DOCSLIB.ORG

Post-Quantum Cryptography Daniel J

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Post-Quantum Cryptography Daniel J Post-Quantum Cryptography Daniel J. Bernstein · Johannes Buchmann Erik Dahmen Editors Post-Quantum Cryptography ABC Editors Daniel J. Bernstein Johannes Buchmann Department of Computer Science Erik Dahmen University of Illinois, Chicago Technische Universität Darmstadt 851 S. Morgan St. Department of Computer Science Chicago IL 60607-7053 Hochschulstr. 10 USA 64289 Darmstadt [email protected] Germany [email protected] [email protected] ISBN: 978-3-540-88701-0 e-ISBN: 978-3-540-88702-7 Library of Congress Control Number: 2008937466 Mathematics Subject Classification Numbers (2000): 94A60 c 2009 Springer-Verlag Berlin Heidelberg This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilm or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer. Violations are liable to prosecution under the German Copyright Law. The use of general descriptive names, registered names, trademarks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. Cover design: WMX Design GmbH, Heidelberg Printed on acid-free paper springer.com Preface The first International Workshop on Post-Quantum Cryptography took place at the Katholieke Universiteit Leuven in 2006. Scientists from all over the world gave talks on the state of the art of quantum computers and on cryp- tographic schemes that may be able to resist attacks by quantum computers. The speakers and the audience agreed that post-quantum cryptography is a fascinating research challenge and that, if large quantum computers are built, post-quantum cryptography will be critical for the future of the Internet. So, during one of the coffee breaks, we decided to edit a book on this subject. Springer-Verlag promptly agreed to publish such a volume. We approached leading scientists in the respective fields and received favorable answers from all of them. We are now very happy to present this book. We hope that it serves as an introduction to the field, as an overview of the state of the art, and as an encouragement for many more scientists to join us in investigating post-quantum cryptography. We would like to thank the contributors to this volume for their smooth collaboration. We would also like to thank Springer-Verlag, and in particular Ruth Allewelt and Martin Peters, for their support. The first editor would like to additionally thank Tanja Lange for many illuminating discussions regarding post-quantum cryptography and for initiating the Post-Quantum Cryptogra- phy workshop series in the first place. Chicago and Darmstadt, Daniel J. Bernstein December 2008 Johannes A. Buchmann Erik Dahmen Contents Introduction to post-quantum cryptography Daniel J. Bernstein .............................................. 1 1 Is cryptography dead? . 1 2 A taste of post-quantum cryptography . 6 3 Challenges in post-quantum cryptography . 11 4 Comparison to quantum cryptography . 13 Quantum computing Sean Hallgren, Ulrich Vollmer .................................... 15 1 Classical cryptography and quantum computing . 15 2 The computational model . 19 3 ThequantumFouriertransform ............................... 22 4 Thehiddensubgroupproblem ................................. 25 5 Searchalgorithms............................................ 29 6 Outlook..................................................... 31 References...................................................... 32 Hash-based Digital Signature Schemes Johannes Buchmann, Erik Dahmen, Michael Szydlo ................. 35 1 Hashbasedone-timesignatureschemes ......................... 36 2 Merkle’streeauthenticationscheme ............................ 40 3 One-timekey-pairgenerationusinganPRNG.................... 44 4 Authentication path computation . 46 5 Treechaining................................................ 69 6 Distributedsignaturegeneration ............................... 73 7 SecurityoftheMerkleSignatureScheme........................ 81 References...................................................... 91 Code-based cryptography Raphael Overbeck, Nicolas Sendrier ................................ 95 1 Introduction................................................. 95 2 Cryptosystems............................................... 96 VIII Contents 3 The security of computing syndromes as one-way function . 106 4 Codesandstructures .........................................116 5 Practicalaspects.............................................127 6 Annex......................................................137 References......................................................141 Lattice-based Cryptography Daniele Micciancio, Oded Regev ...................................147 1 Introduction.................................................147 2 Preliminaries ................................................152 3 Finding Short Vectors in Random q-ary Lattices . 154 4 HashFunctions ..............................................157 5 PublicKeyEncryptionSchemes................................165 6 DigitalSignatureSchemes.....................................180 7 Other Cryptographic Primitives . 185 8 OpenQuestions..............................................186 References......................................................187 Multivariate Public Key Cryptography Jintai Ding, Bo-Yin Yang .........................................193 1 Introduction.................................................193 2 TheBasicsofMultivariatePKCs...............................194 3 ExamplesofMultivariatePKCs................................198 4 BasicConstructionsandVariations.............................202 5 Standard Attacks . 215 6 TheFuture..................................................229 References......................................................234 Index ..........................................................243 List of Contributors Daniel J. Bernstein Raphael Overbeck University of Illinois at Chicago EPFL, I&C, LASEC [email protected] [email protected] Johannes Buchmann Oded Regev Technische Universität Darmstadt Tel-Aviv University [email protected]. tu-darmstadt.de Nicolas Sendrier Erik Dahmen INRIA Rocquencourt Technische Universität Darmstadt [email protected] [email protected]. tu-darmstadt.de Michael Szydlo Akamai Technologies Jintai Ding [email protected] University of Cincinnati [email protected] Ulrich Vollmer Sean Hallgren Berlin, Germany The Pennsylvania State University [email protected] Daniele Micciancio Bo-Yin Yang University of California, San Diego Academia Sinica [email protected] [email protected].
Load more

Recommended publications
  • Practical Forward Secure Signatures Using Minimal Security Assumptions
    Practical Forward Secure Signatures using Minimal Security Assumptions Vom Fachbereich Informatik der Technischen Universit¨atDarmstadt genehmigte Dissertation zur Erlangung des Grades Doktor rerum naturalium (Dr. rer. nat.) von Dipl.-Inform. Andreas H¨ulsing geboren in Karlsruhe. Referenten: Prof. Dr. Johannes Buchmann Prof. Dr. Tanja Lange Tag der Einreichung: 07. August 2013 Tag der m¨undlichen Pr¨ufung: 23. September 2013 Hochschulkennziffer: D 17 Darmstadt 2013 List of Publications [1] Johannes Buchmann, Erik Dahmen, Sarah Ereth, Andreas H¨ulsing,and Markus R¨uckert. On the security of the Winternitz one-time signature scheme. In A. Ni- taj and D. Pointcheval, editors, Africacrypt 2011, volume 6737 of Lecture Notes in Computer Science, pages 363{378. Springer Berlin / Heidelberg, 2011. Cited on page 17. [2] Johannes Buchmann, Erik Dahmen, and Andreas H¨ulsing.XMSS - a practical forward secure signature scheme based on minimal security assumptions. In Bo- Yin Yang, editor, Post-Quantum Cryptography, volume 7071 of Lecture Notes in Computer Science, pages 117{129. Springer Berlin / Heidelberg, 2011. Cited on pages 41, 73, and 81. [3] Andreas H¨ulsing,Albrecht Petzoldt, Michael Schneider, and Sidi Mohamed El Yousfi Alaoui. Postquantum Signaturverfahren Heute. In Ulrich Waldmann, editor, 22. SIT-Smartcard Workshop 2012, IHK Darmstadt, Feb 2012. Fraun- hofer Verlag Stuttgart. [4] Andreas H¨ulsing,Christoph Busold, and Johannes Buchmann. Forward secure signatures on smart cards. In Lars R. Knudsen and Huapeng Wu, editors, Se- lected Areas in Cryptography, volume 7707 of Lecture Notes in Computer Science, pages 66{80. Springer Berlin Heidelberg, 2013. Cited on pages 63, 73, and 81. [5] Johannes Braun, Andreas H¨ulsing,Alex Wiesmaier, Martin A.G.
    [Show full text]
  • Editors' Biographies
    Digital Enlightenment Yearbook 2013 295 M. Hildebrandt et al. (Eds.) IOS Press, 2013 © 2013 The authors. doi:10.3233/978-1-61499-295-0-295 Editors’ Biographies Mireille Hildebrandt Mireille Hildebrandt is one of the Founding Members of the Digital Enlightenment Fo- rum. She holds the Chair of Smart Environments, Data Protection and the Rule of Law at the institute of Computing and Information Sciences (iCIS) at Radboud University Nijmegen; she is an Associate Professor of Jurisprudence at the Erasmus School of Law, Rotterdam and a senior researcher at the centre for Law Science Technology & Society at Vrije Universiteit Brussel. The focus of her research is the nexus of philoso- phy of law and of technology, investigating the implications of smart environments for democracy and the Rule of Law. She co-edited Profiling the European Citizen. Cross- Disciplinary Perspectives (2008) with Serge Gutwirth; Law, Human Agency and Auto- nomic Computing (2011) with Antoinette Rouvroy; Privacy and Due Process after the Computational Turn (2013) with Katja de Vries; and Human Law and Computer Law (2013) with Jeanne Gaakeer. Her roots reside in cultural anthropology, law, and the philosophy and history of criminal law. Kieron O’Hara Kieron O’Hara is a senior research fellow in electronics and computer science at the University of Southampton. His research interests are the philosophy and politics of technology, in particular the World Wide Web and the Semantic Web. He writes on privacy, trust and memory, and has a particular interest in transparency and open data. As a political philosopher, he has also written extensively on the philosophy of conser- vatism, and is a research fellow at the Centre for Policy Studies.
    [Show full text]
  • Hash-Based Signatures: an Outline for a New Standard
    Hash-based Signatures: An Outline for a New Standard Andreas Hülsing∗, Stefan-Lukas Gazdag†, Denis Butin‡ and Johannes Buchmann‡ ∗Department of Mathematics and Computer Science Technische Universiteit Eindhoven P.O. Box 513, 5600 MB Eindhoven, The Netherlands [email protected] †genua mbh Domagkstrasse 7, 85551 Kirchheim bei Muenchen, Germany [email protected] †TU Darmstadt Hochschulstrasse 10, 64289 Darmstadt, Germany {dbutin,buchmann}@cdc.informatik.tu-darmstadt.de Abstract. Hash-based signatures are quantum- and runtimes, present security reductions, present safe and well understood. This paper presents an implementations, and finally lower the security as- outline for a new standard extending the recent sumptions on the used hash function, i.e. provide Internet-Draft by McGrew & Curcio. The goals of this new standard are twofold: collision resilience. • To extend the existing draft to include XMSS Recently, McGrew and Curcio published an and its multi-tree version; Internet-Draft [19] for a hash-based signature scheme. • To prepare for possible extensions to cover stateless schemes. Their draft essentially covers the scheme proposed by Merkle at the end of the 1970s. The advantage Keywords: Hash-based signatures, Standard- of this scheme over newer ones is that Merkle was ization, Merkle trees, XMSS. granted a patent on this basic scheme that already expired. Hence, there cannot be any IPR claims for I. Introduction this scheme. However, to the best of our knowledge, there are no active or pending patents on XMSS and Hash-based signatures recently gained a lot of its variants. On the downside, the scheme in [19] has attention as a potential replacement for today’s large signatures, relatively slow runtimes compared to signature schemes when large-scale quantum com- other alternatives (especially for key generation), an puters are built.
    [Show full text]
  • Information Technology for Peace and Security Christian Reuter Editor
    Information Technology for Peace and Security Christian Reuter Editor Information Technology for Peace and Security IT Applications and Infrastructures in Conflicts, Crises, War, and Peace Editor Christian Reuter Science and Technology for Peace and Security (PEASEC) Department of Computer Science Technische Universität Darmstadt Darmstadt, Germany ISBN 978-3-658-25651-7 ISBN 978-3-658-25652-4 (eBook) https://doi.org/10.1007/978-3-658-25652-4 Library of Congress Control Number: 2019936168 Springer Vieweg © Springer Fachmedien Wiesbaden GmbH, ein Teil von Springer Nature 2019 This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, expressed or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
    [Show full text]
  • Securely Instantiating Cryptographic Schemes Based on the Learning with Errors Assumption
    Securely Instantiating Cryptographic Schemes Based on the Learning with Errors Assumption Vom Fachbereich Informatik der Technischen Universit¨atDarmstadt genehmigte Dissertation zur Erlangung des Grades Doktor rerum naturalium (Dr. rer. nat.) von Dipl.-Math. Florian G¨opfert geboren in W¨urzburg. Referenten: Prof. Dr. Johannes Buchmann Prof. Dr. Jintai Ding Tag der Einreichung: 11.08.2016 Tag der m¨undlichen Pr¨ufung: 22.09.2016 Hochschulkennziffer: D 17 Darmstadt 2016 August 11, 2016 Abstract Since its proposal by Regev in 2005 [Reg05], the Learning With Errors (LWE) problem was used as the underlying problem for a great variety of schemes. Its applications are many-fold, reaching from basic and highly practical primitives like key exchange [ADPS16], public-key encryption [LP11, LPR10], and signature schemes [ABBD15, DDLL13] to very advanced solutions like fully homomorphic encryption [BV14, BGV11], group signatures [LLLS13], and identity based encryp- tion [ABV+11]. One of the underlying reasons for this fertility is the flexibility with that LWE can be instantiated. Unfortunately, this comes at a cost: It makes selecting parameters for cryptographic applications complicated. When selecting parameters for a new LWE-based primitive, a researcher has to take the influence of several parameters on the efficiency of the scheme and the runtime of a variety of attacks into consideration. In fact, the missing trust in the concrete hardness of LWE is one of the main problems to overcome to bring LWE-based schemes to practice. This thesis aims at closing the gap between the theoretical knowledge of the hardness of LWE, and the concrete problem of selecting parameters for an LWE- based scheme.
    [Show full text]
  • Progress Report 2018
    Progress Report 2018 18 Academic Affairs The new biomedical engineering degree course is very popular. TU Darmstadt has attracted Goethe University Frankfurt as a partner. 4 Summary by Executive Board 14 Academic Affairs 17 Tricky tasks 18 Run on biomedical engineering degree course 20 Demanding from the very start 22 Comprehensive protection 23 Settling in quickly 24 Generous opening hours 25 Courses offered by TU Darmstadt 26 Facts and figures 30 Research 33 Top positions in German Research Foundation ranking 34 Major projects with a promising future 35 Machine learning for agriculture 36 From human to artificial intelligence 38 Recipe against the power of quantum computers 39 Pros and cons from noise 40 Health data under lock and key 41 Faster DNA synthesis 42 The insect perfume trick 43 Innovations for waterways and buildings 44 Overcoming subject boundaries 46 Top-Level Research 43 Research Environmental engineers design special lifts 50 Why I study here to make waterways passable for fish throughout. 60 Cooperation and transfer 63 50 years of partnership with Lyon 64 Energy-efficient ETA factory 65 Side by side with SMEs 66 From the laboratory into practice 68 Ground mission in the lecture hall 69 Clean water 70 The mobility of the future 71 3D scanner for insects 72 New tools 73 Awakening inquiring minds with Merck 77 Life on campus Open laboratories and exciting 74 Life on campus research were to be discovered 77 Thousands were wide awake at the “hellwach!” (“wide awake!”) 78 Urban quality science day of TU Darmstadt. 80 Climate-friendly
    [Show full text]
  • Acatech STUDIE September 2012 Titel
    > Internet Privacy Eine multidisziplinäre Bestandsaufnahme/ A multidisciplinary analysis Johannes Buchmann (Hrsg.) acatech STUDIE September 2012 Titel Herausgeber: Prof. Dr. Dr. h.c. Johannes Buchmann Technische Universität Darmstadt, Fachbereich Informatik Hochschulstraße 10 64289 Darmstadt E-Mail: [email protected] Reihenherausgeber: acatech – Deutsche Akademie der Technikwissenschaften, 2012 Geschäftsstelle Hauptstadtbüro Brüssel-Büro Residenz München Unter den Linden 14 Rue du Commerce / Handelsstraat 31 Hofgartenstraße 2 10117 Berlin 1000 Brüssel 80539 München Belgien T +49 (0) 89 / 5 20 30 90 T +49 (0) 30 / 2 06 30 96 10 T + 32 (0) 2 / 5 04 60 60 F +49 (0) 89 / 5 20 30 99 F +49 (0) 30 / 2 06 30 96 11 F + 32 (0) 2 / 5 04 60 69 E-Mail: [email protected] Internet: www.acatech.de Koordination: Dr. Karin-Irene Eiermann Redaktion: Linda Tönskötter, Dr. Grit Zacharias Layout-Konzeption: acatech Konvertierung und Satz: Fraunhofer-Institut für Intelligente Analyse- und Informationssysteme IAIS, Sankt Augustin Die Originalfassung der Publikation ist verfügbar auf www.springer.com KolumnentitelInhalt > INHALT VORWORT 9 PREFACE 11 PROjekt 13 1 UN/FAIRE INFORMatiONspraktikeN: INTERNET PrivaCY aus sOZIALWisseNSCHAFTLICHER Perspektive 15 Zusammenfassung 15 Abstract 15 1.1 Einführung 16 1.2 Privatheit als Thema der Sozialwissenschaften 17 1.2.1 Charakteristika sozialwissenschaft licher Privatheitstheorien 18 1.2.2 Zusammenfassung und Folgerungen 27 1.3 Internet Privacy: Privatheit soziotechnisch 28 1.4 Entwurf der Forschungsheuristik
    [Show full text]