getting post-quantum crypto algorithms ready for deployment · 2013-03-25 · code-based...

Tim Güneysu Hardware Security Group Horst Görtz Institute for IT-Security, Bochum

1/24/2013

Getting Post-Quantum Crypto Algorithms Ready for Deployment

End of ECRYPT II Event: Crypto for 2020

Outline

• Introduction

• Alternative Public-Key Cryptosystems (APKC)

• Practical Considerations of APKCs

• Case Studies on Lattice-based Cryptography

• Conclusions

Public-Key Crypto – Situation Today

• PKCs used in practice are in fact RSA and ECC

• Underlying problems (factorization/dlog) are both closely related

• As learned from Tanja‘s talk yesterday, both are dead when quantum-computing comes into play

Public-Key Crypto – A Wishlist

• Add some alternative PK-cryptosystems to our basket

• Security reductions based on known hard problems

• No possible poly-time attack algorithms (e.g., Shor) with quantum computers

• Efficiency in implementations comparable to RSA and ECC

Outline

• Introduction




• Conclusions

Alternative Public-Key Cryptography

• Four main branches of post-quantum crypto:

– Code-based

– Hash-based

– Multivariate-quadratic

– Lattice-based

• Can potentially provide PK encryption

and/or signature schemes

Alternative Public-Key Cryptography (APKC)

• But: Why haven‘t we seen any APKC in real-world systems yet?

– Many constructions are too novel and hardly analyzed/not mature enough

– Potential of possible attacks is not fully captured yet

– No concrete instances/parameters given

– Implementations of „secure“ instances seem to be much too huge and/or slow

– Skeptics still like to keep ECC/RSA or just don‘t believe in quantum computers

Alternative Public-Key Cryptography (APKC)

• How to get APKCs ready for deployment?

– Pick APKCs for which sufficient confidence of security and defined instances/parameters exist

– Make sure their description is comprehensible for implementers

– Evaluate efficiency of APKC implementations in particular on constrained embedded devices

– Disseminate APKCs to crypto libraries and (international) standards

Outline

• Introduction



– Code-based Cryptography

– Hash-based Cryptography

– Multivariate-Quadratic-based Cryptography

– Lattice-based Cryptography

• Conclusions

Disclaimer Slide

A Word of Warning…

The following overview on PQC systems does not claim to be complete.

It rather focusses on selected systems that are suitable to provide evidence on • Activities within each PQC branch

• Good and (some) bad constructions

• Constructions that provide concrete instances or only “some” parameters

• Constructions that provide efficient instances

Some (important) parameters are also omitted from some slides

See http://pqcrypto.org for more works and definitions

http://pqcrypto.org/

Code-based Cryptography – Basics

Hard problem(s): decoding a syndrome/random linear code

Principle:

• Hide the code generating matrix G by multiplication with permutation P and a scrambling matrix S (remark: the latter is not required in all cases) Public Key G’=SGP

• Add errors e during cryptographic operation

• Decoding is only efficiently possible if the generator matrix is known Secret Key G

The general concept of “decoding with errors” is also picked up by other constructions (e.g., in lattice-based crypto)

Code-based Encryption Schemes

McEliece [M78] Niederreiter [N86]

Taxonomy of Code-based Encryption

Generalized Reed-Solomon

Goppa

Reed Muller

Concatenated

Turbo/LDCP/MDCP Srivastava

Elliptic





Goppa

Reed Muller

Concatenated

Srivastava

Elliptic

Turbo/LDCP/MDCP




Key sizes for ≈ 80-bit equivalent symmetric security.


Goppa

Reed Muller

Concatenated

Srivastava

Elliptic

Turbo/LDCP/MDCP PK: 0.6 kB SK: 180 B

PK: 63 kB SK: 2.5 kB

PK: 2.5 kB SK: 1.5 kB

Code-based Signature Schemes

Courtois, Finiasz, Sendrier (CFS) Signatures

Taxonomy of Code-based Signatures

Original [CFS01] Parallel CFS [F10]

Code-based Signature Schemes

Courtois, Finiasz, Sendrier (CFS) Signatures

Taxonomy of Code-based Signatures

Original [CFS01] Parallel CFS [F10]

PK: 5 MB SK: few kB Sig: < 0.5 KB

Key sizes for ≈ 80-bit equivalent symmetric security.

Key Aspects of Code-based Systems

Focus on encryption, signature schemes are less efficient Selection of underlying code is the most critical issue

• Structures in codes reduce key sizes, but often enable also attacks • Encoding is a very fast operation on most platforms (matrix multiplication) • Decoding is typically a more complex process (fast decoders are available)

Reasonably small public and private keys for encryption

Additional computational efforts on constant weight encoding algorithm for Niederreiter’s scheme

Encryption schemes are quite mature (McEliece proposed in ’78, Niederreiter ‘83) CCA2-conversion available

Hints on Efficiency: McEliece vs. Niederreiter

McEliece (using binary Goppa codes, 80 bit equiv. security)

• Existing implementations:

• PC (HyMES ‘08) : 140 cycles/bit enc. 2714 cycles/bit dec.

• AVR µC [EGH09] : 7200 cycles/bit enc. 11300 cycles/bit dec.

• FPGA [SWM+09] : 160 cycles/bit enc. 446 cycles/bit dec.

Niederreiter (using binary Goppa codes, 80 bit equiv. security)

• Existing implementations:

• PC (public domain) : returns a segfault (?)

• AVR µC [H11] : 267 cycles/bit enc 30000 cycles/bit dec.

• FPGA : see next slide

Implementation Results

Niederreiter

McEliece

[enc] [dec]

[enc] [dec]

Niederreiter [enc] [dec]

McEliece [enc] [dec]

Niederreiter [enc] [dec]

• Results on FPGAs for roughly 80 bit of equivalent symmetric security

• Parameter set (n=2048, k=1751, t=27) using Goppa codes

Outline

• Introduction







• Conclusions

Hash-based Cryptography – Basics

Hard problem: find (second) preimages of cryptographic hash functions

Build OTS scheme using a cryptographic hash function

A Hash tree reduces many OTS public keys to a single root

Hash-based Signature Schemes

Merkle Signature Scheme MSS [Mer89]

CMSS [BCD+06]

W-OTS [Mer89, DSS05, RED+08]

LD-OTS [LD79]

XMSS [BDH11]

Taxonomy of Hash-based Signatures

GMSS [BDK+07]

SPR-MSS [DOTV08]

Hash-based Signature Schemes

MSS [Mer89]

CMSS [BCD+06]

W-OTS [Mer89,DSS05]

LD-OTS [LD79]

XMSS [BDH11]

Taxonomy of Hash-based Signatures

GMSS [BDK+07]

SPR-MSS [DOTV08]

Key sizes for ≈ 80-bit equivalent symmetric security (≈ 1M #Sigs)

H=16 PK: 16 Byte SK: 1.4 kB Sig: 2.29 kB

H=20 PK: 46 Byte SK: 1.86 kB Sig: 7 kB

H=20 PK: 0.93 kB SK: 152 Bit Sig: 8.31 kB

H=20 PK: 0.91 kB SK: 152 Bit Sig: 2.39 kB

Hash-based Encryption Schemes

Taxonomy of Hash-based Encryption

{ }

Key Aspects of Hash-based Systems

Only signature schemes available, no encryption

Moderate requirements for implementations • Second preimage (older schemes: collision) resistant hash function

• Pseudorandom functions for OTS (XMSS)

Hard limitation on the number of signatures per tree • Height of the tree determines max. # of signatures

(issue with DoS attacks for real-world systems)

• Requires track record of signatures already used (critical in untrusted environments!)

• Increasing tree height increases memory requirements and computational complexity


Lots of hash functions available, but not many implementations of hash-based crypto

Results for XMSS with H=20 [BDH11] presented on PQCrypto 2011 Platform: Intel Core i5 [email protected]; Figure marked with (*) uses AES NI

Outline

• Introduction








• Conclusions

Multivariate-quadratic Cryptography – Basics

Hard problem: Find the solution for a set of MQ equations

Given F and P MQ maps and two linear maps S and T

P has no special structure and is large, therefore hard to invert

A special (secret) structure in F is necessary to allow easy inversion

This secret structure is hidden by mappings S and T

MQ-based Signature Schemes

Oil and Vinegar

Stepwise Triangular Systems (STS)

(C)UOV [KPG99, PTBW11]

Original OV [Pat97]

Hidden-Field Equations

Taxonomy of Multivariate-Quadratic Signatures

Matsumoto-Imai A

HFE(F) [Pat96]

HFE± HFEv HFEv- (Quartz)

(enhanced) TTS

Tractable Rational Maps

Rainbow

MIA [IM85]

C* [MI88]

Flash/SFlash [PGC01]

MQ-based Signature Schemes

Oil and Vinegar

Stepwise Triangular Systems (STS)

(C)UOV [PTBW11] Original OV [Pat97]

Hidden-Field Equations

Taxonomy of Multivariate-Quadratic Signatures

Matsumoto-Imai A

HFE(F) [Pat96]

HFE± HFEv HFEv- (Quartz)

(enhanced) TTS

Tractable Rational Maps

Rainbow

MIA [IM85]

C* [MI88]

Flash/SFlash [PGC01]

PK: 27.9 kB SK: 19.6 kB Sig: 256 Bit

Key sizes for ≈ 80-bit eqivalent symmetric security.

PK: 3.9 kB SK: 71 kB Sig: 128 Bit

PK: 8.9 kB SK: 75.3kB Sig: 624 Bit

PK: 49.6 kB SK: 4.5 kB Sig: 256 Bit

MQ Encryption Schemes

Taxonomy of Multivariate-Quadratic Encryption

{ }

Key Aspects of MQ-based Systems

Only signature schemes available, no encryption

Basic operations are efficient

• Mainly linear operations over finite field (e.g., Gaussian elimination)

• Operations are simple to implement on any platform

Large public and private key (but the latter is certainly more critical)

• Embedded microcontrollers/smart cards have <16 KB internal Flash

• High number of memory accesses required

• Extra external (permanent) memory for keys required

Sign

Verify

Some implementations of an 80-bit level of equivalent security targeting

an AVR microcontroller:

Comparison with

ECC/RSA on the

same platform


Outline

• Introduction







• Conclusions

Lattice-based Cryptography – Basics

• Hard problem: Shortest/Closest Vector Problem (SVP/CVP) in the worst case

• Typically thought to be – Unpractical but provably secure – Practical but without proof

(GGH/NTRU) – Lately: Ideal lattices can potentially combine both

• More constructions feasible beyond classical PKC: hash functions, PRFs, identity-based encryption, homomorphic encryption

Lattice-based Signature Schemes

Taxonomy of Lattice-based Signatures

NTRU Sign/GGH

Hash-and-sign

[GPV08]

[HPS01]

[HHGP+03] [GGH97]

Fiat-Shamir [FS86]

[Lyu09]

[Lyu12] [GLP12] [MP12]



NTRU Sign/GGH

Hash-and-sign

[GPV08]

[HPS01]

[HHGP+03]

[GS02]

[NR09]

[GGH97]

Fiat-Shamir

[Lyu09]

[Lyu12] [GLP12] [MP12]



NTRU Sign/GGH

Hash-and-sign

[GPV08]

[HPS01]

[HHGP+03]

[GS02]

[NR09]

[GGH97]

Fiat-Shamir

[Lyu09]

[Lyu12] [GLP12] [MP12]

PK: 44.1 kB

PK: 2 kB SK: 2 kB Sig: 6 kB

PK: 1.5 kB SK: 0.2 kB Sig: 1 kB

PK: 362 kB SK: 831 kB Sig: 2.3 kB

Note: Most proposed signatures do not come with parameters

Key sizes for medium security (roughly 128-bit?)

Lattice-based Encryption Schemes

Taxonomy of Lattice-based Encryption

NTRU

[HHHW09] [HPS98]

LWE-[Reg05]

Micciancio-Regev

[MR08]

Lindner-Peikert [LP10]

(R)-LWE

NTRU-Variant [SS11]

Standard Lattices

Ideal Lattices



NTRU

[HHHW09] [HPS98]

LWE-[Reg05]

Micciancio-Regev

[MR08]


(R)-LWE

NTRU-Variant [SS11]

Standard Lattices

Ideal Lattices

x



NTRU

[HHHW09] [HPS98]

LWE-[Reg05]

Micciancio-Regev

[MR08]


(R)-LWE

NTRU-Variant [SS11]

Standard Lattices

Ideal Lattices

Key sizes for medium security (roughly 128-bit?)

x Standard: PK: 48 kB Msg: 0.5 kB Ideal: PK: 0.4 kB Msg: 0.81 kB

Standard: PK: 732 kB Msg: 0.3 kB

PK: 1.5 kB SK: 1.8 kB Msg: 1.5 kB

Key Aspects of Lattice-based Systems

Encryption and signature systems are both feasible • Undesired message expansion for LWE encryption • Rare decryption error probability in LWE encryption

Random Sampling not only from uniform but also from Gaussian

distributions (not trivial)

Most underlying operations are efficient and parallizable • (Ideal lattices) Make use of FFT for polynomial multiplication • (Standard lattices) Matrix-vector arithmetic

Reasonably large public and private keys • True for encryption/signatures constructions • Unclear for more complex services such as homomorphic/IBE

Outline

• Introduction




• Conclusions

Case Study #1: LWE-Encryption

CPA-secure public key encryption scheme for standard and ideal lattices introduced by Lindner and Peikert in 2010.

GEN(a): KeyGen(a): Choose 𝑟1, 𝑟2 ← 𝜒 from a small Gaussian distribution and let 𝑝 = 𝑟1 − 𝑎 ∙ 𝑟2. Public key 𝒑 and secret key 𝒓𝟐.

ENC(a,p,m): choose 𝑒1, 𝑒2, 𝑒3 ← 𝜒. Let 𝑚 = encode(𝑚) in 𝑅𝑝. The ciphertext is 𝑐1 = 𝑎 ∙ 𝑒1+ 𝑒2, 𝑐2 = 𝑝 ∙ 𝑒1+ 𝑒3+𝑚

DEC((c1,c2),r2): output decode(c1 ∙ r2+c2)

Review of Operations: - Polynomial multiplication - Gaussian sampling

Implementation Aspects and Results

One message bit is encoded using a threshhold scheme into one coefficient (𝟎 ⇒ 𝟎, 𝟏 ⇒ q/2) (rare) probability of (yet unhandled) decryption errors

Performance results for LWE-Encryption [GFSHB12]

• Intel/AMD Core 2 [email protected] GHz: • 195ms keygen/ 1.52ms enc/ 0.57 ms dec reasonably fast (but uses only NTL)

• Hardware (using a very very expensive FPGAs): • Virtex-7 2000T: 320816 LUTs/ 143396 registers/ ~8µs enc

Virtex-7 2000T: 124265LUTs/ 65174 registers/ ~8µs dec much too costly

Case Study #2: An Improved Signature Schemes on Ideal Lattices

• Signature scheme by Lyubashevsky [Lyu12] provable secure in random oracle model (ROM)

• Efficiency improvement by a different hardness assumption: (Decisional) Ring-LWE with “aggressive” parameters

• Internal values s1,s2 only have -1/0/1 coefficients instead of using a Gaussian distribution (like in [LPR10]), for other values uniform distributions are sufficient

Signing and Verification [GLP12]

• GEN

1. Pick a from 𝑅 = 𝑍𝑝[𝑥]/(xn+1) and s1,s2 from subset R1. Compute t = as1+s2

2. Secret key sk = (s1,s2), Public key pk = (a, t)

• SIGN(m,sk)

1. Pick y1,y2 from uniformly sampled distribution 𝑅𝑘 from [-k,k]

2. c=H(Transform(r=ay1+y2),m)

3. z1=s1c+y1, z2=s2c+y2

4. If z1, z2 not in 𝑅k-32 goto 1.

5. z2‘=Compress(ay1+y2-z2,z2,p, k-32)

6. Return σ=(z1, z2‘, c)

Review of Operations: - Polynomial multiplication

in steps 2,3 (sign), 2 (verify)

- Aggressive signature size reduction by

- Hashing of high-order bits (transform/compress)

- Rejection step (only for signing)

• VER(σ=(z1,z2‘,c),pk=(a,t), m)

1. If z1,z2‘ not in Rk-32 reject

2. If c=H(Transform(az1+z2‘-tc), m)

then accept

else reject


Lattice-based Signature [GLP12]

Implementations on reconfigurable hardware

Parameters (p=8383489, n=512, k=214)

Lattice-based -Cryptography: Research Directions and Future Work

More cryptanalysis on lattice-based constructions

FFT/NTT techniques to accelerate polynomial multiplication

in 𝑅 = 𝑍𝑝[𝑥]/(xn+1) (required by many lattice-based schemes)

High-speed implementations targeting specific processor instruction sets (vector units, FFT/MAC instructions)

Efficient Gaussian sampling on constrained devices

Implementation and acceleration of high-level constructions like homomorphic encryption or IBE

CCA2-secure conversions for encryption schemes

Outline

• Introduction




• Conclusions

Conclusions

• Looking back at the four branches of PQC…

– Code-based encryption schemes are the most mature and practical APKCs today

– But lattice-based cryptography looks very promising

• For deployment in real-world systems, we need to

– Need many more (solid) implementations for efficiency evaluation

– Investigate physical security aspects of PQC

– Standardize parameters and instances

Tim Güneysu Hardware Security Group Horst Görtz Institute for IT-Security, Bochum

1/24/2013

Getting Post-Quantum Crypto Algorithms Ready for Deployment

End of ECRYPT II Event: Crypto for 2020

Questions?

getting post-quantum crypto algorithms ready for deployment · 2013-03-25 · code-based...

Documents