post-quantum cryptography...post-quantum cryptography 1/22/2020 andreas hülsing 20. how to build...

Post-Quantum Cryptography

Andreas Hülsing

TU Eindhoven

Quantum kills the Internet

1/22/2020 Andreas Hülsing https://huelsing.net 2

Background:Cryptography


Secret key encryption (SKE)

01/07/2019 https://huelsing.net 4

plaintext

Sdkfj

kj

djd

fj

djf

jkj

plaintext

Key k Key k

SKE.Enc SKE.Dec

Message authentication (MAC)


plaintext

Key k Key k

MAC.Tag MAC.Vrfyplaintext

How to build secret key crypto?

• Random function sufficient (we need one-wayness)

• Attacks ≈ unstructured search

• How to build random behaving function?


Engineering*

* Disclaimer: Massive simplification

Spoiler: Killed by quantum? Not that we know.

(but weakened)*

How does Bob learn shared key k?


Public key encryption (PKE)


plaintext

Sdkfj

kj

djd

fj

djf

jkj

plaintext

Bob’s pkBob’s sk

PKE.Enc PKE.Dec

Digital Signature (DSig)


plaintext

Alice’s pk

DSig.Sign DSig.Vrfyplaintext

Alice’s sk

Applications

• Code signing (DSIG)• Software updates

• Software distribution

• Mobile code

• Communication security (DSIG, PKE / KEX /KEM)• TLS, SSH, IPSec, ...

• eCommerce, online banking, eGovernment, ...

• Private online communication


Communication security (simplified)

Hi

pk, Cert(pk belongs to shop)

PKC to establish shared secret sk

SKC secured communication using sk


How to build PKC

(Computationally)

hard problemRSA

DL

QR DDH

PKC SchemeRSA-OAEP

ECDSA DH-KE


The Quantum Threat

Shor‘s algorithm (1994)

• Quantum computers can do FFT very efficiently

• Can be used to find period of a function

• This can be exploited to factor efficiently (RSA)

• Shor also shows how to solve discrete log efficiently (DSA, DH, ECDSA, ECDH)

Grover‘s algorithm (1996)

• Quantum computers can search 𝑁 entry DB in Θ( 𝑁)

• Application to symmetric crypto

• Nice: Grover is provably optimal (For random function)

• Double security parameter.

What is the problem that QKD solves?


Recall:Communication security (simplified)

Hi

pk, Cert(pk belongs to shop)

PKC to establish shared secret sk

SKC secured communication using sk


The problem solved by QKD

Given

• a shared classical secret,

• a physical channel between parties that supports QKD

• compatible QKD devices on both ends of the channel

It is possible to

• generate a longer shared classical secret.


“Key growing”(≠ “Key establishment“)

Solution to the problem caused by Shor?Post-quantum cryptography


How to build PKC

(Computationally)

hard problemRSA

DL

QR DDH

PKC SchemeRSA-OAEP

ECDSA DH-KE


(computationally)

Quantum-hard Problem

Early post-quantum crypto

„Cryptography based on problems that are conjectured to be hard even for quantum computers.“

...

1

3

14232

2

32

34121

2

11

y

xxxxxxy

xxxxxxy

Lattice-based: SVP / CVP Hash-based: CR / SPR / ...

Code-based: SD Multivariate: MQ


Conjectured quantum-hardproblems• Solving multivariate quadratic equations (MQ-problem)

-> Multivariate Crypto

• Syndrom decoding problem (SD) -> Code-based crypto

• Short(est) and close(st) vector problem (SVP, CVP) -> Lattice-based crypto

• Breaking security of symmetric primitives (SHAx-, AES-, Keccak-,... problem)-> Hash-based signatures / symmetric crypto

• (Finding isogenies between supersingular elliptic curves-> SIDH / CSIDH)


MQ-ProblemLet 𝒙 = (𝑥1, … , 𝑥𝑛) ∈ 𝔽 𝑞

𝑛 and MQ(𝑛,𝑚, 𝔽𝑞) denote the family of vectorial

functions 𝑭: 𝔽 𝑞𝑛⟶ 𝔽 𝑞

𝑚 of degree 2 over 𝔽𝑞:

MQ 𝑛,𝑚, 𝔽𝑞

= 𝑭 𝒙 = 𝑓1 𝒙 ,… , 𝑓𝑚 𝒙 𝑓𝑠 𝒙 =

𝑖,𝑗

𝑎𝑖,𝑗𝑥𝑖𝑥𝑗 +

𝑖

𝑏𝑖𝑥𝑖 ,


Syndrom Decoding Problem

Given a matrix 𝐺 ∈ 𝔽𝑞𝑘×𝑛 of rank 𝑘, the set 𝐶 ≔ {𝑚𝐺 ∶ 𝑚 ∈ 𝔽𝑞

𝑘} is called a linear

code with generator matrix 𝐺. If 𝐶 = 𝑐 ∈ 𝔽𝑞𝑛 ∶ 𝐻𝑐𝑡 = 0 we call 𝐻 the parity

check matrix.

Syndrom Decoding Problem

Given:

• Linear Code 𝐶 ⊆ 𝔽𝑞𝑛,

• Syndrom 𝑠 ⊆ 𝔽𝑞𝑘 ,

• and error bound 𝑏 ∈ ℕ

Return:

• 𝑒 ∈ 𝔽𝑞𝑛 of weight ≤ 𝑏 such that 𝐻𝑒𝑡 = 𝑠

Decision version is NP-hard (Berlekamp, McEliece & v.Tilborg ‘78; Barg ‘94)


Lattice-based cryptography

Basis: 𝐵 = 𝑏1, 𝑏2 ∈ ℤ2×2; 𝑏1, 𝑏2 ∈ ℤ

2

Lattice: Λ 𝐵 = 𝑥 = 𝐵𝑦 𝑦 ∈ ℤ2}


Shortest vector problem (SVP)


(Worst-case) Lattice Problems

• SVP: Find shortest vector in lattice, given random basis. NP-hard (Ajtai’96)

• Approximate SVP (𝜶SVP): Find short vector (norm < 𝛼 times norm of shortest vector). Hardness depends on 𝛼 (for 𝛼 used in crypto not NP-hard).

• CVP: Given random point in underlying vectorspace (e.g. ℤ𝑛), find the closest lattice point. (Generalization of SVP, reduction from SVP)

• Approximate CVP (𝜶CVP): Find a „close“ lattice point. (Generalization of 𝛼SVP)


MQ, lattice & codes

• Average-case versions of NP-hard problems

• Best known quantum attacks: ”Quantizations” of classical attacks

• Need “structured versions” for efficiency• More structure -> often easier break

• Still only quantum attacks on “overstretched parameters“

• Theoretically, signatures & PKE/KEM possible


(Hash) functions

ℎ = {0,1}𝑛× {0,1}𝑙 𝑛 → {0,1}𝑛

ℎ 𝑘,𝑚 = ℎ𝑘 𝑚

𝑙(𝑛) ≥ 𝑛,

„efficient“

ℎ𝑘

{0,1}𝑙 𝑛

{0,1}𝑛

Preimage resistance (PRE)

𝑃𝑟[𝑘 ←𝑅 0,1𝑛, 𝑥 ←𝑅 0,1

𝑙 𝑛 , 𝑦 ← ℎ𝑘 𝑥 ,

𝑥′ ← 𝐴 𝑘, 𝑦 : ℎ𝑘 𝑥′ = 𝑦]

𝑦𝑐 , 𝑘 𝑥∗

Collision resistance (CR)

𝑘 (𝑥1∗, 𝑥2∗)

𝑃𝑟[𝑘 ←𝑅 0,1𝑛, 𝑥1, 𝑥2 ← 𝐴 𝑘 :

ℎ𝑘 𝑥1 = ℎ𝑘 𝑥2 ∧ 𝑥1 ≠ 𝑥2 ]

Second-preimage resistance (SPR)

𝑃𝑟[𝑘 ←𝑅 0,1𝑛, 𝑥 ←𝑅 0,1

𝑙 𝑛 , 𝑥′ ← 𝐴 𝑘, 𝑥 :

ℎ𝑘 𝑥 = ℎ𝑘 𝑥′ ∧ 𝑥 ≠ 𝑥′ ]

𝑥𝑐 , 𝑘 𝑥∗

Hash-based signatures

• Based on security of hash-functions

• Only signature schemes possible

• Quantum attacks:• Random function: average case unstructured search (=

Grover)• Upper & lower bounds for generic attacks (Zhandry ‘15,

Huelsing, Song & Rijneveld ‘16)

• PRE, SPR: Θ(𝑞2

2𝑛), CR: Θ(

𝑞3

2𝑛)

• Costs in more realistic models are worse (e.g. Bernstein & Souza Banegas ‘17)

• Actual hash-function: hardness of distinguishing construction from random


Isogeny-based crypto

• Problem: find isogeny between two given elliptic curves.

• New kid on the block / Late to the party

• Sexy for old-school crypto people: Can reuse knowledge about elliptic curves

• Only area that allows for “non-interactive key exchange“ (NIKE)


CSIDH (Castryck, Lange, Martindale, Renes, Panny)• Classical world: Diffie-Hellman key exchange

operation very special

• Only real post-quantum replacement for DH

• Subexponential time quantum attacks (Kuperberg‘s algorithm)

• Not my speciality -> ask the experts in the room


Modern post-quantum crypto

„Users using cryptography on conventional computers facing quantum adversaries“

Adds questions like

• How to argue security?

• Are our security models sound?

• What is the complexity of actual quantum attacks?


QS0: Classical security


01010101110110

1101010101110110

1101010101110110

1100010100010110

QS1: Post-quantum security


01010101110110

1101010101110110

1101010101110110

0 1 0 1 0 1 0 1 1 1 0 1 1 0

QS2: Quantum security


0 1 0 1 0 1 0 1 1 1 0 1 1 0

0 1 0 1 0 1 0 1 1 1 0 1 1 0

0 1 0 1 0 1 0 1 1 1 0 1 1 0

0 1 0 1 0 1 0 1 1 1 0 1 1 0

For practical applications we care about QS1


NIST Competition


“We see our role as managing a process of achieving community consensus in a transparent and timely manner” NIST’s Dustin Moody 2018

Status of the competition

• Nov 2017: 82 submissions collected

• Dec 2017: 69 “complete & proper” proposals published• -> Starts round 1 (of 2 or 3 rounds)

• 6 proposals with involvement from Eindhoven

• Jan 2019: 26 proposals selected for 2nd round. • 17 KEM, 9 Signature

• TU/e: 4 KEM, 2 Signature in 2nd round!

• 2022 – 2024 Draft standards exist


Implementation security


Side-channel attacks

• Implementations leak information:• Timing

• Power-consumption

• EM-radiation

• ...

• Implementations have to ensure that leak non-critical

• New mathematical problems = new basic operations


Gaussian sampling


Resources

• PQ Summer School: http://www.pqcschool.org/

• NIST PQC Standardization Project: https://csrc.nist.gov/Projects/Post-Quantum-Cryptography


http://www.pqcschool.org/

https://csrc.nist.gov/Projects/Post-Quantum-Cryptography

Thank you!

Questions?


post-quantum cryptography...post-quantum cryptography 1/22/2020 andreas hülsing 20. how to build...

Documents