POST-QUANTUM CRYPTOGRAPHY HOW WILL WE ENCRYPT TOMORROW?


POST-QUANTUM CRYPTOGRAPHY HOW WILL WE ENCRYPT TOMORROW? Hanno Böck https://hboeck.de 1

INTRODUCTION Hanno Böck, freelance journalist and hacker. Writing for Golem.de and others. Fuzzing Project, funded by Linux Foundation's Core Infrastructure Initiative. Author of monthly Bulletproof TLS Newsletter. 2

1982 Richard Feynman presents idea of a quantum computer CC by-sa 3.0, Tamiko Thiel, Wikimedia Commons 3

1994 Peter Shor shows quantum computers could break public key cryptography CC sa 1.0, Peter Shor, Wikimedia Commons 4

QUANTUM COMPUTERS Well understood theory, but hard to engineer. Some researchers give timeframes of 10-15 years for scalable quantum computers. 5

POST-QUANTUM CRYPTOGRAPHY Algorithms that we believe to be resistant to quantum attacks. Development still in early stages. 6

SYMMETRIC POST-QUANTUM CRYPTOGRAPHY Hash functions (SHA-2, SHA-3) and symmetric encryption (AES) are the easy part. Just use larger keys (256 bit is fine). 7

PUBLIC KEY CRYPTOGRAPHY Encryption with separate public and private key. Signatures. Key exchanges. 8

UNDERLYING PROBLEMS OF PUBLIC KEY CRYPTOGRAPHY Factoring-based (RSA). Discrete-logarithm-based (Diffie Hellman, DSA, ElGamal). Elliptic-curve-based (ECDSA, ECDH, X25519, Ed25519). Quantum computers break all three. 9

CRYPTO IS BROKEN Almost every crypto software and protocol today uses these algorithms. TLS/SSL, SSH, OpenPGP/GnuPG, Signal, Whatsapp, OTR, OMEMO,... Quantum computers break practically everything using crypto. 10

CANDIDATES FOR POST-QUANTUM CRYPTOGRAPHY Code-based cryptography, lattice-based cryptography, isogeny-based cryptography, hash-based signatures, multivariate cryptography. 11

CONSERVATIVE, SAFE CHOICES EU PQCRYPTO recommendations 12

MCELIECE / MCBITS McEliece: Code-based encryption. Parameters from McBits paper (Bernstein, Chou, Schwabe, 2013). Good: old, well researched. Bad: large keys (~1 MB). 13

HASH-BASED SIGNATURES Good: as secure as the hash function. XMSS: needs internal state. SPHINCS: no state, but large signatures. 14
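To make the two points on this slide concrete (the scheme rests on nothing but the hash function, and a stateful scheme must track which one-time key has been used), here is an added toy example, not code from the talk or from XMSS or SPHINCS. It builds Lamport one-time signatures over SHA-256, puts four one-time public keys under a Merkle root that serves as the long-term public key, and keeps a `next_index` counter that refuses to reuse a leaf. Every name in it is this example's own; the parameters (four leaves, 256-bit messages) are chosen for illustration.

```python
import hashlib
import secrets


def h(data: bytes) -> bytes:
    """The whole scheme rests on this hash; SHA-256 here."""
    return hashlib.sha256(data).digest()


def lamport_keygen():
    """One-time key: two 32-byte secrets per message bit, public key is their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(h(s0), h(s1)) for s0, s1 in sk]
    return sk, pk


def message_bits(msg: bytes):
    """Hash the message and expand the digest into 256 bits, MSB first."""
    digest = h(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_sign(sk, msg: bytes):
    """Reveal one secret per bit; a second message would reveal more and break the key."""
    return [sk[i][bit] for i, bit in enumerate(message_bits(msg))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    return all(h(sig[i]) == pk[i][bit] for i, bit in enumerate(message_bits(msg)))


def leaf_of(pk) -> bytes:
    """Compress a one-time public key into a single Merkle leaf."""
    return h(b"".join(p0 + p1 for p0, p1 in pk))


def next_level(level):
    return [h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(leaves) -> bytes:
    level = leaves
    while len(level) > 1:
        level = next_level(level)
    return level[0]


def auth_path(leaves, index: int):
    """Sibling hashes from leaf to root; the verifier needs them to rebuild the root."""
    path, level = [], leaves
    while len(level) > 1:
        path.append(level[index ^ 1])
        level, index = next_level(level), index // 2
    return path


def root_from_path(leaf: bytes, index: int, path) -> bytes:
    node = leaf
    for sibling in path:
        node = h(node + sibling) if index % 2 == 0 else h(sibling + node)
        index //= 2
    return node


class StatefulMerkleSigner:
    """Toy XMSS-style signer: 2**height one-time keys under one Merkle root."""

    def __init__(self, height: int = 2):
        self.capacity = 2 ** height
        self.keys = [lamport_keygen() for _ in range(self.capacity)]
        self.leaves = [leaf_of(pk) for _, pk in self.keys]
        self.root = merkle_root(self.leaves)  # the long-term public key
        self.next_index = 0  # the state: must be persisted and never rolled back

    def sign(self, msg: bytes):
        if self.next_index >= self.capacity:
            raise RuntimeError("all one-time keys have been used")
        index = self.next_index
        self.next_index += 1  # advance the state before the signature is handed out
        sk, pk = self.keys[index]
        return index, lamport_sign(sk, msg), pk, auth_path(self.leaves, index)


def merkle_verify(root: bytes, msg: bytes, signature) -> bool:
    index, sig, pk, path = signature
    return lamport_verify(pk, msg, sig) and root_from_path(leaf_of(pk), index, path) == root
```

A signature here is 256 secrets of 32 bytes plus the one-time public key and the authentication path, which shows why real schemes spend so much effort on shrinking signatures. The operational hazard of the stateful variant is visible in `sign`: if `next_index` is ever restored from a backup or copied to a second machine, two messages get signed with the same leaf, and the one-time key is no longer one-time.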

LATTICES Ntru, Ring-Learning-With-Errors, New Hope, Ntru prime, BLISS, Tesla#. Pro: Practical, fast, relatively small keys. Con: Patents, conflicts over security estimates. Most likely candidate for early deployments. 15

SUPERSINGULAR ISOGENIES OF ELLIPTIC CURVES SIDH - Diffie-Hellman-alike key exchange. Pro: Very similar workflow to Diffie Hellman, small keys. Con: Not that fast, very new, needs more research. 16

POST-QUANTUM CRYPTOGRAPHY TODAY We have the choice between very impractical and experimental algorithms. 17

IMPLEMENTATION CONSIDERATIONS 18

ATTACKS ON OLD CRYPTO Logjam, FREAK, DROWN, SWEET32 19

DEPRECATION IS HARD It often takes decades to deprecate old crypto. Windows XP compatibility is still a concern for some. If quantum computers come in 10-15 years then the transition will be rough. 20

IT'S NOT JUST THE ALGORITHMS Secure algorithms can be used in insecure ways. October 2016: Three research papers on potential backdoors and security issues with Diffie Hellman. If we don't even know how to use the oldest public key algorithm safely, how should we know how to use entirely new algorithms? 21

STORE NOW, DECRYPT LATER Attackers could store large amounts of encrypted communication today and decrypt it once a quantum computer is available. Strong argument for fast deployment. 22

HYBRID MODES No confidence in practical post-quantum schemes. Combine experimental post-quantum algorithm with well researched pre-quantum algorithm. Example: X25519 (elliptic curve) and New Hope (lattice-based) key exchange. 23

CECPQ1 Google deployed New Hope / X25519 hybrid in Chrome/BoringSSL and on some servers. 24

REBELALLIANCE Hybrid New Hope / X25519 key exchange for tor. 25

QUANTUM MYTHBUSTING 26

WHEN WILL I HAVE A QUANTUM COMPUTER ON MY DESK? Maybe never. 27

QUANTUM ALGORITHMS Quantum computers don't magically make everything faster, they're faster for very specific problems (factoring, physical simulations). Even if possible: It's not clear if there's a need for home quantum computers. Possible scenario: Quantum computers are run by universities and companies, one can rent computing time. 28

D-WAVE The D-Wave quantum computer can't run Shor's algorithm. It's not clear if D-Wave quantum computers can do anything useful. But they are almost certainly irrelevant for cryptography. 29

QUANTUM CRYPTOGRAPHY Image public domain, Wikimedia Commons 30

CLARIFICATION OF VOCABULARY Quantum computing: Using quantum effects to solve mathematical problems that can't efficiently be solved on normal computers. Post-Quantum cryptography: Cryptography that resists attacks with quantum computers. Quantum cryptography / quantum key distribution: Using physical channels to exchange cryptographic keys. 31

QUANTUM CRYPTOGRAPHY / QKD Idea: cryptography that is secure based on the laws of physics. Send single particles with polarized encoding, exchange polarization filter configuration. This has major drawbacks and solves nothing. 32

HUGE HYPE Latest trend: Talk about Quantum Internet. 33

LIMITATIONS Very likely limited distances (tens or hundreds of kilometers). Or maybe this is good? 34

But they can only function over distances up to 300 km [...] Instead, repeaters based on trusted nodes or fully quantum devices, possibly involving satellites, are needed to reach global distances. The advantage of trusted-node schemes is that they provide access for lawful intercept, as required by many nation states Source: EU Quantum Manifesto 35

TRUSTED INTERMEDIATES? 36

QUANTUM INTERNET? Let's say I want to send an encrypted message from Berlin to Sydney. Trusted intermediates in Poland, Ukraine, Russia, Kazakhstan, China, India, Burma, Thailand, Malaysia, Indonesia, Australia. 37

NOT WIRELESS QKD needs a physical connection between endpoints. No Wifi. No mobile Internet. 38

QUANTUM HACKING Quantum cryptography provides perfect security. However regularly commercial QKD devices get broken. How's that even possible? 39

QKD: SECURE IN THEORY The big argument for QKD: It's perfectly secure - based on the laws of physics! However that's only true for an idealized version of QKD, not for any real system. 40

PROBLEMS OF HARDWARE-BASED SECURITY If you have a bug in your encryption software you can install an update (hopefully). If you have a bug in your encryption hardware you need to buy new hardware. 41

QKD NEEDS AUTHENTICATION All QKD systems need an authenticated channel. QKD depends on the cryptography its proponents claim it should replace. This limitation is rarely mentioned, but it's significant. It means QKD can't solve the problems created by quantum computers. 42

"It is a well-established fact that all QKE protocols require that the parties have access to an authentic channel. Without this authenticated link, QKE is vulnerable to man-in-the-middle attacks. Overlooking this fact results in exaggerated claims and/or false expectations about the potential impact of QKE." ( Paterson, Piper, Schack, 2004) 43

QUANTUM CRYPTOGRAPHY Extremely overhyped with outrageous claims ("Quantum Internet"). Entirely unclear which problems it should solve. Definitely not a solution for the problems created by quantum computers. That solution is Post-Quantum cryptography. 44

CONCLUSIONS Quantum computers may come pretty soon (or not at all). We need to be prepared. Post-Quantum cryptography is still in its early stages. We're already too late. Be wary of overhyped claims about quantum cryptography, which likely won't solve anything. 45

MORE INFO pqcrypto.org pqcrypto.eu.org - EU PQCRYPTO research project csrc.nist.gov/groups/st/post-quantum-crypto/ - NIST standardization effort Questions? 46