OPEN QUANTUM SAFE - LIBOQS
VLAD GHEORGHIU (1,2,3)
[email protected] [email protected]
ETSI-IQC 6th Quantum Safe Workshop, Nov. 8, Beijing, China
1 Institute for Quantum Computing, 2 evolutionQ Inc., 3 softwareQ Inc.
© COPYRIGHT 2018 VLAD GHEORGHIU, ALL RIGHTS RESERVED
QUANTUM COMPUTING - BOTH A BLESSING AND A CURSE
Powerful new quantum technologies are emerging, which promise tremendous benefits… but also pose serious threats to our communications, control and information security.
TODAY - PUBLIC KEY CRYPTOGRAPHY IS SAFE
▸ Cyber criminals look for poor design, configuration errors, user mistakes or poor practices. It's practically impossible to attack the underlying mathematics.
Encrypting is EASY: 3967241 x 5289737 = 20985661505617
Codebreaking is HARD! 506680360140974948323 = ???????????? x ????????????
TOMORROW - PUBLIC KEY CRYPTOGRAPHY IS BROKEN
▸ Quantum computers will easily solve the mathematical problems at the core of today's public-key cryptography
Encrypting is EASY: 3967241 x 5289737 = 20985661505617
Codebreaking is EASY! 506680360140974948323 = 13561998077 x 37360303199
WHAT WILL BE AFFECTED?
▸ Products, services and business functions that rely on security products will either stop functioning or not provide the expected levels of security
▸ Not everything is broken: symmetric cryptography (e.g. AES, hash functions etc.) is only weakened. Double key sizes!
Affected areas: cloud computing, payment systems, Internet, IoT, eHealth
Algorithms: RSA, DSA, DH, ECDH, ECDSA, AES, 3-DES, SHA, …
Uses: secure web browsing (TLS/SSL), auto-updates (digital signatures), VPN (IPsec), secure email (S/MIME), PKI
WHAT CAN WE DO NOW TO PROTECT?
▸ Be proactive and don’t wait!
▸ Use a hybrid approach, post-quantum cryptography + currently deployed cryptography
▸ Experiment with various solutions
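As an added example (not code from the slides or from liboqs), here is the key-derivation side of the hybrid approach in the second bullet: the classical and the post-quantum shared secrets are fed together into HKDF, so the session key stays secret as long as either component holds. The combiner shape, the label and the sample secrets are assumptions chosen for the demonstration.

```python
# Added example, not from the slides or from liboqs: a hybrid key combiner that
# mixes a classical shared secret (e.g. ECDH) with a post-quantum KEM shared
# secret (e.g. a liboqs KEM) so the session key holds as long as either does.
# The combiner shape (HKDF over the concatenated secrets, with both
# ciphertexts bound as context) is an assumption modelled on common hybrid
# designs, not liboqs's own API.
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with HMAC-SHA256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hybrid_session_key(classical_ss: bytes, pq_ss: bytes,
                       classical_ct: bytes, pq_ct: bytes,
                       label: bytes = b"hybrid-kem-demo") -> bytes:
    """Derive a 32-byte session key from both shared secrets. Both peers
    run this with the same inputs; the ciphertexts go into the HKDF context
    so a key from one exchange cannot be confused with another's."""
    if not classical_ss or not pq_ss:
        raise ValueError("both shared secrets must be non-empty")
    ikm = classical_ss + pq_ss                      # concatenation combiner
    prk = hkdf_extract(hashlib.sha256(label).digest(), ikm)
    info = label + hashlib.sha256(classical_ct + pq_ct).digest()
    return hkdf_expand(prk, info, 32)


def demo() -> bool:
    # Constructed stand-ins for real ECDH and FrodoKEM outputs.
    c_ss, pq_ss = bytes(range(32)), bytes(range(32, 64))
    c_ct, pq_ct = b"ecdh-ephemeral-pubkey", b"frodo-ciphertext"
    alice = hybrid_session_key(c_ss, pq_ss, c_ct, pq_ct)
    bob = hybrid_session_key(c_ss, pq_ss, c_ct, pq_ct)
    # An attacker who recovers only the classical secret (say, with a quantum
    # computer) still lacks pq_ss and so cannot recompute the session key.
    wrong_pq = hybrid_session_key(c_ss, bytes(32), c_ct, pq_ct)
    return alice == bob and alice != wrong_pq
```

The same combiner works unchanged when the post-quantum component is swapped for another KEM, which is what makes run-time algorithm switching practical in a hybrid deployment.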
LIBOQS – HTTPS://GITHUB.COM/OPEN-QUANTUM-SAFE/LIBOQS
LIBOQS
▸ Open source, runs on UNIX/Linux/Windows/ARM etc.
▸ Collaborative effort. Project leaders: Michele Mosca and Douglas Stebila (University of Waterloo).
▸ Prototype post-quantum cryptography in protocols and applications
▸ Incorporates and adapts a variety of open source cryptographic software
▸ Testing new algorithms (allows algorithm switching both at compile-time and run-time)
▸ Benchmarking suite, continuous integration
▸ Long term goal: support the development and prototyping of quantum-resistant cryptography (NIST submissions etc.)
DETAILS
▸ 2 main branches (2 "philosophies"): master and nist-branch
▸ master: more selective, algorithms need to be unbroken and meet certain security criteria; we will possibly make changes to implementations' source code, including improvements from static analysis and other quality improvements. We aim to make releases of liboqs master branch every 2 to 3 months. Plans for each individual release can be found on our Github projects board.
▸ nist-branch: incorporates submissions to the NIST Post-Quantum Cryptography project for purposes of benchmarking and integration into a common API. Use for experimentation, not for production-ready code. Aims to incorporate as many NIST submissions as possible; we will not be selective, will aim to make no changes to implementations' code, and will make no promises about the quality of algorithms or implementations.
▸ "light touch" approach to incorporation
▸ source code from a NIST submission will be included ideally with no changes, in an "upstream" subdirectory
▸ a thin wrapper will be written to provide the implementation using the liboqs API
▸ if an algorithm in nist-branch is found to be insecure in month $X$, a compile-time warning will be added in the tagged snapshot for month $X+1$, and it may be removed in month $X+2$
SELECTION CRITERIA
▸ Algorithmic requirements:
▸ The algorithm must be submitted to the NIST Post-Quantum Cryptography project, or posted as an update to an existing algorithm, and must be present in the current round
▸ Algorithms whose security is considered effectively broken are not eligible for addition; see the Lifecycle section below for conditions on their removal
▸ KEMs can be IND-CPA or IND-CCA-secure, at any NIST security level
▸ Signature schemes can be EUF-CMA-secure, at any NIST security level
▸ Targets:
▸ Operating systems: The code must build on Linux and macOS; Windows will be added in the future
▸ Architecture: The code must build at least on x64. Targets are currently provided for x86. We plan to add an AVX2 target, and possibly others.
▸ Quality control: Continuous integration (Travis-CI, AppVeyor)
SELECTION CRITERIA
▸ Source code requirements:
▸ The source code can be from the original submission, or can be an updated version
▸ License: Source code licensed under the MIT License, the BSD license, or in the public domain can be directly incorporated into the repository. GPL code will not be included in the repository, but a wrapper to the OQS API may be included, as well as a script that downloads and compiles in GPL code if the algorithm is requested at compile-time.
▸ Code quality: Given the "light touch" philosophy of nist-branch, we have no requirements on source code quality, other than that it compile on the targets
CURRENTLY SUPPORTED KEY EXCHANGE ALGORITHMS AND SIGNATURES
MASTER BRANCH
▸ Learning with errors (LWE)
▸ FrodoKEM
▸ Ring learning with errors (RLWE)
▸ NewHopeNIST
▸ Supersingular isogeny Diffie-Hellman (SIDH)
▸ SIKE, SIDH
▸ Code-based
▸ BIKE
▸ Signatures
▸ Picnic (hash-based), qTesla (decisional RLWE)
CURRENTLY SUPPORTED KEY EXCHANGE ALGORITHMS AND SIGNATURES
NIST BRANCH
▸ Learning with errors (LWE)
▸ FrodoKEM
▸ Ring learning with errors (RLWE)
▸ NewHopeNIST, LIMA
▸ Module learning with errors (MLWE)
▸ BIG QUAKE, CRYSTALS-KYBER, SABER, Dilithium (also based on Module-Short Integer Solution (M-SIS))
▸ Middle-product learning with errors (MP-LWE)
▸ Titanium CCA
▸ Supersingular isogeny Diffie-Hellman (SIDH)
▸ SIKE, SIDH
▸ Code-based
▸ BIKE (Quasi-Cyclic Syndrome Decoding), LedaKEM (Niederreiter)
▸ Signatures
▸ Picnic (hash-based), qTesla (decisional RLWE)
THANK YOU
Vlad Gheorghiu
Post-doctoral fellow, Institute for Quantum Computing, University of Waterloo
Co-Founder and CEO, softwareQ Inc. www.softwareq.ca
Quantum Risk Researcher at evolutionQ Inc. www.evolutionq.com