Podcast

Root Causes 438: PQC Is an Existential Requirement

Hosted by Tim Callan, Chief Compliance Officer
Original broadcast date: November 12, 2024

Repeat guest Bruno Couillard argues that cryptography is part of the foundational fabric of our lives and that the transition to PQC is an existential requirement.

Podcast Transcript

Tim Callan: How you doing today, Jason?
Jason Soroko: I'm doing particularly great because we have a guest.
Tim Callan: Yes. We say two industry veterans, but it's really three industry veterans because we have our return guest, Bruno Couillard. We always love talking to you. Welcome, Bruno.
Bruno Couillard: Gentlemen, thank you so much for having me on your podcast. A pleasure.
Tim Callan: So, Bruno, of course, I should mention you're the founder of Crypto4A. And we were talking before this episode, before this recording, about a really interesting idea, and we thought we'd cover it here. And for this, you have to take us all the way back to 1994, is that right?
Bruno Couillard: Correct. Yes. I think this is a walk through memory lane here, if you want to think 30 years ago, pretty much. Actually, it is pretty much November 1994, if I'm not mistaken.
Tim Callan: Almost exactly 30 years ago.
Bruno Couillard: Netscape was born, and Netscape came with this concept of a padlock. If you guys recall, there was the notion that you can now all of a sudden - and I think Jason, in a previous podcast, I heard you talk about this magical thing behind the scene. This magical thing that all of a sudden, anyone in the world could connect with any servers in the world. And magic would happen that you would trust that you are indeed connected to a bank or connected to a system that you're going to share either your credit card or your personal information, and you can trust that this connection is real because there was this magical padlock that appeared and that gave you confidence that, hey, we can start using these capabilities for much more than just checking out the websites of companies. There's more to it than just exchange of information.
Tim Callan: I can buy a book. I can check my bank account balance. Those are two very early ones.
Bruno Couillard: And if you look, if you only look at today's largest companies in the world, they were all born - the book one, as you're just describing - the origin of Amazon. Google didn't exist before the padlock existed. Microsoft certainly gained quite a boost by being able to transact over the internet.
Tim Callan: Same for Apple.
Bruno Couillard: Yes. All of these companies have become the monsters that they are, or the amazing companies that they have become, in the last 30 years. And all of this is again predicated on this magic that happens behind the scene. A few years before 1994, like in the 90s, in the 70s, there were some smart people that invented some creative, very cool mathematical challenges, RSA and Diffie-Hellman, and then later on, elliptic curve. And it was Taher Elgamal, I guess, that assembled all of these concepts and tricks into a protocol called SSL.
And then, with the use of PKI behind the scene that could issue certificates. And you guys know exactly that business, and you know where it's been. And then behind that PKI was a box, a black box somewhere in the cupboards or somewhere in a closet that would secure that digital cryptography key. The HSMs. And when you look at the stack of how this has evolved, and that still to this day, gives us the ability to transact on this global network fabric where we have established digital trust, and we can confidently go and build the economy of today. Like today's economy pretty much has a third of it riding on this internet fabric that we built in 30 years. It's amazing. I mean, I don't think we've ever built something that fast in humanity, in man time on this planet. It's just massive.
Tim Callan: And it's part of everything. This is something that you and I have touched in the past, Jason. It's like, think about anything that you do that doesn't ultimately depend on that network. Like I have a two-seater automobile I bought in the 1990s that I still have, and I'd say, well, that's fine. There's no network in that car. That car doesn't depend on this, but absolutely it does, because I can't get gasoline for it. Because the pumps are completely dependent. The pumps wouldn't run without the internet and the distribution system wouldn't run without the internet, and my ability to purchase with my credit card wouldn't run without the internet. So it's just foundational to everything we do all day long, all the time.
Jason Soroko: Tim, I recall a podcast we did - Tim's Digital Haircut - that was Episode 197. That was an example of something that was just so absolutely normal and mundane that you weren't able to complete, or were having difficulty to complete, because there was a digital component that was down. And I think this is where Bruno is going, is, this digital transformation is moving faster and faster and faster. I think even at that time we did that podcast, things weren't even as digitized as they are now. And so the dependencies, Bruno, on these utterly ubiquitous systems that rely on these 30-plus-year-old technologies are just more and more. There is no going back.
Bruno Couillard: No. Absolutely not. Every time I think of the omnipresence of cryptography and key management and PKI and so on, I keep thinking of this movie title that came out a few years ago: Everything Everywhere All at Once. It's how I feel about cryptography. It's everywhere. It's in everything, and it's all at once. None of us now can extricate our lives from a cryptographic operation happening somehow around us, just making our cars safer to drive, or ensuring that our office space is nice and warm and comfy and on and on and on. Everything we do now has somehow a connection to the internet. And it used to be that for many years, we had sort of kept offline our critical infrastructure, the operational technology. We've done a fairly good job to maintain these systems not connected, given their critical nature and the importance of not having those systems connected and hacked into. But I think we've given up on that possibility. We are now connecting all of these systems at rates that I've never seen before. 5G and low Earth orbit satellites are actually improving the ability to connect everything, anywhere, all at once on this planet. You don't have to be near a big city anymore. You don't have to have fiber optics anymore. You can actually get very decent connectivity just about anywhere on this planet, and that causes the world to be faster integrated than ever before. And it's all living, and it's all possible because we have this notion of a digital trust. We can trust that those connections are guarded by people like you guys, providing certificates under a proper review process, and that you do not issue certificates unless you've given it a check, and that the entities exist and on and on, and that you protect the private keys you use signing these certificates. Everything is all intertwined into the system that we've built. It's a massive issue and it's amazing.
Tim Callan: And it's a foundational assumption. So at the end of the day, for all of this stuff to work, it really depends on that identity being phenomenally reliable.
Like so reliable that for our purposes, we can just call it complete and total. And you know that I can go to any random merchant anywhere on the planet and take my particular credit card, or any other individual could take their particular credit card, regardless of the bank or where they live or anything else, and put it in and know that the identity is going to be correct for every step of that process. Like the amount of complexity that goes behind that simple act - stick my credit card into a terminal is absolutely vast - in every step of the way without completely reliable identity every step of the way, the whole thing crashes down.
Bruno Couillard: And the funny thing is, today, when you look back, and you step back and you look at, you zoom out, over the timeline, say, go from 1950 to 2024. We'll go with today. And you see this weird thing happening in 1994 because all of a sudden we have the ability to establish credible identity and trust those identities to be valid. And then we somehow, all of a sudden have a new creation that we expand in massive, massive speed. But cryptography has existed since back in the 50s, back in the 1900s there were ways of doing cryptography.
Symmetric cryptography has been around for many, many tens of years. The change here is not the ability to encrypt, but it's the ability to authenticate and be able to identify and have trust. And that is when the inflection point comes about in that big line that you look at. That moment in 1994 causes a complete turn of events. Now we have, without having to establish a physical connection, and to know a person in a like handshake with someone in a parking lot to exchange some keys, you can actually create a relationship, a digital trust relationship, without ever having to meet those persons, those other entities. That is the inflection point of 1994.
So today, I guess why I'm kind of talking about this concept or this idea is, when you look at what could quantum computers do, quantum computers have the ability to completely destroy the ability for us to establish a digital trust that we have been relying on for the last 30 years. We're still able to establish keys. Man, I was in the forces. I was in the military before, and I know how we can send keying material from base to base and establish secure connections. That was done well before the internet. But digital trust does not happen if you don't have public key cryptography that you can rely on and all the systems that are behind it, like your PKI, your HSMs and everything that needs to be present in order for this entire setup to provide you the trust that you need to exchange your credit card and send money and so on. So that's what quantum computing is all about.
I think if it has the ability to demolish that capability we have built and make it obsolete - man, we've lost 30 years of expansion, and we're going back to '94 and prior.
Tim Callan: Back to pen and paper and mailed letters and fax machines. Yes.
Bruno Couillard: And the sad part is, all our old means of communication have been pretty much taken over by IP networks and secure networks. So even those networks don't exist anymore.
Tim Callan: Actually, that's absolutely right. That's another thing we talk about with people when we talk about this, is you can't even go back to where we were in 1990 because that stuff's gone. It's ripped out.
Bruno Couillard: I've often mentioned to people, like, if you live in a city, if you've been in a city for long enough, and you've seen the slow erosion of, say, the small corner stores at the profit of the larger corporations that have, like the Costco or Walmarts or these types of major stores that have amazing logistic systems behind them, which is again, because they have access to secure connectivity behind the scene, they have been able to make it just-in-time delivery of food and so on. If you pull the plug in that logistics system, we're having to go back to the corner stores. But they don't exist anymore, though.
A loaf of bread is not going to be delivered tomorrow. It changes the world we live in. I think the notion of existential threat is not a bad term for what that could cause.
Tim Callan: So hypothetically, and you're framing this in terms of post-quantum cryptography, which I think is the best way to frame it. But hypothetically, if all the digital identity stopped working, let's even set aside encryption, because to your point, I think the identity is the important part. If all the digital identity just stopped working, I mean, like the impact on society, basic societal impact, would be just devastating. It would be things like food, and it would be things like operating utilities, like having heat in the winter and medical care, like stuff at that level, like the stuff on the bottom of Maslow's pyramid would fall apart.
Bruno Couillard: Your entire transport system, your logistics systems, your food.
Tim Callan: Any kind of commerce, any kind of tracking of financials, without which everything else falls apart because people aren't just going to give these things away for free. Absolutely.
Jason Soroko: Bruno, you've described a binary world. I would like to hear your vision for what is realistically in the cards for all of us into the 2030 timeframe, and even a little bit beyond, where we may be living in a world - I'll set you up, and then I'd love to hear your vision. We might be living in a world where we have operating systems. We have systems that are still doing some level of cryptography. The problem is that that cryptography is breakable.
And only some systems gradually will be upgraded to being quantum resistant, and therefore, a first class citizen like they are today, in terms of most of our systems, from that time we saw that lock box in our browser, we knew we had reliable encryption and privacy. I'm wondering, Bruno, what's the world going to look like when we have a patchwork of systems that are legacy, breakable, but operating and working alongside newly quantum resistant systems? I think it's an interesting world, Bruno.
Bruno Couillard: I completely agree. I think the effort that we globally have to tackle is a very significant one. And another dimension to this which really amplifies the need for anyone in our field and in our ecosystem to take this seriously. There's no time to be wasted here. We need to be migrating. We need to be exploring how we do it. There are solutions out there, but one of the additional challenges, if you wish, is the fact that a lot of the expertise that lives on the planet today who has been around long enough is getting closer to retirement than the beginning of their career. A lot of the bright minds that are coming out of school these days have basically gone off to AI or quantum computing because key management and cryptography was solved back in the 90s, and for the most part, I mean there's been some tweaks and changes. Some of us have stuck around long enough to see the entire process, but many people have decided to leave the field because the challenges were very plentiful outside. Now we need to bring as many brains as we can to help us resolve this exact issue you're bringing up, Jason, in that we have to rebuild the entire system while it's running, while it actually provides us with what we need as a society. And we need to rebuild it without breaking it, in parallel with making sure that it ends up being fully quantum safe at the end of this process. It is a magnificent challenge.
If I were to start a career today, I would definitely go in that field, because it will bring lots of cool challenges, lots of very major, you will be dealing with issues that no one has ever solved before.
I would send out a call here, if anyone is listening to our podcast, if you feel that cyber security is not a sexy or it's not a fun place to be, man, I can tell you that this is the most amazing place to be these days, and it's going to be a very challenging field for many years to come.
Tim Callan: And Bruno, you've touched a couple things that Jason and I also have covered in the past that are worth bringing up. One of which is that this is really the first time in the history of having this ubiquitous digital network society that we have where we've had to do something this major.
When we established all these things were built, and there was no cryptography, and then there was none and we decided on RSA, and we decided on Internet Protocol, and we decided on these things, and we built this technology stack, and we did all that, but we did that when the whole thing was kind of a science experiment.
And where it was used by a very, very, very small percentage of our society, which was overwhelmingly technically savvy. And very localized geographically, and it just wasn't even remotely the same thing. The stakes were so much lower compared to how it is now. Or even a few minutes of outage causes massive problems.
And like you said, we've got a whole generation of IT professionals who have never known anything else.
Like this has been from the time they were old enough to know what a computer was, there have been certain baseline assumptions that were just built in. Like, we use RSA.
Bruno Couillard: That's it.
Tim Callan: And suddenly we don't anymore. And so this is unique. This is the first time in history that this particular adventure has been embarked on by people.
Bruno Couillard: Correct. And it makes me smile when you brought up RSA. The other day, I was on a conference call, and someone was describing a discovery tool that they'd run against their internal systems. And they came out with a very nice graphical representation of, if you wish, on the vertical axis, the different algorithms that they were able to find. And horizontally, they had this bar that would indicate the number of instances of each algorithm. And as you can think of it, if you want to portray it, the top bar was RSA, and it goes from the left to the right, and it covers the entire graph. And then the next one below is a much smaller bar, and the rest of it is just tapering off very quickly into almost nothing. And I was sitting there laughing in my head, in the sense that one other sad thing about RSA is that it was such a phenomenal tool that we could use for key exchange, for authentication, for signatures, for all sorts of roles. Never asking ourselves, what should we be using here? It just came naturally, oh, we'll use RSA. We'll use RSA. We'll use RSA. And now you have these thousands and thousands of instances of using RSA. Now we have to reverse engineer the whole thing, and ask ourselves, okay, is this one going to be replaced with ML-DSA? Will it be ML-KEM? Should we go to LMS because we need a very sturdy Root of Trust? And on and on. And every one of those is almost a debate in itself.
Tim Callan: And now, another point where this is different as an adventure is that once you're working with things that are established, they are very difficult to move. So if you're building a road across an open plain, whether you want to build the road here, or you want to build the road 50 feet to the right, isn't a very important decision. But now wait until a city develops around it, and if you decide you need to move the road 50 feet to the right, it's ridiculously expensive. And so this road that we built, this digital interstate, as they used to call it. Or this digital highway. This road that we built, at the time, was across an open plain. So there were some basic things. Here's how RSA works. Well then we'll spec things around it.
And now, all of the sudden, we're trying to move our road 50 feet through the middle of not just any city, but the world's most congested city.
Bruno Couillard: Exactly. You're using the roads. I may have used it with you guys in the past, but I've always liked the Boston Big Dig analogy to what we're trying to do here. If you've ever been in Boston in the mid-90s and they decided to take their highway and put it underground, they had this massive piece of infrastructure that was critical, crucial to the survival of the city. So they could not just demolish and then reinstate the new version. They needed to keep it running while they were digging underneath it. And they had to do this, I think it took 15 years and was very expensive. What we're trying to do in a digital space is identical to that, but we're doing it in every single city that exists on the face of this planet.
Tim Callan: And we don't have 15 years.
Bruno Couillard: No. And we don't have enough horsepower, or manpower I should call it, to actually achieve it. So it's a very, very, very cool challenge we have ahead of ourselves. I'm almost feeling like, or I'm kind of sounding as if I'm negative, but I'm very hopeful, like humans are phenomenal when they get together and they decide to tackle a problem. I know it's going to be done. But it's a big one. It is a very challenging one, and I think we need to take this one very seriously, and the time for debating whether it's real or not is behind us. Let's move. Let's move to tackle the challenge that we have. Let's do it as a collective. Every single one of us has to work as a collection of strong-minded people, but at the same time we have to collaborate to ensure that we survive this process.
In the end, we need to all be very happy in the end that we fixed all these problems that you were alluding to, Jason, a second ago there.
It will be a collaboration effort in every dimension to make this possible.
Tim Callan: Well, it'll be a collaboration effort, and it's also just going to be, we're gonna need a lot of shoulders on this wheel. Like all the shoulders.
Bruno Couillard: But anyway, so I thought this was a topic that I was -
Tim Callan: It's good. What's interesting, Bruno, is, when you put it in these terms, it highlights for me - and this is something that maybe we're all intellectually aware of, but we just get going with our day and you don't act on it - but it highlights, to me, the disparity between the scope and importance of this task and the amount of attention that it gets.
When we were trying to get to the moon, everybody knew we were trying to get to the moon, and everybody was rooting for it, and this is like a moonshot that most people aren't aware is going on and don't really care about, and even people who are kind of in the industry aren't that aware about it and don't really care about it that much. And I think that's an interesting disparity, and maybe one that isn't in our best interest.
Bruno Couillard: I couldn't agree more. I think some players in our industry are not paying attention to what is going on. I don't think they're seeing their role as being that critical, or whether they feel it's not critical, or they just prefer not to tackle the job at hand. It's really dangerous to have this laissez-faire attitude. You cannot just sit back and enjoy the show. This one, everybody needs to sit up and contribute to solving this challenge that we have. And it will take every possible hand and brain, the task here. So being complacent is not a solution. Trying to play marketing tricks and just using some marketing jiu jitsu to pretend that you're ready doesn't work. You have to actually do the work, and it's real work. You can't just pretend it's done. And I hope that some of the folks that listen to your podcast, if they're paying attention, the idea here is that everyone needs to put the shoulder to the wheel, as you said, Tim, because it's really critical that we all get in the action, and we all work hard because it's not going to be a one-company solution. This is everyone in the game has to work.
Jason Soroko: I'll take this one of the final comments here, guys, but just listening in, the reality is, I think most people who are not paying attention to this problem, who hopefully will soon, part of the reason why they're not paying attention to the problem is they are so optimized, and that optimization of doing their daily day job is keeping them blinkered to what's going on right beside them and around them. And folks, it's time to take the blinkers off, listen to what Bruno just told you, and realize that big changes are coming. And Bruno, thank you so much for joining us today on this podcast.
Tim Callan: I agree.
Bruno Couillard: That was such a pleasure. Thank you for inviting me again. Looking forward to the next one. Take care.
Tim Callan: Thank you for being here, Bruno. Thank you, Jason. This has been Root Causes.
