From NewHope to Kyber. Peter Schwabe April 7, 2017

Similar documents
CRYSTALS Kyber and Dilithium. Peter Schwabe February 7, 2018

Post-quantum key exchange for the Internet based on lattices

NewHope for ARM Cortex-M

Practical, Quantum-Secure Key Exchange from LWE

Post-quantum key exchange based on Lattices


Part 2 LWE-based cryptography

CRYPTANALYSIS OF COMPACT-LWE

A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model

Analysis of Error-Correcting Codes for Lattice-Based Key Exchange

Lattice-Based Cryptography

Markku-Juhani O. Saarinen

Report on Learning with Errors over Rings-based HILA5 and its CCA Security

A Lattice-based AKE on ARM Cortex-M4

Lattice-Based Cryptography. Chris Peikert University of Michigan. QCrypt 2016

Leakage of Signal function with reused keys in RLWE key exchange

Practical CCA2-Secure and Masked Ring-LWE Implementation

Jintai Ding*, Saraswathy RV. Lin Li, Jiqiang Liu

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018

Post-Quantum Cryptography & Privacy. Andreas Hülsing

Public Key Cryptography

Lecture 28: Public-key Cryptography. Public-key Cryptography

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

Number "Not" Used Once - Key Recovery Fault Attacks on LWE Based Lattice Cryptographic Schemes

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Outline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt

Lattice Based Crypto: Answering Questions You Don't Understand

Introduction to Cybersecurity Cryptography (Part 4)

The Elliptic Curve in https

Introduction to Cybersecurity Cryptography (Part 4)

FrodoKEM Learning With Errors Key Encapsulation. Algorithm Specifications And Supporting Documentation

Introduction to Cryptography. Lecture 8

The Cramer-Shoup Cryptosystem

High-speed key encapsulation from NTRU

Improved Parameters for the Ring-TESLA Digital Signature Scheme

HILA5 Pindakaas: On the CCA security of lattice-based encryption with error correction

1 Number Theory Basics

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

Introduction to Elliptic Curve Cryptography

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

POST-QUANTUM CRYPTOGRAPHY HOW WILL WE ENCRYPT TOMORROW?

How to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions

CPSC 467: Cryptography and Computer Security

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Titanium: Post-Quantum Lattice-Based Public-Key Encryption balancing Security Risk and Practicality

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

Lizard: Cut off the Tail! Practical Post-Quantum Public-Key Encryption from LWE and LWR

8 Elliptic Curve Cryptography

Applied cryptography

Parameter selection in Ring-LWE-based cryptography

Open problems in lattice-based cryptography

Post-Quantum Cryptography & Privacy. Andreas Hülsing

Fully Homomorphic Encryption over the Integers

Lossy Trapdoor Functions and Their Applications

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Hybrid Key Encapsulation Mechanisms and Authenticated Key Exchange

Mathematics of Public Key Cryptography

Shai Halevi IBM August 2013

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019

Asymmetric Encryption

Post-quantum security models for authenticated encryption

Lecture V : Public Key Cryptography

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Chapter 8 Public-key Cryptography and Digital Signatures

Picnic Post-Quantum Signatures from Zero Knowledge Proofs

General Impossibility of Group Homomorphic Encryption in the Quantum World

Some security bounds for the DGHV scheme

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

Cryptology. Scribe: Fabrice Mouhartem M2IF

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

Digital Signatures. Adam O Neill based on

Implementing Ring-LWE cryptosystems

Network Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) Due Date: March 30

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

MATH 158 FINAL EXAM 20 DECEMBER 2016

Hardness and advantages of Module-SIS and Module-LWE

ECS 189A Final Cryptography Spring 2011

Cryptanalysis of Compact-LWE

Question: Total Points: Score:

1 Public-key encryption

Post-Quantum Cryptography

Information Security

Great Theoretical Ideas in Computer Science

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Fully Homomorphic Encryption over the Integers

A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Public-key Cryptography and elliptic curves

Noisy Diffie-Hellman protocols

Post-Quantum Cryptography from Lattices

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

Peculiar Properties of Lattice-Based Encryption. Chris Peikert Georgia Institute of Technology

Lecture 1: Introduction to Public key cryptography

Titanium: Proposal for a NIST Post-Quantum Public-key Encryption and KEM Standard

Notes for Lecture 17

Message Authentication Codes (MACs)

Integer Module LWE key exchange and encryption: The three bears

Lecture Note 3 Date:

Transcription:

From NewHope to Kyber Peter Schwabe peter@cryptojedi.org https://cryptojedi.org April 7, 2017

In the past, people have said, maybe it s 50 years away, it s a dream, maybe it ll happen sometime. I used to think it was 50. Now I m thinking like it s 15 or a little more. It s within reach. It s within our lifetime. It s going to happen. Mark Ketchen (IBM), Feb. 2012, about quantum computers 1

The end of crypto as we know it Shor s algorithm (1994) Factor integers in polynomial time Compute discrete logarithms in polynomial time Complete break of RSA, ElGamal, DSA, Diffie-Hellman Complete break of elliptic-curve variants (ECSDA, ECDH,... ) 2

The end of crypto as we know it Shor s algorithm (1994) Factor integers in polynomial time Compute discrete logarithms in polynomial time Complete break of RSA, ElGamal, DSA, Diffie-Hellman Complete break of elliptic-curve variants (ECSDA, ECDH,... ) Forward-secure post-quantum crypto Threatening today: Attacker records encrypted messages now Uses quantum computer in 1-2 decades to break encryption 2

The end of crypto as we know it Shor s algorithm (1994) Factor integers in polynomial time Compute discrete logarithms in polynomial time Complete break of RSA, ElGamal, DSA, Diffie-Hellman Complete break of elliptic-curve variants (ECSDA, ECDH,... ) Forward-secure post-quantum crypto Threatening today: Attacker records encrypted messages now Uses quantum computer in 1-2 decades to break encryption Perfect forward secrecy (PFS) does not help Countermeasure against key compromise Not a countermeasure against cryptographic break 2

The end of crypto as we know it Shor s algorithm (1994) Factor integers in polynomial time Compute discrete logarithms in polynomial time Complete break of RSA, ElGamal, DSA, Diffie-Hellman Complete break of elliptic-curve variants (ECSDA, ECDH,... ) Forward-secure post-quantum crypto Threatening today: Attacker records encrypted messages now Uses quantum computer in 1-2 decades to break encryption Perfect forward secrecy (PFS) does not help Countermeasure against key compromise Not a countermeasure against cryptographic break Consequence: Want post-quantum PFS crypto today 2

Ring-Learning-with-errors (RLWE) Let R q = Z q [X ]/(X n + 1) Let χ be an error distribution on R q Let s R q be secret Attacker is given pairs (a, as + e) with a uniformly random from R q e sampled from χ Task for the attacker: find s 3

Ring-Learning-with-errors (RLWE) Let R q = Z q [X ]/(X n + 1) Let χ be an error distribution on R q Let s R q be secret Attacker is given pairs (a, as + e) with a uniformly random from R q e sampled from χ Task for the attacker: find s Common choice for χ: discrete Gaussian Common optimization for protocols: fix a 3

RLWE-based Encryption, KEM, KEX Alice (server) Bob (client) s, e $ χ s, e $ χ b as + e b u as + e u Alice has t = us = ass + e s Bob has t = bs = ass + es Secret and noise polynomials s, s, e, e are small t and t are approximately the same 4

USENIX Security 2016: NewHope Improve IEEE S&P 2015 results by Bos, Costello, Naehrig, Stebila (BCNS) Use reconcilation to go from approximate agreement to agreement Originally proposed by Ding (2012) Improvements by Peikert (2014) More improvements in NewHope 6

USENIX Security 2016: NewHope Improve IEEE S&P 2015 results by Bos, Costello, Naehrig, Stebila (BCNS) Use reconcilation to go from approximate agreement to agreement Originally proposed by Ding (2012) Improvements by Peikert (2014) More improvements in NewHope NewHope-Simple (2016): Scrap complex reconciliation (pay 6.25% increase in ciphertext size) 6

USENIX Security 2016: NewHope Improve IEEE S&P 2015 results by Bos, Costello, Naehrig, Stebila (BCNS) Use reconcilation to go from approximate agreement to agreement Originally proposed by Ding (2012) Improvements by Peikert (2014) More improvements in NewHope NewHope-Simple (2016): Scrap complex reconciliation (pay 6.25% increase in ciphertext size) Very conservative parameters (n = 1024, q = 12289) Centered binomial noise ψ k (HW(a) HW(b) for k-bit a, b) Achieve 256 bits of post-quantum security according to very conservative analysis Higher security, shorter messages, and > 10 speedup 6

USENIX Security 2016: NewHope Improve IEEE S&P 2015 results by Bos, Costello, Naehrig, Stebila (BCNS) Use reconcilation to go from approximate agreement to agreement Originally proposed by Ding (2012) Improvements by Peikert (2014) More improvements in NewHope NewHope-Simple (2016): Scrap complex reconciliation (pay 6.25% increase in ciphertext size) Very conservative parameters (n = 1024, q = 12289) Centered binomial noise ψ k (HW(a) HW(b) for k-bit a, b) Achieve 256 bits of post-quantum security according to very conservative analysis Higher security, shorter messages, and > 10 speedup 6

USENIX Security 2016: NewHope Improve IEEE S&P 2015 results by Bos, Costello, Naehrig, Stebila (BCNS) Use reconcilation to go from approximate agreement to agreement Originally proposed by Ding (2012) Improvements by Peikert (2014) More improvements in NewHope NewHope-Simple (2016): Scrap complex reconciliation (pay 6.25% increase in ciphertext size) Very conservative parameters (n = 1024, q = 12289) Centered binomial noise ψ k (HW(a) HW(b) for k-bit a, b) Achieve 256 bits of post-quantum security according to very conservative analysis Higher security, shorter messages, and > 10 speedup Choose a fresh parameter a for every protocol run 6

USENIX Security 2016: NewHope Improve IEEE S&P 2015 results by Bos, Costello, Naehrig, Stebila (BCNS) Use reconcilation to go from approximate agreement to agreement Originally proposed by Ding (2012) Improvements by Peikert (2014) More improvements in NewHope NewHope-Simple (2016): Scrap complex reconciliation (pay 6.25% increase in ciphertext size) Very conservative parameters (n = 1024, q = 12289) Centered binomial noise ψ k (HW(a) HW(b) for k-bit a, b) Achieve 256 bits of post-quantum security according to very conservative analysis Higher security, shorter messages, and > 10 speedup Choose a fresh parameter a for every protocol run Encode polynomials in NTT domain 6

USENIX Security 2016: NewHope Improve IEEE S&P 2015 results by Bos, Costello, Naehrig, Stebila (BCNS) Use reconcilation to go from approximate agreement to agreement Originally proposed by Ding (2012) Improvements by Peikert (2014) More improvements in NewHope NewHope-Simple (2016): Scrap complex reconciliation (pay 6.25% increase in ciphertext size) Very conservative parameters (n = 1024, q = 12289) Centered binomial noise ψ k (HW(a) HW(b) for k-bit a, b) Achieve 256 bits of post-quantum security according to very conservative analysis Higher security, shorter messages, and > 10 speedup Choose a fresh parameter a for every protocol run Encode polynomials in NTT domain Multiple implementations 6

NewHope in the real world July 7, 2016, Google announces 2-year post-quantum experiment NewHope+X25519 (CECPQ1) in BoringSSL for Chrome Canary Used in access to select Google services 7

NewHope in the real world July 7, 2016, Google announces 2-year post-quantum experiment NewHope+X25519 (CECPQ1) in BoringSSL for Chrome Canary Used in access to select Google services November 28, 2016: At this point the experiment is concluded. 7

Conclusions for Google s experiment [... ] we did not find any unexpected impediment to deploying something like NewHope. There were no reported problems caused by enabling it. 8

Conclusions for Google s experiment [... ] if the need arose, it would be practical to quickly deploy NewHope in TLS 1.2. (TLS 1.3 makes things a little more complex and we did not test with CECPQ1 with it.) 8

Conclusions for Google s experiment Although the median connection latency only increased by a millisecond, the latency for the slowest 5% increased by 20ms and, for the slowest 1%, by 150ms. Since NewHope is computationally inexpensive, we re assuming that this is caused entirely by the increased message sizes. Since connection latencies compound on the web (because subresource discovery is delayed), the data requirement of NewHope is moderately expensive for people on slower connections. 8

Are we done? Is the Internet safe again? 9

Are we done? Is the Internet safe again? Disadvantages of NewHope Security analysis assumes that we have an LWE instance Structure of RLWE is ignored 9

Are we done? Is the Internet safe again? Disadvantages of NewHope Security analysis assumes that we have an LWE instance Structure of RLWE is ignored Somewhat large messages ( 2KB each way) Maybe overly conservative security...? 9

Are we done? Is the Internet safe again? Disadvantages of NewHope Security analysis assumes that we have an LWE instance Structure of RLWE is ignored Somewhat large messages ( 2KB each way) Maybe overly conservative security...? Only does ephemeral key exchange Must not reuse keys/noise No CCA security 9

Are we done? Is the Internet safe again? Disadvantages of NewHope Security analysis assumes that we have an LWE instance Structure of RLWE is ignored Somewhat large messages ( 2KB each way) Maybe overly conservative security...? Only does ephemeral key exchange Must not reuse keys/noise No CCA security (Message format depends on multiplication algorithm) 9

Are we done? Is the Internet safe again? Disadvantages of NewHope Security analysis assumes that we have an LWE instance Structure of RLWE is ignored Somewhat large messages ( 2KB each way) Maybe overly conservative security...? Only does ephemeral key exchange Must not reuse keys/noise No CCA security (Message format depends on multiplication algorithm) Back to the drawing board! 9

K Y B E R The KEM Shi Bai Joppe Bos Léo Ducas Eike Kiltz Tancrède Lepoint Vadim Lyubashevsky John M. Schanck Peter Schwabe Damien Stehlé 10

The design of Kyber (WiP) Use Module-Lattices and MLWE RLWE: large polynomials (e.g., n = 1024) LWE: matrices of integers with large dimension (e.g., 752 752, 752 8) MLWE: matrices of smaller polynomials (e.g., n = 256) of small dimension (e.g., 3 3, 3 1) Less structure than RLWE, more efficient than LWE 11

The design of Kyber (WiP) Use Module-Lattices and MLWE RLWE: large polynomials (e.g., n = 1024) LWE: matrices of integers with large dimension (e.g., 752 752, 752 8) MLWE: matrices of smaller polynomials (e.g., n = 256) of small dimension (e.g., 3 3, 3 1) Less structure than RLWE, more efficient than LWE First construct IND-CPA-secure encryption of 256-bit messages 11

The design of Kyber (WiP) Use Module-Lattices and MLWE RLWE: large polynomials (e.g., n = 1024) LWE: matrices of integers with large dimension (e.g., 752 752, 752 8) MLWE: matrices of smaller polynomials (e.g., n = 256) of small dimension (e.g., 3 3, 3 1) Less structure than RLWE, more efficient than LWE First construct IND-CPA-secure encryption of 256-bit messages Use Targhi-Unruh CCA transform to build CCA-secure KEM Can be used just like NewHope (but can cache keys!) Can also be used for KEM-DEM to encrypt messages Can be used in authenticated key exchange (without signatures) 11

The design of Kyber (WiP) Use Module-Lattices and MLWE RLWE: large polynomials (e.g., n = 1024) LWE: matrices of integers with large dimension (e.g., 752 752, 752 8) MLWE: matrices of smaller polynomials (e.g., n = 256) of small dimension (e.g., 3 3, 3 1) Less structure than RLWE, more efficient than LWE First construct IND-CPA-secure encryption of 256-bit messages Use Targhi-Unruh CCA transform to build CCA-secure KEM Can be used just like NewHope (but can cache keys!) Can also be used for KEM-DEM to encrypt messages Can be used in authenticated key exchange (without signatures) Choose d = 3, n = 256, q = 7681 for very conservative security 11

The design of Kyber (WiP) Use Module-Lattices and MLWE RLWE: large polynomials (e.g., n = 1024) LWE: matrices of integers with large dimension (e.g., 752 752, 752 8) MLWE: matrices of smaller polynomials (e.g., n = 256) of small dimension (e.g., 3 3, 3 1) Less structure than RLWE, more efficient than LWE First construct IND-CPA-secure encryption of 256-bit messages Use Targhi-Unruh CCA transform to build CCA-secure KEM Can be used just like NewHope (but can cache keys!) Can also be used for KEM-DEM to encrypt messages Can be used in authenticated key exchange (without signatures) Choose d = 3, n = 256, q = 7681 for very conservative security Messages in standard format Still depend on NTT (sampling of matrix A) Possibility for further compression of keys and ciphertext (WiP) 11

The design of Kyber (WiP) Use Module-Lattices and MLWE RLWE: large polynomials (e.g., n = 1024) LWE: matrices of integers with large dimension (e.g., 752 752, 752 8) MLWE: matrices of smaller polynomials (e.g., n = 256) of small dimension (e.g., 3 3, 3 1) Less structure than RLWE, more efficient than LWE First construct IND-CPA-secure encryption of 256-bit messages Use Targhi-Unruh CCA transform to build CCA-secure KEM Can be used just like NewHope (but can cache keys!) Can also be used for KEM-DEM to encrypt messages Can be used in authenticated key exchange (without signatures) Choose d = 3, n = 256, q = 7681 for very conservative security Messages in standard format Still depend on NTT (sampling of matrix A) Possibility for further compression of keys and ciphertext (WiP) Easy to scale security by changing d 11

Kyber s encryption scheme q = 7681, n = 256, d = 3 We work with matrices of polynomials in Z 7681 [x]/(x 256 + 1) of dim. d = 3 and a distribution of poly with binomial coeffs. Ψ 4 KeyGen(): seed {0,..., 255} 32 a 11 a 12 a 13 A = a 21 a 22 a 23 SHAKE(seed) a 31 a 32 a 33 s, e Ψ d 4 b = A s + e Define pk = (seed, b) and sk = s 12

Kyber s encryption scheme q = 7681, n = 256, d = 3 We work with matrices of polynomials in Z 7681 [x]/(x 256 + 1) of dim. d = 3 and a distribution of poly with binomial coeffs. Ψ 4 Encrypt(pk, m {0, 1} 256, coins): seed, b pk A = SHAKE(seed) s Ψ d 4(coins, 1) e Ψ d 4(coins, 2) e Ψ 4(coins, 3) u = (s ) t A + e v = b, s + e + q/2 i m ix i Output (u, v) Decrypt(sk, (u, v)): w = v u, s for i { {0,..., 255}, 1 if w i ( q m i, 3 q ) 4 4 0 otherwise Output (m 0,..., m 255) 13

Idea of the CCA transformation Alice (Server) Bob (Client) Gen(): Enc(seed, b): pk, sk KeyGen() x {0,..., 255} 32 seed, b pk Dec(s, (u, v)): x Decrypt(s, (u, v)) k, coins, q SHAKE(x, 768) u, v Encrypt((seed, b), x, coins ) verify if (u, v, q ) = (u, v, q) seed,b x SHAKE(x, 512) u,v,q k, coins, q SHAKE(x, 768) u, v Encrypt((seed, b), x, coins) 14

Idea of the CCA transformation Alice (Server) Bob (Client) Gen(): Enc(seed, b): pk, sk KeyGen() x {0,..., 255} 32 seed, b pk Dec(s, (u, v)): x Decrypt(s, (u, v)) k, coins, q SHAKE(x, 768) u, v Encrypt((seed, b), x, coins ) verify if (u, v, q ) = (u, v, q) Additionally: seed,b x SHAKE(x, 512) u,v,q Hash the public key into x Multi-target protection (for coins) Turn into contributory KEM Hash the ciphertext into the final key k, coins, q SHAKE(x, 768) u, v Encrypt((seed, b), x, coins) 14

Kyber performance guesstimates NewHope Kyber public-key bytes 1 824 1 088 ciphertext bytes 2 048 1 152 Gen cycles 258 246 296 016 Enc cycles 384 994 395 948 Dec cycles 86 280 460 164 Cycles are for C reference implementation on Haswell Optimized implementations for Kyber will follow 15

Stay tuned http://pq-crystals.org/kyber 16

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback