PQ Crypto Panel. Bart Preneel Professor, imec-cosic KU Leuven. Adi Shamir Borman Professor of Computer Science, The Weizmann Institute, Israel

Transcription

1 #RSAC SESSION ID: CRYP-W10 PQ Crypto Panel MODERATOR: Bart Preneel Professor, imec-cosic KU Leuven PANELISTS: Dr. Dan Boneh Professor, Stanford University Michele Mosca Professor, UWaterloo and evolutionq Inc. Scott Fluhrer Technical Leader, Engineering Security and Trust (STO) Organization, Cisco Systems Adi Shamir Borman Professor of Computer Science, The Weizmann Institute, Israel

2 Why do we need to worry now? X = security shelf-life (required security time horizon) Y = migration time (planning and full implementation) Z = collapse time (time to development of quantum capability) Theorem : If X + Y > Z, then worry. Org A Y=Implementation (5 yrs) X=Security Time Horizon (5 yrs) Z = Time to Invention Org B Y=Implementation (10 yrs) X=Security Time Horizon (20++ Years) *M. Mosca: e-proceedings of 1 st ETSI Quantum-Safe Cryptography Workshop, Also

3 How large of a quantum computer is needed?

4

5

6 What is z? Mosca: [Oxford] 1996: 20 qubits in 20 years [NIST April 2015, ISACA September 2015]: 1/7 chance of breaking RSA-2048 by 2026, ½ chance by 2031 Microsoft Research [October 2015]: Recent improvements in control of quantum systems make it seem feasible to finally build a quantum computer within a decade. Use of a quantum computer enables much larger and more accurate simulations than with any known classical algorithm, and will allow many open questions in quantum materials to be resolved once a small quantum computer with around one hundred logical qubits becomes available.

7 Leverage existing Managing risk mitigation y policies, procedures, and processes. Manage community and technical challenges to deploying quantum-safe cryptography. openquantumsafe.org openquantumsafe.org

8 Quantum Risk Assessment Methodology Phase 1- Identify and document assets, and their current cryptographic protection. Phase 2- Establish awareness of the state of emerging quantum technologies, and the timelines for availability of quantum computers. Phase 3- Identify and document threat actors, and estimate their time to access quantum technology z. Phase 4- Identify the lifetime of your assets x, and the time required to migrate the organizations technical infrastructure to a quantum-safe state y. Phase 5- Determine quantum risk by calculating whether business assets will become vulnerable before the organization can move to protect them. (x+ y> z?) Phase 6- Identify and prioritize the activities required to maintain awareness, and to migrate the organizations technology to a quantum-safe state.

9 Quantum Computers What is the threat? Scott Fluhrer Cisco Systems

10 Is the threat of Quantum Computers real?

11 Is the threat of Quantum Computers real? What should we do, given that QCs might become real? Given no one knows if (or when) a real Quantum Computer will be built, it would be prudent to act conservatively. Building a Quantum Computer may be more like the moon landing (very difficult, but achievable) than fusion power ( 20 years in the future for the past 60 years ) I advocate acting as if someone will have a working Quantum Computer in 10 years.

12 Threat 1: decrypting stored traffic More urgent: we need this in 10 years MINUS the time the data will be sensitive. Issue: there is no single PKEncryption/Key Exchange that we really trust Recommendation: we design things to use several in parallel; we re secure if any are.

13 Threat 2: authentication We have more time: authentication can t be attacked unless someone has a real QC at the time of the exchange. However, it ll be harder to upgrade

14 Upgrade Issues: what's involved with privacy Lets do this new ciphersuite I also support it; lets do it For privacy, we need to upgrade both sides of the connection We can do incremental deployment

15 Upgrade Issues: authentication CA Certificate For authentication, we also need to upgrade the CA Look ma, no negotiation

16 Chicken and Egg CA vendors won t support postquantum certificates unless the clients accept them. Browser vendors aren t likely to support postquantum certificates until they actually see them.

17 Which postquantum signature algorithm? Unlike PKEncryption, we have signature algorithms we trust: Hash Based Signatures Plus: we believe in the quantum security of hash functions Minuses: signature size, state management I would claim that the implementation details of working with state management and signature size is easier than dealing with is Bliss really quantum secure?

18 Summary We need to work on post quantum security. No need to panic; we should work now so we don t need to panic later Secure encryption/key exchange isn t the only issue that needs to be addressed.

19

20 #RSAC