Kris Kwiatkowski is a Cryptography Engineer who focuses on problems at the intersection of cryptographic research and implementation. Currently, at PQShield, he is responsible for the implementation of post-quantum cryptographic primitives and for helping organizations migrate from classical to post-quantum cryptosystems. With a career spanning over 15 years, Kris has worked on a variety of topics related to cryptography, communication and software security, from small embedded systems to large, distributed backend systems.
MSc in Pure Mathematics, 2006
Poznan University of Technology, Poznań, Poland
Computer System Architecture & Design, 2007
AGH University of Science and Technology, Kraków, Poland
Working as a Cryptography Engineer responsible for software implementation of cryptographic primitives.
Working as a Cryptography Engineer in Cloudflare’s Technology Research team. Most of the activities were around implementing improvements to the TLS stack as well as implementing proofs of concept in the area of post-quantum cryptography (isogeny based).
I was part of the team working on an implementation of the Trusted Execution Environment (TEE) based on ARM TrustZone technology. My responsibility was the implementation of cryptographic components and security validation of various parts of the system.
Responsible for maintaining and implementing various functionalities in the Amadeus core system security and communication framework (C++ based). Focusing mainly on security and stability of TLS connections, performance optimization, improvements to failure resilience of high-availability components.
Implementation of OpenSSL ENGINE for OpenVPN with key storage secured by ARM TrustZone
CIRCL is a collection of cryptographic primitives written in Go.
The interfaces exposed by popular cryptographic libraries are designed for general-purpose computers. Those interfaces are not always suitable for constrained devices. In such devices, the secret key is often stored in secure storage (a secure element) and access to the raw key material is restricted: the application does not have access to the key, but it is allowed only to perform operations with that key. Such a use case changes the design of the cryptographic interface. Cryptographic interfaces designed by GlobalPlatform (TEE Internal Core) or ARM (PSA Cryptographic API) are known only to a limited audience working on those specific topics. The goal of this presentation is to introduce the concept of handle-based cryptographic interfaces to a broader audience. The presentation mostly focuses on the design of the PSA Cryptography interface. In the final part of the presentation, we will discuss changes to the PSA Cryptography interface that will be required for the upcoming PQ standards.
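To make the handle-based model described above concrete, here is a small added example in Go (chosen because CIRCL, mentioned on this page, is a Go library). It is not code from the presentation and not the PSA Cryptography API itself: the KeyStore, KeyHandle and Usage names are constructed for illustration, and Ed25519 stands in for whatever primitive the secure element offers. The point it demonstrates is that the application only ever holds an opaque handle plus a usage policy; signing and verifying work through the handle, while exporting the private key is refused unless the policy explicitly allows it, and a destroyed handle stops working.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Usage is a constructed key policy in the spirit of PSA key usage flags
// (assumption: names are illustrative, not the PSA constants).
type Usage uint8

const (
	UsageSign   Usage = 1 << iota // key may produce signatures
	UsageVerify                   // key may verify signatures
	UsageExport                   // raw private key material may leave the store
)

// KeyHandle is an opaque identifier handed to the application; it carries no key bytes.
type KeyHandle uint32

type keyEntry struct {
	priv  ed25519.PrivateKey
	usage Usage
}

// KeyStore stands in for the secure element / TEE-side key storage.
type KeyStore struct {
	next KeyHandle
	keys map[KeyHandle]*keyEntry
}

func NewKeyStore() *KeyStore {
	return &KeyStore{next: 1, keys: make(map[KeyHandle]*keyEntry)}
}

var (
	ErrBadHandle    = errors.New("keystore: unknown or destroyed handle")
	ErrNotPermitted = errors.New("keystore: operation not permitted by key policy")
)

// GenerateKey creates the key inside the store and returns only a handle.
func (ks *KeyStore) GenerateKey(usage Usage) (KeyHandle, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return 0, err
	}
	h := ks.next
	ks.next++
	ks.keys[h] = &keyEntry{priv: priv, usage: usage}
	return h, nil
}

// lookup resolves a handle and enforces the policy bit the operation needs.
func (ks *KeyStore) lookup(h KeyHandle, need Usage) (*keyEntry, error) {
	e, ok := ks.keys[h]
	if !ok {
		return nil, ErrBadHandle
	}
	if e.usage&need == 0 {
		return nil, ErrNotPermitted
	}
	return e, nil
}

// Sign uses the key without ever returning it to the caller.
func (ks *KeyStore) Sign(h KeyHandle, msg []byte) ([]byte, error) {
	e, err := ks.lookup(h, UsageSign)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(e.priv, msg), nil
}

// Verify checks a signature with the public half of the stored key.
func (ks *KeyStore) Verify(h KeyHandle, msg, sig []byte) (bool, error) {
	e, err := ks.lookup(h, UsageVerify)
	if err != nil {
		return false, err
	}
	return ed25519.Verify(e.priv.Public().(ed25519.PublicKey), msg, sig), nil
}

// ExportKey releases the private seed only when the policy carries UsageExport.
func (ks *KeyStore) ExportKey(h KeyHandle) ([]byte, error) {
	e, err := ks.lookup(h, UsageExport)
	if err != nil {
		return nil, err
	}
	return append([]byte(nil), e.priv.Seed()...), nil
}

// DestroyKey wipes the entry; the handle is invalid afterwards.
func (ks *KeyStore) DestroyKey(h KeyHandle) error {
	if _, ok := ks.keys[h]; !ok {
		return ErrBadHandle
	}
	delete(ks.keys, h)
	return nil
}

func main() {
	ks := NewKeyStore()
	h, _ := ks.GenerateKey(UsageSign | UsageVerify) // no export permission
	sig, _ := ks.Sign(h, []byte("constructed message"))
	ok, _ := ks.Verify(h, []byte("constructed message"), sig)
	_, err := ks.ExportKey(h)
	fmt.Println("verified:", ok, "| export attempt:", err)
}
```

The design choice worth noting is that the policy is bound to the key at creation time and checked inside the store on every call, which is what lets a constrained device keep the raw key out of application memory while still offering the full set of operations.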
In this presentation the author discusses the concepts and building blocks used to build a cryptographic module supporting hybrid, quantum-safe TLS 1.3 key exchange. The author provides a recipe to make the construction FIPS-certifiable, even before post-quantum KEMs are FIPS-approved.
GlobalPlatform monitors activities around post-quantum cryptography. NIST has published the PQC Round 3 “final” candidates. Following the ANSSI presentation, PQShield will present an update on IETF and ETSI CYBER activities, especially considering TLS 1.3, hybrid modes and schemes in the NIST PQC Round 3.
The presentation introduces cryptographic libraries and tools useful during migration to next-gen cryptographic systems, resistant to potential attacks from quantum computers. Some basic concepts behind post-quantum cryptography are introduced during that presentation. The presentation was done in the Polish language, for the Polish Association of C++ programmers.
In this work, we first provide a simple and efficient generic construction of mKEM that can be instantiated from versatile assumptions, including post-quantum ones. We then study these mKEM instantiations at a practical level using 8 post-quantum KEMs and show that compared to the trivial solution, our mKEM offers savings of at least one order of magnitude in the bandwidth.
Reviewing submissions