3. Focus on secure cryptosystems. How do we know what a quantum computer will do?
|
|
- Lindsay Maxwell
- 5 years ago
- Views:
Transcription
1 Cryptographic readiness levels, and the impact of quantum computers Daniel J. Bernstein How is crypto developed? How confident are we that crypto is secure? Many stages of research from cryptographic design to real-world deployment: 1. Explore space of cryptosystems. 2. Study algorithms for the attackers. 3. Focus on secure cryptosystems. How do we know what a quantum computer will do?
2 Cryptographic readiness levels, and the impact of quantum computers Daniel J. Bernstein How is crypto developed? How confident are we that crypto is secure? How do we know what a quantum computer will do? Many stages of research from cryptographic design to real-world deployment: 1. Explore space of cryptosystems. 2. Study algorithms for the attackers. 3. Focus on secure cryptosystems. 4. Study algorithms for the users. 5. Study implementations on real hardware: e.g., software for popular CPUs.
3 aphic readiness levels, impact um computers. Bernstein crypto developed? onfident are we ypto is secure? o we know what a m computer will do? Many stages of research from cryptographic design to real-world deployment: 1. Explore space of cryptosystems. 2. Study algorithms for the attackers. 3. Focus on secure cryptosystems. 4. Study algorithms for the users. 5. Study implementations on real hardware: e.g., software for popular CPUs. 6. Study fault 7. Focus imple 8. Focus meeti requir
4 iness levels, ters veloped? re we cure? what a ter will do? Many stages of research from cryptographic design to real-world deployment: 1. Explore space of cryptosystems. 2. Study algorithms for the attackers. 3. Focus on secure cryptosystems. 4. Study algorithms for the users. 5. Study implementations on real hardware: e.g., software for popular CPUs. 6. Study side-chan fault attacks, et 7. Focus on secure implementation 8. Focus on imple meeting perform requirements.
5 ls,? Many stages of research from cryptographic design to real-world deployment: 1. Explore space of cryptosystems. 2. Study algorithms for the attackers. 3. Focus on secure cryptosystems. 4. Study algorithms for the users. 5. Study implementations on real hardware: e.g., software for popular CPUs. 6. Study side-channel attack fault attacks, etc. 7. Focus on secure, reliable implementations. 8. Focus on implementation meeting performance requirements.
6 Many stages of research from cryptographic design to real-world deployment: 1. Explore space of cryptosystems. 2. Study algorithms for the attackers. 6. Study side-channel attacks, fault attacks, etc. 7. Focus on secure, reliable implementations. 8. Focus on implementations meeting performance requirements. 3. Focus on secure cryptosystems. 4. Study algorithms for the users. 5. Study implementations on real hardware: e.g., software for popular CPUs.
7 Many stages of research from cryptographic design to real-world deployment: 1. Explore space of cryptosystems. 2. Study algorithms for the attackers. 3. Focus on secure cryptosystems. 4. Study algorithms for the users. 6. Study side-channel attacks, fault attacks, etc. 7. Focus on secure, reliable implementations. 8. Focus on implementations meeting performance requirements. 9. Integrate securely into real-world applications. 5. Study implementations on real hardware: e.g., software for popular CPUs.
8 Many stages of research from cryptographic design to real-world deployment: 1. Explore space of cryptosystems. 2. Study algorithms for the attackers. 3. Focus on secure cryptosystems. 4. Study algorithms for the users. 5. Study implementations on real hardware: e.g., software for popular CPUs. 6. Study side-channel attacks, fault attacks, etc. 7. Focus on secure, reliable implementations. 8. Focus on implementations meeting performance requirements. 9. Integrate securely into real-world applications. Getting all this right takes time: e.g., elliptic-curve cryptography (ECC) entered stage 1 in 1985.
9 ges of research ptographic design orld deployment: re space of systems. algorithms for the ers. on secure cryptosystems. algorithms for the users. implementations l hardware: e.g., are for popular CPUs. 6. Study side-channel attacks, fault attacks, etc. 7. Focus on secure, reliable implementations. 8. Focus on implementations meeting performance requirements. 9. Integrate securely into real-world applications. Getting all this right takes time: e.g., elliptic-curve cryptography (ECC) entered stage 1 in What s t Case stu famous l 2006 Silv and CVP studied f both as problems pure and physics a Best SVP by 2000: almost a
10 earch design yment: f s for the cryptosystems. s for the users. tations e: e.g., ular CPUs. 6. Study side-channel attacks, fault attacks, etc. 7. Focus on secure, reliable implementations. 8. Focus on implementations meeting performance requirements. 9. Integrate securely into real-world applications. Getting all this right takes time: e.g., elliptic-curve cryptography (ECC) entered stage 1 in What s the best at Case study: SVP, famous lattice prob 2006 Silverman: and CVP, have bee studied for more th both as intrinsic m problems and for a pure and applied m physics and crypto Best SVP algorithm by 2000: time 2 Θ( almost all dimensio
11 stems. users. s. 6. Study side-channel attacks, fault attacks, etc. 7. Focus on secure, reliable implementations. 8. Focus on implementations meeting performance requirements. 9. Integrate securely into real-world applications. Getting all this right takes time: e.g., elliptic-curve cryptography (ECC) entered stage 1 in What s the best attack algor Case study: SVP, the most famous lattice problem Silverman: Lattices, S and CVP, have been intensiv studied for more than 100 ye both as intrinsic mathematic problems and for application pure and applied mathemati physics and cryptography. Best SVP algorithms known by 2000: time 2 Θ(N log N) for almost all dimension-n lattic
12 6. Study side-channel attacks, fault attacks, etc. 7. Focus on secure, reliable implementations. 8. Focus on implementations meeting performance requirements. 9. Integrate securely into real-world applications. Getting all this right takes time: e.g., elliptic-curve cryptography (ECC) entered stage 1 in What s the best attack algorithm? Case study: SVP, the most famous lattice problem Silverman: Lattices, SVP and CVP, have been intensively studied for more than 100 years, both as intrinsic mathematical problems and for applications in pure and applied mathematics, physics and cryptography. Best SVP algorithms known by 2000: time 2 Θ(N log N) for almost all dimension-n lattices.
13 side-channel attacks, attacks, etc. on secure, reliable mentations. on implementations ng performance ements. ate securely into orld applications. ll this right takes time: tic-curve cryptography ntered stage 1 in What s the best attack algorithm? Case study: SVP, the most famous lattice problem Silverman: Lattices, SVP and CVP, have been intensively studied for more than 100 years, both as intrinsic mathematical problems and for applications in pure and applied mathematics, physics and cryptography. Best SVP algorithms known by 2000: time 2 Θ(N log N) for almost all dimension-n lattices. Best SVP today: 2 Approx c believed 0:415: 2 0:415: 2
14 nel attacks, c., reliable s. mentations ance ly into cations. ht takes time: cryptography ge 1 in What s the best attack algorithm? Case study: SVP, the most famous lattice problem Silverman: Lattices, SVP and CVP, have been intensively studied for more than 100 years, both as intrinsic mathematical problems and for applications in pure and applied mathematics, physics and cryptography. Best SVP algorithms known by 2000: time 2 Θ(N log N) for almost all dimension-n lattices. Best SVP algorithm today: 2 Θ(N). Approx c for some believed to take tim 0:415: 2008 Nguye 0:415: 2010 Micci
15 s, s me: hy 85. What s the best attack algorithm? Case study: SVP, the most famous lattice problem Silverman: Lattices, SVP and CVP, have been intensively studied for more than 100 years, both as intrinsic mathematical problems and for applications in pure and applied mathematics, physics and cryptography. Best SVP algorithms known by 2000: time 2 Θ(N log N) for almost all dimension-n lattices. Best SVP algorithms known today: 2 Θ(N). Approx c for some algorithm believed to take time 2 (c+o( 0:415: 2008 Nguyen Vidick. 0:415: 2010 Micciancio Vou
16 What s the best attack algorithm? Case study: SVP, the most famous lattice problem Silverman: Lattices, SVP and CVP, have been intensively studied for more than 100 years, both as intrinsic mathematical problems and for applications in pure and applied mathematics, physics and cryptography. Best SVP algorithms known today: 2 Θ(N). Approx c for some algorithms believed to take time 2 (c+o(1))n : 0:415: 2008 Nguyen Vidick. 0:415: 2010 Micciancio Voulgaris. Best SVP algorithms known by 2000: time 2 Θ(N log N) for almost all dimension-n lattices.
17 What s the best attack algorithm? Case study: SVP, the most famous lattice problem Silverman: Lattices, SVP and CVP, have been intensively studied for more than 100 years, both as intrinsic mathematical problems and for applications in pure and applied mathematics, physics and cryptography. Best SVP algorithms known today: 2 Θ(N). Approx c for some algorithms believed to take time 2 (c+o(1))n : 0:415: 2008 Nguyen Vidick. 0:415: 2010 Micciancio Voulgaris. 0:384: 2011 Wang Liu Tian Bi. Best SVP algorithms known by 2000: time 2 Θ(N log N) for almost all dimension-n lattices.
18 What s the best attack algorithm? Case study: SVP, the most famous lattice problem Silverman: Lattices, SVP and CVP, have been intensively studied for more than 100 years, both as intrinsic mathematical problems and for applications in pure and applied mathematics, physics and cryptography. Best SVP algorithms known today: 2 Θ(N). Approx c for some algorithms believed to take time 2 (c+o(1))n : 0:415: 2008 Nguyen Vidick. 0:415: 2010 Micciancio Voulgaris. 0:384: 2011 Wang Liu Tian Bi. 0:378: 2013 Zhang Pan Hu. Best SVP algorithms known by 2000: time 2 Θ(N log N) for almost all dimension-n lattices.
19 What s the best attack algorithm? Case study: SVP, the most famous lattice problem Silverman: Lattices, SVP and CVP, have been intensively studied for more than 100 years, both as intrinsic mathematical problems and for applications in pure and applied mathematics, physics and cryptography. Best SVP algorithms known today: 2 Θ(N). Approx c for some algorithms believed to take time 2 (c+o(1))n : 0:415: 2008 Nguyen Vidick. 0:415: 2010 Micciancio Voulgaris. 0:384: 2011 Wang Liu Tian Bi. 0:378: 2013 Zhang Pan Hu. 0:337: 2014 Laarhoven. Best SVP algorithms known by 2000: time 2 Θ(N log N) for almost all dimension-n lattices.
20 What s the best attack algorithm? Case study: SVP, the most famous lattice problem Silverman: Lattices, SVP and CVP, have been intensively studied for more than 100 years, both as intrinsic mathematical problems and for applications in pure and applied mathematics, physics and cryptography. Best SVP algorithms known by 2000: time 2 Θ(N log N) for almost all dimension-n lattices. Best SVP algorithms known today: 2 Θ(N). Approx c for some algorithms believed to take time 2 (c+o(1))n : 0:415: 2008 Nguyen Vidick. 0:415: 2010 Micciancio Voulgaris. 0:384: 2011 Wang Liu Tian Bi. 0:378: 2013 Zhang Pan Hu. 0:337: 2014 Laarhoven. 0:298: 2015 Laarhoven de Weger. 0:292: 2015 Becker Ducas Gama Laarhoven.
21 What s the best attack algorithm? Case study: SVP, the most famous lattice problem Silverman: Lattices, SVP and CVP, have been intensively studied for more than 100 years, both as intrinsic mathematical problems and for applications in pure and applied mathematics, physics and cryptography. Best SVP algorithms known by 2000: time 2 Θ(N log N) for almost all dimension-n lattices. Best SVP algorithms known today: 2 Θ(N). Approx c for some algorithms believed to take time 2 (c+o(1))n : 0:415: 2008 Nguyen Vidick. 0:415: 2010 Micciancio Voulgaris. 0:384: 2011 Wang Liu Tian Bi. 0:378: 2013 Zhang Pan Hu. 0:337: 2014 Laarhoven. 0:298: 2015 Laarhoven de Weger. 0:292: 2015 Becker Ducas Gama Laarhoven. Lattice crypto: more attack avenues; even less understanding.
22 he best attack algorithm? dy: SVP, the most attice problem. erman: Lattices, SVP, have been intensively or more than 100 years, intrinsic mathematical and for applications in applied mathematics, nd cryptography. algorithms known time 2 Θ(N log N) for ll dimension-n lattices. Best SVP algorithms known today: 2 Θ(N). Approx c for some algorithms believed to take time 2 (c+o(1))n : 0:415: 2008 Nguyen Vidick. 0:415: 2010 Micciancio Voulgaris. 0:384: 2011 Wang Liu Tian Bi. 0:378: 2013 Zhang Pan Hu. 0:337: 2014 Laarhoven. 0:298: 2015 Laarhoven de Weger. 0:292: 2015 Becker Ducas Gama Laarhoven. Lattice crypto: more attack avenues; even less understanding. Code-ba Some pa against Pra 1981 Om 1988 Lee 1988 Leo 1989 Kro 1989 Ste 1989 Du 1990 Co 1990 van 1991 Du 1991 Co
23 tack algorithm? the most lem. Lattices, SVP n intensively an 100 years, athematical pplications in athematics, graphy. s known N log N) for n-n lattices. Best SVP algorithms known today: 2 Θ(N). Approx c for some algorithms believed to take time 2 (c+o(1))n : 0:415: 2008 Nguyen Vidick. 0:415: 2010 Micciancio Voulgaris. 0:384: 2011 Wang Liu Tian Bi. 0:378: 2013 Zhang Pan Hu. 0:337: 2014 Laarhoven. 0:298: 2015 Laarhoven de Weger. 0:292: 2015 Becker Ducas Gama Laarhoven. Lattice crypto: more attack avenues; even less understanding. Code-based crypto Some papers study against 1978 McEl 1962 Prange Omura Lee Brickell Leon Krouk Stern Dumer Coffey Good 1990 van Tilburg Dumer Coffey Good
24 ithm? VP ely ars, al s in cs, es. Best SVP algorithms known today: 2 Θ(N). Approx c for some algorithms believed to take time 2 (c+o(1))n : 0:415: 2008 Nguyen Vidick. 0:415: 2010 Micciancio Voulgaris. 0:384: 2011 Wang Liu Tian Bi. 0:378: 2013 Zhang Pan Hu. 0:337: 2014 Laarhoven. 0:298: 2015 Laarhoven de Weger. 0:292: 2015 Becker Ducas Gama Laarhoven. Lattice crypto: more attack avenues; even less understanding. Code-based cryptography Some papers studying attack against 1978 McEliece system 1962 Prange Omura Lee Brickell Leon Krouk Stern Dumer Coffey Goodman van Tilburg Dumer Coffey Goodman Farre
25 Best SVP algorithms known today: 2 Θ(N). Approx c for some algorithms believed to take time 2 (c+o(1))n : 0:415: 2008 Nguyen Vidick. 0:415: 2010 Micciancio Voulgaris. 0:384: 2011 Wang Liu Tian Bi. 0:378: 2013 Zhang Pan Hu. 0:337: 2014 Laarhoven. 0:298: 2015 Laarhoven de Weger. 0:292: 2015 Becker Ducas Gama Laarhoven. Lattice crypto: more attack avenues; even less understanding. Code-based cryptography Some papers studying attacks against 1978 McEliece system: 1962 Prange Omura Lee Brickell Leon Krouk Stern Dumer Coffey Goodman van Tilburg Dumer Coffey Goodman Farrell.
26 algorithms known Θ(N). for some algorithms to take time 2 (c+o(1))n : 008 Nguyen Vidick. 010 Micciancio Voulgaris. 011 Wang Liu Tian Bi. 013 Zhang Pan Hu. 014 Laarhoven. 015 Laarhoven de Weger. 015 Becker Ducas ama Laarhoven. rypto: more attack even less understanding. Code-based cryptography Some papers studying attacks against 1978 McEliece system: 1962 Prange Omura Lee Brickell Leon Krouk Stern Dumer Coffey Goodman van Tilburg Dumer Coffey Goodman Farrell Ch 1993 Ch 1994 van 1994 Ca 1998 Ca 1998 Ca 2008 Be 2009 Be van 2009 Be 2009 Fin 2010 Be 2011 Ma 2011 Be 2012 Be
27 s known algorithms e 2 (c+o(1))n : n Vidick. ancio Voulgaris. Liu Tian Bi. Pan Hu. oven. oven de Weger. r Ducas hoven. re attack understanding. Code-based cryptography Some papers studying attacks against 1978 McEliece system: 1962 Prange Omura Lee Brickell Leon Krouk Stern Dumer Coffey Goodman van Tilburg Dumer Coffey Goodman Farrell Chabanne C 1993 Chabaud van Tilburg Canteaut Ch 1998 Canteaut Ch 1998 Canteaut Se 2008 Bernstein La 2009 Bernstein La van Tilborg Bernstein (po 2009 Finiasz Send 2010 Bernstein La 2011 May Meurer 2011 Becker Coro 2012 Becker Joux
28 s 1))N : lgaris.. Bi. eger. ding. Code-based cryptography Some papers studying attacks against 1978 McEliece system: 1962 Prange Omura Lee Brickell Leon Krouk Stern Dumer Coffey Goodman van Tilburg Dumer Coffey Goodman Farrell Chabanne Courteau Chabaud van Tilburg Canteaut Chabanne Canteaut Chabaud Canteaut Sendrier Bernstein Lange Peter 2009 Bernstein Lange Peter van Tilborg Bernstein (post-quantu 2009 Finiasz Sendrier Bernstein Lange Peter 2011 May Meurer Thomae Becker Coron Joux Becker Joux May Meu
29 Code-based cryptography Some papers studying attacks against 1978 McEliece system: 1962 Prange Omura Lee Brickell Leon Krouk Stern Dumer Coffey Goodman van Tilburg Dumer Coffey Goodman Farrell Chabanne Courteau Chabaud van Tilburg Canteaut Chabanne Canteaut Chabaud Canteaut Sendrier Bernstein Lange Peters Bernstein Lange Peters van Tilborg Bernstein (post-quantum) Finiasz Sendrier Bernstein Lange Peters May Meurer Thomae Becker Coron Joux Becker Joux May Meurer.
30 sed cryptography pers studying attacks 978 McEliece system: nge. ura. Brickell. n. uk. rn. mer. ffey Goodman. Tilburg. mer. ffey Goodman Farrell Chabanne Courteau Chabaud van Tilburg Canteaut Chabanne Canteaut Chabaud Canteaut Sendrier Bernstein Lange Peters Bernstein Lange Peters van Tilborg Bernstein (post-quantum) Finiasz Sendrier Bernstein Lange Peters May Meurer Thomae Becker Coron Joux Becker Joux May Meurer Be Me 2015 Ma
31 graphy ing attacks iece system: man. man Farrell Chabanne Courteau Chabaud van Tilburg Canteaut Chabanne Canteaut Chabaud Canteaut Sendrier Bernstein Lange Peters Bernstein Lange Peters van Tilborg Bernstein (post-quantum) Finiasz Sendrier Bernstein Lange Peters May Meurer Thomae Becker Coron Joux Becker Joux May Meurer Bernstein Je Meurer (post 2015 May Ozerov.
32 s : ll Chabanne Courteau Chabaud van Tilburg Canteaut Chabanne Canteaut Chabaud Canteaut Sendrier Bernstein Lange Peters Bernstein Lange Peters van Tilborg Bernstein (post-quantum) Finiasz Sendrier Bernstein Lange Peters May Meurer Thomae Becker Coron Joux Becker Joux May Meurer Bernstein Jeffery Lang Meurer (post-quantum 2015 May Ozerov.
33 1993 Chabanne Courteau Chabaud van Tilburg Canteaut Chabanne Canteaut Chabaud Canteaut Sendrier Bernstein Lange Peters Bernstein Lange Peters van Tilborg Bernstein (post-quantum) Finiasz Sendrier Bernstein Lange Peters May Meurer Thomae Becker Coron Joux Becker Joux May Meurer Bernstein Jeffery Lange Meurer (post-quantum) May Ozerov.
34 1993 Chabanne Courteau Chabaud van Tilburg Canteaut Chabanne Canteaut Chabaud Canteaut Sendrier Bernstein Lange Peters Bernstein Lange Peters van Tilborg Bernstein (post-quantum) Finiasz Sendrier Bernstein Lange Peters May Meurer Thomae Becker Coron Joux Becker Joux May Meurer Bernstein Jeffery Lange Meurer (post-quantum) May Ozerov. Key size needed for 2 b security vs. best attack known in 1978: (C 0 + o(1))b 2 (lg b) 2. Here C 0 0:
35 1993 Chabanne Courteau Chabaud van Tilburg Canteaut Chabanne Canteaut Chabaud Canteaut Sendrier Bernstein Lange Peters Bernstein Lange Peters van Tilborg Bernstein (post-quantum) Finiasz Sendrier Bernstein Lange Peters May Meurer Thomae Becker Coron Joux Becker Joux May Meurer Bernstein Jeffery Lange Meurer (post-quantum) May Ozerov. Key size needed for 2 b security vs. best attack known in 1978: (C 0 + o(1))b 2 (lg b) 2. Here C 0 0: Key size needed for 2 b security vs. best pre-quantum attack known today: (C 0 + o(1))b 2 (lg b) 2.
36 1993 Chabanne Courteau Chabaud van Tilburg Canteaut Chabanne Canteaut Chabaud Canteaut Sendrier Bernstein Lange Peters Bernstein Lange Peters van Tilborg Bernstein (post-quantum) Finiasz Sendrier Bernstein Lange Peters May Meurer Thomae Becker Coron Joux Becker Joux May Meurer Bernstein Jeffery Lange Meurer (post-quantum) May Ozerov. Key size needed for 2 b security vs. best attack known in 1978: (C 0 + o(1))b 2 (lg b) 2. Here C 0 0: Key size needed for 2 b security vs. best pre-quantum attack known today: (C 0 + o(1))b 2 (lg b) 2. Key size needed for 2 b security vs. best quantum attack known today: (4C 0 + o(1))b 2 (lg b) 2.
37 abanne Courteau. abaud. Tilburg. nteaut Chabanne. nteaut Chabaud. nteaut Sendrier. rnstein Lange Peters. rnstein Lange Peters Tilborg. rnstein (post-quantum). iasz Sendrier. rnstein Lange Peters. y Meurer Thomae. cker Coron Joux. cker Joux May Meurer Bernstein Jeffery Lange Meurer (post-quantum) May Ozerov. Key size needed for 2 b security vs. best attack known in 1978: (C 0 + o(1))b 2 (lg b) 2. Here C 0 0: Key size needed for 2 b security vs. best pre-quantum attack known today: (C 0 + o(1))b 2 (lg b) 2. Key size needed for 2 b security vs. best quantum attack known today: (4C 0 + o(1))b 2 (lg b) 2. What is Quantum stores m can effic Hadam controll Making is the m comput Combine to comp : : : Sim : : : Sho : : : Gro
38 ourteau. abanne. abaud. ndrier. nge Peters. nge Peters st-quantum). rier. nge Peters. Thomae. n Joux. May Meurer Bernstein Jeffery Lange Meurer (post-quantum) May Ozerov. Key size needed for 2 b security vs. best attack known in 1978: (C 0 + o(1))b 2 (lg b) 2. Here C 0 0: Key size needed for 2 b security vs. best pre-quantum attack known today: (C 0 + o(1))b 2 (lg b) 2. Key size needed for 2 b security vs. best quantum attack known today: (4C 0 + o(1))b 2 (lg b) 2. What is a quantum Quantum compute stores many qubi can efficiently perf Hadamard gate, controlled NOT g Making these ins is the main goal computer engine Combine these ins to compute Toffo : : : Simon s algor : : : Shor s algorit : : : Grover s algo
39 s. s m). s. rer Bernstein Jeffery Lange Meurer (post-quantum) May Ozerov. Key size needed for 2 b security vs. best attack known in 1978: (C 0 + o(1))b 2 (lg b) 2. Here C 0 0: Key size needed for 2 b security vs. best pre-quantum attack known today: (C 0 + o(1))b 2 (lg b) 2. Key size needed for 2 b security vs. best quantum attack known today: (4C 0 + o(1))b 2 (lg b) 2. What is a quantum compute Quantum computer type 1 ( stores many qubits ; can efficiently perform Hadamard gate, T gate controlled NOT gate. Making these instructions is the main goal of quantu computer engineering. Combine these instructions to compute Toffoli gate ; : : : Simon s algorithm ; : : : Shor s algorithm ; : : : Grover s algorithm ; et
40 2013 Bernstein Jeffery Lange Meurer (post-quantum) May Ozerov. Key size needed for 2 b security vs. best attack known in 1978: (C 0 + o(1))b 2 (lg b) 2. Here C 0 0: Key size needed for 2 b security vs. best pre-quantum attack known today: (C 0 + o(1))b 2 (lg b) 2. Key size needed for 2 b security vs. best quantum attack known today: (4C 0 + o(1))b 2 (lg b) 2. What is a quantum computer? Quantum computer type 1 (QC1): stores many qubits ; can efficiently perform Hadamard gate, T gate, controlled NOT gate. Making these instructions work is the main goal of quantumcomputer engineering. Combine these instructions to compute Toffoli gate ; : : : Simon s algorithm ; : : : Shor s algorithm ; : : : Grover s algorithm ; etc.
41 rnstein Jeffery Lange urer (post-quantum). y Ozerov. needed for 2 b security attack known in 1978: 1))b 2 (lg b) 2. 0: needed for 2 b security pre-quantum attack day: 1))b 2 (lg b) 2. needed for 2 b security quantum attack known 4C 0 + o(1))b 2 (lg b) 2. What is a quantum computer? Quantum computer type 1 (QC1): stores many qubits ; can efficiently perform Hadamard gate, T gate, controlled NOT gate. Making these instructions work is the main goal of quantumcomputer engineering. Combine these instructions to compute Toffoli gate ; : : : Simon s algorithm ; : : : Shor s algorithm ; : : : Grover s algorithm ; etc. Quantum stores a efficientl laws of q with as m This is t quantum by 1982 physics w
42 ffery Lange -quantum). r 2 b security wn in 1978: ) r 2 b security m attack ) 2. r 2 b security ttack known ))b 2 (lg b) 2. What is a quantum computer? Quantum computer type 1 (QC1): stores many qubits ; can efficiently perform Hadamard gate, T gate, controlled NOT gate. Making these instructions work is the main goal of quantumcomputer engineering. Combine these instructions to compute Toffoli gate ; : : : Simon s algorithm ; : : : Shor s algorithm ; : : : Grover s algorithm ; etc. Quantum compute stores a simulated efficiently simulate laws of quantum p with as much accu This is the original quantum compute by 1982 Feynman physics with comp
43 e ). ity 8: ity ity wn 2. What is a quantum computer? Quantum computer type 1 (QC1): stores many qubits ; can efficiently perform Hadamard gate, T gate, controlled NOT gate. Making these instructions work is the main goal of quantumcomputer engineering. Combine these instructions to compute Toffoli gate ; : : : Simon s algorithm ; : : : Shor s algorithm ; : : : Grover s algorithm ; etc. Quantum computer type 2 ( stores a simulated universe; efficiently simulates the laws of quantum physics with as much accuracy as de This is the original concept o quantum computers introduc by 1982 Feynman Simulatin physics with computers.
44 What is a quantum computer? Quantum computer type 1 (QC1): stores many qubits ; can efficiently perform Hadamard gate, T gate, controlled NOT gate. Making these instructions work is the main goal of quantumcomputer engineering. Quantum computer type 2 (QC2): stores a simulated universe; efficiently simulates the laws of quantum physics with as much accuracy as desired. This is the original concept of quantum computers introduced by 1982 Feynman Simulating physics with computers. Combine these instructions to compute Toffoli gate ; : : : Simon s algorithm ; : : : Shor s algorithm ; : : : Grover s algorithm ; etc.
45 What is a quantum computer? Quantum computer type 1 (QC1): stores many qubits ; can efficiently perform Hadamard gate, T gate, controlled NOT gate. Making these instructions work is the main goal of quantumcomputer engineering. Combine these instructions to compute Toffoli gate ; : : : Simon s algorithm ; : : : Shor s algorithm ; : : : Grover s algorithm ; etc. Quantum computer type 2 (QC2): stores a simulated universe; efficiently simulates the laws of quantum physics with as much accuracy as desired. This is the original concept of quantum computers introduced by 1982 Feynman Simulating physics with computers. General belief: any QC1 is a QC2. Partial proof: see, e.g., 2011 Jordan Lee Preskill Quantum algorithms for quantum field theories.
46 a quantum computer? computer type 1 (QC1): any qubits ; iently perform ard gate, T gate, ed NOT gate. these instructions work ain goal of quantumer engineering. these instructions ute Toffoli gate ; on s algorithm ; r s algorithm ; ver s algorithm ; etc. Quantum computer type 2 (QC2): stores a simulated universe; efficiently simulates the laws of quantum physics with as much accuracy as desired. This is the original concept of quantum computers introduced by 1982 Feynman Simulating physics with computers. General belief: any QC1 is a QC2. Partial proof: see, e.g., 2011 Jordan Lee Preskill Quantum algorithms for quantum field theories. Quantum efficientl that any can com
47 computer? r type 1 (QC1): ts ; orm T gate, ate. tructions work of quantumering. tructions li gate ; ithm ; hm ; rithm ; etc. Quantum computer type 2 (QC2): stores a simulated universe; efficiently simulates the laws of quantum physics with as much accuracy as desired. This is the original concept of quantum computers introduced by 1982 Feynman Simulating physics with computers. General belief: any QC1 is a QC2. Partial proof: see, e.g., 2011 Jordan Lee Preskill Quantum algorithms for quantum field theories. Quantum compute efficiently compute that any physical c can compute effici
48 r? QC1):, work m- c. Quantum computer type 2 (QC2): stores a simulated universe; efficiently simulates the laws of quantum physics with as much accuracy as desired. This is the original concept of quantum computers introduced by 1982 Feynman Simulating physics with computers. General belief: any QC1 is a QC2. Partial proof: see, e.g., 2011 Jordan Lee Preskill Quantum algorithms for quantum field theories. Quantum computer type 3 ( efficiently computes anything that any physical computer can compute efficiently.
49 Quantum computer type 2 (QC2): stores a simulated universe; efficiently simulates the laws of quantum physics with as much accuracy as desired. Quantum computer type 3 (QC3): efficiently computes anything that any physical computer can compute efficiently. This is the original concept of quantum computers introduced by 1982 Feynman Simulating physics with computers. General belief: any QC1 is a QC2. Partial proof: see, e.g., 2011 Jordan Lee Preskill Quantum algorithms for quantum field theories.
50 Quantum computer type 2 (QC2): stores a simulated universe; efficiently simulates the laws of quantum physics with as much accuracy as desired. This is the original concept of quantum computers introduced by 1982 Feynman Simulating physics with computers. General belief: any QC1 is a QC2. Partial proof: see, e.g., 2011 Jordan Lee Preskill Quantum algorithms for quantum field theories. Quantum computer type 3 (QC3): efficiently computes anything that any physical computer can compute efficiently. General belief: any QC2 is a QC3. Argument for belief: any physical computer must follow the laws of quantum physics, so a QC2 can efficiently simulate any physical computer.
51 Quantum computer type 2 (QC2): stores a simulated universe; efficiently simulates the laws of quantum physics with as much accuracy as desired. This is the original concept of quantum computers introduced by 1982 Feynman Simulating physics with computers. General belief: any QC1 is a QC2. Partial proof: see, e.g., 2011 Jordan Lee Preskill Quantum algorithms for quantum field theories. Quantum computer type 3 (QC3): efficiently computes anything that any physical computer can compute efficiently. General belief: any QC2 is a QC3. Argument for belief: any physical computer must follow the laws of quantum physics, so a QC2 can efficiently simulate any physical computer. General belief: any QC3 is a QC1. Argument for belief: look, we re building a QC1.
Objectives. McBits: fast constant-time code-based cryptography. Set new speed records for public-key cryptography.
McBits: fast constant-time code-based cryptography D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Objectives Set new speed records for public-key cryptography. Joint
More informationPost-Quantum Cryptography
Post-Quantum Cryptography Code-Based Cryptography Tanja Lange with some slides by Tung Chou and Christiane Peters Technische Universiteit Eindhoven ASCrypto Summer School: 18 September 2017 Error correction
More informationDaniel J. Bernstein University of Illinois at Chicago. means an algorithm that a quantum computer can run.
Quantum algorithms 1 Daniel J. Bernstein University of Illinois at Chicago Quantum algorithm means an algorithm that a quantum computer can run. i.e. a sequence of instructions, where each instruction
More informationAdvances in code-based public-key cryptography. D. J. Bernstein University of Illinois at Chicago
Advances in code-based public-key cryptography D. J. Bernstein University of Illinois at Chicago Advertisements 1. pqcrypto.org: Post-quantum cryptography hash-based, lattice-based, code-based, multivariate
More informationShort generators without quantum computers: the case of multiquadratics
Short generators without quantum computers: the case of multiquadratics Daniel J. Bernstein University of Illinois at Chicago 31 July 2017 https://multiquad.cr.yp.to Joint work with: Jens Bauch & Henry
More informationCode-based post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago
Code-based post-quantum cryptography D. J. Bernstein University of Illinois at Chicago Once the enormous energy boost that quantum computers are expected to provide hits the street, most encryption security
More informationShort generators without quantum computers: the case of multiquadratics
Short generators without quantum computers: the case of multiquadratics Daniel J. Bernstein & Christine van Vredendaal University of Illinois at Chicago Technische Universiteit Eindhoven 19 January 2017
More informationCode-Based Cryptography
Code-Based Cryptography Tanja Lange with some slides by Tung Chou and Christiane Peters Technische Universiteit Eindhoven Australian Summer School on Embedded Cryptography 11 December 2018 Error correction
More informationAttacking and defending the McEliece cryptosystem
Attacking and defending the McEliece cryptosystem (Joint work with Daniel J. Bernstein and Tanja Lange) Christiane Peters Technische Universiteit Eindhoven PQCrypto 2nd Workshop on Postquantum Cryptography
More informationIntroduction to Quantum Safe Cryptography. ENISA September 2018
Introduction to Quantum Safe Cryptography ENISA September 2018 Introduction This talk will introduce the mathematical background of the most popular PQC primitives Code-based Lattice-based Multivariate
More informationBall-collision decoding
Ball-collision decoding Christiane Peters Technische Universiteit Eindhoven joint work with Daniel J. Bernstein and Tanja Lange Oberseminar Cryptography and Computer Algebra TU Darmstadt November 8, 200
More informationHigh-speed cryptography, part 3: more cryptosystems. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven
High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Cryptographers Working systems Cryptanalytic algorithm designers
More informationCode Based Cryptology at TU/e
Code Based Cryptology at TU/e Ruud Pellikaan g.r.pellikaan@tue.nl University Indonesia, Depok, Nov. 2 University Padjadjaran, Bandung, Nov. 6 Institute Technology Bandung, Bandung, Nov. 6 University Gadjah
More informationImproving the efficiency of Generalized Birthday Attacks against certain structured cryptosystems
Improving the efficiency of Generalized Birthday Attacks against certain structured cryptosystems Robert Niebuhr 1, Pierre-Louis Cayrel 2, and Johannes Buchmann 1,2 1 Technische Universität Darmstadt Fachbereich
More informationSmaller Decoding Exponents: Ball-Collision Decoding
Smaller Decoding Exponents: Ball-Collision Decoding Daniel J. Bernstein 1,TanjaLange 2, and Christiane Peters 2 1 Department of Computer Science University of Illinois at Chicago, Chicago, IL 60607 7045,
More informationCode Based Cryptography
Code Based Cryptography Alain Couvreur INRIA & LIX, École Polytechnique École de Printemps Post Scryptum 2018 A. Couvreur Code Based Crypto Post scryptum 2018 1 / 66 Outline 1 Introduction 2 A bit coding
More informationHow to improve information set decoding exploiting that = 0 mod 2
How to improve information set decoding exploiting that 1 + 1 = 0 mod 2 Anja Becker Postdoc at EPFL Seminar CCA January 11, 2013, Paris Representation Find unique solution to hard problem in cryptography
More informationShort generators without quantum computers: the case of multiquadratics
Short generators without quantum computers: the case of multiquadratics Christine van Vredendaal Technische Universiteit Eindhoven 1 May 2017 Joint work with: Jens Bauch & Daniel J. Bernstein & Henry de
More informationDecoding One Out of Many
Decoding One Out of Many Nicolas Sendrier INRIA Paris-Rocquencourt, équipe-projet SECRET Code-based Cryptography Workshop 11-12 May 2011, Eindhoven, The Netherlands Computational Syndrome Decoding Problem:
More informationCRYPTANALYSE EN TEMPS POLYNOMIAL DU SCHÉMA DE MCELIECE BASÉ SUR LES CODES
POLYNOMIAL DU SCHÉMA CODES GÉOMÉTRIQUES A. COUVREUR 1 I. MÁRQUEZ-CORBELLA 1 R. PELLIKAAN 2 1 INRIA Saclay & LIX 2 Department of Mathematics and Computing Science, TU/e. Journées Codage et Cryptographie
More informationPost-Quantum Cryptography & Privacy. Andreas Hülsing
Post-Quantum Cryptography & Privacy Andreas Hülsing Privacy? Too abstract? How to achieve privacy? Under the hood... Asymmetric Crypto ECC RSA DSA Symmetric Crypto AES SHA2 SHA1... Combination of both
More informationA brief survey of post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago
A brief survey of post-quantum cryptography D. J. Bernstein University of Illinois at Chicago Once the enormous energy boost that quantum computers are expected to provide hits the street, most encryption
More informationThe quantum threat to cryptography
The quantum threat to cryptography Ashley Montanaro School of Mathematics, University of Bristol 20 October 2016 Quantum computers University of Bristol IBM UCSB / Google University of Oxford Experimental
More informationDecoding Random Binary Linear Codes in 2 n/20 : How 1+1=0Improves Information Set Decoding
Decoding Random Binary Linear Codes in n/0 : How 1+1=0Improves Information Set Decoding Anja Becker 1, Antoine Joux 1,, Alexander May 3,, and Alexander Meurer 3, 1 Université de Versailles Saint-Quentin,
More informationLogic gates. Quantum logic gates. α β 0 1 X = 1 0. Quantum NOT gate (X gate) Classical NOT gate NOT A. Matrix form representation
Quantum logic gates Logic gates Classical NOT gate Quantum NOT gate (X gate) A NOT A α 0 + β 1 X α 1 + β 0 A N O T A 0 1 1 0 Matrix form representation 0 1 X = 1 0 The only non-trivial single bit gate
More informationA Provably Secure Group Signature Scheme from Code-Based Assumptions
A Provably Secure Group Signature Scheme from Code-Based Assumptions Martianus Frederic Ezerman, Hyung Tae Lee, San Ling, Khoa Nguyen, Huaxiong Wang NTU, Singapore ASIACRYPT 15-01/12/15 Group Signatures
More informationComputational algebraic number theory tackles lattice-based cryptography
Computational algebraic number theory tackles lattice-based cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Moving to the left Moving to the right
More informationPost-Quantum Cryptography & Privacy. Andreas Hülsing
Post-Quantum Cryptography & Privacy Andreas Hülsing Privacy? Too abstract? How to achieve privacy? Under the hood... Public-key crypto ECC RSA DSA Secret-key crypto AES SHA2 SHA1... Combination of both
More informationChallenges in Quantum Information Science. Umesh V. Vazirani U. C. Berkeley
Challenges in Quantum Information Science Umesh V. Vazirani U. C. Berkeley 1 st quantum revolution - Understanding physical world: periodic table, chemical reactions electronic wavefunctions underlying
More informationComputational algebraic number theory tackles lattice-based cryptography
Computational algebraic number theory tackles lattice-based cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Moving to the left Moving to the right
More informationQuantum-resistant cryptography
Quantum-resistant cryptography Background: In quantum computers, states are represented as vectors in a Hilbert space. Quantum gates act on the space and allow us to manipulate quantum states with combination
More informationThe quantum threat to cryptography
The quantum threat to cryptography Michele Mosca 8 May 2016 Vienna, Austria Cryptography in the context of quantum computers E. Lucero, D. Mariantoni, and M. Mariantoni Harald Ritsch Y. Colombe/NIST How
More informationPOST-QUANTUM CRYPTOGRAPHY HOW WILL WE ENCRYPT TOMORROW?
POST-QUANTUM CRYPTOGRAPHY HOW WILL WE ENCRYPT TOMORROW? Hanno Böck https://hboeck.de 1 INTRODUCTION Hanno Böck, freelance journalist and hacker. Writing for Golem.de and others. Fuzzing Project, funded
More informationFinding shortest lattice vectors faster using quantum search
Finding shortest lattice vectors faster using quantum search Thijs Laarhoven Michele Mosca Joop van de Pol Abstract By applying a quantum search algorithm to various heuristic and provable sieve algorithms
More informationA Key Recovery Attack on MDPC with CCA Security Using Decoding Errors
A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors Qian Guo Thomas Johansson Paul Stankovski Dept. of Electrical and Information Technology, Lund University ASIACRYPT 2016 Dec 8th, 2016
More informationCryptography in the Quantum Era. Tomas Rosa and Jiri Pavlu Cryptology and Biometrics Competence Centre, Raiffeisen BANK International
Cryptography in the Quantum Era Tomas Rosa and Jiri Pavlu Cryptology and Biometrics Competence Centre, Raiffeisen BANK International Postulate #1: Qubit state belongs to Hilbert space of dimension 2 ψ
More information1500 AMD Opteron processor (2.2 GHz with 2 GB RAM)
NICT 2019 2019 2 7 1 RSA RSA 2 3 (1) exp $ 64/9 + *(1) (ln 0) 1/2 (ln ln 0) 3/2 (2) 2009 12 768 (232 ) 1500 AMD Opteron processor (2.2 GHz with 2 GB RAM) 4 (3) 18 2 (1) (2) (3) 5 CRYPTREC 1. 2. 3. 1024,
More informationA Fuzzy Sketch with Trapdoor
A Fuzzy Sketch with Trapdoor Julien Bringer 1, Hervé Chabanne 1, Quoc Dung Do 2 1 SAGEM Défense Sécurité, 2 Ecole Polytechnique, ENST Paris. Abstract In 1999, Juels and Wattenberg introduce an effective
More informationPost-Quantum Cryptography
Post-Quantum Cryptography Sebastian Schmittner Institute for Theoretical Physics University of Cologne 2015-10-26 Talk @ U23 @ CCC Cologne This work is licensed under a Creative Commons Attribution-ShareAlike
More informationA Fast Phase-Based Enumeration Algorithm for SVP Challenge through y-sparse Representations of Short Lattice Vectors
A Fast Phase-Based Enumeration Algorithm for SVP Challenge through y-sparse Representations of Short Lattice Vectors Dan Ding 1, Guizhen Zhu 2, Yang Yu 1, Zhongxiang Zheng 1 1 Department of Computer Science
More informationCode-based Cryptography
Code-based Cryptography PQCRYPTO Summer School on Post-Quantum Cryptography 2017 TU Eindhoven Nicolas Sendrier Linear Codes for Telecommunication data k linear expansion codeword n > k noisy channel data?
More informationAttacking the ECDLP with Quantum Computing
Attacking the ECDLP with Quantum Computing Sam Green and Can Kizilkale sam.green@cs.ucsb.edu, cankizilkale@cs.ucsb.edu December 7, 015 CS 90g Fall Term 015 Attacking the ECDLP with Quantum Computing 1
More informationFinding shortest lattice vectors faster using quantum search
Des. Codes Cryptogr. (2015) 77:375 400 DOI 10.1007/s10623-015-0067-5 Finding shortest lattice vectors faster using quantum search Thijs Laarhoven 1 Michele Mosca 2,3,4 Joop van de Pol 5 Received: 15 October
More informationCode-based Cryptography
Code-based Cryptography Codes correcteurs d erreurs et applications à la cryptographie MPRI 2014/2015-2.13.2 Nicolas Sendrier Linear Codes for Telecommunication data k linear expansion codeword n > k noisy
More informationVulnerabilities of McEliece in the World of Escher
Vulnerabilities of McEliece in the World of Escher Dustin Moody and Ray Perlner National Institute of Standards and Technology, Gaithersburg, Maryland, USA dustin.moody@nist.gov, ray.perlner@nist.gov Abstract.
More informationOn the Security of Some Cryptosystems Based on Error-correcting Codes
On the Security of Some Cryptosystems Based on Error-correcting Codes Florent Chabaud * Florent.Chabaud~ens.fr Laboratoire d'informatique de FENS ** 45, rue d'ulm 75230 Paris Cedex 05 FRANCE Abstract.
More informationQuantum Computers. Peter Shor MIT
Quantum Computers Peter Shor MIT 1 What is the difference between a computer and a physics experiment? 2 One answer: A computer answers mathematical questions. A physics experiment answers physical questions.
More informationLattice Reduction Algorithms: Theory and Practice
Lattice Reduction Algorithms: Theory and Practice Phong Q. Nguyen INRIA and ENS, Département d informatique, 45 rue d Ulm, 75005 Paris, France http://www.di.ens.fr/~pnguyen/ Abstract. Lattice reduction
More informationUniversity of Illinois at Chicago. Prelude: What is the fastest algorithm to sort an array?
Challenges in quantum algorithms for integer factorization 1 D. J. Bernstein University of Illinois at Chicago Prelude: What is the fastest algorithm to sort an array? def blindsort(x): while not issorted(x):
More informationSome Notes on Post-Quantum Cryptography
Some Notes on Post-Quantum Cryptography J. Maurice Rojas Texas A&M University October 9, 2013 150 B.C.E.: Reference to Śyena=Garuda =a Bird-like Hindu divinity in India 150 B.C.E.:...Garuda in India 100
More informationSome Notes on Post-Quantum Cryptography
Some Notes on Post-Quantum Cryptography J. Maurice Rojas Texas A&M University March 27, 2014 Historical Context... Flight 150 B.C.E.: Reference to Śyena=Garuda =a Bird-like Hindu divinity in India Historical
More informationPost-Quantum Cryptography from Lattices
Post-Quantum Cryptography from Lattices Léo Ducas 1 CWI, Amsterdam, The Netherlands CWI Scientific Meeting, November 2016. 1 Funded by a PPP Grant, between NXP and CWI. Cryptography Cryptography in everyday
More informationOpen problems in lattice-based cryptography
University of Auckland, New Zealand Plan Goal: Highlight some hot topics in cryptography, and good targets for mathematical cryptanalysis. Approximate GCD Homomorphic encryption NTRU and Ring-LWE Multi-linear
More informationAttacks in code based cryptography: a survey, new results and open problems
Attacks in code based cryptography: a survey, new results and open problems J.-P. Tillich Inria, team-project SECRET April 9, 2018 1. Code based cryptography introduction Difficult problem in coding theory
More informationEverything is Quantum The EU Quantum Flagship
Everything is Quantum The EU Quantum Flagship Our mission is to keep KPN reliable & secure and trusted by customers, partners and society part of the vital infra of NL Contents Whats the problem? What
More informationCode-Based Cryptography McEliece Cryptosystem
Code-Based Cryptography McEliece Cryptosystem I. Márquez-Corbella 0 . McEliece Cryptosystem 1. Formal Definition. Security-Reduction Proof 3. McEliece Assumptions 4. Notions of Security 5. Critical Attacks
More informationConcepts and Algorithms of Scientific and Visual Computing Advanced Computation Models. CS448J, Autumn 2015, Stanford University Dominik L.
Concepts and Algorithms of Scientific and Visual Computing Advanced Computation Models CS448J, Autumn 2015, Stanford University Dominik L. Michels Advanced Computation Models There is a variety of advanced
More informationSide-channel analysis in code-based cryptography
1 Side-channel analysis in code-based cryptography Tania RICHMOND IMATH Laboratory University of Toulon SoSySec Seminar Rennes, April 5, 2017 Outline McEliece cryptosystem Timing Attack Power consumption
More informationA Fast Provably Secure Cryptographic Hash Function
A Fast Provably Secure Cryptographic Hash Function Daniel Augot, Matthieu Finiasz, and Nicolas Sendrier Projet Codes, INRIA Rocquencourt BP 15, 78153 Le Chesnay - Cedex, France [DanielAugot,MatthieuFiniasz,NicolasSendrier]@inriafr
More informationEverything is Quantum. Our mission is to keep KPN reliable & secure and trusted by customers, partners and society part of the vital infra of NL
Everything is Quantum Our mission is to keep KPN reliable & secure and trusted by customers, partners and society part of the vital infra of NL Contents Whats the problem? Surveillance Problem / Weak Crypto
More informationLattice-Based Cryptography
Liljana Babinkostova Department of Mathematics Computing Colloquium Series Detecting Sensor-hijack Attacks in Wearable Medical Systems Krishna Venkatasubramanian Worcester Polytechnic Institute Quantum
More informationQIC 891 Topics in Quantum Safe Cryptography Module 1: Post-Quantum Cryptography. Lecture 4
QIC 891 Topics in Quantum Safe Cryptography Module 1: Post-Quantum Cryptography Lecture 4 Lecturer: Fang Song May 19, 2016 Review. PKE from trapdoor functions. Direct constructions: e.g., Regev s PKE.
More informationT h e C S E T I P r o j e c t
T h e P r o j e c t T H E P R O J E C T T A B L E O F C O N T E N T S A r t i c l e P a g e C o m p r e h e n s i v e A s s es s m e n t o f t h e U F O / E T I P h e n o m e n o n M a y 1 9 9 1 1 E T
More informationCentrum Wiskunde & Informatica, Amsterdam, The Netherlands
Logarithmic Lattices Léo Ducas Centrum Wiskunde & Informatica, Amsterdam, The Netherlands Workshop: Computational Challenges in the Theory of Lattices ICERM, Brown University, Providence, RI, USA, April
More informationWhat are we talking about when we talk about post-quantum cryptography?
PQC Asia Forum Seoul, 2016 What are we talking about when we talk about post-quantum cryptography? Fang Song Portland State University PQC Asia Forum Seoul, 2016 A personal view on postquantum cryptography
More informationQuantum Information Set Decoding Algorithms
Quantum Information Set Decoding Algorithms Ghazal Kachigar 1 and Jean-Pierre Tillich 1 Institut de Mathématiques de Bordeaux Université de Bordeaux Talence Cedex F-33405, France ghazal.kachigar@u-bordeaux.fr
More informationP a g e 3 6 of R e p o r t P B 4 / 0 9
P a g e 3 6 of R e p o r t P B 4 / 0 9 p r o t e c t h um a n h e a l t h a n d p r o p e r t y fr om t h e d a n g e rs i n h e r e n t i n m i n i n g o p e r a t i o n s s u c h a s a q u a r r y. J
More informationCryptography in a quantum world
T School of Informatics, University of Edinburgh 25th October 2016 E H U N I V E R S I T Y O H F R G E D I N B U Outline What is quantum computation Why should we care if quantum computers are constructed?
More informationQuantum Effect or HPC without FLOPS. Lugano March 23, 2016
Quantum Effect or HPC without FLOPS Lugano March 23, 2016 Electronics April 19, 1965 2016 D-Wave Systems Inc. All Rights Reserved 2 Moore s Law 2016 D-Wave Systems Inc. All Rights Reserved 3 www.economist.com/technology-quarterly/2016-03-12/aftermoores-law
More informationCode-based Cryptography
a Hands-On Introduction Daniel Loebenberger Ηράκλειο, September 27, 2018 Post-Quantum Cryptography Various flavours: Lattice-based cryptography Hash-based cryptography Code-based
More informationPost Quantum Cryptography
Malaysian Journal of Mathematical Sciences 11(S) August: 1-28 (2017) Special Issue: The 5th International Cryptology and Information Security Conference (New Ideas in Cryptology) MALAYSIAN JOURNAL OF MATHEMATICAL
More informationWild McEliece Incognito
Wild McEliece Incognito Christiane Peters Technische Universiteit Eindhoven joint work with Daniel J. Bernstein and Tanja Lange Seminaire de Cryptographie Rennes April 1, 2011 Bad news Quantum computers
More informationSieving for shortest vectors in lattices using angular locality-sensitive hashing
Sieving for shortest vectors in lattices using angular locality-sensitive hashing Thijs Laarhoven Department of Mathematics and Computer Science Eindhoven University of Technology, Eindhoven, The Netherlands
More informationIntroduction to Quantum Computing
Introduction to Quantum Computing Petros Wallden Lecture 1: Introduction 18th September 2017 School of Informatics, University of Edinburgh Resources 1. Quantum Computation and Quantum Information by Michael
More informationQuantum secret sharing based on quantum error-correcting codes
Quantum secret sharing based on quantum error-correcting codes Zhang Zu-Rong( ), Liu Wei-Tao( ), and Li Cheng-Zu( ) Department of Physics, School of Science, National University of Defense Technology,
More informationIntroduction to Quantum Information Processing QIC 710 / CS 768 / PH 767 / CO 681 / AM 871
Introduction to Quantum Information Processing QIC 710 / CS 768 / PH 767 / CO 681 / AM 871 Lecture 1 (2017) Jon Yard QNC 3126 jyard@uwaterloo.ca TAs Nitica Sakharwade nsakharwade@perimeterinstitute.ca
More informationAdvanced Cryptography Quantum Algorithms Christophe Petit
The threat of quantum computers Advanced Cryptography Quantum Algorithms Christophe Petit University of Oxford Christophe Petit -Advanced Cryptography 1 Christophe Petit -Advanced Cryptography 2 The threat
More informationThe Support Splitting Algorithm and its Application to Code-based Cryptography
The Support Splitting Algorithm and its Application to Code-based Cryptography Dimitris E. Simos (joint work with Nicolas Sendrier) Project-Team SECRET INRIA Paris-Rocquencourt May 9, 2012 3rd Code-based
More informationA Note on the Density of the Multiple Subset Sum Problems
A Note on the Density of the Multiple Subset Sum Problems Yanbin Pan and Feng Zhang Key Laboratory of Mathematics Mechanization, Academy of Mathematics and Systems Science, Chinese Academy of Sciences,
More informationOn the Use of Structured Codes in Code Based Cryptography 1. Nicolas Sendrier
On the Use of Structured Codes in Code Based Cryptography 1 Nicolas Sendrier INRIA, CRI Paris-Rocquencourt, Project-Team SECRET Email: Nicolas.Sendrier@inria.fr WWW: http://www-roc.inria.fr/secret/nicolas.sendrier/
More informationShort Stickelberger Class Relations and application to Ideal-SVP
Short Stickelberger Class Relations and application to Ideal-SVP Ronald Cramer Léo Ducas Benjamin Wesolowski Leiden University, The Netherlands CWI, Amsterdam, The Netherlands EPFL, Lausanne, Switzerland
More informationA Smart Card Implementation of the McEliece PKC
A Smart Card Implementation of the McEliece PKC Falko Strenzke 1 1 FlexSecure GmbH, Germany, strenzke@flexsecure.de 2 Cryptography and Computeralgebra, Department of Computer Science, Technische Universität
More informationEfficient One-Time Signatures from Quasi-Cyclic Codes: A Full Treatment
cryptography Article Efficient One-Time Signatures from Quasi-Cyclic Codes: A Full Treatment Edoardo Persichetti Department of Mathematical Sciences, Florida Atlantic University, Boca Raton, FL 33431,
More informationarxiv: v1 [cs.cr] 25 Jan 2013
Solving the Shortest Vector Problem in Lattices Faster Using Quantum Search Thijs Laarhoven 1, Michele Mosca 2, and Joop van de Pol 3 arxiv:1301.6176v1 [cs.cr] 25 Jan 2013 1 Dept. of Mathematics and Computer
More informationPost-Quantum Code-Based Cryptography
Big Data Photonics UCLA Post-Quantum Code-Based Cryptography 03-25-2016 Valérie Gauthier Umaña Assistant Professor valeriee.gauthier@urosario.edu.co Cryptography Alice 1 Cryptography Alice Bob 1 Cryptography
More informationTable of C on t en t s Global Campus 21 in N umbe r s R e g ional Capac it y D e v e lopme nt in E-L e ar ning Structure a n d C o m p o n en ts R ea
G Blended L ea r ni ng P r o g r a m R eg i o na l C a p a c i t y D ev elo p m ent i n E -L ea r ni ng H R K C r o s s o r d e r u c a t i o n a n d v e l o p m e n t C o p e r a t i o n 3 0 6 0 7 0 5
More informationPractical Analysis of Key Recovery Attack against Search-LWE Problem
Practical Analysis of Key Recovery Attack against Search-LWE Problem The 11 th International Workshop on Security, Sep. 13 th 2016 Momonari Kudo, Junpei Yamaguchi, Yang Guo and Masaya Yasuda 1 Graduate
More informationAn Introduction. Dr Nick Papanikolaou. Seminar on The Future of Cryptography The British Computer Society 17 September 2009
An Dr Nick Papanikolaou Research Fellow, e-security Group International Digital Laboratory University of Warwick http://go.warwick.ac.uk/nikos Seminar on The Future of Cryptography The British Computer
More informationIntroduction to Quantum Computing
Introduction to Quantum Computing Part I Emma Strubell http://cs.umaine.edu/~ema/quantum_tutorial.pdf April 12, 2011 Overview Outline What is quantum computing? Background Caveats Fundamental differences
More informationIntroduction to Quantum Computing
Introduction to Quantum Computing Stephen Casey NASA Slide template creator Krysta Svore Bloch Sphere Hadamard basis θ φ Quantum Hardware Technologies Quantum dots Superconductors Ion traps Nitrogen
More informationCRYSTALS Kyber and Dilithium. Peter Schwabe February 7, 2018
CRYSTALS Kyber and Dilithium Peter Schwabe peter@cryptojedi.org https://cryptojedi.org February 7, 2018 Crypto today 5 building blocks for a secure channel Symmetric crypto Block or stream cipher (e.g.,
More informationThe Generalized Sieve Kernel
The Generalized Sieve Kernel The Algorithmic Ant and the Sandpile Léo Ducas 1 Based on joint work in progress with M. Albrecht, E. Postlethwaite, G. Herold, E. Kirshanova, M. Stevens Cryptology Group,
More informationA Digital Signature Scheme based on CVP
A Digital Signature Scheme based on CVP Thomas Plantard Willy Susilo Khin Than Win Centre for Computer and Information Security Research Universiy Of Wollongong http://www.uow.edu.au/ thomaspl thomaspl@uow.edu.au
More informationImproved Information Set Decoding Decoding Random Linear Codes in O(20.054n)
Imroved Information Set Decoding Decoding Random Linear Codes in O(2.54n) Alexander May, Alexander Meurer, Enrico Thomae ASIACRYPT 211, Seoul HORST GÖRTZ INSTITUTE FOR IT-SECURITY FACULTY OF MATHEMATICS
More informationPh 219b/CS 219b. Exercises Due: Wednesday 4 December 2013
1 Ph 219b/CS 219b Exercises Due: Wednesday 4 December 2013 4.1 The peak in the Fourier transform In the period finding algorithm we prepared the periodic state A 1 1 x 0 + jr, (1) A j=0 where A is the
More informationA Lattice-Based Threshold Ring Signature Scheme (TRSS-L)
A Lattice-Based Threshold Ring Signature Scheme (TRSS-L) Pierre-Louis Cayrel 1 Richard Lindner 2 Markus Rückert 2 Rosemberg Silva 3 1 Center for Advanced Security Research Darmstadt (CASED) 2 Technische
More informationLow-Density Attack Revisited
Low-Density Attack Revisited Tetsuya Izu Jun Kogure Takeshi Koshiba Takeshi Shimoyama Secure Comuting Laboratory, FUJITSU LABORATORIES Ltd., 4-1-1, Kamikodanaka, Nakahara-ku, Kawasaki 211-8588, Japan.
More informationEfficient Finite Field Multiplication for Isogeny Based Post Quantum Cryptography
Efficient Finite Field Multiplication for Isogeny Based Post Quantum Cryptography Angshuman Karmakar 1 Sujoy Sinha Roy 1 Frederik Vercauteren 1,2 Ingrid Verbauwhede 1 1 COSIC, ESAT KU Leuven and iminds
More informationSYND: a Fast Code-Based Stream Cipher with a Security Reduction
SYND: a Fast Code-Based Stream Cipher with a Security Reduction Philippe Gaborit XLIM-DMI, Université de Limoges 13 av. Albert Thomas 87000, Limoges, France gaborit@unilim.fr Cedric Lauradoux INRIA Rocquencourt,
More informationAn Introduction to Quantum Information and Applications
An Introduction to Quantum Information and Applications Iordanis Kerenidis CNRS LIAFA-Univ Paris-Diderot Quantum information and computation Quantum information and computation How is information encoded
More information