post-quantum cryptography...post-quantum cryptography 1/22/2020 andreas hülsing 20. how to build...
TRANSCRIPT
Post-Quantum Cryptography
Andreas Hülsing
TU Eindhoven
Quantum kills the Internet
1/22/2020 Andreas Hülsing https://huelsing.net 2
Background:Cryptography
1/22/2020 Andreas Hülsing https://huelsing.net 3
Secret key encryption (SKE)
01/07/2019 https://huelsing.net 4
plaintext
Sdkfj
kj
djd
fj
djf
jkj
plaintext
Key k Key k
SKE.Enc SKE.Dec
Message authentication (MAC)
01/07/2019 https://huelsing.net 5
plaintext
Key k Key k
MAC.Tag MAC.Vrfyplaintext
How to build secret key crypto?
• Random function sufficient (we need one-wayness)
• Attacks ≈ unstructured search
• How to build random behaving function?
1/22/2020 Andreas Hülsing https://huelsing.net 6
Engineering*
* Disclaimer: Massive simplification
Spoiler: Killed by quantum? Not that we know.
(but weakened)*
How does Bob learn shared key k?
1/22/2020 Andreas Hülsing https://huelsing.net 7
Public key encryption (PKE)
01/07/2019 https://huelsing.net 8
plaintext
Sdkfj
kj
djd
fj
djf
jkj
plaintext
Bob’s pkBob’s sk
PKE.Enc PKE.Dec
Digital Signature (DSig)
01/07/2019 https://huelsing.net 9
plaintext
Alice’s pk
DSig.Sign DSig.Vrfyplaintext
Alice’s sk
Applications
• Code signing (DSIG)• Software updates
• Software distribution
• Mobile code
• Communication security (DSIG, PKE / KEX /KEM)• TLS, SSH, IPSec, ...
• eCommerce, online banking, eGovernment, ...
• Private online communication
1/22/2020 Andreas Hülsing https://huelsing.net 11
Communication security (simplified)
Hi
pk, Cert(pk belongs to shop)
PKC to establish shared secret sk
SKC secured communication using sk
1/22/2020 Andreas Hülsing https://huelsing.net 12
How to build PKC
(Computationally)
hard problemRSA
DL
QR DDH
PKC SchemeRSA-OAEP
ECDSA DH-KE
1/22/2020 Andreas Hülsing https://huelsing.net 13
The Quantum Threat
Shor‘s algorithm (1994)
• Quantum computers can do FFT very efficiently
• Can be used to find period of a function
• This can be exploited to factor efficiently (RSA)
• Shor also shows how to solve discrete log efficiently (DSA, DH, ECDSA, ECDH)
Grover‘s algorithm (1996)
• Quantum computers can search 𝑁 entry DB in Θ( 𝑁)
• Application to symmetric crypto
• Nice: Grover is provably optimal (For random function)
• Double security parameter.
What is the problem that QKD solves?
1/22/2020 Andreas Hülsing https://huelsing.net 17
Recall:Communication security (simplified)
Hi
pk, Cert(pk belongs to shop)
PKC to establish shared secret sk
SKC secured communication using sk
1/22/2020 Andreas Hülsing https://huelsing.net 18
The problem solved by QKD
Given
• a shared classical secret,
• a physical channel between parties that supports QKD
• compatible QKD devices on both ends of the channel
It is possible to
• generate a longer shared classical secret.
1/22/2020 Andreas Hülsing https://huelsing.net 19
“Key growing”(≠ “Key establishment“)
Solution to the problem caused by Shor?Post-quantum cryptography
1/22/2020 Andreas Hülsing https://huelsing.net 20
How to build PKC
(Computationally)
hard problemRSA
DL
QR DDH
PKC SchemeRSA-OAEP
ECDSA DH-KE
1/22/2020 Andreas Hülsing https://huelsing.net 21
(computationally)
Quantum-hard Problem
Early post-quantum crypto
„Cryptography based on problems that are conjectured to be hard even for quantum computers.“
...
1
3
14232
2
32
34121
2
11
y
xxxxxxy
xxxxxxy
Lattice-based: SVP / CVP Hash-based: CR / SPR / ...
Code-based: SD Multivariate: MQ
1/22/2020 Andreas Hülsing https://huelsing.net 22
Conjectured quantum-hardproblems• Solving multivariate quadratic equations (MQ-problem)
-> Multivariate Crypto
• Syndrom decoding problem (SD) -> Code-based crypto
• Short(est) and close(st) vector problem (SVP, CVP) -> Lattice-based crypto
• Breaking security of symmetric primitives (SHAx-, AES-, Keccak-,... problem)-> Hash-based signatures / symmetric crypto
• (Finding isogenies between supersingular elliptic curves-> SIDH / CSIDH)
1/22/2020 Andreas Hülsing https://huelsing.net 23
MQ-ProblemLet 𝒙 = (𝑥1, … , 𝑥𝑛) ∈ 𝔽 𝑞
𝑛 and MQ(𝑛,𝑚, 𝔽𝑞) denote the family of vectorial
functions 𝑭: 𝔽 𝑞𝑛⟶ 𝔽 𝑞
𝑚 of degree 2 over 𝔽𝑞:
MQ 𝑛,𝑚, 𝔽𝑞
= 𝑭 𝒙 = 𝑓1 𝒙 ,… , 𝑓𝑚 𝒙 𝑓𝑠 𝒙 =
𝑖,𝑗
𝑎𝑖,𝑗𝑥𝑖𝑥𝑗 +
𝑖
𝑏𝑖𝑥𝑖 ,
1/22/2020 Andreas Hülsing https://huelsing.net 24
Syndrom Decoding Problem
Given a matrix 𝐺 ∈ 𝔽𝑞𝑘×𝑛 of rank 𝑘, the set 𝐶 ≔ {𝑚𝐺 ∶ 𝑚 ∈ 𝔽𝑞
𝑘} is called a linear
code with generator matrix 𝐺. If 𝐶 = 𝑐 ∈ 𝔽𝑞𝑛 ∶ 𝐻𝑐𝑡 = 0 we call 𝐻 the parity
check matrix.
Syndrom Decoding Problem
Given:
• Linear Code 𝐶 ⊆ 𝔽𝑞𝑛,
• Syndrom 𝑠 ⊆ 𝔽𝑞𝑘 ,
• and error bound 𝑏 ∈ ℕ
Return:
• 𝑒 ∈ 𝔽𝑞𝑛 of weight ≤ 𝑏 such that 𝐻𝑒𝑡 = 𝑠
Decision version is NP-hard (Berlekamp, McEliece & v.Tilborg ‘78; Barg ‘94)
1/22/2020 Andreas Hülsing https://huelsing.net 26
Lattice-based cryptography
Basis: 𝐵 = 𝑏1, 𝑏2 ∈ ℤ2×2; 𝑏1, 𝑏2 ∈ ℤ
2
Lattice: Λ 𝐵 = 𝑥 = 𝐵𝑦 𝑦 ∈ ℤ2}
1/22/2020 Andreas Hülsing https://huelsing.net 28
Shortest vector problem (SVP)
1/22/2020 Andreas Hülsing https://huelsing.net 29
(Worst-case) Lattice Problems
• SVP: Find shortest vector in lattice, given random basis. NP-hard (Ajtai’96)
• Approximate SVP (𝜶SVP): Find short vector (norm < 𝛼 times norm of shortest vector). Hardness depends on 𝛼 (for 𝛼 used in crypto not NP-hard).
• CVP: Given random point in underlying vectorspace (e.g. ℤ𝑛), find the closest lattice point. (Generalization of SVP, reduction from SVP)
• Approximate CVP (𝜶CVP): Find a „close“ lattice point. (Generalization of 𝛼SVP)
1/22/2020 Andreas Hülsing https://huelsing.net 30
MQ, lattice & codes
• Average-case versions of NP-hard problems
• Best known quantum attacks: ”Quantizations” of classical attacks
• Need “structured versions” for efficiency• More structure -> often easier break
• Still only quantum attacks on “overstretched parameters“
• Theoretically, signatures & PKE/KEM possible
1/22/2020 Andreas Hülsing https://huelsing.net 32
(Hash) functions
ℎ = {0,1}𝑛× {0,1}𝑙 𝑛 → {0,1}𝑛
ℎ 𝑘,𝑚 = ℎ𝑘 𝑚
𝑙(𝑛) ≥ 𝑛,
„efficient“
ℎ𝑘
{0,1}𝑙 𝑛
{0,1}𝑛
Preimage resistance (PRE)
𝑃𝑟[𝑘 ←𝑅 0,1𝑛, 𝑥 ←𝑅 0,1
𝑙 𝑛 , 𝑦 ← ℎ𝑘 𝑥 ,
𝑥′ ← 𝐴 𝑘, 𝑦 : ℎ𝑘 𝑥′ = 𝑦]
𝑦𝑐 , 𝑘 𝑥∗
Collision resistance (CR)
𝑘 (𝑥1∗, 𝑥2∗)
𝑃𝑟[𝑘 ←𝑅 0,1𝑛, 𝑥1, 𝑥2 ← 𝐴 𝑘 :
ℎ𝑘 𝑥1 = ℎ𝑘 𝑥2 ∧ 𝑥1 ≠ 𝑥2 ]
Second-preimage resistance (SPR)
𝑃𝑟[𝑘 ←𝑅 0,1𝑛, 𝑥 ←𝑅 0,1
𝑙 𝑛 , 𝑥′ ← 𝐴 𝑘, 𝑥 :
ℎ𝑘 𝑥 = ℎ𝑘 𝑥′ ∧ 𝑥 ≠ 𝑥′ ]
𝑥𝑐 , 𝑘 𝑥∗
Hash-based signatures
• Based on security of hash-functions
• Only signature schemes possible
• Quantum attacks:• Random function: average case unstructured search (=
Grover)• Upper & lower bounds for generic attacks (Zhandry ‘15,
Huelsing, Song & Rijneveld ‘16)
• PRE, SPR: Θ(𝑞2
2𝑛), CR: Θ(
𝑞3
2𝑛)
• Costs in more realistic models are worse (e.g. Bernstein & Souza Banegas ‘17)
• Actual hash-function: hardness of distinguishing construction from random
1/22/2020 Andreas Hülsing https://huelsing.net 37
Isogeny-based crypto
• Problem: find isogeny between two given elliptic curves.
• New kid on the block / Late to the party
• Sexy for old-school crypto people: Can reuse knowledge about elliptic curves
• Only area that allows for “non-interactive key exchange“ (NIKE)
1/22/2020 Andreas Hülsing https://huelsing.net 39
1/22/2020 Andreas Hülsing https://huelsing.net 40
CSIDH (Castryck, Lange, Martindale, Renes, Panny)• Classical world: Diffie-Hellman key exchange
operation very special
• Only real post-quantum replacement for DH
• Subexponential time quantum attacks (Kuperberg‘s algorithm)
• Not my speciality -> ask the experts in the room
1/22/2020 Andreas Hülsing https://huelsing.net 41
Modern post-quantum crypto
„Users using cryptography on conventional computers facing quantum adversaries“
Adds questions like
• How to argue security?
• Are our security models sound?
• What is the complexity of actual quantum attacks?
1/22/2020 Andreas Hülsing https://huelsing.net 42
QS0: Classical security
01/07/2019 https://huelsing.net 43
01010101110110
1101010101110110
1101010101110110
1100010100010110
QS1: Post-quantum security
01/07/2019 https://huelsing.net 44
01010101110110
1101010101110110
1101010101110110
0 1 0 1 0 1 0 1 1 1 0 1 1 0
QS2: Quantum security
01/07/2019 https://huelsing.net 45
0 1 0 1 0 1 0 1 1 1 0 1 1 0
0 1 0 1 0 1 0 1 1 1 0 1 1 0
0 1 0 1 0 1 0 1 1 1 0 1 1 0
0 1 0 1 0 1 0 1 1 1 0 1 1 0
For practical applications we care about QS1
01/07/2019 https://huelsing.net 46
NIST Competition
1/22/2020 Andreas Hülsing https://huelsing.net 47
“We see our role as managing a process of achieving community consensus in a transparent and timely manner” NIST’s Dustin Moody 2018
Status of the competition
• Nov 2017: 82 submissions collected
• Dec 2017: 69 “complete & proper” proposals published• -> Starts round 1 (of 2 or 3 rounds)
• 6 proposals with involvement from Eindhoven
• Jan 2019: 26 proposals selected for 2nd round. • 17 KEM, 9 Signature
• TU/e: 4 KEM, 2 Signature in 2nd round!
• 2022 – 2024 Draft standards exist
1/22/2020 Andreas Hülsing https://huelsing.net 48
Implementation security
1/22/2020 Andreas Hülsing https://huelsing.net 49
Side-channel attacks
• Implementations leak information:• Timing
• Power-consumption
• EM-radiation
• ...
• Implementations have to ensure that leak non-critical
• New mathematical problems = new basic operations
1/22/2020 Andreas Hülsing https://huelsing.net 50
Gaussian sampling
1/22/2020 Andreas Hülsing https://huelsing.net 51
Resources
• PQ Summer School: http://www.pqcschool.org/
• NIST PQC Standardization Project: https://csrc.nist.gov/Projects/Post-Quantum-Cryptography
1/22/2020 Andreas Hülsing https://huelsing.net 52
Thank you!
Questions?
1/22/2020 Andreas Hülsing https://huelsing.net 53