![Page 1: Post-Quantum Cryptography - NLUUGModern post-quantum crypto „Users using cryptography on conventional computers facing quantum adversaries ^ Adds questions like •How to argue security?](https://reader033.vdocuments.site/reader033/viewer/2022052014/602ab7bd11ae6b304451c3d1/html5/thumbnails/1.jpg)
Post-Quantum Cryptography
Andreas Hülsing
TU Eindhoven
Quantum kills the Internet
11/21/2019 Andreas Hülsing https://huelsing.net 2
Background: Cryptography
Secret key encryption (SKE)
[Diagram: plaintext → SKE.Enc with key k → ciphertext → SKE.Dec with key k → plaintext; both parties hold the same key k]
Message authentication (MAC)
[Diagram: plaintext → MAC.Tag with key k → (plaintext, tag) → MAC.Vrfy with key k; both parties hold the same key k]
How to build secret key crypto?
• Random function sufficient (we need one-wayness)
• Attacks ≈ unstructured search
• How to build a random-behaving function? Engineering*
* Disclaimer: massive simplification
Spoiler: Killed by quantum? Not that we know (but weakened)*
How does Bob learn shared key k?
Public key encryption (PKE)
[Diagram: plaintext → PKE.Enc with Bob's pk → ciphertext → PKE.Dec with Bob's sk → plaintext]
Digital Signature (DSig)
[Diagram: plaintext → DSig.Sign with Alice's sk → (plaintext, signature) → DSig.Vrfy with Alice's pk]
Applications
• Code signing (DSig)
  • Software updates
  • Software distribution
  • Mobile code
• Communication security (DSig, PKE / KEX / KEM)
  • TLS, SSH, IPsec, ...
  • eCommerce, online banking, eGovernment, ...
  • Private online communication
Communication security (simplified)
1. Client → Shop: "Hi"
2. Shop → Client: pk, Cert(pk belongs to shop)
3. PKC to establish shared secret sk
4. SKC secured communication using sk
How to build PKC
(Computationally) hard problem → PKC scheme
• Hard problems: RSA, DL, QR, DDH
• Schemes built on them: RSA-OAEP, ECDSA, DH-KE
The Quantum Threat
Shor's algorithm (1994)
• Quantum computers can do the FFT very efficiently
• This can be used to find the period of a function
• Period finding can be exploited to factor efficiently (RSA)
• Shor also shows how to solve discrete log efficiently (DSA, DH, ECDSA, ECDH)
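The reduction behind the slide, as an added example that is not part of the deck: Shor's quantum step finds the period r of the function x ↦ a^x mod N; everything after that is classical arithmetic, and it is that classical part which turns a period into a factor. The code below is added here for illustration only; the quantum period finding is replaced by a brute-force loop, which is exponential in the size of N and only workable for the constructed toy inputs (15, 21, 3233), which is exactly the gap a large quantum computer closes.

```python
"""Shor's reduction from factoring to period finding, on toy-sized numbers.
Added illustration, not code from the slides. The quantum Fourier-transform
step is simulated by classical brute force, so this is exponential in log N."""
from math import gcd
import random


def find_period(a: int, n: int) -> int:
    """Smallest r >= 1 with a^r = 1 (mod n). Requires gcd(a, n) == 1.
    A quantum computer finds r in polynomial time via the QFT; here we
    simply iterate, which is fine only for n of a few digits."""
    if gcd(a, n) != 1:
        raise ValueError("a must be coprime to n for a period to exist")
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def factor_from_base(n: int, a: int):
    """Classical post-processing of Shor's algorithm for one base a.
    Returns a non-trivial factor of n, or None if this a is unlucky."""
    g = gcd(a, n)
    if g != 1:
        return g                      # lucky: a already shares a factor with n
    r = find_period(a, n)
    if r % 2:
        return None                   # odd period: try another base
    y = pow(a, r // 2, n)
    if y == n - 1:
        return None                   # a^(r/2) = -1 mod n yields only trivial factors
    f = gcd(y - 1, n)
    return f if 1 < f < n else None


def shor_factor(n: int, seed: int = 0):
    """Repeat with random bases until a non-trivial factor appears.
    Returns (p, q) with p <= q and p * q == n; n must be an odd composite."""
    rng = random.Random(seed)         # seeded so the example is reproducible
    while True:
        a = rng.randrange(2, n)
        f = factor_from_base(n, a)
        if f is not None:
            return tuple(sorted((f, n // f)))


if __name__ == "__main__":
    # constructed toy inputs: 15 = 3 * 5, 21 = 3 * 7, 3233 = 53 * 61
    print("period of 7 mod 15:", find_period(7, 15))
    print(shor_factor(15), shor_factor(21), shor_factor(3233))
```

The point for a defender is that RSA's security is not one hard problem but two steps: period finding (hard classically, easy quantumly) and this handful of gcd computations (easy for everyone). A quantum-hard replacement has to remove the first step, not harden the second.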
Grover's algorithm (1996)
• Quantum computers can search an N-entry database in Θ(√N) queries
• Applies to symmetric crypto (key search)
• Nice: Grover is provably optimal (for a random function)
• Countermeasure: double the security parameter
How to build PKC (recalled)
(Computationally) hard problem → PKC scheme
• Hard problems: RSA, DL, QR, DDH
• Schemes built on them: RSA-OAEP, ECDSA, DH-KE
Communication security (simplified) (recalled)
1. Client → Shop: "Hi"
2. Shop → Client: pk, Cert(pk belongs to shop)
3. PKC to establish shared secret sk
4. SKC secured communication using sk
Why care today
• The EU launched a one billion Euro project on quantum technologies
• A similar amount is being spent in China
• The US administration passed a bill to spend $1.275 billion on quantum computing research
• Google, IBM, Microsoft, Alibaba, and others run their own research programs.
It's a question of risk assessment
Real world cryptography development
(Cycle)
1. Develop systems
2. Analyze security
3. Implement systems
4. Analyze implementation security
5. Select best systems and standardize them
6. Integrate systems into products & protocols
7. Roll out secure products
Who would store all encrypted data traffic? That must be expensive!
Long-lived systems
• Development time easily 10+ years
• Lifetime easily 10+ years
• At least make sure you got a secure update channel!
What about QKD?
Recall: Communication security (simplified)
1. Client → Shop: "Hi"
2. Shop → Client: pk, Cert(pk belongs to shop)
3. PKC to establish shared secret sk
4. SKC secured communication using sk
The problem solved by QKD
Given
• a shared classical secret,
• a physical channel between parties that supports QKD
• compatible QKD devices on both ends of the channel
It is possible to
• generate a longer shared classical secret.
"Key growing" (≠ "Key establishment")
Solution to the problem caused by Shor?
Post-quantum cryptography
How to build PKC (revisited)
(Computationally) hard problem → PKC scheme
• Classical hard problems: RSA, DL, QR, DDH
• Schemes built on them: RSA-OAEP, ECDSA, DH-KE
Replace the starting point with a (computationally) quantum-hard problem.
Early post-quantum crypto
„Cryptography based on problems that are conjectured to be hard even for quantum computers.“
[Figure: one icon per problem family (lattice points, hash digests, a code matrix, a multivariate system)]
• Lattice-based: SVP / CVP
• Hash-based: CR / SPR / ...
• Code-based: SD
• Multivariate: MQ
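The hash-based family on the slide rests on nothing but the hash function properties listed (one-wayness, second-preimage resistance), so it sidesteps Shor entirely. As an added example that is not part of the deck, here is the simplest such scheme, a Lamport one-time signature over SHA-256 digests; the code is an illustration written for this page, not Hülsing's or any standard's implementation, and the final helper exists to show the scheme's defining caveat: each key pair must sign exactly one message.

```python
"""Lamport one-time signature: the simplest hash-based scheme.
Added illustration, not code from the slides; security rests only on the
hash's one-wayness / second-preimage resistance (SPR), with no number theory
for Shor to exploit."""
import hashlib
import secrets

N_BITS = 256                                  # we sign SHA-256 digests


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def lamport_keygen():
    """sk: 2 * 256 random 32-byte preimages; pk: their hashes, in the same layout."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N_BITS)]
    pk = [(H(x0), H(x1)) for x0, x1 in sk]
    return sk, pk


def message_bits(msg: bytes):
    """Bits of SHA-256(msg), most significant first."""
    d = int.from_bytes(H(msg), "big")
    return [(d >> (N_BITS - 1 - i)) & 1 for i in range(N_BITS)]


def lamport_sign(sk, msg: bytes):
    """Reveal, for each digest bit, the preimage selected by that bit."""
    return [sk[i][b] for i, b in enumerate(message_bits(msg))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    """Hash each revealed preimage and compare with the pk entry the bit selects."""
    if len(sig) != N_BITS:
        return False
    return all(H(sig[i]) == pk[i][b] for i, b in enumerate(message_bits(msg)))


def preimages_exposed_by_reuse(msg1: bytes, msg2: bytes) -> int:
    """Why the scheme is one-time: at every position where the two digests
    differ, signing both messages makes both preimages public, so the key
    no longer commits the signer to anything at that position."""
    return sum(a != b for a, b in zip(message_bits(msg1), message_bits(msg2)))


if __name__ == "__main__":
    sk, pk = lamport_keygen()                  # constructed demo key pair
    sig = lamport_sign(sk, b"firmware-1.2.3.bin")
    print("valid:", lamport_verify(pk, b"firmware-1.2.3.bin", sig))
    print("tampered:", lamport_verify(pk, b"firmware-1.2.4.bin", sig))
```

Sizes follow directly from the layout: 256 × 2 × 32 bytes = 16 KiB per key and 256 × 32 bytes = 8 KiB per signature, which is the "performance" side of the security/performance conflict later in the deck. Many-time hash-based schemes (Merkle trees over many one-time keys) trade extra hashing for a single small public key; the one-time restriction shown by the last function is the state that such schemes must manage.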
Modern post-quantum crypto
„Users using cryptography on conventional computers facing quantum adversaries“
Adds questions like
• How to argue security?
• Are our security models sound?
• What is the complexity of actual quantum attacks?
NIST Competition
“We see our role as managing a process of achieving community consensus in a transparent and timely manner” NIST’s Dustin Moody 2018
Status of the competition
• Nov 2017: 82 submissions collected
• Dec 2017: 69 "complete & proper" proposals published
  • Starts round 1 (of 2 or 3 rounds)
• Jan 2019: 26 proposals selected for the 2nd round
  • 17 KEM, 9 signature
• 2022 – 2024: draft standards exist
General conflict
Security ↔ Performance
Open questions
Proofs are complicated
Possible issues with "proofs"
"Security proof" = proof that breaking the scheme is as hard as solving a hard math problem
• Some proofs are in the wrong models
• Some proofs are massively loose
• Some proofs are just wrong
In PQC we have to deal with new math, new models of computation & security!
Way out?
• Reviewing is hard, time-consuming, and not rewarding
• Possible solution: Computer-verified proofs
Protocol integration
Plug'n'play?
• Today's protocols are built around DH
• NIST selects KEM and DSig
• Performance gap between SKC and PKC widens
• Efficient schemes are less mature than today's crypto
• Requires new protocol design
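Why "built around DH" versus "NIST selects KEM" matters for protocol integration, and how the simplified handshake from earlier in the deck (Hi → pk → PKC establishes sk → SKC traffic) maps onto a KEM, as an added example that is not part of the deck: in a DH protocol both sides contribute a group element and the roles are symmetric; with a KEM the holder of the long-term pk has to go first and the other side answers with a ciphertext. The code below is written for this page, not taken from the slides or any standard. The KEM it uses is a deliberately tiny modular-exponentiation toy (the constants P and G are assumptions, and the construction is itself a DL instance, i.e. exactly what Shor breaks), present only to give the keygen/encaps/decaps interface a concrete body; the SKE and MAC are likewise illustrative SHA-256/HMAC constructions rather than a production AEAD.

```python
"""KEM-shaped version of the slides' simplified handshake.
Added illustration, not code from the slides or any standard. The KEM is a
toy over a tiny group and is NOT secure; it exists only to show the
keygen/encaps/decaps interface and how the Hi / pk / ct / SKC flow uses it."""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1   # ASSUMPTION: toy modulus, far too small for real use
G = 3                # ASSUMPTION: toy base element


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def kdf(shared: int, ct: int, pk: int) -> bytes:
    """Bind the session key to the transcript values ct and pk (standard KEM hygiene)."""
    data = b"|".join(str(v).encode() for v in (shared, ct, pk))
    return h(b"toy-kem" + data)


def kem_keygen():
    """Shop's long-term key pair: sk stays private, pk goes into the certificate."""
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)


def kem_encaps(pk: int):
    """Client side: needs only pk, returns (ciphertext, shared secret)."""
    r = secrets.randbelow(P - 2) + 1
    ct = pow(G, r, P)
    return ct, kdf(pow(pk, r, P), ct, pk)


def kem_decaps(sk: int, pk: int, ct: int) -> bytes:
    """Shop side: recovers the same shared secret from sk and the ciphertext."""
    return kdf(pow(ct, sk, P), ct, pk)


# --- SKC stage (SKE + MAC from the slides); toy constructions for illustration ---
def derive_keys(k: bytes):
    """Separate encryption and MAC keys from the KEM output."""
    return h(b"enc" + k), h(b"mac" + k)


def ske_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from SHA-256; encrypt and decrypt are the same operation."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = h(key + nonce + (i // 32).to_bytes(4, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def client_send(k: bytes, message: bytes):
    enc_key, mac_key = derive_keys(k)
    nonce = secrets.token_bytes(12)
    c = ske_xor(enc_key, nonce, message)
    tag = hmac.new(mac_key, nonce + c, hashlib.sha256).digest()
    return nonce, c, tag


def shop_receive(k: bytes, nonce: bytes, c: bytes, tag: bytes) -> bytes:
    """MAC.Vrfy first, then decrypt; a bad tag rejects the message outright."""
    enc_key, mac_key = derive_keys(k)
    expected = hmac.new(mac_key, nonce + c, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("MAC check failed: message rejected")
    return ske_xor(enc_key, nonce, c)


def run_handshake(message: bytes):
    """Hi -> pk -> PKC establishes k -> SKC-protected message. Returns (keys_match, plaintext)."""
    shop_sk, shop_pk = kem_keygen()            # Cert(pk belongs to shop) assumed already checked
    ct, k_client = kem_encaps(shop_pk)         # client: one message carries the encapsulation
    k_shop = kem_decaps(shop_sk, shop_pk, ct)  # shop: same k, no second round trip needed
    nonce, c, tag = client_send(k_client, message)
    return k_client == k_shop, shop_receive(k_shop, nonce, c, tag)


if __name__ == "__main__":
    print(run_handshake(b"order: 1 widget"))   # constructed sample message
```

Swapping the toy for a standardized KEM changes only `kem_keygen`, `kem_encaps` and `kem_decaps`; the handshake shape stays. What does not carry over from DH-based designs is anything that relied on both parties contributing ephemeral values in the same message, or on small key and ciphertext sizes, which is the "requires new protocol design" bullet above.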
Conclusion
• When large-scale quantum computers (QC) are built, we need new PKC
• It remains a question of risk assessment
• We are making progress on standardizing PQC, but we still need time
  • (For applications with long-term secrecy requirements you can move now, at the price of higher costs)
Resources
• PQ Summer School: http://www.pqcschool.org/
• NIST PQC Standardization Project: https://csrc.nist.gov/Projects/Post-Quantum-Cryptography
Thank you!
Questions?