Cybersecurity Chronicles: RWPQC to RSA

The past few months have been a bustling time for our Cybersecurity Group. From vibrant RWPQC in Toronto to the engaging sessions at RSA in San Francisco, the team has been immersed in a whirlwind of tech innovation and tracking emerging key takeaways within the cybersecurity industry.

Real World Post-Quantum Cryptography

SandboxAQ recently partnered with MITRE to host the second Real World PQC Workshop (RWPQC) in March! The workshop followed on from its successful first iteration last year in Tokyo, which was again affiliated with the IACR’s annual Real World Crypto (RWC) event.

It was a day full of innovative and insightful discussions; we are grateful to our speakers from government, academia, and industry, who presented the latest happenings in Post-Quantum Cryptography (PQC).

The full agenda can be found on the workshop website, alongside the slides for all the presentations. You can also catch the session recordings on our SandboxAQ YouTube channel.

Marc Manzano, General Manager of the Cybersecurity Group provides key highlights from RWPQC:

• Updates from experts at BSI and NCSC highlighted the need for PQC awareness, especially for future integrators of these standards, as well as the importance of cryptographic discovery in the PQC migration plan.
• Dustin Moody, NIST, updated the audience on the progress of the current PQC FIPS and further timelines for additional PQC KEM and signature standards.
• It was enlightening to see how committed CISA is in enforcing the National Security Memorandum mandating cryptographic inventories, as well as the next steps outlined by Dr. Garfield Jones in making this journey a reality.
• Rolfe Schmidt, Signal, gave a particularly enjoyable presentation. He noted how Signal’s reliance on formal verification ensures security in the protocols that they develop. A highlight in this talk was the combined use of two different formal verification tools (symbolic and computational) to analyze the protocol. One of the tools tries to prove security, while the other tries to argue absence of attacks / identify attacks. By interleaved iteration of both tools, Signal was able to pinpoint areas in the protocol that required modification in order to enable a security proof.
• During talks by industry leaders from Meta, Google, and AWS, a notable insight emerged: these companies rely on “advanced cryptographic primitives” - cryptography beyond digital signatures and KEMs. This highlights a significant gap in the field. While we do have a lot of proposals for plain signatures and KEMs, we still have to develop post-quantum alternatives for more advanced primitives such as password-authenticated key exchange and anonymous credentials.

Special thanks to our sponsors, Amazon, EvolutionQ, Crypto4A, Meta, and Google who made this day possible.

Capture the Flag Winners Announced at RWPQC

In the buildup to RWPQC, we also held our first-ever Capture the Flag contest!

For just over three weeks, numerous researchers and cybersecurity professionals participated in the opportunity to showcase their expertise in various areas of cybersecurity. The competition featured four challenges of varying complexity, focusing on vital aspects of post-quantum cryptography and privacy in various scenarios.

RSA Conference 2024

Earlier this month, our team took the opportunity to speak in person with a wide range of partners, customers, and stakeholders in an extensive programme of behind-the-scenes meetings at RSA.

David Joseph, Product Manager in the Cybersecurity Group, presented “Batch Signatures, Revisited”, a technique developed in the PQC Research team to increase throughput and compress digital signatures, with an emphasis on expediting PQC adoption. Below are his noted takeaways from the event:

• Senior Advisor, and founding member of our AQ CISO Council, Taher El Gamal gave a keynote speech at the PQC Palooza hosted by Thales and sponsored by SandboxAQ. Takeaways include that he speaks better without slides (his words not ours!), and that the scalability problems of TLS today were difficult to foresee when he was designing the first version of SSL. He designed it for encrypted point-to-point communication, and didn’t account for the use case of his fridge talking to his toothbrush 25 years later.
• The team welcomed Chris Bates for the first time in person, SandboxAQ’s new CISO and RSA veteran. Chris’s network across the CISO community will be a valuable temperature check to ensure AQtive Guard continues to tackle the most acute cryptography infrastructure problems CISO’s are facing in the wild.
• Antony Blinken, U.S. Secretary of State, highlighted the significance of the closing NIST PQC standardization process during his 15 minute keynote speech, showing the growing relevance of the coming PQC transition for diplomats and lawmakers.
• CISO burnout is a major problem. These cybersecurity leaders are struggling to cope due to budget cuts, increased legal threats, and the impetus to take proactive stances on daunting problems like encryption management.
• SandboxAQ’s Head of Product in Cybersecurity, Graham Steel, spoke on the panel “Quantum Cyber Risk: How Deep and How Wide?” with experts across Government, GSI’s, and Private Sector. With no spare money for PQC transition projects, the panel discussed the need to leverage wider digital modernization projects across organizations, and include cryptography modernization among the initiatives.

With all of the activity over the last few weeks, our Cybersecurity Group has gained insights to keep driving cybersecurity forward. As we close out these two eventful months, we’re already eager for what’s next.