Post-Quantum Cryptography & Privacy. Andreas Hülsing

Similar documents
Post-Quantum Cryptography & Privacy. Andreas Hülsing

Post-quantum key exchange for the Internet based on lattices

Lattice-Based Cryptography

Quantum-Safe Crypto Why & How? JP Aumasson, Kudelski Security

Post-Quantum Cryptography from Lattices

An update on Hash-based Signatures. Andreas Hülsing

Hash-based signatures & Hash-and-sign without collision-resistance

Hash-based Signatures. Andreas Hülsing

Cryptography in the Quantum Era. Tomas Rosa and Jiri Pavlu Cryptology and Biometrics Competence Centre, Raiffeisen BANK International

Post-Quantum Cryptography

From NewHope to Kyber. Peter Schwabe April 7, 2017

CRYSTALS Kyber and Dilithium. Peter Schwabe February 7, 2018

Hash-based Signatures

Mitigating Multi-Target-Attacks in Hash-based Signatures. Andreas Hülsing joint work with Joost Rijneveld, Fang Song

SPHINCS: practical stateless hash-based signatures

A brief survey of post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago

The Quantum Threat to Cybersecurity (for CxOs)

Quantum Computing: it s the end of the world as we know it? Giesecke+Devrient Munich, June 2018

The quantum threat to cryptography

Lattice-Based Cryptography. Chris Peikert University of Michigan. QCrypt 2016

Practical, Quantum-Secure Key Exchange from LWE

Quantum-resistant cryptography

Notes for Lecture 15

High-speed cryptography, part 3: more cryptosystems. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven

Cryptographical Security in the Quantum Random Oracle Model

Post-quantum key exchange based on Lattices

Information Security

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

Lattice Reduction Attacks on HE Schemes. Martin R. Albrecht 15/03/2018

What are we talking about when we talk about post-quantum cryptography?

Quantum Differential and Linear Cryptanalysis

Managing the quantum risk to cybersecurity. Global Risk Institute. Michele Mosca 11 April 2016

CPSC 467: Cryptography and Computer Security

POST-QUANTUM CRYPTOGRAPHY HOW WILL WE ENCRYPT TOMORROW?

Foundations of Network and Computer Security

Quantum Computing: What s the deal? Michele Mosca ICPM Discussion Forum 4 June 2017

On error distributions in ring-based LWE

The Shortest Signatures Ever

Code-based post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago

Quantum Cryptography

Improving the efficiency of Generalized Birthday Attacks against certain structured cryptosystems

HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51

Foundations of Network and Computer Security

CPSC 467: Cryptography and Computer Security

Asymmetric Encryption

Notes for Lecture 16

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

Leakage of Signal function with reused keys in RLWE key exchange

Some Notes on Post-Quantum Cryptography

Lecture 1: Introduction to Public key cryptography

On the Complexity of the Hybrid Approach on HFEv-

Provable security. Michel Abdalla

Everything is Quantum. Our mission is to keep KPN reliable & secure and trusted by customers, partners and society part of the vital infra of NL

FPGA-BASED ACCELERATOR FOR POST-QUANTUM SIGNATURE SCHEME SPHINCS-256

How to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions

CRYPTANALYSIS OF COMPACT-LWE

Some Notes on Post-Quantum Cryptography

Side-channel analysis in code-based cryptography

Public-key Cryptography and elliptic curves

Finding Short Generators of Ideals, and Implications for Cryptography. Chris Peikert University of Michigan

Blockchain and Quantum Computing

The quantum threat to cryptography

Post Quantum Cryptography. Kenny Paterson Information Security

Multivariate Public Key Cryptography or Why is there a rainbow hidden behind fields full of oil and vinegar?

Foundations of Network and Computer Security

Quantum Technologies: Threats & Solutions to Cybersecurity

ECS 189A Final Cryptography Spring 2011

Digital Signatures. Adam O Neill based on

Daniel J. Bernstein University of Illinois at Chicago. means an algorithm that a quantum computer can run.

8 Elliptic Curve Cryptography

ALICE IN POST-QUANTUM WONDERLAND; BOB THROUGH THE DIGITAL LOOKING-GLASS

Public Key Cryptography

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

Fault Attacks Against Lattice-Based Signatures

Public-key Cryptography and elliptic curves

Cryptanalysis of a public key cryptosystem based on Diophantine equations via weighted LLL reduction

Classical hardness of Learning with Errors

Message Authentication Codes (MACs)

ASYMMETRIC ENCRYPTION

Part 2 LWE-based cryptography

Hardness and advantages of Module-SIS and Module-LWE

Hidden Field Equations

Improved Parameters for the Ring-TESLA Digital Signature Scheme

ETSI/IQC QUANTUM SAFE WORKSHOP TECHNICAL TRACK

Side Channel Analysis and Protection for McEliece Implementations

Cryptography in a quantum world

Introduction to Quantum Safe Cryptography. ENISA September 2018

Report on Learning with Errors over Rings-based HILA5 and its CCA Security

Introduction to Cryptography. Lecture 8

Digital Signature Schemes and the Random Oracle Model. A. Hülsing

Gauss Sieve on GPUs. Shang-Yi Yang 1, Po-Chun Kuo 1, Bo-Yin Yang 2, and Chen-Mou Cheng 1

Errors, Eavesdroppers, and Enormous Matrices

Lattice Cryptography

An Introduction. Dr Nick Papanikolaou. Seminar on The Future of Cryptography The British Computer Society 17 September 2009

Advanced Cryptography Quantum Algorithms Christophe Petit

On the Key-collisions in the Signature Schemes

Introduction to Cryptography. Susan Hohenberger

Ideal Lattices and Ring-LWE: Overview and Open Problems. Chris Peikert Georgia Institute of Technology. ICERM 23 April 2015

Shortest Vector Problem (1982; Lenstra, Lenstra, Lovasz)

Lattice Cryptography

Transcription:

Post-Quantum Cryptography & Privacy Andreas Hülsing

Privacy?

Too abstract?

How to achieve privacy?

Under the hood... Asymmetric Crypto ECC RSA DSA Symmetric Crypto AES SHA2 SHA1... Combination of both needed!

Public-key cryptography

Main (public-key) primitives Digital signature Proof of authorship Provides: Authentication Non-repudiation Public-key encryption / key exchange Establishment of commonly known secret key Provides secrecy 8

Applications Code signing (Signatures) Software updates Software distribution Mobile code Communication security (Signatures, PKE / KEX) TLS, SSH, IPSec,... ecommerce, online banking, egovernment,... Private online communication 9

The key exchange problem Internet: 3,675,824,813 users 6,755,844,026,095,330,078 keys 6,8* 10 18 keys n*(n-1)/2 keys = O(n 2 ) [From: http://www.internetworldstats.com/stats.htm, June 30, 2016]

(Secret-)key server Key-Server The key-server knows all secret keys!

Public key cryptography Public-Key-Server The server does not know any private information!

We need symmetric and asymmetric crypto to achieve privacy!

How to build PKC (Computationally) hard problem RSA DL QR DDH PKC Scheme RSA- OAEP ECDSA DH- KE

Quantum Computing

Quantum Computing Quantum computing studies theoretical computation systems (quantum computers) that make direct use of quantum-mechanical phenomena, such as superposition and entanglement, to perform operations on data. -- Wikipedia

Qubits Qubit state: α 0 0 + α 1 1 with α i C such that α 2 0 + α 2 1 = 1 Ket: 0 = 1 0, 1 = 0 1 Qubit can be in state 0 + 1 2 = 1 2 1 1 Computing with 0 and 1 at the same time!

Quantum computers are not almighty To learn outcome one has to measure. Collapses state 1 qubit leads 1 classical bit of information Randomized process Only invertible computation. Impossible to clone (copy) quantum state.

The Quantum Threat

Shor s algorithm (1994) Quantum computers can do FFT very efficiently Can be used to find period of a function This can be exploited to factor efficiently (RSA) Shor also shows how to solve discrete log efficiently (DSA, DH, ECDSA, ECDH)

Grover s algorithm (1996) Quantum computers can search N entry DB in Θ( N) Application to symmetric crypto Nice: Grover is provably optimal (For random function) Double security parameter.

To sum up All asymmetric crypto is broken by QC No more digital signatures No more public key encryption No more key exchange Symmetric crypto survives (with doubled key size / output length) NOT ENOUGH!

Why care today?

Quantum Computing Quantum computing studies theoretical computation systems (quantum computers) that make direct use of quantum-mechanical phenomena, such as superposition and entanglement, to perform operations on data. -- Wikipedia

Bad news I will not tell you when a quantum computer will be built!

It s a question of risk assessment

Who would store all encrypted data traffic? That must be expensive!

Time to deployment Design Evaluation Selection Standardisati on Deployment Theoretical design Cryptanalysis PoC Impl. Practical Security Analysis (SCA) Competition (Broader evaluation) Commerical Impl. Integration & Certification Role-out

Example: SHA1 SHA2 2005: First weakness SHA2 already available! (Standardized) 2008: SHA2 availability in Windows (XP, Service pack 3) 2016: 2.6 % of TLS servers use certificates signed using XXX-SHA1 (https://www.trustworthyinternet.org/ssl-pulse/) 2017: First full collision for SHA1 (https://shattered.io/)

Quantum Cryptography

Why not beat em with their own weapons? QKD: Quantum Key distribution. Based on some nice quantum properties: entanglement & collapsing measurments Information theoretic security (at least in theory) -> Great! For sale today! So why don t we use this? Only short distance, point-to-point connections! Internet? No way! Longer distances require trusted-repeaters We all know where this leads...

PQCRYPTO to the rescue

Quantum-secure problems Credits: Buchmann, Bindel 2015

Conjectured quantum-secure problems Solving multivariate quadratic equations (MQproblem) -> Multivariate Crypto Bounded-distance decoding (BDD) -> Code-based crypto Short(est) and close(st) vector problem (SVP, CVP) -> Lattice-based crypto Breaking security of symmetric primitives (SHAx-, AES-, Keccak-,... problem) -> Hash-based signatures / symmetric crypto

Multivariate Crypto Credits: Buchmann, Bindel 2015

MQ-Problem Let x = (x 1,, x n ) F q n and MQ(n, m, F q ) denote the family of vectorial functions F: F q n F q m of degree 2 over F q : MQ n, m, F q = F x = (f 1 x,, f m x f s x = a i,j x i x j + b i x i, s 1, m i,j i The MQ Problem MQ(F, v) is defined as given v F q m find, if any, s F q n such that F s = v. Decisional version is NP-complete [Garey, Johnson 79]

Multivariate Signatures (trad. approach) Credits: Buchmann, Bindel 2015

Multivariate Cryptography Breaking scheme Solving MQ-Problem -> NP-complete is a worst-case notion (there might be and there are for MQ -- easy instances) -> Not a random instance Many broken proposals -> Oil-and-Vinegar, SFLASH, MQQ-Sig, (Enhanced) TTS, Enhanced STS. -> Security somewhat unclear Only signatures -> (new proposal for encryption exists but too recent) Really large keys New proposal with security reduction, small keys, but large signatures.

Coding-based cryptography - BDD Credits: Buchmann, Bindel 2015

McEliece PKE (1978) Credits: Buchmann, Bindel 2015

Code-based cryptography Breaking scheme Solving BDD -> NP-complete is a worst-case notion (there might be and there are for BDD -- easy instances) -> Not a random instance However, McEliece with binary Goppa codes survived for almost 40 years (similar situation as for e.g. AES) Using more compact codes often leads to break So far, no practical signature scheme Really large public keys

Lattice-based cryptography Basis: B = b 1, b 2 Z 2 2 ; b 1, b 2 Z 2 Lattice: Λ B = x = By y Z 2 }

Shortest vector problem (SVP)

(Worst-case) Lattice Problems SVP: Find shortest vector in lattice, given random basis. NP-hard (Ajtai 96) Approximate SVP (αsvp): Find short vector (norm < α times norm of shortest vector). Hardness depends on α (for α used in crypto not NP-hard). CVP: Given random point in underlying vectorspace (e.g. Z n ), find the closest lattice point. (Generalization of SVP, reduction from SVP) Approximate CVP (αcvp): Find a close lattice point. (Generalization of αsvp)

(Average-case) Lattice Problems Short Integer Solution (SIS) Z p n = n-dim. vectors with entries mod p ( n 3 ) Goal: Given A = a 1, a 2,, a m Z p n m Find small s = (s 1,, s m ) Z m such that As = 0 mod p Reduction from worst-case αsvp.

Hash function Set m > n log p and define f A : {0,1} m Z p n as f A x = Ax mod p Collision-resistance: Given short x 1, x 2 with Ax 1 = Ax 2 we can find a short solution as Ax 1 = Ax 2 Ax 1 Ax 2 = 0 A(x 1 x 2 ) = 0 So, z = x 1 x 2 is a solution and it is short as x 1, x 2 are short.

Lattice-based crypto SIS: Allows to construct signature schemes, hash functions,..., basically minicrypt. For more advanced applications: Learning with errors (LWE) Allows to build PKE, IBE, FHE,... Performance: Sizes can almost reach those of RSA (just small const. factor), really fast (for lattices defined using polynomials). BUT: Exact security not well accessed, yet. Especially, no good estimate for quantum computer aided attacks.

Real-world PQC: New Hope Erdem Alkim, Léo Ducas, Thomas Pöppelmann, and Peter Schwabe: Post-quantum key exchange a new hope. Usenix 2016 Lattice-based key exchange Field test by Google: New hope + X25519 used in Chrome Canary when certain Google services are accessed

Hash-based Signature Schemes [Mer89] Post quantum Only secure hash function Security well understood Fast 5-4-2017 PAGE 51

RSA DSA EC-DSA... Intractability Assumption Cryptographic hash function RSA, DH, SVP, MQ, Digital signature scheme 5-4-2017 PAGE 52

Merkle s Hash-based Signatures PK H SIG = (i=2,,,,, ) H OTS H H H H H H H H H H H H H OTS OTS OTS OTS OTS OTS OTS OTS SK 5-4-2017 PAGE 53

Hash-based signatures Only signatures Minimal security assumptions Well understood Fast & compact (2kB, few ms), but stateful, or Stateless, bigger and slower (41kB, several ms). Two Internet drafts (drafts for RFCs), one in waiting for ISRG review

Time to deployment Design Evaluation Selection Standardisati on Deploymen t Theoretical design Cryptanalysis PoC Impl. Practical Security Analysis (SCA) Competition (Broader evaluation) Commerical Impl. Integration & Certification Role-out

Official developments Feb `13: First PQC draft in IRTF s CFRG Sep `13: ETSI holds first PQC WS (afterwards annually) April `15: NIST holds conference on PQC Aug `15: NSA announces transition to PQC Feb `16: NIST announces `PQC competition Dec `16: NIST opens call for proposals Scheduled: 2024: Draft standards ready (NIST, Feb `16)

Thank you! Questions? 5-4-2017 PAGE 60

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback