TRANSITIONING TO A QUANTUM-RESISTANT PUBLIC KEY INFRASTRUCTURE
Nina Bindel
Udyani Herath
Matthew McKague
Douglas Stebila
PQCrypto 2017
Utrecht, The Netherlands
06/26/2017
Timeline (chart; recoverable points):
• Today (2017) to a universal quantum computer in 2035 (Quantum Manifesto): 18 years. Best: start the transition now.
• Chance of breaking RSA-2048: 1/7 by 2026, 1/2 by 2031 (Michele Mosca, Nov 2015).
• 2002 to Jan 2017, when MS started to stop support of SHA-1: 15 years.
• Other timeline labels: Start PQ project, Nov. 2017, 2016, ?
BIT-HARDNESS ESTIMATIONS WITH LWE-ESTIMATOR [APS15]
Plot (x-axis: Jan 2015 to Jun 2017; y-axis: log hardness, 0 to 80): the estimated hardness of one fixed instance falls from 71 bits through 62, 61, 60 and 58 to 48 bits, a difference of ~20 bits in 2.5 years.
LWE instance: Regev(128), n = 128, q = 16411, σ = 29.6
CURRENT SITUATION
• Quantum threat against RSA and discrete log
• Unstable hardness estimations of "PQ assumptions"
HYBRID SIGNATURE SCHEMES
Given: Σ1 and Σ2. Construct: ΣC such that ΣC is secure if Σ1 or Σ2 is secure.
• What does "secure" mean?
• How to construct ΣC?
• Can we use hybrids in current protocols and standards?
Example:
• Σ1 PQ scheme and Σ2 classical scheme
• 2 PQ schemes based on different assumptions
SECURITY DEFINITION
Intuition:
• eUF-CMA with 2-stage adversary A = (A1, A2)
• A1, A2 have different access to a quantum computer
• A1 has classical/quantum access to the sign oracle
EXPT_Σ^{eUF-CMA}(A):
  (sk, vk) ← Σ.KeyGen()
  qs ← 0
  (m1, σ1), …, (m_{qs+1}, σ_{qs+1}) ← A^{O_S}(vk)    (O_S: on each query qs ← qs + 1, answer with Σ.Sign(sk, ·))
  If Σ.Verify(vk, m_i, σ_i) = 1 for all i: Return 1
  Else: Return 0
EXPT_Σ^{eUF-CMA}(A1, A2):
  (sk, vk) ← Σ.KeyGen()
  qs ← 0
  st ← A1^{O_S}(vk)    (O_S: on each query qs ← qs + 1, answer with Σ.Sign(sk, ·))
  (m1, σ1), …, (m_{qs+1}, σ_{qs+1}) ← A2(st)
  If Σ.Verify(vk, m_i, σ_i) = 1 for all i: Return 1
  Else: Return 0
(Figure icons "010…1" / "?" mark whether A1, the oracle access and A2 are classical or quantum.)
ADVERSARY MODEL
Notation XyZ (read from the labels): X = power of A1, y = type of access to O_S, Z = power of A2; C/c classical, Q/q quantum.
• CcC - Fully classical (eUF-CMA): A1 classical; access to O_S classical; A2 classical
• CcQ - Future quantum: A1 classical; access to O_S classical; A2 quantum
• QcQ - Quantum adversary: A1 quantum; access to O_S classical; A2 quantum
• QqQ - Fully quantum (also in [BZ13]): A1 quantum; access to O_S quantum; A2 quantum
THEOREM (figure relating CcC, CcQ, QcQ, QqQ)
EXAMPLES OF HYBRID SIGNATURES
Given Σ1 XyZ-secure and Σ2 UvW-secure; the hybrid signature is σ = (σ1, σ2).

Combiner       σ = (σ1, σ2)                                Unforgeability
C_||           σ1 ← Sign1(m);  σ2 ← Sign2(m)               max{XyZ, UvW}
C_nest         σ1 ← Sign1(m);  σ2 ← Sign2(m, σ1)           max{XyZ, UvW}
C_dual-nest    σ1 ← Sign1(m1); σ2 ← Sign2(m1, σ1, m2)      XyZ w.r.t. m1, UvW
APPLICABLE TO CURRENT PKI?
(1) How can hybrid combiners be used in current standards?
(2) What about backwards-compatibility?
(3) Do large key and signature sizes raise problems?
• Certificates: X.509v3
• Secure channels: TLS
• Secure email: S/MIME
HYBRID SIGNATURE IN S/MIME EMAIL
Idea:
• Use concatenation combiner
• S/MIME data structures allow multiple parallel signatures
• Disadvantage: verification of all signatures; backwards-compatibility?
2nd idea:
• Use nested combiner
• Use optional attributes
HYBRID SIGNATURES IN X.509V3 CERT
(sk_CA^PQ, vk_CA^PQ, sk_CA^RSA, vk_CA^RSA) ← KeyGen_dual-nest
(sk_Sub^PQ, vk_Sub^PQ, sk_Sub^RSA, vk_Sub^RSA) ← KeyGen_dual-nest

Certificate c1 (PQ):
  tbsCertificate m1: CA, subject, vk_Sub^PQ
  c1 = Sign_PQ(sk_CA^PQ, (m1, vk_Sub^PQ))

Certificate c2 (RSA):
  tbsCertificate m2: CA, subject, vk_Sub^RSA
  Extensions: ext. id. = non-critical (carries c1 and m1)
  c2 = Sign_RSA(sk_CA^RSA, (m2, vk_Sub^RSA, c1, m1))

Idea:
• Use dual nested combiner
• PQ cert = extension of RSA cert
• Hybrid software recognizes and processes PQ cert and RSA cert
• Older software ignores non-critical ext.
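The dual-nested combiner from the combiner table and its X.509 use on this slide, as an added example that is not the authors' code: Ed25519 stands in for the PQ scheme Σ1 and ECDSA P-256 for the RSA scheme Σ2 (assumptions, since Go's standard library has no PQ scheme), and the length-prefixed encode helper is an assumed way of serialising (m1, σ1, m2) unambiguously. VerifySigma2 models older software that checks only the outer classical signature; VerifyDualNest models hybrid-aware software.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
)

// encode length-prefixes each field so (m1, sigma1, m2) has exactly one parse (assumed encoding).
func encode(parts ...[]byte) []byte {
	var out []byte
	for _, p := range parts {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(p)))
		out = append(append(out, n[:]...), p...)
	}
	return out
}

// KeyGen: Sigma_1 = Ed25519 and Sigma_2 = ECDSA P-256 stand in for the PQ and RSA schemes.
func KeyGen() (ed25519.PublicKey, ed25519.PrivateKey, *ecdsa.PrivateKey, error) {
	vk1, sk1, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	sk2, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return vk1, sk1, sk2, err
}

// SignDualNest: sigma1 <- Sign1(m1); sigma2 <- Sign2(m1, sigma1, m2), as in C_dual-nest.
func SignDualNest(sk1 ed25519.PrivateKey, sk2 *ecdsa.PrivateKey, m1, m2 []byte) ([]byte, []byte, error) {
	sigma1 := ed25519.Sign(sk1, m1)
	h := sha256.Sum256(encode(m1, sigma1, m2))
	sigma2, err := ecdsa.SignASN1(rand.Reader, sk2, h[:])
	return sigma1, sigma2, err
}

// VerifySigma2 is the Sigma_2-only (legacy) check: sigma2 covers the whole bundle, so m1 and sigma1 are bound too.
func VerifySigma2(vk2 *ecdsa.PublicKey, m1, sigma1, m2, sigma2 []byte) bool {
	h := sha256.Sum256(encode(m1, sigma1, m2))
	return ecdsa.VerifyASN1(vk2, h[:], sigma2)
}

// VerifyDualNest is the hybrid-aware check: both component signatures must hold.
func VerifyDualNest(vk1 ed25519.PublicKey, vk2 *ecdsa.PublicKey, m1, m2, sigma1, sigma2 []byte) bool {
	return ed25519.Verify(vk1, m1, sigma1) && VerifySigma2(vk2, m1, sigma1, m2, sigma2)
}
```

Changing m2 breaks only σ2, while changing m1 breaks both σ1 and σ2, which is the "XyZ w.r.t. m1, UvW" guarantee of the table.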
COMPATIBILITY OF HYBRID X.509V3 CERTS
Table: Application × Extension size [KB] (1.5, 3.5, 9.0, 43.0, 1333.0); the per-cell results are not recoverable from the transcript.
Libraries: GnuTLS, Java SE, mbedTLS, NSS, OpenSSL
Web browsers: Apple Safari, Google Chrome, MS Edge, MS IE, Mozilla Firefox, Opera
SUMMARY
• Security experiment with 2-stage adversary
• Adversary model with respect to quantum power
• Construction of hybrid signature schemes
• Compatibility with current PKI:
  • Nested single message in S/MIME
  • Nested dual message in X.509 cert in applications
• Left out: non-separability
THANKS