELANIE:**
Is that quantum supremacy that you're referencing? I've heard that term before, in terms of number of bits.

**NICK:**
Quantum supremacy is sort of an artificial concept. Quantum supremacy is the idea that there is an algorithm out there that a quantum computer can demonstrably solve faster than a classical computer. And we haven't hit that point yet. And as I mentioned earlier, some of the more interesting ideas of things you want to do with quantum computers involve simulating physics situations.

And so the target that people have for quantum supremacy is this algorithm called sampling, where you take a lot of bits and you scramble them up together, and they supposedly represent a certain random, but structured random association of probabilities. And once you actually look at them, they decohere and you say, OK, this fits a specific distribution, whether it's a Gaussian distribution or a poisson distribution, or something like that, some statistical representation.

So the idea is that the first time that you can get to a point where a quantum computer can simulate a random pattern, or a random distribution, faster than a classical computer, then it's somewhat supreme. There's some type of supremacy. So that's the idea of when a quantum computer can beat a classical computer at one specific point.

This is not really related to cryptography. These problems that people solve with quantum supremacy, or to demonstrate quantum supremacy, are really niche problems that aren't really applicable to breaking modern cryptography. So even if this were to happen next year, or in the next five years, it wouldn't cause the collapse of our financial system or everyone to lose their privacy. It really takes a lot more to find the point in which cryptography can be broken.

**MELANIE:**
That's great to hear. And Adam, I know you were saying that the error rate is really high, so that's why this is not as much of a concern. Was there anything else that you wanted to add around that, in terms of why quantum computing is still far off in the distance for us for breaking all the codes?

**ADAM:**
I mean, I think we've chatted about how hard it is to build these quantum computers, and how important it is to consider the error rates, and don't just think that n bit quantum computer is going to be able to solve n bit problems. There's a huge difference between raw physical qubits and the theoretical qubits that we want to build out of many, many raw ones.

And the second reason for don't panic is that-- I said that we have huddled against this border of what we can solve and how much structure we put in our problems to make them efficient. We can back away from that border a bit and we can still have cryptography that is robust in the face of a quantum adversary. And we don't need to resort to what is called quantum cryptography to do that.

So quantum cryptography is putting expensive boxes of optics on the end of fiber optic cables and using quantum phenomenon to guarantee confidentiality, and so forth. And that's exciting, interesting, but it's not what Nick and I are looking at, because we're not going to have dedicated fiber optic links between everything on the internet. We'd like to be able to use the internet we've got. And we can do that. We can use different problems of public key cryptography that resists quantum computers. And it's just normal software that runs on normal computers and runs over the internet, as we know and love it.

**MELANIE:**
Great. So in terms of quantum security, what are you looking at? What are the things that you're assessing when you think about long-term, what this looks like?

**NICK:**
Right now, as I mentioned, a lot of cryptography is based on these number theoretic algorithms, like factoring. So RSA, this is the standard way that cryptography has been done. This was the first algorithm for public key cryptography since 1977. And RSA involves these numbers that you scramble up and can encrypt to another person, and that person can decrypt it. So being able to break this requires you to factor large numbers.

With quantum computers, it is potentially possible to do this. So RSA becomes something that's less safe if there are large scale quantum computers. And whether that's going to happen in the next 10 or 15 years, we don't really know. There's some very small quantum computers that are happening right now, but they can't necessarily break something like RSA.

So one thing that we're looking at, as Adam mentioned, is different cryptographic algorithms that are potentially resistant to the types of things that quantum computers can do. So quantum computers, as we mentioned, only have a few things that they can do better than classical computers. In actuality, some computations are actually worse than regular classical computers.

So what we're looking at right now is finding algorithms that are resistant to these quantum computers, or that are resistant to all known quantum algorithms, as well as being resistant to the classical traditional computers. As the years progress, computers still get faster. Computers get stronger. People figure out better algorithms to solve classical things.

So this class of algorithms, to do cryptography that is resistant to quantum computers, is called post-quantum cryptography. And many folks around the world are looking at actually how to figure out what the right post-quantum cryptography algorithms are. And there are several different possibilities in different fields of research and mathematics that have promising answers for what a quantum resistant, or post-quantum cryptography algorithm would look like.

**MELANIE:**
And you told me about NIST, which I know is running this large scale assessment. Is it a competition that they're doing, the National Institute of Standards and Technology?

**ADAM:**
So NIST referred to it as a process. So NIST is a US government body, which have been involved in standardizing cryptography for a long time. They standardized PSTAR and AES, and a number of other acronyms that people would have heard of if they're paying attention in this space. So they're currently running what they call a process, and they call it a process to distinguish it from a competition, I think, because they expect to have more than one "winner," in quotes, i.e. they will be selecting a portfolio of possibilities. And they have a timeline that stretches out, I don't recall precisely, but some five or six years from now.

So they invited groups around the world to submit proposals. And that the end of 2017, there were-- I'm not sure-- like close to 70 proposals submitted from different groups for candidate post-quantum algorithms. And NIST has published, all of these. And so people are now going through these round 1 submissions and breaking some of them, and analyzing others, and whittling them down a little bit. And then, at some point, NIST will publish the shortlist for round 2, and that will continue for a few years to come.

**MELANIE:**
That's great. And in terms of this process, do you use some of the algorithms that you see coming from NIST in experiment with them?

**ADAM:**
Chrome, in 2016, did do an experiment with one post-quantum algorithm. So if you used Chrome in 2016, you may well have used a post-quantum algorithm when connecting to Google servers. And we did that both to raise the profile of this subject in general, and also to check the viability.

It appears consequences of post-quantum algorithms is that they will be less efficient, either in terms of speed or in terms of size. And we had simply never tried running a key agreement algorithm that large over the internet. And the internet is very complicated. You don't always know what's going to happen. And so we did this experiment. It looks at latency impacts and impacts on error rates, and it all went pretty well.

**MARK:**
So you actually touched on one small thing, but I'd love to learn more about, what are the characteristics, or the differences between what's current cryptography and what cryptography would look like in a post-quantum world?

**NICK:**
Cryptography right now uses several different primitives that provide different security features. There is symmetric cryptography. This is cryptography in which both parties already have the same key and you are making sure that the data is confidential so that only the person with the exact same key can decrypt it. This is symmetric encryption.

There's also something called integrity that you can add on top of that. Message authentication codes, MACs, are one of those. And this also requires symmetric keys. So both people have the exact same keys. So you can send information across the internet or across any untrusted medium. As long as both parties have the same key, you can communicate.

Now, these keys nowadays are around 128 bits long. That's considered to be the smallest possible key that will give you a long-term amount of security in a post-quantum world because of the square root level advances in being able to search through a list. The only real difference is that these keys go from 128 bits to 256 bits. So this is something that we're used to and this is something that we can do.

The bigger differences come in these so-called asymmetric algorithms, the ideas of public key encryption-- RSA that I mentioned. These allow you to, as an individual, have a private key as well as a public key. And your public key is shared with the world and anyone can encrypt data so that only you can decrypt it using your public key. So you take data, you take the public key, you scramble up the data, and only the person with the associated private key can decrypt it.

Similarly, there's the idea of digital signatures, where you can take that private key and associate it with a piece of data so that anyone in the world with your public key can then verify that only the person with the private key was able to digitally sign that data. So these both provide ways for folks to agree on symmetric keys. So you go from public key, asymmetric cryptography, to sharing a key and being able to communicate across the internet.

Each one of these different pieces, whether it's symmetric key cryptography, whether it's digital signatures, or public key cryptography, has a quantum resistant post-quantum component to it. And as Adam mentioned, these typically do not have the same performance characteristics, in terms of computing. So it's either going to cost a lot more of CPU to compute these operations, so it might take milliseconds longer than it would usually, or the key sizes are much bigger.

And as I mentioned, symmetric keys have a 128-bit key size. They go up to 256. Typically, right now for public key cryptography, if you're using a elliptic curves, which is very popular, you have 256-bit numbers. RSA, it's about 2,000 48-bit numbers. When you're talking about post-quantum cryptography, these keys can get up into the 10,000-bits range, or for some NIST proposals, the 100,000-bit ranges. And for some joke NIST proposals, you can have to use as large as a terabyte.

**MELANIE:**
How does one test for quantum computing when the quantum computers are still in development?

**ADAM:**
So as in theory, essentially, it is the case that all of our classical cryptography, we don't know that there aren't efficient algorithms to break it on a classical computer. Our only basis for believing that there aren't is that we've looked real hard and we've never found one. And so it remains with quantum computers.

So Peter Shor was able to come up with Shor's algorithm for factoring long before any quantum computer existed, because we know, in theory, the physics. And so we can theorize about, given this problem, can we come up with a quantum algorithm that efficiently solves it? And if the answer is no, then we hypothesize that it is post-quantum secure.

But just like classical cryptography, we have no proof that there isn't an efficient algorithm out there that nobody's just found yet. But that's a situation we're relatively comfortable with because it's always been that way.

**MELANIE:**
Interesting. You had listed that you're interested in diving into a little bit is-- what is the difference between confidentiality versus authenticity?

**NICK:**
So this is also a very important point, when speaking about the different types of things that cryptography provides. I mentioned asymmetric cryptography is sending a message and making sure that only the person that it's intended for can decrypt it. This is confidentiality. This is how you keep your information confidential.

The other piece is integrity, which is, how do you make sure that someone didn't change that message? Even if they didn't see what it was, how are you sure that this messages in the right order, that it's exactly the message that the person sent? And in a scenario where somebody is trying to attack your cryptography, these have different timelines.

So if you have the ability to break an integrity algorithm, if someone's already sent the message, that doesn't really help you. If someone's already received the message, it doesn't help you at all, because the message is sent. It's been received, it's been checked. So if you have the ability to break integrity, you have to be there right now and intercepting communication and changing it and modifying it before it gets to the person that you're talking to.

When it comes to confidentiality, you have to be prepared for attackers in the future. So if you're communicating with someone right now and saying something that you want to be secure for 30 years, and you're sending it over an insecure channel, then you want to make sure that the confidentiality algorithm that you're using is going to be able to not be broken for those 30 years.

So sometime in the future, if someone's collected it, they break that algorithm, they can reveal what it is you said. And this is actually the more pressing point for quantum cryptography. If we're talking right now about digital signatures, it's not so important that we get a digital signature right now, with respect to quantum security. Because in the next five years, or the next 10 years, there's not going to be a large scale quantum computer. But in the next 25 years or the next 30 years, there's potentially a chance. Technology moves rather quickly and 25 years is a long time.

So the main focus of what the Chrome's experiment was and what we're looking at right now for post-quantum cryptography is, how do we do this key agreement? How do we make sure that the confidentiality of communication is actually quantum-resistant? So having a post-quantum key agreement algorithm is very, very important now. Because everything that you say on the internet, although encrypted right now, in the future, with a quantum computer, someone should be able to eventually decrypt it if they have a copy.

**ADAM:**
Sorry. I was just going to add one point to that, which is that, when we do these experiments with post-quantum algorithms, going back to how I said that we have no proof of security for them, or the cryptography we currently use, we combine them. Because it's quite possible that our supposed post-quantum algorithm might not only fall to a quantum computer, it may fall to a classical computer.

And so when we add them, we don't replace the current cryptography. We augment it and run both, and then mix the outputs together so that the combination is as strong as the weakest of the two. And therefore, at least by using a supposedly post-quantum algorithm, we're at least not making things any worse.

**MELANIE:**
Is there any specific resources or places that you'd recommend if people are interested in better understanding post-quantum security, post-quantum cryptography outside of NIST?

**NICK:**
I mean, there are various websites. For cutting edge research, there's an annual conference called the PQCrypto Conference, and this is where the latest and greatest from the academic research comes out. But a lot of this is very, very new and very ongoing. And it's rapidly changing. So every year, something that was considered to be post-quantum secure last year, gets broken. And this is especially true with the NIST process.

So there's a number of websites and resources for getting up-to-date with post-quantum cryptography. But I think waiting for the end of the NIST competition/process to happen is probably where people want to get more involved and more interested in this, because, otherwise, you may be overwhelmed with the rapid rate of change. I think this is a resource that someone needs to build, is an accessible list of links about joining the post-quantum. I know there's one website, Adam, on his website.

**ADAM:**
I wrote an introduction on lattice-based once upon a time. It's a bit narrow, though.

**MELANIE:**
We'll look for that. And speaking of the post-quantum crypto conference, my understanding is that was last week. Nick, were you at that conference?

**NICK:**
Yeah, I made it to the post-quantum conference last week and we saw a bunch of interesting proposals that move the state-of-the-art even more past the algorithms that were submitted to the NIST contest, which is kind of surprising, but kind of not. It was even less than half a year ago that the final proposals were due for the NIST process. But several of them have been broken in interesting ways. Several of them have been modified in interesting ways. And there is even brand new proposals that have yet to be cryptoanalyzed.

So when you talk about what the new standards are going to be for post-quantum cryptography, I think what comes through the first NIST processes are not going to be the final ones that people use. I think there's just so many different arenas of research so active right now that we'll be discovering new algorithms for a long time going forward.

And from an implementer's point of view, this is, perhaps, frustrating, right? Because you want to pick a standard and stick to it and make sure that people have implemented it correctly and safely. I'm looking forward to more cryptography that's oriented towards safe and secure implementation and deployment, as well as security against quantum machines.

**MELANIE:**
Anything specific that comes to your mind that you're most excited to see or you found most interesting from that conference?

**NICK:**
The main thing that resonated with me was the diversity of types of mathematics that were involved. So a field of cryptography that I haven't studied very much is called code-based cryptography. And this uses things like error correcting codes to build cryptosystems. So rather than using mathematical properties, like prime numbers and whatnot, it uses these codes that are used in communication. And you can build cryptosystems on this. And in fact, one of the first quantum-resistant algorithms is based on this type of thing.

So there's cryptography everywhere. You can build interesting cryptosystems from a lot of different arenas. And it's just fascinating to see it all evolve and tumble together. So code-based cryptography perhaps has some issues where you have encryption failures once in a while. So you have these modes in which cryptography, as you're used to it, is supposed to work 100% of the time. You lose that in some of these new constructions.

So I think some of what is most interesting to me is cryptographic algorithms that most closely represent the intuition that we have from current cryptography, and that help fit into our current system so that people can actually deploy them and make use of them on the internet.

**MELANIE:**
Is there something you think would be great if we could bring these types of insights, or these types of expertise, that could potentially help expand post-quantum cryptography research?

**ADAM:**
One of the things I would like to see with post-quantum would be some lessons learned from earlier cryptography. A lot of the cryptography we use today was developed and standardized in the 1990s. And I think there were some things that, as a world, we just got wrong there. We made things that were overly complicated and overly configurable and difficult to implement correctly. And the consequences of that have not been good, right? The consequences of those problems are bugs and security issues.

And so I think we are now a lot better at recognizing these issues and recognizing, what is a sensible level of complexity and what are the areas that implementations are likely to make? And then we think about, how do we structure these designs to avoid these errors? So while I think we're better, I would most like to see post-quantum cryptography really embracing that more practical concern.

But that has to come down the road, in some cases, because we are still at the theoretical point in many of these algorithms. They are still in development, and in some cases, quite rapid evolution. But if we didn't repeat the mistakes of the past in the next cycle, that would be very nice.

**MARK:**
Adam, Nick, we are definitely running out of time, unfortunately, as much as this a great conversation. So I'd like to say thank you to you both for spending time with us and talking about post-quantum security and quantum cryptography.

**ADAM:**
You're very welcome.

**MELANIE:**
Yes, thank you both. And just to give you a chance, is there any last things that you wanted to plug?

**NICK:**
Keep an eye on this space, and folks will be exploring these quantum-resistant algorithms more and more in the coming years. And don't panic.

**MARK:**
Wonderful. Thank you so much.

**MELANIE:**
Thank you again. Well, thank you, Adam and Nick. That was very insightful and we really appreciate you coming on the show to talk to us about quantum security.

**MARK:**
And now I actually have a bit of an idea of what those words mean.

**MELANIE:**
That's fabulous.

**MARK:**
Yeah, I had no idea.

**MELANIE:**
Now we will quiz you.

**MARK:**
Please don't do that.

**MELANIE:**
It's a life or death matter. All right, so Mark, the question of the week. So you've been coding in real time and streaming this coding experience. How do you do that, if you wanted to do that, if one would want to do this?

**MARK:**
If one would want to do this?

**MELANIE:**
Yes.

**MARK:**
Not related to Google Cloud at all, but possibly still interesting. So it's actually really fun and really cool and I really like doing it, and it's remarkably simple. You can find all sorts of really great resources on the internet and, in fact, I will link to a particular blog post that I first read that I found particularly useful by someone. I'm going to probably mess up their name-- Suz Hinton. She wrote a blog post called "Lessons From My First Year of Life Coding on Twitch," where they talk all the way through the tools and how they do it. I pretty much lifted that and spoke to some of my teammates about how they do it.

But the short answer is I've been streaming and growing this development, so doing stuff with Kubernetes, basically, on Twitch. So Twitch is really easy to set up. You can go there, twitch.tv, and just get an account. But the real two pieces to this. One is getting yourself a decent microphone so that you have good audio. Doing it on your laptop, bad. Don't do that. Blue Yeti will do it in a pinch. RODE Podcasters are really nice as well. I've been using the ones we have that are nice, expensive mics from the podcast, so I get the advantage of that.

But the other thing that you should use that's really awesome is a piece of open source software called OBS Studio. Runs on Windows, Mac, Linux. Pretty much everyone uses it. It's kind of amazing, actually, what it does. You can do picture in picture. You can put your webcam in one spot, something else in another, switch between scenes. So I'll show a picture of my dog while I'm waiting to get the stream started, and then switch to me, and that kind of stuff. And it'll record locally, and that kind of thing, too, so that you can push that video up to YouTube, or anything like that. OBS Studio is magic. It's really amazing.

But other than, that get yourself on Twitch. Write some code. Try and do it on a regular basis, and it's pretty easy to get started.

**MELANIE:**
And if you have any accounts that you're working off of, I know one of the things we were talking about is how you should probably create a fake account to use while you're coding.

**MARK:**
Try not to show things you're not meant to.

**MELANIE:**
So you're not showing your account/your passwords, or anything like that, if possible. So consider that, also, when you're working this.

**MARK:**
If you run a clipboard, like a clipboard manager of any kind, just clear that out before you start, that kind of stuff. You can go as far as starting a whole new browser profile, and that kind of stuff, too. I may not do that.

**MELANIE:**
And you've heard it here first, folks, so if you want to find out more about Mark's coding. And we should add the link to where you're live coding as well.

**MARK:**
Yeah, yeah. We should definitely put that in the show notes.

**MELANIE:**
So Mark, if anybody wanted to get in touch with us, how would they do that?

**MARK:**
That is a great question. We haven't done this in a while.

**MELANIE:**
Yes.

**MARK:**
Cool. All right, so let's go through the things.

**MELANIE:**
If they want to email us, they would email us at hello@gcppodcast.com.

**MARK:**
Yup. If they want to reach out to us on Reddit, it's /r/gcppodcast.

**MELANIE:**
If they want to tweet at us, we're @gcppodcast.

**MARK:**
If they want to reach out to us on Google+, +gcppodcast.

**MELANIE:**
And we're on Slack, and you can request an invite to the Google Cloud Slack community and join the hashtag podcast channel.

**MARK:**
Bit.ly/gcp-slack.

**MELANIE:**
Mark, are you going anywhere anytime soon?

**MARK:**
I really am not.

**MELANIE:**
You were like flattened by the-- you had GDC. You had [? Gigatas. ?] Now, you're just like--

**MARK:**
Last year was really busy.

**MELANIE:**
Rest of the year, you're just going to take a nap.

**MARK:**
I don't know, it's going to be fine. But yeah, you can find me on Twitch. I'm on there quite regularly, and I'll be regularly streaming at 9:
00 AM on Tuesdays. But follow me on Twitter and on Twitch so you can find other stuff I'm doing.

**MELANIE:**
Nice.

**MARK:**
Yourself?

**MELANIE:**
Well, I'm not going anywhere else for the rest of the month, so I'll be around.

**MARK:**
Cool. I guess it means we get to hang out more.

**MELANIE:**
Oh no. We do have a lot of interviews coming up. All right, well.

**MARK:**
Melanie, thank you very much for joining me for yet another week.

**MELANIE:**
Thank you.

**MARK:**
And thank you all for listening and we'll see you all next week.

##### Hosts

Mark Mandel and Melanie Warrick

##### Continue the conversation

Leave us a comment on Reddit