getting post-quantum crypto algorithms ready for deployment · 2013-03-25 · code-based...
TRANSCRIPT
Tim Güneysu Hardware Security Group Horst Görtz Institute for IT-Security, Bochum
1/24/2013
Getting Post-Quantum Crypto Algorithms Ready for Deployment
End of ECRYPT II Event: Crypto for 2020
Outline
• Introduction
• Alternative Public-Key Cryptosystems (APKC)
• Practical Considerations of APKCs
• Case Studies on Lattice-based Cryptography
• Conclusions
Public-Key Crypto – Situation Today
• PKCs used in practice are in fact RSA and ECC
• Underlying problems (factorization/dlog) are both closely related
• As learned from Tanja‘s talk yesterday, both are dead when quantum-computing comes into play
Public-Key Crypto – A Wishlist
• Add some alternative PK-cryptosystems to our basket
• Security reductions based on known hard problems
• No possible poly-time attack algorithms (e.g., Shor) with quantum computers
• Efficiency in implementations comparable to RSA and ECC
Outline
• Introduction
• Alternative Public-Key Cryptosystems (APKC)
• Practical Considerations of APKCs
• Case Studies on Lattice-based Cryptography
• Conclusions
Alternative Public-Key Cryptography
• Four main branches of post-quantum crypto:
– Code-based
– Hash-based
– Multivariate-quadratic
– Lattice-based
• Can potentially provide PK encryption
and/or signature schemes
Alternative Public-Key Cryptography (APKC)
• But: Why haven‘t we seen any APKC in real-world systems yet?
– Many constructions are too novel and hardly analyzed/not mature enough
– Potential of possible attacks is not fully captured yet
– No concrete instances/parameters given
– Implementations of „secure“ instances seem to be much too huge and/or slow
– Skeptics still like to keep ECC/RSA or just don‘t believe in quantum computers
Alternative Public-Key Cryptography (APKC)
• How to get APKCs ready for deployment?
– Pick APKCs for which sufficient confidence of security and defined instances/parameters exist
– Make sure their description is comprehensible for implementers
– Evaluate efficiency of APKC implementations in particular on constrained embedded devices
– Disseminate APKCs to crypto libraries and (international) standards
Outline
• Introduction
• Alternative Public-Key Cryptosystems (APKC)
• Practical Considerations of APKCs
– Code-based Cryptography
– Hash-based Cryptography
– Multivariate-Quadratic-based Cryptography
– Lattice-based Cryptography
• Conclusions
Disclaimer Slide
A Word of Warning…
The following overview on PQC systems does not claim to be complete.
It rather focusses on selected systems that are suitable to provide evidence on • Activities within each PQC branch
• Good and (some) bad constructions
• Constructions that provide concrete instances or only “some” parameters
• Constructions that provide efficient instances
Some (important) parameters are also omitted from some slides
See http://pqcrypto.org for more works and definitions
Code-based Cryptography – Basics
Hard problem(s): decoding a syndrome/random linear code
Principle:
• Hide the code generating matrix G by multiplication with permutation P and a scrambling matrix S (remark: the latter is not required in all cases) Public Key G’=SGP
• Add errors e during cryptographic operation
• Decoding is only efficiently possible if the generator matrix is known Secret Key G
The general concept of “decoding with errors” is also picked up by other constructions (e.g., in lattice-based crypto)
Code-based Encryption Schemes
McEliece [M78] Niederreiter [N86]
Taxonomy of Code-based Encryption
Generalized Reed-Solomon
Goppa
Reed Muller
Concatenated
Turbo/LDCP/MDCP Srivastava
Elliptic
Code-based Encryption Schemes
McEliece [M78] Niederreiter [N86]
Taxonomy of Code-based Encryption
Generalized Reed-Solomon
Goppa
Reed Muller
Concatenated
Srivastava
Elliptic
Turbo/LDCP/MDCP
Code-based Encryption Schemes
McEliece [M78] Niederreiter [N86]
Taxonomy of Code-based Encryption
Key sizes for ≈ 80-bit equivalent symmetric security.
Generalized Reed-Solomon
Goppa
Reed Muller
Concatenated
Srivastava
Elliptic
Turbo/LDCP/MDCP PK: 0.6 kB SK: 180 B
PK: 63 kB SK: 2.5 kB
PK: 2.5 kB SK: 1.5 kB
Code-based Signature Schemes
Courtois, Finiasz, Sendrier (CFS) Signatures
Taxonomy of Code-based Signatures
Original [CFS01] Parallel CFS [F10]
Code-based Signature Schemes
Courtois, Finiasz, Sendrier (CFS) Signatures
Taxonomy of Code-based Signatures
Original [CFS01] Parallel CFS [F10]
Code-based Signature Schemes
Courtois, Finiasz, Sendrier (CFS) Signatures
Taxonomy of Code-based Signatures
Original [CFS01] Parallel CFS [F10]
PK: 5 MB SK: few kB Sig: < 0.5 KB
Key sizes for ≈ 80-bit equivalent symmetric security.
Key Aspects of Code-based Systems
Focus on encryption, signature schemes are less efficient Selection of underlying code is the most critical issue
• Structures in codes reduce key sizes, but often enable also attacks • Encoding is a very fast operation on most platforms (matrix multiplication) • Decoding is typically a more complex process (fast decoders are available)
Reasonably small public and private keys for encryption
Additional computational efforts on constant weight encoding algorithm for Niederreiter’s scheme
Encryption schemes are quite mature (McEliece proposed in ’78, Niederreiter ‘83) CCA2-conversion available
Hints on Efficiency: McEliece vs. Niederreiter
McEliece (using binary Goppa codes, 80 bit equiv. security)
• Existing implementations:
• PC (HyMES ‘08) : 140 cycles/bit enc. 2714 cycles/bit dec.
• AVR µC [EGH09] : 7200 cycles/bit enc. 11300 cycles/bit dec.
• FPGA [SWM+09] : 160 cycles/bit enc. 446 cycles/bit dec.
Niederreiter (using binary Goppa codes, 80 bit equiv. security)
• Existing implementations:
• PC (public domain) : returns a segfault (?)
• AVR µC [H11] : 267 cycles/bit enc 30000 cycles/bit dec.
• FPGA : see next slide
Implementation Results
Niederreiter
McEliece
[enc] [dec]
[enc] [dec]
Niederreiter [enc] [dec]
McEliece [enc] [dec]
Niederreiter [enc] [dec]
• Results on FPGAs for roughly 80 bit of equivalent symmetric security
• Parameter set (n=2048, k=1751, t=27) using Goppa codes
Outline
• Introduction
• Alternative Public-Key Cryptosystems (APKC)
• Practical Considerations of APKCs
– Code-based Cryptography
– Hash-based Cryptography
– Multivariate-Quadratic-based Cryptography
– Lattice-based Cryptography
• Conclusions
Hash-based Cryptography – Basics
Hard problem: find (second) preimages of cryptographic hash functions
Build OTS scheme using a cryptographic hash function
A Hash tree reduces many OTS public keys to a single root
Hash-based Signature Schemes
Merkle Signature Scheme MSS [Mer89]
CMSS [BCD+06]
W-OTS [Mer89, DSS05, RED+08]
LD-OTS [LD79]
XMSS [BDH11]
Taxonomy of Hash-based Signatures
GMSS [BDK+07]
SPR-MSS [DOTV08]
Hash-based Signature Schemes
MSS [Mer89]
CMSS [BCD+06]
W-OTS [Mer89,DSS05]
LD-OTS [LD79]
XMSS [BDH11]
Taxonomy of Hash-based Signatures
GMSS [BDK+07]
SPR-MSS [DOTV08]
Key sizes for ≈ 80-bit equivalent symmetric security (≈ 1M #Sigs)
H=16 PK: 16 Byte SK: 1.4 kB Sig: 2.29 kB
H=20 PK: 46 Byte SK: 1.86 kB Sig: 7 kB
H=20 PK: 0.93 kB SK: 152 Bit Sig: 8.31 kB
H=20 PK: 0.91 kB SK: 152 Bit Sig: 2.39 kB
Hash-based Encryption Schemes
Taxonomy of Hash-based Encryption
{ }
Key Aspects of Hash-based Systems
Only signature schemes available, no encryption
Moderate requirements for implementations • Second preimage (older schemes: collision) resistant hash function
• Pseudorandom functions for OTS (XMSS)
Hard limitation on the number of signatures per tree • Height of the tree determines max. # of signatures
(issue with DoS attacks for real-world systems)
• Requires track record of signatures already used (critical in untrusted environments!)
• Increasing tree height increases memory requirements and computational complexity
Implementation Results
Lots of hash functions available, but not many implementations of hash-based crypto
Results for XMSS with H=20 [BDH11] presented on PQCrypto 2011 Platform: Intel Core i5 [email protected]; Figure marked with (*) uses AES NI
Outline
• Introduction
• Alternative Public-Key Cryptosystems (APKC)
• Practical Considerations of APKCs
– Code-based Cryptography
– Hash-based Cryptography
– Multivariate-Quadratic-based Cryptography
– Lattice-based Cryptography
• Case Studies on Lattice-based Cryptography
• Conclusions
Multivariate-quadratic Cryptography – Basics
Hard problem: Find the solution for a set of MQ equations
Given F and P MQ maps and two linear maps S and T
P has no special structure and is large, therefore hard to invert
A special (secret) structure in F is necessary to allow easy inversion
This secret structure is hidden by mappings S and T
MQ-based Signature Schemes
Oil and Vinegar
Stepwise Triangular Systems (STS)
(C)UOV [KPG99, PTBW11]
Original OV [Pat97]
Hidden-Field Equations
Taxonomy of Multivariate-Quadratic Signatures
Matsumoto-Imai A
HFE(F) [Pat96]
HFE± HFEv HFEv- (Quartz)
(enhanced) TTS
Tractable Rational Maps
Rainbow
MIA [IM85]
C* [MI88]
Flash/SFlash [PGC01]
MQ-based Signature Schemes
Oil and Vinegar
Stepwise Triangular Systems (STS)
(C)UOV [KPG99, PTBW11]
Original OV [Pat97]
Hidden-Field Equations
Taxonomy of Multivariate-Quadratic Signatures
Matsumoto-Imai A
HFE(F) [Pat96]
HFE± HFEv HFEv- (Quartz)
(enhanced) TTS
Tractable Rational Maps
Rainbow
MIA [IM85]
C* [MI88]
Flash/SFlash [PGC01]
MQ-based Signature Schemes
Oil and Vinegar
Stepwise Triangular Systems (STS)
(C)UOV [PTBW11] Original OV [Pat97]
Hidden-Field Equations
Taxonomy of Multivariate-Quadratic Signatures
Matsumoto-Imai A
HFE(F) [Pat96]
HFE± HFEv HFEv- (Quartz)
(enhanced) TTS
Tractable Rational Maps
Rainbow
MIA [IM85]
C* [MI88]
Flash/SFlash [PGC01]
PK: 27.9 kB SK: 19.6 kB Sig: 256 Bit
Key sizes for ≈ 80-bit eqivalent symmetric security.
PK: 3.9 kB SK: 71 kB Sig: 128 Bit
PK: 8.9 kB SK: 75.3kB Sig: 624 Bit
PK: 49.6 kB SK: 4.5 kB Sig: 256 Bit
MQ Encryption Schemes
Taxonomy of Multivariate-Quadratic Encryption
{ }
Key Aspects of MQ-based Systems
Only signature schemes available, no encryption
Basic operations are efficient
• Mainly linear operations over finite field (e.g., Gaussian elimination)
• Operations are simple to implement on any platform
Large public and private key (but the latter is certainly more critical)
• Embedded microcontrollers/smart cards have <16 KB internal Flash
• High number of memory accesses required
• Extra external (permanent) memory for keys required
Sign
Verify
Some implementations of an 80-bit level of equivalent security targeting
an AVR microcontroller:
Comparison with
ECC/RSA on the
same platform
Implementation Results
Outline
• Introduction
• Alternative Public-Key Cryptosystems (APKC)
• Practical Considerations of APKCs
– Multivariate-Quadratic-based Cryptography
– Hash-based Cryptography
– Code-based Cryptography
– Lattice-based Cryptography
• Conclusions
Lattice-based Cryptography – Basics
• Hard problem: Shortest/Closest Vector Problem (SVP/CVP) in the worst case
• Typically thought to be – Unpractical but provably secure – Practical but without proof
(GGH/NTRU) – Lately: Ideal lattices can potentially combine both
• More constructions feasible beyond classical PKC: hash functions, PRFs, identity-based encryption, homomorphic encryption
Lattice-based Signature Schemes
Taxonomy of Lattice-based Signatures
NTRU Sign/GGH
Hash-and-sign
[GPV08]
[HPS01]
[HHGP+03] [GGH97]
Fiat-Shamir [FS86]
[Lyu09]
[Lyu12] [GLP12] [MP12]
Lattice-based Signature Schemes
Taxonomy of Lattice-based Signatures
NTRU Sign/GGH
Hash-and-sign
[GPV08]
[HPS01]
[HHGP+03]
[GS02]
[NR09]
[GGH97]
Fiat-Shamir
[Lyu09]
[Lyu12] [GLP12] [MP12]
Lattice-based Signature Schemes
Taxonomy of Lattice-based Signatures
NTRU Sign/GGH
Hash-and-sign
[GPV08]
[HPS01]
[HHGP+03]
[GS02]
[NR09]
[GGH97]
Fiat-Shamir
[Lyu09]
[Lyu12] [GLP12] [MP12]
PK: 44.1 kB
PK: 2 kB SK: 2 kB Sig: 6 kB
PK: 1.5 kB SK: 0.2 kB Sig: 1 kB
PK: 362 kB SK: 831 kB Sig: 2.3 kB
Note: Most proposed signatures do not come with parameters
Key sizes for medium security (roughly 128-bit?)
Lattice-based Encryption Schemes
Taxonomy of Lattice-based Encryption
NTRU
[HHHW09] [HPS98]
LWE-[Reg05]
Micciancio-Regev
[MR08]
Lindner-Peikert [LP10]
(R)-LWE
NTRU-Variant [SS11]
Standard Lattices
Ideal Lattices
Lattice-based Encryption Schemes
Taxonomy of Lattice-based Encryption
NTRU
[HHHW09] [HPS98]
LWE-[Reg05]
Micciancio-Regev
[MR08]
Lindner-Peikert [LP10]
(R)-LWE
NTRU-Variant [SS11]
Standard Lattices
Ideal Lattices
Lattice-based Encryption Schemes
Taxonomy of Lattice-based Encryption
NTRU
[HHHW09] [HPS98]
LWE-[Reg05]
Micciancio-Regev
[MR08]
Lindner-Peikert [LP10]
(R)-LWE
NTRU-Variant [SS11]
Standard Lattices
Ideal Lattices
x
Lattice-based Encryption Schemes
Taxonomy of Lattice-based Encryption
NTRU
[HHHW09] [HPS98]
LWE-[Reg05]
Micciancio-Regev
[MR08]
Lindner-Peikert [LP10]
(R)-LWE
NTRU-Variant [SS11]
Standard Lattices
Ideal Lattices
Key sizes for medium security (roughly 128-bit?)
x Standard: PK: 48 kB Msg: 0.5 kB Ideal: PK: 0.4 kB Msg: 0.81 kB
Standard: PK: 732 kB Msg: 0.3 kB
PK: 1.5 kB SK: 1.8 kB Msg: 1.5 kB
Key Aspects of Lattice-based Systems
Encryption and signature systems are both feasible • Undesired message expansion for LWE encryption • Rare decryption error probability in LWE encryption
Random Sampling not only from uniform but also from Gaussian
distributions (not trivial)
Most underlying operations are efficient and parallizable • (Ideal lattices) Make use of FFT for polynomial multiplication • (Standard lattices) Matrix-vector arithmetic
Reasonably large public and private keys • True for encryption/signatures constructions • Unclear for more complex services such as homomorphic/IBE
Outline
• Introduction
• Alternative Public-Key Cryptosystems (APKC)
• Practical Considerations of APKCs
• Case Studies on Lattice-based Cryptography
• Conclusions
Case Study #1: LWE-Encryption
CPA-secure public key encryption scheme for standard and ideal lattices introduced by Lindner and Peikert in 2010.
GEN(a): KeyGen(a): Choose 𝑟1, 𝑟2 ← 𝜒 from a small Gaussian distribution and let 𝑝 = 𝑟1 − 𝑎 ∙ 𝑟2. Public key 𝒑 and secret key 𝒓𝟐.
ENC(a,p,m): choose 𝑒1, 𝑒2, 𝑒3 ← 𝜒. Let 𝑚 = encode(𝑚) in 𝑅𝑝. The ciphertext is 𝑐1 = 𝑎 ∙ 𝑒1+ 𝑒2, 𝑐2 = 𝑝 ∙ 𝑒1+ 𝑒3+𝑚
DEC((c1,c2),r2): output decode(c1 ∙ r2+c2)
Review of Operations: - Polynomial multiplication - Gaussian sampling
Implementation Aspects and Results
One message bit is encoded using a threshhold scheme into one coefficient (𝟎 ⇒ 𝟎, 𝟏 ⇒ q/2) (rare) probability of (yet unhandled) decryption errors
Performance results for LWE-Encryption [GFSHB12]
• Intel/AMD Core 2 [email protected] GHz: • 195ms keygen/ 1.52ms enc/ 0.57 ms dec reasonably fast (but uses only NTL)
• Hardware (using a very very expensive FPGAs): • Virtex-7 2000T: 320816 LUTs/ 143396 registers/ ~8µs enc
Virtex-7 2000T: 124265LUTs/ 65174 registers/ ~8µs dec much too costly
Case Study #2: An Improved Signature Schemes on Ideal Lattices
• Signature scheme by Lyubashevsky [Lyu12] provable secure in random oracle model (ROM)
• Efficiency improvement by a different hardness assumption: (Decisional) Ring-LWE with “aggressive” parameters
• Internal values s1,s2 only have -1/0/1 coefficients instead of using a Gaussian distribution (like in [LPR10]), for other values uniform distributions are sufficient
Signing and Verification [GLP12]
• GEN
1. Pick a from 𝑅 = 𝑍𝑝[𝑥]/(xn+1) and s1,s2 from subset R1. Compute t = as1+s2
2. Secret key sk = (s1,s2), Public key pk = (a, t)
• SIGN(m,sk)
1. Pick y1,y2 from uniformly sampled distribution 𝑅𝑘 from [-k,k]
2. c=H(Transform(r=ay1+y2),m)
3. z1=s1c+y1, z2=s2c+y2
4. If z1, z2 not in 𝑅k-32 goto 1.
5. z2‘=Compress(ay1+y2-z2,z2,p, k-32)
6. Return σ=(z1, z2‘, c)
Review of Operations: - Polynomial multiplication
in steps 2,3 (sign), 2 (verify)
- Aggressive signature size reduction by
- Hashing of high-order bits (transform/compress)
- Rejection step (only for signing)
• VER(σ=(z1,z2‘,c),pk=(a,t), m)
1. If z1,z2‘ not in Rk-32 reject
2. If c=H(Transform(az1+z2‘-tc), m)
then accept
else reject
Implementation Results
Lattice-based Signature [GLP12]
Implementations on reconfigurable hardware
Parameters (p=8383489, n=512, k=214)
Lattice-based -Cryptography: Research Directions and Future Work
More cryptanalysis on lattice-based constructions
FFT/NTT techniques to accelerate polynomial multiplication
in 𝑅 = 𝑍𝑝[𝑥]/(xn+1) (required by many lattice-based schemes)
High-speed implementations targeting specific processor instruction sets (vector units, FFT/MAC instructions)
Efficient Gaussian sampling on constrained devices
Implementation and acceleration of high-level constructions like homomorphic encryption or IBE
CCA2-secure conversions for encryption schemes
Outline
• Introduction
• Alternative Public-Key Cryptosystems (APKC)
• Practical Considerations of APKCs
• Case Studies on Lattice-based Cryptography
• Conclusions
Conclusions
• Looking back at the four branches of PQC…
– Code-based encryption schemes are the most mature and practical APKCs today
– But lattice-based cryptography looks very promising
• For deployment in real-world systems, we need to
– Need many more (solid) implementations for efficiency evaluation
– Investigate physical security aspects of PQC
– Standardize parameters and instances
Tim Güneysu Hardware Security Group Horst Görtz Institute for IT-Security, Bochum
1/24/2013
Getting Post-Quantum Crypto Algorithms Ready for Deployment
End of ECRYPT II Event: Crypto for 2020
Questions?