PQ Crypto Panel. Bart Preneel, Professor, imec-cosic KU Leuven. Adi Shamir, Borman Professor of Computer Science, The Weizmann Institute, Israel

Transcription:

#RSAC SESSION ID: CRYP-W10
PQ Crypto Panel
MODERATOR: Bart Preneel, Professor, imec-cosic KU Leuven
PANELISTS:
Dr. Dan Boneh, Professor, Stanford University
Michele Mosca, Professor, UWaterloo and evolutionq Inc.
Scott Fluhrer, Technical Leader, Engineering Security and Trust (STO) Organization, Cisco Systems
Adi Shamir, Borman Professor of Computer Science, The Weizmann Institute, Israel

Why do we need to worry now?
X = security shelf-life (required security time horizon)
Y = migration time (planning and full implementation)
Z = collapse time (time to development of quantum capability)
Theorem: If X + Y > Z, then worry.
(Timeline chart, years 2017 to 2031)
Org A: Y = Implementation (5 yrs); X = Security Time Horizon (5 yrs); Z = Time to Invention
Org B: Y = Implementation (10 yrs); X = Security Time Horizon (20++ years)
*M. Mosca: e-proceedings of 1st ETSI Quantum-Safe Cryptography Workshop, 2013. Also http://eprint.iacr.org/2015/1075

How large of a quantum computer is needed?
https://qsoft.iqc.uwaterloo.ca/
https://arxiv.org/pdf/1603.09383.pdf
https://arxiv.org/abs/1602.05973

What is z?
Mosca [Oxford] 1996: 20 qubits in 20 years
[NIST April 2015, ISACA September 2015]: 1/7 chance of breaking RSA-2048 by 2026, 1/2 chance by 2031
Microsoft Research [October 2015]: "Recent improvements in control of quantum systems make it seem feasible to finally build a quantum computer within a decade. Use of a quantum computer enables much larger and more accurate simulations than with any known classical algorithm, and will allow many open questions in quantum materials to be resolved once a small quantum computer with around one hundred logical qubits becomes available."

Managing the risk
Leverage existing risk mitigation policies, procedures, and processes.
Manage community and technical challenges to deploying quantum-safe cryptography.
openquantumsafe.org
http://eprint.iacr.org/2016/1017

Quantum Risk Assessment Methodology
http://www.evolutionq.com/methodology-for-qra.html
Phase 1 - Identify and document assets, and their current cryptographic protection.
Phase 2 - Establish awareness of the state of emerging quantum technologies, and the timelines for availability of quantum computers.
Phase 3 - Identify and document threat actors, and estimate their time to access quantum technology z.
Phase 4 - Identify the lifetime of your assets x, and the time required to migrate the organization's technical infrastructure to a quantum-safe state y.
Phase 5 - Determine quantum risk by calculating whether business assets will become vulnerable before the organization can move to protect them. (x + y > z?)
Phase 6 - Identify and prioritize the activities required to maintain awareness, and to migrate the organization's technology to a quantum-safe state.
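Mosca's X + Y > Z test from the theorem slide, carried through Phase 5 of the methodology above over a small asset inventory, as an added Python example that is not part of the panel's material. The asset names, the per-threat-actor z estimates and the 2017 base year are constructed values; z = 14 years is taken from the slide's "1/2 chance by 2031" estimate counted from 2017.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    shelf_life: int  # X: years the protected data or keys must stay secure
    migration: int   # Y: years for planning plus full migration


def mosca_worry(x: int, y: int, z: int) -> bool:
    """Mosca's theorem: worry iff X + Y > Z, i.e. the asset is exposed
    before the organization has finished protecting it."""
    return x + y > z


def assess(assets, actors, base_year: int = 2017) -> dict:
    """Phase 5 of the QRA: for every asset, take the fastest threat actor's z
    (Phase 3) and report whether the asset is at risk, how many years of
    slack remain, and the latest year in which migration may start."""
    z_min = min(actors.values())  # the most capable actor sets the deadline
    report = {}
    for a in assets:
        slack = z_min - (a.shelf_life + a.migration)
        report[a.name] = {
            "z_years": z_min,
            "at_risk": mosca_worry(a.shelf_life, a.migration, z_min),
            "slack_years": slack,  # negative: already too late to start
            "start_migration_by": base_year + slack,
        }
    return report


# Constructed inventory modelled on the two organizations from the slide.
ASSETS = [
    Asset("Org A: session keys", shelf_life=5, migration=5),
    Asset("Org B: long-term archive", shelf_life=20, migration=10),
]
# Constructed z estimates (years from 2017) per threat actor; 14 years is
# the slide's "1/2 chance by 2031" figure.
ACTORS = {"nation-state (constructed)": 14, "criminal group (constructed)": 20}

if __name__ == "__main__":
    for name, row in assess(ASSETS, ACTORS).items():
        print(name, row)
```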

Quantum Computers: What is the threat?
Scott Fluhrer, Cisco Systems, sfluhrer@cisco.com

Is the threat of Quantum Computers real? What should we do, given that QCs might become real?
- Given no one knows if (or when) a real Quantum Computer will be built, it would be prudent to act conservatively.
- Building a Quantum Computer may be more like the moon landing (very difficult, but achievable) than fusion power ("20 years in the future" for the past 60 years).
- I advocate acting as if someone will have a working Quantum Computer in 10 years.

Threat 1: decrypting stored traffic
- More urgent: we need this in 10 years MINUS the time the data will be sensitive.
- Issue: there is no single PK encryption / key exchange that we really trust.
- Recommendation: we design things to use several in parallel; we're secure if any of them are.

Threat 2: authentication
- We have more time: authentication can't be attacked unless someone has a real QC at the time of the exchange.
- However, it'll be harder to upgrade.

Upgrade Issues: what's involved with privacy
(Diagram, two endpoints negotiating: "Let's do this new ciphersuite" / "I also support it; let's do it")
- For privacy, we need to upgrade both sides of the connection.
- We can do incremental deployment.

Upgrade Issues: authentication
(Diagram: CA issuing a certificate)
- For authentication, we also need to upgrade the CA.
- "Look ma, no negotiation."

Chicken and Egg
- CA vendors won't support postquantum certificates unless the clients accept them.
- Browser vendors aren't likely to support postquantum certificates until they actually see them.

Which postquantum signature algorithm?
- Unlike PK encryption, we have signature algorithms we trust: Hash Based Signatures.
- Plus: we believe in the quantum security of hash functions.
- Minuses: signature size, state management.
- I would claim that the implementation details of working with state management and signature size are easier than dealing with "is BLISS really quantum secure?"
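The two minuses above, signature size and state management, shown on a Lamport one-time signature scheme as an added Python example that is not code from the panel. The signer keeps a pool of one-time keys and a counter; it advances the counter before releasing a signature and refuses to sign once the pool is exhausted, and the size helper shows why a SHA-256 Lamport signature is 8 KiB. Key-pool size and messages are constructed values.

```python
import hashlib
import secrets

N = 32  # bytes per SHA-256 output; a message digest has 8 * N = 256 bits


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def lamport_keygen():
    """One-time key: 256 pairs of random secrets; the public key is their hashes."""
    sk = [(secrets.token_bytes(N), secrets.token_bytes(N)) for _ in range(8 * N)]
    pk = [(H(s0), H(s1)) for s0, s1 in sk]
    return sk, pk


def message_bits(msg: bytes):
    """Bits of H(msg), MSB first; bit i selects which half of pair i is revealed."""
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(8 * N)]


class StatefulSigner:
    """Pool of one-time keys plus a counter. The counter is the state that must be
    persisted before a signature leaves the signer; reusing a Lamport key leaks
    enough secrets to forge, so the signer never hands out the same index twice."""

    def __init__(self, n_keys: int):
        self.keys = [lamport_keygen() for _ in range(n_keys)]
        self.next_index = 0

    def remaining(self) -> int:
        return len(self.keys) - self.next_index

    def public_keys(self):
        return [pk for _, pk in self.keys]

    def sign(self, msg: bytes):
        if self.remaining() == 0:
            raise RuntimeError("all one-time keys used; refusing to reuse a key")
        idx = self.next_index
        self.next_index += 1  # advance (and, in a real system, persist) state first
        sk = self.keys[idx][0]
        sig = [sk[i][b] for i, b in enumerate(message_bits(msg))]
        return idx, sig


def lamport_verify(pk, msg: bytes, sig) -> bool:
    """Each revealed secret must hash to the public-key half chosen by the message bit."""
    if len(sig) != 8 * N:
        return False
    return all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, message_bits(msg))))


def signature_size_bytes(sig) -> int:
    return sum(len(s) for s in sig)  # 256 secrets * 32 bytes = 8192 bytes
```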

Summary
- We need to work on post quantum security.
- No need to panic; we should work now so we don't need to panic later.
- Secure encryption/key exchange isn't the only issue that needs to be addressed.
