Rafael Misoczki, PhD Cryptographer at Intel Labs, Oregon, USA

Post on 23-Jun-2020



Rafael Misoczki, PhD

Cryptographer at Intel Labs, Oregon, USA


Rafael Misoczki 1

Legal Disclaimers

• Intel provides these materials as-is, with no express or implied warranties.

• All products, dates, and figures specified are preliminary, based on current expectations, and are subject to change without notice.

• Intel processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

• Intel technologies' features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

• Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

• Intel and the Intel logo are trademarks of Intel Corporation in the United States and other countries.

• *Other names and brands may be claimed as the property of others.

© Intel Corporation 2019


Rafael Misoczki 2/13

Quantum Computers

Quantum computers will solve currently-intractable computational problems

Quantum Physics Simulation [Fey’82], Number-theory [Sho’94], Database search [Gro’96], Chemistry Simulations [AL’99], …

Grover’s Algorithm:

Find a good item among $2^n$ unordered items: $f: \{0,1\}^n \to \{0,1\}$ with $f(a) = 1$ and $f(x) = 0$ for all $x \neq a$

It can be used to invert one-way functions

Takes $O(2^{n/2})$ instead of $O(2^n)$ steps (still exponential)

Breaks some symmetric ciphers (AES128, SHA256)

Shor’s Algorithm:

Find the period $r$ of a function $f(x)$ in polynomial time (Quantum Fourier Transform): $f(x) = f(x + r)$

It’s used to factor integers and solve discrete log

Runs in polynomial time instead of exponential

Breaks all traditional public key crypto (RSA/ECC) [Sho’94]


Mitigations for Quantum Attacks

• Public Key Cryptography:

  • Replace all algorithms: Digital Signatures, Key exchange, Public Key Encryption

  Quantum Cryptography:

    • Uses quantum physics to achieve higher security

    • Requires quantum infrastructure

    • Restricted to Key Exchange (e.g., [BB84])

    • No standards at all

  Post-Quantum Cryptography:

    • Based on harder math problems

    • Can be implemented in current infrastructure

    • Offers all required features (Digital Signatures, Key Exchange and Encryption)

    • Some PQC algorithms are more efficient than traditional crypto algorithms

    • Standards under development

• Symmetric Cryptography:

  • Increase parameters of algorithms (Ex.: AES128 → AES256)

3/13


Post-Quantum Cryptography Families

(listed from more mature to less mature)

3/13

Hash Based Signatures

• Security: relies only on symmetric crypto

• Functionalities: Digital Signatures

Code Based Cryptography

• Security: relies on symmetric crypto + (possibly well-known) problems from coding-theory

• Functionalities: Encryption, Key Exchange, Digital Signatures

Lattice Based Cryptography

• Security: relies on symmetric crypto + (possibly well-known) problems from lattice-theory

• Functionalities: Encryption, Key Exchange, Digital Signatures

Isogeny-Based Cryptography

• Security: relies on symmetric crypto + other problems from isogenies of supersingular ECC

• Functionalities: Key Exchange, Digital Signatures

Multivariate Based Cryptography

• Security: relies on symmetric crypto + other problems from multivar. quadratic equations

• Functionalities: Digital Signatures


Standardization Processes on PQC

(listed from advanced stage to early stage)

4/13

IETF (Internet Engineering Task Force):

• Scope: Hash-Based Signatures

• Status: XMSS (RFC 8391) and LMS (RFC 8554) published

• Our contribution: Reviewers of the drafts

NIST Competition on Post-Quantum Cryptography Standardization:

• Scope: Key Encapsulation, Asymmetric Encryption and Stateless Signatures

• Status: 82 submissions, only 26 selected for 2nd Round; Standards by 2022-2024

• Our Contribution: Leading BIKE and co-authoring Classic McEliece (2nd Round finalists)

ISO/IEC (JC1 SC27 WG2): ISO/IEC 14888-4

• Scope: Stateful Hash-Based Signatures

• Status: October 2019, ISO/IEC approved creation of ISO 14888-4 covering HBS

• Our Contribution: Rafael Misoczki is the Editor of ISO 14888-4


Post-Quantum Digital Signatures

Hash-Based Signatures (HBS)

• Security: Post-Quantum Secure (security relies on hash functions)

• Efficiency: code size smaller than RSA/ECC & lightweight operations (hash calls)

• Standard: IETF has already published XMSS & LMS RFCs

Digital signatures are critical for Secure Update, Secure Boot, Attestation, …

One-Time Hash-Based Signatures

7/13

• 1 signing key, 1 signature, 1 verification key

• A private key must only sign a single message

Multi-Time Hash-Based Signatures

• A private key can sign multiple messages


Rafael Misoczki 8/13

One-Time Hash-Based Signatures: simplified Winternitz OTS scheme description based on 1 chain (a real signature has 67 chains)

- Hash functions are irreversible
- $\mathit{privkey}$: $n$ bits at random
- $m$: message
- $N$: public parameter

Key generation: hash applied $N$ times

$\mathit{privkey} \to H(\mathit{privkey}) \to H(H(\mathit{privkey})) \to \cdots \to H^{N}(\mathit{privkey}) = \mathit{pubkey}$

Signing: hash applied $m$ times

$\mathit{signature} = H^{m}(\mathit{privkey})$

Verifying: hash applied $(N - m)$ times

$\mathit{pubkey}' = H^{N-m}(\mathit{signature})$

Success: $\mathit{pubkey}' = \mathit{pubkey}$
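The one-chain walk above, generalized (as an added example, not code from the slides or from any standard) to the full 67-chain Winternitz OTS the slide alludes to: with w = 16, 64 chains carry the base-16 digits of the SHA-256 message digest and 3 chains carry a checksum. Mixing the chain position into each hash step is this example's own choice, and `keygen`, `sign` and `verify` are its own names.

```python
import hashlib

N = 32             # SHA-256 output length in bytes
W = 16             # Winternitz parameter: each chain carries one base-16 digit
LEN1 = 64          # a 256-bit digest is 64 base-16 digits
LEN2 = 3           # checksum digits: max checksum 64 * 15 = 960 < 16**3
LEN = LEN1 + LEN2  # 67 chains in total, matching the slide

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def chain(x: bytes, start: int, steps: int) -> bytes:
    """Apply H `steps` times, continuing from chain position `start`.
    The position is mixed in so each step is a distinct function (this
    example's choice); the verifier resumes where the signer stopped."""
    for i in range(start, start + steps):
        x = H(bytes([i]) + x)
    return x

def digits(msg: bytes) -> list:
    """Base-16 digits of H(msg) followed by a checksum.  The checksum grows
    whenever a message digit shrinks, so any other message needs at least one
    chain released at an earlier position, which the irreversible hash does
    not allow to be computed from a later one."""
    base = [int(c, 16) for c in H(msg).hex()]          # LEN1 digits
    csum = sum(W - 1 - d for d in base)
    return base + [(csum >> (4 * k)) & 0xF for k in (2, 1, 0)]

def keygen(seed: bytes):
    """Private key: LEN chain starts derived from a seed.
    Public key: hash of all LEN chain ends (each start hashed W-1 times)."""
    sk = [H(seed + bytes([i])) for i in range(LEN)]
    pk = H(b"".join(chain(s, 0, W - 1) for s in sk))
    return sk, pk

def sign(sk: list, msg: bytes) -> list:
    # Chain i is advanced d_i steps; position d_i is released as the signature.
    return [chain(sk[i], 0, d) for i, d in enumerate(digits(msg))]

def verify(pk: bytes, msg: bytes, sig: list) -> bool:
    # Finish each chain (W-1-d_i more steps) and compare with the public key.
    ends = [chain(sig[i], d, W - 1 - d) for i, d in enumerate(digits(msg))]
    return H(b"".join(ends)) == pk
```

The key is one-time in exactly the sense of the slide: a second signature with the same `sk` releases further chain positions, so `keygen` must be called per message.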


Rafael Misoczki 9/13

Multi-Time (Merkle) Hash-Based Signatures

Goal: Bind $2^h$ one-time key pairs into a single multi-time key pair

Key pair:

• Public key: Root of the tree

• Private key: Seed (to generate one-time keys)

Authentication path:

• Nodes required to recompute the root

Signature is valid iff:

• Recomputed root == public key

Drawbacks:

• Stateful: private key changes

• Key generation might be costly
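The Merkle binding described above, as an added example that is not code from the slides or from XMSS/LMS: the one-time signature itself is abstracted away (each leaf is a hash standing in for an OTS public key), and what is shown is the tree, the authentication path, the root recomputation, and the stateful index that is the slide's first drawback. Class and function names are this example's own.

```python
import hashlib

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def ots_pubkey(seed: bytes, idx: int) -> bytes:
    """Stand-in for the idx-th one-time public key, derived from the seed so
    the private key is just the seed (plus the next unused index)."""
    return H(b"ots" + seed + idx.to_bytes(4, "big"))

def build_tree(seed: bytes, h: int) -> list:
    """levels[0] holds the 2**h leaves, levels[h] holds the root.  This is the
    costly part of key generation: every one-time key must be computed."""
    levels = [[ots_pubkey(seed, i) for i in range(2 ** h)]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([H(prev[i] + prev[i + 1]) for i in range(0, len(prev), 2)])
    return levels

def auth_path(levels: list, idx: int) -> list:
    """Sibling of each node on the way from leaf idx up to the root."""
    path = []
    for level in levels[:-1]:
        path.append(level[idx ^ 1])
        idx >>= 1
    return path

def root_from_path(leaf: bytes, idx: int, path: list) -> bytes:
    """Verifier side: recompute the root from the leaf, its index and the path."""
    node = leaf
    for sibling in path:
        node = H(node + sibling) if idx & 1 == 0 else H(sibling + node)
        idx >>= 1
    return node

class MerkleSigner:
    """Multi-time key binding 2**h one-time keys.  next_idx is part of the
    private key: it must be persisted before a signature leaves the device,
    since reusing an index would reuse a one-time key."""
    def __init__(self, seed: bytes, h: int):
        self.seed, self.h, self.next_idx = seed, h, 0
        self.levels = build_tree(seed, h)
        self.pk = self.levels[-1][0]          # public key: root of the tree

    def allocate_ots(self):
        """Reserve the next one-time key and return what the verifier needs
        to link its public key to the root (the OTS itself is omitted here)."""
        if self.next_idx >= 2 ** self.h:
            raise RuntimeError("all one-time keys used; generate a new tree")
        idx = self.next_idx
        self.next_idx += 1
        return idx, ots_pubkey(self.seed, idx), auth_path(self.levels, idx)

def verify_path(pk: bytes, idx: int, ots_pk: bytes, path: list) -> bool:
    """Valid iff the recomputed root equals the public key."""
    return root_from_path(ots_pk, idx, path) == pk
```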


Rafael Misoczki 10/10

Modern HBS Schemes

• XMSS Scheme (RFC 8391)

  • eXtended Merkle Signature Scheme

  • Security Proof Model: Standard (no random oracles)

  • Improvement: Requires only Target-Collision Resistance

• LMS Scheme (RFC 8554)

  • Leighton and Micali Signature Scheme

  • Security Proof Model: Random Oracle Model

  • Improvement: Requires only 2nd Preimage Resistance


Code-Based Crypto in a Nutshell

Code-Based Cryptography

▪ Security based on well-understood (NP-Complete) problems

▪ Potentially faster than number-theory counterparts

▪ Requires very simple arithmetic (addition/product of binary matrices/vectors)

▪ Easy to implement

▪ No efficient quantum attack is known

12


Coding-Theory

Techniques to efficiently transmit data through channels subject to noise

Desirable properties:

• Error detection

• Error correction

http://bikesuite.org – [email protected]

13


Coding-Theory


14


The (random) Decoding Problem is Hard


15


Linear Codes with Efficient Decoding

There are many linear code families that offer very efficient decoding

▪ LDPC codes

▪ Goppa codes

▪ Reed-Solomon codes

▪ BCH codes

▪ …

Linear codes that belong to these families admit one specific basis that allows for efficient decoding.

McEliece insight [McE78]:

▪ Private key: a specific code description that allows for efficient decoding

▪ Public key: any other code description which looks random

16


Selecting Codes for Cryptography

Selecting code families for crypto is a tricky task:

▪ Binary Goppa (1978)

▪ Generalized Reed-Solomon (1986) broken

▪ Rank-metric Gabidulin (1991) broken

▪ Reed-Muller (1994) weakened

▪ Algebraic-Geometric (1996) broken

▪ Quasi-Cyclic Alternant (2009) broken

▪ Quasi-Dyadic Goppa (2009) weakened

▪ …

Problem: too much algebraic structure

▪ Question: can we build decodable linear codes from purely random structures?


17


MDPC Codes for the Win!

Low-Density Parity-Check codes [Gal63]:

▪ Widely-used in telecommunications

▪ Parity-check matrix is built simply as a sparse random matrix

▪ Decoding: brute force approach that converges quickly given sparsity of parity-check matrix

▪ LDPC codes are not suitable for crypto since key security is too low

Moderate-Density Parity-Check (MDPC) codes [MTSB’12]:

▪ Poor error correction in general (not suitable for telecommunications)

▪ Parity-check is built as a denser LDPC parity-check

▪ Decoding happens as for LDPC, slightly slower

▪ The higher density equalizes the key security to the message security


18


BIKE Suite: BIKE-1, BIKE-2, BIKE-3

19

Design rationale:

• Security:

  • Based on well-known coding problems (MDPC approximates distinguishing to decoding problem)

  • Ephemeral keys defeat recent reaction-attacks against probabilistic decoding [GJS16]

• Efficiency:

  • Quasi-cyclic property: ensures small public keys

  • Simple operations: product and addition of binary polynomials/vectors

  • Decoding: bit-flipping decoding techniques

• Several trade-offs were possible, thus we decided to submit a cipher suite with 3 variants

Ingredients:

• McEliece encryption framework

• QC-MDPC Codes [MTSB’12]

• CAKE [BGGM17]

• Ouroboros [DGZ17]

• Ephemeral keys

Download: http://bikesuite.org


BIKE Suite: Message Protocol

20

Alice:

1. Generate ephemeral QC-MDPC key pair $(sk, pk)$

2. Send $pk$

Bob:

3. Generate sparse error vector $e$

4. Derive symmetric key $K$ from error vector $e$

5. Encrypt $e$ using $pk$ to produce ciphertext $ct$

6. Send $ct$

Alice:

7. Decrypt $ct$ using $sk$ to recover $e$ or $\bot$

8. Derive symmetric key $K$ from error vector $e$
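An added example (not BIKE's code, not from the slides) of the sparse-parity-check decoding behind the MDPC slide and step 7 above: a quasi-cyclic H = [H0 | H1] built from two circulant blocks, the syndrome of a sparse error vector e standing in for the ciphertext, and the bit-flipping decoder that returns e or ⊥ (None). The public-key transformation that hides H is omitted, and the two supports are constructed so that no two columns share more than one parity check, which makes convergence provable for this toy; a real MDPC code relies on randomness and accepts a small decoding-failure rate instead.

```python
R = 1009                            # circulant block size (number of parity checks)
S0 = (0, 1, 3, 7, 12, 20)           # first-row support of H0 (constructed)
S1 = (0, 100, 201, 303, 406, 510)   # first-row support of H1 (constructed)
W = len(S0)                         # column weight inside each block
N = 2 * R                           # code length: number of columns of H

def column(j: int) -> set:
    """Parity checks (rows of H) that involve code bit j."""
    block, shift = divmod(j, R)
    support = S0 if block == 0 else S1
    return {(a + shift) % R for a in support}

def syndrome(error_positions) -> set:
    """s = H e^T over GF(2): the checks hit by an odd number of error bits."""
    s = set()
    for j in error_positions:
        s ^= column(j)              # symmetric difference == XOR of sparse columns
    return s

def overlap_bound_ok() -> bool:
    """True iff no two distinct columns share more than one row.  For
    circulant blocks this holds exactly when the within-block and cross-block
    difference multisets of the supports have no repeated value mod R."""
    d00 = [(a - b) % R for a in S0 for b in S0 if a != b]
    d11 = [(a - b) % R for a in S1 for b in S1 if a != b]
    d01 = [(a - b) % R for a in S0 for b in S1]
    return all(len(d) == len(set(d)) for d in (d00, d11, d01))

def bit_flip_decode(s, max_iter: int = 10):
    """Recover the error positions from a syndrome.  Each round flips every
    bit that takes part in the largest number of unsatisfied checks.  With
    column overlap <= 1 and t <= W // 2 errors, a true error bit sits in at
    least W - (t - 1) unsatisfied checks and any other bit in at most t, so
    only error bits are ever flipped.  Returns None (the protocol's ⊥) if the
    syndrome has not vanished after max_iter rounds."""
    s = set(s)
    flipped = set()
    for _ in range(max_iter):
        if not s:
            break
        counts = [len(column(j) & s) for j in range(N)]
        top = max(counts)
        for j, c in enumerate(counts):
            if c == top:
                flipped ^= {j}
                s ^= column(j)
    return flipped if not s else None
```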

Competitive Performance

21/10

Reference implementation measured on Intel® Core™ i5-6260U CPU @ 1.80GHz. Additional implementation measured on Intel® Xeon® Platinum 8124M CPU @ 3GHz.

Performance in millions of cycles. Implementation uses NTL Library.

BIKE Adoption

22/10

• Amazon Web Services (AWS) has recently integrated BIKE in their s2n lib [AWS’19]

  • s2n: SSL/TLS implementation handling 100% of traffic of S3 (Simple Storage Service)

• Open Quantum Safe Library

  • Implements BIKE since the May 2018 release

  • https://openquantumsafe.org/

• IETF Draft on Hybrid Key Exchange

  • Hybrid scheme: Classical + PQC (ECDH + BIKE/SIKE)

  • https://tools.ietf.org/html/draft-campagna-tls-bike-sike-hybrid-01


Conclusion

• Quantum computers expected to bring new security challenges

• Public Key Cryptography needs to be fully replaced

• Symmetric cryptography requires larger parameters

• Why should we care now?

• Malicious actors might be harvesting encrypted data now to attack it later (once large quantum computers are built)

• Data might still be equally valuable in the future

• Standardization and public scrutiny are essential to developing post-quantum cryptography solutions

Quantum to Threaten the Entire Security Stack


Cryptography Research at Intel

• Intel Labs

• Group: Security & Privacy Research

• Team: IoT and Automotive Security

• Based in Hillsboro, OR, USA

• Cryptographic Research in Industry

• Publication is not the only success metric

• Creating robust cryptographic technology is the main goal

• Robustness depends on multiple factors and areas of expertise

• Cryptography, protocols, HW/FW/SW implementation, side-channel countermeasures, privacy of users, IP, standards compliance, …


[email protected]


References

• [BIKE’17]: N. Aragon, P. Barreto, S. Bettaieb, L. Bidoux, O. Blazy, J-C. Deneuville, P. Gaborit, S. Gueron, T. Güneysu, C. Melchor, R. Misoczki, E. Persichetti, N. Sendrier, J-P. Tillich, G. Zémor. BIKE – Bit Flipping Key Encapsulation. Proposal to NIST Standardization Competition.

• [AL’99]: Daniel S. Abrams and Seth Lloyd. “Quantum Algorithm Providing Exponential Speed Increase for Finding Eigenvalues and Eigenvectors”. Phys. Rev. Lett. 83, 5162. 1999.

• [AWS’19]: Add hybrid ECDHE BIKE support. AWS s2n GitHub Project. https://github.com/awslabs/s2n/pull/1084

• [Fey’82]: R. Feynman, “Simulating physics with computers,” International Journal of Theoretical Physics, Vol. 21, No. 6/7, pp. 467-488 (1982).

• [Gro’96]: Grover, Lov K. "A fast quantum mechanical algorithm for database search." Proceedings of the 28th annual ACM symposium on Theory of computing. ACM, 1996.

• [IETF’18]: Hülsing, Andreas, et al. XMSS: extended hash-based signatures. Internet Draft draft-irtf-cfrg-xmss-hash-based-signatures-10, 24 July 2017.

• [ISO’19]: Rafael Misoczki is a USA expert member of ISO/IEC JC1 SC27 Working Group 2. Not public yet. 2019.

• [McE78]: Robert J. McEliece. "A Public-Key Cryptosystem Based On Algebraic Coding Theory" (PDF). DSN Progress Report. 44: 114–116.

• [MTSB’12]: MDPC-McEliece: New McEliece variants from Moderate Density Parity-Check codes. R. Misoczki, J-P. Tillich, N. Sendrier, P. Barreto. IEEE ISIT’2013.

• [NIST’16]: Moody, Dustin (NIST). “Post-Quantum Cryptography: NIST’s Plan for the Future”. Invited Talk at The 7th International Conference on Post-Quantum Cryptography (PQCrypto 2016). Slides available at: https://pqcrypto2016.jp/data/pqc2016_nist_announcement.pdf

• [NIST’18]: Moody, Dustin (NIST). “Let’s Get Ready to Rumble: The NIST PQC “Competition””. Invited Talk at The 9th International Conference on Post-Quantum Cryptography (PQCrypto 2018). Slides available at: https://drive.google.com/file/d/15nSozBxhGjpEZ8PnnoTo2L545suM-Qi7/view

• [Sho’94]: Shor, Peter W. "Algorithms for quantum computation: Discrete logarithms and factoring." Foundations of Computer Science, 1994 Proceedings., 35th Annual Symposium on. IEEE, 1994.

27/10