Microsoft Research Podcast - 038 - Cryptography for the Post-Quantum World with Dr. Brian LaMacchia
Episode Date: August 22, 2018

You know those people who work behind the scenes to make sure nothing bad happens to you, and if they're really good, you never know who they are because nothing bad happens to you? Well, meet one of those people. Dr. Brian LaMacchia is a Distinguished Engineer and he heads up the Security and Cryptography Group at Microsoft Research. It's his job to make sure – using up-to-the-minute math – that you're safe and secure online, both now, and in the post-quantum world to come. Today, Dr. LaMacchia gives us an inside look at the world of cryptography and the number theory behind it, explains what happens when good algorithms go bad, and tells us why, even though cryptographically relevant quantum computers are still decades away, we need to start developing quantum-resistant algorithms right now.
Transcript
we still don't really have big quantum computers.
We have very tiny toy ones.
But from being able to demonstrate theoretically
that if a new fundamental model of computation showed up,
that it would change all of our assumptions,
that's yet another example of how we have to constantly think about
what an attacker has available.
And if the attacker's resources all of a sudden change,
that means they can do more.
You're listening to the Microsoft Research Podcast,
a show that brings you closer
to the cutting edge of technology research
and the scientists behind it.
I'm your host, Gretchen Huizenga.
You know those people who work behind the scenes
to make sure nothing bad happens to you?
And if they're really good, you never know who they are because nothing bad happens to you?
We'll meet one of those people.
Dr. Brian LaMacchia is a distinguished engineer,
and he heads up the security and cryptography group at Microsoft Research.
It's his job to make sure, using up-to-the-minute math,
that you're safe and secure online,
both now and in the post-quantum world to come.
Today, Dr. LaMacchia gives us an inside look at the world of cryptography and the number
theory behind it, explains what happens when good algorithms go bad, and tells us why,
even though cryptographically relevant quantum computers are still decades away, we need to start developing quantum-resistant algorithms right now.
That and much more on this episode of the Microsoft Research Podcast.
Brian LaMacchia, welcome to the podcast.
Thank you. Pleasure to be here.
You're a distinguished engineer at Microsoft Research, and you head the security and
cryptography team here, which you've called the company's center of excellence for cryptography.
What does your group do? What are the big questions you're asking,
the big problems you're tackling? What gets you up in the morning?
We started a decade ago as a little cryptographic tools team looking for places within the corporate research and development group where we could add value.
And we tackled security problems and cryptographic problems for what was then grid computing and became cloud computing, our data centers and security problems all over the place.
But for the last three years, we've been focused on this
primary work on the upcoming threat of quantum computers, if they're successful. But then we
also do work on other security problems. We spend a lot of time working on the security of Internet
of Things devices, and how do we make sure that devices inside your home can't be manipulated.
We also, I have a member of my team who spends a lot of time on election security,
and how do you do verified voting, and how can we bring the best in cryptographic research
to end-to-end verifiable elections. Well, let's do a little bit of a level set as we start here
about the field of cryptography. Can you give us a brief history of cryptography?
So cryptography is the science of data encryption, and it actually goes back to
ancient times. We know that the Romans used very simple forms of ciphers. The Caesar cipher was
used to send information around. And cryptography traditionally was in the military field. And for
the longest time, it was what we call in the field symmetric key cryptography.
That is, if you and I wanted to exchange secret messages, we would agree on a secret password or
a configuration of a mechanical device or something that we used to perform encryption. And then I
would use that secret to encrypt information to you. You would get the ciphertext, the encrypted
information, and you'd use that same secret to decrypt it. So we have the same symmetric shared secret key. And of course,
in the 20th century, cryptography started being used more and more to protect wireless
communications, right? To protect radio. This is most famously was used in World War II
by all sides to protect radio communications. And your listeners probably
all know the story of the German Enigma machine, which was a mechanical encryption device,
which was broken. Initial research done by Polish mathematicians, and then it moved to
Bletchley Park, and the British did a whole bunch of work under Turing and broke the Enigma and
therefore learned information in secret about encrypted communications.
All of that's within the realm of the shared key model. And then there was a breakthrough
for what was called public key cryptography. And the difference in public key is each of us who
wants to communicate has a pair of keys that are mathematically related, a private key and a public key. And one of those
keys you can release to the world. So if I want to encrypt something to you, I go get your public
key and I encrypt it to your public key. I can't decrypt it with your public key. You can decrypt
with your private key that matches mathematically. And the same is true for me. And there's a variant
of that, which is the digital
signature problem, which is I can use a private half to digitally sign a message that anybody can
verify it could have only come from me. And we use both of those technologies today. Every time you
open a secure connection in your browser to a website, and it's an HTTPS connection, you're doing an encryption
digital signature operation. So no nefarious characters can learn your credit card number
or the email you're typing if you're talking about web email, something like that.
Let's talk about algorithms. Most people take them for granted and may even be blithely unaware that
algorithms are running their lives right now in many, many ways. And I bet if you asked anyone on the street, does math have an expiration or sell-by date, or can an algorithm go
bad? They'd just look at you like you're strange. But you've said all cryptographic algorithms
weaken, degrade, or break over time. That's correct. Talk about that. Okay. So unlike many
other parts of computer science and computer programming, cryptographic algorithms, which are number theory at their heart, naturally degrade over time as we learn more about what an attacker has to put in to break an algorithm.
And as we learn more over time, the security level decreases.
And algorithms that we think are okay today are not okay tomorrow.
And that's really important when you're writing an application or a security protocol or a computer system to understand that the algorithms you're dependent upon today are going to have to change
and you can't just use them for the future. It doesn't necessarily have a sell-by date on it,
but we are constantly trying to predict what an attacker can do. And sometimes it's just more
compute power being available. And sometimes there's an academic result that all of a sudden
changes our understanding of number theory.
I guess the other thing to add is sometimes we get a prediction of when an algorithm is
going to break.
Like we will see a series of work done in academia where the attacks will come along
and they will make further and further progress until something breaks catastrophically.
Sometimes we don't get a heads up.
I can give you two stories on that if you'd like. I would. Okay. I like stories and I
bet our listeners do too. Okay. So a cryptographic hash function is a function that takes any amount
of input and hashes it down to a fixed digest size. And for a long time, we used one called MD5,
which was invented by Ron Rivest, Professor Rivest at MIT, the R in the RSA algorithm.
And we all thought it was secure.
And in 2004, at the annual CRYPTO conference in the U.S., Professor Xiaoyun Wang from China got up and demonstrated two messages that had the same MD5 hash value.
And you're not supposed to ever be able to do that.
And she did that. And the fact
that she could do that meant that the fundamental security property of that hash function was no
longer any good. And therefore, we had to move to another hash function because that one was busted,
as far as we care from a cryptographic perspective. But you didn't know that going in.
We didn't know that going in, but we knew when we heard it that all of a sudden we were going
to get press questions the following morning. And in fact, Josh Benaloh from my team and I, we sat at the back of the room and wrote a four-page
Q&A for all the folks back at Microsoft to understand what this meant for our products
and services going forward. We transitioned to the next hash function that we had, which was
called SHA-1. But SHA-1 shared some structural properties, similarities with MD5, and we figured that it would only be
time until SHA-1 fell. And in fact, in March of last year, Marc Stevens at CWI in the Netherlands
demonstrated a SHA-1 hash collision, and now SHA-1, of course, hasn't been broken the same
way MD5 has. Talk a little bit about how you go about attacking your own stuff.
Well, first off, we assume that everything we do is out in the open. And this is a sort of a fundamental thing for my group now.
The algorithms themselves are open and published. The code that we ship is open source and available.
And from a theoretical perspective, we assume that the attacker has access to all knowledge
about the algorithm and the code and
the construction. And the only thing they don't have access to is the secret piece of the key.
Okay. So when we try to attack our own algorithms, we're hopefully using the same set of information
and it's how can we deduce the secret key without knowing it? That's part of the analysis and
thinking of new techniques and
trying them out and trying to get cost estimates for what's doable if you have a cloud computing
infrastructure at your back. And, you know, what would move on to quantum.
Okay.
This is a big topic and it's basically what you've been talking about for quite
a while, life in a post-quantum world.
And that's still a ways out, but as they say in the movie industry, it's coming to a screen
near you.
That's right.
Maybe not your screen, but somebody's.
And also maybe not right away.
But let's talk about what quantum computing is.
I know we did a podcast with Krista Svore, who's all quantum all the time, and that was her perspective.
I want to hear from a cryptographer's perspective.
What is it?
How is it fundamentally or materially different from classical computing?
And why does it matter to researchers like you, Brian?
Sure.
And first off, I should point out that actually Krista gave a great explanation of this during her podcast.
And our teams actually work together.
We sort of dovetail with each other.
But quantum computing is a fundamentally different model of computing.
And from our perspective as cryptographers, the key breakthrough in this
actually happened in 1994. And that was when Peter Shor at AT&T Bell Labs invented a quantum
factoring algorithm. That is, he demonstrated that if you had access to a big enough quantum computer,
you could solve a problem in polynomial time. That is, you could factor in polynomial
time, which we do not know how to do today or anything close to that with classical computers.
Now, Peter didn't have a quantum computer. We still don't really have big quantum computers.
We have very tiny toy ones. But from being able to demonstrate theoretically that if a new fundamental model
of computation showed up, that it would change all of our assumptions, that's yet another example of
how we have to constantly think about what an attacker has available. And if the attacker's
resources all of a sudden change, that means they can do more. So from a cryptographic
perspective, quantum computing is yet another model of computation that opens up a different
line of attack and a different set of algorithms. And for a lot of the problems that we care about
today, we know that quantum computers will make the attacks faster. And for some of the
types of cryptography we've talked about, there are easy mitigations. And for some of the things
we're using today, there aren't. And that's sort of what the concern is. You've talked about a big
enough quantum computer. Let's go there for a minute. What is big enough? Okay. Well, for your
listeners who might be interested, we actually had a paper that
appeared at Asiacrypt last December 2017, working with members of Krista's team on trying to come
up with precise estimates for how many logical qubits, logical quantum bits you need for big
enough. And what we mean by that is, when I think about how difficult it is to break a cryptographic
algorithm, I talk about that in terms of how big are the keys, what's the security parameter for the algorithm. So if I am typically
doing RSA with two kilobit keys, 2048-bit public keys, that is the modulus is the product of two
primes of each of about 1024 bits, how long does it take to factor that? And that is well beyond
anything we could do with
sort of all the compute power we have available to us today. But what our paper showed is that
if you had just over double that number of quantum bits, just over 4096 quantum bits available
in a quantum computer, and those are logical quantum bits that are stable,
you can run Shor's algorithm on it and you can factor that 2048-bit number in polynomial time. So for the types of public
key algorithms that we are using today, if we're talking about factoring, typically your RSA keys
are two to four kilobits in size, and we need double that number of quantum bits plus a little
bit extra. Basically,
from my perspective, things don't get interesting until there's at least a thousand logical quantum
bits around on a quantum computer, and really up to 10,000 logical quantum bits.
And that is what you call a cryptographically relevant quantum computer?
Cryptographically relevant. So in our world, if it's got, say, on the order of 1,000 to 10,000 logical quantum bits and you can program it, then it becomes cryptographically relevant.
Now you're going to pay attention.
And now you've got to pay attention.
That's where things get catastrophic for the public key algorithms that we're using today.
Okay.
Or things get very interesting.
But below that, there might be other interesting problems you can solve in chemistry, metallurgy,
agriculture, things like that.
But what I care about is up in the 1,000 to 10,000 quantum bit range.
Let's say quantum does make it big and becomes cryptographically relevant sooner than we think.
What's the good news and bad news about a big breakthrough in quantum computing in your
mind?
The bad news is it means a lot of systems that we use today have to get
upgraded and that the algorithms have to be replaced. And pretty much if you know that an
adversary has access to a cryptographically relevant quantum computer, every commonly used
public key encryption needs to be replaced. The good news is we've actually got a bunch of
candidate replacements.
This is work that my team's doing, other folks around the world are doing. And in fact, the U.S.
government is running a standardization activity right now to try to pick some new quantum resistant public key encryption and digital signature algorithms. These are classical
algorithms. You don't need a quantum computer to run them. These are algorithms that run on classical computers, your laptop, my phone. They can run just like RSA and Diffie-Hellman and the elliptic curve today. They're just based on different hard number theory problems for which we don't believe there is a fast quantum solution.
And an important point here is,
we don't have any proofs right now
that the quantum resistant algorithms
that we're all investigating
are guaranteed to be quantum resistant.
What we know is that there's no known quantum advantage.
It's a little bit of a subtle point,
but it's important that even for the new algorithms
that we and other people around the world are investigating, we don't believe having a cryptographically relevant
quantum computer gives you any advantage over having just a cloud full of data center servers
to help you. But it's different than saying we are guaranteed that there is no fast quantum
algorithm that we don't know yet. Right. Well, if we situate ourselves in a
post-quantum world and we're dealing with quantum resistant algorithms, who has a vested interest
in developing these and who are the players at work here? You alluded to that just now.
What's the big picture and who's all involved? So there's who's designing them and then who
uses them. And if you think about who uses them, well, it's anybody who ships an implementation of a cryptographic library or, you know, inside of an operating
system or a device. Anybody who's trying to open a secure communications channel
over the internet. You need to be able to authenticate the party at the other end,
and you need to be able to establish an encrypted channel and send encrypted information back and
forth. That's just common
practice, right? As more and more of our communications are happening on the internet
in general, we want all of those to be encrypted and private. So everybody who is involved in
shipping code like that one way or the other is going to be a customer of quantum resistant
algorithms. Who's developing it? It's academic researchers and
industry researchers, cryptographers around the world. My team's currently working on four
different algorithms right now. And each of them is an international collaboration where we have
researchers from industry and academia participating with us on each of those four.
And they're different sets. And there's some people that are working on one algorithm with us
and some on another.
And these algorithms have different pros and cons when compared.
Some are faster than others.
Some have smaller key sizes than others.
They have different engineering properties.
And it's not clear it's a one-size-fits-all sort of thing.
My guess is that when the U.S. government standardizes these
in hopefully five
years, they'll actually choose a small handful of encryption and digital signature algorithms
for different use cases. Because what you want to fit into that smart light switch in your phone
that you don't want to be taken over by somebody is very different than what you're going to go
put into your laptop. Well, let's talk about that issue right there at the U.S. government, among other governments.
There's a competition going on that I would love for you to tell us about and what it involves and what the purpose of it is.
Sure. So in 2015, NSA for a decade had been advancing the use of elliptic curve public key technology as part of a suite of commercially available algorithms that they called Suite B,
as opposed to Suite A, which are classified algorithms, that they encouraged industry to ship to meet the needs of the U.S. Department of Defense to protect up to top secret level information. NSA came out in 2015 and said,
by the way, if you haven't finished the move
to elliptic curve cryptography,
you should save your development cycles
because we're going to tell you to move
to something quantum resistant
in the not too distant future.
That caused the U.S. National Institutes
of Standards and Technology, or NIST,
which is the standard-setting body for
the United States government, not just DoD for all government, to launch a standardization process
or a selection process to come up with new algorithms. And NIST has led two very successful
public standardization efforts in cryptography in the past. And so NIST has a history of running
these types of competitions. And now they've launched this competition. And in fact, my team is part of
four submissions of, I think, about 65 that made it in and are still active, although some of those
have since been broken. And what happens now is we are all approved round one candidates.
And about this time next year, NIST will announce which of those move on to round two.
And during this time, again, everyone's trying to cryptanalyze their own and everybody else's.
Sure.
And to say what they can learn about it.
And it's up to NIST to whittle it down.
And we believe that then there will be a round three.
And that, again, in about five years or so, they will announce some small subset of algorithms that will be approved, some for public key encryption, some for digital signatures.
To be implemented as the standard.
As the standard. They will make what's called a FIPS, and take that to an international standards organization such as ISO and make it an international standard.
Because we really want whatever comes out of this process that everyone around the world has contributed their intellectual horsepower to and has analyzed, you know, as much as possible to become an international standard because you need international standards for interoperability. We want everyone to basically agree on strong, safe and secure algorithms. So the U. That's right. This is all about getting algorithms in
place so that if and when cryptographically relevant quantum computers become real,
that we will have algorithms that we will already have transitioned to.
So let's talk about that timeline for a second. Realistically, I've heard from you and others that 15 years, maybe, optimistically 15
years. But why the 15-year workback plan? Why are you working on this now when you've got enough
problems in a cloud-based world and all the other things that you've referred to?
Well, so that actually is the number I started with in 2015. And what happened was I went to
Krista and her team because we had started seeing these
signals. And I said, okay, when do you all think that there's a reasonable chance that we'll have
a cryptographically relevant quantum computer? And at that time they were saying about 15 years,
which was 2030. So I thought, okay, 2030 is a long time away. And then you start thinking about
all the things that you have to do between now and 2030 to effectively upgrade the internet. Because that's really what you're talking about, right? You have to research new algorithms. You have to try to attack them. You've got to start a standardization process. You've got to prototype them. You've got to do test deployments. You've got to get them running on your own infrastructure. You've got to upgrade
all your customers using your software. And then you have to turn off and decommission
the things that will be broken. And when I look at how long it took us as an industry
to do that for the MD5 hash function after Professor Wang's break, and I look at how long it took
to do that with the SHA-1 hash function, you know, you add the pieces up, you need about 15 years.
So I didn't think we were actually starting too soon. I think we were starting kind of right on
time. And I think we're still about right on time if that 2030 number is still accurate. And it's
good to see the progress that's being made
within NIST, but I'm still encouraging people to try to move a little bit quicker and to start
taking our own prototypes and start deploying in test environments to see how flexible their
software is to handle these types of algorithms. And you can do that today.
So that leads us into the concept of cryptographic agility, which we referred to earlier. Talk about what that is and why it's
necessary. Cryptographic agility basically is an architectural principle in your software that
where you use cryptography, you do not hard code in a dependency on one or a small number of
algorithms. It's all about making it very easy
to reconfigure your software to use something else for a number of reasons. But everywhere that you
have a dependency on a cryptographic algorithm, you want to make sure that you can very easily
reconfigure it. If all of a sudden somebody steps up and tells you that they can break your hash function,
you want to be able to quickly flip everything over to use another hash function.
And if we know that quantum computers are coming and that we have to prepare for the post-quantum world,
we want to make sure that all of our software that currently uses public key cryptography
is designing in the ability to use a quantum-resistant algorithm,
even though we may not know exactly what that algorithm is yet.
Or when they're going to need it.
But we can start making sure that all our systems have that agility today.
And part of the reason that my team doesn't just do the theoretical work, but we put out these high-performance, constant-time, side-channel-resistant implementations is so that we can actually integrate them into the commonly used security protocols today and show how those algorithms would work.
And that's why you can actually go run some of the most common algorithms like TLS or SSH or VPNs with our post-quantum algorithms in the mix.
Talk about this concept of record now, break later, or as you
phrased it, record now, exploit later. Why should we be worried about somebody getting encrypted
data that there's no way they can unencrypt right now? So this is a real worry. And in fact,
it's another reason why even without quantum computers existing today, you may want to deploy post-quantum right now.
You have to assume that if you're sending sensitive data over a public network,
that your adversary, whomever your adversary is, will record that data, has access to the public channel. That's why you're encrypting it in the first place. But data storage is cheap.
Recording is cheap. So if you and I are communicating over encrypted connection,
we have to assume that our mutual adversary
is recording that traffic and storing it away
for the day in the future when quantum computers are real,
and the adversary can come back
and use the quantum computer in the future
to learn about what you and I talked about
on the encrypted channel today.
Now, if we're exchanging recipes or something that we don't think has a lot of long-term secret value,
that may not matter. Well, mine do. Okay. Well, mine don't. Okay. But let's say that you are
a nation state and you're sending information that's classified. And those things typically
have, I understand, a 30 or 50 year or longer time horizon, a security horizon. And it's not just
national government level data. Let's say that you're in the pharmaceutical industry where some
of your research is going to have a 20 or 30 year security horizon because that's the patent
protection on the drug, or that you are in any industry where the information's got a long security horizon. If this time in which you need the information to be
protected is longer than when we think quantum computers are going to show up, you have to assume
that information's going to be recorded and broken when an attacker has access to a quantum computer.
And so your protection horizon is truncated by
the appearance of quantum computers if you're only using classical algorithms. So if you're trying to
protect data for, say, 50 years today, you should be using a combination of the best classical
schemes that we have right now and a post-quantum scheme to try to give you some protection beyond
the advent of quantum computers.
That's the safest thing. It's what we call a hybrid scheme, where you use the best classical
schemes that we have many, many decades of knowledge about from studying and add in some
new protection. Well, let's say that does scare me and I want to have that post-quantum algorithm
or quantum-resistant algorithm.
Can I get it? Yeah. In fact, all of the submissions to NIST as part of the submission,
everybody had to make open source implementations available with their algorithms. In fact,
your listeners can go out to GitHub and they can go download all of our code and you can go get those libraries today and start using them. And if you happen to be a customer of OpenSSL,
a very common TLS implementation, or OpenSSH, or OpenVPN, you can run that today. We even built a
nice little demonstration device. We took a little Raspberry Pi and we turned it into a combination
Wi-Fi hotspot and post-quantum VPN endpoint. So I can take that with me anywhere in the world,
and it sets up a VPN to a Linux machine running in Azure. That is my other endpoint,
and I can connect wirelessly to the hotspot in my hotel room, and I've got a post-quantum tunnel
back to the Azure cloud. And all I've got is a Starbucks open and unsecured network.
You probably want a little bit more than that.
I probably do, but yeah, I just hang out with you more. Speaking of the things that scare me,
you gave a talk recently that you subtly titled How to Prepare for Certain Catastrophe.
And that's a perfect setup for the question I ask all my guests, which is,
is there anything that keeps you up at night? Yeah. So the thing that keeps me up at night
is that, say, Krista Svore and her team are going
to be successful sooner rather than later.
And by that, I mean that we're going to see quantum computers show up more quickly than
we anticipate.
That the qubit construction challenges and the scaling problems will get solved by the
very smart people working on them faster than we can standardize and deploy defenses.
There's this arms race going on
between the quantum computing folks
who are trying to build the quantum computers
and the post-quantum cryptographers
trying to make sure the defenses are out there
before the quantum computing people are successful.
That's what keeps me up at night,
but it's a good problem to have.
How'd you wind up doing cryptography research?
What was your path to MSR?
It started as an undergrad at MIT.
I was a co-op student at AT&T Bell Labs. And that was my jam.
And at the end of the class, I asked Shafi if she could recommend some people at Bell Labs who were
doing cryptography for my next summer assignment. And I was fortunate enough that she pointed me to
Andrew Odlyzko, who turned out to be my mentor for my master's thesis. And I did a couple summers and a master's
thesis at Bell Labs in breaking what were then called Knapsack cryptosystems, which are no longer
used because we've pretty much broken them completely. But they were a type of public
key cryptosystem that was being studied at the time. And that led to graduate school. Actually, my PhD was in artificial intelligence.
And I went back to Bell Labs
because they were looking for computer scientists
with an economic, legal, or social bent
to look at public policy computer science research.
But the work I was doing was interesting to Microsoft,
and I got recruited out into the product teams.
And then got recruited into a group to become a cryptographic architect for some work we were doing on trusted computing very early on. security SWAT team, basically for one of our former CTOs. And in 2009, we got reorganized
into Microsoft Research into this new applied division. And that's still kind of where I am.
And I have a mix of researchers and engineers, you know, developers, program managers on my team.
And everything that we do is both about furthering the academic field, as well as putting open
source implementations
of our algorithms and protocols out for everyone else to use.
Right. Well, and that's a beautiful segue to, as we close, give some parting advice
to researchers who are listening to this podcast, potential researchers, what might be on the
horizon for them that you think would be good, hard problems to work on from your perspective in the sort of math-intensive side of computer science research?
Well, here's the easy softball one.
If there's people out there that are interested in cryptanalysis, there's 60 targets, very easy targets in the NIST competition for people to go do cryptanalytic work, because
all of these algorithms are under consideration. And the more we know about something, the better.
One of the reasons I would not recommend that we just solely move to only post-quantum algorithms
today is that none of these algorithms have been studied as long as, say, RSA and elliptic curve
based things. So that's why I actually think for the first about decade of deployment, we're going
to do hybrid schemes where we'll use both. That probably means you end up
digitally signing things with two keys, one classical and one post quantum. So there's a
lot of cryptanalytic work there. I think we're still learning about leakage, ways in which our
implementations on software and hardware leak information that makes it easy to break. You're
not breaking the mathematics. You're effectively bypassing the mathematics by inferring bits of a
secret key through physical properties of the device. And we have to use physical devices
to work on this. And that's a very rich area. Another area that we're starting to do a little
bit of work on, but I think held a lot of promise, is in formally verified implementations.
And I think that's a very rich area to do work on within the cryptographic application space.
So there's a lot of still fruitful areas of exploration and research.
Oh, absolutely. My team did some work back in 2008 and 2009 on distributed key management. And that's for how do you share
secrets securely among, say, every machine and every rack in a data center without having somebody
plug a USB device into every machine manually. And there's some non-trivial problems in that space.
Key management of cryptographic keys is a very important problem, and it doesn't tend to get
as much attention as it
should. And I think that's another fruitful space.
I have to ask you one more question.
Sure.
How do you manage your passwords?
Perfectly fine question. I have a couple of what I consider very high-value passwords, which are all in my head. For all the typical website logins, I use a password manager. So that plugs
into the browser. And then that is combined with a master password that unlocks that vault
and a physical device that I plug in. So I do two-factor authentication, and everybody should.
Brian LaMacchia, thank you for talking to us today. It's been really, really interesting.
It's been my pleasure. Thank you very much for having me.
To learn more about Dr. Brian LaMacchia and how
Microsoft is working to ensure
online security and privacy in a post-quantum future,
visit Microsoft.com slash research.