Gonzalo Álvarez Marañón

In the early 20th Century, when calculators, computers and smartphones did not yet exist, scientists and engineers used tables of logarithms compiled in thick volumes for their calculations. For example, a shortcut for multiplying two large numbers is to look up their logarithms in the tables, add them together (adding is easier than multiplying, isn't it?) and then look up the anti-logarithm of the result in the tables. In the 1930s, physicist Frank Benford worked as a researcher at General Electric. One day, Benford noticed that the first pages of the logarithm books were more worn than the last ones. This mystery could only have one explanation: his colleagues were looking for numbers starting with smaller digits more often than those starting with larger digits. [1] As a good scientist, he asked himself: why did he and his colleagues find such a distribution of numbers in his work? Intuitively we think that the first digit of any number should follow a uniform distribution, i.e. the probability of any number starting with 1, 2, 3, ... Up to 9 should be the same and equal to 1/9 = 11,111...%. But no! Frequency of digit occurrence Benford was puzzled to see how the frequency of occurrence of digits in the numbers of many natural phenomena follows a logarithmic distribution. Intrigued by this discovery, Benford sampled data from various sources (from river lengths to population censuses) and observed that the probability of the first digit of any number being equal to d is given by the following logarithmic law: Pr( d ) = log( d + 1 ) – log( d ) = log ( ( d + 1 ) / d ) = log( 1 + 1 / d ) The following table lists all the values of P( d ) from 1 to 9. Probabilities (in percent) of the first significant digit of numbers that follow Benford's Law. On the Testing Benford's Law page you will find numerous examples of datasets that follow this law, such as the number of followers on Twitter or the user reputation on Stack Overflow. Screenshot of Testing Benford's Law page. Why digits form this distribution The explanation of why they form this distribution is (relatively) simple. Look at the following logarithmic scale bar. If you pick random points on this bar, 30.1% of the values will fall between 1 and 2; 17.6% will fall between 2 and 3; and so on, until you find that only 4.6% of the values will fall between 9 and 10. Therefore, in a numerical series following a logarithmic distribution, there will be more numbers starting with 1 than with another higher digit (2, 3, ...), there will be more numbers starting with 2 than with another higher digit (3,4, ...), and so forth. Logarithmic sacale bar. But we are not going to stop here, are we? The next interesting question that arises is: how can one identify data sets that normally conform to Benford's law? To understand the answer, we need to travel with our imagination to two very different countries: Mediocreland and Extremeland. AI OF THINGS Women who changed Mathematics March 9, 2023 In Extremeland, Benford's law rules Lining up all the employees in your organisation and measuring their heights, you will get a normal distribution: most people will be of average height; a few will be rather tall and a few will be rather short; and a couple of people will be very tall and a couple of people will be very short. If an employee arrives late to the measurement session, when we add his or her height to the rest, it will not significantly alter the group average, regardless of how tall or short he or she is. If instead of measuring height you record weight or calories consumed each day or shoe size, you will get similar results. In all cases, you will get a curve similar to the following one. Normal distribution. Now that you have them all together, you could write down the wealth of each one. What a difference! Now the majority will have rather meagre total capital, a much smaller group will have accumulated decent capital, a small group will have a small fortune and a very few will enjoy outrageous fortunes. And if the CEO arrives late and we add his wealth to that of the group, his impact is likely to be brutal on the average. And if you measure the number of Instagram followers of your colleagues and there is a celebrity among them, you will get similar results. Graphically represented, all these results will have a shape similar to the following. Potential distribution As you can see, not all random distributions are the same. In fact, there is a great variety among them. We could group them into two broad categories: those following (approximately) normal distributions and those following (approximately) potential distributions. Nicholas Nassim Taleb describes them very graphically in his famous book The Black Swan as two countries: Mediocristan, where individual events do not contribute much when considered one at a time, but only collectively. Extremistan, where inequalities are such that a single observation can disproportionately influence the total. So to answer the question of which data sets fit Benford's law, we are clearly talking about data in the country of Extremistan: large data sets comprising multiple orders of magnitude in values and exhibiting scale invariance. The latter concept means that you can measure your data using a range of different scales: feet/metres, euros/dollars, gallons/millilitres, etc. If the digit Frequency Law is true, it must be true for all scales. There is no reason why only one scale of measurement, the one you happen to choose, should be correct. A couple of additional restrictions for a dataset to follow Benford's Law are that it consists of positive numbers, that it is free of minimum or maximum values, that it is not composed of assigned numbers (such as telephone numbers or postcodes), and that the data is transactional (sales, refunds, etc.). Under these conditions, it is possible, but not necessary, for the dataset to follow this law. OK, so you have a dataset that is perfectly in line with Benford's law. What good does it do you? Well, it is useful, for example, to detect fraud, manipulation and network attacks. Let's see how. CYBER SECURITY Artificial Intelligence, ChatGPT, and Cyber Security February 15, 2023 How to apply Benford's Law to fight cybercrime The pioneer of anti-fraud law enforcement was Mark Nigrini, who recounts in his book Benford’s Law: Applications for Forensic Accounting, Auditing, and Fraud Detection a multitude of fascinating examples of how he caught fraudsters and scammers. Nigrini explains, for example, that many aspects of financial accounts follow Benford's Law, such as: Expense claims. Credit card transactions. Orders. Loans. Customer balances. Journal entries. Stock prices. Inventory prices. Customer refunds. And so on. It proposes special tests, which it calls digital analysis, to detect fraudulent or erroneous data that deviates from the law when it has been fabricated. I found it particularly revealing how it unmasks Ponzi schemes such as the Madoff scam because of financial results that, when fabricated, did not follow Benford's Law and set off all the alarm bells. The method is not infallible, but it works so well that these tests have been integrated into the audit software used by auditors, such as Caseware IDEA o ACL. Screenshot of the Benford analysis of the Caseware IDEA program. In another paper, the authors showed that images in the Discrete Cosine Transform (DCT) domain closely follow a generalisation of Benford's law and used this property for image steganalysis, i.e. to detect whether a given image carries a hidden message. Benford's law can also be used to detect anomalies in: Economic and social data collected in surveys. Election data. Cryptocurrency transactions. The keystroke dynamics of different users. Detect errors or manipulations in drug discovery data. In the Benford Online Bibliography you will find a non-commercial, open-access database of articles, books and other resources related to Benford's law. Another use case of Benford's law is the detection of Internet traffic anomalies, such as DDoS attacks. It has been known for many years that packet inter-arrival times exhibit a potential distribution, which follows Benford's law. In contrast, DDoS attacks, being flooding attacks, break any normality of traffic behaviour in a network. In particular, packet inter-arrival times are not long enough and appear as noticeable deviations from Benford's law, as can be seen in the following div. Benford's analysis of packet inter-arrival times reveals four DDoS attacks. The best thing about this anomaly-based DoS attack detection method is that, unlike other approaches, "it requires no learning, no deep packet inspection, it is hard to fool and it works even if the packet content is encrypted. Benford's future in cyber security Biometrics, steganalysis, fraud, network attacks,... The world of cybersecurity is beginning to incorporate the analysis of the probability distribution of logarithmic laws with very promising results. It is a flexible technique, consumes hardly any resources, is very fast and requires no training. It does require, however, that the normal data set meets sufficient conditions to conform to Benford's law. Next time you are faced with a dataset, ask yourself if the first digit of each number follows Benford's law. You may find unexpected anomalies. ___ [1] In fact, this same observation was made in 1881 by the astronomer and mathematician Simon Newcomb. He published a paper on it, but it went unnoticed. Featured photo: This is Engineering RAEng / Unsplash

— Here are the exact coordinates of each operative deployed in the combat zone. — How much? — 100.000. — That is too much. — And a code that displays on screen the updated position of each and every enemy soldier. — Deal! Video games are a very serious business. They move a market worth many billions of euros worldwide and attract all kinds of criminals. For example, in an online multiplayer video game, each device needs to know the position of all objects on the ground in order to render them correctly in 3D. In addition, it needs to know the positions of other players, to render them if they are in sight of the local player or not to render them if they are hidden behind walls or rocks. The server faces a classic dilemma: if it provides the positions of the players to the other players, they can cheat; but if it does not provide them, the game will not know when to show the hidden players. Instead of providing exact coordinates, it would be ideal to be able to provide information on whether or not a target is in view of the local player, but without revealing its position. This was hardly possible until the invention of functional cryptography. Functional Cryptography, A Step Beyond Conventional Public-Key Cryptography Despite all its benefits and wonders, public key cryptography has some practical limitations: It provides all-or-nothing access to the encrypted data: either you decrypt the full plaintext, or you get no information about the plaintext at all. Once the data is encrypted with the public key, there is only one private key capable of decrypting it. In 2011, D. Boneh, A. Sahai and B. Waters proposed to go beyond conventional asymmetric encryption with their functional cryptography: a new approach to public-key encryption in which different decryption keys allow access to functions on the data in clear. In other words, functional cryptography makes it possible to deliberately leak information about the encrypted data to specific users. In a functional encryption scheme, a public key, pk, is generated. Any user can encrypt a secret message, m, with it, so that c = E(pk, m). And here comes the twist: instead of using a conventional decryption key, a master secret key, msk, is created, known only by a central authority. When this authority receives the description of a function, f, it derives from msk, a functional decryption key, dk [f], associated with f. Anyone using dk[f] to decrypt the encrypted data, c, will instead get the result of applying the function f to the data in clear, f(m), but no additional information about m. That is, D(dk[f], c) = f(m). Conventional public key cryptography is a particular case of functional cryptography where f is the identity function: f(m) = m. Applications of Functional Encryption A multitude of use cases can be devised for functional encryption, anywhere encrypted data is required to be operated on, but not seen: Spam filtering: A user does not trust his mail provider but wants it to clean up his spam messages. The user can implement a functional encryption system: he encrypts all his messages with pk and provides the server with a functional decryption key, dk[f], where f is a spam filtering function that returns 1 if a message m is spam and 0 otherwise. The server will use dk[f] to check if an encrypted message is spam, but without obtaining any additional information about the message itself. Database searches: a cloud service stores billions of encrypted images. The police want to find all images containing a suspect's face. The server provides a functional decryption key that decrypts the images containing the target face but does not reveal anything about other images. Big data analytics: Consider a hospital that records its patients' medical data and wants to make it available to the scientific community for research purposes. The hospital can delegate the encrypted storage of its sensitive patient data to a public cloud. It can then generate functional decryption keys that it distributes to researchers, enabling them to calculate different statistical functions on the data, without ever revealing individual patient records. Machine Learning on encrypted data: after training a classifier on a clear dataset, a functional decryption key associated with this classifier can be generated and used to classify a set of encrypted data, so that in the end only the classification result is revealed, without filtering anything about the data in the set. Access control: In a large organisation you want to share data between users according to different access policies. Each user can encrypt x = (P, m), where m is the data the user wants to share, and P is the access policy that describes how the user wants to share it. The functional decryption key dk[f] will check if the user's credentials or attributes match the policy and reveal m only if they do. For example, policy P = ("ACCOUNTING" OR "IT") AND "MAIN BUILDING" would return m to an accounting department or an IT department with an office in the organisation's main building. Differences Compared to Fully Homomorphic Encryption (FHE) If you are familiar with the concept of the fully homomorphic encryption (FHE), you may have thought of it when reading about functional encryption. The difference between the two is crucial: fully homomorphic encryption (FHE) performs operations on the encrypted data and the result is still encrypted. To access the result of the computation on the encrypted data, decryption is needed, which can be inconvenient in certain use cases. The following schematic representation will help to visualise the difference between the two encryption schemas. In the case of fully homomorphic encryption (FHE), the function f is computed on the encrypted data and the result is encrypted: E(m1), E(m2), …, E(mn) --> E(f(m1, m2, …, mn)) Whereas with functional encryption, the result is directly accessible after the calculation of f: E(m1), E(m2), …, E(mn) --> f(m1, m2, …, mn) Another important difference is that in the case of FHE, anyone can perform the calculations on the encrypted data, so given the encrypted text of the result, there is no guarantee that the calculations have been performed correctly. FHE requires the use of zero-knowledge proof to verify that the correct function was evaluated. On the other hand, in functional cryptography, only the holder of the functional decryption key can perform the calculations, which provides greater guarantees of correctness. Functional Encryption Security There is a wide variety of functional encryption schemas, based on different and very complex mathematical tricks. To simplify a lot, a functional encryption is considered secure if an adversary cannot obtain more information about m than f(m). Even if n parties in possession of the keys dk[f1], dk[f2], …, dk[fn], agree to attack m in a collusion attack, they will not obtain more information than f1(m), f2(m), …, fn(m). The level of information about m revealed is fully controlled by whoever generates the functional decryption keys. Super-Vitaminised And Super-Mineralised Public Key Cryptography for A Future in The Cloud Functional encryption is still a very young discipline, which is receiving strong research momentum for its endless applications in cloud services and IoT. A particularly interesting application enhanced by the European FENTEC project is the possibility of moving the decision-making process based on end-to-end encrypted data from back-end systems to some gateways in complex networks, which is called local decision-making. Being capable of enabling gateways to perform such local decision-making is a big step forward in securing IoT and other highly decentralised networks that might want to implement end-to-end encryption, without losing too much decision-making capabilities at the gateway level. If you want to try functional cryptography, you can do so thanks to several libraries published by the researchers of the FENTEC project. You can go directly to Github and start playing with CiFEr, a C implementation, and GoFE, implemented in Go. You can even try it out in your browser using WASM. Functional encryption represents a further step towards a more powerful and versatile cryptography, capable of protecting users' privacy in use cases that were previously unthinkable with conventional cryptography.

Google's Titan Security Key or YubiKey from Yubico are the ultimate trend in multi-factor authentication security. According to Google's own website: «The keys have a hardware chip with firmware designed by Google to verify that no one has tampered with them. These chips are designed to resist physical attacks that seek to extract the key's firmware and secret material». In other words, a Titan or YubiKey key stores your private key and it should be impossible to extract it from the device. It should be. Because to be honest, you can, as several NinjaLab researchers proved it in January in a titanic work (ok, yes, that was a bad joke). How did they achieve it? Using a side-channel attack. How Do Side Channel Attacks Work What happens when mathematical algorithms leave the blackboards of cryptographers and are programmed into Real World™ chips? In the crude physical world, far away from ideal platonic bodies, a bit has no choice but to be represented as an electric current passing ("1") or not passing ("0") through a transistor. And, however subtly it flows, an electric current inevitably produces effects around it: a small electromagnetic radiation, a small variation in temperature, a small rise in energy consumption, a small displacement of air, an imperceptible sound, ... If you are able to measure these effects, you are able to read keys, intermediate states, memory.... In short, to extract enough information to circumvent the mathematical algorithm. No matter how secure your cryptography is, if the hardware implementation allows a side-channel attack, it will come to nothing. Figure 1. Traditional (ideal) cryptographic model versus (real) side-channel cryptographic model. Cryptanalysts have discovered since the birth of mechanical cryptography that every cryptographic device "snitch" on what is going on inside it. Instead of attacking the algorithms, side-channel attacks attack the implementation of the algorithms. In short: if hardware is involved, there will be a side-channel leaking information. It is pure physics. Let's look at it with an example. Power Analysis Attack On RSA In a previous article, I explained mathematical attacks against the popular RSA public key encryption algorithm, although I only briefly mentioned the possibility of side-channel attacks. As you know, to encrypt with RSA, the following operation is performed on the public key, e and n: c = me mod n while the private d key is used for decryption: m = cd mod n The attacker's goal is to extract this private key, d, from the device. As you can see, the way RSA works is based on the exponentiation operation. Since RSA uses very, very large integers, mathematicians looked for shortcuts to make the calculation of these operations fast. More precisely, the exponentiation by squaring algorithm, also known as square and multiply, is often used. It is very simple to understand. To calculate 34 = 11100 you can do the following operations: 32 = 9 (square) 92 = 81 (square) To calculate this result, it was enough to square it twice in a row. Let's see what happens with another exponent. For 35 = 11101 the algorithm works like this: 32 = 9 (square) 92 = 81 (square) 81 × 3 = 243 (multiply) In this case, two squares and one multiplication have been performed. Finally, consider 312 = 111100: 32 = 9 (square) 9 × 3 = 27 (multiply) 272 = 729 (square) 2792 = 531.441 (square) By now, you will have realised how the algorithm works: after ignoring the first "1" in the exponent, if you encounter a "1", do a square and a multiplication; if you encounter a "0", do just a square. No matter how big the base and exponent are, you can always exponentiate by these two operations in a remarkably efficient way. In short, always square and only multiply if the exponent bit to be processed is 1. Now, as you can imagine, square and multiplication are two operations that will take much longer than just square. If you could see how long a circuit is taking to operate, you would div out what operation it is performing, and therefore what the private exponent, d, is. And the reality is that it is as simple as looking at the power consumption of the device, as shown in the div below: Figure 2. Consumption analysis of a chip operating with RSA (source: Understanding Cryptography: A textbook for students). From the observation of the trace, it is clear that the secret key is: operations: S SM SM S SM S S SM SM SM S SM … primate key: 0 1 1 0 1 0 0 1 1 1 0 1 … Of course, this attack works for keys of any length. Similarly, other encryption algorithms leak information in other ways, but unfortunately, they all leak something. And when the power analysis does not leak the information needed, there are many other attacks. Types of Side-Channel Attacks In addition to the side-channel attack based on power consumption, researchers have been discovering many other ways to obtain information from an operating hardware device: Attack on the cache: The cache is an almost instantaneous direct access memory, used to store heavily used data and instructions. When data is loaded into cache for the first time (cache miss) there is a delay, as opposed to when data is already in cache (cache hit), where access is instantaneous. This difference in access times leaks valuable information that can be used by an attacker to obtain sensitive data from memory. The devastating Meltdown and Spectre attacks are examples of this type of attack. Time attack: this is carried out by measuring the time it takes for different instructions of a cryptographic algorithm to execute according to various parameters. Time variations allow information to be extracted from the key. Consumption monitoring attack: not all operations performed by an algorithm are equally complex. In general, the greater the complexity, the greater the consumption. By measuring these variations in consumption, information can be extracted on the algorithm's arguments, as in the example seen for RSA. Electromagnetic attack: any electronic device leaks electromagnetic radiation, which can directly provide the content of sensitive information. These measurements can be used to infer cryptographic keys using techniques equivalent to power analysis or can be used in non-cryptographic attacks, e.g. TEMPEST, which allows the information on a monitor to be replayed from another room. Sound attack: it is possible to div out the operation of a device's processor and break its cryptography by listening with a conventional smartphone to the sound of its capacitors and coils as they operate. There are also non-cryptographic attacks that exploit the sound emitted by the keys on a keyboard when entering a password or the noise of the heads of an ink-jet printer when printing. Differential failure analysis: when hardware is intentionally induced to fail, unexpected responses from the execution of an algorithm can be used to obtain information about its data. The padding oracle attacks against RSA or the length extension attack, based on this technique, are very famous. Cryptography Does Not Run On Paper, But On Hardware However, secure an algorithm may be on paper, when executed on hardware it opens the door to side-channel attacks. Although they have been known since the early 20th century, they have gone relatively unnoticed because they require physical proximity to the attacker to carry them out. But thanks to smartphones and drones, it is now easy to implant microphones and sensors anywhere to launch side-channel attacks against victims. Over time, such attacks will become easier and cheaper. Even quantum key distribution is not immune to side-channel attacks. In addition to those mentioned above, new attacks are continually being discovered: cold boot, software-based, error message-based, optical, etc. There are many countermeasures that can be added to hardware designs to counter these attacks: injecting randomness, adding noise, deleting data, etc. It is a race in which the attackers are always one step ahead of the engineers and which, sadly has apparently no end.

When the secret police arrested Andrea at the airport checkpoint, she thought it was a mere formality reserved for all foreign citizens. When they searched her luggage and found the USB disk with all the names and addresses of the political dissidents she was helping to flee the country, she was relieved: the disk was encrypted with a 256-bit AES key, and even a supercomputer would not crack it in a billion years. When she was strapped naked to a grill and received the first shock of 1000 volts, her nerves and muscles convulsed in panic. How long could she hold out before revealing the secret key? If she spoke, how many more people would be tortured and killed? Is there any point in cryptography if you can be made to reveal the key? Indeed, even the best encryption algorithm in the world will not resist rubber-hose cryptanalysis: so why bother mathematically attacking an encryption algorithm, when through extortion, bribery or torture the keys of the people who use or manage it can be extracted? It would be wonderful to be able to encrypt the information so that, if you reveal the encryption key under duress, the original sensitive information is not decrypted with it, but rather a decoy. Fortunately, this amazing form of cryptography exist; it is called plausibly deniable encryption. Plausibly Deniable Encryption to Decrypt One Message or Another Depending on The Scenario For instance, an encryption algorithm (E) receives as inputs a sensitive message to be protected (the clear text, m) and a short random string of bits (the key, k) and produces as an output a random-looking set of bits (the encrypted text, c) of approximately the same length as the message: c = Ek( m ) The same message m encrypted with the same key k produces the same encrypted text c. For the sake of simplicity, in this article we will leave aside the randomly filled-in encryption that precisely avoids this determinism. Likewise, the same encrypted text c decrypted with the same k key produces the same clear text m using the corresponding decryption algorithm (D): m = Dk( Ek( m ) ) It is in this sense that it is affirmed that encryption compromises: once you have encrypted a text m with a key k and shared the c encrypted text, the three values are indissolubly linked. If under duress you reveal k, from c you will obtain the original text m, perfectly legible by everyone. If instead of revealing the true key k, you invent any k value , then the result of decrypting c with it will be a random text and, therefore, illegible, so everyone will know that you did not confess the real key: k. Therefore, they will be able to keep coercing you until you reveal the real k. Furthermore, the mere fact of storing or transmitting encrypted messages is in itself incriminating, depending on the scenario. To a repressive government, a bloodthirsty criminal or a jealous partner, possessing or sending encrypted information will make them suspect that there is something they want to hide. Encryption protects the confidentiality of the message but does not hide its existence. How do you get out of the way if an adversary intercepts your encrypted information and demands that you decrypt it? You neither want to reveal the encrypted information, nor can you decrypt it with a wrong key that returns unreadable text. The aim of plausibly deniable encryption is that the same c encrypted text can be decrypted with two different keys, k1 and k2, resulting in two different clear texts, m1 and m2, both perfectly readable, but with a fascinating twist: m1 is the sensitive text whose confidentiality you really want to protect, while m2 is a readable and plausible text, which acts as a decoy, and which you can happily display to the satisfaction of your adversary. Both created from the same c! How To Achieve Rudimentary Deniable Encryption Using XOR Encryption If you think that plausibly deniable encryption is a matter of magic, you will see how a rudimentary version can be achieved through a simple example based on the one-time use notebook. Simply by using XOR operation, also known as sum module 2, which we will represent by (+). In this algorithm, it is encrypted and decrypted as follows: Encryption à c = m (+) k Decryption à m = c (+) k = m (+) k (+) k = m since the XOR of a value with itself is equal to 0. We start with two messages, the sensitive m1 and the decoy m2, and a secret key, k1, as long as the longest message. The encrypted text c is calculated as: c = m1 (+) k1 k2 key is calculated as k2 = c (+) m2 If c is decrypted with k1, m1 is obtained: c (+) k1 = m1 (+) k1 (+) k1 = m1 While if c is decrypted with k2, m2 is obtained: c (+) k2 = c (+) c (+) m2 = m2 Deniable encryption works! The adversary has no way of knowing whether m2 was the authentic message or a fake one. Hopefully, he will be satisfied and leave the victim alone. Obviously, you can calculate as many keys and alternative messages from c as you like. Another scenario of using deniable encryption that has nothing to do with protection against duress is to send different instructions to different recipients, but all of them contained in the same encrypted text! All recipients openly receive the same cipher text c. However, each recipient is given a different ki key that will decode a different mi message from the same c. Recipient 1 will get the m1 message if he/she decrypts c with the k1key, recipient 2 will get the m2 message if he/she decrypts c with the k2 key and so on. None will be able to read the other's message. Moreover, they will not even suspect its existence. Of course, this version would be impractical, as it requires keys as long as the messages themselves. So the cryptographers had to develop more efficient algorithms. The Gradual Improvement of Deniable Encryption Over the Years The first operational deniable encryption algorithm was proposed in 1997 by R. Canetti, C. Dwork, M. Naor and R. Ostrovsky, based on the following ingenious idea: imagine that the sender (Alice) and the receiver (Bob) have agreed on a certain method that allows Alice to choose in a domain an element either totally randomly or in a pseudo-random way, so that Bob can distinguish the random from the pseudo-random choice. When Alice wants to transmit a 1, she sends a pseudo-random chain; while to transmit a 0, she sends a truly random chain. Since the adversary cannot distinguish the pseudo-random element from the random one, Alice can pretend to have sent any kind of message. Over the years, numerous deniable encryption schemes have been proposed, both for public and secret keys. These last ones can be used to encrypt large volumes of data, such as entire hard disks. A good example of these deniable encryption systems applied to disks is the multi-platform tool Truecrypt, with its volumes hidden within encrypted volumes. It is based on the pioneering work developed in 1997 by the cryptopunks Julian Assange (yes, the one from Wikileaks) and Ralf Weinmann, precisely named Rubberhose File System, in reference to the above-mentioned cryptanalysis method. Tools for deniable encryption of Android smartphone content have also been launched, such as Mobiflage or MobiCeal. The BestCrypt app provides the widest coverage, as it works on Windows, MacOS, Linux and Android. Be Careful with Deniable Encryption, Which Can Give You Away However, deniable encryption is not exempt from very serious risks. If your adversary is sufficiently well versed in cryptography, the mere suspicion that you are using a deniable encryption system will motivate him to continue extracting keys from you. Suppose you have used Truecrypt to encrypt the information on your disk, data that you cannot hide from a basic digital forensic investigation. Will your adversary be satisfied with the first key you reveal to him? Possibly he will continue to coerce you, with rubber-hose or other means, to reveal a second key. And a third. And a fourth... How will your adversary know that he has extracted your last key and you are not hiding another one? Deniable encryption can turn against you in a rubber-hose cryptanalysis scenario because it could incite to never stop. In short, plausibly deniable encryption is yet another tool that cryptography places at the service of civil liberties and rights. However, in circumstances of real danger of duress, it must be used with caution.

The chronicles of the kings of Norway has it that King Olaf Haraldsson the Saint disputed the possession of the Hísing island with his neighbour the King of Sweden. They decided to settle the dispute peacefully with a game of dice. After agreeing that the winner would be the one with the highest score, the King of Sweden threw the dice first. –Twelve! I won! No need to throw the dice, King Olaf. As he shook the dice in his hands, Olaf the Saint replied: –There are still two sixes left in the dice and it will not be difficult for God, my Lord, to make them appear again on my behalf. The dice flew and two sixes came out again. Once more, the king of Sweden rolled the dice and again he rolled two sixes. When it was Olaf the Saint's turn, one of the dice rolled broke in two, one half showing a 6 and the other a 1, making a total of 13. As a result, the ownership of the island was awarded to Norway and both kings remained friends. Randomness plays a fundamental role in all games of chance. And what might surprise you most: cryptography could not exist without randomness. In this article you will discover how randomness is used in cryptography and how to obtain random numbers, a task, as you will see, not easy at all. What is Randomness? There are so many definitions of randomness that we could fill a book with them. In cryptography the following interpretation is common, which I quote from Bruce Scheneier: Randomness refers to the result of a probabilistic process that produces independent, evenly distributed and unpredictable values that cannot be reliably reproduced. I would like to highlight the following three ingredients that every randomness generator must exhibit in order to be used with guarantee in "cryptographic salads": Independence of values: there is no correlation between the values generated. For example, if you toss a coin (without trickery) into the air and it comes up heads nine times in a row, what is more likely, heads or tails on the tenth toss? Well, the probability is still 1/2, because the result of one toss is independent of the previous toss. Unpredictability: even if you get bored looking at values and more values, you can't predict the next value with a higher probability than random, no matter how long the preceding sequence was. Again, coins, dice and roulettes are excellent random generators because, no matter how many theories you come up with, you won't know what's going to happen next (assuming they're not loaded). Uniform distribution: I'm sure that while you were reading the chronicle of King Olaf the Saint you were thinking: "Impossible! How can two sixes go out four times in a row? And you are right to doubt, because the probability of this sequence is (1/36)-(1/36)-(1/36)-(1/36) = (1/36)4 = 0.00000059537... or 1 in 1.67 million. It is not likely that this sequence will occur, but it is possible. In fact, if you roll the dice a billion times it would appear about 600 times on average. Randomness as we imagine it manifests itself in large numbers, not in small numbers. The more values generated, the more we expect to see all possible sequences, distributed evenly, without any kind of bias. The problem with randomness is that you're never sure. Were the dice of the Nordic kings loaded? Did it happen, just by chance, that an improbable sequence happened that day? There is evidence of randomness that dictates with very high confidence whether or not a generator is random, but you can never be absolutely sure. In fact, there is a wide range of statistical test sets (NIST, Test01, Diehard, ENT, etc.) that try to rule out sequences that do not verify certain statistical properties, although they cannot guarantee perfect randomness. How Are Random Numbers Generated? Yes, but how do you generate random numbers on a computer? In order not to complicate things, let's limit ourselves to two approaches: True Random Number Generator (TRNG): require a natural source of randomness. Designing a hardware device or software program to exploit this randomness and produce a number sequence free of bias and correlation is a difficult task. For example, thermal noise from a resistor is known to be a good source of randomness. TRNGs can also collect entropy in a running operating system through the use of connected sensors, E/S devices, network or disk activity, system registers, running processes, and user activities such as keystrokes and mouse movements. These system- and human-generated activities can function as a good source of entropy but can be fragile and manipulated by an attacker. In addition, they are slow to produce random numbers. Pseudo-random number generators (PRNG): unfortunately, most natural sources are not practical due to the inherent slowness of process sampling and the difficulty of ensuring that an opponent does not observe the process. Moreover, it would be impossible to reproduce, which would require two copies of the same sequence: one for Alice and one for Bob, which entails the almost insurmountable difficulty of getting them to both. Therefore, a method is required to generate randomness that can be implemented in software and that is easily reproducible, as many times as necessary. The answer lies in pseudo-random number generators: an efficient and deterministic mathematical algorithm to transform a short and uniform string of k length, called the seed, into a longer, uniform-looking (or pseudo-random) output string of l >> k length. In other words: “A pseudo-randomness generator uses a small amount of true randomness to generate a large amount of pseudo-randomness” What Is the Use of Randomness in Cryptography? Randomness is difficult to generate and difficult to measure. Nevertheless, it is a key ingredient for the success of any cryptographic algorithm. Look at the different roles that randomness can play in making cryptography secure: Encryption keys: to encrypt a message you need an encryption key, both for secret key algorithms and public key algorithms. If this key is easy to guess, what a rip-off! A fundamental requirement for the secure use of any encryption algorithm is that the key is selected randomly (or as randomly as possible). In fact, one problem faced by ransomware is how to generate random keys to encrypt victims' files. The best encryption algorithm in the world is worthless if the key is revealed. It is recommended to use a hardware device to generate them, such as the TPM on Windows systems or an HSM. Initialization Vectors: Block cipher algorithms use a random initial value, called the initialization vector (IV), to start the cipher of the first block and ensure that the same message encrypted with the same key will never yield the same value, as long as a different IV is used. This value can be known, but not predictable. Again, it is therefore critical to use random (and unpredictable) values to avoid repetition. And once again, it is recommended to use hardware devices to generate them. Nonces: a nonce is a number used once in a secure communication protocol. And what use can these fleeting nonces be? In a similar way to that explained with the initialisation vectors, nonces ensure that even if the same messages are transmitted during a communication, they will be encrypted in a completely different way, which avoids reproduction or reinjection attacks. In fact, nonces usually work as IVs: a nonce is generated and encrypted with the secret key to create the IV. They are also used in authentication protocols, such as in HTTPS, or for proof of work systems, such as in Bitcoin. Salts: salt is another random value commonly used when storing passwords in a database. As you may know, passwords should never be stored in clear: any attacker who accesses the user table would see the passwords! The password hash could be stored instead. But what if two passwords are the same? They will be given the same hash! If an attacker steals the database and sees many identical password hashes, bingo! He knows that they are easy passwords, the ones everyone chooses when they are not careful. On the other hand, you can pre-compute huge tables of known password hashes and search for those hashes in the stolen database. To avoid these problems, a random value is added: salt. From now on, the password hash will not be saved, but the salt and the password hash concatenated with the salt: H( password || salt). Therefore, two identical passwords will result in two different hashes as long as the salt is random. Likewise, attacks that pre-calculated hashes of known passwords are no longer useful. Like nonces, salts don't have to be secret, but they do have to be random. Another typical application of salts is in key derivation functions from passwords (KDF). A very simple scheme consists of repeating n times the hash of a password and a salt: key = Hn( password || salt ) Filling: the famous RSA public key encryption algorithm is deterministic, i.e. the same message encrypted with the same key will always yield the same cipher text. That can't be! It is necessary to randomise the message in clear. How? By adding random bits very carefully, in what is known as the OAEP scheme, which transforms traditional RSA into a probabilistic scheme. Similarly, to avoid the malleability of RSA encryption in digital signatures, the PSS scheme adds randomness. Blind signatures: to get a person to digitally sign a document, but without being able to see the content of the signed document, random values that "blind" the signer are also used, hiding the content of the message to be signed. Subsequently, once the random value is known, the value of the signature can be verified. This is the digital equivalent of signing a document by placing a tracing paper over it: it prevents the document to be signed from being seen, but perfectly transfers the signature to the document. And who would want to sign something without seeing it first? These blind signature protocols are used, for example, in electronic voting and digital money applications. Without Randomness There Is No Security Random numbers are of critical importance in cryptography: they are the very basis of security. Cryptography cannot be incorporated into products and services without random numbers. An inadequate random number generator can easily compromise the security of the entire system, as confirmed by the long list of vulnerabilities due to poor randomness. Therefore, the choice of the random generator must be taken carefully when designing any security solution. Without good randomness there is no security.

Have you ever played rock, paper, scissors? I bet you have. Well, let's put the tin lid on it: how would you play through the phone? One thing is clear: the first one to reveal his choice loses for sure. If you shout "rock", the other will say "paper" and you will lose again and again. The question is: how do you get both of you to commit to a value without revealing it to the other party? In real life, paper envelopes and boxes are used to stick to a value without revealing it. For example, a judge of a jury writes his verdict on a piece of paper and puts it in a sealed envelope. When the envelopes are opened, you can no longer back out. Can cryptography create an even more secure envelope or digital box? What a question, of course! Let's see how we can play rock, paper, scissors over the phone thanks to cryptography. Creating Commitment Schemes Through Cryptographic Protocols In cryptography, a commitment scheme allows one to stick to a value that will remain hidden until the moment it must be revealed and there will be no going back. Using the box analogy: you keep your message in a locked box and give the box to someone else. Without the key, they cannot read your message. Even you cannot change it, because the box is in their possession. When you give them the key, they will open the box and then, yes, they could read the message. As you can see from this simple example, a commitment scheme consists of two phases: The commitment phase: you keep the message under lock in a box and send the box. The disclosure phase: the receiver of the box opens it with your key and reads the message Mathematically, this scheme can be represented as follows: c = C (r, m) In other words, commitment c is the result of applying a public C function to a random value r and a message m. When the sender subsequently discloses the values of r and m, the receiver can recalculate c and, if it matches the original, will know that there has been no cheating. To consider it safe, any commitment scheme must satisfy the following two requirements: Secrecy (or concealment): at the end of the first phase, the receiver does not obtain any information about the committed value. This requirement must be met even if the recipient is cheating. Concealment protects the interests of the sender. Unambiguous (or linked): given the message committed in the first phase, the receiver will find the same value in the second phase after the legal "opening" of the commitment. This requirement must be met even if the sender is cheating. Linking protects the interests of the receiver. A simple way to perform this scheme digitally is by using cryptographically secure hash functions as a C-commitment function. Imagine that our good old friends Alice and Bob want to play rock, paper, scissors on the phone. They can send each other the following information using the generic H hash functionand a random value rA, as shown in the picture: At the end of the protocol, Bob needs to verify that the value of the hA hash sent by Alice is equal to the H ( rA || "rock" ) value calculated by himself. If both values match, he knows that Alice has not cheated. The result of this protocol is that Alice loses the game because paper wraps rock. Let's follow the above protocol from Alice's perspective. She first commits to the "rock" value by sending Bob the hA hash value. For his part, Bob will not yet be able to determine that Alice has committed to that value, as Bob doesn't know the random rA value used and Bob is unable to reverse the hash function. The fact that Bob cannot determine which value has been committed is the "secret" (or "hidden") property of the commitment scheme. As soon as Bob sends his own "paper" value to Alice, she knows that she has lost, but she is unable to cheat, since for tricking Bob she would have to invent a different value for the random rA value, let's say rA’, that meets H( rA’ || "scissors" ) = H( rA || "rock" ). But this fraud would imply that Alice can find collisions in the hash function, which is considered (computationally) impossible (technically, the hash function is required to be resistant to the second preview). This is the "unambiguous" (or "linking") property of the commitment scheme: that Alice cannot change her mind after the disclosure phase. The use of hashes as a commitment function is the simplest way to implement a commitment scheme. However, in real applications, the commitment may be required to exhibit some special properties, such as homomorphism, which require more sophisticated mathematical functions, based on variants of Diffie-Hellman, ElGamal or Schnorr. One of the best known examples is Pedersen commitment, which is very simple and has the following property, which is very useful in many situations: if you have committed two messages m1 and m2 m1 to the c1 and c2 values, respectively, then the product of the two commitments, c1 × c2, is equal to the commitment of the sum of the m1 + m2 messages. Applications of Commitment Schemes Commitment schemes are experiencing new applications thanks to the recent development of new cryptographic protocols: Just as we started the article by playing rock, paper, scissors over the phone, we could use versions of the commitment schemes for any other game of chance played remotely: from flipping a coin to playing mental poker and others. Another application of the commitment schemes together with the Zero-Knowledge Proof is the construction of zero knowledge databases, in which queries can be made that only reveal whether a property consulted is true or not, such as whether a person is of age or has a sufficient balance in his account, but without revealing either his age or his balance. In this application a special scheme called mercurial commitment is used. The commitment schemes are also a key part of a verifiable secrecy sharing scheme: the distribution of secrecy among several individuals is accompanied by commitments of the parts of the secret held by each. The commitments do not reveal anything that could help a dishonest party, but after the commitments of the parties have been revealed, each individual can verify whether the parties are correct. Commitment schemes are also being used in optimal and credible auctions, where the bidder must commit to the value of a bid without the possibility of backing out. Polyswarm uses commitment schemes along with smart contracts at Ethereum. Polyswarm is a decentralised threat intelligence marketplace where threat detection is encouraged by putting money into the game - NCT. Different manufacturers' engines can bet money based on trust in their own detections. They commit their verdict by calculating the Keccak hash on the sample of potential malware along with a random number. This hash represents their commitment on the artefact. After an engine has been pronounced, there is no turning back. Once the commitment window has been closed, during which the engines could make their predictions, they reveal their original verdict and their random number. Those who made correct evaluations are rewarded, while those who failed in their prediction lose their bets. In this way, Polyswarm rewards honest market participation, encouraging quality and unique malware detection. Online auctions, Internet gambling, smart contract signing, secure database searches, secure multiparty computing, Zero-Knowledge Proof, ... there are many applications that require information to be securely hidden until it can be revealed. As interest in public computing environments, such as blockchain, grows, commitment schemes will continue to provide confidence and encourage new secure technologies to flourish.

A business is considered agile if it is able to respond quickly to market changes, adapt to maintain stability. However, without cryptography there is no security and without security there is no business. So, ultimately, the agility of a business will be conditioned by its crypto-agility. And what does a business need to be crypto-agile? To be able to adopt an alternative to the encryption method in use when the this proves to be vulnerable, with the minimum impact on the organisation's infrastructure. The faster and more automated the process of replacing a cryptographic algorithm (or its parameters), the greater the crypto-agility of the system. In Cryptography No Algorithm Is Totally "Safe", At Most It Is "Acceptable". The definition of security in cryptography is incidental. When it is claimed that an algorithm is considered secure, what it actually means is that no security risk is currently known when used in accordance with the appropriate guidelines. The key word here is "currently", because what is considered secure today will most likely not be secure tomorrow. And this is due to advances in computing (do I hear quantum computer?), advances in cryptanalysis, advances in hardware and advances in mathematics. In other words, an algorithm is considered safe if it is computationally unfeasible to break it today. The discovery of vulnerabilities in cryptosystems and the removal of the affected algorithms becomes inevitable over time. That's why you need to be crypto-agile: to be able to update the encryption methods used within the protocols, systems and technologies you use as soon as new vulnerabilities are discovered... or even before they appear! And it is not just vulnerabilities that need to be considered. In the Real World™, cryptography must comply with regulations and standards, which in many cases will require changes in encryption algorithms and communications protocols. How to Find Crypto-Agility The worst time to evaluate your cryptography is after a compromise has occurred with everyone running around like a headless chicken. Being crypto-agile implies complete control over the cryptographic mechanisms and processes in your organisation. Gaining this control is not easy because, as Gartner points out in his report Better Safe Than Sorry: Preparing for Crypto-Agility: Cryptographic algorithms break "suddenly", at least from the end-user's point of view. Despite the fact that there are chronicles of a death foretold, like the one in SHA-1, there are organisations that do not even know about it until the incident occurs, when it is too late to change the algorithm for another one that does not impact the organisation. Most organisations do not know their cryptography: the type of encryption they use, what applications they use or how they use it. Developers often remain blind to the details of cryptographic function libraries, so they program cryptographic dependencies while ignoring the flexibility of the libraries. This can make patching or response difficult or unpredictable in case of an incident. Open source algorithms are generally considered safe because anyone can audit them, but reviews of their real application are rare. In this context, every organisation should prepare for the worst. How? According to Gartner, this preparation involves: Include by design the crypto-agility in the development of applications or in the workflow of acquisition of applications from third parties. Any software created internally must comply with the cryptographic security standards accepted by the industry, such as Suite B or FIPS 140-3; or with current regulations and standards, such as the GDPR. It is advisable to use development frameworks, such as JCA or .NET, which abstract cryptography, facilitating the replacement of some algorithms by others without altering the code. Likewise, there are other languages and libraries that favour the reuse and rapid replacement of cryptographic code, which should be given priority over less flexible alternatives. When purchasing third-party applications, make sure that the provider follows the above guidelines. All software and firmware should include the latest cryptographic algorithms and techniques that are considered safe. Compiled an inventory with the applications that use cryptography and identify and evaluate their dependence on the algorithms. Pay special attention to identity and access management systems, public key infrastructures (PKI) in use in your organisation and how keys are managed. This work will make it easier for you to assess the impact of a cryptographic breach and allow you to determine the risk to specific applications and prioritise incident response plans. Include cryptographic alternatives and an algorithm exchange procedure in your incident response plans. For instance, the identification and replacement of algorithms, extension or modification of key lengths, and re-certification of some types of applications. For hardware devices, ask the manufacturer how they handle key and algorithm changes. Be prepared in case you need to decrypt private data with an obsolete key or algorithm to re-encrypt it with a new key or algorithm if compromise happens. And do not forget to include IoT devices in your inventory, because some come with pre-loaded keys and little cryptographic flexibility and are deployed in the field for many years. Vulnerabilities, regulations, quantum computers, ... Cryptographic change is lurking around every corner. Applying these improvements will increase your crypto-agility to react quickly to cyberthreats.

Imagine you were such a modern person, that all your money was in cryptocurrency instead of in a traditional bank. If you have ever handled cryptocurrencies, you will know that they are usually managed through cryptocurrency wallet apps. Their mission is to facilitate the typical operations of making transactions and consulting balances, but they do not store cryptocurrencies. Above all, they have the crucial mission of signing with your private key. So basically, what is a cryptocurrency wallet? An interface to your private key! Yes, that private key is like the keys to the Kingdom: it gives access to all your money. Anyone who knows it will be able to pick in your pockets. If you lose it, you will not be able to get your capital back. Therefore, you will have to protect it very well, and that is not an easy task! In this article, I will review traditional and new alternatives that are emerging to ensure the security of digital signatures. Now, to avoid getting into mathematical detail, I will use a simple analogy throughout the article. Imagine that each cryptocurrency unit is protected inside a strong-box with a lock that can only be opened with the key of the owner of that cryptocurrency. Cryptocurrencies do not actually move between boxes but is always in its own strong-box. When you transfer coins from one to another, instead of sending them, what it actually happens is that you only swap the locks from one box to another. For example, when Alice transfers money to Bob, she only removes her lock from the box by opening it with her key and puts Bob's lock in its place. Bob can remove it later with his key and so on. Imagine that each person has an infinite number of locks, so that anyone can put anyone else's lock on a box, but only the owner of the lock can open it with his or her key. Got it? Here we go! Me, Myself and I: Duplicate of Keys The simplest and most widespread solution to secure your key today is to make many copies of your key and store them in many different places, so you can be sure you won't lose them. The obvious problem is that the more copies you make of your key, the greater the chance that an attacker will get hold of one of them. You could entrust copies of your key to other people, I'm sure your brother-in-law will offer to keep it for you. But if you think about it, the only thing you are doing is to move the problem. First, how much can you trust their honesty? Second, no matter how well intentioned he is, how much can you trust his good practices? No, it seems like duplication it not a good idea after all. Picture 1: Traditional strong-box: one lock, one key Sharing Is Caring: Multisig Another, more promising approach is to share responsibility for holding the key and unlocking the lock among several people. Instead of the box having a single lock, the new box will have several locks and each authorized person will receive a different key, each for their lock. From now on, several keys will be needed to open the various locks of the box. This is known as multi-signature or Multisig. Multisig avoids the previous single point of failure because, by protecting the box with several locks, it will be more difficult to be compromised: one key is no longer enough, several are needed to open the box. To make operations more flexible, M-of-N schemes are usually used: N locks are placed on the box with the peculiarity that to unlock it you only need to open M, where M is less than or equal to N. It is magic, isn’t it? For example: Together with your partner you can use a 1-of-2 multisig so that either of you can open the box. If one loses the key, the other can still open the box. But if an attacker steals either key, he or she can also open it. And if your partner is a spendthrift, there is nothing to stop him/her from emptying the account! With a 2-of-2 multisig, now both of you have to open the box. This protects you from each other and an attacker will have to steal both keys, as one key will not open the box. These Multisigs also work for multifactor authentication: you could have one key on your computer and another on your smartphone. Without access to both devices, the box will not open. With 2-of-3 multisig, if you have a child, you can give him/her a key and the parents keep the other two. The child will need either of you to open the box, since with his or her key alone the box will not open. With a 4-of-7 scheme, several people in a team or committee will have to cooperate to open the box. They are very suitable for deploying corporate policies. And all the possible scenarios you can imagine. The problem with Multisig is that it requires a larger box to accommodate several locks and also anyone passing by will notice unusual protection measures: "Hmm, what could it be inside? Let's track it down". On the other hand, the cost of transactions also increases because the information of each signatory must be added to the block chain. Picture 2: Multisig strong-box: two locks, two keys Little by Little: Shamir's Secret Sharing Scheme (SSSS) Here too, the responsibility for the custody of the keys and for opening the boxes is shared, but instead of creating several locks that are each opened with their own key, a single, normal lock is created and it is the key that is divided into parts that are given to each of the participants. In addition, the lock has a peculiarity: it can be opened with a number M of parts of the key lower than the total number N of parts into which it was divided when it was forged. Technically, it uses what is known as Shamir's Secret Sharing Scheme (SSSS). Shamir's Secret Sharing Scheme is also used to operate M-de-N schemes, to make access more flexible, as with Multisig. The box now looks normal from the outside, as it is protected by a single lock. The problem is that, before opening the box, the participants reconstruct the key by putting each part together. At this point, just as the key has been reconstructed, it becomes vulnerable of theft. On the other hand, in SSSS someone has to create the key first and then break it into small pieces and hand it out. There appears another window of opportunity for an attacker to steal the key before it is divided. Moreover, this third party must be trusted, because who can guarantee that he/she does not keep a copy of the whole key? Picture 3: SSSS strong-box: one lock, one key divided in two Signing on the threshold And couldn't it be a single lock with multiple different keys? Doesn´t it exist some method that combines the best thing of Multisig with the virtues of SSSS? Yes, it does. They are called Threshold Signature Schemes (TSS), based on threshold cryptography, a sub-discipline of secure multi-part computing. In the threshold signature scheme, each user creates their own key (which no one else knows) and then they get together to forge a completely normal looking lock. The trick is that this special lock can be opened when each of the N keys (or a subset M of them) turns the lock a little at a time, until they all manage to turn it completely around. A big advantage of TSS is that the keys are never put together, so SSSS theft opportunity windows are avoided. Another additional security feature is "refreshing": every now and again, the keys are refreshed to prevent an attacker from stealing one by one of the N keys created and with the M's opening the lock. Another advantage of threshold signature is that keys can be revoked or new ones created without changing the lock, for those situations where new participants enter or leave the group, a typical situation in corporate environments. As a counterpart, TSS requires all parties to be present when the lock is forged and opened, so this protocol cannot be executed asynchronously. It is also still very green, cryptographic proposals are still being made and there has even been a successful attack on one of the proposals. Picture 4: TSS strong-box: one lock, two keys The Future in Digital Signatures Is Already Here The discipline of threshold signatures is a recent field, with numerous proposals, still far from reaching the maturity of conventional signature schemes, such as ECDSA. TSS is currently providing users with two-factor security for access to private keys or sharing the ability to sign between several devices so that a single compromised device does not put all your money at risk. In the case of companies, TSS makes it possible to implement access control policies that prevent both insiders and outsiders from stealing corporate funds. Thanks to threshold signatures, the private key will no longer be a single flaw point.

In the Renaissance Italy, duels between mathematicians were common, but not by crossing steels, but by solving difficult problems. One of the hardest bones to crack at the time was the cubic equations. Knowing the method for their resolution conferred an enormous advantage in these duels, in which the two mathematicians played not only their prestige but also juicy rewards and sometimes even the professorship. One of the most famous confrontations was between the mathematicians Niccolo Fontana, nicknamed Tartaglia because of his stutter, and Girolamo Cardano. In 1535, Tartaglia, in a duel against another mathematician, Antonio Maria del Fiore, crushed his rival after solving 30 questions related to cubic equations, while del Fiore did not solve a single one of his 30 problems. It was clear beyond all reasonable doubt, that Tartaglia knew a method for solving cubic equations without having revealed the method itself. Impressed by his victory, Cardano offered Tartaglia to find him a patron if he would reveal the precious method of solving cubic equations. Tartaglia agreed in 1539, under the promise that he would never publish it. Six years later, Cardano published it in his work Ars Magna, claiming that he had learned it from another mathematician, Scipione del Ferro, and triggering Tartaglia's anger. He then challenged Cardano to a mathematical duel, which was attended by his disciple, Lodovico Ferrari, who defeated Tartaglia. As a result, Tartaglia ended up with no prestige and completely broke. In the world of information security, a multitude of similar scenarios arise in which one entity knows a secret and needs to prove to another entity that it knows it, but it is not appropriate for it to reveal the secret or any partial information about the secret: Who earns more money, you or your brother-in-law? How can you prove it to the satisfaction of the whole family without either of you revealing the amount? How to prove the legitimacy of a transaction in a public Blockchain without revealing either the sender, the receiver or the value transferred? How can you prove to an app installed on your smartphone that you know the password to authenticate yourself to a website without providing the password itself to that app, to your smartphone, or even to the website? How can you prove that you are not underage to access an adult service without revealing your age? How can you prove that you are an EU citizen to access an EU health service without disclosing your nationality? How can you convince a payment app that you have sufficient funds in your account for a transaction without disclosing your balance? How can a country convince others that it has destroyed its nuclear military arsenal without letting neutral inspectors into their facilities? How do you vote electronically so that your vote is counted without knowing who you voted for? How do you prove that a theorem is correct without providing its mathematical proof? How to prove that you know the solution to the most complicated sudoku in the world without revealing it? Fortunately, cryptography provides an answer to these and many other similar dilemmas: the Zero-Knowledge Proof (ZKP). Let's see with two mundane examples how these proof work. Interactive and Non-Interactive Zero-Knowledge Proof Your brother-in-law claims to be able to distinguish Lourdes' holy water from tap water at a glance, but the truth is that you don't trust his mystical powers very much. Imagine that you have two glasses full of water, one from Lourdes and one from the tap. How can your brother-in-law prove to you that he knows which is which without even revealing which is which? Very easy! Just follow these steps: You blindfold him and flip a coin. If it comes out heads, you exchange the position of the glasses; if it comes out tails, you leave them as they are. You remove the blinders and ask him if the glasses have been exchanged or are still in the same place. Obviously, it's not enough to challenge your brother-in-law just once, as he might get it right by pure chance 50% of the time. But if he is truly clairvoyant, he will be right 100% of the time. Therefore, if you repeat the two steps of the test n times, the probability that your brother-in-law always gets it right by pure chance is reduced to p = (1/2)n. For example, if it's New Year's Eve and there's nothing on TV, you could repeat the test 100 times, what it would be p = 7,38×10‒31 practically zero. This protocol for identifying the glasses is an example of an interactive proving system: a tester (your brother-in-law) and a verifier (you) exchange multiple messages (challenges and answers), typically dependent on random numbers (ideally, the results of untricked coin tosses), until the tester convinces (tests the verifier) of the truth of a statement, with an overwhelming probability. One problem (or advantage, depending on how you look at it) with these interactive proofs is that only the verifier is convinced by the proof. Your sister may think that you and your brother-in-law have conspired to cheer the New Year's Eve dinner up and have agreed in advance on the exchange of glasses. The only way for the tester to proof another person who knows the secret is for that other person to act as a tester, proposing random glass exchanges. And so on with each and every person your brother-in-law wants to convince that he knows the secret. That sounds exhausting, right? So, how to convince everyone at once in one step? There are other, more efficient protocols that allow the proving of knowledge of secrecy in a single step and to the satisfaction of an arbitrary number of observers. These are known as non-interactive zero-knowledge proofs. For example, imagine that a million-dollar prize is offered for solving a sudoku and you have solved it already! But your brother-in-law, who is after glory more than money, is willing to pay you double for the solution. How can you prove to him and all his relatives that you know the solution without showing them before paying? Do you have some deck of cards? Then it's easy! In a sudoku there are nine rows, nine columns and nine boxes. In each of these groups the nine values from 1 to 9 must appear. In total, each number appears 9 times. If you have seven identical decks you can select 27 cards for each number, regardless of suit: 27 aces, 27 twos, ..., 27 nines, a total of 243 cards. You draw with indelible marker on the grandmother's tablecloth the sudoku of the competition, so that on each given number (they are the clues or known numbers) you place three cards face up of the corresponding value. You ask everyone to leave the room and secretly place three cards with the appropriate value face down on each square to be solved. Once all the piles of three cards have been laid, you ask everyone to come in again and the magic begins! First, you remove one card from each row and make nine piles with the nine cards in each row. Then you take a card from each column and make nine piles with the nine cards in each column. Finally, you make nine piles with the nine cards in each box. You shuffle each of the 27 piles separately and lay the cards from each pile face up on the table. If you knew the solution to sudoku, each of the 27 piles will contain nine cards from 1 to 9! Overjoyed, your brother-in-law pays his debt and Grandma forgets the mishap with the tablecloth. This example shows how a non-interactive zero-knowledge proof works in practice. Crucial when you want a large number of testers to efficiently verify a proof. All this is good fun for entertaining the family on New Year's Eve, but how can we apply it in the real world? The idea of ZKP was proposed more than 30 years ago by the cryptographers Goldwasser, Micali and Rackoff of MIT. It was considered so revolutionary that it won the first Gödel Prize in 1993 and the Turing Prize in 2012. However, it saw no practical application in industry - until today! ZKP was for decades a powerful hammer in search of nails and finally nails are appearing with the progressive decentralisation of services thanks to block chains (blockchain). Block Chains and Zero-Knowledge Proofs in the Real World No, Bitcoin, Litecoin, Ethereum, even Monero, are not anonymous like cash, but pseudo-anonymous, meaning that the transactions leave a trail in the public block chain. However, not all cryptocurrencies are pseudo-anonymous: the most prominent use of ZKP so far is ZCash, one of the most popular cryptocurrencies, which allows anonymous transactions. Specifically, ZCash uses Zero-Knowledge Succinct Non-Interactive ARguments of Knowledge (zkSNARK) which allows the knowledge of a secret to be proofed in milliseconds by means of a single message sent by the tester to the verifier. Thanks to zkSNARK, the only information recorded in ZCash after a payment, is that a valid transaction has been made: no information remains about the sender, the recipient or the amount. Ethereum has also begun to integrate the zkSNARK, specifically in the form of pre-compiled contracts. A smart contract is basically a deposit of funds that is activated once a certain task is performed. For example, your brother-in-law puts 100 ETH into a smart contract with you, so that when you complete the agreed task, you get the 100 ETH from the smart contract. But what if the task you have to do is confidential and you don't want to reveal its details to your brother-in-law? Thanks to zkSNARK, Ethereum proves that the smart contract task has been completed without revealing its details. For a start, zkSNARK can be applied to any type of blockchain, in a security layer of zero-knowledge (ZSL), useful in many cases for any company. One of the most interesting ones is the decentralised identity. Blockchain, Decentralized Identity and Zero-Knowledge Proof Our personal data has become a commodity for the technological giants to trade with in order to manipulate our behaviour through advertising and social networks. The zkSNARK and Blockchain can work very well together, providing privacy, security and transparency when exchanging and verifying information, in areas such as health care, communications and finance The trick is identity solutions based on block chains. Traditionally, a myriad of servers belonging to public or private organisations store and share your data, such as your ID card, date of birth, bank account balance, password (or hash), degree of disability, nationality, contacts, phone number, etc In a decentralised solution, on the other hand, verifiable credentials are stored: they allow simple operations to be carried out on them, but without seeing their value. For example: Are you an adult? Can you park in the disabled parking space? Do you have funds for this payment? Can you fly to this country? Do you know the password to log in? And so on. In this way, the service does not gain any knowledge about yourself, because your personal information is not sent at any time! Therefore, it cannot be stolen, it cannot be illegally shared, it cannot be traded. You are the owner and master of your data. Corda by R3 is a good example of the work being done in this line. Consolidating the Future of the ZKP Don't think that all that glitters is gold. The zkSNARK also have their weaknesses, among them, the three biggest are the following ones: They depend on an initial configuration of trust between tester and verifier: a set of public parameters is required to build the zero-knowledge proofs and, therefore, private transactions. These parameters are so critical that they are usually generated by a very small group in which absolute trust is placed, creating a potential centralisation problem. For example, in Zcash this initial configuration phase is known as The Ceremony. The scalability of zkSNARK can be improved: as the execution time increases, the time needed to generate increases does too, especially for verifying the proofs. The underlying cryptography is based on elliptic curves, which makes them vulnerable to quantum computing. These weaknesses were overcome in 2018 by cryptographer Eli-Ben Sasson, the inventor of the Zero-Knowledge Scalable Transparent ARguments of Knowledge (zkSTARK). These proofs are transparent in the sense that they do not require an initial configuration of confidence because they are based on simpler cryptography through collision-resistant hash functions. This approach is also computationally less expensive and therefore more scalable. And it is also resistant to attacks from future quantum computers because it relies on post-quantum cryptography. One of its drawbacks is that the size of the prooft is larger, which could be limiting depending on which applications. Sasson has founded a company around the zkSTARK, STARKWARE, to improve the scalability and privacy of block chain technologies. Of course, block chains are not the only scope of application of the zero-knowledge proof. ZKProof, an open initiative bringing together academia and industry, was recently established to promote the safe, efficient and interoperable use of zero-knowledge proving technologies. Its main mission is to standardise protocols to facilitate their implementation by industry. Data Finally Under the Control of the User Zero-knowledge proofs hold immense potential to put people back in control of their data, allowing others to verify certain attributes of that data without revealing the data itself. There is no doubt that current and future ZKPs will have a huge impact on finance, health care and other industries by allowing all types of transactions while safeguarding data privacy.

When you sign up for a new social network, such as WhatsApp, you are often asked if you want to find out who among your contacts is already part of that social network (contact discovery). But if you don't want to provide your full list of contacts, how do you know if any of them is on the social network without sharing your address book? Countries around the world are developing apps to track COVID-19 infections down. In Spain, for example, the pilot COVID Radar was launched in the island of La Gomera at the end of June. These apps arouse many misgivings about privacy. Would it be possible to find out if you have been in contact with any infected person without either you or the server knowing exactly who it is? Or imagine that a laboratory has discovered a drug against COVID-19 that works only with people who have certain genes. How can the laboratory know if you have those genes without you revealing your whole genome or the laboratory revealing what those specific genes are? What Is Happening? Big Data and cloud computing are giving rise to a multitude of situations where two parties each have a set of data that they want to share with the other part in order to find the intersection between the two sets. But only by revealing the data in common. This is an old problem of cryptography known as Private Set Intersection (PSI) that is experiencing a strong resurgence. In addition to the three scenarios already mentioned, there are many other use cases: A company develops a remote diagnostic app for the COVID-19 with extraordinary accuracy from a list of symptoms provided by the patient. The patient does not wish to reveal his symptoms to the company, nor does the company wish to reveal to anyone what symptoms it uses for diagnosis. The same person receives medical care in different locations. Different administrations want to know which patients have visited health centres in other communities without disclosing their list of patients to each other. In order to conduct an international operation, several national cybersecurity agencies want to find the intersection between their criminal IP databases without revealing their complete lists of IPs to each other. An advertising agency sends an online ad to a group of users. Some of these users subsequently buy the product in a physical shop. The agency wants to find the intersection between the group of users who saw the product ad and those who bought it in physical shops (online-to-offline ad conversions). One healthy food company serves meals to many employees of another company, which performs medical tests on them twice a year. The catering company wants to know if employees who have lowered their cholesterol in the last year consumed their food, but the other company does not want to (and should not) disclose its employees' health data. The more traction the cloud and Big Data gain, bigger the amount of new use cases arising every day: detection of botnets, identification of cheats in online games, sharing of locations, discovery of compromised credentials, etc The need to make this intersection of sets in a private way has become crystal clear, but the question is: how do we achieve that? Cryptography offered numerous PSI techniques, from the hash-functioning naive solution to semi-confidential third-party protocols and protocols involving only two parties. Let's have a quick look at how they work. The Naïve Solution With Hash Functions It consists of comparing the hashes of each element of both sets. If two hashes match, then an adjustment has been made. This approach, which was used by WhatsApp at the time, is simple and fast, but it is not safe because with a small data set or low entropy, such as telephone numbers, it is perfectly feasible to perform a brute-force attack, calculating the hashes of all possible elements. In this way, structured with the list of hashes of all the phones, WhastApp would not only know the contacts you share, but the phone numbers of all your contacts! In the same way, this approach is not suitable for comparing ID cards, simple identifiers, names, etc. It only provides security when the data to be compared is random or have a high entropy. PSI Based On Semi-Confidential Third Parties Another, more solid approach is to pass each element of the assemblies through the same HMAC function with a secret key that the two parties, Alice and Bob, have agreed upon in advance. They send their randomised data to the third party, Trent, who returns the intersection set to each of them. Since Alice and Bob have each kept a private table with the outputs of the HMAC function for each data of their respective sets, they can search this table for settings and determine which elements they share. The maximum information filtered to Trent is the cardinality of the intersection set, this is to say, how many elements Alice and Bob have in common; and the cardinality of Alice and Bob´s sets, since Trent will know whether Alice has more elements in her set than Bob or vice versa. Of course, Trent could turn out to be malicious and try to deceive Alice and Bob, for example, by returning a different intersection set to the real one. Fortunately, there are simple adjustments to this protocol to avoid this type of manipulation by Trent. What you will never discover is Alice and Bob's data. PSI Based On Two Parties What if you don't want to depend on a third party? No problem. There are many alternative approaches in which only the two parties involved who want to find the intersection between their sets interact. One of the first and conceptually simpler approaches proposed is based on the cryptographic premises of the famous Diffie-Hellman protocol for agreeing session keys between two parties through an insecure channel. In this case, Alice and Bob apply the DH protocol to share one session key for each data in their respective sets. Any shared key found in both sets indicates that the corresponding element is a member of the original sets of both parties. Let's see how this works in detail: Alice and Bob agree on a large prime number, p, using a public channel Alice randomly generates a private key, a. Alice calculates the hash, gi, of each of the values of her original set. In fact, this step is a bit more complicated, since the hash must be repeated until g is a primitive root mod p, but we won't go into the mathematical details. For each of these gi values, Alice calculates the gia value mod p. Alice sends these values to Bob. Bob randomly generates a private key, b. Bob repeatedly calculates the hash, hi, of each of the values of his original set, until they are primitive roots mod p. For each of these hash values, Bob calcula hib mod p. Bob calculates the shared keys corresponding to each element of Alice's original set, raising the values received from Alice to the power of his private key, this is to say, giab mod p. Bob sends his calculated values, hib mod p, to Alice, as well as the calculated shared keys corresponding to the elements of Alice's original set, giab mod p. Alice calculates the shared keys corresponding to each element of Bob's original set by raising the values received from Bob to the power of his private key, this is to say, hiba = hiab mod p, for each of the values received from Bob. Alice compares the shared keys calculated from the elements of her own original set, giab, with the shared keys calculated with the elements of Bob, hiab. The intersection consists of those elements of Alice's original set whose shared key can also be found in the set of shared keys calculated from the elements of Bob's original set, giab = hiab. Since the publication of this protocol, dozens of alternatives using increasingly sophisticated cryptographic primitives have appeared. Highly elaborate protocols based on other public key algorithms have been proposed, such as blind RSA operations; based on Bloom filters; on fully homomorphic encryption; on oblivious transfer (OT) to transmit set data; or on variants of Yao's Garbled Circuit, capable of simulating any mathematical function with a Boolean circuit using only AND and XOR logic gates. Security Challenges and PSI Scalability The security and scalability challenges faced by all these protocols in calculating the private intersection of sets are varied: The most efficient protocols work for small sets of a few hundred or thousands of elements. However, in many real applications, sets of billions of data need to be compared, which requires finding faster alternatives. In addition to requiring only few operations to function, it is important to minimise communications for data exchange between the parties. Not all agents involved will play by the rules. In secure multiparty computing, two types of opponents are considered: semihonest (or passive) and malicious (or active). The semihonest opponent tries to obtain as much information as possible from the execution of a certain protocol, without drifting from the steps of the protocol. More dangerous and realistic is the malicious opponent, because he arbitrarily drifts away from the protocol steps to take advantage and obtain more information than the others. PSI protocols that are resistant to malicious opponents are considerably heavier and less efficient than protocols that are resistant to semihonest opponents. The simplest PSI approaches filter information: at a least, the number of elements in each set and the number of elements in the intersection set. In applications where it is not even acceptable to filter this information, more secure protocols are required, which unfortunately require more operations and more bandwidth. The More the Cloud and Big Data Advance, the Greater the Demand for PSIs As data protection laws and regulations evolve in an effort to safeguard the private sphere of citizens' lives, the private intersection of sets will enable public and private organisations to continue to generate knowledge from the Big Data that benefits the citizen, while satisfying privacy regulations. In June 2019, Google announced a tool to perform operations on the intersection of sets called Private Join and Compute. According to the press release: Using this cryptographic protocol, two parties can encrypt their identifiers and associated data and then join them in a consultation. They can then make certain types of calculations on the overlapping data set to obtain useful information from both data sets together. All entries (identifiers and their associated data) remain fully encrypted and unreadable throughout the process. None of the parties ever reveals their raw data, but they can still answer the questions raised using the calculation output. This result is the only thing that is decoded and shared in the form of aggregated statistics such as a count, sum or average of the data from both sets. Private Join and Compute combines the private intersection of sets with full homomorphic encryption to protect individual data. The following video gives an idea of how it works: PSI represents the intersection between the voracity of data from large organisations and the right to privacy of citizens. Technological giants such as Google, Microsoft or Baidu are investing enormous amounts of money and cryptographic neurons in these technologies. In the coming months we will see where mass data analysis applications turn, whether to favour citizens with better services or to further reduce their battered privacy. After all, as the cryptographer Phil Rogaway said: “Surveillance that preserves privacy is still surveillance.”

If you're reading this article from an internet browser, take a close look at the little lock at the top of the address bar. Click on it. Now click on "Certificates”. Finally, select the 'Certificate details' tab. Notice the value "Public Key", what do you see? RSA, maybe DSA or even ECDSA. Well, in a few years, you'll stop seeing those algorithms. Why? Because the quantum computers will have wiped them off the map. Look now at other secure communication protocols: TLS, responsible for the little lock that protects web pages and practically protects everything; the end-to-end encryption of WhatsApp or Zoom, etc. Think about digital signatures: contract validation, identification of software authorship, identity verification, guarantee of ownership in blockchain, etc. Those same algorithms (RSA, DSA, ECDSA) are everywhere, but their days are numbered: 10 or 15 years, at most. Will it be the end of privacy? No more secrets? Luckily, no. There is cryptographic life beyond RSA and DSA and ECDSA. Welcome to the post-quantum future! Hello, Quantum Computers. Goodbye, Classic Cryptography Quantum computing is more efficient than classical computing in some tasks, such as solving the mathematical problems on which rest the security of the public key algorithms that we use today for encryption and digital signature: RSA, DSA, ECDSA, ECC, DH, etc. In a world of quantum computers, cryptography requires algorithms based on mathematical problems that are impervious to advances in quantum computing. Fortunately, such cryptographic algorithms have existed for decades. They are collectively known as post-quantum cryptography (PQC). The three best studied alternatives to date are: Hash-based cryptography: as the name suggests, they use secure hash functions, which resist quantum algorithms. Their disadvantage is that they generate relatively long signatures, which limits their use scenarios. Leighton-Micali Signature Scheme (LMSS) or Merkle signature schemes are among the strongest candidates to replace RSA and ECDSA. Code-based cryptography: Code theory is a mathematical specialty that deals with the laws of information coding. Some coding systems are very difficult to decode, even requiring exponential time for a quantum computer. The best studied cryptosystem to date is that of McEliece, another promising candidate for key exchange. Its drawback: keys millions of bits long. Lattice-based cryptography: possibly the most active field of research in post-quantum cryptography. A lattice is a discrete set of points in space with the property that the sum of two points of the lattice is also in the lattice. A difficult problem is to find the shortest vector in a given lattice. For their resolution, all classical algorithms require time that grows exponentially with the size of the lattice and it is believed that the same will happen with quantum algorithms. Currently there are numerous cryptosystems based on the Shortest Vector Problem. The example that has perhaps attracted the most interest is the NTRU public key encryption system. So, if we already have substitutes for RSA, DSA, ECDSA, why not continue with the old algorithms until the first quantum computers capable of breaking them appear, and then switch with a click to the post-quantum ones? In Cryptography, Births Are Long and Painful There are four powerful reasons to start working now on the transition to post-quantum cryptography: We need time to improve the efficiency of post-quantum cryptography: to give you an idea, to achieve the security provided by b-bit keys in ECC, post-quantum algorithms may require keys between b2 and b3 bits, so do the math. Efficiency improvement is especially critical when thinking about constrained devices, widely used in IoT applications, and main targets of the PQC. We need time to build confidence in post-quantum cryptography: NIST has initiated a process to request, evaluate, and standardize one or more PQC algorithms for digital signature, public key encryption, and session keying. The IRTF Crypto Forum Research Group has completed standardisation of two hash-based signature algorithms, XMSS and LMS, which are also expected to be standardised by NIST. We need time to improve the usability of post-quantum cryptography: these standards should be incorporated into the cryptographic libraries used by the most popular programming languages and by the cryptographic chips and hardware modules. The Open Quantum Safe (OQS) project is working on liboqs, an open source C library for PQC algorithms. These will then have to be integrated into cryptographic standards and protocols, such as TLS, X.509, IKEv2, JOSE, etc. OQS is also working on liboqs integrations into OpenSSL and OpenSSH. Then, these standards and protocols should be included by all vendors in their products: from hardware manufacturers, to software manufacturers. We need to protect some secrets for a long time: there is very valuable data that has a long life span: employee records, health records, financial records, etc. In the military and industrial field the need to secure secrets for a long time is even greater. For example, design plans for new military weapons or commercial aircraft could be stolen today, encrypted with classic algorithms, waiting for quantum computers to decipher them even decades after the theft. In short, we are not yet ready for the world to switch to post-quantum cryptography at the touch of a button. Will Quantum Cryptography Be The Best Weapon Against Quantum Computers? Quantum cryptography today boils down to quantum key distribution (QKD): exchanging a random key between two unauthenticated ends with the certainty that any interception attempt will be detected. This key can then be used to encrypt confidential information using Vernam's algorithm to ensure perfect secrecy, even in the face of an attack from a quantum computer. Not so fast! Unfortunately, QKD has many practical drawbacks that make its adoption inadvisable, at least in the near future: Since QKD protocols do not provide authentication, they are vulnerable to man-in-the-middle attacks in which an adversary can agree to individual secret keys shared with two parties who believe they are communicating with each other. QKD requires specialised and extremely expensive hardware. The distances at which QKD can transmit keys are currently modest, in the range of a few thousand kilometres with very delicate experimental prototypes, far from commercially viable. QKD is used to agree on keys, but not to digitally sign information. Cryptography goes far beyond symmetrical encryption. In short, for most real-world communications systems out there, PQC will provide an antidote to quantum computing that is more effective and efficient than QKD. Where Will We See Applications of PQC In The Near Future? According to the report Post-Quantum Cryptography (PQC): A Revenue Assessment released on the 25th June by the quantum technology analyst firm Inside Quantum Technology, the market for post-quantum cryptography software and chips will soar to $9.5 billion by 2029. While PQC's capabilities will be incorporated into numerous devices and environments, according to the report, PQC's revenues will be concentrated in web browsers, IoT, 5G, law enforcement (police, military, intelligence), financial services, health services and the cybersecurity industry itself. If everyone is aware of the shadow of quantum computing over classical cryptography, why aren't they investing more resources in PQC right now? Because all the players are waiting for the NIST (National Institute of Standards and Technology) to complete Round 3 of its PQC standards, which will happen in 2023. From that date, services offered by the cybersecurity industry will include NIST-standardised PQC algorithms. For example, Inside Quantum Technology believes that manufacturers will provide PQC offerings as a service for email and VPN. In addition, the cybersecurity industry will recommend, develop, and implement PQC software for their customers. They predict that by 2029 the revenue from PQC-related cybersecurity offerings will likely reach $1.6 billion. Make The Leap to PQC Before It's Too Late If your organization is currently handling encrypted information whose confidentiality needs to be guaranteed for more than 10 years, you'd better take a look at the PQC product offering. In the meantime, you may want to take a look at the commercial solutions available to your organization to see if they can be put into production. Since you will have to make the leap to PQC sooner or later, it's best to calmly examine strategies for reducing the costs of technology changeover and preparing for the transition. Because you can be sure of one thing: the day of the PQC will come.

Did you know that there is a 100% secure encryption algorithm? It is known as Vernam cipher (or one-time pad). In 1949, Claude Shannon proved mathematically that this algorithm achieves the perfect secret. And did you know that it is (almost) never used? Well, maybe things will change after a group of Chinese researchers has broken the record for quantum transmission of keys between two stations separated by 1120 km. We are one step closer to reaching the Holy Grail of cryptography. The Paradox of Perfect Encryption That Cannot Be Used in Practice How is it possible that the only 100% secure encryption is not used? In cryptography things are never simple. To begin with, Vernam's cipher is 100% secure as long as these four conditions are met: The encryption key is generated in a truly random way. The key is as long as the message to be encrypted. The key is never reused. The key is kept secret, being known only by the sender and receiver. Let us look at the first condition. A truly random bit generator requires a natural source of randomness. The problem is that designing a hardware device to exploit this randomness and produce a bit sequence free of biases and correlations is a very difficult task. Then, another even more formidable challenge arises: How to securely share keys as long as the message to be encrypted? Think about it, if you need to encrypt information it is because you do not trust the communication channel. So, which channel can you trust to send the encryption key? You could encrypt it in turn, but with what key? And how do you share it? We get into an endless loop. The Key to Perfect Security Lies in Quantum Mechanics Quantum key distribution brilliantly solves all Vernam cipher issues at one stroke: It allows you creating random keys of the desired length without any attacker being able to intercept them. Let us see how it does it. As you may remember from your physics lessons at school, light is an electromagnetic radiation composed of photons. These photons travel vibrating with a certain intensity, wavelength and one or many directions of polarisation. If you are a photography enthusiast, you may have heard of polarising filters. Their function is to eliminate all the oscillation directions of the light except one, as explained in the following div: Now you get into the physics laboratory and send one by one photons that can be polarised in one of four different directions: Vertical (|), horizontal (-), diagonal to the left (\) or diagonal to the right (/). These four polarisations form two orthogonal bases: On the one hand, | and -, which we will call base (+); and, on the other, / and \, which we will call (×). The receiver of your photons uses a filter, for example, vertical (|). It is clear that vertically-polarised photons will pass as they are, while horizontally-polarised photons, and therefore perpendicular to the filter, will not pass. Surprisingly, half of the diagonally-polarised ones will pass through the vertical filter and be reoriented vertically! Therefore, if a photon is sent and passes through the filter, it cannot be known whether it had vertical or diagonal polarization, both \ and /. Similarly, if it does not pass, it cannot be said to be horizontally or diagonally polarised. In both cases, a diagonally-polarised photon might or might not pass with equal probability. And the paradoxes of the quantum world do not end here. The Spooky Action at a Distance That Einstein Abhorred Quantum entanglement occurs when a pair of particles, like two photons, interact physically. A laser beam fired through a certain type of crystal can cause individual photons A and B to split into pairs of entangled photons. Both photons can be separated by a great distance, as great as you want. And here comes the good part: When photon A adopts a direction of polarisation, the photon B entangled with A adopts the same state as photon A, no matter how far away it is from A. This is the phenomenon that Albert Einstein sceptically called "spooky action at a distance ". In 1991, the physicist Artur Ekert thought of using this quantum property of entanglement to devise a system for transmitting random keys that would be impossible for an attacker to intercept without being detected. Quantum Key Distribution Using Quantum Entanglement Let us suppose that Alice and Bob want to agree on a random encryption key as long as the message, n bits long. First, they need to agree on a convention to represent the ones and zeros of the key using the polarisation directions of the photons, for example: State/Base + x0–/1|\ Step 1: A sequence of entangled photons is generated and sent, so that Alice and Bob receive the photons of each pair one by one. Anyone can generate this sequence: Alice, Bob or even a third party (trusted or not). Step 2: Alice and Bob choose a random sequence of measurement bases, + or x, and measure the polarisation state of the photons coming, no matter who measures first. When Alice or Bob measure the polarization state of a photon, its state correlates perfectly with that of its entangled partner. From this moment on, both are observing the same photon. Step 3: Alice and Bob publicly compare which bases they have used and keep only those bits that were measured on the same base. If everything has worked well, Alice and Bob share exactly the same key: as each pair of measured photons are entangled, they must necessarily obtain the same result if they both measure by using the same base. On average, the measurement bases will have matched 50% of the times. Therefore, the key obtained will be of length n/2. The following would be an example of the scheme of the procedure: Step 1Position in sequence123456789101112 Step 2Alice's random basesXX++X+X++X+XAlice's remarks/\||/–\|–\–/Bob's random basesX++XX++++XX+Bob's remarks/–|//–||–\\– Step 3Matching basesSíNo SíNo SíSí NoSíSíSíNo No Key obtained0 1 00 101 But what if an attacker was intercepting these photons? Wouldn't he or she also know the secret key generated and distributed? What if there are transmission errors and the photons are disentangled along the way? To solve these issues, Alice and Bob randomly select half of the bits from the obtained key and compare them publicly. If they match, then they know there has been no error. They discard these bits and assume that the rest of the bits obtained are valid, meaning that a final n/4-bit long key has been agreed upon. If a considerable part does not match, then either there were too many random transmission errors, or an attacker intercepted the photons and measured them on his or her own. In either case, the whole sequence is discarded, and they must start again. As observed, if the message is n bits long, on average 4n entangled photons must be generated and sent so that the key is the same length. And couldn't an attacker measure a photon and resend it without being noticed? Impossible because, once measured, it is in a defined state, not an overlapping state. If he or she sends it out after observing it, it will no longer be a quantum object, but a classic definite-state object. As a result, the receiver will correctly measure the state value only 50% of the times. Thanks to the key reconciliation mechanism just described, the presence of an attacker within the channel can be detected. In the quantum world, it is impossible to observe without leaving a trace. It goes without saying that Ekert's original protocol is more sophisticated, but with this simplified description the experiment conducted by Chinese researchers in collaboration with Ekert himself can be understood. China Beats Record for Quantum Key Distribution The Chinese research team led by Jian-Wei Pan succeeded in distributing keys at 1120 km using entangled photons. This feat represents another major step in the race towards a totally secure quantum Internet for long distances. So far, experiments on quantum key distribution have been carried out through fibre optics at distances of just over 100 km. The most obvious alternative, i.e. sending them through the air from a satellite, is not an easy task, as water and dust particles in the atmosphere quickly disentangle the photons. Conventional methods could not get more than one in six million photons from the satellite to the ground-based telescope, clearly not enough to transmit keys. In contrast, the system created by the Chinese research team at Hefei University of Science and Technology managed to transmit a key at a speed of 0.12 bits per second between two stations 1120 km apart. Since the satellite can view both stations simultaneously for 285 seconds a day, it can transmit keys to them using the quantum entanglement method at a rate of 34 bits/day and an error rate of 0.045. This is a modest div, but a promising development, considering that it improves previous efficiency by 11 orders of magnitude. According to Ekert's own words: "Entanglement provides almost ultimate security". The next step is to overcome all the technological barriers. The race to build an attack-proof quantum information Internet has only just begun, with China leading the challenge and well ahead of the pack.

Governments and health authorities worldwide are launching infection tracing apps. Moreover, within an unprecedented partnership, Apple and Google joined forces to create an API that makes it easier to develop this app. Scientists agree that the adoption of these types of apps by as many citizens as possible will help curb the spread of Covid-19. According to a rough estimate, if 80% of mobile users with iOS or Android install them, this would be equivalent to 56% of the total population, a div sufficient to contribute significantly to curbing the pandemic. Unfortunately, since the launch of these apps was announced, all kinds of hoaxes and fake news have been spreading lies about conspiracy spying scenarios. This groundless fear can lead many people not to use the app when it is available in their country, so in this post we will explain how its cryptography works to ensure the privacy of users. Cryptography of Apps Based on Apple's and Google's API If the health authorities of your country or region have created an app, you can download it from Apple Store or Play Store, depending on whether your device is iOS or Android, respectively. Although you can have more than one app installed on your device that uses exposure notifications, only one can be active at a time. If you choose to voluntarily install the app authorised in your region or country, this will ask your permission to collect and share random identifiers. To protect your privacy, the app uses a Cryptographically Secure Pseudorandom Number Generator to independently and randomly generate a Temporary Exposure Key (ExpKey) every 24 hours. From it, an encryption key is derived through a HDKF function to generate the Rolling Proximity Keys (RPIKey) and an Associated Encrypted Metadata Key (AEMKey) to encrypt additional metadata in case you later test positive. RPIKey = HKDF(ExpKey, NULL, UTF8(“EN-RPIK”), 16) AEMKey = HKDF(ExpKey, NULL, UTF8(“EN-AEMK”), 16) Specifications for Bluetooth Low Energy (BLE) assume that your device's MAC address changes every 15-20 minutes to prevent tracking. Every time your MAC address changes, the app generates a new Rolling Proximity ID (RPID) obtained by encrypting, via AES-128 with the previous RPIKey, the value of the new 10-minute time window, Ti. RPID = AES128(RPIKey, UTF8(“EN-RPI”) || 0x000000000000 || Ti) On the other hand, the associated metadata are encrypted with AES128-CTR using as key the previous AEMKey and as IV, the RPID. AEM = AES128−CTR(AEMKey, RPID, Metadata) Figure 1. Key Schedule for Exposure Notification (Source: Exposure Notification Cryptography Specification) This metadata includes the date, the estimated duration of exposure and the strength of the Bluetooth signal. To further protect your privacy, the maximum estimated duration recorded is 30 minutes. The Bluetooth signal strength helps to understand the proximity of the devices. In general, the closer the devices are, the greater the recorded signal strength. Also, other devices that receive your Bluetooth identifiers will record them in a similar way and store them along with their associated metadata. As you can see, neither the Bluetooth identifiers nor the random keys on the device include information about your location or identity. Also, GPS cannot be seen, so there is no way to track your movements. Your terminal and the terminals around you work in the background, constantly exchanging this RPID information and encrypted metadata through BLE without the need to have the application open. What Happens if I Test Positive for Covid-19? If you are later diagnosed with Covid-19, your terminal uploads your last 14 temporary exposure keys (ExpKey) to a server of the health authorities of your region or country called Diagnosis Server. Its mission is to add the diagnosis keys of all the users who have tested positive and to distribute them to all the other users who take part in the exposure notification. All other devices on the system download these 14 keys, regenerate the RPIDs for the last 14 days, and compare them with the locally stored identifiers. If there is a match, the app will have access to the associated metadata (but not to the matched identifier), so it can notify you that a potential exposure has occurred and guide you on the steps to be taken based on health authorities' instructions. Depending on its design, the app may generate an exposure risk value that the government or health authorities could use to adapt the guidelines specifically for you in order to better control the pandemic. The exposure risk value is defined and calculated based on the associated metadata, as well as the transmission risk value that the government or health authorities may define for the matching device random keys. In no case will the exposure risk value or transmission risk value be shared with Apple or Google. The parameters used for this transmission risk value could include information you have provided (such as the symptoms you report or whether your diagnosis has been confirmed by a test) or other data that the government or health authorities consider could affect your risk of transmission, such as your job. The information you choose to provide to the government or health authorities is collected in accordance with the terms of the app's privacy policy and its legal obligations. Conversely, if you remain healthy and do not test positive, your Temporary Exposure Keys will not leave your device. Some Final Thoughts on the Apple and Google API and Your Privacy Given the image of Google's and Apple's Big Brother and in our collective mind, many people will not care about the cryptography of this API and will not trust these two companies. To give you more reassurance, keep in mind that: You decide whether or not you receive exposure notifications: This technology only works if you choose it. If you change your mind, you can turn it off at any time. The Exposure Notification System does not track your location: It does not collect or use the location of your device via GPS or other means. It uses Bluetooth to detect if two devices are close to each other, without disclosing their location. Neither Google, Apple nor other users can see your identity: All matches in the Exposure Notification system are processed on your device. Health authorities may request additional information from you, such as a phone number to contact you for further guidance. Only health authorities can use this system: Access to technology will be granted only to health authority applications. Their applications must meet specific criteria in terms of privacy, security, and data use. Apple and Google will disable the exposure notification system in each region when it is no longer required. Success Lies in Critical Mass Remember that these apps will only work if at least 80% of iOS and Android users install them and keep Bluetooth on when they leave home. If you disable your device's Bluetooth connection, random Bluetooth identifiers will also stop being collected and shared with other devices. This means that the app will not be able to notify you if you have been exposed to someone with Covid-19. Therefore, when making the decision whether to use these apps or not, each citizen must find the right balance in his or her conscience between the public good and the safeguard of privacy.

The confinement declared as an exceptional measure to stop the spread of the COVID-19 has forced millions of people in businesses, schools and households to interact virtually. Pushed to use group video calling apps for work, classes, or simply to be in touch with family and friends; users were faced with the daunting challenge of choosing which app to use. Typically, the prevailing criterion for choosing one has been popularity or free −without considering security or privacy. After all, if it's free and "everyone uses it", why bother? For better or worse, the most popular app among the public turned out to be Zoom. Weeks after the beginning of the quarantine, it is still at the top of the list of the most downloaded free apps for both iOS and Android, with the fabulous div of 300 million daily users. As it is well known, the more popular a program or application becomes, the more it attracts cybercriminals. Perhaps even Zoom itself couldn't imagine its overwhelming success, or maybe they didn't take security seriously from the beginning, but the truth is that they didn't come prepared. The Three Big Blows to Zoom Security Among the many security and privacy issues and scandals, three were particularly significant: Zoombombing: This attack consists of breaking into a Zoom room and sharing the screen while showing images of extreme violence, pornography or any other form of trolling. Zoombombing became popular in schools and universities, forcing teachers to suspend classes. Many education institutions went so far as to ban Zoom replacing it with other applications. Zoom learned its hard lesson and implemented numerous measures to combat zoombombing: mandatory passwords, session blocking, removing of participants, restricted screen sharing and chat operation, more visible security icon, etc. They also published a guide called Best Practices for Securing Your Virtual Classroom. Data sharing with Facebook: Like many other apps, Zoom on iOS uses a Facebook SDK to allow its users to log in through their Facebook account. This is called social login. This SDK collects some data about users, such as the device model, app version, or telephone operator. Then it sends such data to Facebook servers, even if they do not have a Facebook account and therefore do not use it to log in. It is not known how Facebook uses this information, but in response to numerous complaints, Zoom removed the Facebook SDK completely. False claims about secure end-to-end encryption: Zoom claimed on their website to be using end-to-end encryption on their connections. But it turned out that they were actually using TLS encryption to encrypt communications between clients and servers, which means that Zoom's servers have access to all video calls. The company had no choice but to retract its statement: "In light of recent interest in our encryption practices, we want to start by apologizing for the confusion we have caused by incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption". 90-day Security Plan With the aim of restoring their image and user base, on April 1st Zoom surprised with a 90-day security plan. As part of this plan, on April 8 Zoom created a security board including some very prominent CISOs. On the same day, they hired Stanford's well-known cybersecurity expert Alex Stamos, a former CISO of Facebook, as a security advisor to review the platform. On April 27th, Zoom 5.0 was released, with support for AES 256-bit GCM encryption. But (and this is a huge "but") the encryption keys for each meeting are generated by Zoom servers. In other words, a cybercriminal can't spy on a conversation between two users but Zoom would if they wanted to. In contrast, other services such as Facetime, Signal or WhatsApp do use true end-to-end encryption: no one but the two users at either end of the communication can view their content because they generate the encryption keys themselves. As a result, neither the cybercriminals nor the service provider's servers can spy on the conversations. Without end-to-end encryption, Zoom could be forced to turn over meeting records to a government in response to legal requests. These requests are made all the time around the world. In fact, companies such as Apple, Google, Facebook and Microsoft publish transparency reports detailing how many user data requests they receive, from which countries and how many of them they grant. However, Zoom does not publish such transparency reports. The Keybase End-to-end Encryption That Zoom Seeks for Its Video Calls On paper, end-to-end encryption seems simple: Clients generate the temporary session keys and exchange them with the recipient's public key. Unfortunately, generating and managing all these keys to provide scalable end-to-end encryption for high-quality video calls with dozens of participants and over 300 million users connecting daily to your servers is a huge technological challenge. That's why Zoom turned to Keybase. On 7 May, they bought the messaging and file transfer company with end-to-end cryptographic protection Keybase.io, and they paid an undisclosed amount. Thanks to this help, Zoom aims to provide an end-to-end encrypted meeting mode. However, this is only for payed accounts. Furthermore, as they state: They will continue to work with users to improve the feedback mechanisms available to meeting hosts in order to report unwelcome and problematic attendees. Zoom does not and will not proactively monitor meeting content, but its security team will continue to use automated tools to search for evidence of abusive users on the basis of other available data. Zoom has not and will not develop a mechanism to decrypt live meetings for lawful interception purposes. Nor do they have a means of including their employees or other users into meetings without them being showed within the list of participants. They will not build any cryptographic backdoors to allow secret surveillance of the meetings. In short, Zoom is committed to remaining transparent and open while developing their end-to-end encryption solution. As a matter of fact, Zoom plans to release a draft detailing the cryptographic design by Friday, May 22nd. How Zoom Is Seen after the Purchase of Keybase Zoom's reaction was admirable. Far from denying criticism or suing researchers who found their vulnerabilities, Zoom's answer has been an ambitious 90-day security plan whose Holy Grail will be the end-to-end encryption provided by Keybase. Zoom made some bad security decisions in the past but seems clearly determined to become the most powerful and secure video calling app on the market. They are showing how self-criticism and transparency help to emerge strengthened from a serious security crisis.

Governments around the world are releasing Covid-19 tracing apps. Despite their laudable goal of slowing the spread of the pandemic and accelerating the return to normalcy, as expected, they arrive as a matter of controversy. As its name suggests, a "tracing" app raises questions about the threat to citizens' privacy and security. Throughout this post we list 20 of the most frequently asked questions we all have about the use of these apps. 1. What is the purpose of these apps? The aim of these apps is to stop the spread of the virus. In the past, the procedure was different: through interviews with infected people, they were asked about the people they had been in contact with. Once identified, these people were notified to be kept in quarantine or given priority for diagnostic testing. This manual method also raises privacy issues: is misleading, extremely costly in terms of time and personnel, and is limited to those contacts that can be identified by the infected person. 2. How do infection tracing apps work? It depends on each individual app, but in general they all work by constantly generating unique and changing Bluetooth codes. At the same time, they constantly monitor the phones around them, recording the codes of any other phone they find within a certain range and for how long. For example, within a radius of 2 meters for 10 minutes. When a health authority confirms that a user is infected, their app uploads to a server the anonymous codes generated during the last two weeks. If another user's app finds a match with one of their stored codes, it notifies them that this user may have been exposed and reports on the steps to follow: quarantine or diagnostic test, or whatever the health authority decides. The system uses Bluetooth LE, not GPS, is completely optional, does not collect location data from users and does not load any codes from anyone without a positive diagnosis of Covid-19. 3. What do Apple and Google have to do with this? On April 10, Apple and Google surprised with the announcement of their partnership to create a Bluetooth LE (Low Energy) based technology for contact tracing integrated into iOS and Android operating systems. The different countries will be able to develop their contact tracing applications on the functions provided by the Apple and Google APIs and platform. Both companies have developed this technology to make it easier for governments around the world to create infection tracing apps if they wish. 4. Why do these apps use Bluetooth LE and not GPS? GPS technology allows locating a person at any time, which would be a serious threat to privacy. In contrast, Bluetooth communication occurs directly between mobile devices, without recording the location where the proximity took place, and this facilitates the creation of a decentralized system. On the other hand, Bluetooth LE allows estimating more precisely the functional proximity in high-risk environments in terms of proximity: inside buildings, in vehicles and airplanes, in underground traffic, and so on. It could even be known if two people within 2 m of each other are separated by a partition by measuring the power of the Bluetooth signal and with complementary information from the terminal's sensors: whether it is inside or outside a bag or pocket, whether it is stationary or in motion, etc. 5. To what extent will my privacy and security be threatened if I install these apps? It is hard to know because each country will develop its own app, and even each region within each country, based or not on the Apple and Google platform. About 300 scientists and researchers from all over the world have signed a statement where they propose the following principles that should be adopted by any app: Contact tracing Apps must only be used to support public health measures for the containment of COVID-19. The system must not be capable of collecting, processing, or transmitting any more data than what is necessary to achieve this purpose. Any considered solution must be fully transparent. The protocols and their implementations, including any sub-components provided by companies, must be available for public analysis. The processed data and if, how, where, and for how long they are stored must be documented unambiguously. Such data collected should be minimal for the given purpose. When multiple possible options to implement a certain component or functionality of the app exist, then the most privacy-preserving option must be chosen. Deviations from this principle are only permissible if this is necessary to achieve the purpose of the app more effectively, and must be clearly justified with sunset provisions. The use of contact tracing Apps and the systems that support them must be voluntary, used with the explicit consent of the user and the systems must be designed to be able to be switched off, and all data deleted, when the current crisis is over. For their part, Apple and Google ensure that user privacy is an essential requirement in the development of their own specification: User's position is not required: any use of location will be optional. In case it is necessary to access the geolocation of the device, express consent will be required. Unique proximity identifiers will change every 15 minutes, so that it is useless to trace a person using Bluetooth. Unique proximity identifiers will be exchanged only between devices and will not be uploaded to the cloud. The user must decide if he or she wants to take part in the initiative. The user must consent if he or she wants to be identified -anonymously, always- as a person infected by Covid-19. We will have to wait for the apps deployed by the various governments to assess if they comply or not with these guidelines. 6. How effective will these apps be in curbing the pandemic? According to an analysis carried out by researchers from the Covid-Watch project, contact tracing applications need to be used by 50 to 70 percent of the population. Otherwise, symptomatic people would not know where they got the virus and asymptomatic people would continue to spread it unknowingly. As a reference, in South Korea only 10% of the population used the official app. Although Apple and Google support these applications, their penetration rate will be lower than expected. According to analysts from Counterpoint Research, about 1.5 billion users use basic phones that do not operate under Android or iOS and lack Bluetooth LE chips. Similarly, those who use smartphones that are more than five years old will not be able to install this application due to technology or operating system restrictions. On his part, Bill Gates rightly points out in a recent blog post that: "One limitation is that you don’t necessarily have to be in the same place at the same time to infect someone—you can leave the virus behind on a surface. This system would miss this kind of transmission." Finally, any effective contact tracing is useless without massive diagnostic tests, which currently are still few, expensive, and slow. In addition, diagnosed individuals need the economic freedom and space to be quarantined. Many older or low-income people, the ones who may be at greatest risk, are precisely the least likely to have smartphones capable of hosting these apps. 7. When the app warns me that someone who was near me has been infected, what guarantees do I have? It is clear that not everyone will be able to notify that they are infected because then the system would be open to all kinds of errors and abuses: from users who misdiagnose their health status to trolls flooding the system with false positives. The solution requires that the positive diagnosis be approved by a competent medical or public health authority. Other false positives can simply result from errors in proximity calculations by Bluetooth LE, particularly if it fails to detect panels, partitions, or walls. Like any detection system, tracing apps will have their rate of false positives as well as false negatives: from viruses on surfaces to contacts with people without smartphones or who choose not to activate tracing. 8. If the app warns me that I am close to an infected person, what should I do? Each country will decide how you will be alerted: through a call, a message, or a notification on your smartphone. From there, you may be advised to quarantine, visit a health centre or hospital for testing, or other options depending on your territory. 9. What personal data will the apps share and with whom? These schemes are designed not to load any data from most users (the uninfected ones) but only anonymous Bluetooth codes from infected people. Even so, when notifying the infection, a user must necessarily upload some data to the server. And no matter how anonymous they are, they may leave a trace, such as the IP address of their terminal. Whoever manages that server, probably a public health institution, could identify the phones of the people reported as positive and, therefore, their locations and identities. Similarly, prudent time limits are proposed for hosting such information and it is advised not to store communications metadata – but, again, this does not seem to be intrinsically implemented within the code, but rather appeals to the good practices of server managers. 10. Who will know if I have been infected? When an individual voluntarily shares their diagnosis, their app will upload to a server the codes generated during the previous 14 days. All the apps are downloading from the same server these code lists to check if any of them match those stored locally. Therefore, nobody will know if you have been infected, except obviously the health authority that diagnosed you. 11. What app will be suggested in Spain? Apparently, the Secretariat for Digitalisation and Artificial Intelligence is committed to a decentralised system such as the one recommended by the EU. Initially, Spain joined the Pepp-PT, but this one has modified part of its initial commitment and currently opts for a centralized system. 12. When will it start to be used? It depends on the country. In Spain, it was launched on Monday 11 May (Asistencia Covid-19 app). 13. Am I forced to use these apps? At the moment, you are not. As we have seen, the effectiveness of the system is based on its massive use, so at least 60% of the population should use it for the system to be effective. Each citizen will balance the public good with the safeguard of privacy when making the decision whether to use them or not. 14. If I have the app installed, will anyone be able to trace my movements? In principle, they will not, since contact tracing apps are based on Bluetooth LE and not on GPS. And we are saying in principle because the app developer might wish to enable the use of GPS, but that option no longer depends on the tracing platform provided by Apple and Google or other initiatives, such as DP3T. In any case, unless their servers are cyberattacked, tracing will only be available to public health authorities. 15. There are a lot of infection-tracing apps coming out all over the world, are they all the same? No, they are not. Although they are all based on Bluetooth following more or less the same scheme as described. However, they differ in who controls the data on the servers and how much personal information is stored on those servers. Those versions that most zealously protect privacy only load the keys generated by the devices, which are not personally identifiable (except for complex attacks described below). In other versions, the apps also upload the complete personal profile of the users: name, age, address, identification code, etc. Recently, the TCN Coalition has been created, a global coalition to establish the protocols for tracing the first digital contacts to fight against Covid-19. This coalition aims to join forces to develop an open and shared protocol that can be used by multiple applications to curb the pandemic while preserving privacy. 16. Do these apps breach data protection regulations? According to the European Commission's press release: "They should be fully compliant with the EU data protection and privacy rules, as put forward by the guidance presented today following consultation with the European Data Protection Board." 17. When the pandemic is over, may I be traced? This is a difficult question to answer. Jaap-Henk Hoepman, professor of Digital Security at the Radboud University Nijmegen (Netherlands) and head of the Privacy & Identity Lab, is not clear about it, as he reports in his blog. For him, the dangers of this type of system do not lie in the fact that it could actually help that future "get back to normal" phase, but in everything that could come afterwards after implementing this type of system in our mobile phones: The police could quickly see who has been close to a murder victim: simply report the victim’s phone as being ‘infected’. Some might say this is not a bug but a feature, but the same mechanism could be used to find whistleblowers, or the sources of a journalist. A company could install Bluetooth beacons equipped with this software at locations of interest. By reporting a particular beacon as ‘infected’ all phones will report that they were in the area. If you have Google Home at home, Google could use this mechanism to identify all people that have visited your place. Jealous partners could secretly install an app on the phone of their significant other, to allow them to monitor who they have been in contact with. Overzealous parents could use this spy on their children. 18. How does the cryptography of these apps work? From a more technical perspective, cryptography varies from one app to another, but they all follow similar steps: When the application is installed, a unique key associated with the device in question is generated, considering system components. The aim is to make it unpredictable and impossible to replicate, in order to ensure privacy and anonymity. In addition, it is stored locally on the device in a secure manner. From that first key, a second key is derived, which will be regenerated daily. While the Bluetooth is enabled, the communication is used to send, in the packages associated to the protocol, a proximity identifier. Terminals with Bluetooth enabled exchange these proximity identifiers with each other when they are within the predefined range. These keys change every 15 minutes and are derived from the previous daily keys. The sent and received proximity identifiers are processed and stored locally only. If one of the owners of the phone is diagnosed as positive, the health authorities assign a permission number. This person sends a request to the public database by using the permission number and its history of contact event divs. If the permission number is valid, the contact event divs are stored in the database and transmitted to all other phones. Each phone compares the published contact event divs with its own history. If there is a match, this means that they were near an infected individual and instructions are given on what to do next. 19. What attack scenarios can be designed to bypass protection measures? There are different attacks that could disclose the identity of users diagnosed as positive. Fortunately, decentralized architectures require individual tracing of users, which is very time consuming and dramatically reduces the scale of the attack. For example, an attacker could use a camera to record the face of everyone passing by while logging Bluetooth signals from their apps. In the future, if one of these passers-by reports that he or she is positive, the attacker's app will receive like any other all his or her keys from the server and will be able to match the codes that the user issued at the moment of passing in front of the camera, thus identifying a stranger as positive. Another version of this correlation attack would allow commercial tracing: an advertising company could place Bluetooth beacons in shops at street level that collect the contact tracing codes issued by customers who visit them. The company could then use the public health application to download all the keys of the people who are later diagnosed with Covid-19 and generate all their codes from the last two weeks. That method could hypothetically determine which trace of codes represented a single person and follow them from store to store. Since the system takes not only the time of exposure but also the proximity of the devices as variables, an attacker could generate false positives by amplifying their signal via hardware so that users who are at a great distance would still be notified, even though it is physically impossible for them to have been infected by that user. Perhaps the most serious issue lies in the design of the apps themselves rather than in the potential attacks. As cryptographer Moxie Marlinspike − developer of the so-called cross-platform encrypted messaging service Signal − argues on Twitter after Apple and Google's announcement due to the initial description of the Apple and Google API, each user's phone would have to download every day the keys of each person newly diagnosed with Covid-19, which would quickly translate into a significant data load: "If moderate numbers of smartphone users are infected in any given week, that's 100s of MBs for all phones to DL." One argument in favour of the centralized system is that apps could better determine who needs to download which keys by collecting GPS location data, sending users only the keys relevant to their area of movement. In this case, Google and Apple point out that if a location-tracing application wants to use GPS, it must first request user's permission, as any application does. 20. Why did Apple and Google modify the name of their proposal? In their new release of April 24, Apple and Google no longer refer to their system as "contact tracing" but as "exposure notification" because they believe this term better explains the value of their proposal. According to them, the purpose of the tool is not to "trace" users but to "notify" them when there is a possible exposure to a person infected by coronavirus. To determine the level of exposure, the software will be able to calculate the proximity between devices and the time of exposure, limited to 30 minutes.

The average level of professional talks is often so low that people prefer to work than listen. You'll see this in all kinds of meetings: by the second slide, attendees are already replying to mails or finishing a report. Fortunately, it isn’t the case for all talks: for more than 20 years, TED talks have been bringing a glimmer of hope on this bleak picture. In this entry we bring you the Top 10 TED Talks to Learn about Cybersecurity as well as the guidelines and tricks on how to improve your own presentations. 1. Bruce Schneier: The Security Mirage Security is both a feeling and a reality. The feeling and the reality of security are certainly related, but it is also true that they are not the same thing. Most of the time, when the perception of security does not match with the reality of security, it is because the perception of risk does not match with the reality of risk. We do not assess security compromises mathematically by examining the relative probabilities of different events. Instead, we use shortcuts, general rules, stereotypes and biases, generally known as heuristics. These heuristics affect how we think about risks, how we assess the probability of future events, how we consider costs and how we make trade-offs. And when those heuristics fail, our sense of security moves away from the reality of security. Cryptography guru Bruce Schneier explains some of the cognitive biases behind our poor risk assessment in cybersecurity and how to overcome them. 2. Chris Domas: The 1s and 0s Behind Cyber Warfare Cybersecurity researcher Chris Domas recounts how a 30-hour session in the lab spent deciphering a binary code led to an epiphany about a better method for humans to process that kind of data. Domas breaks down how the act of translating binary information into a visual abstraction can save researchers tons of time—and potentially save lives. 3. Caleb Barlow: Where Is Cybercrime Really Coming from? The former vice president at IBM Security proposes to respond to cybercrime with the same collective effort we apply to a health crisis like Covid-19: sharing timely information about who is infected and how the disease is spreading. According to Barlow, we need to democratize risk intelligence data. We need to get public and private organizations to open up and share their private arsenal of information. Cyberattackers are moving fast, so we need to move faster. And the best way to do that is to open up and share data about what is happening. If you don't share, then you're part of the problem. 4. Mikko Hypponen: Fighting Viruses, Defending the Internet It's been 25 years since the first PC virus (Brain A) hit the net spreading from diskette to diskette. What was once an annoyance has now become a sophisticated tool for crime and espionage. In this talk, Hypponen explains how the economy of cybercrime work. 5. Ralph Langnet: Cracking Stuxnet, a 21st-century Cyber Weapon When first discovered in 2010, the Stuxnet computer worm posed a baffling puzzle. Beyond its unusually high level of sophistication loomed a more troubling mystery: its purpose. Ralph Langner and team identified that Stuxnet was a cyberphysical attack aimed at a specific target. They identified that such target was the Iranian nuclear program (something no one wanted to believe for months) and analysed the exact details of how this attack, or more accurately these two attacks, were meant to work. In this talk you will learn how targeted attacks against critical infrastructure work. 6. Mikko Hypponen: Three Types of Online Attack There are three major groups of cyberattackers: cybercriminals (who seek to get rich by running illegal online businesses), hacktivists (who seek to protest and change political situations), and governments. Governments seek to spy on and control citizens. Yes, even in Western democracies: Your government is spying on you. 7. Avi Rubin: All Your Devices Can Be Hacked Cyberattacks go beyond computer damage and data theft. They can also kill. This talk explains how device hacking with actual impact on human lives work: medical devices, vehicles, etc. Any device with software can be vulnerable. It will contain bugs that will be exploited. We can't forget that all technology must incorporate security. 8. James Lyne: Everyday Cybercrime and What You Can Do about It Are you aware of what your devices reveal about you? How much security and privacy do you give away in exchange for convenience and usefulness? Malware works because 99% of victims don't take the most basic precautions. How does malware attack? What can happen to you? And how can you protect yourself? James Lyne will teach it to you over this talk. 9. Lorrie Faith Cranor: What's Wrong with Your Pa$$w0rd? To fight against the weaknesses of text-based passwords, both inherent and user-induced, administrators and organizations often establish a set of rules -a password policy- that users must follow when choosing a password. What should a good password look like? After studying thousands of real passwords to div out the most surprising and common user’s mistakes, Lorrie Cranor has some answers. 10. Finn Myrstad: How Tech Companies Deceive You into Giving up Your Data and Privacy What's the point of protecting your home with a lock if anyone can get in through a connected device? Even though you never read the terms and conditions, you check the box saying you did, and Boom! You agree to have your personal information collected and used. Companies put the entire burden on the consumer. Technology will only benefit society if the most basic human rights are respected, such as privacy.

In order to customize their products and services and offer increasingly better features that make them more valuable and useful, companies need to know information about their users. The more they know about them, the better for them and better (allegedly) for their users. But of course, much of this information is sensitive or confidential, which represents a serious threat to users’ privacy. So, how can a company know everything about its customers and at the same time not know anything about any particular customer? How can their products provide great features and great privacy at the same time? The answer to this paradox lies in ‘differential privacy’: learning as much as possible about a group while learning as little as possible about any individual within it. Differential privacy allows obtaining knowledge of large data sets, but with a mathematical proof that no one can obtain information about a single individual of the set. Thanks to differential privacy you can know your users without violating their privacy. First of all, let's see the threat to privacy of large data sets. Neither Anonymity nor Great Queries Ensure Privacy Imagine that a hospital keeps records of their patients and gives them to a company to make a statistical analysis of them. Of course, they delete personally identifiable information, such as name, surname, ID, address, etc. and only keep patients’ birth date, sex and zip code. What could go wrong? In 2015, the researcher Latanya Sweeney organized a re-identification attack on a set of hospital records. Hold on, because from newspapers stories she was able to personally identify (with names and surnames) 43% of the patients from the anonymized database. Actually, she claimed that 87% of the US population is uniquely identified by their birth date, gender and zip code. As you can see, the techniques of database anonymization fail miserably. In addition, the more anonymized a database is (the more personally identifiable information has been deleted), the less useful it is. And if only queries on large volumes of data and not on specific individuals are allowed? The ‘distinguishing attack’ deals with this case: let’s imagine it is known that Mr. X appears in a given medical database. We launch the following two queries: ‘How many people suffer from sickle cell anemia?’ and ‘How many people without the name X suffer from sickle cell anemia?’ Together, the answers to the two queries show the sickle cell state of Mr. X. According to the Fundamental Law of Information Recovery: ‘Overly accurate answers to too many questions will destroy privacy in a spectacular way.' And do not think that banning this pair of questions avoids distinguishing attacks, since the simple fact of rejecting a double query makes it possible information leakage. Something more is required to ensure privacy and, at the same time, to be able to do something useful with databases. There are different proposals to achieve differential privacy. Let's start with a very simple technique used by psychologists for over 50 years. Do You Want Privacy? Add Noise Imagine that I want to get the answer to an embarrassing question: have you ever scarfed a can of dog food? As it is a delicate matter, I propose answering as follows: Flip a non-trick coin. If it’s heads, flip the coin again and, whatever you get, say the truth. If it’s tails, then flip it again and say ‘yes’ if it’s heads and ‘no’ if it’s tails. Now your confidentiality is safe because no one can know if you answered the truth or if you selected a random result. Thanks to this randomization mechanism, plausible deniability has been achieved: even if your answer is seen, you can deny it and no one could prove otherwise. Actually, if you asked yourself why then the coin is flipped an extra time in the first case if it is not taken into account later, it is in order to protect you in situations where you may be watched while flipping the coin. And what about the accuracy of the study? Is it useful considering all the random data? The truth is that it is. As the statistical distribution of the results of flipping a coin is perfectly known, it may be removed from the data without any problem. Be careful! Math! Don't keep reading if you can’t stand equations. A quarter of positive responses are given by people who do not eat their dog's food and by three quarters of those who do. Therefore, if p represents the ratio of people who scarf cans of dog food, then we expect to get (1/4)(1- p)+(3/4) p positive responses. Consequently, it is possible to estimate p. And the more people are asked, the closer the calculated value of p will be to the real value. As it happens, this idea (with some additional complication) was adopted by Google in 2014 for its RAPPOR (Randomized Aggregatable Privacy-Preserving Ordinal Response) project. According to Google, "RAPPOR provides a new and modern way to learn software statistics that we can use to better safeguard the safety of our users, find errors and improve the overall user experience". Of course, while protecting users’ privacy. Or so they say. The good point is that you can examine the RAPPOR code on your own to verify it. Differential Privacy Beyond Randomized Responses Randomized responses are a simplified way to achieve differential privacy. The most powerful algorithms use Laplace distribution to spread noise throughout all data and thus increase the level of privacy. And there are many others, included in the free download book The Algorithmic Foundations of Differential Privacy. What all of them have in common, though, is the need to introduce randomness in one way or another, typically measured by a parameter ε, which may be as small as desired. The smaller ε, the greater the privacy of the analysis and the lower the accuracy of the results, since the more information you try to query your database, the more noise you need to inject in order to minimize the leakage of privacy. This way, you will be inevitably facing a fundamental compromise between accuracy and privacy, which may be a big issue when complex Machine Learning models are being trained. And what is even worse: no matter how small ε is, every query leaks information, and by each new query, the leak becomes larger. Once you cross the privacy threshold that you had preset, you cannot go ahead or you will start leaking personal information. At that point, the best solution may be to simply destroy the database and start over, which seems hardly feasible. Therefore, the price to pay for privacy is that the result of a differentially-private analysis will never be accurate, but an approximation with expiration date. You cannot have it all! Or maybe you can? Fully homomorphic encryption and secure multi-party computation allow 100% private and 100% accurate analysis. Unfortunately, these techniques are currently too inefficient for real applications of the magnitude of Google’s or Apple’s. Too Pretty to Be True: Where Is the Trick? Since in 2016 Apple announced that iOS 10 would include differential privacy, the concept has moved from cryptographers’ boards to users' pockets. Unlike Google, Apple has not released its code, so it cannot be known exactly what type of algorithm it uses or if this is used with guarantees. In any case, it seems a positive sign that giants like Google and Apple take steps, even if shy, in the right direction. Thanks to cryptography, you have at your fingertips resources to know your users and at the same time safeguard their privacy. Let us hope that the use of these algorithms will become popular and other giants, such as Amazon or Facebook, will also start to implement them.

Anyone who causes harm by forecasting should be treated as either a fool or a liar. Some forecasters cause more damage to society than criminals. —Nassim Taleb, The Black Swan, 2007 In 1957, the Sydney Opera House was expected to cost $7 million and to take 4 years to be carried out. Finally, it took 14 years to be completed for around $102 million, resulting in a cost overrun of 1,400%! Probably the highest in the whole History. Cost overruns and delays constitute a constant in engineering works: the Panama Canal, the new headquarters for the European Central Bank, the M-30 tunnels, the Madrid-Barcelona high-speed train, the Pajares turn-off (variante de Pajares), the Barajas Airport T4, the L9 of the Barcelona metro… It is an endless list. After having studied hundreds of works in 20 countries over the last 70 years, Bent Flyvbjerg −Infrastructure Policy Expert and Professor at Oxford University−, concluded that 90% of the projects were not able to meet the budget. And this does not happen only with big civil works, but also with major engineering projects: the A400M Airbus, the Australian F-100, or the Galileo project intended to replace the GPS, that has accrued 10.000 EUR million in terms of cost overruns and a 15-year delay. Imagine! What about your projects? Are they more resource-intensive than it was originally budgeted? Do they take longer than expected to be completed? Why we are so bad estimating costs and deadlines: the tension between inside and outside views Throw the first stone if you have never been over-optimistic when estimating the time and resource costs needed to complete something! The psychologists Daniel Kahneman and Amos Tversky coined the term planning fallacy to refer to this paradoxical phenomenon: although all of us have miserably failed time and again when estimating the completion time and execution budget of all type of personal and professional projects where we have been involved, the next time our planning remains absurdly optimistic! In his book Thinking, Fast and Slow, Daniel Kahneman explains how you can address a problem by using an inside view or an outside view: When you use the inside view, you focus on your specific circumstances and search for evidence in your similar experiences, including anecdotal evidences and fallacious perceptions. You imagine idyllic scenarios where everything goes according to plan. Nevertheless, in addition to all the variables that you consider on your mind, there is an incalculable volume of unknown and undeterminable variables: diseases, accidents, security incidents, breakdowns, disagreements within a team, other projects that are more relevant, firings, unforeseen exhausted funds, strikes… so many unexpected things may happen! Unfortunately, it is impossible to anticipate all of them. What is clear is that the likelihood that something goes wrong increases as the project is more ambitious. In summary, we underestimate what we don’t know. Conversely, when you use the outside view you are looking beyond yourself —beyond your own experience, beyond the details of a particular case— and paying attention to additional objective information, such as the base rate. Instead of thinking that your project is unique, you look for similar projects and check their data on average budget and duration. Unfortunately, you tend to discard, even to scorn, the outside vision. When statistical information of similar cases comes into conflict with your personal feelings, you will reject the data. After all, those projects were so long and had such a high cost because other people executed them, but you are different and the same thing might not happen to you, right? Let’s see it from a different angle, thanks to this piece of dialogue from a real conversation between two parents: “I’m going to enroll my son at the TAI School.” “Are you sure? It’s really elitist. The probability to be admitted is quite low, only 8%.” “Well, the probability of my children will be close to 100%, his grades are excellent.” This father thinks that his son has a very great probability to be admitted because, indeed, the child is quite intelligent and his grades are excellent… as the hundreds of children that apply for this school every year, of whom only 8 out of 100 are admitted. This father is only using its inside view to evaluate the situation. Sadly, the best probability estimation that his son will be admitted to that school remains 8%, that is, the base rate. To sum up, the outside view looks for similar situations that may provide a statistical basis to make a decision: Have other people faced similar problems in the past? What did it happen? Since we consider the outside view is an unnatural way of think, we prefer to believe that our situation is unique. According to Kahneman in Thinking, Fast and Slow: In the competition with the inside view, the outside view doesn’t stand a chance Welcome to Lake Wobegon, where all the children are above the average Acknowledge that your perception of events is asymmetrical. According to a high number of psychology experiments: You attribute your successes to your skills and your failures to your bad luck, exactly the opposite of how you apprehend successes and failures of others. You consider yourself more intelligent than others. You think you are a better driver than others. You think your marriage will last longer than others. In essence, you think you are special. Well, this is another thought error known as optimism bias. This bias is closely related to the illusory superiority. In other words, we believe within ourselves that we are different, when actually we are all quite similar. The optimism bias plays a critical role in the planning fallacy. As explained by the expert Bent Flyvbjerg in his study mentioned above: “In the grip of the planning fallacy, managers make decisions based on delusional optimism rather than on a rational weighting of gains, losses, and probabilities. They overestimate benefits and underestimate costs. They involuntarily spin scenarios of success and overlook the potential for mistakes and miscalculations. As a result, managers pursue initiatives that are unlikely to come in on budget or on time, or to deliver the expected returns.” Not everything is our imperfect thought's fault The optimism of planners and those who make decisions is not the only cause of these increases. In Thinking, Fast and Slow Kahneman points out other factors: “Errors in the initial budget are not always innocent. The authors of unrealistic plans are often driven by the desire to get the plan approved—whether by their superiors or by a client—supported by the knowledge that projects are rarely abandoned unfinished merely because of overruns in costs or completion times.” In order to obtain funding at all costs, overstating the returns of the coming project and easing the risks and costs is frequent. In such a way, Bent Flyvbjerg provides a formula that stresses this pernicious spiral where the projects that are best presented are the most funded ones: Underestimated costs + Overestimated benefits = Funding At the end, people don’t fund real projects, but idealized versions of them with oversized returns, while costs and problems are swept under the rug. What you can do to better plan your next project Statistical information on similar projects may save us from the planning fallacy. However optimistic you are, you may expect to find, on average, similar bottlenecks to those faced by similar projects’ teams. Bent Flyvbjerg suggested the method known as Reference class forecasting to set the optimism bias aside when forecasting projects’ completion time and cost. Reference class forecasting requires the following three steps for your particular project: Identify a relevant reference class of past projects. The class must be wide enough to be statistically significant, but also restricted enough to be truly compared with your project. Naturally, the rarer the problem you are dealing with, the more difficult this step will be. In case of common decisions (at least for others, although not for you), reference class identification is immediate. Establish a probability distribution for the selected reference class. This requires access to credible empirical data for a sufficient number of projects within the reference class in order to obtain statistically significant conclusions. Compare your project with the reference class distribution, in order to establish the most likely outcome for your project. When evaluating plans and forecasting, we tend to focus on what is different, leaving behind that the best decisions often focus on identical factors. Even if the situation you are dealing with seems to be a little different, at the moment of truth it is almost always the same. However painful it may be, let’s assume we are not as special as we think. Learn from ancient stoic philosophers to think about what may go wrong: project premortem analysis It is attributed to Seneca the meditation exercise that Stoics called premeditatio malorum: something like a reflection on what may go wrong before undertaking an enterprise. For instance, before undertaking a sea journey, what may go wrong? A storm may break, the captain may get sick, the ship may be attacked by pirates, etc. In this way, you may get yourself ready for these eventualities. And in case nothing can be done, if the worst happens, at least it will not catch you by surprise. The American psychologist Gary Klein takes this old idea up and recommends performing a premortem analysis of the project under study: “A premortem in a business setting comes at the beginning of a project rather than the end, so that the project can be improved rather than autopsied. Unlike a typical critiquing session, in which project team members are asked what might go wrong, the premortem operates on the assumption that the “patient” has died, and so asks what did go wrong. The team members’ task is to generate plausible reasons for the project’s failure.” If you wish to apply this analysis, try to give the following speech to your team: “Imagine that a year has passed. We have followed the project to the letter. The project has failed spectacularly. Over the next few minutes those in the room independently write down every reason they can think of for the failure—especially the kinds of things they ordinarily wouldn’t mention as potential problems.” The reasons that have been pointed out will show you how things might happen. After all, a premortem may be the best way to avoid a painful postmortem. Gonzalo Álvarez Marañón @gonalvmar Innovation and Labs (ElevenPaths) www.elevenpaths.com

In the first part of this article we explained how Bayesian inference works. According to Norman Fenton, author of Risk Assessment and Decision Analysis with Bayesian Networks: Bayes’ theorem is adaptive and flexible because it allows us to revise and change our predictions and diagnoses in light of new data and information. In this way if we hold a strong prior belief that some hypothesis is true and then accumulate a sufficient amount of empirical data that contradicts or fails to support this, then Bayes’ theorem will favor the alternative hypothesis that better explains the data. In this sense, it is said that Bayes’ Theorem is scientific and rational, since it forces our model to “change its mind”. The following case studies show the variety of applications of the Bayes’ Theorem to cybersecurity. Case Study 1: The success of anti-spam filters One of the first successful application cases of Bayesian inference in the field of cybersecurity were Bayesian filters (or classifiers) in the fight against spam. Determining if a message is spam (junk mail, S) or ham (legitimate mail, H) is a traditional classification problem for which Bayesian inference was especially suitable. The method is based on studying the probability that a number of words may appear on spam messages compared to legitimate messages. For example, by checking spam and ham history logs the probability that a word (P) may appear on a spam message (S) may be estimated as Pr(P|S). Nevertheless, the probability that it may appear on a legitimate message is Pr(P|H). To calculate the probability that a message will be spam if it includes such Pr(S|P) word we can use once again the useful Bayes’ equation, where Pr(S) is the base rate: the probability that a given e-mail will be spam. Statistics report that 80% of e-mails that are spread on the Internet are spam. Therefore, Pr(S) = 0.80 and Pr(H) = 1 – Pr(S) = 0.20. Typically, a threshold for Pr(S|P) is chosen, for instance 0.95. Depending on the P word included in the filter, a higher or lower probability compared to the threshold will be obtained, and consequently the message will be classified as spam or as ham. A common simplification consists in assuming the same probability that the one assumed for spam and ham: Pr(S) = Pr(H) = 0.50. Moreover, if we change the notation to represent p = Pr(S|P), p1 = Pr(P|S) and q1 = Pr(P|H), the previous formula is as follows: But of course, trusting a single world to determine if a message is spam or ham may lend itself to a high number of false positives. For this reason, many other words are usually included in what is commonly known as Naive Bayes classifier. The term “naive” comes from the assumption that searched words are independent, which constitutes an idealization of natural languages. The probability that a message is spam when containing these n words may be calculated as follows: So next time you open your e-mail inbox and this is free from spam, you must thank Mr. Bayes (and Paul Graham as well). If you wish to examine the source code of a successful anti-spam filter based on Naive Bayes classifiers, take a look at SpamAssassin. Case Study 2: Malware detection Of course, these classifiers may be applied not only to spam detection, but also to other type of threats. For instance, over last years, Bayesian inference-based malware detection solutions have gained in popularity: For Worm Malware Detection. For Android Malware Detection. For Android Malware Classification, correlating with permission requests as well. Case Study 3: Bayesian Networks Naive Bayesian Classification assumes that studied characteristics are conditionally independent. In spite of its roaring success classifying spam, malware, malicious packets, etc. the truth is that in more realistic models these characteristics are mutually interdependent. To achieve that conditional dependence, Bayesian networks were developed, which are capable of improving the efficiency of rule-based detection systems ꟷmalware, intrusions, etc. Bayesian networks are a powerful type of machine learning for helping decrease the false positive rate of these models. A Bayesian network of nodes (or vertices) that represent random variables, and arcs (edges) that represent the strength of dependence between the variables by using conditional probability. Each node calculates the posterior probability if conditions of parent nodes are true. For example, in the following div you can see a simple Bayesian network: And here you have the probability of the whole network: Pr(x1,x2,x3,x4,x5,x6) = Pr(x6|x5)Pr(x5|x3,x2)Pr(x4|x2,x1)Pr(x3|x1)Pr(x2|x1)Pr(x1) The greatest challenges for Bayesian networks are to learn the structure of this probability network and train the network, once known. The authors of Data Mining and Machine Learning in Cybersecurity present several examples of applications of Bayesian networks to cybersecurity, as the following one: In this network configuration, a file server ꟷhost 1ꟷ provides several services: File Transfer Protocol (FTP), Secure Shell (SSH), and Remote Shell (RSH) services. The firewall allows FTP, SSH and ANDRSH Traffic from a user workstation (host0) to the server 1 (host1). The two numbers in parenthesis show origin and destination host. The example addresses four common vulnerabilities: sshd buffer overflow (sshd_bof), ftp_rhosts, rsh login (rsh) and setuid local buffer overflow (Local_bof). The attack path may be explained by using node sequences. For example, an attack path may be presented as ftp_rhosts (0, 1) → rsh (0, 1) → Local_bof (1, 1). Values of conditional probability for each variable are shown in the network graphic. For instance, the Local_bof variable has a conditional probability of overflow or no overflow in user 1 with the combinational values of its parents: rsh and sshd_bof. As it may be seen: Pr(Local_bof(1,1) = Yes|rsh(0,1) = Yes,sshd_bof = Yes) = 1, Pr(Local_bof (1, 1) = No|rsh(0, 1) = No,sshd_bof(0, 1) = No) = 1. By using Bayesian networks, human experts can easily understand the structure of the network as well as the underlying relationship between the attributes among data sets. Moreover, they can modify and improve the model. Case Study 4: The CISO against a massive data breach In How to Measure Anything in Cybersecurity Risk, the authors present an example of Bayesian inference applied by a CISO. In the scenario raised, the CEO of a large organization calls his CISO because he is worried about the publication of an attack against other organization from their sector, what is the probability that they may suffer a similar cyberattack? The CISO gets on with it. What can he do to estimate the probability of suffering an attack, apart from checking the base rate (occurrence of attacks against similar companies in a given year)? He decides that performing a pentest could provide a good evidence on the possibility that there is a remotely exploitable vulnerability, that in turn would influence on the probability of suffering such attack. Based on his large experience and skills, he estimates the following probabilities: The probability that the pentest result suggests that there is a remotely exploitable vulnerability, Pr(T) = 0.01 The probability that the organization hides a remotely exploitable vulnerability in case of positive pentest, Pr(V|T) = 0.95; and in case of negative pentest Pr(V|¬T) = 0.0005 The probability of successful attack if such vulnerability exists, Pr(A|V) = 0.25; and if it does not exist Pr(A|¬V) = 0.01 These prior probabilities are his previous knowledge. Equipped with all them as well as the Bayes’ equation, now he can calculate the following probabilities, among others: The probability of successful attack: Pr(A) = 1.24% The probability of a remotely exploitable vulnerability: Pr(V) = 1.00% The probability of successful attack if the pentest provides positive results: Pr(A|T) = 23,80%; and if it provides negative results: Pr(A|¬T) = 1.01% It is clear how pentest results are critical to estimate the remaining probabilities, given that Pr(A|T) > Pr(A) > Pr(A|¬T). If a condition increases the prior probability, then its opposite should reduce it. Of course, the CISO’s real work life is much more complex. This simple example provides us a glimmer of how Bayesian inference may be applied to modify judgements according to evidences accumulated in an attempt to reduce uncertainty. Beyond classifiers: Bayesians' everyday life in cibersecurity Does this mean that since now you need to carry an Excel sheet everywhere in order to estimate prior and posterior probabilities, likelihoods, etc.? Fortunately, it doesn’t. The most important aspect of Bayes’ theorem is the concept behind Bayes’ view: getting progressively closer to the truth by constantly updating our belief in proportion to the weight of evidence. Bayes reminds us how necessary it is for you to feel comfortable with probability and uncertainty. A Bayesian cybersecurity practitioner: Has the base rate in mind: most of the people focus on the new evidence and forget the base rate (prior knowledge). It is a well-known bias that we discussed when explained the representativeness heuristic: we pay more attention to anecdotal evidence than to the base rate. This bias is usually known as base rate fallacy as well. Imagines that his model is flawed and ask himself: what may go wrong? Excessive trust in the extent of your own knowledge may lead you to very bad decisions. In a previous article we examined the confirmation bias: we tend to prioritize that information confirming our hypotheses, ideas and personal beliefs, no matter whether they are true or not. The greatest risk of this confirmation bias is that if you are looking for a single type of evidence, you will certainly find it. You need to look for both types of evidences: for the one that refutes your model as well. Updates his beliefs: the new evidence impacts on the initial belief. Changing your mind in light of a new evidence is a sign of strength, not of weakness. These changes do not have to be extreme, but incremental as evidences are accumulated in one direction or another. Riccardo Rebonato, author of Plight of the Fortune Tellers: Why We Need to Manage Financial Risk Differently, asserts: According to the Bayesian view of the world, we always start from some prior belief about the problem at hand. We then acquire new evidence. If we are Bayesians, we neither accept in full this new piece information, nor do we stick to our prior belief as if nothing had happened. Instead, we modify our initial views to a degree commensurate with the weight and reliability both of the evidence and of our prior belief. First part of the article: » How to forecast the future and reduce uncertainty thanks to Bayesian inference (I).

Imagine that you come back home from San Francisco, just arrived from the RSA Conference. You are unpacking your suitcase, open the drawer where you store your underwear and… what do you discover? A piece of underwear that is not yours! Naturally, you ask yourself: How probable is that my partner is cheating on me? Bayes' theorem to the rescue! The concept behind the Bayes' theorem is surprisingly straightforward: By updating our previous beliefs with objective new information, we get a new improved belief We could formulate this almost philosophical concept with simple math as follows: New improved belief = Previous beliefs x New objective data Bayesian inference reminds you that new evidences force you to check out your previous beliefs. Mathematicians quickly coined a term for each element of this method of reasoning: “Prior”is the probability of one’s previous beliefs. “Likelihood” is the probability of a new hypothesis based on new objective data. “Posterior” is the probability of a new examined belief. Naturally, if you apply the inference several times in a row, the new prior probability will get the value of the old posterior probability. Let’s see how Bayesian inference works through a simple example from the book Investing: The Last Liberal Art. Bayesian inference in action We have just ended several dice board games. While we are storing all pieces in their box, I roll a dice and cover it with my hand. “What is the likelihood of having a 6?” ꟷI ask you. “Easy”, ꟷyou answerꟷ “1/6”. I check carefully the number under my hand and say: “It is an even number. What is the likelihood of still having a 6?”. Then, you will update your previous hypothesis thanks to the new information provided, so you will answer that the new probability is 1/3. It has increased. But I give you more information: “It is not 4”. What is the probability now that there is a 6? Once again, you need to update your last hypothesis with the new information provided, and you will reach the conclusion that the new probability is 1/2, it has increased again. Congrats!! You have just carried out a Bayesian inference analysis!! Each new objective data has forced you to check out your original probability. Let’s analyze, armed with this formula, your partner’s supposed unfaithfulness. How to apply Bayesian inference to discover if your partner is unfaithful to you Turning to the initial question: Is my partner cheating on me? The evidence is that you have found strange underwear in your drawer (RI); the hypothesis is that you are interested to evaluate the probability that your partner is unfaithful to you (E). Bayes’ theorem may clarify this issue, provided that you know (or are ready to estimate) three quantities: What is the probability that, if your partner is cheating on you, stranger underwear may be found in your drawer, Pr(RI|E)? If your partner is indeed cheating on you, imaging how such underwear arrived at your drawer is quite easy. However, even (or maybe particularly) if your partner is unfaithful to you, you can expect your partner to be more careful. We can state that the probability that such piece of underwear appears in your drawer if your partner is being unfaithful is 50%, this is Pr(RI|E) = 0,50. What is the probability that, if your partner is faithful to you, stranger underwear may be found in your drawer, Pr(RI|¬E)? Maybe your partner buys in secret opposite-sex underwear and uses it when you are out ꟷstranger things have happened. Maybe a platonic friend of your partner, who you fully trust, has spent one night at home. Maybe it was a present for you and your partner forgot to wrap it. No one of these theories are intrinsically insupportable, although they make us remember that old pretext: “the dog ate my homework”. Jointly, a 5% probability may be attributed to them, this is Pr(RI|¬E) = 0,05. Finally, and most importantly, you need the prior probability. How much did you believe in your partner’s unfaithfulness before finding that stranger underwear in your drawer, Pr(E)? Of course, it will be difficult for you to be fully objective now that you have discovered that mysterious clothing. In an ideal scenario, the prior probability will be settled before starting to examine the evidence. Fortunately, sometimes it is possible to empirically estimate this data. Specifically, according to statistics, roughly 4% of married couples are unfaithful to their partners in a given year. This is the base rate, so you set it as your prior probability: Pr(E) = 0,04. Obviously, the probability that your partner has not been cheating on you is Pr(¬E) = 1 − Pr(E) = 0,96. Assuming a good work when estimating these values, now you only need to apply the Bayes' theorem to set the posterior probability. In order to make these calculations easier, let’s assume a group of 1,000 couples ꟷrepresented through the big green rectangle of the following image. It is easy to see that, if 40 out of 1,000 people cheat on their partner, and half of them forget their lover’s underwear in their partner’s drawer, 20 people have forgotten underwear (group 4). Furthermore, out of 960/1,000 people that don’t cheat on their partners, 5% have let underwear in their partner’s drawer by mistake, this is, 48 people (group 2). By adding both divs we have as a result 68 mysterious pieces of underwear that will have appeared spread over couples’ drawers (group 2 + group 4). Consequently, if you find a strange piece of underwear in your drawer, what is the probability that your partner is cheating on you? It will be the number of pieces of underwear found when couples are unfaithful to their partners (4) divided into the total number of pieces of underwear found, belonging to both unfaithful and faithful partners (2 + 4). There is no need to calculate anything, it jumps out at you that a strange piece of underwear is more likely due to a faithful than to an unfaithful partner. In fact, the exact value of the posterior probability is: Pr(E|RI) = 20/68 ≈ 29%. We can mathematically collect the quantities from the previous image by following the so-called Bayes’ equation: By replacing the appropriate numerical values, we obtain once again the probability that your partner is cheating on you: only 29%! How do you get this unexpectedly low result? Because you have started from a low prior probability (base rate) of unfaithfulness. Although your partner’s explanations of how that underwear has got into your drawer are rather unlikely, you started from the premise that your partner was faithful to you, and this weighed heavily on the equation. This is counterintuitive, because… Is not that piece of underwear in your drawer an evidence of your partner’s guilt? Our System I heuristics, adapted to quick and intuitive judgements, prevent us from reaching better probability conclusions based on the available evidence. In this example, we pay excessive attention to the evidence (strange piece of underwear!) and forget the base rate (only 4% of unfaithfulness). When we let ourselves to be dazzled by new objective data at the expense of previous knowledge, our decisions will be consistently suboptimal. But you are a Bayesian professional, right? So, you will give your partner the benefit of the doubt. Mind you, you could make a remark and tell your partner not to buy opposite-sex underwear, not to give you underwear, or not to invite a platonic friend to spend a night. Under these conditions, the probability that in the future a strange piece of underwear may appear in your drawer if your partner is faithful to you will be at most 1%, this is Pr(RI|¬E) = 0,01. What would it happen if a few months later you find again strange underwear in your drawer? How would it change now your certainty belief that your partner is guilty? As a new evidence appears, a Bayesian practitioner will update their initial probability estimation. The posterior probability that your partner was cheating on you the first time (29%) will become the prior probability that your partner is cheating on you this second time. Bayesian practitioners adapt their evaluation of future probability events according to the new evidence. If you reintroduce the new values in the previous formula, Pr(E) = 0,29 y Pr(RI|¬E) = 0,01, the new posterior probability that your partner is being unfaithful will be 95%. Now you have grounds for divorce! This illustrative example, from The Signal and the Noise: The Art and Science of Prediction, shows that: We let ourselves be dazzled by evidence when this is striking, vivid, and emotional. When our initial beliefs are very robust, they may be surprisingly impenetrable to the new evidence against them. In the following part of this article, we will go over several case studies where Bayesian inference is successfully applied to cybersecurity. Second part of this article: » How to forecast the future and reduce uncertainty thanks to Bayesian inference (II). Gonzalo Álvarez Marañón Innovation and Labs (ElevenPaths) gonzalo.alvarez@global.11paths.com

Before starting your workday, while your savoring your morning coffee, you open your favorite cybersecurity newsletter and an advertisement on a new Intrusion Detection System catches your attention: THIS IDS IS CAPABLE OF DETECTING 99% OF ATTACKS! “Hmmm<, not bad”, you think, while taking a new sip of coffee. You scroll down taking a look at a few more news, when you see a new IDS advertisement: THIS IDS IS CAPABLE OF DETECTING 99.9% OF ATTACKS! At first glance, which IDS is better? It seems obvious: the best will be the one which is capable of detecting a higher number of attacks, this is, the ID that detects 99.9%, against the 99% one. Or maybe not? I’m going to make it easier. Imagine that you find a third advertisement: THIS IDS IS CAPABLE OF DETECTING 100% OF ATTACKS! This IDS is definitely the bomb! It detects everything! Ok, it detects everything but… at what price? See how easy is to obtain a 100% detection rate IDS: you only have to tag every incoming packet as malicious. You will obtain 100% detection by 100% false positives. Here, a second actor comes into play −often overlooked when data on attack detection effectiveness is provided: how many times the system has raised the alarm when there was no attack? The detection problem There is high number of cybersecurity applications that address the challenge of detecting an attack, anomaly or a malicious behavior: IDSs must detect malicious packets from the legitimate traffic. Antispam filters must find the junk mail (spam) among regular mail (ham). Antiviruses must discover disguised malware among harmless files. Applications’ firewalls must separate malicious URLs from benign ones. Airport metal detectors must point out weapons and potentially dangerous metallic objects, instead of inoffensive objects. Vulnerability scanners must warn about vulnerabilities in services or codes. Cyberintelligence tools such as Aldara must know whether a conversation in social networks might become a reputational crisis, or if a Twitter account is a bot or is used by a terrorist cell. Log analysis tools must identify correlated events. Network protocol identification tools must correctly tag the packets. Lie detectors must discern if a suspect is telling the truth or lying. And many other applications. You can add more examples in the comments below. In spite of their disparity, all these systems have a common feature: they generate alerts when they consider that a True Positive (TP) has been found. Unfortunately, they are not perfect and also generate alerts even if there is no malicious or anomalous activity, which is known as False Positive (FP). The following table shows all the possible response statuses of an IDS when it faces an incident. If the system detects an incident when it has actually occurred, it is working correctly: a True Positive (TP) has taken place. However, the system is malfunctioning if the incident has occurred, but the system does not warn about it: it results in a False Negative (FN). Similarly, if there is no incident and the system identifies it inaccurately, we will be facing a False Positive (FP), while we will be dealing with a True Negative (TN) if the system does not warn in such case. False alerts are as important as detections Let’s think about any detection system. For instance, an IDS that detects 99% of attacks is capable of tagging as malicious 99% of packets that are indeed malicious. In other words, the Detection Rate (DR), also known as True Positive Rate (TPR), is 0.99. Conversely, when there is a non-malicious incoming packet, the IDS is capable of tagging it as non-malicious in 99% of cases, meaning that the False Alert Rate (FAR) −also called False Positive Rate (FPR)− is 0.01. The truth is that in a conventional network the percentage of malicious packets is extremely low compared to legitimate packets. In this case, let’s assume that 1/100,000 packet is malicious, a div quite conservative. Given these conditions, our IDS warns that one packet is malicious. What is the likelihood that it will be malicious? Don’t rush to give an answer. Think about it again. And think about it carefully once again, do you have an answer? We will reach it step by step. In the following table, you will find a list of all the data for a specific example of 10,000,000 analyzed packets. Of all of them, 1 out of 100,000 are malicious, this is: 100; 99% of them will have been correctly identified as malicious, this is: 99 packets, while 1% −a single packet− has not been detected as malicious and no alarm has been raised: such packet has slipped through the system. The first column is completed. Moreover, the remaining 9,999,900 packets are legitimate. That said, the alarm will have sounded erroneously for 1% of these packets, summing up 99,999 packets; while for the remaining 99% the system did not sound the alert, that is: it maintained silence for a total of 9,899,901 packets. The second column is ready. Obviously, rows and columns must add the total amounts showed in the table. With this table, now we are able to quickly answer the previous question: What is the likelihood that a packet will be malicious if the system has tagged it as such? The answer is provided by the first row: only 99 of the 100,098 generated alerts corresponded to malicious packets. This means that the probability for that alert to be a malicious packet is quite exiguous: only 0.0989031%! You can check the calculations. It won’t get it right even one out of the thousand times that the alarm is raised. Welcome to the false positive problem! Many people are shocked by this result: how is it possible that it fails at that point if the detection rate is 99%? Because the legitimate traffic volume is overwhelmingly higher than malicious traffic volume! The following Venn diagram help to understand better what is happening. Even if it is not to scale, it shows how legitimate traffic (¬M) is much more frequent than malicious one (M). Indeed, it is 100,000 times more frequent. The answer for our question can be found in the section between the 3) area and the whole A area. This 3) area is quite small compared to A. Consequently, the fact that an alarm is raised does not mean too much in absolute terms regarding the danger of the analyzed packet. The most paradoxical fact is that it does not matter how the Detection Rate of this hypothetical IDS improves, nothing will change until its False Alert Rate decreases. Even in an extreme case, on the assumption that DR = 1.0, if the remaining parameters are left untouched, when the IDS sounds an alarm, the probability that this alarm will correspond to a real attack will remain insignificant: 0.0999011%! As we can see, it does not reach even one per thousand. For this reason, IDSs have such a bad name: if an IDS only gets right one out of the thousand times it warns, finally you will end up ignoring all its alerts. The only solution would be to improve the False Alert Rate, approaching it to zero as far as possible. The following graphic shows how detection effectiveness evolves, in other words: how as the False Alert Rate P(A|¬M) decreases, the probability P(M|A) that there will be a real malicious activity (M) −when the system raises an alert (A)− changes. Once examined the graphic, it is evident that however much the detection rate improves, it will never overcome the possible maximum effectiveness… unless the False Alert Rate decreases. In fact, results are bleak to an extent: even with a perfect 100% Detection Rate (P(A|M) = 1.0) to reach an effectiveness higher than 50%, P(M|A) > 0.5, it would be necessary to reduce the False Alert Rate under 1,E-05, a feat not likely to be achieved. In summary, it becomes clear that the effectiveness of detection systems (malware, network attacks, malicious URLs or spam ones), does not depend so much on the system’s capability to detect intrusive behavior, but on their capability to discard false alerts.Why you cannot ignore the Base Rate when evaluating the effectiveness of a system intended to detect any type of malicious behavior When evaluating the behavior of an IDS, three variables are interconnected: Detection Rate: how well the system identifies a malicious event as such. Ideally, DR = 1.0. This information is usually highlighted by the manufacturer, particularly when it is 100%. False Alert Rate: how well the system identifies a legitimate event as such, without tagging it as malicious. Ideally, FAR = 0.0. In practice, this value is usually far from being ideal. It is common to find values between 1% and 25%. Base Rate: what percentage of events are malicious in the context of the study. The higher the value is, −in other words, the more “peligroso” the environment is−, the more efficient the IDS will be, just because there are more malicious events, so logically by tagging any event as malicious the percentage of right detections would increase. The same IDS in two different contexts, one of them with a high base rate (many backdrop attacks), and the other one with a low base rate (few malicious events) will seem to magically improve its effectiveness. Actually, all that happens is that the higher number of attacks you receive, the more times you will be right in terms of detections by tagging anything as an attack. Manufacturers tend to highlight the first value and leave out the remaining two. That said, the False Alert Rate is as important as the Detection Rate. A given organization may waste thousands of hours investigating false alerts in malware, IDSs, logs, spam, etc. Important e-mails or critical files might be kept in quarantine, or event deleted. In the worst-case scenario, when the FAR is very high, the system is so annoying and resource-intensive to validate the alerts, that may be disabled or completely ignored. You have fallen into the alarm fatigue! At a time when most of the manufacturers of this type of tools reach detection rates close to 100%, pay attention to False Positives as well. And remember that the effectiveness of any solution will be completely conditioned by the base rate. The less prevalent a problem is, the more times the system will falsely shout: “The Wolf is coming!”. Gonzalo Álvarez Marañón @gonalvmar Innovation and Labs (ElevenPaths) www.elevenpaths.com

Imagine that there have been a few robberies in two parks of your town that have got all the attention for days. This afternoon you would like to go running around the park next to your home, so these incidents will quickly come to your mind, and this fact will make you think about the probability of being a victim of a robbery (or something worse) in that park. Your mind will make the following association: Park = Danger!!! The images you have watched on the TV and the Internet will make you overestimate the probability that you may be the next victim in any other park from a different town. As a consequence, you could avoid going running around the park near your home (or any other park) until the media echo ends. Only when you stop thinking "Park = Danger!!", you will frequent parks again. It is clearly an irrational behavior. In fact, your mind is using the following heuristic: if examples of something come easily to my mind, then that “something” must be common. This way, considering that when I think of “park” violent images come to my mind, then the probability of suffering a violent attack must be high. After all, who checks official statistics on muggings in parks? If two different persons have been assaulted in parks, this means that parks are danger places, no matter what statistics show, right? Well, that’s not right. Psychologists name this sense error availability bias: the easier to remember an event is, the more probable we think it is. We tend to overestimate the frequency of sensationalist causes and underestimate the frequency of mundane causes Humans are really bad at numbers, let alone at estimating probabilities. Our risk perception seldom matches its reality. We tend to exaggerate spectacular, new, vivid, recent and emotional risks. The final result: we worry about risks that we could ignore without problems and we do not pay enough attention to those risks alerted by evidences. The following table, adapted by Bruce Scheneier from scientific literature on the subject, summarizes how people perceive risks in general terms: The availability heuristic explains most of the behaviors listed in the previous table. Similarly, we make decisions (big and small ones) in our everyday life that have direct implications for security: Do I connect to this public Wi-Fi? Do I plug my pen drive into the USB port? Do I send this confidential file as an e-mail attachment? We estimate risks automatically without paying too much conscious attention: we do not use a calculator or incident frequency rates to determine probabilities, so we let ourselves be guided by this availability heuristic: an incident related to this security challenge comes quickly to my mind? Is it not the case? Then it must be unlikely, so the risk will be low. Is it the case? Then it will be quite likely, so the risk will be high. The point is: why some events are easier to remember than other ones? The answer to this question will help us make better security decisions and do not be easily influenced by others: sellers, bloggers, press, friends, etc. Vivid stories are etched on our memory In particular, researchers from the field have identified a number of factors that make an event be longer etched on our memory than other ones: Any emotional content makes memories last longer. One of the most powerful emotions in this regard is precisely the fear. You may have noticed it in many sensationalist news and advertisements on cybersecurity. Concrete words are better remembered than abstractions such as numbers. This is why anecdotes have a higher impact than statistical stories. Even if it pains us to accept it (weren’t we rational animals?), our decisions are more affected by vivid than by pale, abstract or statistical information. Human faces tend to be easily remembered, at least if they express emotions. For this reason, the most successful advertisements and campaigns’ main characters have their own identity. Events that have taken place recently are more easily remembered than old events. Memory degrades over time. If you are driving through a road and pass close to an accident you will be very aware of the risks of suffering one, so you will slow down and drive carefully along a few kilometers… until your conversation moves towards a different subject and you forget completely the accident. Similarly, the newness of an event helps it to be etched on our memory. Everyday events go unnoticed, but extraordinary actions catch our attention. As all students must know very well, concentration and repetition help with memorization. The more times information is presented, the better such information will be retained. How well publicists know this! All these are cumulative effects. In summary, and according to the social psychologist Scott Plous: i n very general terms: (1) The more available an event is, the more frequent or probable it will seem; (2) the more vivid a piece of information is, the more easily recalled and convincing it will be; and (3) the more salient something is, the more likely it will be to appear casual. Where do you think we can find stories matching all these requirements? In the media! If you see it on the news, don’t worry! As it happens with many other biases and thought shortcuts, the availability heuristic is valid in most of our everyday situations: if many examples of something come to our minds it’s because it has actually happened many times. I’m sure that men scientists spring to mind easily than women scientists, in the same way that our thoughts go first to U.S. global franchises than to Spanish ones, or to Champions League football players from Spain rather than from Malta. This is because there are many more examples of the first category than of the second. Therefore, the availability heuristic is useful most of the time, since the ease with we remember relevant examples constitutes a good shortcut to estimate their probability or frequency. Nevertheless, this shortcut is not infallible. Some events may simply be more remarkable than others, so their availability results in a poor indicator of their probability. Negative information reported on the news is to a great extent the responsible for feeding this heuristic. By definition, an event must happen rarely to be reported on the news. In fact, it must be really prominent to catch people’s attention. That way, news report on facts that are statistically irrelevant, so biasing our perception of events’ frequency. As a result, if people evaluate risk based on the ease with they remember several dangers, they will be worried especially about these dangers reported on the media, rather than about the dangers to which less attention is paid, even if these are the same or more lethal. This is why we tend to believe that we are more likely to die from an accident than a disease, since the brutal crash of two vehicles on a bridge over a cliff has a higher media coverage than death by asthma, even though 17 more people die from diseases than from accidents. But, of course, we see news of accidents everyday while hear of deaths by asthma if it happens to a friend or a relative. What’s more, some researchers have asserted that for this heuristic to work the event must not even have occurred actually. It may be pure fiction: we only need to have watched it in a movie or series. And, of course, audiovisual media are more vivid than written ones, (and they have more human faces!). Over time, we tend to forget where we saw the event ⸺if it was at the cinema, on the news…⸺. The source of information fades out and only the example itself (whether real or fictitious) survives. How reliable the availability of an example is! According to Daniel Kahneman: the world in our heads is not a precise replica of reality; our expectations about the frequency of events are distorted by the prevalence and emotional intensity of the messages to which we are exposed. How to survive the availability heuristic in the field of cybersecurity The first step to fight a bias is to be aware of its existence. If you have reached this point, you may have a clear idea about how our availability heuristic works. Since now, what can you do? As you already know, under the availability heuristic’s influence, users tend to overestimate the probability of vivid and surprising events and they will focus on easy-to-remember information. As a security manager you may take advantage of this effect by providing the users with simple and easy-to-remember stories instead of quoting statistical information and data: for instance, by sharing with them stories about how data exfiltration of a secret prototype led to an important case of industrial espionage where an unencrypted USB device had been stolen; instead of presenting the evidence that "more than half of employees have reported that they copied confidential information to USB flash drives, although 87% of these companies had policies forbidding this practice". Use repetition: the more you repeat a message (when good examples whenever possible) the more easily such examples will spring to users’ minds and, together with them, the message itself. Take advantage of the media noise caused by security incidents and use them as spreading vectors of your security messages. Keep away from abstractions and impersonal data: anchor your message to the last example about which everybody is talking. Pay more attention to statistics than to the daily danger. Don’t base your judgements on small samples of representative cases, but on big divs. The fact that something is currently appearing a lot in the media does not mean that it is frequent or highly risked; but just that it is newsworthy, that is to say: it constitutes a good story. Don’t trust your memory either. Draw upon data before deciding on an event’s frequency or magnitude. Under this heuristic, we feel more driven to implement security countermeasures after having suffered an incident than before. Check the statistics to understand what real risks we are exposed to. Don’t wait until to be hit to protect yourself. If the risk is high, ignore the media coverage that receives the danger. Protect yourself now! We remember easily an incident than the lack of incidents. After all, each incident it’s a story itself, while the lack of them doesn’t build such an attractive story. For instance, at the casino music from fruit-machines sounds at full volume when they win a jackpot. However, those that don’t win, do not sound at all. This asymmetry will make you think that jackpot is much more frequent than actually it is. Pay attention not only to what you see, but also to what you don’t see: it is easy to remember a successful virus, but difficult to keep in mind millions of viruses that were not so successful. Surround yourself with a team having numerous experiences and points of view. The simple fact of diversity will limit the availability heuristic, since your team members will challenge each other naturally. Use your contact network beyond your organization when making decisions. Allow others to provide you with points of view that simply could not exist within your organization. Among these groups there will be other stories biasing their judgments towards different directions. Hence, next time you make a decision, pause to ask yourself: “Am I making this decision because a recent event has come to my mind, or am I really considering other factors that I cannot remember so easily?”. The better we understand our personal biases, the better will be the decisions we take. Gonzalo Álvarez Marañón @gonalvmar Innovation and Labs (ElevenPaths) www.elevenpaths.com

You’re in a coffee bar and you need to connect your smartphone to a Wi-Fi, so you check your screen and see the following options. Imagine that you know or can ask for the key, in case it were requested, which one would you choose? Depending on your security awareness level, you will choose the first one: mi38, that seems to have the best signal; or v29o, that has not such a bad signal but is secured and requests a password. Imagine now that you are in the same coffee bar, but in this case you have the following list of Wi-Fi networks on your smartphone screen. Which one would you choose now? Whether your security awareness level is high or not, I’m pretty sure that you would choose 3gk6. What has changed? They are the same Wi-Fi networks, but presented in a different manner. You are not even aware, but this presentation will have influenced your decision. Welcome to the nudge power! Those nudges that sway your decisions without your knowledge In 2008 Richard Thaler and Cass Sunstein published Nudge: Improving Decisions about Health, Wealth, and Happiness, a book that helped to popularize the " Nudge theory" and the concept of " choice architecture". In this book the authors postulate that by designing carefully the options showed to the public, as well as the way such options are presented or framed, we are subtly influencing the decision made, without limiting the choice freedom. According to the authors, a nudge is: "any aspect of the choice architecture that alters people's behavior in a predictable way without forbidding any options or significantly changing their economic incentives." This book includes dozens of success cases of nudges and choice architectures: fly images etched on urinals that reduced spillage on men bathroom floors; fruits and vegetables that had been placed in front of the self-service tape increased purchases of these fruits and veggies more than if they had been placed at the end; displays along the road showing the speed of the vehicles approaching, so making them slow down; forms presenting the organ donation as default option when somebody dies that achieve vast differences in terms of divs between countries; and I could go on. This book is really fun and illustrative. As we previously saw in articles of this set, our rationality is limited and our decisions are systematically subdued to biases and heuristics that produce undesirable results in some complex situations. Nudges are supported by the theoretical framework of two cognitive systems: System I and System II. The main feature of these nudges is that they exploit our irrationality. Over the years, the concept of nudge has been shaped out and new definitions have appeared. A particularly useful definition is the behavioral scientist P. G. Hansen’s one: "A nudge is a function of (I) any attempt at influencing people’s judgment, choice or behavior in a predictable way (II) that is motivated because of cognitive boundaries, biases, routines, and habits in individual and social decision-making posing barriers for people to perform rationally in their own self-declared interests, and which (III) works by making use of those boundaries, biases, routines, and habits as integral parts of such attempts." This definition suggests the following nudges’ features: : They produce predictable results: they influence towards a predictable direction. They fight against irrationality: they intervene when people don’t act rationally in their self-interest due to their cognitive boundaries, biases, routines and habits. They tap into irrationality: they exploit people’s cognitive boundaries, heuristics, routines and habits to influence towards a better behavior. Let’s go back to the first example presented on Wi-Fi networks. According to Hansen’s definition, we can observe how the second way used to present the network list affects as follows: It produces predictable results: more users turn to the most secure choices. It fights against irrationality: it fights against the unthinking impulse of connection, that may be satisfied by the first Wi-Fi network with good signal appearing within the list, regardless of if it is open or secured. It taps into such irrationality: green elements are seen as more secure than red ones, we privilege the first options of a list against the last ones, we pay more attention to visual cues (locks) than to textual ones, we privilege (the supposed) speed over security, etc. And all this by showing the same networks, without forbidding any option or changing users’ economic incentives. That is to say, all these biases are being tapped to display the preferable option in the first place of the list, in green, including a lock in addition to text; and prioritizing by security as the first criterion as well as by connection speed as the second one. Ultimately, biases are analyzed, and a nudge is designed to tap into them, while respecting choice freedom. Several research works have materialized this Wi-Fi networks’ experiment successfully achieving to modify users’ behaviors towards more secure choices. In all the cases, these researches reached similar conclusions: Well-designed nudges have the power to influence decisions. This capacity for modifying behavior is greater as the probability that the user shows insecure behaviors increases. The power to alter behavior raises if several types of nudges are combined, so calling Systems I and II. How to influence your employees' security behavior Every day, people within your organization are dealing with a wide range of security decisions, in addition to choose a secure Wi-Fi: If I download and install this app, will it involve a risk for my security? If I plug this USB into the laptop, will it be an input vector for viruses? If I create this short and easy-to-remember password, will I be cracked? This is why security policies exist: they guide users’ behavior by requiring them to act as securely as possible within the organization’s security context and aims. However, are there other alternatives? Is it possible to guide people’s security choices while respecting their self-determination and without limiting the options? In other words: is it achievable that they act securely without them being aware of they are being influenced and feeling that their freedom is being limited? According to R. Calo, professor specialized in cyberlaw, there are three types of behavioral intervention: Codes: they involve manipulating the environment to make the undesirable (insecure) behavior (almost) impossible. For instance, if you want your system’s users to create secure passwords, you may refuse any password that does not follow the password security policy: "at least 12 characters long including both alphanumeric and special characters as well as upper and lower cases, and non-repeated regarding last 12 passwords". By doing so, the user does not have another choice than buckle under it or they will not be able to access the system. In general, all security guidelines not leaving options are included in this category: blocking USB ports to prevent potentially dangerous devices from being connected; restricting sites to be connected to a white list; limiting the size of e-mail attachments; and many others typically foreseen within organizational security policies. Codes are really effective to modify behaviors, but they do not leave choice neither exploit limited rationality, so they cannot be considered as "nudges". In fact, many of these measures do not have success among users and may lead to search for circumventions that betray completely their purpose, such as writing complex passwords in a post-it stuck to the monitor: by doing so, users are protected against remote attacks, but in-house attacks are eased and even fostered. Nudges: they exploit cognitive biases and heuristics to influence users towards wiser (secure) behaviors. For example, going back to passwords, if you want your system’s users to create more secure passwords according your security policy guidelines previously mentioned, you can add a password strength indicator for signup forms. Users feel the need to get a stronger password, so they are more likely to keep adding characters in order to complicate it until the result is a flamboyant green "robust password". Even if the system does not forbid weak passwords, so respecting users self-determination, this simple nudge increases drastically the complexity of created passwords. Notices: they are purely informative interventions intended to cause reflection. For instance, the introductory new-password form may include a message reporting on the expected characteristics of new passwords as well as on how important are strong passwords to prevent attacks from happening, etc. Unfortunately, informative messages are really ineffective, since users tend to ignore them and often do not consider them even intelligible. These notices cannot be considered either as "nudges", since they do not exploit biases neither cognitive boundaries. Nevertheless, their efficacy can be notably increased if they are combined with a nudge: for instance, by including the message and the strength indicator in the same password creation page. These hybrid nudges are aimed to call System I, quick and fast, as well as System II, slow and thoughtful, through informative messages. Therefore, to ensure the success of a behavioral intervention it will be desirable to call both types of processes. The most effective nudges in the field of information security Hybrid nudges are the most effective ones, since they combine thought-provoking information with any other cognitive trick that exploits biases or heuristics:: Default options: provide more than an option, but always make sure that the default option is the most secure one. By doing so, even if you allow users to select a different option, most of them will not do it. (Subliminal) information: a password creation website induces users to create stronger passwords if there are images of hackers, or simply of eyes, or even if the text is modified: “enter your secret” instead of “enter your password”. Targets: present a goal to the user, for instance: a strength indicator, a percentage indicator, a progress bar, etc. Like this, they will strive to accomplish the task. This type of intervention can be categorized as a feedback as well. Feedback: provide the user with information for them to understand if each action is achieving the expected result while a task is being executed. For example, by reporting on the security level reached over the set-up process of an application or service, or on the risk level of an action before tapping on “Send”. Mind you, the language must be carefully adapted to the recipient’s skill level. For instance, in this research, thanks to the use of metaphors known as "locked doors" and "bandits" users understood better the information and consequently made better choices. In this other study, researchers confirmed how to report periodically Android users on the permissions used by installed apps, so making them to check the permissions granted. In this other study, the same researchers reported users on how their location was being used. Consequently, they limited app access to their location. In another research, the fact of reporting about how many people can view your post in social networks led a high number of users to delete the post in order to avoid regretting. Conventional behavior: show the place of each user in relation to users’ average. Nobody likes to be behind, all the people want to be over the average. For instance, following a password selection, the message “87% of your colleagues have created a strong password” make those users that had created a weak password to reflect and create a more secure one. Order: present the most secure option at the top of the list. We tend to select the first option we see. Standards: use pictographic conventions: green means “secure”, red indicates “danger”. A lock represents security, and so on. Prominence: by highlighting the most secure options you attract people’s attention over them, so you facilitate their selection. The more visible an option is, the higher is its probability to be selected. Frames: you can present an action’s result as “making a profit” or “avoiding a loss”. Loss aversion tends to be a more powerful momentum. Nudges’ ethical implications As you may imagine, this issue is not without its ethical implications, since you are creating interventions with the aim of influencing users’ behavior by exploiting cognitive processes’ holes. In summary, we may say that you are hacking users’ brains. The researchers K. Renaud and V. Zimmermann have published a full paper where they explore nudges’ ethical guidelines in its broadest sense. This way, they state a number of general principles to create ethical nudges, so before launching yourself on the design of your own organizational nudges, I recommend you to think about the following five ethical principles: Autonomy: the end user must be free to choose any of the provided offers, regardless of the direction to where the nudge is addressed. In general terms, no option will be forbidden or removed from the environment. If any option is required to be limited due to security reasons, such fact must be justified. Benefit: the nudge must only be deployed when it provides a clear benefit, so the intervention is totally justified. Justice: as many people as possible must benefit from the nudge, and not only its author. Social responsibility: both nudge’s anticipated and unanticipated results must be considered. Pro-social nudges progressing towards the common good must be always contemplated. Integrity: nudges must be designed with scientific support, whenever possible. Use nudges for Good Nudges are becoming more usual in the field of cybersecurity with the aim of influencing people in order to make them choose the option that the nudge designer consider is the best or most secure one. New choice architectures are being explored as a means for designing better security making-decision environments without drawing on restrictive policies or limiting options. Even if the neutral design is a fallacy, be cautious and ethical when designing your organizational nudges: design them to help users to overcome those biases and heuristics that endanger their decisions on privacy and security. Push your organization to achieve a greater security, always respecting people’s freedom. Gonzalo Álvarez de Marañón Innovation and Labs (ElevenPaths) gonzalo.alvarez@global.telefonica.com

Every year we have more powerful computers with a higher calculation capacity, is that fact good or bad? Think twice before giving an answer. It depends. Because if global information security is based on the computing complexity of some functions, then the fact that computers are becoming ever faster will be very bad news. In fact, the sword of Damocles is hanging over our public-key encryption systems: RSA, DSA, ECDSA. Their security relies on the difficulty of achieving certain mathematical problems currently considered as untreatable, such as factoring large integers or solving discrete logarithms. The quantum computing big promise is that these mathematical problems will be rapidly solved. Is cryptography mortally wounded? Is there a hope for the world? Will we be able to continue communicating securely after the first quantum computers? Let’s see it step by step. What do we mean when we assert that a quantum computer is faster than a classical one? In Computer science, the objective is to find the most efficient (so, the fastest) algorithm to solve a given computational problem. With the aim to compare the efficiency of different algorithms, they are needed mechanisms for classifying computational problems according to the resources required to solve them. Such classification must be capable of measuring the inherent difficulty of the problem, regardless of any particular computing model. The resources to be measured may include: time, storage space, number of processors, etc. The main approach is usually the time and, sometimes, the space as well. Unfortunately, predicting the algorithm’s exact execution time regarding any kind of input is often difficult. In such situations, this time is approximated: it is examined how algorithm’s execution time increases as the input seize scales limitlessly. To represent these execution times and make their comparison easy, the big O notation is usually used: O(f(n)). According to this asymptotic notation, if a running time is O(f(n)), then for large enough n, the running time is at most k·f(n) for some constant k, although it may, of course, grow more slowly. The f(n) function represents the worst-case running time. For having a clearer idea of efficiency, the following list of functions in asymptotic notation is ordered by slowest to fastest growing: The secret for the speed of future quantum computers will rely on quantum algorithms, which are capable of tapping into qubits superposition. As it has been said, the execution time –for both classical and quantum algorithms– is measured by the number of basic operations used per algorithm. In case of quantum computing, this efficiency may be measured by using the quantum circuit model: a quantum circuit is a sequence of basic quantum operations called quantum gates, each one applied to a small number of qubits. The nemesis of cryptography is the so-called Shor’s algorithm: the exponentially fastest quantum algorithm when calculating discrete logarithms and factoring large integers, thereby capable of breaking RSA, DSA and ECDSA. Regarding the factoring challenge, given an integer n = p × q for some prime numbers p and q, our task is to determine p and q. The best classical algorithm known, the general number field sieve, runs in time exp(O(ln n)1/3(ln ln n)2/3)), while Shor’s quantum algorithm solves this problem substantially faster, in time O((log n)3). The Grover’s algorithm is also well-known. This algorithm can speed up searches on unordered data sequences of n elements. Indeed, one of the most basic problems in computer science is unstructured search. This problem can be formalized as follows: given the ability to evaluate a function f: {0, 1} n → {0, 1}, find x such that f(x) = 1, if such x exists; otherwise, output “not found”. It is easy to see that, with no prior information about f, any classical algorithm which solves the unstructured search problem with certainty must evaluate f a total of N = 2n times in the worst case. Even if we seek a randomized algorithm which succeeds, say, with probability 1/2 in the worst case, then the number of evaluations required is of order N. However, Grover’s quantum algorithm solves this problem using O(N 1/2) evaluations of f in the worst case. As you can see, it is not as dramatically fast as the Shor’s algorithm, nor does it constitute such a serious threat, since it can be counteracted just by doubling the key size. Currently, it seems there are no more algorithms in the quantum cryptanalyst’s repertoire. So, let’s see how Shor and Grover would affect the current cryptography if they could be executed nowadays. What would happen if currently we really had a super-powerful quantum computer? In the last entry we saw that the first error-corrected quantum computers of several thousands of logical qubits are expected to be built, at least, in 10 years. What would the state of classical cryptography be when facing quantum attacks? Asymmetric-key cryptography Let’s provide a context for these data: to break a 1024-bit RSA key would require a quantum computer that has around 2,300 logical qubits and less than 4 hours of computing time. It is a matter of such seriousness that the U.S. National Institute of Standards and Technology (NIST) has launched a project called Post-Quantum Cryptography, in order to look for options that could replace the current algorithms. The selection process for candidates is expected to have ended in 5 or 6 years. Symmetric-key cryptography The current standard for symmetric encryption is the algorithm called AES-GCM (Advanced Encryption Standard-Galois/Counter Mode), that supports three variable-key sizes: 128 bits, 192 bits or 256 bits. For instance, for a 128-bit key, a brute-force attack requires trying all the possible values of the key, in other words: 2 128 combinations. The Grover’s algorithm can quadratically speed this search up, meaning that it would require 2 64 operations. Consequently, to execute it on a quantum computer would require around 3,000 qubits and more than 10 12 years, an extremely long time. Even if such quantum computer existed already, the solution would be as simple as doubling the key size, something that could be done in a practical way at any time. Of course, someone could discover a quantum algorithm much more efficient than the Grover’s. In such a case, AES-GCM would have to be replaced. Hash Hash functions are used in all type of applications: password hashing in databases, mathematical problems for bitcoin mining, building of data structures such as the Merkle three, message digests for digital signatures, password-based key derivation functions, etc. SHA256 remains the most frequently used algorithm nowadays. Current hashing algorithms are not expected to be impacted by quantum computing, since the Grover’s algorithm is considered not to be capable of breaking a hash like SHA256. However, password hashing is at a higher risk because the space of user passwords is not very large. For example, given a 100-symbol alphabet, the set of all 10-character passwords is only about 100 10 ≈ 2 66. Using Grover’s algorithm, the running time shrinks to only 2 33, so a hypothetical quantum computer may take just a few seconds. The quantum threat shadow is another reason to move towards alternatives to passwords. Examples of this are the projects on which our ElevenPaths’ Innovation and Labs team is currently working: CapaciCard, SmartPattern, PulseID or Mobile Connect. Another widespread hash application is the proof-of-work systems, used by cryptocurrencies such as Bitcoin or Ethereum. To validate a chain block, miners must solve a mathematical puzzle that involves calculating millions of hashes. Fortunately for Blockchain, a quantum computer would need more than 10 minutes to solve the current challenges, so cryptocurrencies will remain safe, at least on that side (but not on the elliptic curve cryptography’s one). Summary table on the estimations to break classical cryptographic through quantum algorithms, and potential countermeasures (Source: Quantum Computing: Progress and Prospects) The long and tortuous cryptographic migration path It can be said that modern cryptography was born in the mid-70s, with algorithms such as DES, for symmetric encryption, and Diffie-Hellman, for key establishment. Since then, there have been a handful of changeovers from an algorithm widely established to another one. Some of these migrations have been: from DES and Triple-DES to AES; from MD5 and SHA-1 to the SHA-2 family; from the RSA key transport and the Diffie-Hellman finite field to the Diffie-Hellman key exchange elliptic curve; and from the RSA and DSA certificates to the ECDSA certificates. Some of these changeovers have been successful: AES can be found almost everywhere and modern communication protocols mainly use the ECDH key exchange. However, those changeovers involving public key infrastructure have been unequally successful: browser providers and Certification Authorities have gone through a lengthy transitional period from SHA-1 to SHA-2 on certificates –with repeated delays–, the changeover to elliptic curve certificates has been even more slow and, in spite of it, most of the certificates issued for the web continue using RSA. In the medium term, it is likely we will be forced to experience a new changeover: towards the post-quantum public key cryptography. There is cryptographic life beyond RSA, DSA and ECDSA First of all, it is important to spell out that when we talk about ‘the end of RSA, DSA and ECDSA’ and ‘the end of cryptography’, we are talking about two different things. There is cryptographic life beyond RSA, DSA and ECDSA. Since the mid-80s, there have been cryptographic algorithms based on the difficulty in solving mathematical problems different from the integer factorization and the discrete logarithm. The three best-studied alternatives are: Hash-based cryptography: as its name suggests, it uses secure hash functions resisting quantum algorithms. The disadvantage is that it generates relatively long signatures, so limiting its use scenarios. Leighton-Micali Signature Scheme (LMSS) is one of the strongest candidates to replace RSA and ECDSA. Code-based cryptography: the coding theory is a mathematical specialty on information coding rules. Some coding systems are quite difficult to decode, in a manner that they often require exponential time, even for quantum computers. The best-studied cryptosystem so far has been McEliece, another bright candidate for key exchanging. Lattice-based cryptography: it might be considered the most active research field on post-quantum cryptography. A lattice is a discrete set of points in space that has the property that the sum of two points on the lattice is also on the lattice. A difficult problem is to find the Shortest Vector Problem of a given lattice. All classical algorithms require a time that growths exponentially according to the lattice size to be solved, and it is thought that the same will apply to quantum algorithms. Currently, there are several Shortest Vector Problem-based cryptosystems. Consequently, the great difficulty is not the lack of alternatives. The painful problem will be the time of transition to one of the alternatives previously described: Firstly, postquantum algorithms must be selected and standardized by institutions such as the NIST. Then, the standard must be incorporated into the cryptographic libraries currently in use by the most popular programming languages, cryptographic chips and hardware modules. Afterwards, they must be integrated within the cryptographic standards and protocols, such as PKCS#1, TLS, IPSec, etc. After that, all the sellers must include these standards and protocols in their products: from hardware manufacturers to software developers. Once all software and hardware products have been updated, it will be necessary to perform again the following actions: issue all the certificates, encrypt all the stored information, sign and distribute the code, get rid of all the old copies, etc. How long this process will be? Considering previous migrations, such as the SHA-1 and SHA-2 ones, and taking into account the additional complexity, no less than 20 years. When the first quantum computers capable of attacking RSA, DSA and ECDSA are expected to be available? Not before 15 years. This is the current outlook. Let’s hope that the changeover process will gain momentum. Nobody knows for certain how far are quantum computers. However, just in case, better to be prepared. Gonzalo Álvarez Innovation and Labs (Elevenpaths)

What would happen if a fully error corrected quantum computer of several thousands of logical qubits started working today? Public key infrastructures would fall down. The secrets of the world would be discovered. There would be chaos. How far or close that day is? How would it affect our cryptography? What to do to protect our sensitive information ahead of the forthcoming arrival of quantum computers? Scientists, politicians and businessmen from all over the world are worried about these questions as well. Last December, the publication division of the U.S. National Academies of Sciences, Engineering, and Medicine issued the first draft of the report Quantum Computing: Progress and Prospects. This document of more than 200 pages contains the consensus of the Committee on Technical Assessment of the Feasibility and Implications of Quantum Computing, whose members are several scientists and experts of the field. The report provides a judicious and scientific evidence-based exploration on what progress can be expected in the coming years, the actual threat they will represent and what strategy will need to be undertaken to be prepared for the clear arrival of the first fully functional quantum computer with thousands of qubits. However, the question is not if there would be quantum computers or not, but when they will arrive and if they will catch us off-guard. In this article I will summarize the most relevant conclusions reached by the committee. Of course, I encourage you to read the whole report. The 10 most relevant findings on the near future of Quantum Computing Key Finding 1: Given the current state of quantum computing and recent rates of progress, it is highly unexpected that a quantum computer that can compromise RSA 2048 or comparable discrete logarithm-based public key cryptosystems will be built within the next decade. Classical Computing works with bits, while Quantum Computing works with qubits. A classic bit has a well-defined value —‘1’ or ‘0’—, while a qubit is in a quantum superposition of states, that is, in a combination of both '1' and '0' at once. To achieve this, all the qubits need to be ‘entangled’, isolated from external environment and under an extremely precise control: What an engineering challenge! Noise management differs greatly from one computational model to the other one. Since a classical bit is either ‘1’ or ‘0’, it is very easy to remove the noise that may be produced on logic gates. Nevertheless, considering that a qubit can be in a combination of ‘1’ and ‘0’, removing noise from physical circuits is very hard. This way, one of the greatest design challenges is the error rate: in 2018, the error rates for 2-qubit operations on systems with 5 or more qubits were higher than 1%. Consequently, quantum error correction (QEC) algorithms are required to emulate a noise-free quantum computer (i.e. a fully error corrected quantum computer). Without QEC, it is unlikely that a complex quantum program, such as one that implements Shor’s algorithm to compromise RSA, would ever run correctly. The problem with QEC is that it requires: a higher number of physical qubits to emulate more robust and stable qubits, called “logical qubits” and... a higher number of primitive qubit operations that must be performed on physical qubits to emulate quantum operations on these logical qubits. In the short term, QEC incurs significant overheads, so we will only see ‘noisy’ computers. Furthermore, it is far from simple to convert a large amount of classical data to a qubits’ quantum state. For problems that require large data inputs, the amount of time required to create the quantum input might exceed the computational complexity of the algorithm itself, so greatly reducing (or even removing) the quantum advantage. Another challenge they face involves code debugging. Debugging methods for classical computers usually rely on memory examination, and the reading of intermediate states. However, a quantum state cannot be copied (because of the no-cloning theorem) for later examination. What if it could be directly read? Then, any measurement of a quantum state would collapse it to a specific value of classical bits, bringing computation to a halt. In other words, we are far from developing new debugging methods. In summary, to build a quantum computer capable of successfully running Shor’s algorithm in a 2048-bit RSA public key requires building a machine that is five orders of magnitude larger than current machines and has error rates about two orders of magnitude lower, as well as developing a software development environment to support this machine. Key Finding 2: If near-term quantum computers are not commercially successful, government funding may be essential to prevent a significant decline in quantum computing research and development. Since quantum computing is on everyone’s lips, some of the most powerful companies all around the world have embarked on the development of the first high-powered quantum computer. However, the current enthusiasm might wane if commercial applications for the technologies under development are not found (beyond breaking RSA in the future). If disruptive breakthroughs enabling the development of more sophisticated computers are made, the expected financial returns will stimulate more major companies and more research on the field. Nevertheless, if the first commercially useful applications required a very large number of qubits, interest would only be preserved by means of public funding. In such a case, there would be a risk to fall into the “valley of death”, as well as to see the departure of talent towards more favorable fields from both industry and academia. Key Finding 3: Research and development into practical commercial applications of noisy intermediate-scale quantum (NISQ) computers is an issue of immediate urgency for the field. The results of this work will have a profound impact on the rate of development of large-scale quantum computers and on the size and robustness of a commercial market for quantum computers. Given the overhead of QEC, the first quantum computers in the short term will certainly have errors: they will be noisy intermediate-scale quantum (NISQ) computers. Currently, there are no applications for NISQ computers. As long as commercial applications for NISQ computers are not developed, the virtuous cycle of investment will not start. Key Finding 4: Given the information available to the committee, it is still too early to be able to predict the time horizon for a scalable quantum computer. Instead, progress can be tracked in the near term by monitoring the scaling rate of physical qubits at constant average gate error rate, as evaluated using randomized benchmarking, and in the long term by monitoring the effective number of logical (error-corrected) qubits that a system represents. The committee suggests monitoring the progress in this competition by the following metrics: the error rates of the 1-qubit and 2-qubit operations, the interqubit connectivity, and the number of qubits contained within a single hardware module. Key Finding 5: The state of the field would be much easier to monitor if the research community adopted clear reporting conventions to enable comparison between devices and translation into metrics such as those proposed in this report. A set of benchmarking applications that enable comparison between different machines would help drive improvements in the efficiency of quantum software and the architecture of the underlying quantum hardware. In this regard, the committee proposes using several metrics and milestones to help monitor the development of quantum computing. These milestones are illustrated in the following div. Key Finding 6: Quantum computing is valuable for driving foundational research that will help advance humanity’s understanding of the universe. As with all foundational scientific research, discoveries in this field could lead to transformative new knowledge and applications. The work on the design of new quantum algorithms can help progress foundational research on computing. This way, we can expect that research on quantum computing will similarly lead to new advances in other fields, such as physics, chemistry, biochemistry, material science, etc. These advances may, in turn, enable future advances in technology. Key Finding 7: Although the feasibility of a large-scale quantum computer is not yet certain, the benefits of the effort to develop a practical Quantum Computer are likely to be large, and they may continue to spill over to other nearer-term applications of quantum information technology, such as qubit-based sensing. Quantum computing and information findings are believed to enhance other quantum technologies. Key Finding 8: While the United States has historically played a leading role in developing quantum technologies, quantum information science and technology is now a global field. Given the large resource commitment several non-U.S. nations have recently made, continued U.S. support is critical if the United States wants to maintain its leadership position. In fact, the U.S. is losing this leadership position, as it can be observed in the following div, based on R&D investment. Key Finding 9: An open ecosystem that enables cross-pollination of ideas and groups will accelerate rapid technology advancement. This competition for creating the first quantum computer could drive the field to be less open in publishing research results in scientific journals and forums. It is required to find a balance between the natural protection of intellectual property and the open flow of information to ensure further development in the field. Key Finding 10: Even if a quantum computer that can decrypt current cryptographic ciphers is more than a decade off, the hazard of such a machine is high enough—and the time frame for transitioning to a new security protocol is sufficiently long and uncertain—that prioritization of the development, standardization, and deployment of post-quantum cryptography is critical for minimizing the chance of a potential security and privacy disaster. A quantum computer with around 2,500 logical qubits could potentially defeat 2048-bit RSA encryption in no more than a few hours. Cryptographers have been working for decades on algorithms that are (believed to be) quantum-resistant. However, the problem is not so much the lack of alternatives to the RSA and the elliptic curves, but the transition from the old algorithms to the new ones; not to mention what would happen with those secrets intended to be confidential for many years. Since this transition may need decades to be completed, starting it must be the main priority, before the threat becomes a reality. In the next entry we will explain how quantum computing affects current cryptography, in particular: what would happen with RSA, elliptic curves, digital certificates, Bitcoin and hashes. We will also see the cryptographic alternatives that are being considered for the post-quantum age. Gonzalo Álvarez Marañón Innovation and Labs (ElevenPaths) www.elevenpaths.com