Talk Overview

This was my first talk at Gophercon UK. It’s a wonderful conference, and one I’ve attended as a delegate before, but this was my first time speaking. I couldn’t have been more excited.

The slides for Let’s Go Quantum are available from Google Slides.

Talk Summary

Introduction to Quantum Computing

I began with an introduction to quantum computing not entirely dissimilar to my shorter Go Quantum talk at London Gophers. Although most of the conference talk was new material about Post-Quantum Cryptography, the opening section was based on the shorter usergroup talk from last year.

We covered what quantum computers are, the current state of the art, and what software offerings are available.

Post-Quantum Cryptography - Breaking News

Two days before the conference started, Go 1.23 was released. The same day, NIST published its finalised Post-Quantum Cryptography standards, including FIPS 203 for ML-KEM (the standardised form of Kyber), with some changes from the draft. It was a busy day for anyone about to go on stage and talk about PQC in Go, and bits of the talk were frantically rewritten at the last minute.

Having investigated the changes in the NIST standard, and contacted various clever people to make sure I wasn’t mistaken, I said that the Go 1.23 implementation of X25519Kyber768Draft00 offered the same level of security as the updated NIST standard. There would likely be changes to the implementation down the line, but in Go’s case there were no issues with the security of the current implementation.

Store Now, Decrypt Later

The talk went on to cover the ‘store-now-decrypt-later’ threat model, which is why key encapsulation mechanisms are being upgraded first: traffic recorded today can be decrypted once a cryptographically relevant quantum computer exists, so the key exchange protecting it has to be quantum-resistant before that day, not on it. Certificates and signatures can wait because a forgery only helps an attacker at the time of the handshake; symmetric ciphers and hashes can wait because Grover’s algorithm gives at most a quadratic speed-up, which AES-256 and SHA-256 have the margin to absorb. KEMs need PQC now, so this is what is being added to Go.

Lattice-Based Cryptography

Lattice-based public key cryptography was introduced, and the basic idea behind it covered without too much linear algebra detail for a software engineering conference. It was contrasted with elliptic curve cryptography and RSA, with particular regard to the implications of quantum computing: Shor’s algorithm breaks both RSA and elliptic curve key exchange on a large enough quantum computer, whereas no comparable quantum speed-up is known against the lattice problems Kyber relies on.

PQC and Hybrid Crypto

There was an overview of the X25519Kyber768Draft00 spec, whose name the audience found hilarious. I talked about Cloudflare’s fork of Go. Dr Bas Westerbaan co-authored the draft, which pairs the time-honoured security of elliptic curve cryptography (X25519) with the quantum resistance of Kyber, since standardised as ML-KEM, and we reviewed its implications. The point of the hybrid is that an attacker has to break both halves: the X25519 share still protects the session if a flaw turns up in the young lattice scheme, and the Kyber share protects it against a quantum computer.

Detecting PQC in the Browser

We had a quick look at how to check in Google Chrome which key exchange and ciphersuite you are using to communicate with a website: the Security panel in DevTools lists the TLS version, key exchange group and cipher for the connection. That lets you compile caddy with Cloudflare’s fork of Go, then check it’s working. You can also write a webserver in Go 1.23, then see from the browser that your connection is using PQC.

What’s New in Go 1.23

Looking through the release notes for Go 1.23, there isn’t much said about the new feature beyond this:

“The experimental post-quantum key exchange mechanism X25519Kyber768Draft00 is now enabled by default when Config.CurvePreferences is nil. The default can be reverted by adding tlskyber=0 to the GODEBUG environment variable.”

Expanding on that, the talk discussed the implications of the new TLS functionality being unexported (the CurveID for X25519Kyber768Draft00 has no exported constant, so it is used only when CurvePreferences is left nil), the fact of it being the default TLS ‘curve’, and the differences between this implementation of the draft spec and the finalised version of the NIST standard that dropped the same day. I reassured the audience that the Go implementation offers the same level of security as the finalised standard, and said you can - and should - upgrade to Go 1.23 now and use the new cryptographic functionality provided by the TLS package. Credit goes to Filippo Valsorda for the implementation.
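As an added example (my own code, not part of the talk, the slides or the Go project): the program below makes the “is this connection using PQC?” check from the browser section reproducible from Go itself, and shows what the release note’s CurvePreferences-nil default means on the wire. It drives a tls.Client over one end of an in-memory pipe, captures the ClientHello it sends, parses the key_share extension and reports which named groups were offered and how big each share is. On a Go 1.23 toolchain with CurvePreferences nil the hybrid group 0x6399 (X25519Kyber768Draft00, a 1216-byte share) appears next to a plain 32-byte X25519 share; with CurvePreferences set to X25519 only, or with GODEBUG=tlskyber=0, only the classical share is left. The group code points, the example.com ServerName and the 0x11ec code point for Go 1.24’s renamed X25519MLKEM768 default are assumptions stated in the code, not anything the page provides.

```go
package main

import (
	"crypto/tls"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"net"
)

// IANA TLS named-group code points (assumed here; Go 1.23 keeps its hybrid CurveID unexported).
const (
	groupX25519                = 0x001d
	groupX25519Kyber768Draft00 = 0x6399 // Go 1.23 default (draft hybrid)
	groupX25519MLKEM768        = 0x11ec // Go 1.24+ default (final ML-KEM hybrid)
)

// captureClientHello drives tls.Client over one end of an in-memory pipe and returns
// the raw ClientHello it writes. No server is needed: the handshake is abandoned there.
func captureClientHello(cfg *tls.Config) ([]byte, error) {
	clientEnd, serverEnd := net.Pipe()
	done := make(chan struct{})
	go func() {
		defer close(done)
		_ = tls.Client(clientEnd, cfg).Handshake() // fails once serverEnd closes; expected
		clientEnd.Close()
	}()
	hdr := make([]byte, 5) // TLS record header: type(1) version(2) length(2)
	if _, err := io.ReadFull(serverEnd, hdr); err != nil {
		return nil, err
	}
	body := make([]byte, binary.BigEndian.Uint16(hdr[3:]))
	_, err := io.ReadFull(serverEnd, body)
	serverEnd.Close()
	<-done
	return body, err
}

// parseKeyShares walks a ClientHello (handshake header included) and returns its
// key_share extension as group -> public share length in bytes.
func parseKeyShares(hello []byte) (map[uint16]int, error) {
	u16, bad := binary.BigEndian.Uint16, errors.New("malformed ClientHello")
	vec := func(p *[]byte, w int) ([]byte, bool) { // pop a vector with a w-byte (1 or 2) big-endian length prefix
		if len(*p) < w {
			return nil, false
		}
		n := int((*p)[w-1]) | int((*p)[0])<<(8*(w-1))
		if len(*p) < w+n {
			return nil, false
		}
		v := (*p)[w : w+n]
		*p = (*p)[w+n:]
		return v, true
	}
	if len(hello) < 38 || hello[0] != 1 { // type(1)=ClientHello length(3) legacy_version(2) random(32)
		return nil, bad
	}
	p := hello[38:]
	for _, w := range []int{1, 2, 1} { // legacy_session_id, cipher_suites, legacy_compression_methods
		if _, ok := vec(&p, w); !ok {
			return nil, bad
		}
	}
	exts, ok := vec(&p, 2)
	for ok && len(exts) >= 4 {
		typ := u16(exts)
		exts = exts[2:]
		var data []byte
		if data, ok = vec(&exts, 2); !ok || typ != 51 { // 51 = key_share (RFC 8446 section 4.2.8)
			continue
		}
		shares, ok := vec(&data, 2)
		out := map[uint16]int{}
		for ok && len(shares) >= 4 {
			g := u16(shares)
			shares = shares[2:]
			var share []byte
			share, ok = vec(&shares, 2)
			out[g] = len(share)
		}
		if !ok {
			return nil, bad
		}
		return out, nil
	}
	return nil, bad
}

func main() {
	for _, prefs := range [][]tls.CurveID{nil, {tls.X25519}} { // nil = Go's default; X25519 only = classical
		hello, err := captureClientHello(&tls.Config{ServerName: "example.com", CurvePreferences: prefs})
		shares, perr := parseKeyShares(hello) // reports an error if the capture failed
		fmt.Printf("CurvePreferences=%v capture=%v parse=%v\n", prefs, err, perr)
		for g, n := range shares {
			pq := g == groupX25519Kyber768Draft00 || g == groupX25519MLKEM768
			fmt.Printf("  group=0x%04x share=%4d bytes pq=%v\n", g, n, pq)
		}
	}
}
```

Run it with `go run .`, then again with `GODEBUG=tlskyber=0 go run .` (on Go 1.24 and later the knob is `tlsmlkem=0`) and watch the 1216-byte hybrid share vanish; which default you get also follows the `go` directive in your go.mod, since GODEBUG defaults are tied to it. The same key_share groups are what Chrome’s Security panel summarises when it names the key exchange.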

Possible Future Developments

I mentioned a couple of things that might happen, vaguely in order of when they might happen:

  • Increased uptake of the NIST standard
  • Implementation of the finalised version of the NIST MLKEM standard in Go 1.something
  • Exporting the PQC crypto functionality in the TLS package in Go
  • Kyber only (i.e. not hybrid PQC/traditional elliptic curve) TLS one day?
  • With KEMs basically sorted, we could see an increased focus on certificates and digital signing next.

Afterword about Gophercon UK

Gophercon UK is perhaps my favourite conference on the scene. It’s always wonderful to see old friends and make new ones in the community, and I can’t think of a better place to do that. I’d love to go back next year.