Rafael Misoczki, PhD
Cryptographer at Intel Labs, Oregon, USA
Rafael Misoczki 1
Legal Disclaimers
• Intel provides these materials as-is, with no express or implied warranties.
• All products, dates, and figures specified are preliminary, based on current expectations, and are subject to change without notice.
• Intel processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.
• Intel technologies' features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.
• Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.
• Intel and the Intel logo are trademarks of Intel Corporation in the United States and other countries.
• *Other names and brands may be claimed as the property of others.
© Intel Corporation 2019
Quantum Computers
Quantum computers will solve currently-intractable computational problems
Quantum Physics Simulation [Fey’82], Number-theory [Sho’94], Database search [Gro’96], Chemistry Simulations [AL’99], …
Grover’s Algorithm:
Find a good item among $2^n$ unordered items:
$f: \{0,1\}^n \to \{0,1\}$, with $f(a) = 1$ and $f(x) = 0$ for all $x \neq a$
It can be used to invert one-way functions
Takes $O(2^{n/2})$ instead of $O(2^n)$ steps (still exponential)
Breaks some symmetric ciphers (AES128, SHA256)
Shor’s Algorithm:
Find period $r$ of function $f(x)$ in polynomial time (Quantum Fourier Transform):
$f(x) = f(x + r)$
It’s used to factor integers and solve discrete log
Runs in polynomial time instead of exponential
Breaks all traditional public key crypto (RSA/ECC) [Sho’94]
Mitigations for Quantum Attacks
• Public Key Cryptography:
  • Replace all algorithms: Digital Signatures, Key Exchange, Public Key Encryption
  • Quantum Cryptography:
    • Uses quantum physics to achieve higher security
    • Requires quantum infrastructure
    • Restricted to Key Exchange (e.g., [BB84])
    • No standards at all
  • Post-Quantum Cryptography:
    • Based on harder math problems
    • Can be implemented in current infrastructure
    • Offers all required features (Digital Signatures, Key Exchange and Encryption)
    • Some PQC algorithms are more efficient than traditional crypto algorithms
    • Standards under development
• Symmetric Cryptography:
  • Increase parameters of algorithms (Ex.: AES128 → AES256)
Post-Quantum Cryptography Families
(listed from more mature to less mature)
Hash Based Signatures
• Security: relies only on symmetric crypto
• Functionalities: Digital Signatures
Code Based Cryptography
• Security: relies on symmetric crypto + (possibly well-known) problems from coding-theory
• Functionalities: Encryption, Key Exchange, Digital Signatures
Lattice Based Cryptography
• Security: relies on symmetric crypto + (possibly well-known) problems from lattice-theory
• Functionalities: Encryption, Key Exchange, Digital Signatures
Isogeny-Based Cryptography
• Security: relies on symmetric crypto + other problems from isogenies of supersingular ECC
• Functionalities: Key Exchange, Digital Signatures
Multivariate Based Cryptography
• Security: relies on symmetric crypto + other problems from multivar. quadratic equations
• Functionalities: Digital Signatures
Standardization Processes on PQC
(listed from advanced stage to early stage)
IETF (Internet Engineering Task Force):
• Scope: Hash-Based Signatures
• Status: XMSS (RFC 8391) and LMS (RFC 8554) published
• Our contribution: Reviewers of the drafts
NIST Competition on Post-Quantum Cryptography Standardization:
• Scope: Key Encapsulation, Asymmetric Encryption and Stateless Signatures
• Status: 82 submissions, only 26 selected for 2nd Round, Standards by 2022-2024
• Our Contribution: Leading BIKE and co-authoring Classic McEliece (2nd Round finalists)
ISO/IEC (JC1 SC27 WG2): ISO/IEC 14888-4
• Scope: Stateful Hash-Based Signatures
• Status: October 2019, ISO/IEC approved creation of ISO 14888-4 covering HBS
• Our Contribution: Rafael Misoczki is the Editor of ISO 14888-4
Post-Quantum Digital Signatures
Hash-Based Signatures (HBS)
• Security: Post-Quantum Secure (security relies on hash functions)
• Efficiency: code size smaller than RSA/ECC & lightweight operations (hash calls)
• Standard: IETF has already published XMSS & LMS RFCs
Digital signatures are critical for Secure Update, Secure Boot, Attestation, …
One-Time Hash-Based Signatures
• 1 signing key, 1 signature, 1 verification key
• A private key must only sign a single message
Multi-Time Hash-Based Signatures
• A private key can sign multiple messages
One-Time Hash-Based Signatures: simplified Winternitz OTS scheme description based on 1 chain (real signature has 67 chains)
- Hash functions are irreversible
- $\mathit{privkey}$: $n$ bits at random
- $m$: message
- $N$: public parameter
Key generation: hash applied $N$ times
$\mathit{privkey} \to H(\mathit{privkey}) \to H(H(\mathit{privkey})) \to \dots \to H^{N}(\mathit{privkey}) = \mathit{pubkey}$
Signing: hash applied $m$ times
$\mathit{signature} = H^{m}(\mathit{privkey})$
Verifying: hash applied $(N - m)$ times
$\mathit{pubkey}' = H^{N-m}(\mathit{signature})$
Success: $\mathit{pubkey}' = \mathit{pubkey}$
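As an added example (not code from the slides, nor from the XMSS/LMS RFCs), the one-chain sketch above carried through to all 67 chains: SHA-256 with Winternitz parameter w = 16 gives 64 message-digit chains plus 3 checksum chains, each hashed N = 15 times. The checksum, the seed-derived private key and the hashed-together public key are assumptions made here to fill in what the one-chain description leaves out.

```python
import hashlib
import os

# Parameters matching the slide's "67 chains": SHA-256 digests, w = 16 (one
# chain per 4-bit digit), so 64 message chains + 3 checksum chains.
W = 16
N = W - 1                   # every chain is hashed N times at key generation
L1 = 64                     # digits of a 256-bit message digest
L2 = 3                      # checksum digits: max checksum 64 * 15 = 960 < 16**3
L = L1 + L2                 # 67 chains

def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()

def chain(x: bytes, steps: int) -> bytes:
    """One Winternitz chain: apply H `steps` times."""
    for _ in range(steps):
        x = H(x)
    return x

def digits(msg: bytes) -> list:
    """Base-16 digits of H(msg) followed by base-16 checksum digits. The checksum
    grows whenever a message digit shrinks, so a signature cannot be reused for
    a message whose digits only move forward along the chains; that is what the
    3 extra chains of the real scheme protect."""
    d = H(msg)
    m = [nib for b in d for nib in (b >> 4, b & 0xF)]
    csum = sum(N - x for x in m)
    return m + [(csum >> 8) & 0xF, (csum >> 4) & 0xF, csum & 0xF]

def keygen(seed: bytes = None):
    """privkey: L values derived from a random seed; pubkey: hash of the L chain
    ends, each obtained by hashing its privkey value N times."""
    seed = os.urandom(32) if seed is None else seed
    privkey = [H(seed + i.to_bytes(2, "big")) for i in range(L)]
    pubkey = H(b"".join(chain(sk, N) for sk in privkey))
    return privkey, pubkey

def sign(privkey: list, msg: bytes) -> list:
    """Chain i is hashed m_i times, m_i being the i-th digit of the message."""
    return [chain(sk, m) for sk, m in zip(privkey, digits(msg))]

def verify(pubkey: bytes, msg: bytes, sig: list) -> bool:
    """Hash each signature element the remaining N - m_i times and compare."""
    if len(sig) != L:
        return False
    ends = [chain(s, N - m) for s, m in zip(sig, digits(msg))]
    return H(b"".join(ends)) == pubkey
```

The private key must be discarded after one use: a second signature under the same key exposes chain values that were not released the first time.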
Multi-Time (Merkle) Hash-Based Signatures
Goal: Bind $2^h$ one-time key pairs into a single multi-time key pair
Key pair:
• Public key: Root of the tree
• Private key: Seed (to generate one-time keys)
Authentication path:
• Nodes required to recompute the root
Signature is valid iff:
• Recomputed root == public key
Drawbacks:
• Stateful: private key changes
• Key Generation might be costly
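An added example, not from the slides, of the Merkle construction just described: 2^h seed-derived leaves stand in for one-time public keys, the root is the public key, and the signer's state is the index of the next unused leaf. The leaves are constructed placeholders (the one-time signature on the message itself is left out), so the block shows only the tree side: authentication path, root recomputation and state handling.

```python
import hashlib
import os

def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

class MerkleKey:
    """Binds 2**h one-time public keys into one root. Leaves are derived from
    the seed as placeholders for real one-time public keys (assumption)."""
    def __init__(self, h: int, seed: bytes = None):
        self.h = h
        self.seed = os.urandom(32) if seed is None else seed
        leaves = [H(self.seed, i.to_bytes(4, "big")) for i in range(2 ** h)]
        self.levels = [leaves]            # levels[0] = leaves ... levels[h] = [root]
        while len(self.levels[-1]) > 1:
            prev = self.levels[-1]
            self.levels.append([H(prev[i], prev[i + 1]) for i in range(0, len(prev), 2)])
        self.root = self.levels[-1][0]    # the public key
        self.next_index = 0               # the state: first unused one-time key

    def auth_path(self, idx: int) -> list:
        """Sibling nodes from the leaf up to (not including) the root."""
        path = []
        for lvl in range(self.h):
            path.append(self.levels[lvl][idx ^ 1])
            idx >>= 1
        return path

    def sign(self):
        """Release (index, one-time public key, auth path) for the next unused
        leaf and advance the state. The new index must be persisted before the
        signature leaves the device: a reused index reuses a one-time key."""
        if self.next_index >= 2 ** self.h:
            raise RuntimeError("all one-time keys of this tree have been used")
        idx, self.next_index = self.next_index, self.next_index + 1
        return idx, self.levels[0][idx], self.auth_path(idx)

def recompute_root(idx: int, leaf: bytes, path: list) -> bytes:
    """Walk up: the index bit at each level says on which side the node sits."""
    node = leaf
    for sibling in path:
        node = H(sibling, node) if idx & 1 else H(node, sibling)
        idx >>= 1
    return node

def verify(root: bytes, idx: int, leaf: bytes, path: list) -> bool:
    """Valid iff the recomputed root equals the public key."""
    return recompute_root(idx, leaf, path) == root
```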
Modern HBS Schemes
• XMSS Scheme (RFC8391)
• eXtendable Merkle Signature Scheme
• Security Proof Model: Standard (no random oracles)
• Improvement: Requires only Target-Collision Resistance
• LMS Scheme (RFC8554)
• Leighton and Micali Signature Scheme
• Security Proof Model: Random Oracle Model
• Improvement: Requires only 2nd Preimage Resistance
Code-Based Crypto in a Nutshell
Code-Based Cryptography
▪ Security based on well-understood (NP-Complete) problems
▪ Potentially faster than number-theory counterparts
▪ Require very simple arithmetic (addition/product of binary matrices/vectors)
▪ Easy to implement
▪ No efficient quantum attack is known
Coding-Theory
Techniques to efficiently transmit data through channels subject to noise
Desirable properties:
• Error detection
• Error correction
http://bikesuite.org
Linear Codes with Efficient Decoding
There are many linear code families that offer very efficient decoding:
▪ LDPC codes
▪ Goppa codes
▪ Reed-Solomon codes
▪ BCH codes
▪ …
Linear codes that belong to these families admit one specific basis that allows for efficient decoding
McEliece insight [McE78]:
▪ Private key: a specific code description that allows for efficient decoding
▪ Public key: any other code description which looks random
Selecting Codes for Cryptography
Selecting code families for crypto is a tricky task:
▪ Binary Goppa (1978)
▪ Generalized Reed-Solomon (1986) broken
▪ Rank-metric Gabidulin (1991) broken
▪ Reed-Muller (1994) weakened
▪ Algebraic-Geometric (1996) broken
▪ Quasi-Cyclic Alternant (2009) broken
▪ Quasi-Dyadic Goppa (2009) weakened
▪ …
Problem: too much algebraic structure
▪ Question: can we build decodable linear codes from purely random structures?
MDPC Codes for the Win!
Low-Density Parity-Check codes [Gal63]:
▪ Widely-used in telecommunications
▪ Parity-check matrix is built simply as a sparse random matrix
▪ Decoding: brute force approach that converges quickly given sparsity of parity-check matrix
▪ LDPC codes are not suitable for crypto since key security is too low
Moderate-Density Parity-Check (MDPC) codes [MTSB’12]:
▪ Poor error correction in general (not suitable for telecommunications)
▪ Parity-check is built as a denser LDPC parity-check
▪ Decoding happens as for LDPC, slightly slower
▪ The higher density equalizes the key security to the message security
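An added example (not BIKE's code) of the bit-flipping decoding the slide refers to, run on a small constructed sparse parity-check matrix: given the syndrome of a low-weight error vector, the decoder recovers the error vector by repeatedly flipping the bits that sit in the most unsatisfied checks, and reports ⊥ (None) when it does not converge. The parameters (n = 600, 300 checks, column weight 9, 4 errors) and the max-count flipping rule are assumptions of this example; BIKE uses tuned threshold rules.

```python
import random

def sparse_parity_check(n: int, rows: int, col_weight: int, rng: random.Random) -> list:
    """Random sparse parity-check matrix H (rows x n), stored as one set of
    column indices per row: each column gets `col_weight` ones in random rows."""
    H = [set() for _ in range(rows)]
    for j in range(n):
        for i in rng.sample(range(rows), col_weight):
            H[i].add(j)
    return H

def syndrome(H: list, e: set) -> list:
    """s = H e^T over GF(2); e is the set of error positions."""
    return [len(row & e) & 1 for row in H]

def bit_flip_decode(H: list, s: list, n: int, max_iter: int = 30):
    """Gallager-style bit flipping: count, for every column, the unsatisfied
    parity checks it participates in, flip the columns with the highest count,
    repeat until the syndrome is zero. Returns the error set, or None (the
    slide's ⊥) when decoding does not converge within max_iter rounds."""
    cols = [set() for _ in range(n)]          # column -> rows containing it
    for i, row in enumerate(H):
        for j in row:
            cols[j].add(i)
    s = list(s)
    e = set()
    for _ in range(max_iter):
        if not any(s):
            return e
        unsat = [0] * n
        for i, row in enumerate(H):
            if s[i]:
                for j in row:
                    unsat[j] += 1
        thr = max(unsat)
        if thr == 0:
            return None
        flips = [j for j in range(n) if unsat[j] == thr]
        for j in flips:
            e ^= {j}                          # flipping twice undoes a wrong guess
            for i in cols[j]:
                s[i] ^= 1                     # update the syndrome incrementally
    return None
```

A decoding failure is observable to the party that sent the ciphertext, which is the reaction-attack channel the later BIKE slide addresses with ephemeral keys.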
BIKE Suite: BIKE-1, BIKE-2, BIKE-3
Design rationale:
• Security:
  • Based on well-known coding problems (MDPC approximates distinguishing to decoding problem)
  • Ephemeral keys defeat recent reaction-attacks against probabilistic decoding [GJS16]
• Efficiency:
  • Quasi-cyclic property: ensures small public keys
  • Simple operations: product and addition of binary polynomials/vectors
  • Decoding: bit-flipping decoding techniques
• Several trade-offs were possible, thus we decided to submit a cipher suite with 3 variants
Ingredients:
• McEliece encryption framework
• QC-MDPC Codes [MTSB’12]
• CAKE [BGGM17]
• Ouroboros [DGZ17]
• Ephemeral keys
Download: http://bikesuite.org
BIKE Suite: Message Protocol
Alice:
1. Generate ephemeral QC-MDPC key pair $(sk, pk)$
2. Send $(pk)$ to Bob
Bob:
3. Generate sparse error vector $e$
4. Derive symmetric key $K$ from error vector $e$
5. Encrypt $e$ using $pk$ to produce ciphertext $ct$
6. Send $(ct)$ to Alice
Alice:
7. Decrypt $ct$ using $sk$ to recover $e$ or $\bot$
8. Derive symmetric key $K$ from error vector $e$
Competitive Performance
(performance table not reproduced in this transcript)
Reference implementation measured on Intel® Core™ i5-6260U CPU @ 1.80GHz. Additional implementation measured on Intel® Xeon® Platinum 8124M CPU @ 3GHz.
Performance in millions of cycles. Implementation uses NTL Library.
BIKE Adoption
• Amazon Web Services (AWS) has recently integrated BIKE in their s2n lib [AWS’19]
• S2n: SSL/TLS implementation handling 100% of traffic of S3 (Simple Storage Service)
• Open Quantum Safe Library
• Implements BIKE since release May, 2018
• https://openquantumsafe.org/
• IETF Draft on Hybrid Key Exchange
• Hybrid scheme: Classical + PQC (ECDH + BIKE/SIKE)
• https://tools.ietf.org/html/draft-campagna-tls-bike-sike-hybrid-01
Conclusion
• Quantum computers expected to bring new security challenges
• Public Key Cryptography needs to be fully replaced
• Symmetric cryptography requires larger parameters
• Why should we care now?
• Malicious actors might be harvesting encrypted data now to attack it later (once large quantum computers are built)
• Data might still be equally valuable in the future
• Standardization and public scrutiny are essential to developing post-quantum cryptography solutions
Quantum to Threaten the Entire Security Stack
Cryptography Research at Intel
• Intel Labs
• Group: Security & Privacy Research
• Team: IoT and Automotive Security
• Based in Hillsboro, OR, USA
• Cryptographic Research in Industry
• Publication is not the only success metric
• Creating robust cryptographic technology is the main goal
• Robustness depends on multiple factors and areas of expertise
• Cryptography, protocols, HW/FW/SW implementation, side-channel countermeasures, privacy of users, IP, standards compliance, …
References
• [BIKE’17]: N. Aragon, P. Barreto, S. Bettaieb, L. Bidoux, O. Blazy, J-C. Deneuville, P. Gaborit, S. Gueron, T. Güneysu, C. Melchor, R. Misoczki, E. Persichetti, N. Sendrier, J-P. Tillich, G. Zémor. BIKE – Bit Flipping Key Encapsulation. Proposal to NIST Standardization Competition.
• [AL’99]: Daniel S. Abrams and Seth Lloyd. “Quantum Algorithm Providing Exponential Speed Increase for Finding Eigenvalues and Eigenvectors”. Phys. Rev. Lett. 83, 5162. 1999.
• [AWS’19]: Add hybrid ECDHE BIKE support. AWS s2n GitHub Project. https://github.com/awslabs/s2n/pull/1084
• [Fey’82]: R. Feynman. “Simulating physics with computers”. International Journal of Theoretical Physics, Vol. 21, No. 6/7, pp. 467-488 (1982).
• [Gro’96]: Grover, Lov K. “A fast quantum mechanical algorithm for database search”. Proceedings of the 28th Annual ACM Symposium on Theory of Computing. ACM, 1996.
• [IETF’18]: Hülsing, Andreas, et al. XMSS: eXtended Merkle Signature Scheme. Internet Draft draft-irtf-cfrg-xmss-hash-based-signatures-10, 24 July 2017.
• [ISO’19]: Rafael Misoczki is a USA expert member of ISO/IEC JC1 SC27 Working Group 2. Not public yet. 2019.
• [McE’78]: Robert J. McEliece. “A Public-Key Cryptosystem Based On Algebraic Coding Theory”. DSN Progress Report 44: 114–116.
• [MTSB’12]: R. Misoczki, J-P. Tillich, N. Sendrier, P. Barreto. MDPC-McEliece: New McEliece variants from Moderate Density Parity-Check codes. IEEE ISIT 2013.
• [NIST’16]: Moody, Dustin (NIST). “Post-Quantum Cryptography: NIST’s Plan for the Future”. Invited Talk at the 7th International Conference on Post-Quantum Cryptography (PQCrypto 2016). Slides available at: https://pqcrypto2016.jp/data/pqc2016_nist_announcement.pdf
• [NIST’18]: Moody, Dustin (NIST). “Let’s Get Ready to Rumble: The NIST PQC ‘Competition’”. Invited Talk at the 9th International Conference on Post-Quantum Cryptography (PQCrypto 2018). Slides available at: https://drive.google.com/file/d/15nSozBxhGjpEZ8PnnoTo2L545suM-Qi7/view
• [Sho’94]: Shor, Peter W. “Algorithms for quantum computation: Discrete logarithms and factoring”. Proceedings of the 35th Annual Symposium on Foundations of Computer Science. IEEE, 1994.