POST-QUANTUM CRYPTOGRAPHY HOW WILL WE ENCRYPT TOMORROW? Hanno Böck

POST-QUANTUM CRYPTOGRAPHY HOW WILL WE ENCRYPT TOMORROW? Hanno Böck https://hboeck.de

1 INTRODUCTION Hanno Böck, freelance journalist and hacker. Writing for Golem.de and others. Fuzzing Project, funded by Linux Foundation's Core Infrastructure Initiative. Author of monthly Bulletproof TLS Newsletter.

2 1982

Richard Feynman presents idea of a quantum computer

CC by-sa 3.0, Tamiko Thiel, Wikimedia Commons

3 1994

Peter Shor shows quantum computers could break public key cryptography

CC sa 1.0, Peter Shor, Wikimedia Commons

4 QUANTUM COMPUTERS Well understood theory, but hard to engineer. Some researchers give timeframes of 10-15 years for scalable quantum computers.

5 POST-QUANTUM CRYPTOGRAPHY Algorithms that we believe to be resistant to quantum attacks. Development still in early stages.

6 SYMMETRIC POST-QUANTUM CRYPTOGRAPHY Hash functions (SHA-2, SHA-3) and symmetric encryption (AES) are the easy part. Just use larger keys (256 bit is fine).

7 PUBLIC KEY CRYPTOGRAPHY Encryption with separate public and private key Signatures Key exchanges

8 UNDERLYING PROBLEMS OF PUBLIC KEY CRYPTOGRAPHY Factoring-based (RSA) Discrete-logarithm-based (Diﬀie Hellman, DSA, ElGamal) Elliptic-curve-based (ECDSA, ECDH, X25519, Ed25519) Quantum computers break all three.

9 CRYPTO IS BROKEN Almost every crypto soware and protocol today uses these algorithms. TLS/SSL, SSH, OpenPGP/GnuPG, Signal, Whatsapp, OTR, OMEMO, ... Quantum computers break practically everything using crypto.

10 CANDIDATES FOR POST-QUANTUM CRYPTOGRAPHY Code-based cryptography Lattice-based cryptography Isogeny-based cryptography Hash-based signatures Multivariate cryptography

11 CONSERVATIVE, SAFE CHOICES EU PQCRYPTO recommendations

12 MCELIECE / MCBITS McEliece: Code-based encryption. Parameters from McBits paper (Bernstein, Chou, Schwabe, 2013). Good: old, well researched Bad: large keys (~1 MB)

13 HASH-BASED SIGNATURES Good: as secure as the hash function XMSS: needs internal state SPHINCS: no state, but large signatures

14 LATTICES Ntru, Ring-Learning-With-Errors, New Hope, Ntru prime, BLISS, Tesla#. Pro: Practical, fast, relatively small keys. Con: Patents, conflicts over security estimates. Most likely candidate for early deployments.

15 SUPERSINGULAR ISOGENIES OF ELLIPTIC CURVES SIDH - Diﬀie-Hellman-alike key exchange. Pro: Very similar workflow to Diﬀie Hellman, small keys. Con: Not that fast, very new, needs more research.

16 POST-QUANTUM CRYPTOGRAPHY TODAY We have the choice between very impractical and experimental algorithms.

17 IMPLEMENTATION CONSIDERATIONGS

18 ATTACKS ON OLD CRYPTO

Logjam, FREAK, DROWN, SWEET32

19 DEPRECATION IS HARD It oen takes decades to deprecate old crypto. Windows-XP- compatibility is still a concern for some. If quantum computers come in 10-15 years then the transition will be rough.

20 IT'S NOT JUST THE ALGORITHMS Secure algorithms can be used in insecure ways. October 2016: Three research papers on potential backdoors and security issues with Diﬀie Hellman. If we don't even know how to use the oldest public key algorithm safely, how should we know how to use entirely new algorithms?

21 STORE NOW, DECRYPT LATER Attackers could store large amounts of encrypted communication today and decrypt it once a quantum computer is available. Strong argument for fast deployment.

22 HYBRID MODES No confidence in practical postquantum schemes. Combine experimental postquantum algorithm with well researched prequantum algorithm. Example: X25519 (elliptic curve) and New Hope (lattice- based) key exchange.

23 CECPQ1 Google deployed New Hope / X25519 hybrid in Chrome/BoringSSL and on some servers.

24 REBELALLIANCE Hybrid New Hope / X25519 key exchange for tor.

25 QUANTUM MYTHBUSTING

26 WHEN WILL I HAVE A QUANTUM COMPUTER ON MY DESK? Maybe never.

27 QUANTUM ALGORITHMS Quantum computers don't magically make everything faster, they're faster for very specific problems (factoring, physical simulations). Even if possible: It's not clear if there's a need for home quantum computers. Possible scenario: Quantum computers are run by universities and companies, one can rent computing time.

28 D-WAVE The D-Wave quantum computer can't run Shor's algorithm. It's not clear if D-Wave quantum computers can do anything useful. But they are almost certainly irrelevant for cryptography.

29 QUANTUM CRYPTOGRAPHY

Image public domain, Wikimedia Commons

30 CLARIFICATION OF VOCABULARY Quantum computing: Using quantum eﬀects to solve mathematical problems that can't eﬀiciently be solved on normal computers. Post-Quantum cryptography: Cryptography that resists attacks with quantum computers. Quantum cryptography / quantum key distribution: Using physical channels to exchange cryptographic keys.

31 QUANTUM CRYPTOGRAPHY / QKD Idea: cryptography that is secure based on the laws of physics. Send single particles with polarized encoding, exchange polarization filter configuration. This has major drawbacks and solves nothing.

32 HUGE HYPE Latest trend: Talk about Quantum Internet.

33 LIMITATIONS Very likely limited distances (tens or hundreds of kilometers). Or maybe this is good?

34 But they can only function over distances up to 300 km [...] Instead, repeaters based on trusted nodes or fully quantum devices, possibly involving satellites, are needed to reach global distances. The advantage of trusted-node schemes is that they provide access for lawful intercept, as required by many nation states Source: EU Quantum Manifesto

35 TRUSTED INTERMEDIATES?

36 QUANTUM INTERNET? Let's say I want to send an encrypted message from Berlin to Sydney. Trusted intermediates in Poland, Ukraine, Russia, Kazakhstan, China, India, Burma, Thailand, Malaysia, Indonesia, Australia.

37 NOT WIRELESS QKD needs a physical connection between endpoints. No Wifi No mobile Internet

38 QUANTUM HACKING Quantum cryptography provides perfect security. However regularly commercial QKD devices get broken. How's that even possible?

39 QKD: SECURE IN THEORY The big argument for QKD: It's perfectly secure - based on the laws of physics! However that's only true for an idealized version of QKD, not for any real system.

40 PROBLEMS OF HARDWARE-BASED SECURITY If you have a bug in your encryption soware you can install an update (hopefully). If you have a bug in your encryption hardware you need to buy new hardware.

41 QKD NEEDS AUTHENTICATION All QKD systems need an authenticated channel. QKD depends on the cryptography its proponents claim it should replace. This limitation is rarely mentioned, but it's significant. It means QKD can't solve the problems created by quantum computers.

42 "It is a well-established fact that all QKE protocols require that the parties have access to an authentic channel. Without this authenticated link, QKE is vulnerable to man-in-the-middle attacks. Overlooking this fact results in exaggerated claims and/or false expectations about the potential impact of QKE." (Paterson, Piper, Schack, 2004)

43 QUANTUM CRYPTOGRAPHY Extremely overhyped with outragerous claims ("Quantum Internet"). Entirely unclear which problems it should solve. Definitely not a solution for the problems created by quantum computers. That solution is Post-Quantum cryptography.

44 CONCLUSIONS Quantum computers may come pretty soon (or not at all). We need to be prepared. Post-Quantum cryptography is still in its early stages. We're already too late. Be wary of overhyped claims about quantum cryptography, which likely won't solve anything

45 MORE INFO pqcrypto.org pqcrypto.eu.org - EU PQCRYPTO research project csrc.nist.gov/groups/ST/post-quantum-crypto/ - NIST standardization eﬀort Questions?