A brief survey of post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago

Transcription

1 A brief survey of post-quantum cryptography D. J. Bernstein University of Illinois at Chicago

2 Once the enormous energy boost that quantum computers are expected to provide hits the street, most encryption security standards and any other standard based on computational difficulty will fall, experts believe. (Magiq s web site, 2008; the experts aren t named)

3 Is cryptography dead? Imagine: 15 years from now someone announces successful construction of a large quantum computer. New York Times headline: INTERNET CRYPTOGRAPHY KILLED BY PHYSICISTS. Users panic. What happens to cryptography?

4 RSA: Dead.

5 RSA: Dead. DSA: Dead. ECDSA: Dead.

6 RSA: Dead. DSA: Dead. ECDSA: Dead. ECC in general: Dead. HECC in general: Dead.

7 RSA: Dead. DSA: Dead. ECDSA: Dead. ECC in general: Dead. HECC in general: Dead. Buchmann Williams: Dead. Class groups in general: Dead.

8 RSA: Dead. DSA: Dead. ECDSA: Dead. ECC in general: Dead. HECC in general: Dead. Buchmann Williams: Dead. Class groups in general: Dead. They re all dead, Dave.

9 RSA: Dead. DSA: Dead. ECDSA: Dead. ECC in general: Dead. HECC in general: Dead. Buchmann Williams: Dead. Class groups in general: Dead. They re all dead, Dave. But we have other types of cryptographic systems! Hash-based cryptography. Example: 1979 Merkle hash-tree public-key signature system.

10 Code-based cryptography. Example: 1978 McEliece hidden-goppa-code public-key encryption system. Lattice-based cryptography. Example: 1998 NTRU. Multivariate-quadraticequations cryptography. Example: 1996 Patarin HFE v public-key signature system. Secret-key cryptography. Example: 1998 Daemen Rijmen Rijndael cipher, aka AES.

11 Nobody has figured out a way to apply Shor s algorithm to any of these systems. Grover s algorithm does have some applications, but cryptographers can easily compensate by scaling up somewhat.

12 Maybe there s a better attack! This was already a familiar risk before quantum computers. This is why the community puts tremendous effort into cryptanalysis. Results of cryptanalysis: Some systems are killed. Some systems need larger keys. Some systems inspire confidence.

13 1978 RSA paper mentions Schroeppel s linear sieve for factorization. Need 2+Ó(1) -bit RSA key for -bit security Pollard et al.: Number-field sieve. Need 3+Ó(1) -bit RSA key for -bit security. Many improvements since then, but still 3+Ó(1) against classical computers Shor: Need intolerably large RSA key for -bit security against quantum computers.

14 1978 McEliece paper mentions a decoding algorithm. Need code dimension 1+Ó(1) for -bit security. Many improvements since then, but still dimension 1+Ó(1) against classical computers. Still dimension 1+Ó(1) against quantum computers. If McEliece security is so good, why are we still using RSA? Answer: McEliece key is huge.

15 Pre-quantum cryptography: Cryptographers design systems to scramble and unscramble data. RSA, McEliece, AES, many more. Cryptanalysts break some systems using 2 classical operations. Tools: NFS, LLL, F4, etc. Unbroken systems: RSA with 3+Ó(1) bits, McEliece with dimension 1+Ó(1), AES if 256, etc. Algorithm designers and implementors find the fastest unbroken systems.

16 Post-quantum cryptography: Cryptographers design systems to scramble and unscramble data. RSA, McEliece, AES, many more. Cryptanalysts break some systems using 2 quantum operations. Tools: NFS, LLL, F4, etc. plus Shor, Grover, etc. Unbroken systems: McEliece with dimension 1+Ó(1), AES if 128, etc. Algorithm designers and implementors find the fastest unbroken systems.

17 A hash-based signature system Standardize a 256-bit hash function À. Signer s public key: 512 strings Ý 1 [0] Ý 1 [1] Ý 256 [0] Ý 256 [1], each 256 bits. Total: bits. Signature of a message Ñ: 256-bit strings Ö Ü 1 Ü 256 such that the bits ( ) of À(Ö Ñ) satisfy Ý 1 [ 1 ] = À(Ü 1 ),, Ý 256 [ 256 ] = À(Ü 256 ).

18 Signer s secret key: 512 independent uniform random 256-bit strings Ü 1 [0] Ü 1 [1] Ü 256 [0] Ü 256 [1]. Signer computes Ý 1 [0] Ý 1 [1] Ý 256 [0] Ý 256 [1] as À(Ü 1 [0]) À(Ü 1 [1]) À(Ü 256 [0]) À(Ü 256 [1]). To sign Ñ: generate uniform random Ö; À(Ö Ñ) = ( ); reveal (Ö Ü 1 [ 1 ] Ü 256 [ 256 ]); discard remaining Ü values; refuse to sign more messages.

19 This is the Lamport Diffie one-time signature system. How to sign more than one message? Easy answer: Chaining. Signer expands Ñ to include a newly generated public key that will sign next message. More advanced answers (Merkle et al.) scale logarithmically with the number of messages signed.

20 A code-based encryption system Receiver s public key: bit matrix Ã. Messages suitable for encryption: 3600-bit strings of weight 150 ; i.e., 3600-bit strings with exactly 150 nonzero bits. Encryption of Ñ is 1800-bit string ÃÑ.

21 Attacker, by linear algebra, can easily work backwards from ÃÑ to some Ú such that ÃÚ = ÃÑ. Huge number of choices of Ú. Finding weight-150 choice ( syndrome-decoding à ) seems extremely difficult for most choices of Ã. Best attacks? See next talk.

22 Receiver secretly generates public key à with a hidden Goppa code structure that allows fast decoding. Detecting this structure seems even more difficult than syndrome-decoding random Ã.

23 Receiver starts with secret monic degree-150 irreducible polynomial ¾ F 4096 [Ü] and distinct «1 «3600 ¾ F Patterson s algorithm ¼ syndrome-decodes the matrix 1 («1 ) 1 («3600 ) ½ À = «1 («1 ) «3600 («3600 ) «149 1 «149 («1 ) 3600 («3600 )

24 Receiver also has a secret invertible matrix Ë and a secret permutation matrix È. Receiver s public key à is the product ËÀÈ. Given ciphertext ÃÑ = ËÀÈ Ñ: receiver computes ÀÈ Ñ; decodes À to obtain È Ñ; computes Ñ.

25 This is 1986 Niederreiter variant of McEliece s original system. Reducing à to systematic form reduces space to bits. Many other improvements. Lattice-based cryptography: similar; more complicated; maybe more attractive! See tomorrow s talk.

26 An MQ signature system Signer s public key: polynomials È 1 È 300 ¾ F 2 [Û 1 Û 600 ]. Extra requirements on each of these polynomials: degree 2, no squares; i.e., linear combination of 1 Û 1 Û 600 Û 1 Û 2 Û 1 Û 3 Û 599 Û 600. Overall bits.

27 Signature of Ñ: a 300-bit string Ö and values Û 1 Û 600 ¾ F 2 such that À(Ö Ñ) = (È 1 (Û 1 Û 600 ) È 300 (Û 1 Û 600 )). Only 900 bits! Verifying a signature uses one evaluation of À and millions of bit operations to evaluate È 1 È 300.

28 Main challenge for attacker: find bits Û 1 Û 600 producing specified outputs (È 1 (Û 1 Û 600 ) È 300 (Û 1 Û 600 )). Random guess: on average, only chance of success. XL etc.: fewer operations, but still not practical.

29 Signer generates public key with secret HFE v structure. Standardize a degree-450 irreducible polynomial ³ ¾ F 2 [Ø]. Define Ä = F 2 [Ø] ³. Critical step in signing: finding roots of a secret polynomial in Ä[Ü] of degree at most 300.

30 Secret polynomial is chosen with all nonzero exponents of the form or 2. (So degree 288.) If Ü 0 Ü 1 Ü 449 ¾ F 2 and Ü = Ü 0 + Ü 1 Ø + + Ü 449 Ø 449 then Ü 2 = Ü 0 + Ü 1 Ø Ü 449 Ø 898, Ü 4 = Ü 0 + Ü 1 Ø Ü 449 Ø 1796, etc. In general, Ü 2 +2 is a quadratic polynomial in the variables Ü 0 Ü 449.

31 Signer s secret key: invertible matrix Ë; matrix Ì of rank 300; É ¾ Ä[Ü Ú 1 Ú 2 Ú 150 ]. Each term in É has one of the forms Ü 2 +2 with ¾ Ä, 2 2, ; Ü 2 Ú with ¾ Ä, 2 300; Ú Ú ; Ü 2 ; Ú ;.

32 To compute public key: Compute Ë(Û 1 Û 600 ) = (Ü 0 Ü 449 Ú 1 Ú 150 ). In Ä[Û 1 Û È 600 ] compute Ü = Ü Ø and Ý = É(Ü Ú 1 Ú 2 Ú 150 ) modulo Û1 2 Û 1 Û600 2 Û 600. Write Ý = Ý Ý 449 Ø 449 with Ý ¾ F 2 [Û 1 Û 600 ]. Compute (È 1 È 300 ) = Ì(Ý 0 Ý 1 Ý 449 ).

33 Sign by working backwards. Given values (È 1 È 300 ), invert Ì to obtain values (Ý 0 Ý 449 ) choices; randomize. Choose (Ú 1 Ú 150 ) randomly. Substitute into É(Ü Ú 1 Ú 150 ) to obtain É(Ü) ¾ Ä[Ü]. Solve É(Ü) = Ý for Ü ¾ Ä. If several roots, randomize. If no roots, start over. Invert Ë to obtain signature.

34 This is an HFE v example. HFE : Hidden Field Equation É(Ü) = Ý. : publish only 300 equations instead of 450. v : vinegar variables Ú 1 Ú 150. State-of-the-art attack breaks a simplified system with 0 vinegar variables, 1 term in É. Can build MQ systems in many other ways.

35 Preparing for the future When someone announces a large quantum computer we ll switch to McEliece etc. Why worry about the switch now? Answer 1: We need time to improve efficiency. Answer 2: We need time to build confidence. Answer 3: We need time to improve usability.

36 Have you implemented a public-key system? Send your software to ebats: ECRYPT Benchmarking of Asymmetric Systems. Now integrated into ebacs: ECRYPT Benchmarking of Cryptographic Systems.

37 Bernstein, sci.crypt: I m thinking about publishing a paper on post-quantum cryptography. This isn t too early to start planning ahead for the very real possibility of quantum computers Buchmann et al., Post-Quantum Signatures : We would like to thank Dan Bernstein for inventing the notion post-quantum cryptography.

38 Silverberg to Bernstein: Hey, let s run a workshop Bernstein to Silverberg: How about a workshop on post-quantum cryptography? Independently, late 2004: Wolf proposes workshop on post-quantum cryptography. Independently, late 2004: Ding proposes workshop on Cryptology in the quantum computer era.

39 Lange manages to herd Bernstein, Ding, Nguyen, Wolf, et al.; ECRYPT starts organizing PQCrypto : PQCrypto 2006 in Leuven, Belgium : PQCrypto 2008 here in Cincinnati. End of 2008: Survey book!

40

41 Bernstein: Introduction to post-quantum cryptography. Hallgren, Vollmer: Quantum computing. Buchmann, Dahmen, Szydlo: Hash-based digital signature schemes. Overbeck, Sendrier: Code-based cryptography. Micciancio, Regev: Lattice-based cryptography. Ding, Yang: Multivariate public key cryptography.