Practical post-quantum cryptography from the LWE problem
Patrick Longa, ChinaCrypt 2017
https://www.microsoft.com/en-us/research/people/plonga/

Quantum computing

• Modeling of nature
• Computational optimization
• Database search
• Machine learning
• Breaking of cryptographic schemes

ChinaCrypt 2017 Patrick Longa – Practical post-quantum cryptography from the LWE problem 1

Cryptography in use today

Public-key cryptography (security rests on factoring and on (elliptic curve) discrete logs):
• RSA encryption and signatures
• (EC)DSA signatures
• (EC)DH key exchange
→ Efficiently solved by a large-scale quantum computer (total break using Shor’s algorithm)

Symmetric-key cryptography:
• AES
• SHA-2/SHA-3
→ Only a square-root speedup on a large-scale quantum computer (using Grover’s algorithm)

Cryptography in use today

Primitive     Key length   Classical bit-security   Quantum bit-security
Symmetric-key cryptography
  AES-128     128 bits     128                      64 (Grover)
  AES-256     256 bits     256                      128 (Grover)
Public-key cryptography
  RSA-2048    2048 bits    112                      ~0 (Shor)
  RSA-3072    3072 bits    128                      ~0 (Shor)
  ECC256      256 bits     128                      ~0 (Shor)
  ECC384      384 bits     192                      ~0 (Shor)

When will a large-scale, fault-tolerant quantum computer be built?

I estimate a “1/6 chance of breaking RSA-2048 within 10 years”.
Michele Mosca, September 2017, ETSI/IQC Workshop on Quantum-Safe Cryptography 2017

“Recent improvements in control of quantum systems make it seem feasible to finally build a quantum computer within a decade.”
Bela Bauer et al., October 2015 – August 2016, arXiv:1510.03859v2

“Quantum supremacy” might be close?

What do we need to protect now?

Assuming that a large-scale, fault-tolerant quantum computer has not been developed yet, but might be soon (say, in 10 years):
• An attacker records encrypted data today… and uses a quantum computer to access the secret data 10 years from now.
• Integrity of authentication only matters at the time of connection → keep using classical digital signature schemes for now.

Need quantum-resistant key agreement and encryption for long-term security.

How to protect us?

Post-quantum cryptography (a.k.a. quantum-safe cryptography):
• Runs on classical computers
• Algorithms are conjectured to be secure against future quantum computer attacks

Quantum cryptography:
• Exploits quantum mechanics
• Requires special hardware and is much more expensive
• E.g., quantum key distribution (QKD)

It is possible to combine both cryptographic tool sets.

Recent PQC effort

• April 2015: NIST held a “Workshop on Cybersecurity in a Post-Quantum World”, reaching out to academia and industry to discuss potential future standardization of PQC

• August 2015: NSA announced plans to “transition to quantum resistant algorithms in the not so distant future”

• February 2016: NIST published a “Report on Post-Quantum Cryptography”, outlining NIST’s plan to “initiate a standardization effort in post-quantum cryptography”

http://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.8105.pdf


NIST’s PQC standardization project

• December 2016: call for proposals

https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/call-for-proposals-final-dec-2016.pdf

• November 30, 2017: deadline for submissions

• April 12-13, 2018: first PQC Standardization Conference (Fort Lauderdale, US)

• 3-5 years (2020-2022): analysis phase, NIST will report findings (1-2 workshops during this phase):

“The goal of this process is to select a number of acceptable candidate cryptosystems for standardization.”

(This includes: digital signatures, encryption and key encapsulation).

• 2 years later (2022-2024): Draft Standards ready


Post-quantum candidates (this talk: lattice-based)

• Code-based: McEliece
• Lattice-based: NTRU, LWE-based
• Hash-based: Merkle’s hash-tree signatures
• Multivariate: HFEv- signature scheme
• Isogeny-based: SIDH

Lattices

A lattice is the set of integer linear combinations
$\mathcal{L} = \{\, a_1\mathbf{b}_1 + \cdots + a_n\mathbf{b}_n \mid a_i \in \mathbb{Z} \,\}$
of linearly independent vectors $\mathbf{B} = \{\mathbf{b}_1, \ldots, \mathbf{b}_n\}$ in $\mathbb{Z}^n$.

• $\mathbf{B}$ is a basis of the lattice
• In crypto, $\mathbf{B} = \{\mathbf{b}_1, \ldots, \mathbf{b}_n\} \subseteq \mathbb{Z}_q^n$ for some integer $q$
• The smallest Euclidean distance between two lattice vectors (i.e., the length of a shortest nonzero vector) is $\lambda_1(\mathcal{L}) := \min_{\mathbf{v} \in \mathcal{L}\setminus\{\mathbf{0}\}} \|\mathbf{v}\|$
• In this talk, we represent lattices as in the picture: [Figure: a two-dimensional lattice drawn from its basis vectors $\mathbf{b}_1$, $\mathbf{b}_2$, the lattice point $\mathbf{b}_1 + \mathbf{b}_2$ and the origin $\mathbf{o}$]

Hard lattice problems

Assume a basis $\mathbf{B}$ of an $n$-dimensional lattice $\mathcal{L} = \mathcal{L}(\mathbf{B})$.

• The shortest vector problem (SVP): find $\mathbf{v} \in \mathcal{L}\setminus\{\mathbf{0}\}$ for which $\|\mathbf{v}\| = \lambda_1(\mathcal{L})$
• The approximate shortest vector problem ($\mathrm{SVP}_\gamma$): find $\mathbf{v} \in \mathcal{L}\setminus\{\mathbf{0}\}$ for which $\|\mathbf{v}\| \le \gamma(n)\cdot\lambda_1(\mathcal{L})$
• The decisional approximate shortest vector problem ($\mathrm{GapSVP}_\gamma$): determine whether $\lambda_1(\mathcal{L}) \le 1$ or $\lambda_1(\mathcal{L}) > \gamma(n)$
• The approximate shortest independent vectors problem ($\mathrm{SIVP}_\gamma$): find $n$ linearly independent lattice vectors $\{\mathbf{v}_i\}$ for which $\|\mathbf{v}_i\| \le \gamma(n)\cdot\lambda_n(\mathcal{L})$ for all $i$
• The bounded distance decoding problem ($\mathrm{BDD}_\gamma$): given a target point $\mathbf{t} \in \mathbb{R}^n$ for which $\mathrm{dist}(\mathbf{t}, \mathcal{L}) < d = \lambda_1(\mathcal{L})/(2\gamma(n))$, find the unique lattice vector $\mathbf{v}$ such that $\|\mathbf{t} - \mathbf{v}\| < d$

For $\gamma = \mathrm{poly}(n)$, the best known algorithms need either $2^{\Omega(n\log n)}$ time, or $2^{\Omega(n)}$ time and space.

Another hard problem: LWE (Regev’05)

Parameters: dimension $n$, integer $m$ (number of samples), modulus $q$ and error distributions $\chi_s$, $\chi_e$.

Setup: sample $\mathbf{s} \xleftarrow{\$} \chi_s^{n}$, $\mathbf{e} \xleftarrow{\$} \chi_e^{m}$, $\mathbf{A} \xleftarrow{\$} U(\mathbb{Z}_q^{m\times n})$, and set $\mathbf{b} = \mathbf{A}\mathbf{s} + \mathbf{e} \in \mathbb{Z}_q^{m}$.

[Figure: $\mathbf{A}$ (random) $\times$ $\mathbf{s}$ (random, small) $+$ $\mathbf{e}$ (small) $=$ $\mathbf{b}$ (looks random)]

• Search LWE problem: given $(\mathbf{A}, \mathbf{b})$, find $\mathbf{s}$.
• Decision LWE problem: distinguish $(\mathbf{A}, \mathbf{b} = \mathbf{A}\mathbf{s} + \mathbf{e})$ from $(\mathbf{A}, \mathbf{b})$ with $\mathbf{b} \xleftarrow{\$} U(\mathbb{Z}_q^{m})$, i.e., given $\mathbf{A}$, tell an LWE sample from a uniform one.

Small secrets: one can use $\chi_s = \chi_e$ [ACPS’09].

Error sampling

• Typically uses a discrete Gaussian distribution of width $s$
• The continuous Gaussian distribution $D_s$ has probability density
  $f(\mathbf{x}) = \rho_s(\mathbf{x}) \big/ \int_{\mathbb{R}^n} \rho_s(\mathbf{z})\,d\mathbf{z} = \rho_s(\mathbf{x})/s^n$
  for the Gaussian function $\rho_s(\mathbf{x}) = \exp(-\pi\|\mathbf{x}\|^2/s^2)$.
• The discrete Gaussian distribution $D_{\mathcal{L},s}$ over $\mathcal{L}$ is defined as
  $D_{\mathcal{L},s}(\mathbf{x}) = \rho_s(\mathbf{x})/\rho_s(\mathcal{L})$ if $\mathbf{x} \in \mathcal{L}$, and $D_{\mathcal{L},s}(\mathbf{x}) = 0$ otherwise,
  where $\rho_s(\mathcal{L}) = \sum_{\mathbf{v}\in\mathcal{L}} \rho_s(\mathbf{v})$ is a normalization factor.
• Analysis of Rényi divergence yields efficient and simple distributions (approximations that replace the exact discrete Gaussian in implementations)

Width $s$: the error must stay small compared to $q$ (error $\ll q$) yet large enough relative to $n$ for the hardness reductions to apply; the error rate is $\alpha = s/q$.

An efficient LWE instantiation: Frodo
(Bos–Costello–Ducas–Mironov–Naehrig–Nikolaenko–Raghunathan–Stebila, 2016)

• Basic unauthenticated LWE key agreement
• Based on the Lindner–Peikert LWE PKE scheme (2010) and Ding et al.’s DH-like protocol (2012)
• $\chi$: approximation to a rounded Gaussian
• Sampling is simple and can be done in constant time, e.g., using inversion sampling:
  – Table $T_\chi$ stores $(s + 1)$ integers derived from the discrete cumulative distribution function
  – Given a random value $r$, determine the smallest index $i$ such that $r \le T_\chi[i]$
  – Output $(-1)^b\, i$ for a random bit $b$
• Two post-quantum parameter sets: “recommended” and “paranoid”

[Figure: the exchanged matrices have $752 \times 8$ (recommended) and $864 \times 8$ (paranoid) entries in $\mathbb{Z}_{2^{15}}$]

                        Recommended Frodo                  Paranoid Frodo
Matrix dimensions       $752 \times 8$ over $\mathbb{Z}_{2^{15}}$   $864 \times 8$ over $\mathbb{Z}_{2^{15}}$
$T_\chi$                6 elements                         7 elements
Error probability       $2^{-38.9}$                        $2^{-33.8}$
Classical security      144-bit                            177-bit
Quantum security        130-bit                            161-bit
Communication           ~11 KB each way                    ~13 KB each way

Is it possible to improve communication bandwidth?

Another hard problem: R-LWE (Lyubashevsky–Peikert–Regev, 2010)

Is it possible to improve communication bandwidth?

• Use lattices with a ring structure: representation using polynomials in a ring $R_q$
• Efficient instantiation:
  – dimension $n = 2^k$, for some integer $k$
  – prime $q \equiv 1 \pmod{2n}$
  – quotient ring $R_q = R/qR \cong \mathbb{Z}_q[x]/(x^n + 1)$
  – error distribution $\chi$
• Basically, replace the matrix $\mathbf{A}$ by a single ring element $a$: the matrix’s rows are anti-cyclic rotations of $a$, so only $n$ elements are needed instead of $n^2$

Parameters: dimension $n$, modulus $q$, ring $R_q$ and error distribution $\chi$.

Setup: secret $s \in R_q$, sample $e \xleftarrow{\$} \chi$, $a \xleftarrow{\$} U(R_q)$, and set $b = a \cdot s + e \in R_q$.

[Figure: $a$ (random) $\times$ $s$ (random, small) $+$ $e$ (small) $=$ $b$ (looks random)]

• Search R-LWE problem: given $(a, b)$, find $s$.
• Decision R-LWE problem: distinguish $(a, b = a \cdot s + e)$ from $(a, b)$ with $b \xleftarrow{\$} U(R_q)$, i.e., given $a$, tell an R-LWE sample from a uniform one.

An efficient R-LWE instantiation: NewHope (Alkim–Ducas–Pöppelmann–Schwabe, 2016)

• Unauthenticated R-LWE key agreement
• Improves upon a passively secure KEM instantiation by Bos et al. (2015)
• Improved analysis of the error probability → refined parameters
• Reduces communication bandwidth, improves speed
• Uses a simple centered binomial distribution $\psi_k$: sample by computing $\sum_{i=0}^{k-1} (b_i - b_i')$ for uniform independent bits $b_i, b_i'$
• Error probability ≈ $2^{-60}$
• Parameters: $n = 1024$, $q = 12289$
• Estimated 281-bit classical security, 255-bit quantum security
• Communication: ~2 KB each way
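As an added example (not code from the talk, from NewHope or from the LPR’10 paper), the following Python makes the two structural points of the last few slides concrete: why one ring element can stand in for an entire matrix, and how NewHope’s centered binomial sampler works. The toy values n = 8 and q = 17 are assumptions chosen so the arithmetic can be checked by hand and give no security; the bandwidth figures at the end use the slides’ own parameters (752 × 8 and 864 × 8 matrices over Z_{2^15}, and n = 1024, q = 12289).

```python
"""R-LWE structure and NewHope-style error sampling.

Added example; not code from the talk, from NewHope or from LPR'10.
Toy parameters (n = 8, q = 17) are assumptions chosen for hand checking.
"""
import math
import secrets


def poly_mul_negacyclic(a, b, q):
    """a * b in R_q = Z_q[x]/(x^n + 1). Because x^n = -1, a product term
    landing at degree k >= n folds back to degree k - n with its sign flipped."""
    n = len(a)
    out = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < n:
                out[i + j] += ai * bj
            else:
                out[i + j - n] -= ai * bj
    return [c % q for c in out]


def anticyclic_matrix(a, q):
    """The n x n matrix whose row i holds the coefficients of a * x^i.
    Each row is the previous one rotated right by one position with the
    wrapped coefficient negated: the slide's 'anti-cyclic rotations'.
    The whole matrix is determined by its first row, i.e. by a itself."""
    rows = [list(a)]
    for _ in range(1, len(a)):
        prev = rows[-1]
        rows.append([(-prev[-1]) % q] + prev[:-1])
    return rows


def vec_times_matrix(s, M, q):
    """Row vector s times matrix M over Z_q (the slide's s'A shape)."""
    n = len(M)
    return [sum(s[i] * M[i][j] for i in range(n)) % q for j in range(len(M[0]))]


def ring_equals_matrix(a, s, q):
    """Check: s (as a row vector) times the anti-cyclic matrix of a equals the
    coefficient vector of a * s in R_q. This is why an R-LWE public value
    needs n coefficients where plain LWE needs an n x n matrix."""
    return vec_times_matrix(s, anticyclic_matrix(a, q), q) == poly_mul_negacyclic(a, s, q)


def centered_binomial(k):
    """NewHope's psi_k: sum of k differences of independent uniform bits.
    Output lies in [-k, k], mean 0, variance k/2 (k = 16 in NewHope)."""
    return sum(secrets.randbits(1) - secrets.randbits(1) for _ in range(k))


def rlwe_instance(n, q, k):
    """One R-LWE sample (a, b = a*s + e) with s, e drawn from psi_k.
    Returns a, s, e, b; in the decision problem the adversary must tell
    b apart from a uniform element of R_q."""
    a = [secrets.randbelow(q) for _ in range(n)]
    s = [centered_binomial(k) % q for _ in range(n)]
    e = [centered_binomial(k) % q for _ in range(n)]
    b = [(x + y) % q for x, y in zip(poly_mul_negacyclic(a, s, q), e)]
    return a, s, e, b


def public_value_bytes(n, columns, q):
    """Bytes needed to send n*columns elements of Z_q packed at
    ceil(log2 q) bits each: the slides' 'communication each way' figures
    (plain LWE: n x columns matrix; R-LWE: one ring element, columns = 1)."""
    return math.ceil(n * columns * (q - 1).bit_length() / 8)


if __name__ == "__main__":
    a, s, e, b = rlwe_instance(8, 17, 2)
    print("a * s == s^T * AntiCyc(a):", ring_equals_matrix(a, s, 17))
    print("Frodo-like 752 x 8 over Z_2^15:", public_value_bytes(752, 8, 2 ** 15), "bytes")
    print("NewHope-like n = 1024, q = 12289:", public_value_bytes(1024, 1, 12289), "bytes")
```

`public_value_bytes` reproduces the orders of magnitude on the slides: 752 × 8 fifteen-bit entries are 11280 bytes (~11 KB), 864 × 8 are 12960 bytes (~13 KB), while one NewHope ring element of 1024 fourteen-bit coefficients is 1792 bytes, the bulk of the ~2 KB quoted. The saving is exactly the n-versus-n² effect that `ring_equals_matrix` verifies.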

Page 52: Practical post-quantum key exchange from the Learning with ......ChinaCrypt 2017 Patrick Longa –Practical post-quantum cryptography from the LWE problem 8 . Recent PQC effort •April

LWE versus R-LWE

• LWE relies on hardness of a problem on generic lattices

• R-LWE relies on hardness of a problem on ideal lattices

ChinaCrypt 2017 Patrick Longa – Practical post-quantum cryptography from the LWE problem 23

Page 53: Practical post-quantum key exchange from the Learning with ......ChinaCrypt 2017 Patrick Longa –Practical post-quantum cryptography from the LWE problem 8 . Recent PQC effort •April

LWE versus R-LWE

• LWE relies on hardness of a problem on generic lattices

• R-LWE relies on hardness of a problem on ideal lattices

• Generic lattices make LWE bigger and slower

• But ideal lattices inject additional structure…

Does this provide any advantage to attackers?

ChinaCrypt 2017 Patrick Longa – Practical post-quantum cryptography from the LWE problem 23

Page 54: Practical post-quantum key exchange from the Learning with ......ChinaCrypt 2017 Patrick Longa –Practical post-quantum cryptography from the LWE problem 8 . Recent PQC effort •April

LWE versus R-LWE

• LWE relies on hardness of a problem on generic lattices

• R-LWE relies on hardness of a problem on ideal lattices

• Generic lattices make LWE bigger and slower

• But ideal lattices inject additional structure…

Does this provide any advantage to attackers?

Short answer: no, so far

Long answer: there is a constant factor improvement in some R-LWE instances.

LWE remains a conservative option that offers greater security guarantees against potential future attacks.


(Unauthenticated) LWE key agreement

Public: 𝐀 ∈ ℤ_q^{n×n}

Alice's secret: random "small" 𝐬, 𝐞 ←$ 𝒳ⁿ
Bob's secret: random "small" 𝐬′, 𝐞′ ←$ 𝒳ⁿ

Alice sends 𝐛 = 𝐀𝐬 + 𝐞
Bob sends 𝐛′ = 𝐬′𝐀 + 𝐞′

Alice's shared key: 𝐛′𝐬 = 𝐬′𝐀𝐬 + 𝐞′𝐬 ≈ 𝐬′𝐀𝐬
Bob's shared key: 𝐬′𝐛 = 𝐬′𝐀𝐬 + 𝐬′𝐞 ≈ 𝐬′𝐀𝐬

• Need rounding to achieve exact agreement
• Can use the reconciliation technique by Ding et al. (2012), with improvements by Peikert (2014)
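The two-message exchange on this slide, worked through as an added Python example (this is not code from the talk; the parameters and the distribution 𝒳 are my own toy choices): n = 64, q = 12289, secrets and errors uniform on [−2, 2], and Python's random module seeded for reproducibility in place of a real CSPRNG. It computes both sides' approximate values, checks the algebra on the slide exactly, and reports whether naive rounding to one key bit agrees; that rounding fails precisely when Bob's value lies closer to a rounding boundary (q/4 or 3q/4) than the noise term 𝐞′𝐬 − 𝐬′𝐞 moves it, which is why the slide calls for a reconciliation step.

```python
import random

# Toy parameters for this added example (not a real parameter set): n = 64 gives no
# security; q = 12289 is the NewHope modulus from the slides.  The "small" distribution
# chi is constructed here as uniform on [-ETA, ETA].
Q, N, ETA = 12289, 64, 2
NOISE_BOUND = 2 * N * ETA * ETA   # |e'.s - s'.e| <= n*eta^2 + n*eta^2


def dot(x, y):
    return sum(a * b for a, b in zip(x, y))


def centered(v):
    """Representative of v mod q in (-q/2, q/2]."""
    v %= Q
    return v if v <= Q // 2 else v - Q


def key_bit(v):
    """Naive rounding to one key bit: round(2v/q) mod 2, i.e. 1 iff v is nearer q/2 than 0."""
    return round(2 * (v % Q) / Q) % 2


def key_agreement(seed):
    rng = random.Random(seed)   # seeded only so the demo is reproducible; real parties use a CSPRNG
    small = lambda: [rng.randint(-ETA, ETA) for _ in range(N)]
    a = [[rng.randrange(Q) for _ in range(N)] for _ in range(N)]   # public A in Z_q^{n x n}
    s, e = small(), small()       # Alice: s, e <-$ chi^n
    s2, e2 = small(), small()     # Bob:   s', e' <-$ chi^n
    b = [(dot(a[i], s) + e[i]) % Q for i in range(N)]                    # Alice -> Bob: b = A s + e
    s2a = [dot(s2, [a[i][j] for i in range(N)]) for j in range(N)]        # row vector s' A
    b2 = [(s2a[j] + e2[j]) % Q for j in range(N)]                         # Bob -> Alice: b' = s' A + e'
    v_alice = dot(b2, s) % Q      # b' s = s' A s + e' s
    v_bob = dot(s2, b) % Q        # s' b = s' A s + s' e
    core = dot(s2a, s) % Q        # s' A s: the exact value both sides only approximate
    diff = centered(v_alice - v_bob)                                       # = e' s - s' e
    # Naive rounding disagrees only if a boundary (q/4 or 3q/4) lies between the two values,
    # i.e. only if Bob's value is closer to a boundary than |diff|.
    dist = min(abs(v_bob - Q / 4), abs(v_bob - 3 * Q / 4))
    return {"v_alice": v_alice, "v_bob": v_bob, "core": core,
            "noise_alice": dot(e2, s), "noise_bob": dot(s2, e), "diff": diff,
            "bits_agree": key_bit(v_alice) == key_bit(v_bob), "dist_to_boundary": dist}


if __name__ == "__main__":
    r = key_agreement(seed=2017)
    print(f"Alice: {r['v_alice']}  Bob: {r['v_bob']}  s'As: {r['core']}  diff: {r['diff']}")
    print("one-bit keys agree:", r["bits_agree"])
```

With these toy parameters the noise never exceeds 512, so the two values always land within 512 of each other modulo q; a disagreement of the rounded bit is rare but possible, and nothing in the protocol as drawn on the slide lets either side detect it, which is the gap reconciliation (or the encode-and-send approach of the next slide) closes.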


(Unauthenticated) LWE key agreement

• But it is possible to avoid reconciliation
  • Relatively small penalty: for example, NewHope-Simple pays a 6.25% increase in ciphertext size
• NewHope/Frodo: generate a fresh matrix 𝐀 each time
  • Alice can use a random seed as input to a XOF like SHAKE
  • Send the seed to Bob
  • Safeguards against backdoors and "all-for-the-price-of-one" attacks
• Crucial disadvantage: only secure against passive attackers
  • NewHope/Frodo are IND-CPA secure, not IND-CCA secure
  • Both are ephemeral key exchange schemes: keys must not be reused

Derive a key encapsulation mechanism (KEM) using an IND-CPA to IND-CCA transformation

LWE key encapsulation

• Begin with an IND-CPA PKE
  • Can use a variant of the Lindner–Peikert PKE scheme
• Transform it into an IND-CCA KEM using a variant of the Fujisaki–Okamoto (FO) transform
  • The original FO transform turns an IND-CPA PKE into an IND-CCA PKE
  • The variant by Targhi–Unruh achieves security in the QROM
  • Hofheinz–Hövelmanns–Kiltz (HHK) give an explicit variant IND-CPA PKE → IND-CCA KEM
  • The HHK transform is secure in both the classical and quantum ROM models

LWE KEM based on IND-CPA PKE

• An IND-CPA PKE consists of the tuple (KeyGen, CPA.Encrypt, CPA.Decrypt) and a message space M:
  (𝑝𝑘, 𝑠𝑘) ← KeyGen()
  𝑐𝑡 ← CPA.Encrypt(𝑝𝑘, 𝑚)
  𝑚 ← CPA.Decrypt(𝑠𝑘, 𝑐𝑡)

• An IND-CCA KEM consists of the tuple (KeyGen, Encaps, Decaps) and a key space K:
  (𝑝𝑘, 𝑠𝑘) ← KeyGen()
  (𝑠𝑠, 𝑐) ← Encaps(𝑝𝑘)
  𝑠𝑠 ← Decaps(𝑠𝑘, 𝑐)

LWE KEM based on IND-CPA PKE

[Figure on the slide: data-flow diagram of Encaps and Decaps, transcribed below. Legend: 𝑠𝑘: secret key, 𝑝𝑘: public key, 𝑠𝑠: shared key, 𝑐𝑡: ciphertext, 𝑚: message; the diagram also marks string concatenation and string splitting.]

Encaps:
• Pick a random message 𝑚
• Generate the key 𝑟 = 𝑓(𝑝𝑘, 𝑚) and encrypt 𝑚: (𝐾, 𝑟, 𝑑) ← Hash(𝑝𝑘, 𝑚), 𝑐𝑡 ← CPA.Encrypt(𝑝𝑘, 𝑚; 𝑟), 𝑐 = 𝑐𝑡 ‖ 𝑑
• Compute the shared key 𝑠𝑠 = 𝑔(𝑐𝑡, 𝑝𝑘, 𝑚), namely 𝑠𝑠 = Hash(𝐾, 𝑐)

Decaps:
• Split 𝑐 into (𝑐𝑡, 𝑑) and decrypt to recover 𝑚′ = CPA.Decrypt(𝑠𝑘, 𝑐𝑡)
• Reproduce the encryption: (𝐾′, 𝑟′, 𝑑′) ← Hash(𝑝𝑘, 𝑚′), 𝑐𝑡′ ← CPA.Encrypt(𝑝𝑘, 𝑚′; 𝑟′)
• Verify correctness: if (𝑐𝑡′, 𝑑′) = (𝑐𝑡, 𝑑) then 𝑠𝑠 = 𝐻(𝐾′, 𝑐) ("yes" branch), else 𝑠𝑠 = 𝐻(𝑧, 𝑐) ("no" branch, using the secret value 𝑧 from 𝑠𝑘)

LWE key encapsulation: à la Kyber

KeyGen
1. Random values 𝑧, 𝑠_𝐴, 𝑠_𝐸 ←$ 𝑈({0,1}^256)
2. Generate 𝐀 using seed 𝑠_𝐴
3. Sample 𝑠, 𝑒 using 𝑠_𝐸
4. Compress 𝑏 = 𝐀𝑠 + 𝑒

Public key: 𝑝𝑘 = (𝑠_𝐴, 𝑏)
Private key: 𝑠𝑘 = (𝑠, 𝑧, 𝑠_𝐴, 𝑏)

LWE key encapsulation: à la Kyber

Encaps
1. Message 𝑚 ←$ 𝑈({0,1}^256)
2. (𝐾, 𝑟, 𝑑) ← 𝐺(𝑝𝑘, 𝑚)
3. Generate 𝐀 using seed 𝑠_𝐴
4. Sample 𝑠′, 𝑒′, 𝑒′′ using seed 𝑟
5. Compress 𝑐_1 = 𝐀^𝑇 𝑠′ + 𝑒′   (encryption)
6. Compress 𝑐_2 = 𝑏^𝑇 𝑠′ + 𝑒′′ + Enc(𝑚)

Ciphertext: 𝑐 = (𝑐_1, 𝑐_2, 𝑑)
Shared key: 𝑠𝑠 = 𝐻(𝐾, 𝑐)

Decaps
1. Generate 𝐀 using seed 𝑠_𝐴
2. 𝑚′ = Compress(𝑐_2 − 𝑠^𝑇 𝑐_1)   (decryption)
3. (𝐾′, 𝑟′, 𝑑′) ← 𝐺(𝑝𝑘, 𝑚′)
4. Sample 𝑠′, 𝑒′, 𝑒′′ using seed 𝑟′
5. Compress 𝑐_1′ = 𝐀^𝑇 𝑠′ + 𝑒′   (re-encryption)
6. Compress 𝑐_2′ = 𝑏^𝑇 𝑠′ + 𝑒′′ + Enc(𝑚′)
7. If (𝑐_1′, 𝑐_2′, 𝑑′) = 𝑐 then 𝑠𝑠 = 𝐻(𝐾′, 𝑐), else 𝑠𝑠 = 𝐻(𝑧, 𝑐)

Public key: 𝑝𝑘 = (𝑠_𝐴, 𝑏)
Private key: 𝑠𝑘 = (𝑠, 𝑧, 𝑠_𝐴, 𝑏)

In Kyber:
• 𝐺, 𝐻 are instantiated with SHAKE-128
• Expansion of private and public seeds is done with cSHAKE-128
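The KEM listed above, together with the IND-CPA-to-IND-CCA transform described on the earlier slides, as an added worked example in Python. This is my own code, not the talk's and not Kyber's: it is a plain-LWE (not module) instance, and everything below the signature level is an assumption of the example. Toy parameters n = 64, q = 12289 and 128-bit messages (no security, chosen only to keep pure-Python matrix arithmetic fast); noise from a centered binomial distribution with η = 2; the public matrix 𝐀 derived from the seed 𝑠_𝐴 by rejection sampling SHAKE-128 output, as the "fresh 𝐀 from a seed" slide describes; 𝐺, 𝐻 and the seed expansion all built from hashlib.shake_128 with one-byte domain-separation tags standing in for cSHAKE; and the Compress steps omitted, so Decaps compares uncompressed ciphertexts. The decryption bound in the comments is exact for these parameters, so CPA decryption never fails here.

```python
import hashlib
import hmac
import os

# Toy parameters for this added example (NOT a real parameter set): n = 64 offers no
# security and only keeps the pure-Python matrix arithmetic fast; q = 12289 is the
# NewHope modulus from the slides; ELL = number of message bits carried per ciphertext.
N, Q, ELL, SEED = 64, 12289, 128, 32


def xof(tag: bytes, *parts: bytes, length: int) -> bytes:
    """SHAKE-128 with a one-byte domain-separation tag (stand-in for G, H and cSHAKE)."""
    return hashlib.shake_128(tag + b"".join(parts)).digest(length)


def expand_a(seed_a: bytes) -> list:
    """Public matrix A in Z_q^{n x n} from a seed: rejection-sample 14-bit XOF words below q."""
    buf = xof(b"A", seed_a, length=4 * N * N)
    cand = (int.from_bytes(buf[i:i + 2], "little") & 0x3FFF for i in range(0, len(buf), 2))
    vals = [v for v in cand if v < Q]
    assert len(vals) >= N * N          # acceptance rate is 0.75, so 2n^2 candidates always suffice
    return [vals[r * N:(r + 1) * N] for r in range(N)]


def sample_small(seed: bytes, nonce: int, rows: int, cols: int) -> list:
    """Centered binomial noise with eta = 2 (values in [-2, 2]), one XOF byte per coefficient."""
    buf = iter(xof(b"S", seed, bytes([nonce]), length=rows * cols))
    cbd = lambda x: (x & 1) + ((x >> 1) & 1) - ((x >> 2) & 1) - ((x >> 3) & 1)
    return [[cbd(next(buf)) for _ in range(cols)] for _ in range(rows)]


# Matrix helpers over Z_q (lists of rows); column vectors are n x 1, row vectors 1 x ELL.
def matmul(x, y): return [[sum(r[k] * y[k][j] for k in range(len(y))) % Q for j in range(len(y[0]))] for r in x]
def add(x, y): return [[(a + b) % Q for a, b in zip(r1, r2)] for r1, r2 in zip(x, y)]
def sub(x, y): return [[(a - b) % Q for a, b in zip(r1, r2)] for r1, r2 in zip(x, y)]
def transpose(x): return [list(c) for c in zip(*x)]
def pack(x): return b"".join(v.to_bytes(2, "little") for row in x for v in row)
def unpack(data, rows, cols):
    vals = [int.from_bytes(data[i:i + 2], "little") for i in range(0, 2 * rows * cols, 2)]
    return [vals[r * cols:(r + 1) * cols] for r in range(rows)]


def keygen(rng=os.urandom):
    z, seed_a, seed_e = rng(SEED), rng(SEED), rng(SEED)       # z, s_A, s_E <-$ U({0,1}^256)
    a = expand_a(seed_a)
    s, e = sample_small(seed_e, 0, N, 1), sample_small(seed_e, 1, N, 1)
    b = add(matmul(a, s), e)                                   # b = A s + e
    pk = seed_a + pack(b)                                      # pk = (s_A, b)
    return pk, (s, z, pk)                                      # sk = (s, z, s_A, b)


def cpa_encrypt(pk: bytes, m: bytes, r: bytes) -> bytes:
    """Lindner-Peikert style encryption of ELL bits, all randomness derived from seed r."""
    seed_a, b = pk[:SEED], unpack(pk[SEED:], N, 1)
    a = expand_a(seed_a)
    s2, e2 = sample_small(r, 0, N, ELL), sample_small(r, 1, N, ELL)   # s', e'
    e3 = sample_small(r, 2, 1, ELL)                                   # e''
    c1 = add(matmul(transpose(a), s2), e2)                            # c1 = A^T s' + e'
    enc = [[((m[i // 8] >> (i % 8)) & 1) * (Q // 2) for i in range(ELL)]]   # Enc(m): bit -> bit * q/2
    c2 = add(add(matmul(transpose(b), s2), e3), enc)                  # c2 = b^T s' + e'' + Enc(m)
    return pack(c1) + pack(c2)


def cpa_decrypt(s: list, ct: bytes) -> bytes:
    c1, c2 = unpack(ct[:2 * N * ELL], N, ELL), unpack(ct[2 * N * ELL:], 1, ELL)
    v = sub(c2, matmul(transpose(s), c1))[0]                          # = Enc(m) + e^T s' + e'' - s^T e'
    # The noise is at most 2*n*eta^2 + eta = 514 < q/4, so rounding to the nearer of {0, q/2} is exact.
    bits = [1 if abs(x if x <= Q // 2 else x - Q) > Q // 4 else 0 for x in v]
    return bytes(sum(bits[8 * i + j] << j for j in range(8)) for i in range(ELL // 8))


def encaps(pk: bytes, rng=os.urandom):
    m = rng(ELL // 8)                                                 # random message m
    k, r, d = (xof(b"G", pk, m, length=96)[i:i + 32] for i in (0, 32, 64))   # (K, r, d) <- G(pk, m)
    c = cpa_encrypt(pk, m, r) + d                                     # c = (c1, c2, d)
    return xof(b"H", k, c, length=32), c                              # ss = H(K, c)


def decaps(sk, c: bytes) -> bytes:
    s, z, pk = sk
    m2 = cpa_decrypt(s, c[:-32])                                      # m' from (c1, c2)
    k2, r2, d2 = (xof(b"G", pk, m2, length=96)[i:i + 32] for i in (0, 32, 64))
    c_re = cpa_encrypt(pk, m2, r2) + d2                               # re-encrypt m' with r'
    # Compare the whole ciphertext in constant time; on mismatch derive the key from the
    # secret z (implicit rejection) so a caller cannot learn from ss whether c was valid.
    # A production implementation also selects between K' and z without branching.
    key = k2 if hmac.compare_digest(c_re, c) else z
    return xof(b"H", key, c, length=32)


if __name__ == "__main__":
    pk, sk = keygen()
    ss, c = encaps(pk)
    print("shared secrets match:", decaps(sk, c) == ss)
    tampered = c[:-1] + bytes([c[-1] ^ 1])
    print("tampered ciphertext yields the same key:", decaps(sk, tampered) == ss)
```

The point of the re-encryption check is visible in decaps: a modified ciphertext never produces the original key, and because the rejection is implicit (the output is 𝐻(𝑧, 𝑐) rather than an error), the caller gets no signal it could use as a decryption oracle. The one thing this toy deliberately skips is the Compress step; with compression the check in step 7 must be made on the compressed values, exactly as the slide lists it.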

LWE key encapsulation: recent proposals

• Kyber (Bos–Ducas–Kiltz–Schwabe–Stehlé, 2017) https://eprint.iacr.org/2017/634.pdf
  • Based on the hardness of a problem in module lattices (M-LWE)
  • Increases the module dimension, which makes some recent lattice attacks inapplicable
• HILA5 (Saarinen, 2017) https://github.com/mjosaarinen/hila5
  • Based on the hardness of a problem in ring lattices (R-LWE)
  • Improved reconciliation technique based on Peikert's technique plus efficient error correction
• ThreeBears (Hamburg, 2017) https://www.shiftleft.org/papers/threebears
  • Based on the hardness of a problem in module lattices (M-LWE)
  • Replaces the polynomial ring with a pseudo-Mersenne prime field
  • Based on Kyber's design, and exploits the Melas BCH error-correcting technique


LWE key encapsulation: recent proposals

• FrodoKEM (Alkim–Bos–Ducas–Longa–Mironov–Naehrig–Nikolaenko–Peikert–Raghunathan–Stebila, 2017)
  • Conservative Frodo adapted to an IND-CCA KEM
  • Based on the hardness of a problem in generic lattices (LWE)
  • New improved parameters: supporting a reduction from a worst-case BDD variant
  • New improved implementation

Software and full details coming soon!


Performance of post-quantum KEMs

Primitive                 Quantum sec.    Problem      Speed         Comm.
Classical
  RSA 3072                ~0 bits         factoring    4.6 ms        0.8 KB
  ECDH NIST P-256         ~0 bits         EC dlog      1.4 ms        0.1 KB
Passively secure KEMs (IND-CPA)
  NewHope                 206 bits        R-LWE        0.06 ms       3.8 KB
  Frodo                   130 bits        LWE          1.4 ms        22 KB
IND-CCA secure KEMs
  NTRU-KEM                123 bits        NTRU         0.03 ms       1.3 KB
  Kyber                   161 bits        M-LWE        0.07 ms       1.2 KB
  FrodoKEM                103–150 bits    LWE          1.2–2.3 ms    9.5–15.4 KB
  SIDH                    84–125 bits     isogenies    10–30 ms      0.4–0.6 KB

(On the slide the Speed column is colour-coded from "very fast" to "slow" and the Comm. column from "very small" to "large".)


Summary

• Learning with Errors supports highly flexible and efficient cryptographic schemes that are conjectured to be quantum resistant

• While ring and module LWE offer great speed performance and reduced bandwidth, they introduce additional structure into the underlying lattices

• Frodo (FrodoKEM), based on generic lattices, offers a very conservative yet reasonably efficient PQ alternative

• More cryptanalysis is needed to fully understand security implications of many design decisions


References

• E. Alkim, L. Ducas, T. Pöppelmann, P. Schwabe. Post-quantum key exchange - a new hope. USENIX Security, 2015.

• J.W. Bos, C. Costello, L. Ducas, I. Mironov, M. Naehrig, V. Nikolaenko, A. Raghunathan, D. Stebila. Frodo: Take off the Ring! Practical, Quantum-Secure Key Exchange from LWE. ACM CCS 2016.

• J.W. Bos, C. Costello, M. Naehrig, D. Stebila. Post-Quantum Key Exchange for the TLS Protocol from the Ring Learning with Errors Problem. IEEE Symposium on Security and Privacy 2015.

• J.W. Bos, L. Ducas, E. Kiltz, T. Lepoint, V. Lyubashevsky, J.M. Schanck, P. Schwabe, D. Stehlé. CRYSTALS - Kyber: a CCA-secure module-lattice-based KEM. Cryptology ePrint Archive, Report 2017/634.

• J. Ding, X. Xie, X. Lin. A simple provably secure key exchange scheme based on the learning with errors problem. Cryptology ePrint Archive, Report 2012/688.

• R. Lindner, C. Peikert. Better key sizes (and attacks) for LWE-based encryption. CT-RSA 2011.

• V. Lyubashevsky, C. Peikert, O. Regev. On ideal lattices and learning with errors over rings. Eurocrypt 2010.

• C. Peikert. Lattice cryptography for the Internet. PQCrypto 2014.

• O. Regev. On lattices, learning with errors, random linear codes, and cryptography. STOC 2005.


https://www.microsoft.com/en-us/research/people/plonga/