Post-Quantum Cryptography
Johannes Buchmann and Nina Bindel
16.01.2015 | 1 Public-key cryptography
16.01.2015 | 2 Public-key encryption
plaintext encrypt ciphertext decrypt plaintext
public secret
16.01.2015 | 3 Digital signatures
document sign signature verify valid / invalid
secret public
16.01.2015 | 4 IT-security requires public-key cryptography
16.01.2015 | 5 TLS
TLS
public-key encryption digital signatures
Billions daily!
16.01.2015 | 6 Software downloads
digital signatures
16.01.2015 | 7 Number of worldwide downloads from Apple App Store July 2008 - October 2014 (in billions)
90 85
80 75
70 70
60 60
50 50
40 40 35
Downloads (in billions) (in Downloads 30 30 25
20 18 14 15 10 10 6,5 7 5 3 4 1,5 0,01 0,1 1 0 Jul '08 Sep '08 Apr '09 Jul '09 Jan '10 April '10 June Sep '10 Oct '10 Jan '11 Jun '11 Jul '11 Okt '11 Mar '12 Jun '12 Oct '12 Jan '13 May '13 Oct '13 Apr '14 Jun '14 Oct '14 '10
Source: Apple
16.01.2015 | 8 Current public-key cryptography
16.01.2015 | 9 “Generic” RSA
Public key: finite Group G, exponent e, gcd e, G�1 Secret key: |G|
�� Allows to compute: � g �g� ��� |�|,g∈G
16.01.2015 | 10 “Generic” RSA encryption
Public key: finite Group G, exponent e, gcd e, G�1 Secret key: |G|
�� Allows to compute: � g �g� ��� |�|,g∈G
plaintext encrypt ciphertext decrypt plaintext g s g s�g� g�� s
,e
16.01.2015 | 11 “Generic” RSA signature
Public key: finite Group G, exponent e, gcd e, G�1 Secret key: |G|
�� Allows to compute: � g �g� ��� |�|,g∈G Hash function h: �0,1�∗→G
document sign signature verify valid / d s invalid s�� h�d� s� �? h�d�
16.01.2015 | 12 RSA: How to keep |�| secret?
Public key: e, p, q primes, n�pq, G � ��/n��∗ Secret key: G�p�1 q�1 relies on hardness of integer factorization
only known method to keep |G| secret
16.01.2015 | 13 Factorization complexity
vn(log )uu (log log n )()1 Luvn [,] e
v Ln [0,v] = (log n) polynomial log n v Ln [1,v] = (e ) exponential
16.01.2015 | 14 Factorization progress
1984 1993 1988 1996 2009 1985 1994 2003 2012
RSA-120 RSA-130 (NFS) (QS) RSA-768 Elliptic Curve (NFS) RSA-576 Method (NFS) 21061 − 1 (NFS) Quadratic Sieve Number Field Shor L��1/2,1 � o 1� Sieve algorithm � L��1/3, 64/9] L��0, v]
16.01.2015 | 15 ElGamal encryption and signatures
Rely on Discrete Logarithm Problem: Given: Group G� g , h∈G Find: x∈�with h�g�
Choices for G: -GF�p��∗ - group of points of elliptic curves over GF�p��
16.01.2015 | 16 Algorithms for solving �� ��∗-DL
1994 1975 1992 2013 2012 2014
GF(2���·��) Number Field Sieve �·�� Joux � GF(3 ) L��1/3, 64/9] L_n�1/4, v]
Shor algorithm L��0, v]
Pollard Rho GF(3�·���) L_n�1, v]
16.01.2015 | 17 Algorithms for solving EC-DL
2000 1975 1994 2004 2009 1997 2002 2014
ECC2K-108
ECC-p-79 ECC-2-109
ECC-p-109 Secp112r1 Shor algorithm L��0, v] ECC2K-113
Pollard Rho L��1, v]
16.01.2015 | 18 The quantum computer threat
16.01.2015 | 19 Shor’s algorithm 1997
RSA and ElGamal insecure
16.01.2015 | 20 Quantum computer realistic?
16.01.2015 | 21 Quantum computer realistic
16.01.2015 | 22 16.01.2015 | 23 Post-quantum cryptography
16.01.2015 | 24 Performance requirements
Secure until Security level RSA Elliptic curve modulus/finite field size 2015 80 1248 160 2025 96 1776 192 2030 112 2493 224 2040 128 3248 256
Ecrypt recommendations
• Space for keys and signatures: a few kilobytes • Small ciphertext expansion • Times: milliseconds
16.01.2015 | 25 Post-quantum problems?
No provable quantum resistence
NP‐complete We must look here NP
Bounded-Error Factoring Quantum BQP Polynomial-Time P
16.01.2015 | 26 Candidates
• Solving non-linear equation systems over finite fields • Bounded distance decoding over finite fields NP‐complete • Short and close lattice vectors • Breaking cryptographic hash NP functions Factoring • Quantum key exchange BQP P
16.01.2015 | 27 Strategy
Crypto scheme Security level parameter set 4
Assess Optimize performance 2 3 1
hardness instance Quantum resistant problem
16.01.2015 | 28 Multivariate cryptography
16.01.2015 | 29 MQ problem
4x � x� �y�z ≡ 1 mod 13 7y� �2xz� ≡12 mod 13 x�y� � 12xz� ≡ 4 mod 13
Solution: x�15,y�29,z�45
16.01.2015 | 30 MQ-Problem
Given: n, m, p�,…,p� ∈Fx�,…,x� quadratic, F finite field
Find: y�,…,y� ∈F, such that p� y�,…,y� � … � p� y�,…,y� �0
MP is NP-complete (Garey, Johnson 1979) (decision version)
16.01.2015 | 31 Multivariate signatures
Fast P: F� →F�, easily invertible non-linear S: F� →F�,T:F� →F�, affine linear Large keys: 100 kBit for 100 bit security Public key: G�S◦P◦T, hard to invert Compared to Secret Key: S, P,T allows to compute G��T��◦P��◦S�� 1776 bit RSA modulus Signing: s�T��◦P��◦S���m� • UOV , Goubin et al., 1999 Verifying: G�s� �? m • Rainbow, Ding, et al. 2005 • pFlash, Cheng, 2007 • Gui, Ding, Petzoldt, 2015 Forging signature: Solve G s�m�0
16.01.2015 | 32 Code-based cryptography
16.01.2015 | 33 Bounded distance decoding problem
� Given: • Linear code C ⊆ F� � • y∈F� • t∈�
Find: • x∈C: dist�x,y��t
BDD is NP-complete (Berlekamp et al. 1978) (Decisional version)
16.01.2015 | 34 McEliece cryptosystem (1978)
S, G, P matrices over F Allows to G generator matrix for Goppa code solve BDD
Public key: G′ � S◦G◦P, t Secret Key: P, S, G Fast Encryption: c�mG� �z∈F� Large public keys! Decryption: x�cP�� �mSG�zP�� 500 kBits for 100 bit security Compared to 1776 bit RSA solve BDD to get y�mSG modulus decode to obtain m IND-CPA secure version
16.01.2015 | 35 Lattice-based cryptography
16.01.2015 | 36 Why lattice-based cryptography?
• Expected to resist quantum computer attacks • Worst-to-average-case reduction • Permits fully homomorphic encryption
16.01.2015 | 37 Lattice problems
n n∈�,L��b� �⋯� �b� ⊆� lattice; B = (b1, …, bn) basis
�-Shortest Vector Problem (SVP) Given: α�1, lattice L�L�B�basis B
Find: v ∈ L nonzero such that | v|�αλ��L�
�-Closest Vector Problem (CVP)
Given: α�1, lattice L�L�B�basis B, t
Find: v∈L such that t�v �α min�∈�| t � w |
16.01.2015 | 38 2-dimensional αCVP
Given: B� b�,b� ,t,α Find: CV t∈LB : t�CV t�α min ||t�w|| w∈L
t
b2 CV�t�
b1
16.01.2015 | 39 Complexity of �-CVP
Arora et al. (1997): lognc - CVP is NP - hard for all c
not NP -hard
NP-hard
n Goldreich, Goldwasser (2000):
n / logn- CVP is not NP - hard or coNP AM
16.01.2015 | 40 Practical complexity
http://www.latticechallenge.org/
16.01.2015 | 41 The idea of lattice-based cryptography
• GGH Sign 1995 • NTRU Encrypt 1996 • NTRU Sign 2003
16.01.2015 | 42 Reduced bases (Gauß 1801)
b�
1 b b � 2 �
16.01.2015 | 43 ��,�� reduced ⇒ CVP easy
t�x�b� � x�b�
CV t��x1�b� � �x2� b�
t
b 2 CV�t�
b1
16.01.2015 | 44 � � ��,�� not reduced ⇒ CVP hard
1 0 3.4 3 L = �2, B = ( , �, t � ,CVP�t� � 0 1 �2.3 �2
100 99 Another basis B’ = ( , ) 99 98 3.4 100 99 t = = −560.9 · + 566.6 · �2.3 99 98 100 99 33 3 −561 · + 567 · = � = CVP�t� 99 98 27 �2
16.01.2015 | 45 Key generation
Key generation: n∈�,L⊆�n lattice Secret key: „reduced“ basis B of L. (Allows to efficiently solve CVP.) Public key: „bad” basis B’ of L. (Does not.)
16.01.2015 | 46 Public-key encryption
Plaintext v∈L Encryption(public key, v)
n -small e ∈ � w - ciphertext w � v � e e Decryption(secret key, w): v ‐v � CV�w�
16.01.2015 | 47 Digital signature
Public: Cryptographic hash function h: 0,1 → �n Sign(secret key, document d): w � h�d� v � CV�w� w Verify(public key, v, w): v v close to w ?
16.01.2015 | 48 Learning the secret key Nguyen and Regev 2006
s1
s3
s4 s2
NTRU-251 broken using ≈ 400 signatures GGH-400 broken using ≈ 160.000 signatures
16.01.2015 | 49 Performance
• NTRU encrypt 1996: fast and small
The provable schemes to be studied more
• Bliss 2013 and Bai/Galbraith 2014 signature with improvements of Bindel: fast but large signatures
• Lindner, Peikert 2010 encryption with improvements of Göpfert: fast but ciphertext expansion
16.01.2015 | 50 Hash-based signatures
16.01.2015 | 51 Typical construction
Trapdoor one-way Collision resistant hash function function
Digital signature scheme
16.01.2015 | 52 Trapdoor one-way functions hard to construct but not required
Digital signature One-way FF scheme Naor, Yung 1989 Rompel 1990
16.01.2015 | 53 XMSS signature JB, Coronado, Dahmen, Hülsing
• Based on Merkle signature scheme
• Has minimal security requirements
Second-preimage resistant HFF One-way FF XMSS
Pseudorandom FF
16.01.2015 | 54 XMSS in practice
Trapdoor one-way Cryptographic function HFF Block Cipher DL RSA MP-Sign
Pseudorandom FF Second-preimage resistant HFF
XMSS
16.01.2015 | 55 Hash functions & Blockciphers
AES SHA-2 Blowfish SHA-3 3DES BLAKE Twofish Grøstl Threefish JH Serpent Keccak IDEA Skein RC5 VSH RC6 MCH … MSCQ SWIFFTX RFSB …
16.01.2015 | 56 XMSS performance
16.01.2015 | 57 XMSS transfer project Denis Butin, Stefan Gazdag
http://www.square-up.org/
16.01.2015 | 58 Conclusion
16.01.2015 | 59 Todos
. Standardize and integrate into standard applications: XMSS + NTRU- Encrypt/McEliece
. Provide/optimize security proofs http://www.crossing.tu-darmstadt.de . Study computational problems in the presence of modern computing architectures -> parameter selection
. Optimize schemes for secure parameters - consider side channels.
. Integrate with quantum key exchange.
16.01.2015 | 60 16.01.2015 | 61