NIST has published the first PQC standards (FIPS 203, 204, 205) including ML-KEM, ML-DSA, and SLH-DSA, with Falcon (ML-DSA) delayed due to complex floating-point arithmetic implementation. The On-Ramp signature competition is evaluating 14 candidates for additional signature algorithms, with round 2 ending soon. The 2035 'Disallowance' date marks when classical public key algorithms will be disallowed, with hybrid implementations recommended during transition. Meanwhile, lattice cryptanalysis has advanced significantly, with researchers solving the SVP 210 challenge using layered bucket sieving, demonstrating that practical attacks on lattice schemes have improved by approximately 1 million times over the past decade, raising questions about the security margins of current PQC algorithms like Kyber 512.
NIST PQC Standards Update: On-Ramp Signatures and Global Roadmaps | RWPQC 2026, Session 5
[music] The first morning session uh is another really good session. We're going to kick things off today with Dustin Moody from NIST. Um Dustin needs really no introduction, so I'm not going to introduce him.
[applause] I'm glad it's 9:00 a.m. and not they put me at 1:00 in the afternoon and then, you know, we'd all be asleep. But, um, yeah, I'll just give an update on NIST general, you know, where we're at with all the PQC related efforts, give some updates, and happy to answer questions at the end for any particular details that I didn't cover and that people have. By now, you're probably familiar with a lot of what NIST does.
Um, besides our standards, we do a lot of research. We do validation, testing, other things. Um, hopefully you're familiar with the NIST PQC processes. It's occurred over the past decade or more.
Um, I don't need to go through all the different past the past rounds. Other than just to say again, NIST is very grateful for the participation of all the people in the PQC process. There's tons of submitters, tons of people who have done research, cryptanalysis, performance benchmarking, and that's really helpful to us at NIST, and we're we're grateful for it.
Um, back in 2024, we were excited to reach the milestone where we were able to publish the first PQC standards.
These were released as as FIPS, uh, government speak, Federal Information Processing Standards. The the first three were published with one KEM and with two signatures. So we had ML-KEM, ML-DSA and SLH-DSA um which you know people are starting to implement and start migrating and get those into their products. The fourth one we announced back in 2022 is part of our set of four.
I've been asked many times, you know, where is it? That's an excellent question. Um we have drafted it up. We worked on the other ones first because they were a little bit higher priority and we also knew that Falcon is just very complex. Uh we finished writing up the draft. It's ready to go. We submitted it up the chain for approval and somehow or other it's gotten stuck there for several months and we don't know why. And because they're high enough up we can't tell them what to do or anything. So we're working on a plan B where we can still get a draft out for public comment. But um it is ready to go. We hope to get it out soon but I I can't promise any particular time frame as to when that will happen. Um and then in addition to that we selected HQC about a year ago as one of the fourth round algorithms for standardization so that we would have another KEM.
So just looking briefly at the KEMs, uh we we have two selected. We have ML-KEM. We recommend that one be the default algorithm that people use for most applications. Uh especially because it's the only one right now. HQC we're writing up. It should be able to come out later this year as an initial draft and it comes out for public comment. Um, it's kind of a a backup just in case something were to ever happen to to lattices if there were some kind of attack. It is a good general purpose.
Its performance isn't quite as good as the lattice schemes, but it's it's not too far behind um either. To go along with that, we were happy this last fall we were able to finish up and publish a document called Special Publication 800-227 which deals with just KEMs in general.
These are kind of the first ones that NIST has done. So it's got definitions, basic properties. Uh it talks about using them in certain applications and gives some advice on you know how you can combine KEMs in a in a safe way. So there's some some information on hybrid there.
Yeah. So, HQC hopefully comes out later this year. It'll be out for public comment for three months. We'll address the comments and then hopefully be able to publish that. On the digital signature side, so, we do have three that we announced. Uh again, ML-DSA we recommend to be the primary one. Um it's based on lattices, good performance. It is a little bit bigger than we're used to for that. Falcon eventually will hopefully be available with the smaller signatures just it has the trade-off of course that it's it's much more complicated to implement especially with the floating-point arithmetic. So for certain applications that that could work other applications you know it's going to be too too hard to to make happen.
Um SLH-DSA is standardized. It's also available if you know if you want to use that as well.
It might seem a little strange but we selected three you know three signatures and then at the same time that we did that we also said oh we're looking for more signatures.
Uh the main reason for that our motivation was just that SLH-DSA was kind of like the backup to lattices but its performance isn't that great. So if you were forced to use it, you know, you might have a hard time in some places.
And we'd know, we had seen that there had been a lot of of research and advancing signatures and there was a lot of promising ones on the horizon. So we announced the on-ramp process um now it's been, you know, just about four years uh three and a half years and uh got a kind of a smaller competition-like process going on with with this.
Currently there are 14 of these algorithms that have been in the second round. People have been looking at them, you know, studying them, attacking them.
There have been lots of attacks.
Primarily our again our motivation is a general purpose digital signature algorithm.
We may also be interested in you know other properties small signatures fast verification that's uh very desirable.
So, you know, we we could select one or two things most likely as a result of this. We have no plans to do this for chems. We're content with just having the two that we have right now. Um, of course, that could change in the future, but as of right now, this is uh the way things are.
Just looking at the uh the 14 candidates that are in the on-ramp. Just like in the original process, there's kind of a variety of different mathematical techniques that are involved to design these. Um in the first round, there was kind of more of all of these and now it's whittled down to a little bit smaller numbers. One of the most interesting categories that we've seen is the MPC-in-the-head category where there has been a lot of progress since the on-ramp started. There was some some nice techniques developed using um some threshold techniques, VOLE-in-the-head, that have made these signatures a lot more efficient and a lot smaller and it's a it's very very much uh still being worked on. So MPC-in-the-head is a is a pretty exciting category. Uh the multivariate ones are of interest. They they typically tend to have the large public keys and small signatures fast verification. So, um, but yeah, there's there's kind of a variety of them. The second round, uh, probably can't see this and that that's okay. This is just to kind of show, you know, if you look at the performance, they have a range of characteristics.
Some have big public keys, small signatures. Some have just the opposite.
They've got small signatures, but big public keys, or I said that backwards, you know what I mean. Uh you can also look at their signing verifying and there's different performance profiles you know for for a variety of different use cases. The the primary thing that we're needing them to do is to for for one have better performance than SLH-DSA in some way because otherwise there's there's not a need to have it. Um and that's kind of performance-wise that's the main thing. And then security-wise, it needs to be secure and there have been lots of attacks. So, [snorts] watch for the on-ramp. Uh the second round is pretty much about to end. We are writing up the report that will say which of the 14 candidates are moving on into the third round. It'll be a smaller number, you know, probably about half as many advance on to get increased focus and study.
All right. All right, I want to talk now about the migration. Uh we've heard a lot yesterday. There was a lot of good, you know, guidance given, a lot of good information that was recapped.
Of course, the main threat um for the key establishment side is kind of the harvest now, decrypt later that motivates a lot of that and just the fact that it we know it takes a long time to migrate. At NIST, we've seen cryptographic transitions in the past can easily take 10, 15, 20 years. You know, switching from SHA-2 to SHA-3 or from RSA to ECC or or things like that.
Uh the US government is certainly taking steps to make sure that it will be prepared. Uh Moses gave a nice talk yesterday where he outlined a lot of these steps um in in more detail than than I will. There's a variety of different sources where it's coming from. The White House has put out national security memos. NSA has CNSA 2.0. Um, Congress has even passed a law.
The main kind of theme is that agencies are being directed to act to start doing inventories to start planning to start budgeting and with the goal of 2035 is is the main target to transition as much as possible by.
uh certainly know that it's not going to be completely done by that date, but it's good to have, you know, picked a date and said aim for that.
Uh at NIST, we released a document to go along with, you know, some of the transition guidance. Um this is NIST IR, which is a report, 8547.
Um it came out a little over a year ago.
We put it out. We received public comments. Got a lot of good feedback back.
What it does is it specifically identifies which of our standards are impacted. So what are the PQC vulnerable ones which basically is any public key algorithm. So RSA, Diffie-Hellman, elliptic curve. Um it points to the new PQC standards and says these are the things that you're going to need to migrate to.
And then it proposes our our timeline which is in accordance with uh the date in national security memo 10. Uh a little bit of nuance the if you're at the 112-bit security level you know previously NIST had recommended that you transition off of that to 128 we don't want to force anybody to do two transitions. We want you to to get to PQC. So at the 112-bit level, you're deprecated at 2030, disallowed at 2035.
Don't make two transitions, just make one if if you happen to be at 112 bit.
But otherwise, all the 128 bit or more the the public key algorithms, we we will disallow them in the year 2035.
So that is the date to be aware of.
We do also reiterate there with the symmetric key algorithms. So like AES and SHA-2 and SHA-3, you know, back from the beginning, people know that if you double the key length, you're at least protecting as much. As we've taken a closer look, we don't feel that you need to do that right now. So we continue to approve uh AES-128, SHA-2, SHA-3 at their current levels as long as you have 128 bits of security. We're keeping an eye on things. If that changes, you know, we'll we'll be sure to update our guidance, but this is how uh we feel.
Um so, yeah, the final version of this is ready to go. Um we keep hearing rumblings that there might be an executive order and that's delayed us just briefly just to see if that's going to come out. Otherwise, this will be coming out soon in the next month, maybe two months at most and that will finalize the the timelines.
So, hybrid is is a topic that always comes up in the migration and we've heard a lot of feedback from industry and and other organizations and countries that this is a strategy that they're interested in. Um it's the idea where you can use classical and PQ PQC and other techniques you know you could use QKD or or whatever else you want combine them together. We did give some guidance in 800-227. Uh we had existing guidance in in a document called uh Special Publication 800-56C which explains how you can do this in a way where you can still get validation through the FIPS 140 program at NIST. So if if you want to do hybrid, we can accommodate that. NIST is not in uh enforcing or mandating or requiring hybrid. Uh rather we we want to make it available if you want to use it, but we know that it's not going to be the right choice for everyone. So uh that's kind of been our our stance on that. Um some people like that, some people don't like that, but uh that's what we're we're sticking with.
Um yeah testing and validation. So this actually uh this group was a separate group at NIST; recently, in a reorg,
we're now in the same kind of group. Uh the PQC algorithms have been available to be tested and validated since the first day the standards went out. We worked with the the CAVP, the CMVP to make sure they were ready to go. Um and so that is a good thing that people who have implementations and need this validation because they're selling to the government or for whatever other reason, you know, you can do that.
They're also very responsive. So if you have questions, you know, you can bring them to them or I can connect you to them and they can they can uh address any questions that you have with uh testing and validation.
With Falcon, it's going to be a bit more challenging because of the floating point, but we think we figured out how we can safely do that as well. So, um, you'll see that when Falcon comes out.
NIST has also been running, through its NCCoE, the National Cybersecurity Center of Excellence, uh, a migration to PQC project. Some of you or your organizations uh, may be a part of that.
Uh there's some government agencies but mostly it's just private industry that has teamed together to you know to cooperate try and come up with good guidance try and develop tools find best practices and just really complement the standardization um effort that's been going on and we really really appreciate that. We know a lot of people are are working hard on that and we you know different people in there step up and lead different parts of it but uh it's a really good collaboration.
They have produced several documents. Uh some of these are still in draft form.
There are others that they're working on. Their main performance work streams.
You know, there's performance, interoperability, cryptographic discovery. Um, working on how to do inventory and and test things and so you can look at that. They've held webinars and and other events so that people who have questions can can get answers there. They also have a really good FAQ.
Uh Bill Newhouse, who runs this, if you haven't taken a look at it, I'd encourage you to do so. He's collected kind of things from around the world, not just at NIST, but from other governments, from other organizations, other industry, uh all in one place. So it's I use it frequently as is kind of a good source to to find where everything is posted.
Uh yeah, another important report that my colleague Lily Chen kind of headed up as part of this project was a report on cryptographic agility. Uh we held a workshop and then we we worked on that report and that was uh published last year.
It's a very complicated topic and there's lots of pieces to it and um not going to go into it other than just to say you know if if this is a topic that which is of interest and it should be take a look at the report and hopefully you you're able to see some good things in there.
Uh NIST is cooperating a lot with other organizations.
Um during the process we we had talked a lot to them and for the most part they wanted to see the NIST process be successful and not try and compete with it. So that was a a nice collaborative kind of effort to focus on one thing.
And now that we have the the standards out and the the algorithms, you know, now these are getting standardized in other places as well. And and we're trying to assist with that effort. Um I'm not representative of the IETF or anything. There's a lot of work going on there. You can look up a lot of that.
There's several people here that are engaged in the different working groups there and we try and support that as much as possible. Um, oftentimes they'll come and say, "Hey, your standard is not clear or is there any way we can make this happen and and we definitely try and do that."
Uh, ISO, Lily's active with that and trying to make sure that our our algorithms are standardized. Um, they started first with the KEMs. I think she told me that that's just about officially done. So that that's done.
Currently, they're working on the signatures to get those in there.
Uh yeah, there's other working groups.
Other countries are are working on standardization or recommendations. NIST has talked a lot with many other organ uh many countries and tried to align with that. Sometimes they're they're fine with just ML-DSA, ML-KEM. Sometimes they want other algorithms like Classic McEliece or Frodo. Totally good with us. You know, whatever whatever you want is is fine. We've also seen a lot of convergence kind of on the 2035 date.
Seems that's a a common date that people are are seeming to uh align with. So that's good in in some sense, but uh there's still tons of work. NIST recognizes that, you know, those those first standards are are important, but we're not done there. We need to get those and get those into protocols. We need to get them into products. And that's what a lot of you are are probably working on right now at the different different layers and levels of all this uh going on.
Uh yeah, there's lots of things you can do to make sure that you're preparing.
You know, you want to start your inventory. You want to make sure that you've got a team assembled that is planning and and preparing for your PQC migration, starting to test the algorithms, talking to your vendors. Um, the migration to PQC project has a lot of guidance there. NIST also put out a report with it was [snorts] NSA and CISA that kind of just a short report that outlined a lot of the the steps that you want to do.
And I just wanted to update as well a few other documents that we're updating.
Uh so people know about that. I already talked about Falcon, HQC. Those are under development. We're working on them. Uh the on-ramp round two again uh that's going to end. So that report will be very soon. Another document we had is 800-133. And I'm sure it's impossible to keep all these numbers in mind, but uh back when we had ML-KEM and people were putting it in X-Wing, there was some questions about they'd like to be able to to uh use a KDF and expand a seed and not just be able to use like a DRBG.
Um so we looked at where that could best be accommodated and that was at SP 800-133.
Few other kind of small changes in it.
Um, that document is about done. So, that should be coming out. Um, it's taking a little while. Again, when we were working on 227, that was brought up a bunch.
SP 800-208 is a document on stateful hash-based signatures. That's a standard that's been out for a while. It was based on some uh RFCs for XMSS and LMS.
Uh once the the PQC standards were finalized and CNSA 2.0 came out, there was kind of a renewed interest in using some of these algorithms and industry came back to us and said, "Okay, the way the standard is is written, we have some problems. Is there any way we could we could, you know, fix that?" That has to do with key export and and making backups for things for for HSM. So, we we've been talking with industry for the past year or two about how what solution would be best.
There's been a number of different ways proposed. Um, we have a team that's actively revising it. They're going to summarize uh the plan at ICMC which is in I think about a month or so. So, that'll be our next big update on that. If you can't attend, there will be slides posted and we'll share more after that. But that's another document that we expect to get out this year.
And then SP 800-230. Uh we had some discussion throughout the competition about SPHINCS needed to allow up to 2 to the 64 signatures and a lot of people pointed out well if you lowered that you know there's applications that don't need that many signatures and if you lower that bound you can improve performance an awful lot. So we we had uh some other people, Quynh worked with Scott Fluhrer and some other people, propose parameters.
Back at our last workshop in September, Quynh gave a talk to kind of summarize all the feedback and propose six specific parameter sets that NIST was likely to standardize. Uh they're they're have a maximum usage of 2 to the 24 signatures. So they won't be able to be general purpose and be used everywhere but in certain places you know that will work out very well.
Performance is a whole lot better and that document should come out in the in the next few months as well.
Uh there are other ones we're updating.
Mostly these are just kind of general NIST documents that are up for revision. We're now adding in references to PQC and the migration and and pulling out you know the the vulnerable vulnerable algorithms. So you'll see just that update continually going on.
Uh so with that I'll wrap up here and if you have questions on things you know our website is a great place. The PQC forum is also another great venue if you haven't signed up for it. You can ask questions there. You'll get announcements. You'll hear all the latest kind of research at times. It's also entertainment value. So it's a just a good thing I'd sign up for there. Uh so thanks again for the opportunity to to speak and I'm happy to you know take any questions if people have. [applause]
>> Um, on the, uh, SP 800-133 key generation. You said that you're you're releasing a draft version of that first or or is it just being revised?
>> I think it'll go straight and be a final version. Um yeah, thanks.
>> It's not being completely revised. It's just kind of a small portion to to allow specific things. Yeah.
>> Um, is there any news about HQC?
>> Is there
>> any news about HQC?
>> So, HQC, we're actively writing it. Um, we were slowed down a little bit. The US government was shut down and so forth, but we're we're actively writing it and I expect later this year that the draft will come out. Um, I say that knowing Falcon should be out and is held up for clearance. So, I suppose something like that could happen with HQC, but we're expecting later this year that the draft will come out.
>> Some questions over there, Matt, on the left.
>> So, you mentioned that you will finish the on-ramp second round soon, right?
>> Yes.
>> So, so what is the overall timeline for the on-ramp signature?
>> So overall timeline, so the third round will probably last a year and a half, two years approximately, something like that. It's likely we could select algorithms at the end of the third round or it could be the case we we do a fourth round if it's needed. So for example some of the multivariate if we're interested in but they've had attacks maybe we want a little bit longer so that they stabilize or regain confidence. Um but roughly maybe in three years we could see a you know a draft standard out there, five years till it's final, something along those timelines.
>> So 29 and uh for a draft standard perhaps for additional
>> Sorry didn't hear that Mark
>> was it uh 2029 for a draft standard for for additional signatures perhaps
>> for the on-ramp.
>> Yeah.
>> Uh yeah that's roughly right. Yeah.
>> Okay. Very good. Another question that you actually had in in there. So, FN-DSA, did I hear correctly that seven months ago you pushed the specification out?
Okay, that's a while.
>> Yeah, it's it's it's been a while and we don't have a good answer for it. We apologize for that. We're doing what we can. We do have a plan B that we're working on so that we can release it even without getting formal approval all the way up as high as it needs to. Um, so hopefully that that will work.
>> Very good. So um and uh we in RISC-V we've been waiting if we want to make floating point constant on certain instruction. So every week we have this item in our readings you know.
So I guess we will do that because you say that it will in fact have floating point.
>> Yeah floating point is in there. You can, fixed point will also be allowed but floating point is in there. That's just kind of how it was designed as well. So
>> Oh that's very interesting. So fixed point is allowed.
>> Yes. So I'm trying to remember there's there's key gen, signing, verification and we go through and we talk about floating point, emulated, and fixed point. I don't think all of them are allowed for all parts.
>> Uhhuh.
>> Um but we do discuss that so I can check on that and tell you exactly what it is but
>> yeah affects our hardware architecture.
Thank you.
>> Yep.
Any other questions for Dustin?
All right, give Dustin a round of applause. Thank you again, Dustin, for coming. [applause] So, our next talk is from BSI. Stavros, are you are you ready?
>> I think so. We got a here.
>> Okay,
>> without further ado, Stavros.
>> Yeah, thank you. Well, good morning everybody. Thanks for the invitation to Sophia and the organizers and the opportunity to speak here. Um the talk is split in two parts. So the first part uh I will talk about and the second part my colleague Johannes will take over. Um okay here's a short outline. Uh I would like to update you on the EU PQC road map. Then Johannes will take over and uh talk about what that does to the BSI PQC policy. And um just a quick check with the BSI PQC activities at the moment.
Well, the EU PQC road map I will take off from here. Last year um our colleagues here announced in the EU PQC road map. It was in a draft stage back then. A publication was planned uh mid 2025 and they said that they had some plans saying uh we want to define a timeline in Europe um raise awareness uh get the inventory process going and some other stuff and uh finally um this is the result what was announced last year it was published in June. It's a coordinated implementation road map for the transition to post-quantum cryptography in Europe. Um this document has been written by a team um that works in a workstream in the NIS cooperation group and it's a recommendation. Basically this slide is saying if you see the first uh deck like uh this if you Google it you sometimes end up with a recommendation by the European Commission that says do that. So uh check for the first page. Um and the essential part is saying that uh we try to get the EU member states to uh uh have a timeline that they can work against and the timeline is as follows that we have a a first deadline by the end of this year saying that um some first steps have to be initiated. I will talk about that later. But the main achievements of that phase is that um all member states uh should have established a national PQC transition plan. That's one of the main achievements by the end of this year and some PQC transition planning and pilots for high and medium risk use cases. I will talk about that uh in the next slide what that means have been initiated.
Um well the timeline will not surprise you so much but uh the next uh milestone will be end of 2030 where some next steps have to be uh implemented by all member states but the main achievements are that the PQC transition for high-risk use cases should be completed uh transition planning and pilots for medium risk use cases should be completed and there's one building block that we try to emphasize is that we would like to have uh quantum safe software and firmware upgrades enabled by default in products across Europe.
Yeah.
And well surprise 2035 uh PQC transition should be done. Well, we all know it will not be done, but at least we have a timeline that kind of aligns with what is being said in the US and other um countries. So, the targeted audience is mainly member states of course uh and it's applicable to critical infrastructures in in particular. Yeah.
And um well, it tries to bind together all the member states to have a kind of coordinated approach to that.
What the the basis of this is a risk based approach and we not we are not trying to invent the reinvent the wheel we just said that um the quantum risk score is developed uh based on what is done in the PQC migration handbook that's a publication by the Netherlands and um three factors influence the risk score of course it's the quantum weakness of the algorithms of course the impact of a successful attack, store now, decrypt later is um can be seen in that respect and time and effort required for the migration as a driving example PKIs for example yeah and maybe that's not readable but the risk score high risk that's three priorities needed in the short term because the expected impact is large, store now, decrypt later think of, and or the migration uh to PQC expected to take a long time yeah so PKI for example yeah. So that's high risk. Um okay. So this is the risk-based approach and just to give you to illustrate it a little bit more is um what are first steps. Yeah, it's um basically it's get together, identify and involve stakeholders, create dependency maps, perform your quantum risk analysis, include the supply chain, do asset management, create an awareness program, share knowledge, get involved in the EU work stream on PQC, uh develop a timeline and implementation plan. So these are some first steps that are detailed in that document.
Okay. So, where are we now after that publication? There are some further publications planned in 2026.
It's planned to publish some FAQs that result from um feedback that was gathered by a public consultation until September.
Um, of course we expect the national PQC transition plans updates or updates on those in 2026 because it's on the timeline [snorts] and what is being right now we had a call for contributions. Um, the contributors met with the writing team. Um, they selected some topics, built working teams and defined some outcomes.
And just to uh give a quick overview, the topics they selected um were sector specific guidance and case studies supported by in-depth examples.
Lightweight post-quantum cryptography was one topic that was uh selected at that meeting. Uh especially in relation to IoT and uh protocol overview focus on standardized hybrid PQC solutions.
Okay, so these are some publications that we expect in 2026. Basically saying we're trying to bring people together because of Europe being a non-centralized system and let people help people. Uh maybe also kind of mimicking what NCCoE does, right? Okay.
Well, that's the point that I would like to hand over to Johannes because uh he will tell you what this does to the BSI PQC policy.
Okay. Hello everyone. I will now continue with some of the BSI um policies and how we are implementing the EU road map.
So first thing I want to talk about is our timeline for classified information system. So in this case um it's the lowest German uh classification level called VS-NfD and um yeah there we have the goal to complete the PQC migration roughly in the year 2030.
So from 2030 approved um CI products must have quantum safe key exchange and also signatures for soft and firmware updates.
Then uh from 2031 onwards um authentication use cases that do not use a PKI should also um or must also have quantum safe signatures.
For um approved PKIs, our requirements are a little bit relaxed. So the reason behind this is that we want to give yeah a realistic goal because um in PKI you usually have yeah certificates with long validity periods and also yeah the applications can be quite diverse and there are many dependencies.
So for the PKIs uh the requirement is that they off um at least offer quantum safe certificate from uh 2031 onwards and in the ideal case they would then only um issue quantum safe certificates.
There should also be um yeah some mechanism or there should be or work should be done um to um check if classic certificates can be revoked whenever this is possible and this should be done regularly and also the subordinate CAs are then required to give reports about all uh classic certificates that are still out there.
Um next I want to talk about the BSI technical guid guideline TR-02102.
So this guideline gives recommendations for cryptographic algorithms and although those are just recommendations um there are several German federal use cases where those recommendations are also mandatory. So at least in Germany um yeah this guideline um has some impact. So it has four parts. The first part is the general part um where recommendation for cryptographic primitives are given and then there are three parts um dealing with a cryptographic protocols TLS, IPsec and SSH.
The targeted security level is 120 bits and all the recommendations come with a validity period um that is at most 7 years. So the goal is always to give conservatives conservative uh recommendations um so that we in the normal case should never have to um yeah withdraw recommendations ahead of schedule and the the users always have some time um yeah to to plan if they want to stay compliant with this guideline.
Yeah. and it's updated every year.
So now as uh to the PQC recommendations um the KEMs that are recommended are FrodoKEM and Classic McEliece. So this we consider the most conservative choices and um in fact they are recommended already since 2020 when there even haven't been standards yet.
Then later ML-KEM was added and we also plan to recommend HQC KEM as soon as the FIPS 207 standard is finalized.
And for the signature schemes, we recommend ML-DSA as well as um SLH-DSA and LMS and XMSS.
Um all [snorts] um for all those um algorithms um yeah we we recommend um the security strength categories three and five.
Also we um we only uh recommend hybrid solutions in general um except for hash-based signatures. So in this case um our confidence in hash-based signatures is um high enough um that they can be used standalone.
And um one of the um things that changed in this year's update was um that we announced um to to phase out the sole use of classic key agree key agreement mechanisms. So until the end of 2031 um and for signature mechanisms until the end of 2035.
So parts two to four about protocols.
In this case we just try to apply the general recommendations from the first part.
And um at the moment most of the RFCs are still in draft stage. So we haven't put out any recommendations yet. But we already announced that we plan to recommend ML-KEM in hybrid mode together with a classic recommendation.
And as um the sole use of classic key agreement mechanisms um is phased out.
One of the consequences um this has is that um TLS 1.2 to um will also not be recommended after 2031.
Now in the um last part I want to talk about some other um BSI activities relating to PQC.
So um first of all um yeah BSI commissioned um um some projects.
First of all there's um a study um that mon monitors the uh status of um quantum computer development. This project um has recently um has been completed um but a new one is on the way.
Then BSI has also uh sponsored um integrations of PQC algorithms in the Botan library.
So the all all the um new NIST standards have already been implemented and there's a new project um has just started where HQC um should be implemented and the usage of PQC in X.509 certificates.
Then there's also project in the pipeline to um yeah support PQC in PKIs so in soft and in hardware but um yeah no tender has been released yet for this project.
And finally um uh Stavros has done a project about PQC in OpenPGP and this resulted in the RFC draft you see here.
Okay. Finally, BSI also supported some standardization efforts. So either as an author or co-editor.
So first of all there are two RFCs now for stateful and stateless hash-based signatures in X.509 certificates.
Then there's an RFC draft um that deals with uh state management of stateful hash-based signatures.
And finally, there is the um yeah PQC in OpenPGP draft that I just mentioned.
And finally um the ISO or the second amendment to the ISO standard 18033-2 containing FrodoKEM and Classic McEliece will come out soon.
Yes. So this concludes our talk and now we're happy to take questions.
[applause] Any questions? Okay, we got some over here. You can also go to the microphones on the stand that are Oh, we got one.
Oh, >> is it Gingai first or me first?
>> No, go ahead. Okay. So um um I understand that BSI is of course BSI cannot talk on behalf of the European Commission and all that, just perhaps a little advertisement for my talk on Tuesday. So this PQC roadmap here is uh from the NIS2 uh group. So there's uh basically two laws in Europe. Uh there's the NIS2 law which is for organizations.
So this roadmap talks about how organiz so how you do inventory and organization and such for uh so forth. There's uh also, Johannes is well aware of, the Cyber Resilience Act which is about uh products. So we also have product regulation where we require essentially, at least commission has written this down, will require post-quantum cryptography in all kinds of uh consumer electronics sold in Europe. So if you have some comment on that. Uh I I should note that BSI is uh perhaps the most uh or many of the 27 uh other uh cyber security agencies in Europe have been a little bit absent in these meetings but BSI is actually there. So if you have any comments on on Cyber Resilience Act, so I have a talk on that on Tuesday.
So
>> I've seen you there not uh
>> I'm not really uh in involved in this topic so I can't uh comment on this.
>> I see. So it's a it's a little bit different group. All right. Thanks. But that's just a note.
>> Okay. Okay. Thank you for the nice talk.
So you you so BSI recommend four algorithms for KEM, right? HQC, ML-KEM and and Frodo and so in the in NIST they clearly state that they will choose ML-KEM as the main algorithm. In the state of the BSI, do you say anything like that or just people randomly choose or you have a priorities, we recommend people use this first or or something like, do you have anything?
So I'm um yeah as as I as I said I would say for high-risk applications um we would slightly or we we prefer FrodoKEM and Classic McEliece um but of of course if you look at a variety of applications um yeah you also have to give some uh so it doesn't work without um ML-KEM.
Um so I would say it depends on the on the use case but but we think that the first two candidates are more conservative.
>> Here we go. Question over here.
>> Uh on your uh in the list of recommendations of algorithms you said that you were going to add HQC. Um, of course there was a sort of glaring omission from that list.
Uh, you didn't say you were going to add Falcon. Um, is are you not planning to add Falcon or uh or FN-DSA? Uh, and prefer to stick with ML-DSA or is that something that is still on the agenda?
So as of right now I I would say that we don't plan to recommend it but yeah you you never know if this assessment changes but um yeah in there are some cases where we already announce our changes and in this case yeah some very disruptive uh events would only uh change It's I think in [clears throat] this case uh yeah it should happen but uh for Falcon we don't have such a decision made yet.
>> Okay. Thank you.
>> Got a question down here.
>> Thank you. Very clear talk. So you announced that you allow classical signatures until 2035.
That's correct. Like RSA signatures will be allowed until 2035.
on the other hand or did I
>> 2031
>> 31 okay
>> 31 yeah
>> okay
>> yes deprecation of RSA is in 2031 for signatures
>> yes so at least the the sole use it can after that it can still be used in hybrid mode together with um
>> okay so
>> with a PQC algorithm
>> but still if I would bring out now a new product and I want to get it certified with the UCCC, I need RSA at least 2,999 bits will not be enough. Can you explain that why this is even product now which will be for at least three or four years I have to go above 3,000 bits. What is the scientific validation of this?
So certification um is another use case.
So I I I was talking about classified um products. So if you want to get an as a vendor approval in Germany um then yeah you won't get um approval for RSA uh usage after 2031 in in this case and how how the certification will deal with it um I can't tell yet but our so our technical guidelines gives the the general recommendations.
But of course, we have to to wait and see what will happen in 2031. I mean, it's not uh so much time until then. And um if you ask me personally, I I think there there will be RSA products uh still out there and just have to deal with it. But at least in in our federal and high-risk uh use cases um this yeah the migration will will happen until then. So >> thank you.
>> We got another question.
>> I have an answer and a question Mike Ellsworth. Um you asked for a scientific justification. I think the scientific justification is once we assume quantum computers, the gap between RSA 2000 and RSA 3000 becomes very narrow. I think that's a fair statement. Like RSA 3072 doesn't live that much longer than RSA 2048.
Correct. You would agree with that?
I think that was the scientific answer.
My question, um, you're talking about 2030, 2031, 2035. I think you mentioned this, but could you clarify if these are recommendations meant for information purposes or if these are requirements and if they're requirements which sectors have to comply with them?
So the dates I mentioned um about the BSI technical guidelines those are recommendations in in general and there we had the dates end of 2031 and end of uh 2035.
So now there may be some German use cases um like federal projects where this becomes a requirement um but um other than that it isn't a requirement and the first timeline I was talking about this is for um approvals for um classified information solutions and yeah in in this case the the timeline for a key agreement is one year earlier and in this case it is mandatory but it only uh affects yeah vendors that provide those solutions.
>> Hello. Okay. So uh I guess we should view these BSI recommendations since they are for restricted or classified systems similarly to CNSA 2.0 that is only for uh German government itself or mainly for German government itself. Uh I can I can say that on European level we have a on pan European single market we have a slightly different uh rules and systems. So we I I fully expect Falcon to be there for example.
So if you want to comment on that, should we view this as the BSI recommendations? Of course, they are also for German industry, but uh they they are mainly for confident or restricted uh classified data, right?
>> I I I think the the reach of the technical guideline is is um is still somewhat broader. Um but yes for um for this restricted level um it is also the baseline.
>> Yeah thank you. These are very good documents. Of course we will reference those and you know Europe will do that.
>> Are there any other questions?
I have one last question because we have a couple minutes left. This one always spurs some conversation. So I I hope I do this in good faith, but um you guys um are looking at hybrid implementations and I guess the the million-dollar question is really do you see the hybrid state as a viable end state or are you going to encourage folks to go to a pure quantum or pure postquantum?
Well, that's a good question. Um I'm not sure if I can really answer that. So um at the moment I think we are pushing for hybrids and it will stay that way I guess. Uh I never know. So I don't think that we as BSI know what will happen in 10 years. Um what I can say um is that uh well there are two reasons for pushing for hybrids. the conceptual stuff, new algorithms, okay, let them hang a little uh and the other one is the implementation attacks. And uh in the beginning, a couple of years ago, I think it was more uh the conceptual viewpoint that motivated hybrid, but that shifted a little in the last years to uh say that okay, maybe it's more the reason that we want to prevent implementation attacks. So if you think that through that it might say that at some point you might say okay uh the implementations are ripe enough to stay on their own but that might take a while. Yeah. So uh yeah so I cannot give you a definite answer so sorry but it's great. Yeah.
>> Okay. And any other questions that you might have? um find these guys during the break. Um otherwise, if we can get our next speaker to come up, give the give Stavros and Johannes a big round of applause. Thank you guys. [applause]
>> And for our uh last talk of the this first morning session, we have Jintai Ding.
>> Uh good morning. Um first again I would like to thank the organizer in particular Matt for giving me the opportunity to talk about here. So this talk is slightly different. It's a bit technical. Um the main point of the talk is I would like to explain to you the status of the classical cryptanalysis or security analysis of the lattice schemes. Okay. Uh let me start. Um yeah so as we all know or Dustin already explained the main PQC schemes are lattice schemes. So uh let's start with the definition of lattice. So what is a lattice? A lattice is something very simple. So you have the n-dimensional space and then you just p pick a few vectors first, for example b0 to b(n-1), linearly independent, and then you do integer linear combinations and they form what is called a free subgroup or free group and then you want to be discrete which means they don't converge to any point and this is a lattice. Okay so this is a definition and then um the first lattice scheme is actually NTRU. And of course now the most popular one is LWE. And I can simply explain the basic idea of this. Uh I mean like we know for RSA the security relies on integer factorization which means I give you a composite number, you have to find the uh factor. So in the case of lattice schemes the idea is very simple. We have many many bases. Okay which means you are given a random basis. Okay. Or you are given the good basis, and the good basis is the secret key and the random basis is the public key. So that's it. That's the basic idea of the design. Okay. And of course lattice are good schemes related to the average case worst case reduction and so on. So why not go over it and this is just example of a lattice. Okay. This is two dimensional lattice. Those are discrete points. You can see we have B0, B1, they form a basis. They are pretty long. And then you have short vectors like V0. Okay. This give you some idea.
And the fundamental problem we're relying on are two problem SVP and CVP.
Basically we want to find a short vector. Okay. And then for this definition you can see the gamma n.
Gamma n is called the approximate factor. If it's a one then it's a shortest vector problem. And what do we use is a polynomial factor in front.
Okay. Then I would like to say about the lattice security. Okay. So lattice schemes has a very strong security claim. It claim it's provably secure. But if you look at the definition very clearly, by provably secure doesn't mean we prove secure.
What do we prove that given a family of crypto system if you can break this family you can solve a hard mathematic problem. Okay, that's a provably secure.
Okay, and then if you look at ML-KEM, also Dilithium, and you realize hm something's not right because if you want some scheme to satisfy proven security requirement the parameters must satisfy certain condition and you notice that none of them satisfy this condition.
Why? Because if you want scheme satisfy those condition they are not usable practically. So therefore we first prove it's secure and then we completely ignore the condition of provable security and then we just choose parameters which are usable practically.
Then you would ask yourself how do we know it's secure? In this case we would like to call some use something called a practical security which means we find all the best attack algorithms, make sure the complexity is above certain numbers and that's it. So therefore the security really relies on so-called practical security. Okay. So this is what we have now.
Okay. In theory we know SVP is NP hard.
Let me repeat what we use is LWE. LWE belong belong to this problem. LWE relies on this problem called approximate shortest vector problem. And this is not NP hard. And what it is is we don't really know. Okay. And we believe it's hard. Okay. And then to find the shortest vector form the first known is called LLL. This is called LLL reduction.
Okay. And the LLL reduction has an approximate factor 2 to the n power.
Therefore not a polynomial. So it's an exponential approximate factor. Okay.
For this kind of algorithm we design what is called root Hermite factor. So what is root Hermite? Given the algorithm, if you find a vector and if you write the vector length into the into the formula, root Hermite factor to the nth power times lambda one.
So therefore the root Hermite is the is the factor in front of the lambda one.
Lambda one is the length of shortest vector. Okay. And then one thing extremely interesting happened in the in the case of LLL: theoretically we prove that the approximate factor should be one point uh the root factor should be 1.075 and then if you run the experiment magically it's 1.02. What does it mean?
It means LLL algorithm runs much better than theoretically predicted.
It give you a much better vector than we thought.
And you would ask why? No idea. By now we have no idea why, theoretically argue why it happens. Okay. There's some very interesting theoretical work actually um done a few years ago by uh Venkatesh. This is a Fields medalist and uh his student Seungki Kim who is in Cincinnati now. Okay.
Turns out that given a lattice if you do statistical analysis and they can prove when n goes to infinity all of all of uh almost all of the LLL bases are belong to the category 1.05.
So which means when it goes to infinity the measure of the bad basis, bad uh basis basically is equal to one, nevertheless the LLL always finds this 1.07 1.02 02. Okay. Then later we try to improve this. We use what you call BKZ.
So what's the trick of BKZ? BKZ basically is LLL and in the middle you call SVP which means you call a ve algorithm to find the shortest vector but much smaller dimension. Okay. So this is what a BKZ and BKZ. Okay. So therefore if you think about it all the security analysis relies on in the end on SVP problem. Okay. Therefore, SVP is okay. And you should understand actually the good basis and bad basis has a very interesting geometric meaning: good basis normally they the bases are orthogonal to each other because when we do lattice reduction the volume does not change.
Okay. Once the vector becomes shorter the angle must become bigger as okay. So this is essentially the the basic properties. Okay. And I already said it before. Okay. for LLL algorithm that's what happened but the LLL algorithm already doing a very good job make the bases what are almost orthogonal which means the angle between the elements of the bases are pretty good and this is will always be our starting point this is almost like a processing point okay and if you look at the BKZ so BK what the BKZ does is you do what is called Gianid and then you do what is called SVP on locally projected lattice of block size beta. See the size of beta in the end determines the uh the uh the how good the algorithm is. Okay. Yeah. So this is what happened. Now let's look at how to find SVP.
At the very beginning we do something very simple called enumeration.
Enumeration basically brute-force search which mean you find a relatively good basis and you fix the range of the coefficients and then you just search among this. And despite the fact that it's a very stupid algorithm, it was the best algorithm for a long time until 2018.
Okay, this is an enumeration method. And later we have something new called the sieving method. Okay, the sieving method is actually also very simple. It's different from brute-force search. Instead, it will first sample two to the alpha n points, which means you within certain range inside a sphere. Okay, actually the most on uh most on the boundary of a sphere and then you do what is called sieving. What is sieving? Sieving is extremely simple. You just do addition or subtraction two vectors. You keep the shorter ones and throw your long ones and then you shrink the size of the sphere step by step. In the end, you pray you will find the shortest vector. That's how it works.
Okay. And now let's look at practical security. Okay. And we have been working on this for a while. And then in the end we choose ML-KEM 512. Of course in accord requirement you should satisfy at least two to the 143 attack complexity. And if you do seatic analysis number is very very close and in the end okay um we made such such a claim because you need a two to the alpha n points. This is a huge number of points. Therefore many memory access is very costly. So therefore we argue that it should give at least 10 uh 10 10 gates more. Therefore we can argue that the security of Kyber 512 is around 160 or higher. Therefore the memory becomes very very important in terms the security support for ML-KEM 512 and one question is it really true? So this is what we did. Okay. And I give you a background of what is going on here.
Okay. And in Darmstadt okay they set up what is called SVP challenge. So these are um a list of um basis of uh lattice okay from dimension 130 and so on. If you solve it, you send an email to them and they announce announce it, you are the world record keeper. Okay, this is the progress we have been doing in the last um 15 years. So the first one is 2013 and the dimensions of 130. We suddenly climb up up the the important point is at the beginning is all enumeration and then 2018 we start to do sieving. So sieving beat enumeration.
Okay. So this is by 2021 we have dimension 180. Okay. And as you move on you realize ah memory become a bottleneck.
So after 2021 we more or less stuck.
Okay. And uh if you look at the theoretical analysis the attack complexity in terms of computation also goes down. Okay. These are the the names are the names in front are the different sieving method. Okay, there's there's one mental block which is this number one half log 2 3 over 2 which is 0.292 but theoretically we haven't been able to find a way to argue the security level will go below two to the 0.292.
So this is a good assurance in some form this is related to the internet strategy. Okay. And then we we made a few um improvements algorithm itself in the last few years for example pro program progressive sieving, pre-processing, dimension for free etc. So I will not give more details. Okay. So if you look at the Darmstadt challenge, it's very interesting. They set up a challenge up to dimension 200. This is 2013. So which means in 2013 we more or less believe dimension 200 200 is impossible to reach.
Okay. If you look at the analysis and the number the memory should be 10 terabyte. So you have to run something on 10 terabyte. We could not do that.
Okay. So we tried to solve this problem.
That's what we did. Okay. And um we found out something very interesting. So if you look at the list I showed you before, there are two sieving method. One is BDGL which has claim has the highest computation uh most efficient computation efficient claim. But there's one more is BGJ. This stands for Becker, Gama and Joux. I think Gama is here. He gave a talk yesterday.
So this is their um um this is the status. What we realize that if you look at the BGJ BGJ um sieving method carefully, it is possible. Okay, you can do stream memory access to do sieving. Therefore, jump over the memory block. So this is what we realize and then we start to implement it. Okay. And then let me jump over this. Okay. And um so let me repeat. Okay. The sieving method in the sieving method the most expensive part is the reducing pairs do the sieving yeah right yeah to do the computation so therefore the computation is very simple just addition vectors that's all okay and then what do we do here so um one very advanced techniques is that instead of doing everything on the whole space sieving on the whole space you start to divide uh divide the vectors into what is called bucket okay and if you look at geometrically the bucket is very easy to understand basically you you have at the initial sieving you have a bunch of vectors. They are all on the boundary of the sphere. Okay. And uh those um vectors we would like divide them into groups. Okay. And then do algorithm on those groups. Okay. This is called a bucket. So intuitively understanding the bucket is nothing but if you have a a sphere and you would like find nice cap caps. Okay. Small caps. It's more or less like the the top layer of a comb.
And then you want those small caps overlapping covering the whole sphere.
And then you would like to run the algorithm on the small cap. That's the basic idea. Okay. So this is u what we do called a bucket. The BDGL tried it already. So BDGL [clears throat] do some kind of bucket and then and then one thing unfortunately is they have too many buckets on one layer and they run and run everything on this and the buckets even you have to jump over the buckets do things. Okay, this is not nice. So this is what happened at BGJ and this is the most important slides today.
So what do we do? So we have the main database which means we have two to vectors. Okay, we use first filter. We filter in two but smaller bucket B1 to B and zero and then I apply the filter again layered. So this difference between BGJ and BDGL is that this BGJ is they propose to use layered bucket.
Okay, you have a big database, you do layered in the end the last layer is the the buckets with much much smaller size and then you run what you run your sieving only on those little buckets whose memory is much smaller and then therefore you can run it much efficiently. So this is basically what we did. Okay. And uh two two important points right is no communication between those sub is necessary. So you don't jump over what the buckets anymore. This is very important. Okay. Therefore we can do data do the data movement can be streamed which means we put everything in the hard drive and then we pick a bucket and move into the what the RAM and then run everything that finish put it back. So there's no mental there's no memory uh um barrier. And this is just example of 140. You have two different layers. You can see we start from from what 278 GB and then the last layer we only have 556 kilobyte and we run the what we run the algorithm on the last layer and we can put all the memory into the okay into RAM and do it. So this is what happened okay and u okay then let's jump over this. So one thing you have to be very careful is in order to run the algorithm efficiently you do some little bit cheating which means you don't what at the beginning you have the vectors those the numbers are pretty large you only remember eight eight bits okay you don't run them you do some kind of approximation but then you have to be very careful it's um um this sieving algorithm is not numerically stable so you have to do some normalization if you're not careful you will not get what you want so this is one thing uh very important. Okay. So this normalization is very important. And then um one more thing very important is those um uh filters. This filter have those coefficients. You have to be very careful to fine-tune your coefficients. Otherwise your algorithm will not work either.
Okay. So and then one more thing is some of the tricks people used before we could not use it because it affects our memory access therefore but it doesn't have much impact. And one more thing is that um I claimed earlier is basically you do what addition of subtraction vectors but choosing which one or not is completely decided by computing that dot product. So you must have you must have you must implement dot product very very efficiently. Okay. So the conclusion is that with this method we could easily solve SVP 200. This is done last year. Okay.
We have a machine of 16 164090 um Nvidia cards. That's all we run about two months.
We solve it. Okay. So the conclusion is that in the last 10 years we more or less improve the sieving method, we improve attacks on lattice scheme by like SVP in particular by like 1 million time fast.
Okay. And and this is a um okay this is what happened. So this is what we did in 2025. We solved 200 and this is a historical development. Okay. And this is what we did this year actually just a few days ago we u we solved 210 slightly harder. Okay. One point I want to make is that every time you go to 10 dimension higher you're at cost 10 times more expense.
Okay. One question you would ask me what is the impact on the practically? So you should know if you can solve SVP 400 you can defeat Kyber 500 to okay so this is the status okay and also there's a um Kyber challenge actually organized by Bochum by Alexander May and we also solved their highest challenge which is Kyber 256 we actually just solved it a few days ago okay so this is the status about this and then come back to the uh security of Kyber 512. So is this true? That's is still from what we have known that a k2 still satisfy this uh 2 to the 143 complexity. I think in our opinion it's right on the boundary. If you remove the memory cost and if you consider the progress we made it's I would say Kyber is between 141 to 145 the attack complexity for now what we k 500. Okay. So uh this is the first part my talk and then I'll go to the second half. Okay good and I was asked to talk a little bit about the Chinese uh post-quantum call. Okay so this is a I would like to tell you a little bit but so since I now work in China I can also hear rumors. So one more point I want to make is everything I say is my personal thing nothing official. Okay I have nothing to do with the government. Okay.
So China first announced to make um post-quantum standard February the 5th of February 2025. Okay. Actually to do this China built a new institute. Okay. This institute's name is ICS. Basically it's something like NIST. They just build a new institute solely for the purpose of making this new uh post quantum u uh standards. Okay. They call next generation public key algorithms. Okay.
And the Chinese call is a bit different in the sense they normally call for what? Not only they call for public-key crypto system, they actually call for symmetric schemes. For example, they call for hash functions and block cipher. The reason is very simple. China only has 128 bits symmetric cipher block ciphers. They even don't have 256.
So therefore, they need to make 256. So therefore the Chinese call is more extens most extensive. Okay. Of course the requirement is the same. And one thing China doing this differently I mean we know we all know SMS schemes right this are secret made right they just pop up but this time China decide to what make a open call so anybody can join okay they look for global submissions and so on. So this is a the um what happened in in 2025.
Okay. And uh and then if you look at the public key part the Chinese call also slight difference. They actually have one category key exchange. Okay. They separate them. They separate KEM and key exchange. Okay. And if you look at the text very uh carefully is the key c security models they didn't say anything specific. They say you can choose any of those models you want. So but you have to argue it which mean if you submit some key exchange you have to tell them which security model you have five any of those is okay they didn't even say which one they want okay and then one thing very important is that okay you are not allowed to submit the NIST algorithm again which mean if you standardize you're not allowed to submit okay but you can submit if you have significant changes okay and also very important I think from my understanding is that the ones in the NIST consideration for example doesn't just list all the the what in the on ramp um algorithms none of them as far as I understand not allow submit if you don't change substantial okay [clears throat] so this is um um one very important and also they from my understanding okay I think they will do two rounds of evaluation maybe more but this is a um um what it says okay and then in terms of practical terms okay um they actually require so the deadline the final deadline is the 30th of June this year so this means what we still have three four months you still can make one okay but you have to be careful this date may not be right so before you sub the final deadline there's a softer deadline I think I I in my memory is April 30th maybe it's March 30 I I forgot which one okay you have to submit something tell them you are going to submit. Otherwise you'll be disqualified.
Is it clear? So for any of you who want to submit to the Chinese one, you must I think March 30th or April 30. I I have to be very careful. I'm not sure. You have to check it. You have to go there.
Even you just submit a PDF file and say I would like to do it. I think it's okay. You tell them what what you submit. So this is also uh um very interesting. Okay. And then one more interesting is about the the um uh timeline finish. So I hear different messages. Okay. There are people telling me from government in 2028. I just heard it two days ago. He told me we'll finish in 2028. But people tell me 2009. There also people tell me 2030. Okay. But there's one date China also claimed.
This is I heard everyone. China would like to finish the migration by 2035 as well just like everybody else as well.
What how they do it? I have no idea.
Okay. And then one more interesting is the review process. Okay. And what I know is because they asked me to join them as a member of the uh international review committee and Bart here is also a member well as far as know I think multiang is a member and you spoke is a member but that's I don't know so there will be an international reviewer committee and then there will be Chinese internal committee and then we'll do the evaluation okay and one more thing is if you're on the committee you are not allowed submit so this is uh what I know about the review process itself no idea I asked many times s how you will do it not decided yet. Okay. But one thing very interesting for me okay is that China intends to in my understanding a parallel process which means the government now is actually going to give many big projects.
Okay. In parallel to the to the reviewing process supposedly China quickly decide the first round. You have maybe 10 15 algorithms and then China will I as in my understanding will give out big projects do implementation testing everything simultaneously for each one in the process such [snorts] that what they want to make sure when the decision is done all the implementation everything is done at the same time. This is how I understand it.
Okay. So therefore there are many big projects um expected. I mean for example China is very interested in the m migration the banking industry I'm now in involving one of the projects from the ministry of science study how banking industry doing m uh migration okay so this is um uh what happened and then um as I said before um you should be very careful in terms of uh IP as well have a very stringent I single IP requirement you should read your document very carefully I don't fully understand it I have to be careful okay uh so That's it. Uh, I think I'm running out of time and thank you very much.
Thank you. [applause]
>> Questions for Gent. We got about five minutes.
>> Yes.
>> Hi, thank you. I was just interested in the kind of last point you were making specifically on the parallel process and projects. You mentioned that there's a specific interest in the banking industry and the parallel process is more focused on implementation. Can you just expand more on what that is specifically?
And if you look at the NIST process right so we we done with the standardization now all the industry are moving on doing implementations doing testing and doing everything.
So um what I my understanding is that suppose you are getting to the second round or you are selected into the second round there will be project given such you do you will do exactly what we're doing now after the initial is done which you pretend it will be what it will be standardized and then you start to test in different industries and so on and you implement it to all the to do the all with so we are now here in this group we are working on what the NIST algorithms and then we do it test this indust but China would like to do simultaneously if before it is standardized they would like to do that
>> so
>> yes the the yes you're right the the the work in NC is I think this is my understanding okay this is just my understanding the done should be should be done to the algorithm which is not selected but in the second round or something like that okay yes okay yes so the purpose is that once algorithm is standardized then immediately what the work is ready you can do a deployment I think that's the purpose therefore you can catch up on the 2025 deadline as no way
>> yes
>> yeah we got another
>> okay thank you for your introduction and then as far as I understand you are now decryting the new primitives not standards is that true for example
>> no what what do you mean there's no there's no
>> so you do not accept the digital standard for Chinese
>> yeah I already explained uh no no That's you a new submissions have to be substantially different from existent.
You mean that the new new primitive new one
>> then depends definition new I don't think it can be that new this is my understanding because you don't have many choices
>> but you have to what they say is do substantial difference but what does mean I have no idea
>> I have no idea but I I'm very sure it will be aw you know if you do modular w you do k= 2 three maybe you do k equal to five maybe you can claim significant I don't know
>> so so one more is if you the process is finished. What is your next plan? So the you are using only in China or internationally.
>> Ah this is a very good point. Um so from what I understand the Chinese government is very interested in pushing to be standardized globally. So they are very interested in doing ISO and that's I think that's the sole motivation China would like do it openly because they realize if you don't do openly then if you push it to ISO it become difficult.
I think the intention is of course you the in China you first required to use that in China but I think Chinese government intend to push it to become ISO standard this is my understanding
>> if so is you have open to the everyone you know that you don't have any the the challenge of I mean that any person can propose you mean
>> yes
>> in the world
>> yes not not but not me
>> not
>> because if Yeah. No, you if you're on the committee.
>> Okay. Everybody can challenge it.
>> Anybody [clears throat] can. Yes. Yes.
>> Okay. Thank you.
>> Anybody can anybody can submit. Yes.
>> Yes.
Do
>> I see any other questions? Anybody have any other questions? The coffee is still going to be there. It's okay. [laughter]
>> Okay. Okay. Gentai. Thank you very much.
Thank you.