- 9 minutes ago
The encryption currently shielding your bank accounts, medical records, and government secrets has an expiration date. Future quantum computers will possess the mathematical power to shatter most current encryption systems. This creates an immediate risk: adversaries are already stealing encrypted data today, waiting for the technology to mature so they can unlock it years from now. Moving to quantum-resistant standards is structural overhaul that requires preparation before the threat even goes live. How can we ensure our data remains safe once the locks we use today are broken? When does the cost of delay become a permanent loss of privacy?
Category
🤖
TechTranscript
00:26All good?
00:28Yeah.
00:29All right. Well, thank you, everyone, and welcome. I'm Chris O'Brien, founder and editor of the French Tech Journal,
00:33and we're here to talk about quantum computing and security, and I know there's a lot of talk about the
00:39doomsday scenarios around AI these days, and we're here to remind you that there's another apocalypse waiting for us on
00:46the horizon.
00:47But to get us started, actually, let's first have everyone introduce ourselves. And Sophie, we'll start with you just on
00:54the left, just a brief introduction about who you are and your background and what you bring to this conversation.
01:00Thank you, Chris. Hello, everybody. I'm very glad to be here.
01:04So, I am Anne-Sophie Carrez, managing partner at Elaya, in charge of the seed investment activities.
01:12Elaya Partners, we are a management company, managing funds, and we've been investing in technology startups for the past 22
01:21years.
01:21And we're a full-stack investor, coming from seed stage to venture and growth stage.
01:28And obviously, cryptography is a very important topic for our investment cities.
01:33And myself, I come from the aircraft industry.
01:37I was a rocket scientist testing aircraft engines when I started my career before joining Elaya.
01:45Fanny?
01:46Hello, I'm Fanny Bouton. I'm quantum lead at OVH Cloud.
01:49OVH Cloud is a European leader cloud provider.
01:53And I'm deploying quantum computers in the cloud, but also working on strategy about how to protect whole world data
02:01with post-quantum cryptography in the future, and maybe QKD, too.
02:07And Elise?
02:08Hello, everyone. I'm Eleni Diamanti.
02:10I'm a CNRS Research Director at Sorbonne University in Paris.
02:14I'm also a co-founder and scientific advisor of the startup company, WeLink, which deploys quantum interconnect technology.
02:22So I have been in the field of quantum technology.
02:25I'm an engineer by training.
02:27But I did my PhD even in quantum cryptography and quantum technologies back when it was not a topic that
02:33would attract a roundtable at VivaTech.
02:37So I've been seeing the field of quantum technologies growing in the last 20 years.
02:42And I'm very happy to discuss this field with you today.
02:46Okay. I need a swivel chair here to keep track of everybody.
02:49So one of the interesting things, of course, talking about this subject is it almost seems as an outsider to
02:57this world, you get sort of conflicting messages, which is quantum computing is this thing that is still somewhere over
03:06the horizon.
03:07And practically, it's not very useful right now.
03:11There's certainly developments and advances, but it's kind of still off in the distance.
03:16And yet, oh, my gosh, you should be really worried about quantum security.
03:20Here we are on a panel talking about quantum security.
03:24So it brings up the final question, why do we care now?
03:30And so maybe, Fanny, if I could start with you, what is the big misconception that people have about that
03:38topic of quantum security when we talk about it today?
03:43Why we need to be worried today is because we have the algorithm to break the cyber security that we
03:51have now.
03:52All the RSA keys can be broken one day by a quantum computer using the Shor algorithm.
04:00We know it's existing.
04:01We know mathematically it's possible.
04:04What we know also is we can store your data today and maybe read it when the quantum computer can
04:13run these algorithms and read your data.
04:17And this is what people don't understand.
04:22It can happen more faster than we expect.
04:26Even if we don't have the full quantum computer now, it's coming more real and more real.
04:31We have real quantum computer.
04:33We use it.
04:34We can have a real use case, not quantum advantage about doing new molecules, for example, not now, but to
04:42doing a quantum generation number.
04:44You use that at OVH Cloud for secure the certificate SSL and have the best random existing scientifically in the
04:54world.
04:55We can run quantum computers.
04:57We have one on the booth.
04:58You can come to see it's existing now.
05:01They are small, but they are useful.
05:05And it's when it can be available.
05:09We don't know.
05:10It can be five years or ten years.
05:11What we see a few weeks ago, it was Google announced that they can run the SHAR algorithm on 10
05:20,000 qubits.
05:21One month before, it was 500,000 qubits needs to run this algorithm.
05:28It's possible maybe now in five years and not in 10 or 20 years.
05:33And what we see also with mitos in AI or the acceleration of the hacking is we are more risk
05:42than one month ago.
05:44And we need to be aware of that and what we do with data and what we need to secure.
05:49And Sophie, then, do you think that governments, investors, the important actors are then paying attention closely to this conversation?
05:59Are there are the right people listening and acting and educating themselves on this?
06:05Yes, definitely.
06:06Yes, definitely.
06:07Because, you know, in cryptography, you have these two kinds of algorithms, symmetric cryptography, where when you encrypt and when
06:16you decrypt, you use the same key, and asymmetric cryptography, where when you encrypt, you use the public key, and
06:22when you decrypt, only one person has the private key.
06:26And what quantum computing is currently putting at risk is the asymmetric cryptography, which is the one where the use
06:38case is the most widespread for critical use cases, especially the one that defense or government are using, like authentication,
06:49identification, software to do signatures,
06:55or transport layer system, or transport layer system infrastructure.
06:58For all these use cases, today, we are using asymmetric cryptography, which is based on a mathematical theory, which is
07:11how do you factorize big parameters.
07:14And today, it's the fact that this is very complicated, and this cannot be breached by classical computers, which render
07:23RSA or ECC for asymmetric cryptography very secure.
07:28But as Fanny was saying, tomorrow, we will be able to bridge that with a show algorithm on quantum computers,
07:38which means that all these critical use cases about identification or identification will be broken.
07:44So this is why defense industry is particularly worried about that, and government, and also the fact that now with
07:55the massive use cases, people store data today.
08:00People harvest data that today they cannot decrypt, but they keep and store.
08:05And these data will become absolutely weak in the roadmap that Fanny was describing when the show algorithm enables us
08:16to decrypt this data.
08:18So there is this threat of harvests which will become decrypted.
08:24And so if we're looking at what's actually then at risk today, how would you sort of describe that?
08:31Is it a question of the data that's actually...
08:37There you go.
08:39I wasn't sure if that was you or if it was the microphone or if I could jump over.
08:42Yeah, I could feel that.
08:44Thank God it was just the microphone.
08:47You know, what kind of data is actually exposed today on Sophie?
08:52Is it...
08:53Can we actually break it down into categories or do we even...
08:57Is it one of these...
08:58I hate to use this expression.
08:59Do we even know for sure what's out there that's exposed or is it this even scarier thing that we
09:05don't really know what's out there that's exposed?
09:08Well, this is the good news.
09:09It's not all data that are equally exposed.
09:13The question is how long will you need these data to remain protected?
09:19For short-term use cases like password that you would change, like data which will be outdated, there is no
09:30risk.
09:30And this is probably the biggest part of the data.
09:33So this is good news.
09:34But the problem lies in more critical data that you will need for a duration of 5, 10, 20 years.
09:42And that you will still need at this period where quantum computing will enable us to decrypt them.
09:50And this kind of data are like medical data, genetical reports, or government data, defense data, diplomatic conversation, and also
10:04all the data used by banks or financial data.
10:08All this data, you definitely need them to remain confidential for tens of years.
10:14And the question, the paradigm is always the same.
10:18It's a multiplication of the value of this data, the duration, the sensitivity to duration, and the exposure to collection.
10:30So the question really is, on these data, identify which ones are tackled by RSA algorithms, and which ones are
10:42dealt more with symmetric cryptography, which is more resilient to quantum computing.
10:50And so, if we're talking about how to get average people to think about this, first of all, Fanny, does
10:59that even matter?
11:00I mean, is this something that the average person should be thinking about at the moment?
11:04Or, and if so, how do we get them to even care about something like this, which can seem, again,
11:11a bit abstract, especially in a world where everybody's so hyper-focused on AI at the moment?
11:18Yeah, I think everyone wants to have this data secure.
11:23Sure.
11:24Definitely, government and big companies with secret data need to protect.
11:30I think Army already have cryptography to protect from the shore algorithm.
11:37It's very important to have, for example, for health data.
11:44You don't want that company or government know when you will be sick or what you have.
11:51It's really important.
11:53Your bank account, all your data are really important.
11:56And what's important also, it's shore algorithm.
12:00It's not only to broke data that we stole.
12:02It will be, maybe, one day, if we don't change the security, broke internet, bitcoin,
12:10all what is secure by RHC key.
12:12And I think so many people don't know how it's protected, but it's a world changing.
12:18And we have a solution now to move it and to protect that really easily.
12:24Okay.
12:25Now, in case you thought I forgot about you sitting over here on my right, let me could have
12:29asked first in terms of your world, in terms of research, if I can, do you feel like this
12:36is still a priority?
12:38Is this still something that is getting the attention you feel like it should be getting
12:43in terms of research?
12:45Yes.
12:46You mean the threat of quantum computing to cybersecurity?
12:50Yeah.
12:50Yeah, absolutely.
12:51It's everywhere.
12:52So from a research point of view, so what we have been witnessing in the last few years,
12:58is of course a big acceleration in the capacities of the first quantum computing machines.
13:06So this is happening at an academic level, but also at a commercial, like at an industry level.
13:13So looking at this acceleration, it is reasonable to expect that what we call in the field the
13:20cryptographically relevant quantum computer.
13:23Okay.
13:23So this is the term that we use in the field, which is exactly what Anne-Sophie was saying.
13:28It will be the quantum computer that will have the capacity to break this type of algorithms.
13:34So we don't have this yet.
13:36Okay.
13:36This quantum computer, we can talk about it yet.
13:39It does not exist yet, but it does not mean that the threat to cybersecurity is not acute.
13:46It's absolutely acute and imminent because of the storm now, the cryptylated attack that
13:53Fanny described.
13:55So with the current pace of acceleration in quantum computing, there is no reason to believe that
14:02there will not be a cryptographically relevant quantum computer.
14:05And this is why this is not only an important research topic, but only of strategic importance.
14:12And this is why also it is extremely important to move towards the quantum safe transition,
14:16like we call it.
14:18And then again, in terms of understanding where we are in the timeline of quantum computers,
14:23we keep just saying in a very generic term, quantum computers.
14:27But of course, it's not really a homogenous topic.
14:32There are many approaches that people are developing.
14:34There's hybrid approaches.
14:37We won't go through all the different variations of that, but it's not a singular thing.
14:43It's many things within that.
14:45And they're all at different stages and different companies and different researchers.
14:49You know this well.
14:51So obviously, you can't generalize specifically that quantum computer is here.
14:57But in a general sense, you know, how are you able to sort of track all these things?
15:04And can you give us a sense of, you know, where that is in terms of its threat capacity?
15:10Sure.
15:11So quantum computing devices today, independent of the Qubit modality.
15:18So this is how we call it, right?
15:19There is several platforms, hardware platforms that can be used to perform quantum computing.
15:25And there is no real winner for the moment.
15:28And there might not be, actually.
15:29So there is quite a few physical platforms that are used successfully for quantum computing.
15:35Some of these platforms are very successful in specific examples of problems.
15:41Some appear to be more promising in other problems.
15:45I can cite maybe a few physical platforms that are used from neutral atoms to trapped ions.
15:51Okay, as you see, physical systems, right?
15:53Superconducting circuits, semiconductor dots, photonics, okay?
15:57So all of these are, this is what we call a Qubit modality.
16:01So how you encode quantum information.
16:03And so how you try to perform your quantum algorithm.
16:07And so there is also machines that can do digital quantum computing.
16:11Or there is others that can do analog quantum computing, okay?
16:14Depending on the computing model that you follow.
16:17And as you said, there is a big variety of platforms.
16:20They are all advancing towards the same goal.
16:23To increase as much as possible the number of the scale of these computing systems.
16:30So the number of Qubits that can be used that are not prone to errors.
16:35And can be, so where there is an increasing capacity of these systems to correct the errors.
16:40This is the biggest enemy in a physical system like for quantum computing.
16:46Is the fact that you have to fight the errors and correct them.
16:48And continue your algorithm and your calculation for as far as possible.
16:53To be able to perform an algorithm as interesting as possible.
16:57Including source algorithm that is relevant for cybersecurity.
17:01So I think we are now at the level where we can do.
17:05We know how to control, depending on the platform.
17:10From tens to hundreds of Qubits.
17:14I would put it in that more or less category.
17:17Which is not sufficient, as we were saying before.
17:20To break any of these algorithms.
17:22Or honestly, to demonstrate anything extremely useful, okay?
17:26So these are quantum computing machines today.
17:29Are more, are very useful for research.
17:31Very useful for some simulation of small physical systems.
17:35So we are trying to see the possibility to simulate well some physical systems.
17:41That give us an idea of what will happen when they will actually scale.
17:45When we will have to have large scale simulation for material science.
17:48And in particular, but also large scale optimization.
17:53And has been used for a few proof of principle concepts.
17:57Even in the financing.
17:58Some optimization problems can already be solved today.
18:02So we have a little bit of increasing capacity.
18:05So, but when the actual large scale quantum computer will be built.
18:09We will see the full potential beyond research and simulation tomorrow.
18:16Including for cybersecurity.
18:18This is funny maybe.
18:20Well, in that note then.
18:21And the uncertainty around these timelines.
18:23I mean, how much does that impact this discussion?
18:26I mean, you know, with any tech there is always some uncertainty.
18:30Whatever domain we are talking about.
18:31But the variable nature of that.
18:34There is many challenges to have this full quantum computers.
18:37But we have so many roads to have advantage on quantum technology.
18:42And the first one is to scale each type of qubit.
18:47And see what is the best quantum computer.
18:49Definitely.
18:50And there is many reasons to fail.
18:53But also many reasons to win.
18:56We are at the part of, we dream about Formula One.
19:00But we want, we have the possibility to have cart to start to learn to drive.
19:05This is the first thing important to understand.
19:07We learn and we prepare the future now.
19:11And if we don't be ready to pilot this Formula One, we will be in the wall or we didn't
19:17start even.
19:18It's important to start the journey and understand what's happened.
19:22What is important now also to understand, it's, and Eleni don't talk about that.
19:27But it's coming from his research.
19:30It's also the possibility to connect small quantum computers with WeLink, for example.
19:38We have different start-up and company doing that.
19:40But she co-founded WeLink.
19:42It's a company who can work on device and software to connect and pilot small quantum computers and HPC.
19:52To push this algorithm, run and have a repartition on this different type of machine.
19:58And maybe an advantage, maybe it will be not the future to have a big one quantum computers, but small
20:06one connected to quantum computers and HPC and have the results.
20:13And they're working on that.
20:14And we just signed the MOU to do that in our data center at OVH Cloud.
20:20It's R&D.
20:21But we have many roads to run this channel algorithm.
20:26And maybe it's only in two, three, five years.
20:29And it's why we know we have the attack.
20:33We don't have the weapon to use the attack.
20:35But you know how to protect also this data.
20:39And Sophia, if I could just add a question for you.
20:42So given the timeline and what we're just discussing, how difficult does it make to invest around these types of
20:50solutions in terms of understanding not just the technology, but also the timing and what the market might be for
20:58anything.
20:59And we'll get into some of the solutions in a minute.
21:01But just understanding when the market might be and what it might be.
21:07I mean, that's always difficult again in any innovation, but this seems unusually uncertain.
21:13Well, what we know for sure is that the market about cryptography will begin by hardware solutions.
21:22So as an investor, although we have looked at many, many software for cryptography and quantum software, so far we
21:30have decided to begin our investment thesis through hardware companies.
21:35And what we see here is that, well, as Eleni was saying, what you need to be able to ensure
21:45this super calculation breaking RSA is have enough physical qubits working efficiently together.
21:54So being able to correct error.
21:56So being able to correct error.
21:57And that way you will have a full throw on quantum computer.
22:00And we have to challenge that when we do our assessment before an investment.
22:07And the question is, since the past 10 years, what we thought would be the number of qubits needed to
22:18ensure this running offshore algorithm has significantly decreased from 1 billion to 1 million physical qubits to achieve one logical
22:29qubit.
22:29And thanks to this improvement, we thought it was the right time to begin to invest in quantum computing companies.
22:36And we have invested in Alice and Bob at the creation of the company.
22:41They are developing a cat qubit.
22:44We won't disclose here their roadmap, but for sure they will be in the game about breaking RSA.
22:51Will it be in five years or 10 years?
22:54But it's a timeframe which is definitely compatible with investment thesis.
23:01Great.
23:02So, and then talking about some of the solutions, let's break down at least a couple of the ones that
23:07people should know about.
23:09I'll start with you.
23:10There's an, as with everything, there's an alphabet soup of acronyms.
23:15But maybe you could start by just explaining Q, I'll get these tangled up, QKD, quantum key distribution.
23:23Sure.
23:25Yes.
23:26So this means quantum key distribution.
23:27So this is one of the flagship applications of quantum cryptography and more globally quantum technologies.
23:33So what QKD does, it allows two distant parties to exchange a secret key, where a key is a series
23:45of random bits, okay, of zero and ones, in a way that cannot be intercepted by a malevolent party, okay?
23:52So hopefully this is something you can understand.
23:55So you cannot spy on it.
23:57You cannot, if there is an attempt to intercept the communication, thanks to the physics, to the quantum physics rules,
24:06this can be detected by the legitimate parties.
24:11So the fact that you can do this, which is something that is just not impossible in the classical world,
24:18unless you make some mathematical assumption, which is what makes these algorithms prone to attacks by a quantum computer.
24:27So QKD allows for this higher degree of security in principle.
24:32So, of course, there is always assumptions in cryptography.
24:36You should, this is something that, it doesn't exist in an ideal world where there is no assumptions at all.
24:41So what is happening in QKD?
24:44So in principle, this is completely and absolutely secure.
24:48In practice, of course, it means that the two legitimate parties need to have authenticated themselves.
24:55So they need to know that they are talking to each other, okay?
24:57So you need to have before an authentication procedure.
25:00And once you have this, so there are some quantum means of doing this, but there are also other techniques
25:06of doing this that we're going to talk afterwards based on mathematical principles.
25:10And then once you have created this key with this security, you have to also perform some encryption algorithm behind
25:19so that you can actually exchange your secret message based on this random string of bits.
25:24So this is what QKD does in a few words, okay?
25:28So it's one of the very, very, very first algorithms that was even invented of the whole quantum field.
25:34Yeah.
25:34And there'll be a pop quiz afterwards.
25:36So take notes.
25:37And so for PQC, I'll let you take that one on.
25:42Yeah, PQC, it's post quantum cryptography.
25:46What is funny is we don't use quantum computing physics to do that.
25:50It's just change the cryptography with actual computing that we use today.
25:59And it's to protect through the short algorithm.
26:02It's just to change mathematically the security that we use.
26:07And it can be really easy because it's existing on our own infrastructure.
26:13It's not changing too much.
26:14And this is the first way to protect our data and doing on that.
26:20And it's protect from the quantum attacks.
26:24But with actual mathematics that we can use, it just changes the key, in fact.
26:31And it's really, it's not so easy.
26:35It's because we need to align everyone to have a new type of communication exchange security.
26:41But it's also not too expensive to deploy.
26:48And any other ones we should mention?
26:50Or are those, those are the two main ones I'm familiar with.
26:53But any other emerging?
26:56What we should mention is, there's so many things to say about this topic.
27:00But so quantum cryptography, let's say, goes beyond the field of quantum key distribution.
27:05There's many, many functionalities where you can show a concrete advantage in security, privacy,
27:11integrity of data, thanks to quantum communication.
27:14Okay.
27:14So this is one, one thing, a QKD and secure message exchange that can be quantum safe communication
27:20is the most, you know, discussed and extremely useful.
27:25But as you just point out, there is many other functionalities.
27:28And also, what we should say that there is not, there is not two separate worlds.
27:33These two can coexist.
27:34And it's one major topic in the field today.
27:37Okay.
27:37To be able to propose hybrid solutions.
27:40Okay.
27:40Between post-quantum and quantum cryptographic techniques.
27:43This requires a very rigorous security approach so that we are in line with the requirements
27:48of security agencies.
27:50Because this is a little bit an issue with quantum cryptography and the quantum safe transition
27:54is a little bit of tension.
27:55Because at the same time, you need to secure data.
27:59Like Anne-Sophie was saying before, that they need very high confidentiality.
28:03Okay.
28:04And they come from the defense industry, etc.
28:06So critical data.
28:08Let's say, on the other hand, to be able to secure this data, you need to have a very,
28:12very strong validation of your cryptographic techniques.
28:15So you need to have certification.
28:17You need to be completely sure that you have a fully, you know, secure and bulletproof cryptographic
28:26system.
28:27And so there is a little bit of, and to abide with the requirements of the security agencies,
28:32so that both this hybridization and the quantum fields need to integrate very, very carefully.
28:40So you need to, yeah, to also be very consistent and hybrid with networking and cryptographic
28:47solutions that are deployed in classical technologies today.
28:51And then in that sense, is this developed enough that there's kind of a clear playbook
28:57for this in that, is it obvious which of these solutions are the right one or what combination
29:04is the right one?
29:05So for instance, you walk into a bank and you say, okay, if you have this, if you have
29:10this, therefore, what you need is that?
29:13Or is it really, you have to go into each specific person and break it down into the most granular
29:20level and then look at the whole DNA of their position and then build it from the ground
29:28up?
29:28At this point, what we have is recommendation coming from the NIST in US.
29:35In France, we have ANSI in European Commission give also takeaways to go on and give recommendation
29:44to use certain type of certification.
29:47There was a benchmark about solution of PQC and they did, they're doing recommendations.
29:55The goal is that we can continue to communicate everywhere in the world and be aligned.
30:00What is tricky in France, for example, if you use the ANSI recommendation, they can be more
30:06high than the NIST and it's important to cut the speed of the moving on PQC.
30:17But we have this recommendation and all the company needs to have this transfer of technology
30:25and cryptography before a few years.
30:29For example, ANSI said at the beginning of the year, all the certification in 2027 will need
30:38to be PQC resistant for all the certification and all the French companies need to be aligned
30:47on that and have a roadmap.
30:50And Sophie, you were shaking your head.
30:52I mean, imagine again from the startup side, they must have some way of thinking about how
30:58they're approaching companies or how they have to talk to them about this.
31:00So how do they kind of navigate that question?
31:04Yeah.
31:05The funny thing is that we know that there is this threat, but companies and governments,
31:10they don't even know how massive their exposure is to the threat.
31:16And for large corporations, banks, telecom companies or governments or institutions, they know
31:26that they are threatened.
31:27But for small SMBs, the awareness sometimes is not even there.
31:32And the first critical question is, as we know that it will be asymmetric cryptography,
31:40which will be weak, how much are you exposed in your day-to-day business and activities to
31:48this asymmetric cryptography?
31:50Where exactly do you use RSA?
31:52And this is a major question because finally, as Fanny was saying, replacing RSA by a new
32:01post-quantum cryptography algorithm, this is not that complicated.
32:07But if you would replace all your architecture, that would take decades.
32:13And moreover, so far, as Eleni was saying, we are not even certain that the new post-quantum
32:22algorithm cryptography algorithm are as trustable as RSA was, because RSA has been used for
32:29decades.
32:30So we have a great experiment on this algorithm.
32:32And the new algorithm, the post-quantum algorithm to replace it, although they got
32:37standardization by NIST, they are sort of brand new.
32:41So what companies and governments need to do is precisely doing this audit, identifying
32:49where exactly do we use RSA.
32:52And this is the place where we'll need to begin the job of just being very agile to replace
33:00only these bricks.
33:01And this will really reduce the amount of algorithm that needs to be changed.
33:09Okay, now we've talked a little bit just at the side about some of the regulatory bodies
33:15here.
33:16Do we have more to say on that?
33:18I'm not sure if we've covered everything there.
33:21We've mentioned some of the bodies and some of the regulations.
33:23But Fanny, do you have anything you want to add that we should highlight on that?
33:27We've mentioned some of the things that have come into play.
33:30Yeah, I think it's important to follow what are the recommendations of all these organisms,
33:35because we need to be aligned on that.
33:38It's mandatory for each company to be and to follow all of the announcements.
33:45It's also important to challenge them, because sometimes they miss a few things.
33:51For example, if you put PQC now in France, but you don't verify that you can have a full
33:58exportation of about your products if they are PQC, check the legal before also following
34:06this certification.
34:08Don't choose one solution, because I want to check PQC on one thing.
34:13Is it all aligned technically, but also legally to continue to sell your solution everywhere?
34:24And it's a challenge.
34:26Can I add something?
34:27Yes.
34:27On standardization, maybe.
34:30So maybe this is, if it falls under your question.
34:33So there is a risk linked to these standardization efforts today.
34:38And I'm bringing this up because it comes really, really very often as a critical topic
34:42in both quantum and PQC in the field in general of the quantum safe transition.
34:48By the way, this is what quantum safe transition means.
34:50All these techniques that are protecting us against the threat by quantum computing.
34:55And so there is big efforts today, but there is big fragmentation between different standardization
35:02bodies.
35:02And there is a lot of political tension behind this, right?
35:05Standardization bodies are semi-open.
35:08Some of them are European, some of them are Asian.
35:10They are controlled by national authorities exactly because of their importance.
35:15Okay.
35:15And so, and often in particular in Europe, if I can say, there is lack of training of people
35:21and a lack of incentives as well to participate in this standardization effort.
35:25So this is a little bit of an alarm that we should actually get very much involved, deeply
35:31involved in the standardization efforts, at least on the industry side, because this
35:36is what can lock a technology afterwards if you don't do it, if you do it on time.
35:41And as this technology is advancing now, and I think it becomes really relevant for the
35:46field.
35:47So I guess, yes, I would think that all companies or sectors that are concerned by this
35:55threat should be looking into this.
35:57And there is also many fora and many advisory bodies, many quantum safe multi-stakeholder
36:03bodies today.
36:05I'm just thinking, for example, of the quantum safe financial forum of Europol, the NATO working
36:12group on defense and security.
36:15There is UN bodies that are now recommending and have strategies for the transition quantum
36:22safe.
36:23So depending on the level where you would like to be involved, you know, at national, European,
36:29international level, there is the right forum.
36:31So I think this is extremely important for understanding what's going on and being involved in this
36:37transition.
36:39So our time is running down here.
36:41So I'm going to kind of combine our last two questions here and then I'll put this to
36:45each of you, starting with you and Sophie.
36:47So be prepared.
36:49But in my unfortunately long experience of writing about cybersecurity over many decades,
36:57whatever technology, whatever generation we're talking about, I've found there to be two
37:02constants.
37:03One, that organizations suck at it, no matter what era we're talking about.
37:10And two, that humans are idiots.
37:13Those are true no matter what time we're talking about.
37:20So knowing so we can talk about all the future stuff and quantum and blah, blah, blah.
37:25But those fundamental things are always plaguing us, whether it's USB drives or floppy disks
37:32or the internet dial up.
37:34So if you're looking at an organization today doing an audit, what is it you're probably going
37:41to see that's going to frighten you?
37:43And what should they be doing today to actually practically get ready for this era?
37:49Yeah.
37:49I would give them three recommendations.
37:52First, do your inventory.
37:54Be aware of where you use asymmetric cryptography, where you use asymmetric cryptography.
38:00Do the mapping of your data, which ones are critical in the next 10 or 20 years and which
38:06ones are less critical.
38:08Second, test the new hybrid solution like ANSI is recommending, keeping symmetric cryptography
38:17and adding the new standardized by NIST post-quantum cryptography solution and test how agile you
38:27can be to replace your weak RSA solution.
38:32And for this kind of test, by the way, we have invested in a very smart company called
38:37CryptoSense that we sold to Sandbox Acu, which is now a major actor in cybersecurity.
38:43And their main concern is about helping institutions to identify where they have failure in cybersecurity,
38:53which really means that this is where it all begins in being able to remedy that.
38:58Fanny, same question.
38:59Yeah.
39:00I think the most important is start audit now and know where are your certification, your
39:06legacy, everything needs to...
39:10Where is your cryptography?
39:11So many companies don't know finally how they are protected and where they need to change.
39:18After it also, to have a roadmap of this deployment, product by product, few products are more important
39:27to protect now.
39:28The data that you have from a client and can be stolen now and read in a few years.
39:37And after it's also to see the budget because using this new type of cryptography, even if
39:46it's not expensive, even if it's not new device, it's also consume more servers sometimes and
39:55more calculation in other costs.
39:57And if we have this hybridization, you need to have that in the budget for the transition and don't be
40:05in
40:08problems with danger because we don't have the money to do this transition.
40:12And it's thinking about that.
40:13It's just to start now to analyze what is the way to be ready in five or ten years.
40:21Because it will be ten years, like she said, it's not in one week we can change and switch
40:28on to PQC.
40:31And?
40:32So, I need to, as an academic, start one step before what you said and say that, first
40:39of all, you should understand what you were talking about.
40:42What is the nature of the threat?
40:44What is the real situation?
40:46And engaging with scientists can actually avoid the hype.
40:50Can they give you like a bit of factual situation of where the field is going?
40:55A bit what we discussed as well in our panel today.
40:58And what is the actual threat?
41:00And then I would completely agree with them.
41:02Find the cases in your case that actually are concerned by this threat.
41:09So, analyze the cryptographic techniques that you are using and that are concerned by this
41:13data, by this threat.
41:16And then, yeah, do proof of principle.
41:19I guess start with already with some proof of principle with providers, service providers
41:24of these new cryptographic solutions that can help you, guide you through this quantum
41:29safe transition.
41:30I think this is important.
41:32Really understanding deeply the threat and the technology itself, I think will be very
41:37useful.
41:38Okay.
41:39And then one bonus lightning round question for each of you.
41:42Again, so much of the headlines is around things like mythos, anthropic, AI, the cybersecurity
41:49questions.
41:49If I'm a CIO, if I'm running a company, that's the thing that seems to be grabbing my attention.
41:55So, on a scale of 1 to 10, when we're talking about quantum security, how much should I be
42:01prioritizing that?
42:02Or should I be thinking about these as two separate threats?
42:08Is it a different thing?
42:10Do I need to prioritize one or the other?
42:12Or is it all part of the same thing?
42:15Yeah.
42:16I would put it on an eight or nine because, I mean, five years from now is a very short
42:22-term
42:23threat.
42:24So, it's massive and it's becoming bigger.
42:27The more you deploy AI, the more you become vulnerable to this kind of threat.
42:32So, it's already a nine and even increasing.
42:36And I think as my point of quantum need, I say 10, my CTO maybe say seven because we
42:43need to align all the team and there is so many things to do.
42:47But I think everyone knows now is the time to go and to start this change, definitely.
42:54I mean, now is always the time to be taking care of cybersecurity.
42:58No, but sometimes we have time.
42:59But here, we know that with AI and quantum, there is changement and we need to be aligned
43:05definitely.
43:07Yeah, I guess I'll be aligned with this.
43:09I think there is, I do find the threat quite acute.
43:12It depends a bit on the data that you're managing, right?
43:15If it's data that is not particularly prone to confidentiality or long-term security and
43:20integrity, I guess you can wait a little longer.
43:24But I think for the institutions and companies managing sensitive data, and I think it's the
43:29case for, honestly, most of them, then if you haven't started thinking about this already,
43:36it's too late.
43:38Data for clients are sensitive.
43:42All right.
43:42Well, let's stop there.
43:43I want to thank everyone for your time this afternoon.
43:45It was a great conversation.
43:47If everyone could please give them a warm round of applause.
Comments