The Quantum Menace: An Analysis of Postquantum TLS

Collin Berman, Reid Bixler ([email protected], [email protected])

Abstract

With the introduction of quantum computing, the inherent security of the TLS protocol becomes endangered. Risks of losing the privacy and integrity of communications over the internet are too great to not consider preventative measures against quantum attacks. We look at the current key exchange protocol for TLS to determine the flaws caused by quantum computers. Our research focuses on analysing current alternatives that are quantum secure as well as other cryptographic methods that have not yet been considered for a post-quantum TLS. We offer final recommendations on where the TLS community should go from now in order to mitigate the risk of the quantum menace.

1 Introduction

The primary goal of the TLS protocol is to provide privacy and data integrity between two communicating applications (Dierks and Rescorla, 2008). With TLS, clients and servers are able to communicate securely with one another with little to no risk of having a third party read or alter their messages. TLS is used widely across the internet and is essentially the de facto standard for secure communications, often even being implemented in applications where an alternative protocol may be more useful. In order of priority, the makers of TLS desire cryptographic security, interoperability, extensibility, and relative efficiency. The security behind TLS is based on a number of algorithms built on hashing, symmetric cryptography, prime factorization, elliptic curves, and other cryptographic methods.

Notably, there are essentially two portions of the TLS protocol that use these algorithms: key exchange and authentication. The key exchange allows the two users to initiate a channel of communication and securely talk with one another. The authentication allows users to prove that they are who they say they are. While TLS is considered secure by today's standards, there are some risks that most either do not realize or do not care about. That is the Quantum Menace. With the introduction of quantum computing, the inherent security of many widespread algorithms is at risk of being broken. Specifically for TLS, schemes such as ECDH, RSA, and DSA can be brute forced with much better efficiency by a quantum algorithm known as Shor's Algorithm. Luckily, quantum computers are still in their early stages, and some suggest that quantum computers will never be powerful enough to break our current level of cryptography. However, because we as security researchers would rather focus on proactive measures than reactive ones, we want to find alternatives before capable quantum computing exists.

Specifically, we are going to focus on finding solutions for key exchange rather than authentication, because a broken key exchange allows attackers to read past communications. In terms of the security of communication over the internet, focusing on privacy is more essential than data integrity. In this paper, we analyze a number of post-quantum secure TLS implementations as well as potential alternative cryptographic methods that have not yet been implemented in TLS. We finalize this analysis with a comparison between post-quantum TLS methods in order to determine where the security community should be heading.

2 Post Quantum Computing

Quantum computing has slowly been gaining traction since it was theorized in 1982 by Richard Feynman. It relies on quantum principles and the superposition of particles to perform computational operations significantly faster than classical computers (Feynman, 1982). There already exist quantum algorithms, which use quantum logic gates, to solve problems that were once thought computationally unsolvable. One of these algorithms, Shor's Algorithm, is able to easily determine the prime factors of a large number (i.e. integer factorization) within polynomial time (Shor, 1999). Before this algorithm, integer factorization was considered non-polynomial, also known as NP, such that given an NP problem, one could verify its solutions quickly but it could not be solved within a reasonable time, often taking longer than the expected lifespan of the universe to solve (Ladner, 1975). This is a major problem for the security of many of today's technologies which rely on the hardness of prime factorization.

While quantum computers are only in their infant stage, the potential security risks of encryption schemes broken by quantum algorithms would be unfathomable in today's world. If anybody were able to obtain a quantum computer capable of performing significant computations, breaking into many secure systems would be completely feasible. As mentioned earlier, TLS uses ECDH, RSA, and DSA for its key exchange protocol, to name a few. ECDH relies on elliptic curve cryptography, which requires little computing power to implement but massive amounts to break by brute force. However, a modified Shor's algorithm could notably decrease the computational requirement for such an attempt (Sullivan, 2013). With a working quantum computer capable of significant computation, any current and previous TLS communications could be viewed by attacking the key exchange protocol.

However, there still exist a number of cryptographic systems that are secure against quantum attacks. These include: hash-based cryptography, code-based cryptography, lattice-based cryptography, multivariate-quadratic-equations cryptography, and secret-key cryptography.

2.1 Hash-Based Cryptography

With hashing, when given an input x there will be an output y from which it should not be easy to go back and find x. Before the interest in post-quantum security, many researchers did not focus much on hash-based cryptography because of the limit on the number of signatures that can exist for a generated key, even with the existence of logarithmically scaling Merkle trees. Also, with hashing, we can turn one-time hash-based signatures into many by adding new public keys in each message, which is also known as chaining. By doing this, the signature of the nth message includes all n-1 previously signed messages. With Merkle trees, it is possible to have provable reductions showing that the security of the tree is the same as the security of the single-signing function. One of the potential drawbacks of hashing is the fact that, over time, researchers will eventually find ways to produce collisions, which map two different inputs to the same output. This is why the security community is always looking for a new and better hash function.

2.2 Code-Based Cryptography

The methods most often considered in code-based cryptography are McEliece and Niederreiter. With these, the public key is made up of a dt x n matrix K, and a message m is encrypted by multiplying this matrix K by m. The receiver holds a hidden Goppa code with which to decrypt this message. These cryptographic systems have extremely efficient encryption and decryption. However, the problem is often the very long public keys required.

2.3 Lattice-Based Cryptography

Lattices have gotten a lot of attention from the post-quantum community, and a majority of current quantum-secure systems are built on lattice cryptosystems. Lattices rely on the Shortest Vector Problem and the Closest Vector Problem, for which no polynomial-time algorithm has yet been found. There are a number of different methods including NTRU, LWE, and BLISS.

2.4 Multivariate-Quadratic-Equations Cryptography

These rely on a sequence of polynomials and variables with coefficients. Each polynomial is required to have a degree of at most 2, with no squared terms. It is possible to verify these signatures with a standard hash function, which results in shorter public keys. There are quite a number of current methods including: Rainbow, Hidden Field Equations (HFE), and UOV cryptosystems. One of the major problems with these systems is that, while efficient, their security is not fully understood and new attacks are found on a regular basis.

2.5 Secret-Key Cryptography

Otherwise known as symmetric cryptography, this uses either stream ciphers or block ciphers. These cryptosystems are widely used and implemented, including: Twofish, Serpent, AES (Rijndael), Blowfish, CAST5, Kuznyechik, RC4, 3DES, Skipjack, Safer+/++ (Bluetooth), and IDEA. There already exist some symmetric key management systems like Kerberos and 3GPP, which offer the benefit of already being widespread.

3 PQC in TLS

3.1 TLS Specifics

Although many post-quantum cryptosystems have been proposed by researchers, not all are ready for widespread deployment. Cryptographic software needs to be carefully written to avoid so-called side-channel attacks, which can introduce vulnerabilities into an otherwise secure protocol. Furthermore, in order for a cryptographic library to be useful to the larger programming community, it should expose a simple interface to allow easy integration into software projects.

3.2 Criteria

Although many post-quantum cryptosystems have been proposed by researchers, not all are ready for widespread deployment in TLS. When developers need to include a secure channel in their software, they use libraries that expose a high-level interface, rather than directly calling cryptographic primitives themselves. Therefore, a post-quantum key-exchange protocol is likely to be integrated into software only if it is packaged into such a library, like OpenSSL. Furthermore, cryptographic code needs to be written to be resistant to timing attacks, which allow an adversary to recover secret data from a cryptosystem even if the protocol itself is theoretically secure. Attackers targeting a software implementation have access to more information than security proofs model. Such vulnerabilities often arise from altering program control flow based on secret data, for example performing a computation only when a certain bit of the secret key is set.

TLS implementations have been successfully exploited by timing attacks. For example, Canvel, Hiltgen, Vaudenay, and Vuagnoux (Canvel et al., 2003) were able to intercept passwords in a TLS channel by measuring differences in timing arising from whether or not a forged message authentication code (MAC) is valid. This attack was possible even though Krawczyk (Krawczyk, 2001) had proven that the way MACs are validated is secure.

Due to the effectiveness of these attacks, we only consider a protocol to be ready for TLS deployment if it has been implemented to be resistant to timing attacks. Programmers typically achieve protection against timing attacks by writing constant-time programs, that is, programs whose runtime does not depend on secret data. This involves avoiding branching on secret data as described above, but also requires avoiding memory accesses based on secret data, since recently accessed data stored in the cache can be read faster than data from main memory (Bernstein, 2005).

4 Current Implementations

In this section we investigate post-quantum cryptosystems which have implementations targeting TLS.

In 2015, Bos, Costello, Naehrig, and Stebila (Bos et al., 2015) constructed TLS ciphersuites with post-quantum key exchange. Their key-exchange protocol is based on the ring learning with errors (R-LWE) problem, which is related to the shortest vector problem on lattices. The authors integrate four ciphersuites targeting the 128-bit security level into OpenSSL. The first two, RLWE-ECDSA-AES128-GCM-SHA256 and RLWE-RSA-AES128-GCM-SHA256, simply replace a classical key-exchange protocol with their post-quantum protocol. The other two are hybrid ciphersuites, which combine their R-LWE protocol with elliptic curve Diffie-Hellman key exchange. Their performance results, in HTTPS connections per second, are shown in Figure 1.

Figure 1: BCNS HTTPS connections per second supported by a web server (Bos et al., 2015)

Later in 2015, Alkim, Ducas, Pöppelmann, and Schwabe identified a number of performance and security problems with the BCNS protocol. By performing a more detailed security analysis, the authors were able to optimize the parameters of the protocol, resulting in higher efficiency and security. Further, the authors suggest replacing a fixed public parameter with a randomly chosen one for each key exchange, avoiding Logjam-style precomputation attacks (Adrian et al., 2015). The authors provide a C implementation of their new protocol, NewHope, but do not integrate their work into OpenSSL.

The absence of a NewHope-based TLS ciphersuite implementation did not stop Google from integrating it into their Chrome web browser (Langley, 2016). To retain classical security, the Chrome team combined NewHope with the X25519 elliptic curve Diffie-Hellman key-exchange protocol, creating a hybrid scheme they called CECPQ1. Because the project was only an experiment, CECPQ1 has since been removed from Chrome, but the experiment was successful. Adding an additional key-exchange protocol to TLS resulted in increased packet sizes and latencies, but this was expected. No unexpected problems arose, showing that deploying NewHope in TLS is feasible.

Because NewHope is such a new protocol, the Chrome engineers did not want their CECPQ1 protocol to become a standard (Langley, 2016). In fact, recent research has made improvements to the NewHope key-exchange protocol. Bos et al. (Bos et al., 2016) suggest basing cryptosystems on the learning with errors (LWE) problem rather than R-LWE, developing a protocol called Frodo, which they integrate into OpenSSL. Although R-LWE allows for more efficient protocols, the additional ring structure may introduce new vulnerabilities. On the other hand, Longa and Naehrig (Longa and Naehrig, 2016) develop new algorithms which speed up NewHope by a factor of up to 1.4. A library implementing these techniques, LatticeCrypto, is integrated into OpenSSL (Microsoft, 2016).

An alternative lattice-based cryptosystem, NTRU, was described by Hoffstein, Pipher, and Silverman in 1998. NTRU was patented for most of its lifetime, but was recently made patent-free (?), enabling wider adoption of the public-key encryption system. Recent research by Bernstein, Chuengsatiansup, Lange, and van Vredendaal (Bernstein et al., 2016) has improved the security and performance of the cryptosystem. NTRU has been integrated into the wolfSSL embedded TLS library (wolfSSL, 2015).

Moving beyond lattice-based cryptography brings us to the supersingular isogeny Diffie-Hellman (SIDH) key-exchange protocol. Microsoft researchers Costello, Longa, and Naehrig (Costello et al., 2016a) give efficient algorithms for SIDH, which have been integrated into a patch for OpenSSL (Microsoft, 2016a). This library also integrates the SIDH public-key compression algorithms developed by Costello et al. (Costello et al., 2016b).

5 Possible Alternatives

The protocols described in the previous section have implementations specifically built for TLS. Many have been built for OpenSSL, providing software developers an easy way to integrate these post-quantum key-exchange protocols into their applications.
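Before turning to the alternatives, the two ideas from the previous section that an integrator most needs to see working are the hybrid construction (a classical Diffie-Hellman exchange run alongside a lattice-based one, with both shared secrets fed into a single key derivation, as in the BCNS hybrid suites and CECPQ1) and Frodo's choice of plain LWE over R-LWE. The following is an added Python example written for this page; it is not code from the paper, from BCNS, NewHope, Frodo, LatticeCrypto or Chrome. The lattice half is a toy Frodo-style encapsulation over an unstructured matrix; the classical half is a toy finite-field Diffie-Hellman standing in for X25519. Q, N, M, BOUND, P_TOY, G_TOY, the uniform error distribution and the SHA-256 combiner are all assumptions chosen so the code runs offline, and the parameters are far too small to be secure.

```python
# Added example, not from the paper: a toy Frodo-style LWE encapsulation
# (plain matrices, no ring structure) combined with a toy Diffie-Hellman
# into one hybrid key, in the manner of the BCNS hybrid suites and CECPQ1.
# All parameters are assumptions picked for an offline demo; none is secure.
import hashlib
import secrets

Q = 1 << 15      # coefficient modulus (assumed)
N = 64           # LWE dimension (assumed; Frodo uses several hundred)
M = 8            # secret/error columns: M*M = 64 shared-key bits (assumed)
BOUND = 2        # secrets and errors drawn uniformly from [-BOUND, BOUND]

P_TOY = (1 << 61) - 1   # toy prime standing in for the X25519 group (assumed)
G_TOY = 5               # toy generator (assumed)


def uniform_matrix(rows, cols):
    return [[secrets.randbelow(Q) for _ in range(cols)] for _ in range(rows)]


def small_matrix(rows, cols):
    # crude stand-in for Frodo's rounded-Gaussian sampler
    return [[secrets.randbelow(2 * BOUND + 1) - BOUND for _ in range(cols)]
            for _ in range(rows)]


def matmul(x, y):
    # x is r*k, y is k*c; result is r*c with entries reduced mod Q
    return [[sum(x[i][k] * y[k][j] for k in range(len(y))) % Q
             for j in range(len(y[0]))] for i in range(len(x))]


def matadd(x, y):
    return [[(a + b) % Q for a, b in zip(rx, ry)] for rx, ry in zip(x, y)]


def bits_to_bytes(bits):
    flat = "".join(str(bit) for row in bits for bit in row)
    return int(flat, 2).to_bytes(len(flat) // 8, "big")


def lwe_keygen():
    # Alice: B = A*S + E; (A, B) is public, S stays secret
    a = uniform_matrix(N, N)
    s = small_matrix(N, M)
    b = matadd(matmul(a, s), small_matrix(N, M))
    return (a, b), s


def lwe_encaps(public):
    # Bob: B' = S'*A + E', V = S'*B + E'', then hide M*M random key bits
    # in V by adding Q/2 wherever the bit is 1.  He sends (B', C).
    a, b = public
    s2 = small_matrix(M, N)
    b2 = matadd(matmul(s2, a), small_matrix(M, N))
    v = matadd(matmul(s2, b), small_matrix(M, M))
    bits = [[secrets.randbits(1) for _ in range(M)] for _ in range(M)]
    c = [[(v[i][j] + bits[i][j] * (Q // 2)) % Q for j in range(M)] for i in range(M)]
    return (b2, c), bits_to_bytes(bits)


def lwe_decaps(secret, ciphertext):
    # Alice: B'*S differs from V only by the small term S'E - E'S + E'',
    # bounded by 2*N*BOUND^2 + BOUND = 514 < Q/4, so rounding never fails.
    b2, c = ciphertext
    w = matmul(b2, secret)
    bits = [[1 if Q // 4 < (c[i][j] - w[i][j]) % Q < 3 * Q // 4 else 0
             for j in range(M)] for i in range(M)]
    return bits_to_bytes(bits)


def dh_keypair():
    x = secrets.randbelow(P_TOY - 2) + 1
    return x, pow(G_TOY, x, P_TOY)


def dh_shared(x, peer_public):
    return pow(peer_public, x, P_TOY).to_bytes(8, "big")


def hybrid_key(classical_ss, pq_ss, transcript=b"toy-hybrid-kex"):
    # CECPQ1-style combiner: both secrets enter one KDF, so the output stays
    # secret as long as at least one of the two exchanges is unbroken.
    return hashlib.sha256(transcript + classical_ss + pq_ss).digest()


def run_hybrid_exchange():
    """Full exchange; returns (alice_key, bob_key), which must be equal."""
    a_x, a_pub = dh_keypair()
    lwe_pub, lwe_sec = lwe_keygen()          # Alice's ClientHello material
    b_x, b_pub = dh_keypair()
    lwe_ct, pq_ss_bob = lwe_encaps(lwe_pub)  # Bob's ServerHello material
    bob_key = hybrid_key(dh_shared(b_x, a_pub), pq_ss_bob)
    alice_key = hybrid_key(dh_shared(a_x, b_pub), lwe_decaps(lwe_sec, lwe_ct))
    return alice_key, bob_key


if __name__ == "__main__":
    alice, bob = run_hybrid_exchange()
    print("keys match:", alice == bob, alice.hex())
```

Two design points carry over to real deployments. First, the combiner hashes both shared secrets together rather than XORing them or picking one, which is what lets the hybrid fall back to the classical security level if the lattice scheme turns out to be weak (the concern the paper raises about R-LWE's extra ring structure), and to the lattice scheme's security if the curve is broken by a quantum computer. Second, the error bound in `lwe_decaps` is what makes decapsulation deterministic; in Frodo the equivalent bound is probabilistic, and the failure rate is part of the security analysis.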
In this section, we look at post-quantum key-exchange protocols that, while promising, are not ready for deployment in TLS.

Code-based cryptography provides an alternative to lattice-based schemes such as NTRU and the R-LWE protocols described in the previous section. The best example of code-based cryptography is McEliece's (McEliece, 1978) hidden-Goppa-code public-key encryption system. Bernstein presented a constant-time implementation of the cryptosystem in 2013. This cryptosystem supports extremely fast encryption, but the public keys are far too large for usage in TLS.

Another alternative to lattice-based cryptography is group-theoretic cryptography. Because the computational problems used in these cryptosystems have not been well studied, interest in non-commutative cryptography remains for the most part theoretical. Nonetheless, a key-exchange protocol, Algebraic Eraser, has been designed for use in systems with limited computational resources (Anshel et al., 2006). The parameters given in the original article were broken by Ben-Zvi, Blackburn, and Tsaban in 2016, but the protocol is defined in great generality, and Anshel, Atkins, Goldfeld, and Gunnells (Anshel et al., 2016) were able to defeat the attack by giving a new instantiation of the system. Further research is needed to decide whether this protocol is secure.

As a final key-exchange alternative to lattice-based cryptography, we discuss multivariate-quadratic-equations cryptography. This class of cryptosystems comprises for the most part public-key signature schemes, but Burger and Heinle presented a key-exchange protocol based on multivariate Ore polynomials in 2014. However, this cryptosystem has received little scrutiny from the broader cryptography community, and uses public keys nearly as large as those in McEliece's code-based system.

6 PQTLS Analysis

In this section, we evaluate the cryptosystems surveyed above. The most important factor for a protocol is whether it is ready to be deployed for TLS, based on the existence of a constant-time SSL library. We also analyze the performance of each scheme based on the communication and key generation costs for the recommended parameters.

We collect our data in Table 1. All of the protocols discussed in the current implementations section (Section 4) except for NTRU are ready for TLS deployment. Even though NTRU is implemented in wolfSSL, the lack of constant-time protections in their code disqualifies it from being TLS-ready.

Table 1: Postquantum TLS Analysis (an X marks a property the scheme has)

Scheme              TLS-Ready   Security (bits)   Communication (bits)   Keygen (ms)   Constant Time
NewHope             X           199               3,872                  0.31          X
FRODO               X           130               22,584                 2.6           X
LatticeCrypto       X           128               3,872                  0.21          X
SIDH                X           128               660                    900           X
wolfSSL NTRU                    128               1,128                  2.249
NTRU Prime                      195               9,802                  N/A           X
McBits                          128               1,046,738              N/A           X
Algebraic Eraser                120               1,554                  N/A
Ore Diffie-Hellman              111               1,027,000              N/A

Of the cryptosystems ready for use in TLS, SIDH requires the least data transfer, while LatticeCrypto provides the fastest key generation. However, while the communication cost of LatticeCrypto is less than 6 times that of SIDH, key generation in SIDH takes over 4,000 times as long as in LatticeCrypto. Therefore, we believe LatticeCrypto is currently the best choice for integration into TLS.

Most of the schemes analyzed here target the 128-bit security level. However, due to the difficulty of estimating the post-quantum security of a protocol, some authors choose conservative parameters, giving a comfortable margin above the 128-bit level. We also note that Algebraic Eraser is intended for low-cost, resource-constrained devices. As such, its designers focus their attention on the 80-bit level, but they do provide parameters for 120 bits of security.

7 Conclusion

7.1 Future Research

This analysis is meant to be a conglomeration of current knowledge on post-quantum enabled TLS. However, we have distinctly focused on key exchange rather than authentication for all of the research. There are a large number of interesting applications of quantum-secure algorithms in signature schemes that would likely have much different criteria than what we showed here.

In terms of potential future research, additional research on current implementations could be done by running them on a single system for a better runtime analysis. As time goes on, there will likely be more implementations that we did not mention, and at that time it would make sense to compare those new ones using the same criteria and methods. We would like to see more research done on non-lattice-based cryptosystems, simply because the security community right now is focusing very heavily on lattices as a means to quantum security.

7.2 Final Remarks

Integrating a post-quantum key-exchange protocol into TLS is necessary for preserving the privacy of today's internet communications. We surveyed the post-quantum cryptography literature for implementations that are ready to be deployed today, and found that Microsoft's LatticeCrypto library is the current best choice.

However, future research is likely to produce new attacks against ring learning with errors key exchange. It is important for the cryptographic research community to continue to investigate alternative protocols. In particular, we need to develop further protocols based on problems besides lattices, in case the latter are shown to be easily solved. Supersingular isogeny Diffie-Hellman is the most promising non-lattice protocol, but many other classes of cryptographic systems exist, and others likely remain to be discovered.

Quantum computers may not be very capable today, but by planning ahead and integrating post-quantum security as soon as we can, we will be ensuring the privacy and integrity of TLS.
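The TLS-readiness criterion of Section 3.2 and Table 1 (code must not branch on secret data) is easiest to see on the MAC check that the Canvel et al. attack exploited. The following is an added Python example written for this page; it is not code from the paper or from any TLS library. DEMO_KEY, DEMO_MSG and the two instrumented comparison functions are constructed for the demo; the `bytes_examined` count stands in for wall-clock time, which an interpreted language cannot measure reliably enough to show the leak directly.

```python
# Added example, not from the paper: a MAC check written the leaky way and
# the constant-time way.  Instead of timing (noisy in Python), each compare
# reports how many bytes it examined; a count that depends on where the
# first wrong byte sits is exactly the signal a timing attacker measures.
import hashlib
import hmac

DEMO_KEY = b"constructed-demo-key"      # constructed, not a real secret
DEMO_MSG = b"GET /login HTTP/1.1"        # constructed sample record


def mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()


def leaky_equal(a, b):
    """Early-exit compare: returns (equal, bytes_examined).  Work stops at
    the first mismatch, so the count leaks how much of the tag was right."""
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:          # branch on secret-dependent data: the flaw
            return False, examined
    return True, examined


def constant_time_equal(a, b):
    """Branch-free compare: always walks every byte and ORs the XOR
    differences together, so the work is the same for every wrong tag."""
    if len(a) != len(b):    # lengths are public, so this branch is fine
        return False, 0
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0, len(a)


def verify_mac(key, msg, tag, compare=constant_time_equal):
    """Recompute the tag and compare it; returns (valid, bytes_examined)."""
    return compare(mac(key, msg), tag)


def mismatch_work_profile(compare, key=DEMO_KEY, msg=DEMO_MSG):
    """For each position i, build a tag that is correct up to byte i and
    wrong at i, and record how many bytes the comparison examined."""
    real = mac(key, msg)
    profile = []
    for i in range(len(real)):
        forged = real[:i] + bytes([real[i] ^ 0x01]) + real[i + 1:]
        valid, examined = verify_mac(key, msg, forged, compare)
        assert not valid
        profile.append(examined)
    return profile


if __name__ == "__main__":
    print("leaky   :", mismatch_work_profile(leaky_equal))
    print("constant:", mismatch_work_profile(constant_time_equal))
```

The leaky profile climbs from 1 to 32: the amount of work done reveals how many leading bytes of a wrong tag were correct, which is the information the attack described in Section 3.2 recovers from timing. The constant-time profile is flat at 32. In Python the standard-library `hmac.compare_digest` implements this pattern and should be used instead of hand-written code; in C the equivalent is an OR-accumulating loop rather than `memcmp`. Note that this covers only the branching half of the paper's criterion; avoiding secret-dependent memory accesses (the cache-timing concern cited from Bernstein, 2005) is a separate property that a comparison loop does not address.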

References

D. Adrian, K. Bhargavan, Z. Durumeric, P. Gaudry, M. Green, J. A. Halderman, and P. Zimmermann. 2015. Imperfect forward secrecy: How Diffie-Hellman fails in practice. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security.

I. Anshel, M. Anshel, D. Goldfeld, and S. Lemieux. 2006. Key agreement, the Algebraic Eraser, and lightweight cryptography.

I. Anshel, D. Atkins, D. Goldfeld, and P. E. Gunnells. 2016. Defeating the Ben-Zvi, Blackburn, and Tsaban attack on the Algebraic Eraser. arXiv preprint.

D. J. Bernstein, C. Chuengsatiansup, T. Lange, and C. van Vredendaal. 2016. NTRU Prime. Cryptology ePrint Archive, Report 2016/461.

D. J. Bernstein. 2005. Cache-timing attacks on AES. cr.yp.to antiforgery.

J. W. Bos, C. Costello, M. Naehrig, and D. Stebila. 2015. Post-quantum key exchange for the TLS protocol from the ring learning with errors problem. In 2015 IEEE Symposium on Security and Privacy.

J. Bos, C. Costello, L. Ducas, I. Mironov, M. Naehrig, V. Nikolaenko, A. Raghunathan, and D. Stebila. 2016. Frodo: Take off the ring! Practical, quantum-secure key exchange from LWE. Cryptology ePrint Archive, Report 2016/659.

B. Canvel, A. P. Hiltgen, S. Vaudenay, and M. Vuagnoux. 2003. Password interception in a SSL/TLS channel. In D. Boneh (Ed.), Advances in Cryptology – CRYPTO 2003.

C. Costello, D. Jao, P. Longa, M. Naehrig, J. Renes, and D. Urbanik. 2016a. Efficient compression of SIDH public keys. Cryptology ePrint Archive, Report 2016/963.

C. Costello, P. Longa, and M. Naehrig. 2016b. Efficient algorithms for supersingular isogeny Diffie-Hellman. Cryptology ePrint Archive, Report 2016/413.

T. Dierks and E. Rescorla. 2008. The Transport Layer Security (TLS) protocol version 1.2. IETF Standards Track.

R. P. Feynman. 1982. Simulating physics with computers. International Journal of Theoretical Physics.

H. Krawczyk. 2001. The order of encryption and authentication for protecting communications (or: how secure is SSL?). In J. Kilian (Ed.), Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology.

R. E. Ladner. 1975. On the structure of polynomial time reducibility. Journal of the ACM.

A. Langley. 2016. CECPQ1 results [blog post]. ImperialViolet.

P. Longa and M. Naehrig. 2016. Speeding up the number theoretic transform for faster ideal lattice-based cryptography. Cryptology ePrint Archive, Report 2016/504.

R. J. McEliece. 1978. A public-key cryptosystem based on algebraic coding theory. DSN Progress Report.

Microsoft. 2016. SIDH for OpenSSL [computer software].

P. W. Shor. 1999. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Review.

N. Sullivan. 2013. A (relatively easy to understand) primer on elliptic curve cryptography. Ars Technica.

wolfSSL. 2015. Quantum-safe [blog post]. wolfSSL Blog.