Getting Ready for the Post-Quantum Transition


Page 1: Getting Ready for the Post-Quantum Transition...May 16, 2019  · Post-Quantum Cryptography at Microsoft Three Parallel Workstreams •Algorithms: 4 submissions to the NIST PQC standardization

Getting Ready for the Post-Quantum Transition

Page 2

a.k.a. How to Prepare for Certain Catastrophe

Page 3

[Figure: Relative Algorithm Strength Over Time, 2000–2018. Curves for MD5 (1991), SHA-1 (1995), and RSA (1978) with RSA-1024 (US/CA NT 4.0, 1996), showing the RSA 1024->2048 transition, the RSA->ECC transition, and PQC. Events marked on the timeline:]

• 1st better-than-brute-force attack on SHA-1
• 1st MD5 collision
• 1st SHA-1 collision
• MSR PQC project starts
• NSA revises Suite B & says PQC coming
• Crypto SDL bans RSA <2048
• NIST announces RSA-1024 transition
• Windows blocks RSA <1024
• FLAME attack on MS PKI
• NSA announces Suite B, starts move to ECC

Page 4

Quantum is coming

16-May-2019 Utimaco Webinar 4

Page 5

Photos courtesy of: Professor Charlie Marcus

Page 6

A complete, scalable quantum system

Page 7

Contemporary Cryptography: TLS-ECDHE-RSA-AES128-GCM-SHA256

• RSA signatures: security rests on the difficulty of factoring
• Elliptic curve Diffie–Hellman key exchange: security rests on the difficulty of elliptic curve discrete logarithms
  Both problems can be solved efficiently by a large-scale quantum computer (Shor's Algorithm, 1994)
• AES, SHA-2: impacted by quantum computing, but we can mitigate by increasing key sizes (Grover's Algorithm, 1996)


Page 8

Resource Estimates for Shor’s Algorithm


Source: Quantum Resource Estimates for Computing Elliptic Curve Discrete Logarithms, Roetteler et al., Asiacrypt 2017.

Page 9

31-JAN-2019 DigiCert Security Summit 9

Hypothetical 15-Year View for PQ Crypto

[Figure: timeline from Jan 2015 to Dec 2029. Dec 2017 – Dec 2023: NIST PQ Standardization Process. ~2030: Quantum Computer Breaks Asymmetric Crypto. "WE ARE HERE" marks the present (2019). Phases laid out along the timeline: R&D, Standards Discussions, Pilots, Rollouts, Migration, Decommission.]

Page 10

Future Quantum Computers are a Threat Today

• Even if a cryptographically-relevant quantum computer is a decade away…
• Record now, exploit later
  • Today's non-PQ encryption will break in the future
  • What is the security lifetime of the data you and your customers are transmitting and storing?
• Authentication, code-signing, and digital signatures
  • If I can break the algorithm and determine the private key, I can impersonate
  • For example, the Windows Update channel
  • What happens if an adversary can "update" the firmware on your processor?
• We're creating more legacy every day
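The two risks on this slide, harvested ciphertext outliving its algorithm and signing keys still trusted when the algorithm falls, can be turned into a simple crypto-inventory triage. The following is an added example (not Microsoft's tooling and not from the slides); it applies Mosca's inequality, which the deck only implies: if data lifetime plus migration time exceeds the time until a cryptographically-relevant quantum computer, the data is exposed. Asset names, lifetimes and the 11-year horizon (2019 to the deck's hypothetical ~2030) are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass

# Asymmetric algorithms whose hard problems fall to Shor's algorithm.
SHOR_VULNERABLE = {"RSA", "DH", "ECDH", "ECDSA", "DSA"}
# Symmetric primitives: Grover roughly halves effective key strength, and the
# mitigation is a larger key, not a new algorithm.
SYMMETRIC_KEY_BITS = {"AES-128": 128, "AES-192": 192, "AES-256": 256}


@dataclass
class Asset:
    name: str
    algorithm: str
    purpose: str                # "confidentiality" or "authentication"
    data_lifetime_years: float  # how long the protected data must stay secret
    migration_years: float      # time needed to deploy a PQ or hybrid replacement


def assess(asset: Asset, qc_horizon_years: float) -> tuple[str, str]:
    """Return (status, reason) for one asset against an assumed quantum horizon."""
    if asset.algorithm in SHOR_VULNERABLE:
        if asset.purpose == "confidentiality":
            # Ciphertext captured today can be decrypted once a quantum computer
            # exists, so the data must expire before the horizon, counting from
            # the day the migration completes.
            exposure = asset.migration_years + asset.data_lifetime_years
            if exposure > qc_horizon_years:
                return ("EXPOSED", f"record-now/exploit-later: {exposure:g}y > {qc_horizon_years:g}y horizon")
            return ("OK", "data expires before a quantum computer could decrypt it")
        # Signing / authentication keys: a key still trusted after the horizon
        # can be recovered and used to impersonate (e.g. an update channel).
        if asset.migration_years > qc_horizon_years:
            return ("EXPOSED", "key still trusted when a quantum computer arrives")
        return ("OK", "key retired before the horizon")
    if asset.algorithm in SYMMETRIC_KEY_BITS:
        effective = SYMMETRIC_KEY_BITS[asset.algorithm] // 2  # Grover's quadratic speed-up
        if effective < 128:
            return ("RESIZE", f"Grover leaves ~{effective}-bit security; move to a larger key")
        return ("OK", f"~{effective}-bit post-Grover security")
    return ("UNKNOWN", "algorithm not classified; inventory it and review")


def triage(inventory: list[Asset], qc_horizon_years: float) -> dict[str, tuple[str, str]]:
    """Assess every asset; returns {asset name: (status, reason)}."""
    return {a.name: assess(a, qc_horizon_years) for a in inventory}


# Constructed sample inventory (hypothetical names and figures).
SAMPLE_INVENTORY = [
    Asset("customer-archive-tls", "ECDH", "confidentiality", 20, 5),
    Asset("internal-chat-tls", "ECDH", "confidentiality", 1, 3),
    Asset("firmware-signing-key", "RSA", "authentication", 0, 15),
    Asset("update-channel-ca", "RSA", "authentication", 0, 6),
    Asset("disk-encryption", "AES-128", "confidentiality", 10, 2),
    Asset("backup-encryption", "AES-256", "confidentiality", 20, 2),
]

if __name__ == "__main__":
    # An 11-year horizon matches the deck's hypothetical "~2030" seen from 2019.
    for name, (status, reason) in triage(SAMPLE_INVENTORY, 11).items():
        print(f"{status:8} {name:24} {reason}")
```

The point of running this over a real inventory is the ordering it produces: long-lived confidential data behind classical key exchange and long-lived signing keys (firmware, update channels) come out first, which is the "we may already be late" argument of the summary slide in concrete terms.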


Page 11

Post-Quantum Cryptography at Microsoft: Three Parallel Workstreams

• Algorithms: 4 submissions to the NIST PQC standardization process. Ongoing work on high-performance implementations and cryptanalysis of our submissions.

• Protocols: Make commonly-used security protocols “PQ-enabled”.

• Systems: Integrate PQC into exemplary “high-value/high-risk” engineering systems and processes.


Page 12

NIST Post-Quantum Standardization Project

• “Competition” launched Nov 30, 2017

• Research teams from around the world responded

• 70 submissions, of which 6 already withdrawn and 9 others have apparently successful attacks

• Four candidates submitted by Microsoft & collaborators

• NIST & crypto community now engaged in cryptanalysis

• NIST expected to pick multiple “winning” algorithms


Page 13

NIST PQC Round 2 Candidates Announced

• NIST just announced on January 30 the algorithms selected to move forward to Round 2.
  • 17 key encipherment (encryption) algorithms
  • 9 digital signature algorithms
• Teams had until March 15 March 30 to "tweak" their submissions.
  • Tweaks must be approved by NIST.
• All four MSR co-submitted proposals advanced to Round 2.


Page 14


• "Picnic": Post-Quantum Signatures
• "qTESLA": Post-Quantum Signatures
• "SIKE": Supersingular Isogeny Key Encipherment
• "FrodoKEM": Learning With Errors Key Encipherment

Page 15

FrodoKEM: Learning With Errors Key Encipherment

• Collaboration among
  Microsoft (Craig Costello, Karen Easterbrook, Brian LaMacchia, Michael Naehrig, Patrick Longa)
  Google (Ilya Mironov, Ananth Raghunathan)
  NXP (Joppe Bos)
  CWI (Leo Ducas)
  University of Waterloo (Douglas Stebila)
  University of Michigan (Chris Peikert)
  Ege University (Erdem Alkim)
  Stanford University (Valeria Nikolaenko)
• Lattice-based encryption based on the "learning with errors" problem
• Efficiency: Fast, but relatively large keys.


Page 16

SIKE: Supersingular Isogeny Key Encipherment

• Collaboration among
  Microsoft (Craig Costello, Brian LaMacchia, Michael Naehrig, Patrick Longa)
  Amazon (Matt Campagna)
  InfoSec Global (Basil Hess, Vladimir Soukharev)
  Texas Instruments (Brian Koziel)
  University of Waterloo (David Jao, David Urbanik)
  Université de Versailles (Luca DeFeo)
  Radboud University (Joost Renes)
  Florida Atlantic University (Reza Azarderakhsh, Amir Jalali)
• Elliptic curve-based KEM, based on the "supersingular isogeny" problem
• Efficiency: Small keys, but relatively slow


Page 17

qTESLA Post-Quantum Digital Signature Scheme

• Collaboration among
  Microsoft (Patrick Longa)
  Isara Corporation (Edward Eaton, Gus Gutowski)
  Ondokuz Mayıs University (Sedat Akleylek, Erdem Alkim)
  Technische Universität Darmstadt (Nina Bindel, Johannes Buchmann, Juliane Krämer, Harun Polat)
  University of São Paulo (Jefferson Ricardini, Gustavo Zanon)
  University of Washington-Tacoma (Paulo Barreto)
• Signature scheme based on Ring-LWE Fiat-Shamir w/ aborts
• Efficiency: Fast signing and verification, key and signature sizes only 4-6x greater than RSA-4096


Page 18

Picnic Post-Quantum Digital Signature Scheme

• Collaboration among
  Microsoft (Melissa Chase, Greg Zaverucha)
  DFINITY (David Derler)
  Aarhus University (Claudio Orlandi)
  Austrian Institute of Technology (Daniel Slamanig)
  Georgia Tech (Vladimir Kolesnikov)
  Graz University of Technology (Sebastian Ramacher)
  Northwestern University (Xiao Wang)
  Princeton (Steven Goldfeder)
  Technical University of Denmark (Christian Rechberger)
  University of Maryland (Jonathan Katz)
• Signature scheme based on efficient zero-knowledge proofs
• Hard problems: Hash collision and preimage, block cipher key recovery
• Efficiency: Small keys, large signatures


Page 19

Round 2 Performance: Key Encipherment

Cycle counts are in millions (x 10^6) for encapsulation plus decapsulation (enc+dec).

         FrodoKEM                             SIKE, uncompressed                   SIKE, compressed
NIST     Lattice     PK size   Cycles        Prime length   PK size   Cycles       PK size   Cycles
level    dimension   (bytes)   (x 10^6)      (bits)         (bytes)   (x 10^6)     (bytes)   (x 10^6)
1        640         9616      3.6           434            326       21.9         191       40.6
3        976         15632     7.0           610            458       52.8         268       96.1
5        1344        21520     11.7          751            564       88.5         330       156.1


Page 20

Round 2 Performance: Digital Signatures

Cycle counts are in thousands (x 10^3) for signing plus verification (sign+verify).

         qTESLA                                         Picnic
NIST     Signature size   PK size   Cycles (x 10^3)     Signature size   PK size   Cycles (x 10^3)
level    (bytes)          (bytes)   (sign+verify)       (bytes)          (bytes)   (sign+verify)
1        1,376            1,504     309.7               12,850           32        330,494
3        2,848            3,104     454.0               26,226           48        881,730
5        5,920            6,432     1,190.4             42,536           64        1,734,362


Page 21

Bringing PQ to Industry Crypto Protocols

• The Open Quantum Safe (OQS) project provides a common API for testing and prototyping with post-quantum crypto algorithms
  • Multi-org OQS dev team includes University of Waterloo, Microsoft, Amazon, SRI International
  • Includes LIBOQS, an open source C library for PQ Crypto algorithms
• This lets us access and test any PQ algorithm in an OQS-enlightened protocol
  • To date, we have integrated Frodo/FrodoKEM, SIDH/SIKE, qTESLA, and Picnic into OQS
• https://openquantumsafe.org/


Page 22

PQC Protocol Integrations using OQS

• We integrated the OQS library into protocols to provide PQC and hybrid ciphersuites
  • Hybrid: keep your FIPS or otherwise approved crypto, add PQ protection
  • For more on hybrid PKI, see Bindel et al. 2017: https://eprint.iacr.org/2017/460.pdf
• OpenSSL, with TLS 1.2 and 1.3 support
  • https://github.com/open-quantum-safe/openssl
• OpenSSH
  • https://github.com/open-quantum-safe/openssh-portable
• OpenVPN: For securing links against "record now/exploit later" attacks.
  • https://github.com/Microsoft/PQCrypto-VPN
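"Keep your approved crypto, add PQ protection" comes down to how the two key exchanges are combined. The following added example (it is not the slides' code and not the combiner the OQS OpenSSL fork implements, whose exact construction is an assumption here) shows the common concatenation approach: the classical ECDHE shared secret and the PQ KEM shared secret are length-prefixed, concatenated and fed through HKDF together with a handshake transcript hash, so the session key remains secret as long as either component is unbroken. The shared secrets and transcript in the demo are constructed stand-ins for values a real handshake would produce.

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with HMAC-SHA-256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA-256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hybrid_session_key(classical_ss: bytes, pq_ss: bytes,
                       transcript_hash: bytes, length: int = 32) -> bytes:
    """Derive one session key from a classical and a PQ shared secret.

    classical_ss:    the ECDHE shared secret (e.g. X25519 or P-256 output)
    pq_ss:           the KEM shared secret (e.g. FrodoKEM or SIKE decapsulation)
    transcript_hash: hash of the handshake messages, binding the key to the
                     negotiated hybrid ciphersuite and both public values
    """
    if not classical_ss or not pq_ss:
        raise ValueError("a hybrid key needs both shared secrets")
    # Length-prefix each secret so (A||B) cannot be re-split into a different pair.
    ikm = (len(classical_ss).to_bytes(2, "big") + classical_ss
           + len(pq_ss).to_bytes(2, "big") + pq_ss)
    prk = hkdf_extract(salt=b"", ikm=ikm)
    # Domain-separate the output: label (constructed for this example) plus transcript.
    info = b"hybrid ecdhe+pqkem session key" + transcript_hash
    return hkdf_expand(prk, info, length)


if __name__ == "__main__":
    # Constructed stand-in secrets; in a real handshake these come from the
    # ECDHE computation and the KEM decapsulation on each side.
    ecdhe = bytes.fromhex("11" * 32)
    kem = bytes.fromhex("22" * 32)
    th = hashlib.sha256(b"ClientHello||ServerHello (constructed)").digest()
    print(hybrid_session_key(ecdhe, kem, th).hex())
```

Two design points matter for a defender reviewing such a combiner: the derived key must change when either input changes (otherwise one component is silently ignored), and the transcript must be bound in so that a downgrade to a non-hybrid suite does not produce a key an attacker could have computed.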


Page 23

PQ-VPN Demo Architecture

• Making legacy applications PQ-agile can be difficult and expensive
• A PQ-VPN wrapper is a deployment option that doesn't require updating the entire legacy stack

[Diagram: On a Windows PC, a browser (to azuresite.com and office365.com), an ssh client and a 3rd-party app all send their traffic through a PQ-enabled OpenVPN client. A PQ-protected VPN tunnel carries that traffic across the Internet to a PQ-enabled OpenVPN server in Azure, which forwards it on to the 3rd-party app service, sshd, Office365, azuresite.com and dnsleaktest.com. The application connections (labelled TLS in the diagram) run unchanged inside the tunnel.]


Page 24

PQAP: An RPi3 PQ-VPN Appliance

• Our PQ-VPN project also includes software and instructions for building a PQ secure VPN appliance using a standard Raspberry Pi 3.
• Acts as a WiFi access point, tunnels all of its traffic over PQ-VPN to a cloud-hosted endpoint.
• No software install needed on client devices.
• All connected devices get PQ security transparently.

Yeah, we changed the password on this…

Page 25

Systems: Key Scenarios for Microsoft

• Public Key Infrastructure (PKI)
  • Both corporate and externally-facing
• Code signing for Microsoft products and services
  • Authenticode (e.g. Windows DLLs)
  • UWP (Microsoft Store) applications
  • XBOX
• Azure Cloud Computing
  • Key Vault


Page 26

PQC with a Hardware Security Module

• We added support for the Picnic algorithm to a Utimaco HSM
  • To the HSM simulator first, then cross-compiled to the HSM itself.
  • Where possible, we replaced functions in MS software with calls to Utimaco firmware: RNG, SHA-3, ASN.1 utilities
• Goal: demonstrate three key PKI CA operations
  • HSM generates & stores new PQ CA key and issues self-signed cert
  • HSM generates & stores new PQ EE key, CA issues cert for EE key
  • User creates CSR outside the HSM for a legacy (RSA) key pair. Sends CSR to PQ CA in the HSM. CA issues PQ cert for RSA public key.
• All PQ operations use Picnic keys and signatures


Page 27

PQ Open Source Releases

Libraries:

• https://github.com/Microsoft/PQCrypto-LWEKE

• https://github.com/Microsoft/PQCrypto-SIKE

• https://github.com/qtesla/qTesla

• https://github.com/Microsoft/Picnic

Protocol Integrations:

• https://openquantumsafe.org/

• https://github.com/open-quantum-safe/openssl

• https://github.com/open-quantum-safe/openssh-portable

• https://github.com/Microsoft/PQCrypto-VPN

Overall project site:

• https://www.microsoft.com/en-us/research/project/post-quantum-cryptography/


Page 28

Summary – Preparing for a PQ future

• Quantum computers are coming – maybe not for a decade or more, but within the protection lifetime of data we are generating and encrypting today
• We need to start planning the transition to post-quantum cryptographic algorithms now.
• To prepare for the PQ transition, all our systems need cryptographic agility
• Hybrid solutions combining classical and post-quantum primitives look promising; they provide both traditional cryptographic guarantees as well as some PQ resistance
• Practical engineering options exist today for deploying PQ
  • But it is going to take a long time to update our software stacks…
• We may already be late to transition
  • Some of our customers have data with a protection lifespan of 15-20 years or more.
  • IoT and critical infrastructure have devices that won't be updated for 15+ years.


Page 29

Questions?
