![Page 1: Post-Quantum Cryptography in ARM Processors · 2019-10-07 · Open Questions about Post-Quantum Cryptography •Design better post-quantum cryptosystems •Improve classical and quantum](https://reader030.vdocuments.us/reader030/viewer/2022040214/5ec6b3f463a53b6c3429a23d/html5/thumbnails/1.jpg)
Reza Azarderakhsh, Ph.D.
Florida Atlantic University and PQSecure Technologies
ARM Research Summit
Austin, TX
Sept. 2019
Post-Quantum Cryptography in ARM Processors
![Page 2: Post-Quantum Cryptography in ARM Processors · 2019-10-07 · Open Questions about Post-Quantum Cryptography •Design better post-quantum cryptosystems •Improve classical and quantum](https://reader030.vdocuments.us/reader030/viewer/2022040214/5ec6b3f463a53b6c3429a23d/html5/thumbnails/2.jpg)
Quantum Threat to Information Security
Large-scale quantumcomputers could break some encryption schemes
Need to migrate encryption to quantum-resistant algorithms
When we should start the process?
Questions:• When will quantum computers arrive?• When will they be a threat?• When do we switch?• How do we have live and agile transition?• What do we transition to?• …
“In 25 years we’ll be working on quantum resistant crypto standardization
based on elliptic curves in some way!”
─Dustin Moody, NIST (NSF CCC Workshop 2019)
![Page 3: Post-Quantum Cryptography in ARM Processors · 2019-10-07 · Open Questions about Post-Quantum Cryptography •Design better post-quantum cryptosystems •Improve classical and quantum](https://reader030.vdocuments.us/reader030/viewer/2022040214/5ec6b3f463a53b6c3429a23d/html5/thumbnails/3.jpg)
Universalquantumcomputeravailable
2016
2017
2022? 2031
PQCproject
start
Round 1 begin Dec
Standardsready
2026
Mosca – 1/7 chance breaking
RSA-2048
Mosca – ½ chance breaking
RSA-2048
2035
All systems transitioned toquantum-safe
Round 2begin Jan
2019
2020
Round 3 begin June
(69 Candidates)
(17 KEM + 9 DSA) “more than one”
Retroactive decryption: Record encrypted communication now,
Decrypt once quantum computers are available
![Page 4: Post-Quantum Cryptography in ARM Processors · 2019-10-07 · Open Questions about Post-Quantum Cryptography •Design better post-quantum cryptosystems •Improve classical and quantum](https://reader030.vdocuments.us/reader030/viewer/2022040214/5ec6b3f463a53b6c3429a23d/html5/thumbnails/4.jpg)
Open Questions about Post-Quantum Cryptography
• Design better post-quantum cryptosystems
• Improve classical and quantum attacks
• Pick parameter sizes
• Develop fast, efficient, and secure implementations
• Integrate them into the existing infrastructures
![Page 5: Post-Quantum Cryptography in ARM Processors · 2019-10-07 · Open Questions about Post-Quantum Cryptography •Design better post-quantum cryptosystems •Improve classical and quantum](https://reader030.vdocuments.us/reader030/viewer/2022040214/5ec6b3f463a53b6c3429a23d/html5/thumbnails/5.jpg)
Post-Quantum Key-Exchange
Code-based
Lattice-based
Isogeny-based
Hash-based
Lattice-based
Zero-Knowledgebased
Multivariate-based
Post-Quantum Signatures
![Page 6: Post-Quantum Cryptography in ARM Processors · 2019-10-07 · Open Questions about Post-Quantum Cryptography •Design better post-quantum cryptosystems •Improve classical and quantum](https://reader030.vdocuments.us/reader030/viewer/2022040214/5ec6b3f463a53b6c3429a23d/html5/thumbnails/6.jpg)
Quick Overview
• [2006]: Birth of a supersingular isogeny-based cryptosystem• Charles – Goren – Lauter
• built hash function from supersingular isogeny graph
• [2011]: Supersingular isogeny key exchange • Jao – De Feo
• [2017]: Supersingular isogeny key encapsulation• SIKE Team
![Page 7: Post-Quantum Cryptography in ARM Processors · 2019-10-07 · Open Questions about Post-Quantum Cryptography •Design better post-quantum cryptosystems •Improve classical and quantum](https://reader030.vdocuments.us/reader030/viewer/2022040214/5ec6b3f463a53b6c3429a23d/html5/thumbnails/7.jpg)
SIKE Team
![Page 8: Post-Quantum Cryptography in ARM Processors · 2019-10-07 · Open Questions about Post-Quantum Cryptography •Design better post-quantum cryptosystems •Improve classical and quantum](https://reader030.vdocuments.us/reader030/viewer/2022040214/5ec6b3f463a53b6c3429a23d/html5/thumbnails/8.jpg)
Isogeny-Based Cryptography
• Isogeny-based cryptography is constructed on a set of curves.
• Given two curve 𝐸 and 𝐸′ = 𝜙(𝐸) find 𝜙?
![Page 9: Post-Quantum Cryptography in ARM Processors · 2019-10-07 · Open Questions about Post-Quantum Cryptography •Design better post-quantum cryptosystems •Improve classical and quantum](https://reader030.vdocuments.us/reader030/viewer/2022040214/5ec6b3f463a53b6c3429a23d/html5/thumbnails/9.jpg)
Supersingular Isomorphism Classes
• We are interested in the set of supersingularcurves (up to isomorphism) over a specific field
• Prime 𝑝 = 2𝑒𝐴 ∙ 3𝑒𝐵 ∙ 𝑓 ± 1
• Elliptic curves over 𝔽𝑝2, #𝐸 = 𝑝 ∓ 1 2
• Supersingular 𝑗-invariants: #𝑆𝑝2 ≈𝑝
12(isogenous elliptic curves)
40
17
48
0
41
24
66
Prime p = 23 ∙ 32 − 1 = 71, #𝐸 = 722, #𝑆𝑝2 = 7
![Page 10: Post-Quantum Cryptography in ARM Processors · 2019-10-07 · Open Questions about Post-Quantum Cryptography •Design better post-quantum cryptosystems •Improve classical and quantum](https://reader030.vdocuments.us/reader030/viewer/2022040214/5ec6b3f463a53b6c3429a23d/html5/thumbnails/10.jpg)
Isogeny Graphs
With isogeny of degree ℓ, we get a connected (ℓ + 1)-regular graph.
Vertices: All isogenous elliptic curves over 𝔽𝑝2.
Edges: Isogenies of degree ℓ
40
17
48
0
41
24
66
40
17
48
0
41
24
66
2-isogeny graph 3-isogeny graph
![Page 11: Post-Quantum Cryptography in ARM Processors · 2019-10-07 · Open Questions about Post-Quantum Cryptography •Design better post-quantum cryptosystems •Improve classical and quantum](https://reader030.vdocuments.us/reader030/viewer/2022040214/5ec6b3f463a53b6c3429a23d/html5/thumbnails/11.jpg)
Key Exchange based on Isogeny Graphs
40
17
48
0
41
24
66
40
17
48
0
41
24
66
2-isogeny graph 3-isogeny graph
Alice Bob
![Page 12: Post-Quantum Cryptography in ARM Processors · 2019-10-07 · Open Questions about Post-Quantum Cryptography •Design better post-quantum cryptosystems •Improve classical and quantum](https://reader030.vdocuments.us/reader030/viewer/2022040214/5ec6b3f463a53b6c3429a23d/html5/thumbnails/12.jpg)
Public Parameters
𝐸0/𝔽𝑝2
𝑃𝐴, 𝑄𝐴 ∈ 𝐸0[2𝑒𝐴]
𝑃𝐵, 𝑄𝐵 ∈ 𝐸0[3𝑒𝐵]
𝑃𝐴 = 53, 55
𝑄𝐴 = 18, 27𝑤 + 44
𝑃𝐵 = 7𝑤 + 20, 31𝑤 + 50
𝑄𝐵 = 21𝑤 + 64, 38𝑤 + 13
40
17
48
0
41
24
66
40
17
48
0
41
24
66
Alice Bob
𝐸0: 𝑦2 = 𝑥3 + 𝑥
![Page 13: Post-Quantum Cryptography in ARM Processors · 2019-10-07 · Open Questions about Post-Quantum Cryptography •Design better post-quantum cryptosystems •Improve classical and quantum](https://reader030.vdocuments.us/reader030/viewer/2022040214/5ec6b3f463a53b6c3429a23d/html5/thumbnails/13.jpg)
Secret Key
𝑠𝐴 = 6 𝑠𝐵 = 3
𝑠𝐴 ∈ 0,2𝑒𝐴
𝑠𝐵 ∈ 0,3𝑒𝐵
40
17
48
0
41
24
66
40
17
48
0
41
24
66
Alice Bob
![Page 14: Post-Quantum Cryptography in ARM Processors · 2019-10-07 · Open Questions about Post-Quantum Cryptography •Design better post-quantum cryptosystems •Improve classical and quantum](https://reader030.vdocuments.us/reader030/viewer/2022040214/5ec6b3f463a53b6c3429a23d/html5/thumbnails/14.jpg)
Public Key Generation
40
17
48
0
41
24
66
40
17
48
0
41
24
66
Alice Bob
𝐸0: 𝑦2 = 𝑥3 + 𝑥 𝐸0: 𝑦
2 = 𝑥3 + 𝑥
𝐸0
![Page 15: Post-Quantum Cryptography in ARM Processors · 2019-10-07 · Open Questions about Post-Quantum Cryptography •Design better post-quantum cryptosystems •Improve classical and quantum](https://reader030.vdocuments.us/reader030/viewer/2022040214/5ec6b3f463a53b6c3429a23d/html5/thumbnails/15.jpg)
Public Key Generation
40
17
48
0
41
24
66
40
17
48
0
41
24
66
Alice Bob
𝐸0: 𝑦2 = 𝑥3 + 𝑥 𝐸0: 𝑦
2 = 𝑥3 + 𝑥
𝜙𝐴: 𝐸0 → 𝐸𝐴 𝜙𝐵: 𝐸0 → 𝐸𝐵
𝐸0
p = 23 ∙ 32 − 1 = 71
![Page 16: Post-Quantum Cryptography in ARM Processors · 2019-10-07 · Open Questions about Post-Quantum Cryptography •Design better post-quantum cryptosystems •Improve classical and quantum](https://reader030.vdocuments.us/reader030/viewer/2022040214/5ec6b3f463a53b6c3429a23d/html5/thumbnails/16.jpg)
Public Key Generation
40
17
48
0
41
24
66
40
17
48
0
41
24
66
Alice Bob
𝐸0: 𝑦2 = 𝑥3 + 𝑥 𝐸0: 𝑦
2 = 𝑥3 + 𝑥
𝜙𝐴: 𝐸0 → 𝐸𝐴
𝐸𝐴: 𝑦2 = 𝑥3 + 22𝑥 + 35
𝜙𝐵: 𝐸0 → 𝐸𝐵
𝐸𝐵: 𝑦2 = 𝑥3 +63𝑥 + (55𝑤 + 16)
𝐸0
𝐸𝐴 = 𝐸0/ 𝐴 𝐸𝐵 = 𝐸0/ 𝐵
𝑅𝐴, 𝑆𝐴 = 𝜙𝐴 𝑃𝐵 , 𝜙𝐴 𝑄𝐵 𝑅𝐵, 𝑆𝐵 = 𝜙𝐵 𝑃𝐴 , 𝜙𝐵 𝑄𝐴
![Page 17: Post-Quantum Cryptography in ARM Processors · 2019-10-07 · Open Questions about Post-Quantum Cryptography •Design better post-quantum cryptosystems •Improve classical and quantum](https://reader030.vdocuments.us/reader030/viewer/2022040214/5ec6b3f463a53b6c3429a23d/html5/thumbnails/17.jpg)
Key Exchange
40
17
48
0
41
24
66
40
17
48
0
41
24
66
Alice Bob
𝐸0: 𝑦2 = 𝑥3 + 𝑥 𝐸0: 𝑦
2 = 𝑥3 + 𝑥
𝜙𝐴: 𝐸0 → 𝐸𝐴
𝐸𝐴: 𝑦2 = 𝑥3 + 22𝑥 + 35
𝜙𝐵: 𝐸0 → 𝐸𝐵
𝐸𝐵: 𝑦2 = 𝑥3 +63𝑥 + (55𝑤 + 16)
𝐸0
𝐸𝐴 = 𝐸0/ 𝐴 𝐸𝐵 = 𝐸0/ 𝐵
𝑅𝐴, 𝑆𝐴 = 𝜙𝐴 𝑃𝐵 , 𝜙𝐴 𝑄𝐵 𝑅𝐵, 𝑆𝐵 = 𝜙𝐵 𝑃𝐴 , 𝜙𝐵 𝑄𝐴
![Page 18: Post-Quantum Cryptography in ARM Processors · 2019-10-07 · Open Questions about Post-Quantum Cryptography •Design better post-quantum cryptosystems •Improve classical and quantum](https://reader030.vdocuments.us/reader030/viewer/2022040214/5ec6b3f463a53b6c3429a23d/html5/thumbnails/18.jpg)
Shared Secret Generation 𝐸0
𝐸𝐴 = 𝐸0/ 𝐴 𝐸𝐵 = 𝐸0/ 𝐵
𝑅𝐴, 𝑆𝐴 = 𝜙𝐴 𝑃𝐵 , 𝜙𝐴 𝑄𝐵 𝑅𝐵, 𝑆𝐵 = 𝜙𝐵 𝑃𝐴 , 𝜙𝐵 𝑄𝐴
40
17
48
0
41
24
66
40
17
48
0
41
24
66
Alice Bob
𝐸𝐵: 𝑦2 = 𝑥3 +63𝑥 + (55𝑤 + 16) 𝐸𝐴: 𝑦
2 = 𝑥3 + 22𝑥 + 35
![Page 19: Post-Quantum Cryptography in ARM Processors · 2019-10-07 · Open Questions about Post-Quantum Cryptography •Design better post-quantum cryptosystems •Improve classical and quantum](https://reader030.vdocuments.us/reader030/viewer/2022040214/5ec6b3f463a53b6c3429a23d/html5/thumbnails/19.jpg)
Shared Secret Generation 𝐸0
𝐸𝐴 = 𝐸0/ 𝐴 𝐸𝐵 = 𝐸0/ 𝐵
𝑅𝐴, 𝑆𝐴 = 𝜙𝐴 𝑃𝐵 , 𝜙𝐴 𝑄𝐵 𝑅𝐵, 𝑆𝐵 = 𝜙𝐵 𝑃𝐴 , 𝜙𝐵 𝑄𝐴
40
17
48
0
41
24
66
40
17
48
0
41
24
66
Alice Bob
𝐸𝐵: 𝑦2 = 𝑥3 +63𝑥 + (55𝑤 + 16) 𝐸𝐴: 𝑦
2 = 𝑥3 + 22𝑥 + 35
𝜙𝐴𝐵:𝐸𝐵 → 𝐸𝐴𝐵 𝜙𝐵𝐴: 𝐸𝐴 → 𝐸𝐵𝐴
![Page 20: Post-Quantum Cryptography in ARM Processors · 2019-10-07 · Open Questions about Post-Quantum Cryptography •Design better post-quantum cryptosystems •Improve classical and quantum](https://reader030.vdocuments.us/reader030/viewer/2022040214/5ec6b3f463a53b6c3429a23d/html5/thumbnails/20.jpg)
Shared Secret Generation 𝐸0
𝐸𝐴 = 𝐸0/ 𝐴 𝐸𝐵 = 𝐸0/ 𝐵
𝑅𝐴, 𝑆𝐴 = 𝜙𝐴 𝑃𝐵 , 𝜙𝐴 𝑄𝐵 𝑅𝐵, 𝑆𝐵 = 𝜙𝐵 𝑃𝐴 , 𝜙𝐵 𝑄𝐴
𝐸𝐴𝐵 = 𝐸𝐵/⟨𝐴′⟩ ≅ 𝐸𝐴/⟨𝐵
′⟩ = 𝐸𝐵𝐴
40
17
48
0
41
24
66
40
17
48
0
41
24
66
Alice Bob
𝐸𝐵: 𝑦2 = 𝑥3 +63𝑥 + (55𝑤 + 16) 𝐸𝐴: 𝑦
2 = 𝑥3 + 22𝑥 + 35
𝜙𝐴𝐵:𝐸𝐵 → 𝐸𝐴𝐵
𝐸𝐴𝐵: 𝑦2 = 𝑥3 + 21𝑤 + 14 𝑥 + (57𝑤 + 21)
𝜙𝐵𝐴: 𝐸𝐴 → 𝐸𝐵𝐴
𝐸𝐵𝐴: 𝑦2 = 𝑥3 + 21𝑤 + 14 𝑥 + (57𝑤 + 21)
![Page 21: Post-Quantum Cryptography in ARM Processors · 2019-10-07 · Open Questions about Post-Quantum Cryptography •Design better post-quantum cryptosystems •Improve classical and quantum](https://reader030.vdocuments.us/reader030/viewer/2022040214/5ec6b3f463a53b6c3429a23d/html5/thumbnails/21.jpg)
Shared Secret Generation
40
17
48
0
41
24
66
40
17
48
0
41
24
66
Alice Bob
Shared Secret
𝐸0
𝐸𝐴 = 𝐸0/ 𝐴 𝐸𝐵 = 𝐸0/ 𝐵
𝑅𝐴, 𝑆𝐴 = 𝜙𝐴 𝑃𝐵 , 𝜙𝐴 𝑄𝐵 𝑅𝐵, 𝑆𝐵 = 𝜙𝐵 𝑃𝐴 , 𝜙𝐵 𝑄𝐴
𝐸𝐴𝐵 = 𝐸𝐵/⟨𝐴′⟩ ≅ 𝐸𝐴/⟨𝐵
′⟩ = 𝐸𝐵𝐴
![Page 22: Post-Quantum Cryptography in ARM Processors · 2019-10-07 · Open Questions about Post-Quantum Cryptography •Design better post-quantum cryptosystems •Improve classical and quantum](https://reader030.vdocuments.us/reader030/viewer/2022040214/5ec6b3f463a53b6c3429a23d/html5/thumbnails/22.jpg)
22
SIKE Key sizes
NIST Level Prime size (bits)
Prime Public key size (bytes)
CompressedPK size (bytes)
1 434 22163137 − 1 330 196
2 503 22503159 − 1 378 224
3 610 23053192 − 1 462 273
5 751 23723239 − 1 564 331
![Page 23: Post-Quantum Cryptography in ARM Processors · 2019-10-07 · Open Questions about Post-Quantum Cryptography •Design better post-quantum cryptosystems •Improve classical and quantum](https://reader030.vdocuments.us/reader030/viewer/2022040214/5ec6b3f463a53b6c3429a23d/html5/thumbnails/23.jpg)
SIDH Computations
𝐹𝑝 Arithmetic
𝐹𝑝2 Arithmetic
Group ops
Extendedgroup ops
PQCprotocols
Addition Mult. Inversion
Addition Mult. InversionSquaring
Point Addition Point Doubling
Double Point Multiplication
Isogeny Evaluation and Computation
SIDH/ SIKE
Large Degree Isogeny Comput
![Page 24: Post-Quantum Cryptography in ARM Processors · 2019-10-07 · Open Questions about Post-Quantum Cryptography •Design better post-quantum cryptosystems •Improve classical and quantum](https://reader030.vdocuments.us/reader030/viewer/2022040214/5ec6b3f463a53b6c3429a23d/html5/thumbnails/24.jpg)
Comparisons
Public Key vs Ciphertext Size Speed vs Size
![Page 25: Post-Quantum Cryptography in ARM Processors · 2019-10-07 · Open Questions about Post-Quantum Cryptography •Design better post-quantum cryptosystems •Improve classical and quantum](https://reader030.vdocuments.us/reader030/viewer/2022040214/5ec6b3f463a53b6c3429a23d/html5/thumbnails/25.jpg)
Post-quantum on Small Devices
• STM32F4DISCOVERY
• Recommended by NIST for PQC evaluation
• ARM Cortex-M4
• 32-bit, ARMv7E-M
• 192 KiB RAM, 168 MHZ
![Page 26: Post-Quantum Cryptography in ARM Processors · 2019-10-07 · Open Questions about Post-Quantum Cryptography •Design better post-quantum cryptosystems •Improve classical and quantum](https://reader030.vdocuments.us/reader030/viewer/2022040214/5ec6b3f463a53b6c3429a23d/html5/thumbnails/26.jpg)
SIKE: Results for NIST level 1
0
200
400
600
800
1000
1200
1400
1600
1800
2000
Software Hardware
Mili
seco
nd
s
SIKE Total Running Time
ARM Cortex-M4 Artix-7 FPGA
~3K Slices only
ARM Cortex-A53 Artix-7 FPGA
Target: Resource-constrained IoTTarget: High Performance Edge
0
10
20
30
40
50
60
70
Software Hardware
Mili
seco
nd
s
SIKE Total Running Time
~10K Slices
![Page 27: Post-Quantum Cryptography in ARM Processors · 2019-10-07 · Open Questions about Post-Quantum Cryptography •Design better post-quantum cryptosystems •Improve classical and quantum](https://reader030.vdocuments.us/reader030/viewer/2022040214/5ec6b3f463a53b6c3429a23d/html5/thumbnails/27.jpg)
Hybrid Key Exchange and Signatures
•Hybrid → combine multiple cryptosystems at once
• Classical PKC still in use
• Classical is Smaller/Faster/Efficient
• PQC still being studied: i.e. may be broken
• Multiple choices for different environments
•Goal: Leverage risk among multiple schemes
•Example:
• Hash shared secret from multiple cryptosystems to get private key for AES
BROKEN if ECDH is broken
BROKEN if ECDH, SIKE, AND Frodo are broken
![Page 28: Post-Quantum Cryptography in ARM Processors · 2019-10-07 · Open Questions about Post-Quantum Cryptography •Design better post-quantum cryptosystems •Improve classical and quantum](https://reader030.vdocuments.us/reader030/viewer/2022040214/5ec6b3f463a53b6c3429a23d/html5/thumbnails/28.jpg)
The case for SIKE
• The post-quantum landscape is uncharted territory:• The smallest scheme is the slowest, and the fastest scheme is the largest.
• Compare with traditional cryptography, where the fastest scheme (ECC) is also the smallest.
• This situation introduces a new set of tradeoffs.• SIKE's advantages will become more pronounced over time.
• SIKE's disadvantages will become less pronounced over time.
![Page 29: Post-Quantum Cryptography in ARM Processors · 2019-10-07 · Open Questions about Post-Quantum Cryptography •Design better post-quantum cryptosystems •Improve classical and quantum](https://reader030.vdocuments.us/reader030/viewer/2022040214/5ec6b3f463a53b6c3429a23d/html5/thumbnails/29.jpg)
The future of SIKE: Computational Costs
• Hardware gets faster over time.
• Software also gets faster over time.
• The above happens naturally, without effort or expenditure.
• An across-the-board performance increase reduces the performance penalty of SIKE (in absolute terms).
• We can also spend more money for faster hardware.
• Certain expenditures (e.g. hardware acceleration) provide good value per unit cost.
![Page 30: Post-Quantum Cryptography in ARM Processors · 2019-10-07 · Open Questions about Post-Quantum Cryptography •Design better post-quantum cryptosystems •Improve classical and quantum](https://reader030.vdocuments.us/reader030/viewer/2022040214/5ec6b3f463a53b6c3429a23d/html5/thumbnails/30.jpg)
The future of SIKE: Communication Costs
• As hardware and software gets faster, attacks get faster.
• Faster attacks require larger keys to counteract.
• An across-the-board key size increase enlarges the communication cost benefits of SIKE (in absolute terms).
• Variance in communication channels is much higher than variance in cycle counts. SIKE already wins today on desktop browsers when including variance.
![Page 31: Post-Quantum Cryptography in ARM Processors · 2019-10-07 · Open Questions about Post-Quantum Cryptography •Design better post-quantum cryptosystems •Improve classical and quantum](https://reader030.vdocuments.us/reader030/viewer/2022040214/5ec6b3f463a53b6c3429a23d/html5/thumbnails/31.jpg)
Thank you!Questions?