8/30/17
Introduction to Post-Quantum Cryptography
CERG @ GMU
http://cryptography.gmu.edu
10 PhD students
3 MS students

Features Required from Today’s Ciphers
FUNCTIONALITY
• easy key distribution
• digital signatures
STRENGTH
PERFORMANCE
• software
• hardware

Secret-key (Symmetric) Ciphers
[Diagram: Alice encrypts and Bob decrypts across the network; both use the key of Alice and Bob, KAB]
Most Popular Standards: AES, Triple DES

Features of Secret-Key Ciphers
FUNCTIONALITY
• easy key distribution
• digital signatures
STRENGTH
PERFORMANCE
• software
• hardware
Best attack: Exhaustive-key search, 2^k trials for a k-bit key
Primary Application: Bulk data encryption

Public-key (Asymmetric) Ciphers
[Diagram: Alice encrypts with the public key of Bob, KB; the ciphertext crosses the network; Bob decrypts with the private key of Bob, kB]
Most Popular Standards: RSA, Elliptic Curve Cryptography (ECC)
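
Digital Signature Schemes
[Diagram: Alice passes the message through a hash function and applies the public key cipher with Alice’s private key to the hash value to produce the signature. Bob receives the message and signature, passes the message through the hash function (hash value 1), applies the public key cipher with Alice’s public key to the signature (hash value 2), and compares the two hash values: yes / no]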

Features of Public-Key Ciphers
FUNCTIONALITY
• easy key distribution
• digital signatures
STRENGTH
PERFORMANCE
• software
• hardware
Best attack: Solving the underlying math problem, such as factoring of large integers: Given N = P·Q, find P and Q.
Primary Applications:
• Exchange of keys for secret-key ciphers
• Digital signatures

Five security levels & corresponding key sizes allowed by American government
NIST SP 800-56

Level   Symmetric ciphers   ECC   RSA
I       80                  160   1024
II      112                 224   2048
III     128                 256   3072
IV      192                 384   8192
V       256                 512   15360

Threat of Quantum Computers
• First perceived by physicists (R. Feynman, D. Deutsch) in 1980s
• First significant quantum algorithms (capable of running on quantum computers only) developed in 1990s
• First practical realization in 1998 (2 qubits)
• Significant technological breakthroughs during the last 20 years
• Quantum Artificial Intelligence lab started by Google in 2013
• IBM quantum processor (16-17 qubits) in 2017
Photo: Vandersypen, PQCrypto 2017

Major advances during the last 20 years
Source: Vandersypen, PQCrypto 2017
Timeline of Quantum Computing: https://en.wikipedia.org/wiki/Timeline_of_quantum_computing

Effect on Secret-Key Algorithms
1996: Grover’s Algorithm reduces the time of the exhaustive-key search for secret-key ciphers
from 2^k to 2^(k/2) operations, for a k-bit key,
e.g., from 2^128 to 2^64 operations, for a 128-bit key, or
from 2^256 to 2^128 operations, for a 256-bit key,
assuming a sufficiently powerful and reliable quantum computer available
Easy Countermeasure: Double the size of a key

Effect on Public-Key Algorithms
1994: Shor’s Algorithm breaks major public key cryptosystems based on
• factoring: RSA
• discrete logarithm problem: DSA, Diffie-Hellman
• Elliptic Curve discrete logarithm problem: Elliptic Curve Cryptosystems
independently of the key size, assuming a sufficiently powerful and reliable quantum computer available
No known countermeasures
New algorithms and standards required

Post-Quantum Cryptography
Public-key cryptographic algorithms for which there are no known attacks using quantum computers
Capable of
• being implemented using any traditional methods, including software and hardware
• running efficiently on any modern computing platforms: PCs, tablets, smartphones, servers with FPGA accelerators, etc.

Post-Quantum Cryptography Efforts
• New public-key cryptographic families: mid-1990s-present
• D.J. Bernstein introduces the term post-quantum cryptography: 2003
• Series of PQCrypto Conferences: 2006-present
• NIST Workshop on Cybersecurity in a Post-Quantum World 2015
• NIST announcement of standardization plans at PQCrypto 2016, Fukuoka, Japan, Feb. 2016
• NIST Call for Proposals and Request for Nominations for Public-Key Post-Quantum Cryptographic Algorithms: Dec. 2016
  Deadline for submitting candidates: November 30, 2017

Post-Quantum Cryptography NIST Project
• NIST Call for Proposals and Request for Nominations for Public-Key Post-Quantum Cryptographic Algorithms: Dec. 2016
  Deadline for submitting candidates: November 30, 2017
Source: Moody, NIST 2017

Promising PQC Families
Family Encryption Signature Key Agreement
Hash-based XX
Code-based XX X
Lattice-based XX X
Multivariate X XX
Supersingular Elliptic Curve Isogeny XX
XX – high-confidence candidates, X – medium-confidence candidates

Promising PQC Algorithms
Hash-based
• Signature: XMSS (2011), SPHINCS (2015)
Code-based
• Encryption & Key Exchange: McEliece (1978), Niederreiter (1986)
• Signature: CFS (2001)
Lattice-based
• Encryption & Key Exchange: NTRUEncrypt (1996), Ring-LWE (2010), NewHope (2016), Kyber (2017)
• Signature: pqNTRUSign (2001-2017), BLISS (2013), Dilithium (2017)
Multivariate
• Encryption & Key Exchange: PMI+ (2004), SRP (2015)
• Signature: Unbalanced Oil and Vinegar (1999), HFEv-, QUARTZ (2001), Rainbow (2005)

Algorithms Selected for a Pilot Study
1. NTRUEncrypt Short Vector Encryption Scheme (SVES), fully compliant with IEEE 1363.1 Standard Specification for Public Key Cryptographic Techniques Based on Hard Problems over Lattices
Parameter sets:
• Optimized for speed
• 192-bit security: ees1087ep1: p=3, q=2048, N=1087, df=dr=63
• 256-bit security: ees1499ep1: p=3, q=2048, N=1499, df=dr=79
2. Multivariate Rainbow Signature Scheme
Parameter set:
• (17,12)(1,12)
• 80-bit security level

Our Objectives
Paving the way for the future comprehensive, fair, and efficient hardware benchmarking of PQC candidates through
1. Uniform Hardware API
2. Uniform & Efficient Development Process

Proposed Uniform Hardware API
Minimum Compliance Criteria
• Encryption & decryption, or signature generation & verification
• External key generation (e.g., in software)
• Permitted data port widths, etc.
Communication Protocol
Interface Timing Characteristics

Comparative Analysis of Implementation Difficulties
High-security levels
• NTRUEncrypt: Easy to implement
• Rainbow SS: Challenging to implement
Key sizes
• NTRUEncrypt: Small
• Rainbow SS: Very Large
Support for multiple parameter sets swapped at run time
• NTRUEncrypt: Relatively easy to implement
• Rainbow SS: Challenging to implement
Component operations
• NTRUEncrypt: Standard: variable rotator, hash function
• Rainbow SS: Complex: System of Linear Equation Solver
Dependence of the execution time on message size
• NTRUEncrypt: Strong
• Rainbow SS: Weak
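
Added example, not from the slides or the CERG implementation: multiplication by a sparse ternary polynomial in the NTRUEncrypt ring Z_q[x]/(x^N - 1), done as rotate-and-accumulate (one job a variable rotator can do) and checked against schoolbook multiplication. It uses the ees1087ep1 values listed above; reading dr as the number of +1 and of -1 coefficients, the random stand-in for the public key h, and all function names are assumptions.

```python
import random

# ees1087ep1 values from the parameter-set slide.
N, Q, DR = 1087, 2048, 63

def sample_ternary(n, d, rng):
    """n coefficients: d are +1, d are -1, the rest 0 (assumed reading of dr)."""
    poly = [0] * n
    idx = rng.sample(range(n), 2 * d)
    for i in idx[:d]:
        poly[i] = 1
    for i in idx[d:]:
        poly[i] = -1
    return poly

def rotate(poly, k):
    """Multiply by x^k in Z_q[x]/(x^n - 1): coefficient i moves to (i + k) mod n."""
    k %= len(poly)
    return poly[-k:] + poly[:-k] if k else poly[:]

def conv_rotate(sparse, dense, q):
    """sparse * dense mod (x^n - 1, q): one rotate plus add/subtract per nonzero term."""
    acc = [0] * len(dense)
    for k, c in enumerate(sparse):
        if c:
            acc = [(a + c * s) % q for a, s in zip(acc, rotate(dense, k))]
    return acc

def conv_schoolbook(a, b, q):
    """Reference product: every term pair, exponents wrapped modulo n."""
    n = len(a)
    out = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[(i + j) % n] = (out[(i + j) % n] + ai * bj) % q
    return out

def demo(seed=1):
    rng = random.Random(seed)                  # demo only, not a cryptographic RNG
    h = [rng.randrange(Q) for _ in range(N)]   # constructed stand-in for a public key
    r = sample_ternary(N, DR, rng)
    return r, h, conv_rotate(r, h, Q)

if __name__ == "__main__":
    r, h, e = demo()
    print("rotate-and-accumulate passes:", sum(c != 0 for c in r))   # 2 * dr
    print("matches schoolbook:", e == conv_schoolbook(r, h, Q))
```

The sparse path needs 2·dr = 126 rotate-and-add passes over N coefficients, where the schoolbook reference computes N² = 1,181,569 coefficient products.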

Outcomes of Our Pilot Study
• First hardware implementation of the full NTRUEncrypt-SVES scheme
• Hardware optimization for speed revealed the hash function bottleneck
• Changes in the NTRUEncrypt standards recommended to overcome this bottleneck
• State of the art implementation of the Rainbow Signature Scheme comparable to the earlier results by Tang et al. from PQCrypto 2011
• New PQC Hardware API, paving the way for the fair evaluation of candidates in the NIST standardization process

Challenges of PQC Benchmarking
• Complex mathematical descriptions
• Large public and private keys
• Security vs. feasibility & cost trade-offs
• Quickly evolving algorithms and algorithm variants
• Uncertainty about parameter values corresponding to a given security level

See Quantum Computing & Post-Quantum Cryptography Projects