Post-quantum key exchange for the Internet based on lattices

Size: px

Start display at page:

Download "Post-quantum key exchange for the Internet based on lattices"

Jonah Willis
5 years ago
Views:

1 Post-quantum key exchange for the Internet based on lattices Craig Costello Talk at MSR India Bangalore, India December 21, 2016

2 Based on J. Bos, C. Costello, M. Naehrig, D. Stebila Post-Quantum Key Exchange for the TLS Protocol from the Ring Learning with Errors Problem. IEEE S&P 2015, pp J. Bos, C. Costello, L. Ducas, I. Mironov, M. Naehrig, V. Nikolaenko, A. Raghunathan, D. Stebila Frodo: Take off the Ring! Practical, Quantum-Secure Key Exchange from LWE. ACM-CCS pp

3 Part 1: Motivation Part 2: Lattice basics Part 3: PQ key exchange based on (R)LWE

4 Diffie-Hellman key exchange q = g a (mod q) = g = a = ; \ \ \ \ \ \ \ \ \ g ab = = g b (mod q) b = ; \ \ \ \ \ \ \ \ \ \

ECDH key exchange p = 2 256 2 224 + 2 192 + 2 96 1 p = 115792089210356248762697446949407573530086143415290314195533631308867097853951 E/F p : y 2 = x 3 3x + b #E =

36134250956749795798585127919587881956611106672985015071877198253568414405109) [a]p = (84116208261315898167593067868200525612344221886333785331584793435449501658416,

5 ECDH key exchange p = p = E/F p : y 2 = x 3 3x + b #E = P = ( , ) [a]p = ( , ) [b]p = ( , ) a = [ab]p = ( , ) b =

Quantum computers Cryptopocalypse Quantum

6 Quantum computers Cryptopocalypse Quantum computers break elliptic curves, finite fields, factoring, everything currently used for PKC Aug 2015: NSA announces plans to transition to quantum-resistant algorithms 17 Dec 2016: NIST finalizes calls for quantum-secure submissions. Deadline: Nov 30,

7 Cryptopocalypse now? x = how long information needs to be secure y = how long it takes to deploy PQ crypto z = how far away is a quantum computer if x + y > z, we re screwed!

public-key/asymmetric crypto symmetrically encrypted traffic Client symmetrically encrypted

aphy used to (1) establish a shared secret key (e.g.

8 Real-world (e.g., Internet/TLS) cryptography in one slide (oversimplified) public-key/asymmetric crypto public-key/asymmetric crypto symmetrically encrypted traffic Client symmetrically encrypted traffic Server Public-key cryptography used to (1) establish a shared secret key (e.g., Diffie-Hellman key exchange) (2) authenticate one another (e.g., digital signatures) Symmetric key cryptography uses shared secret to encrypt/authenticate the subsequent traffic (e.g., block ciphers, AES/DES, stream ciphers, MACs) Hash functions used throughout (e.g., SHA s, Keccak)

9 Post-quantum key exchange Quantum-hard problem(s) for key exchange??? This talk: lattice problems

10 Part 1: Motivation Part 2: Lattice basics Part 3: PQ key exchange based on (R)LWE

11 Lattices Basis b 1,, b n R n 2b 1 b 1 + b 2 2b 2 Lattice L = {a 1 b a n b n a i Z} b 1 b 2 2b 2 b 1 2b 2 2b 1

12 Lattices v 1 Basis b 1,, b n R n Lattice L = {a 1 b a n b n a i Z} v 2 Bases not unique L = σ a i v i e.g., b 1 = 2, 1, b 2 = 10,6 v 1 = 4, 3, v 2 = 2,4

13 Lattices v 1 Basis b 1,, b n R n Lattice L = {a 1 b a n b n a i Z} v 2 Bases not unique L = σ a i v i e.g., b 1 = 2, 1, b 2 = 10,6 v 1 = 4, 3, v 2 = 2,4 Invariant det L = det(b i ) = det(v i = b i v i det = ±1

14 Hard Lattice Problem #1: Shortest Vector Problem (SVP γ ) v 1 v 2 s SVP: Given lattice L = v 1, v 2, find short vector s γ λ L (γ = 1 means shortest vector)

15 Hard Lattice Problem #1: Shortest Vector Problem (SVP γ ) v 1 v 2 s SVP γ is NP-hard for γ = O 1 SVP γ is P for γ = 2 Ω n

16 Hard Lattice Problem #2: Closest Vector Problem (CVP d ) v 1 v 2 CVP d : Given lattice L = {v 1, v 2 } and target vector v L within distance d, find the closest lattice point

17 SVP in dimension 10 b 1 = b 10 = L = {b 1, b 10 } ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) Z 10 Shortest vector λ L = ( ) λ L = b 1 14b 2 + 2b b 5 2b 6 9b b 8 + 3b 10

18 Why are they hard? Gaussian elimination? Least-squares? What about Gram-Schmidt to reduce basis? b i b i μ ij b j 1 j i 1 μ ij = b i,b j b j 2 SVP γ NP-hard for γ = O(1): at least as hard as the hardest problems in NP (if P NP, then no polynomial time alg.)

19 e.g., GGH 97 signatures ( NTRUsign) Idea: CVP is hard, but easy with good basis secret key: b 1 b 2 message: signature: v 1 public key: v 1 v 2 v 2 b 1 b 2

20 Security reductions GGH 97 ( right idea, but) did not come with a security proof If you can solve CVP, you can obviously forge messages, but this scheme was completely broken without solving CVP We want Thm: e.g., if you can forge signatures, you can solve CVP Ajtai 96: worst-to-average-case reduction unlocks lattice-based crypto if you can break an average case, you can break the worst case

21 Part 1: Motivation Part 2: Lattice basics Part 3: PQ key exchange based on (R)LWE

22 Regev 05 Introduces the Learning with Errors (LWE) problem Uses it to construct LWE encryption Shows that breaking LWE implies (quantum) solving hard lattice problems (GapSVP β and SIVP) see his 2012 talk

23 The learning with errors (LWE) problem random secret small Z q m n Z q n 1 Z q m 1 Z q m 1 + = Search LWE problem: given blue, find red

24 The learning with errors (LWE) problem random secret small Z q m n Z q n 1 Z q m 1 Z q m 1? + = Decision LWE problem: given blue, does red exist?

25 The learning with errors (LWE) problem 4 random secret small ind. from random Z Z Z Z = LWE problem: given blue, find red

26 The learning with errors (LWE) problem 4 random secret small ind. from random Z Z Z Z = LWE problem: given blue, find red

27 Toy example versus real-world example 4 Z Z = bits = 245 kb!!

28 The learning with errors (LWE) problem 4 random secret small ind. from random Z Z Z Z = LWE problem: given blue, find red

29 The ring learning with errors (R-LWE) problem random secret small ind. from random Z Z Z Z = 11 Lyubashevsky-Peikert-Regev 10: add ring structure

30 The ring learning with errors (R-LWE) problem random secret small ind. from random Z Z Z Z =

31 The ring learning with errors (R-LWE) problem random small secret small ind. from random Z Z Z Z =

32 The ring learning with errors (R-LWE) problem random secret small ind. from random Z Z Z Z = LWE problem: given blue, find red

33 The ring learning with errors (R-LWE) problem Z Z 13 x / x x + 11x x 3 = x (4 + 1x + 11x x 3 ) = x 2 (4 + 1x + 11x x 3 ) = x 3 (4 + 1x + 11x x 3 ) Ideal lattice: lattice modulo ideal

34 The ring learning with errors (R-LWE) problem 4 + 1x + 11x x x 1x 2 + 1x 3 0 1x + 1x 2 + 1x x + 10x 2 + 7x 3 Z 13 x x R-LWE problem: given blue, find red

+ The ring learning with errors (R-LWE) problem (the 128-bit secure version) 2792930407 + + 2938465015x 1023 5 3 x + 9x 1022 1x

35 + The ring learning with errors (R-LWE) problem (the 128-bit secure version) x x + 9x x x 0x x x 1023 Z x x R-LWE problem: given blue, find (small!) red

36 R-LWE-DH: key agreement in R q = Z q x / x n + 1 secret: small e, s R q public: big a R q secret: small e, s R q a s + e a s + e s a s + e s a s s a s + e s a s

37 Approximate agreement mod q q/4 the usual ROUND function q 2 3q/4 0 ROUND x x x x x x 1023 = = = = This will work most of the time (fails 1/2 10 ), but we need exact agreement i.e., what happens if one of the coefficients is in the danger zone(s)

38 Making approximate agreement exact in Z q q/4 q 2 0 if 3q/4 or else

39 R-LWE-DH: exact key agreement secret: small e, s R q public: big a R q secret: small e, s R q a s + e a s + e and, n 0,1 n RECONCILE s a s + e,, n = ROUND s a s + e both parties now share k 0,1 n

[BCNS 15]: our implementation Implemented

40 [BCNS 15]: our implementation Implemented ring-lwe key exchange based on Peikert 14 Proof of security: if decision R-LWE is hard, then exact-ddh in our scheme is hard Constant-time software integrated into TLS (OpenSSL) Communication size: 8KiB roundtrip Runtime: ms per party (TLS handshake x slower than ECDH/ECDSA)

analysis, pseudorandom parameters, etc etc Much faster than ours,

41 Early bird may get the worm but the second mouse gets the cheese! [ADPS 16]: much better implementation, error distribution, security analysis, pseudorandom parameters, etc etc Much faster than ours, even faster than classical (ECDH) PQ just means bigger keys (no slowdown)

42 Frodo: take off the ring! Z q x / x n + 1 Z q n some highlights from Galbraith s 2016 PQcrypto keynote final slide: We need to understand Ring-LWE Final comment: PQcrypto should be about greater security, not greater efficiency

43 seed Z PRF Frodo: recommended parameters bits of randomness, Renyi div to discrete Gaussian of variance 1.75 q = 2 15 = seed PRF 130-bit quantum 144-bit classical 103-bit plausible 752 A x + e c c Z q (& seed) rec x + e A 8 Z q Z 2 64 c x = 8 K 8 K s indistinguishable from random if decision-lwe is hard! 8 K 8 = x c 43

44 Standalone performance of PQ primitives

45 TLS connection throughput (#connections/second) 1600 bigger (top) is better NewHope 1.36x Frodo 0.78x Frodo 0.87x NewHope ECDHE BCNS Frodo 600 NTRU B 1 KiB 10 KiB 100 KiB Payload size x86_64, 2.6 GHz Intel Xeon E5 (Sandy Bridge) server Google n1-standard-4, client -32 note somewhat incomparable security levels

46 References [GGH97] O. Goldreich, S. Goldwasser, S. Halevi. Public-key cryptosystems from lattice reduction problems. CRYPTO 1997: [Regev05] O. Regev. On lattices, learning with errors, random linear codes, and cryptography. STOC 2005: [LPR10] V. Lyubashevsky, C. Peikert, O. Regev. On ideal lattices and learning with errors over rings. EUROCRYPT 2010: [Peikert14] C. Peikert. Lattice Cryptography for the Internet. PQCrypto 2014: [BCNS15] J. Bos, C. Costello, M. Naehrig, D. Stebila. Post-quantum key exchange for the TLS protocol from the ring learning with errors problem. IEEE S&P 2015: [ADPS16] E. Alkim, L. Ducas, T. Poppelmann, P. Schwabe. Post-quantum key exchange a new hope. USENIX 2016: [BCD+16] J. Bos, C. Costello, L. Ducas, I. Mironov, M. Naehrig, V. Nikolaenko, A. Raghunathan. Frodo: Take off the ring! Practical, quantum-secure key exchange from LWE. ACM CCS 2016:

47 Questions?

Practical, Quantum-Secure Key Exchange from LWE

Practical, Quantum-Secure Key Exchange from LWE Douglas Stebila 4 th ETSI/IQC Workshop on Quantum-Safe Cryptography September 21, 2016 Acknowledgements Collaborators Joppe Bos Craig Costello and Michael