
Yi-Kai Liu US National Institute of Standards and Technology (NIST)

Email: [email protected]

NIST PQC team: Lily Chen, Stephen Jordan, Dustin Moody, Rene Peralta, Ray Perlner, Daniel Smith

• Security is hard to measure!

• Want to have a transparent justification: why is this secure?

• Continuing to use RSA is risky; is there a benefit to using PQC?
  ◦ Diversity/redundancy in security

• What does security mean?
  ◦ Breaking the cryptosystem is computationally hard, e.g., requires 2^256 operations

• Show security against known attacks
  ◦ Try all known attacks, show that they are infeasible

• How to protect against unknown attacks?
  ◦ New attacks, new discoveries in mathematics?
  ◦ Try to argue that these are “unlikely”

• Security proofs (based on mathematical conjectures)

• Design to defeat common classes of attacks

• Lattice basis reduction
  ◦ LLL, BKZ, enumeration + extreme pruning
  ◦ Practical performance beats theoretical guarantees
    ▪ What problem instances?
    ▪ How to measure solution quality?
    ▪ Tradeoffs between different algorithms

• Gröbner basis reduction
  ◦ General algorithm for solving multivariate systems of equations
    ▪ Running time may depend on special structure present in the equations

• “Learning a parallelepiped”
  ◦ Breaks old versions of NTRUSign
  ◦ NTRUSign can be repaired using perturbations; is this secure?
  ◦ Other lattice-based signatures are provably secure; recent work has improved their efficiency

• Differential attacks
  ◦ Break certain multivariate cryptosystems (e.g., SFLASH)
  ◦ HFE, unbalanced oil/vinegar are still ok

• Lattice reduction attacks
  ◦ Break some versions of McEliece using LDPC codes
  ◦ Standard McEliece is still ok

• Estimate the complexity of the known attacks
  ◦ Run experiments on small instances of the problem
  ◦ Then extrapolate to larger problem sizes

• Adjust the cryptosystem to defeat these attacks

  Type of attack                                   Complexity of attack              Countermeasure
  General-purpose algorithm                        Exponential time                  Increase the size
  Exploit some special structure in the problem    Varies, can be polynomial time    Design the cryptosystem to avoid that structure

  Cost of these countermeasures: reduced efficiency

• Could there be other attacks that we haven’t discovered yet?
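As an added example (not from the talk) of the “run small instances, then extrapolate” method from the previous slide: a least-squares fit of log2(attack cost) against parameter size, then used to read off the security level at a proposed size and the size needed for a target level (the “increase the size” countermeasure of the table). The timings, the 2^(0.35 n + 10) cost curve and all function names are constructed, not measurements of any real attack.

```python
import math

# Added example (not from the talk): fit an exponential cost model to attack
# timings measured on small instances and extrapolate to proposed sizes.
# Every number below is constructed for illustration.

def fit_log2_cost(samples):
    """Least-squares fit of log2(cost) = a*n + b to (n, cost) pairs.

    Fitting in the log domain turns 'exponential time' into a straight line;
    returns (a, b), where a is the growth in security bits per unit of n."""
    xs = [n for n, _ in samples]
    ys = [math.log2(c) for _, c in samples]
    m = len(samples)
    mean_x, mean_y = sum(xs) / m, sum(ys) / m
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    a = sxy / sxx
    return a, mean_y - a * mean_x

def security_bits(model, n):
    """Extrapolated log2 of the attack cost at parameter size n."""
    a, b = model
    return a * n + b

def min_size_for(model, target_bits):
    """Smallest integer n whose extrapolated cost reaches target_bits."""
    a, b = model
    return math.ceil((target_bits - b) / a)

# Constructed timings: a hypothetical attack whose cost follows 2^(0.35 n + 10)
# exactly. Real measurements are noisy, and the extrapolation is only as good
# as the small instances are representative of the large ones (memory,
# parallelism and special structure can all change the slope).
SAMPLE_RUNS = [(n, 2 ** (0.35 * n + 10)) for n in (20, 30, 40, 50, 60)]

if __name__ == "__main__":
    model = fit_log2_cost(SAMPLE_RUNS)
    print("bits per unit of n:", round(model[0], 3))
    print("estimated security at n=400:", round(security_bits(model, 400), 1))
    print("smallest n for 128-bit security:", min_size_for(model, 128))
```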

• Faster general-purpose algorithms?
  ◦ Probably not…

• More specialized attacks?
  ◦ Attacks on ideal lattices, compact McEliece cryptosystems?
  ◦ (These cryptosystems have special structure, to improve efficiency)

• Theoretical tools for thinking about security
  ◦ Security proofs
  ◦ Impossibility of special classes of attacks

• Why is a particular cryptosystem secure?

• Can we reason about the possible existence of attacks that haven’t been discovered?

  ◦ Designing a public-key cryptosystem is “harder” than designing a or a hash function

  ◦ Want to avoid unpleasant surprises! (e.g., new discoveries that lead to poly-time attacks)

• Goal: rule out the existence of attacks

• Method: relate the security of a cryptosystem to another problem that we understand better
  ◦ Factoring, discrete logs
  ◦ Finding short lattice vectors
  ◦ Solving multivariate systems of equations

• Perspective from complexity theory:
  ◦ Public-key crypto requires very hard problems
    ▪ Average-case instances must be hard
    ▪ Need to generate hard instances efficiently
    ▪ Need trapdoor one-way functions

• Conjecture: “Problem Π is hard”
  ◦ Do we believe this conjecture?
    ▪ E.g., lattice-based crypto: general lattices seem hard, because of the connection with integer programming; the situation for ideal lattices is less clear

• Theorem: “If you can break cryptosystem C, you can solve problem Π”
  ◦ How strong is the connection between C and Π?
    ▪ E.g., lattice-based crypto: very strong connection (“worst-case to average-case reduction”)

• Have to define “security”
  ◦ Different notions: CPA < CCA < UC
  ◦ May not fully describe the real world (e.g., side channels)

• Additional assumptions are often needed to prove security for practical cryptosystems
  ◦ Assume ideal lattices are hard
  ◦ Work in the random oracle model

• Use the security proof to choose key sizes?
  ◦ Security proof gives a lower bound on security
  ◦ Bound can be very loose => not useful in practice

• On the positive side…

• Security proofs help to constrain the space of possible attacks
  ◦ Argue that polynomial-time attacks are unlikely… (would require surprising discoveries)

• Some specific attacks one might worry about
  ◦ Differential attacks in multivariate crypto
  ◦ Shor’s algorithm, hidden subgroup problems
  ◦ Grover’s search algorithm

• Can prove limits on the power of these attacks!

• Differential attacks in multivariate crypto
  ◦ Find and classify all “differential invariants”
  ◦ Can rule out all possible differential attacks! (Perlner & Smith, 2013)

• Quantum algorithms for hidden subgroup problems
  ◦ Generalizations of Shor’s algorithm to other groups
  ◦ Unlikely to get a poly-time quantum algorithm for the symmetric group (Moore & Russell)

• Lower bounds on quantum query complexity
  ◦ For black-box problems, e.g., search and collision finding
  ◦ Known quantum algorithms are nearly optimal
  ◦ Rules out the possibility of a super-polynomial quantum speedup

• Different approaches to evaluating security
  ◦ Estimating the performance of known attacks
  ◦ Using security proofs and formal analysis to rule out the existence of unknown attacks

• Open questions
  ◦ Many cryptosystems use lattices/codes/equations with special structure; how does this affect security?
  ◦ How to measure the complexity of a quantum attack?
  ◦ How well do these cryptosystems perform with other protocols in the real world?