AWS re:Inforce 2024 - Explorations of cryptography research (SEC204-INT)

00:00

Please welcome to the stage

00:01

Principal SA, Security, AWS, Peter O’Donnell.

00:05

[music playing]

00:10

Hi.

00:13

Really excited to have everybody here today.

00:16

Working with customers for my nine years here at Amazon Web Services,

00:20

I know very well that many of you, perhaps all of you,

00:24

are very interested in protecting your data.

00:27

And cryptography is at the basis of that for most of our customers,

00:30

providing cryptography not only at rest but in transit

00:33

but also to identify and assure software, connections to servers.

00:40

My name is Peter O’Donnell.

00:41

I’m a Principal Solutions Architect.

00:42

I’ve been here for nine years working with some of our largest

00:46

and most challenging customers.

00:48

And what I know is that when I’m in the room with you,

00:51

I’m the cryptography expert.

00:53

But the truth is, as a Solutions Architect,

00:56

I get to say we a lot.

00:58

We invented the Nitro System.

01:00

We have designed S3 to be durable.

01:03

But of course that was never my work.

01:06

So it is my great privilege and pleasure to bring to the stage

01:10

three cryptographers that have worked together

01:12

for decades on cutting-edge cryptographic research

01:16

that is finally now becoming a reality.

01:19

And we’re excited to bring this innovation to you

01:22

and talk to you a little bit about their research,

01:24

what can be done with it, what is being done with it,

01:27

and what someday will be done with it.

01:30

So, let me please introduce Hugo Krawczyk, Tal Rabin and Shai Halevi.

01:39

Hugo is a cryptographer best known for co-creating the HMAC algorithm.

01:45

Shai Halevi is a cryptographer

01:48

working on advanced cryptographic techniques,

01:51

including homomorphic encryption.

01:54

And Tal Rabin is best known for her work

01:56

with multi-party computation and threshold cryptography.

02:00

All of them have received commendations and awards

02:03

over the years and are members of all of the relevant bodies in the world.

02:08

These are three of our most premier cryptographers,

02:10

and they’ve come to Amazon Web Services as of last summer.

02:13

So let’s get into it.

02:14

Thank you all for being here.

02:15

Thank you for having us.

02:16

Thank you.

02:18

All right, so let’s start at a high level,

02:20

what brought you to Amazon Web Services?

02:23

The three of us have been together for a long time, for over 20 years.

02:28

We started our career together at IBM Research,

02:33

where we mostly did theoretical work with some applications

02:38

to more things that are being run in the internet,

02:42

Hugo has a lot of work on these things.

02:44

And from IBM Research, we decided to go on a little adventure together.

02:52

Our WhatsApp group in fact is called The Adventure.

02:55

And that adventure was to start a foundation

03:03

related to a cryptocurrency called Algorand.

03:06

And we were there for three years,

03:09

but at some point we decided that we want to do something different,

03:15

that we really want to take the advanced techniques

03:17

which we’ve worked on and developed for over 30 years and to take them

03:23

and to move them into practice, that people will actually use them.

03:28

And we thought a lot of what would be a great place in order to do it,

03:33

what would be a company that also it would have a lot of impact

03:36

due to the size of the company

03:38

but also that it would be a company that would be willing

03:42

and have the vision in order to apply these things.

03:47

And we decided about AWS.

03:50

AWS is very customer-oriented and focused, and that’s the goal.

03:56

And these techniques bring more security

03:59

and more privacy for customers.

04:01

So AWS seemed like a very great place to be.

04:06

And luckily for us, AWS thought the same thing.

04:10

So here we are.

04:11

That’s right.

04:13

So let’s talk a little bit more.

04:14

We know that security is our top priority here at Amazon.

04:17

Believe me, that is not a marketing slogan, that is how we operate.

04:20

Hugo, can you tell me a little bit

04:22

more about the vision for the future here?

04:23

What are the outcomes you’re looking for?

04:26

We are trying to bring state-of-the-art

04:30

cryptographic techniques,

04:32

those that have been invented in the last 30 years

04:36

and hopefully new ones that we and others will invent.

04:40

And the idea is to use these techniques to raise the bar

04:44

for security, for our customers,

04:48

both at the level of hardening the infrastructure

04:50

but also enabling new services

04:54

that these new techniques enable

04:58

and before were not possible.

05:01

Examples of such techniques

05:03

are what we call threshold cryptography,

05:05

that we may expand on it a little bit later,

05:09

secure multi-party computation, and what we call crypto computing,

05:16

you can think of it as a computing on encrypted data.

05:21

These are technology that enables new ways

05:26

for people to interact with the cloud

05:29

and maybe most importantly to collaborate with each other.

05:36

We bring this level of defense in depth

05:41

and also helping customers

05:44

to reach their requirements and responsibilities.

05:51

Traditional encryption, while being very good

05:54

for protecting data in storage or in transit,

06:00

is not good enough for these kind of applications,

06:03

so we need new techniques.

06:05

So the idea is to bring this stuff to our customers in AWS.

06:10

That’s awesome.

06:11

Shai, Hugo mentioned this idea of cryptographic computing,

06:15

computing over cryptographic data.

06:16

Tell us more about that.

06:18

Generally, cryptographic computing refers

06:21

to the ability of processing data without ever seeing it in the clear.

06:25

One example of that is homomorphic encryption,

06:27

where data is encrypted and being processed in encrypted form

06:32

without ever decrypting it,

06:33

without even having the decryption key.

06:35

Other forms of it are distributed computing,

06:40

where each participant in that computation

06:43

only sees bits that seems meaningless when you see them in their own

06:48

but among all of them they still can process the data.

06:54

This can be used, as Hugo was saying,

06:56

both to do private outsourcing of customer’s data to the cloud,

07:02

where the cloud can process it without seeing the data in the clear,

07:07

or private collaboration, where there are multiple customers

07:11

all want to pool their resources together,

07:14

have the cloud do the processing for them,

07:17

but they don’t trust each other or the cloud

07:19

seeing their data in the clear.

07:22

Some examples that you can think of are private queries to ML models.

07:27

The cloud may have a model, you may want to query that model,

07:32

well, you may not want the cloud to see what you’re querying for.

07:35

So you can do that processing in this way.

07:38

Other examples would be still in the realm of ML.

07:44

You want to do federated learning

07:46

where multiple parties there want to collaborate

07:49

on establishing the model or on developing the model but again,

07:54

each with their own data.

07:55

Again, these techniques are useful there.

07:59

And also, Tal, I know that a lot of your work

08:01

has been around threshold cryptography.

08:04

What is threshold cryptography?

08:07

Threshold cryptography is one of these advanced techniques.

08:11

The goal of threshold cryptography

08:14

is to eliminate single points of failures in relation to keys.

08:20

For example, if you have a signature scheme,

08:24

you have a secret key which signs messages.

08:28

And this key is very, very important.

08:30

But if you store it on a single server,

08:33

even if you secure that server,

08:36

there would be a mistake that an operator does

08:39

when they come to serve the server.

08:42

And by mistake they do a memory dump.

08:45

Now your key is in the clear.

08:47

And this is what we refer to when we say a single point of failure.

08:52

Threshold cryptography techniques come to eliminate this vulnerability.

08:57

And how do they do it?

08:59

Let’s say, just an example,

09:01

that you’re signing key is the number 11.

09:04

If you store it on the server, the number 11 is there.

09:08

But, since we said we wanted to eliminate this point of failure,

09:13

we will take the number 11

09:14

and we’ll split it randomly into two numbers, seven and four.

09:19

Seven and four equal 11.

09:21

But these are random numbers.

09:23

And we’ll put seven on one server

09:25

and we’ll put the four on another server.

09:28

Now you can see immediately

09:30

that I’ve eliminated the single point of failure.

09:32

Because if there is a memory dump,

09:35

say on the server that has the number four, nothing has happened.

09:39

This four has no connection to the number 11.

09:42

Somebody who sees that value still does not know

09:45

what the signing key is.

09:47

But we’ve introduced a problem.

09:50

Now we have a seven and we have a four.

09:52

How do we sign?

09:54

The purpose of this scheme was to sign.

09:57

In fact, threshold crypto also offers

10:01

the mechanism to sign from these distributed pieces.

10:06

From the seven and from the four,

10:09

each server acting on their own may be communicating somewhat.

10:14

It can generate the signature.

10:17

Now, the interesting thing is that we’ve raised the bar on security,

10:23

yet for an outsider, the signature looks exactly the same.

10:28

They don’t know what happened on the back end.

10:32

So we really are offering something that improves the security

10:38

for anybody who uses these systems,

10:41

while preserving the external simplicity of the signature

10:46

and not interrupting it.

10:47

Such a scheme, as you say,

10:49

not only would reduce the single point of failure

10:51

were there to be a compromise of one of these instances

10:54

but also there’s an availability angle to this as well, right?

10:57

A hundred percent.

10:58

I gave a very simple example

11:01

because I wanted to be able to speak about it here.

11:04

But the schemes in fact are more sophisticated.

11:08

You can take, we call this splitting of the key, splitting it into shares.

11:14

We can split these shares in a sophisticated manner.

11:18

Maybe you want two out of three pieces to create the signature.

11:24

You split it into three pieces, and any two can create the signature.

11:30

You can set the parameters whichever way you want it.

11:33

But I’m going with-

11:34

You could scale it to a large number of servers.

11:35

Whatever you want, whatever suits your system.

11:38

But let’s say we do two out of three, it does increase availability also.

11:43

Because even if one of the shares is lost, we can recover.

11:48

But also, let’s say we did two out of five.

11:52

Any two could sign in parallel.

11:53

That also increases availability in that way as well.

11:58

It’s a very versatile technique which can offer a lot of amazing features.

12:03

And of course it depends on the application of what you need.

12:07

So not just, say, disaster recovery but disaster tolerance in some way.

12:11

A hundred percent.

12:12

That’s awesome.

12:14

So we know that this idea of crypto computing over a large body of data,

12:20

but there’s also some theoretical background to this, is that right,

12:23

Hugo, this idea of proof that you can actually know

12:26

that the system is working correctly?

12:29

Yes, designing a cryptographic schemes,

12:32

systems, protocols, is not easy.

12:37

Or what I always say, it’s not very hard

12:39

but it’s much easier to design it wrong.

12:44

When do we know that actually what we design is secure?

12:49

In cryptography, there are no simulations or tests

12:55

that you can do for the security.

12:58

Actually, it’s only theoretical tools that we have.

13:03

We refer to them usually as proofs.

13:07

We proof mathematically that the system is secure,

13:11

usually in cryptography under some assumptions.

13:15

And there are ways of doing proofs by hand,

13:20

as have been done for hundreds of years,

13:23

but these days we also have automated proofs,

13:26

having machines that help us reason about these systems.

13:33

A cryptographic system that has not been proven

13:39

in most cases is an insecure system.

13:43

That’s right.

13:46

Thinking about our long-term view,

13:48

Amazon is a place for long-term thinking and long-term ownership,

13:51

tell us more about what you’re working on

13:54

right now to benefit our customers.

13:57

Should I speak? Sure.

13:58

Okay.

14:00

This mechanism of threshold cryptography,

14:06

we decided to look at various Amazon systems.

14:12

And one of the first systems that we looked at is IAM,

14:16

which is identity access management.

14:20

We looked at the back end, which holds the keys

14:26

used for authentication of all our customers.

14:28

If you’re our customers, you are using this system,

14:34

and it’s providing you assurance.

14:36

A billion requests per second IAM, every day,

14:40

doing trillions of authenticated requests.

14:45

The question is, what could we do, of course.

14:47

Amazon has an eye on security

14:51

and the systems are secure as they are,

14:54

but we wanted to offer defense in depth,

14:57

to try and find how we harden the system.

15:01

Because attackers are becoming more sophisticated,

15:04

more things can happen,

15:06

we want to really have more than one layer of security.

15:10

So we approached IAM,

15:16

and in fact they will be introducing

15:20

this threshold cryptography into their system.

15:25

They’re going to start building it soon

15:28

and hopefully it’ll be available.

15:30

And of course, again, as I said about threshold crypto, you as customers,

15:35

you won’t even know that we have done this on your behalf

15:39

and that the system really is more secure.

15:42

For you, everything is going to stay the same,

15:44

the speed, the availability, and so on.

15:48

But the system will in fact, the security will have been hardened.

15:53

And I want to say one more thing.

15:55

We’re new, we just came, and we approached these people,

16:00

but you could see the philosophy in AWS,

16:05

the enthusiasm with which this group

16:09

received what we were saying.

16:13

And the interest in doing it were really, in fact, for us,

16:16

quite amazing that it was so accepted and which was wonderful to see.

16:22

That’s cool to hear.

16:24

AWS IAM, obviously one of our oldest services,

16:27

today operating at a bonkers scale.

16:30

We’ve invested a lot in this service over time.

16:33

Doctor Neha Rungta is giving a talk either later today

16:36

or tomorrow about our innovations

16:39

in proving the correctness of this system.

16:43

And so I always want to emphasize to customers,

16:45

even the old stuff, right?

16:47

Obviously, we’re creating new services every day,

16:49

really a lot of innovation there,

16:51

but the level of innovation and investment in the old stuff,

16:55

the things that will never change,

16:57

is certainly one of our main focuses here at Amazon.

17:01

Speaking about research, Hugo,

17:04

I know we’d kind of talked about an application in the contemporary area,

17:08

I know that advertisement is a critical area

17:11

where multi-party computation comes to bear.

17:13

Is that right? Yes, yes.

17:16

First, this notion of secure multi-party computation

17:20

is a type of solutions or protocols

17:25

that allow a set of parties to compute in

17:29

a collaborative way some function, and I’ll give some examples,

17:37

in a way that everyone brings their own input, their own data,

17:41

but the only thing that is learned is the output of the function.

17:44

No one learns anything about the input

17:46

except for what can be derived from the output of the function.

17:51

The idea is similar to think that if you have a trusted third party

17:55

where everyone gives their inputs

17:56

and that trusted third party computes the function

18:00

and gives out the output.

18:03

But now you don’t have that trusted party,

18:06

so you run this secure multi-party computation to achieve

18:11

that form of functionality without the trusted party.

18:17

One example, also something that we have been working in the last year,

18:23

is in the area of advertisement.

18:27

In advertisement, people run campaigns

18:31

and then they have to measure the success of these campaigns.

18:34

People have used for a long time third-party cookies,

18:39

for example, for doing that at the level of web browser,

18:44

but now it’s being discontinued.

18:48

And the advertisers need to check with different publishers

18:54

and publishers

18:56

don’t want to give all the information that they have,

18:58

and the advertisers also don’t want to give all their data.

19:04

You want to build a protocol that all the providers bring the data

19:08

and at the end you learn some statistics.

19:11

In particular, we were working on the problem

19:14

of computing two statistical functions,

19:17

frequency rich is how many users have seen an ad and frequency

19:23

is how many of them saw one time the ad, two times, three times, etc.

19:31

We are building this together with the world federation of advertisers,

19:38

which Amazon is part of it.

19:42

It’s a project with different companies.

19:45

But we built a multi-party solution for that problem

19:49

that is being implemented.

19:54

That’s an interesting angle there where,

19:59

we are going to talk about some future stuff, it’s genuinely spooky,

20:02

but this is an example of a system that’s been in place for a long time

20:06

but prevailing culture and even some pressure from stakeholders

20:10

that it really needs to become more private

20:13

and that these techniques and this advanced research

20:15

allows an existing computing capability to raise the bar

20:19

not only on security but privacy.

20:22

Shai, tell us about this idea of homomorphic encryption?

20:26

What is homomorphic and why does that improve the overall privacy angle

20:31

for things like storing sensitive data in a database?

20:35

Homomorphic encryption is a somewhat new player

20:38

in this secure computation game.

20:42

Homomorphic encryption is a specific type of encryption

20:45

that allows you to process data in an encrypted form,

20:49

as I said before, without even having the decryption key.

20:55

We speculated on the ability to do that for many years,

20:58

but the first example of encryption scheme

21:01

that actually enable that are only 15 years old.

21:05

So it’s a relatively new technology,

21:08

but it is coming into maturity these days.

21:12

We expect to have hardware acceleration

21:15

for homomorphic encryption coming up within the next year or so.

21:19

In AWS, we’re trying to see where

21:23

we can provide this technology

21:26

to our customers to improve their security posture,

21:31

to improve their privacy posture.

21:35

Right now, the thing that we’re doing internally

21:37

is a relatively large-scale study of capability together

21:43

with many industry partners, for example,

21:45

the producers of these future accelerators or parties

21:50

that have their own technology.

21:52

And we’re running studies to assess this technology

21:55

and see what we can do with them.

21:58

But again, it’s a 15-year-old technology.

21:59

Imagine inventing the transistor 15 years ago

22:04

and trying to come up with an idea of what it can do today.

22:08

This is where we are right now.

22:09

A few things that I believe are possible or will be possible soon,

22:16

checking if two pictures are pictures of the same person

22:20

when these pictures are encrypted.

22:23

Or, as I said, doing private queries to certain machine learning models.

22:29

Other things that you can do, private set intersection.

22:32

Hugo talked about advertisers.

22:34

The advertiser has a list, or the publisher has a list,

22:37

they want to see if anybody that visited this publisher site

22:40

actually bought something on the advertiser.

22:43

So each of them have a list,

22:45

they want to know who is in both lists

22:47

without revealing the list to each other.

22:50

Private information retrieval, I have a key value store,

22:54

I want to fetch a value by key

22:57

without the store being told what the key was,

23:01

these kinds of things.

23:03

Those are all possible with today’s technology,

23:06

and we’re expecting a lot more things to be possible

23:10

once these accelerators come.

23:13

We’re currently in the process of trying to see

23:18

what the technology can do and trying to take existing workloads

23:24

that AWS currently has, for example,

23:26

this picture matching service that we already have,

23:30

and enable it on encrypted data

23:33

so that the customer doesn’t need to do much.

23:35

All you need is to check the box saying,

23:36

“Well, I want this data to remain encrypted end to end”

23:40

and then the process will be run on encrypted data

23:43

instead of the plain text data.

23:45

And this idea of a one-click adoption,

23:47

of course it’s really important to our customers,

23:49

and it’s also really important for how we design services.

23:52

Make it easier to do the right thing and harder to do the wrong thing.

23:56

Now, I want to quickly come back to this idea of hardware acceleration.

23:59

I’m old enough to remember putting SSL accelerator cards

24:02

in my web servers 20 years ago.

24:04

Because some of this, most of this cryptography,

24:07

is predicated on hard problems that involve a lot of math.

24:10

Can you say more about the role of a hardware accelerator

24:14

in enabling adoption without compromising performance or latency?

24:20

One problem with cryptography computing,

24:23

as with any other technology, it has a real cost.

24:26

The hardware accelerator is crucial in making that cost tolerable

24:31

so that customers can deploy these workloads with the added security

24:36

or maybe deploy new workloads that were impossible before

24:40

because of security or privacy concerns

24:42

without having to pay too much.

24:46

It’s crucial, and in addition to the cryptographic techniques

24:51

that we bring there is of course

24:54

always the system engineering part of it.

24:57

Because once you have the accelerator,

24:58

well, you need to route these workloads to these hosts

25:02

that actually have the accelerator.

25:04

So there are a lot of work in front of us, but we’re getting there.

25:08

And I’m sort of optimistic that we will have news for you

25:11

within the next few years about that.

25:13

That’s awesome.

25:15

Hugo, I know you’ve also been involved in some other cryptographic

25:18

designs for other systems here at Amazon.

25:20

Tell us about the constellation.

25:23

We have been doing also work on the more traditional cryptography,

25:28

bringing our knowledge and expertise to share with Amazon teams.

25:35

We’ve been involved with problems

25:39

related to key agreement,

25:42

key management, even password protocols.

25:49

One example is a design of key agreement

25:52

for the Kuiper satellite project.

25:58

Another thing is doing end-to-end security,

26:02

where customers can back up their keys with AWS

26:06

and still keep full ownership of these keys.

26:10

And some other things, hopefully things that we will be able

26:14

to talk more in future re:Inforce meetings.

26:20

Yeah, we are doing the more advanced stuff

26:25

but not forgetting also the core basis of [INDISCERNIBLE].

26:30

And of course, if you’re a bunch of crypto nerds, as I assume you are,

26:34

my people, obviously top of mind for a lot of folks

26:37

these days is post-quantum cryptography.

26:39

What does it mean that in a possible future

26:44

that a sufficiently powerful quantum computer could come to existence,

26:48

it means that some of the hard problems,

26:50

this idea of the assumptions on which classical cryptography is predicated,

26:54

maybe stop being hard problems.

26:57

Tal, tell us about where we are with PQ?

27:01

First of all, as you said, all our cryptography is based on assumptions.

27:08

Except for a one-time pad, we don’t have a single system

27:12

where there isn’t an underlying assumption.

27:14

And if this underlying assumption is broken, then the system is broken.

27:19

For example, RSA, if we figure out how to factor numbers

27:25

on a classical machine, RSA will be broken.

27:29

So we still don’t know how to factor on the classical machine.

27:33

But we do know how to factor on a quantum computer.

27:38

Now, just so you don’t run out of here immediately and say,

27:42

“Okay, it’s broken,”

27:44

in order to break a 1024-bit RSA modulus,

27:51

which is the product of the two primes,

27:53

you need a minimum of 1024 good qubits.

27:58

Most likely you need even ten times more than that.

28:02

And currently we are not there.

28:05

I don’t want to say when we will there because I don’t know.

28:08

But there are experts that range from ten years to never.

28:15

It could be anywhere in that range.

28:20

So, given that we know that

28:24

if a quantum computer exists

28:28

RSA will be broken, what do we do?

28:31

NIST was very proactive and saw this coming

28:35

and put a competition in place for which people

28:40

designed post-quantum encryption signature schemes.

28:48

There was a competition to decide which one is the best.

28:51

What does it mean that it’s post-quantum?

28:53

It’s based on different assumptions.

28:56

It can’t be based on factoring, of course, it has to be based

29:00

on what we call some lattice assumptions.

29:03

And this competition ran for quite a few years,

29:06

and candidates were chosen about a year ago,

29:11

maybe, a little bit more.

29:13

And these are the protocols

29:18

which NSA is requiring to use,

29:22

and they have some time timeline of when to deploy them.

29:26

I want to say something, I said systems for signatures

29:30

and for encryption.

29:32

Signature and encryption are not the same

29:35

as they relate to post-quantum.

29:38

And why?

29:40

If you encrypt something today with a class,

29:47

old assumptions, factoring or discrete log,

29:51

somebody might harvest your encryption from today,

29:56

and later on when the quantum computer is available

30:00

they would be able to decrypt your message.

30:04

I don’t know, I’m not important,

30:06

my messages probably are not being harvested,

30:09

though if they would be people would be very interested at the end.

30:14

But of course, big secrets that need to last for a long time

30:18

might be harvested.

30:20

Signatures, however, are not the same.

30:23

Signatures, even if you harvest the signature

30:28

now it doesn’t help you much that you’ll be able to break it later.

30:32

So there’s a difference between encryption and signatures

30:37

when it comes to when you should be deploying post-quantum.

30:41

That’s interesting, and we of course have been investing in PQ

30:44

for a very long time here at Amazon Web Services.

30:47

Today, we have a hybrid scheme available on the TLS

30:52

endpoints for KMS, Secrets Manager, and our file transfer products.

30:57

This is important to understand the word hybrid.

30:59

Because these are new algorithms, it would be terrible

31:03

if these new algorithms introduced a classical vulnerability.

31:07

So what we have today are hybrid schemes

31:10

that use a mix of classical cryptography

31:12

and post-quantum cryptography that you can experiment with today.

31:16

Are they suitable for prod?

31:18

Conceivably.

31:19

Are they worth the latency trade off?

31:20

Maybe not today because you likely

31:23

don’t have that store and harvest threat model.

31:26

And if you do, you’ve probably got a lot

31:28

of defense and depth around that anyway.

31:31

But you can search online, find our post-quantum website,

31:34

and stay up to date with everything we’re doing.

31:36

It’s a lot of really fascinating research.

31:38

Hugo, can you tell us a little bit more about the store

31:40

and harvest thing in the context of maybe the life cycle of the data?

31:44

You could imagine that encrypting a quarterly earnings report,

31:49

the durability of that cryptography has a timeline to it.

31:53

So if you could break it in six months

31:54

but it’s only secret for three months,

31:56

well, then maybe that’s not a big deal.

31:58

But you could imagine longer-term data

32:00

sets like health data that need to be safe forever.

32:06

Yes, it’s a very important point here about the post-quantum to understand

32:12

that the encrypted data is not in danger today.

32:18

We are talking about that it may be in danger in X years,

32:21

and as Tal said, people have different guesses for what X is

32:27

and how many years until we have a very powerful quantum computer

32:33

to actually break cryptography.

32:37

The data that is in danger is the data that is very sensitive

32:42

for long term

32:43

and such that the adversary is willing to harvest now.

32:48

Because in order to break it in 30 years,

32:51

you will need a ciphertext that was created now.

32:55

Only data of that high sensitivity will probably be targeted.

33:03

There is definitely a set of data that is important to protect already.

33:08

What I always like to remind ourselves

33:12

is that there are many other things that may be more risky for data

33:17

if you don’t manage the security well enough.

33:21

For example, there are voices in the industry

33:25

that want to eliminate or at least have the option

33:31

of eliminating forward security from TLS 1.3.

33:36

Forward security is an element

33:38

that provides a very, very high level of security.

33:43

So the point is that you need to follow the best practices

33:47

even with traditional cryptography not only with post-quantum.

33:52

You mentioned TLS 1.3, which is interesting,

33:54

and if I can embarrass Hugo for a second,

33:56

your SIGMA protocol is at the heart of key agreement in TLS 1.3.

34:01

But TLS 1.3, a lot of customers, I get the question a lot,

34:04

“What do I need to do about PQ? What do I do?”

34:08

The simplest answer is adopt 1.3.

34:11

When NIST finally finalizes these standards,

34:14

they’re not going to come to 1.2.

34:17

The simplest, shortest answer I can give customers

34:20

about preparing for a PQ future is adopt 1.3.

34:25

Let me make that clear.

34:27

We’ve talked a lot about our innovations

34:29

and this incredible research from my colleagues here for the long term.

34:34

But we need your help.

34:35

Almost everything we’ve built here at Amazon Web Services,

34:38

easily nine in ten, we’ve built because customers asked for it.

34:43

That’s true for Elastic Transcoder a decade ago

34:46

to things like SageMaker and Bedrock today.

34:49

Customers asked us to solve some hard problems.

34:52

Shai, tell our customers how they can help us help them.

34:59

The short answer is come tell us where it hurts.

35:05

This is a very good time to have an impact

35:07

on where do these techniques come in, what kind of problems comes you,

35:13

the customers, or maybe your customers,

35:16

encounter that makes it hurt to bring data to the cloud?

35:22

Because most likely there are cryptographic techniques

35:26

that allow you to mitigate these pain points

35:29

and do it with a reasonable price.

35:31

But as we said, we are new to AWS,

35:35

and this entire idea of crypto computing is maybe ten years old.

35:40

It’s still getting in the process of making it to mainstream computing.

35:46

So we really, really need your input on where these things have impact.

35:53

In the examples of homomorphic encryption,

35:57

what workloads do you really want to run on encrypted data?

36:01

In the context of federated learning,

36:06

where are the places where it really hurts to join the data

36:12

in order to do the learning?

36:14

All of these things, we really need your input on it.

36:18

There’s one thing that I want to say about something that already exists.

36:23

Tomorrow, there is a session in the developer session,

36:26

BAT251 if I remember correctly,

36:29

where there is one example

36:31

that already is integrated into Amazon Clean Room.

36:35

So if you want to go to that session, you’ll hear about it.

36:38

These are things that slowly start to appear in production.

36:43

But now it really is crucial for us to understand what do customers want.

36:47

When are these techniques just good to have?

36:50

When are these techniques a necessity in order

36:53

to be able to process things in the cloud?

36:55

So please find us outside here in the halls,

36:59

or if you’re watching it online, through your AWS representative.

37:03

Find us, give us feedback.

37:05

This is the time to really make an impact

37:07

on where these techniques are used.

37:10

That’s right, at Amazon we use this very particular phrase,

37:14

customer obsession.

37:16

Tal at the beginning talked about why they came here.

37:19

It’s because this is a place where we can build for our customers

37:23

and on behalf of our customers.

37:26

I want to add, in addition to the fully homomorphic, as Hugo described,

37:31

there are also techniques that are multi-party

37:34

that maybe you don’t want just to be processing on the cloud

37:39

but you need to collaborate with other organizations.

37:43

For example, maybe you’re a health organization

37:46

and you need to share data with another health organization

37:51

and you’re prohibited by HIPAA

37:53

but you still want to do some processing on the data.

37:56

These things, the multi-party computation techniques,

38:00

also help with that.

38:01

Of course, also the level of threshold cryptography,

38:05

which we said hardens the security,

38:08

gives you another layer of defense for your most sensitive keys.

38:13

We can help with those techniques as well.

38:16

That’s awesome.

38:17

At Amazon we use this phrase, day one.

38:19

We’re still just getting started.

38:21

So this feedback that we need from our customers to influence

38:23

the research and the product development,

38:25

it’s foundational to what we do here.

38:27

With that, really want to thank everybody for their time today.

38:30

We’re going to wrap up here.

38:31

Folks on the live stream, we’re going to transition to some

38:33

Q&A in the room.

38:35

But I really want to thank our panelists here.

38:37

Thank you so much, let’s do some Q&A.

38:39

[music playing]