Introduction to Post-Quantum Cryptography and Learning with Errors

Douglas Stebila
Summer School on real-world crypto and privacy • Šibenik, Croatia • June 11, 2018
https://www.douglas.stebila.ca/research/presentations

Stebila • Intro to PQ crypto & LWE • Summer school on real-world crypto & privacy • 2018-06-11

Summary
• Intro to post-quantum cryptography
• Learning with errors problems
  • LWE, Ring-LWE, Module-LWE, Learning with Rounding, NTRU
  • Search, decision
  • With uniform secrets, with short secrets
• Public key encryption from LWE
  • Regev
  • Lindner–Peikert
• Security of LWE
  • Lattice problems – GapSVP
• KEMs and key agreement from LWE
• Other applications of LWE
• PQ security models
• Transitioning to PQ crypto

Authenticated key exchange + symmetric encryption
• Authenticated using RSA digital signatures (keys vkA, skA and vkB, skB)
• Key established using Diffie–Hellman key exchange
• Over the Internet: msg → AES Encrypt(k, m) → ciphertext → AES Decrypt(k, c)
• Secure channel, e.g. TLS

Cryptographic building blocks
• Public-key cryptography: can be solved efficiently by a large-scale quantum computer
  • RSA signatures (difficulty of factoring)
  • Elliptic curve Diffie–Hellman key exchange (difficulty of elliptic curve discrete logarithms)
• Symmetric cryptography: cannot be much more efficiently solved by a quantum computer*
  • AES encryption
  • HMAC SHA-256 integrity

When will a large-scale quantum computer be built?
Devoret, Schoelkopf. Science 339:1169–1174, March 2013.

When will a large-scale quantum computer be built?
• “I estimate a 1/7 chance of breaking RSA-2048 by 2026 and a 1/2 chance by 2031.” — Michele Mosca, November 2015, https://eprint.iacr.org/2015/1075
• http://qurope.eu/system/files/u7/93056_Quantum%20Manifesto_WEB.pdf

Post-quantum cryptography in academia
Conference series
• PQCrypto 2006
• PQCrypto 2008
• PQCrypto 2010
• PQCrypto 2011
• PQCrypto 2013
• PQCrypto 2014
• PQCrypto 2016
• PQCrypto 2017
• PQCrypto 2018

Post-quantum cryptography in government
“IAD will initiate a transition to quantum resistant algorithms in the not too distant future.” – NSA Information Assurance Directorate, Aug. 2015
Aug. 2015 (Jan. 2016), Apr. 2016

NIST Post-quantum Crypto Project timeline
http://www.nist.gov/pqcrypto
• December 2016: Formal call for proposals
• November 2017: Deadline for submissions
  • 69 submissions
  • 1/3 signatures, 2/3 KEM/PKE
• 3–5 years: Analysis phase
• 2 years later (2023–2025): Draft standards ready

NIST Post-quantum Crypto Project
http://www.nist.gov/pqcrypto
"Our intention is to select a couple of options for more immediate standardization, as well as to eliminate some submissions as unsuitable. … The goal of the process is not primarily to pick a winner, but to document the strengths and weaknesses of the different options, and to analyze the possible tradeoffs among them."
http://csrc.nist.gov/groups/ST/post-quantum-crypto/faq.html#Q7

Timeline
• 1995: SHA-1 standardized
• 2001: SHA-2 standardized
• 2005: SHA-1 weakened
• 2016: Start PQ Crypto project
• Jan. 2017, Aug. 2017: Browsers stop accepting SHA-1 certificates; first full SHA-1 collision
• Nov. 2017: Submission deadline
• 2023-25: Standards ready
• 2026: Mosca – 1/7 chance of breaking RSA-2048
• 2031: Mosca – 1/2 chance of breaking RSA-2048
• 2035: EU commission – universal quantum computer
• Span marked on the timeline: 16 years

Post-quantum crypto
Classical crypto with no known exponential quantum speedup
• Hash- & symmetric-based: Merkle signatures, Sphincs, Picnic
• Code-based: McEliece, Niederreiter
• Multivariate: multivariate quadratic
• Lattice-based: NTRU, learning with errors, ring-LWE, …, LWrounding
• Isogenies: supersingular elliptic curve isogenies

Quantum-resistant crypto / Quantum-safe crypto
• Classical post-quantum crypto
  • Hash- & symmetric-based: Merkle signatures, Sphincs, Picnic
  • Code-based: McEliece, Niederreiter
  • Multivariate: multivariate quadratic
  • Lattice-based: NTRU, learning with errors, ring-LWE, …, LWrounding
  • Isogenies: supersingular elliptic curve isogenies
• Quantum crypto
  • Quantum key distribution
  • Quantum random number generators
  • Quantum channels
  • Quantum blind computation

Families of post-quantum cryptography
• Hash- & symmetric-based
  • Can only be used to make signatures, not public key encryption
  • Very high confidence in hash-based signatures, but large signatures required for many signature-systems
• Code-based
  • Long-studied cryptosystems with moderately high confidence for some code families
  • Challenges in communication sizes
• Multivariate quadratic
  • Variety of systems with various levels of confidence and trade-offs
• Lattice-based
  • High level of academic interest in this field, flexible constructions
  • Can achieve reasonable communication sizes
  • Developing confidence
• Elliptic curve isogenies
  • Specialized but promising technique
  • Small communication, slower computation

Learning with errors problems

Solving systems of linear equations

$$
\begin{pmatrix}
4 & 1 & 11 & 10 \\
5 & 5 & 9 & 5 \\
3 & 9 & 0 & 10 \\
1 & 3 & 3 & 2 \\
12 & 7 & 3 & 4 \\
6 & 5 & 11 & 4 \\
3 & 3 & 5 & 0
\end{pmatrix}
\times
\underbrace{\begin{pmatrix} 6 \\ 9 \\ 11 \\ 11 \end{pmatrix}}_{\text{secret}}
=
\begin{pmatrix} 4 \\ 8 \\ 1 \\ 10 \\ 4 \\ 12 \\ 9 \end{pmatrix}
$$

Linear system problem: given blue, find red (blue: the matrix and the right-hand side; red: the secret)
Easily solved using Gaussian elimination (Linear Algebra 101)

Learning with errors problem

$$
\underbrace{\begin{pmatrix}
4 & 1 & 11 & 10 \\
5 & 5 & 9 & 5 \\
3 & 9 & 0 & 10 \\
1 & 3 & 3 & 2 \\
12 & 7 & 3 & 4 \\
6 & 5 & 11 & 4 \\
3 & 3 & 5 & 0
\end{pmatrix}}_{\text{random}}
\times
\underbrace{\begin{pmatrix} 6 \\ 9 \\ 11 \\ 11 \end{pmatrix}}_{\text{secret}}
+
\underbrace{\begin{pmatrix} 0 \\ -1 \\ 1 \\ 1 \\ 1 \\ 0 \\ -1 \end{pmatrix}}_{\text{small noise}}
=
\begin{pmatrix} 4 \\ 7 \\ 2 \\ 11 \\ 5 \\ 12 \\ 8 \end{pmatrix}
$$

Search LWE problem: given blue, find red (blue: the random matrix and the right-hand side; red: the secret)

Search LWE problem
[Regev STOC 2005]

Decision learning with errors problem

$$
\underbrace{\begin{pmatrix}
4 & 1 & 11 & 10 \\
5 & 5 & 9 & 5 \\
3 & 9 & 0 & 10 \\
1 & 3 & 3 & 2 \\
12 & 7 & 3 & 4 \\
6 & 5 & 11 & 4 \\
3 & 3 & 5 & 0
\end{pmatrix}}_{\text{random}}
\times \text{secret} + \text{small noise}
=
\underbrace{\begin{pmatrix} 4 \\ 7 \\ 2 \\ 11 \\ 5 \\ 12 \\ 8 \end{pmatrix}}_{\text{looks random}}
$$

Decision LWE problem: given blue, distinguish green from random (blue: the random matrix; green: the right-hand side)

Decision LWE problem

Search-decision equivalence
• Easy fact: If the search LWE problem is easy, then the decision LWE problem is easy.
• Fact: If the decision LWE problem is easy, then the search LWE problem is easy.
  • Requires calls to decision oracle
  • Intuition: test each value for the first component of the secret, then move on to the next one, and so on.
[Regev STOC 2005]

Choice of error distribution
• Usually a discrete Gaussian distribution of width for error rate
• Define the Gaussian function
• The continuous Gaussian distribution has probability density function

Short secrets
• The secret distribution was originally taken to be the uniform distribution
• Short secrets: use
• There's a tight reduction showing that LWE with short secrets is hard if LWE with uniform secrets is hard.
[Applebaum et al., CRYPTO 2009]

Toy example versus real-world example

Toy example:

$$
\begin{pmatrix}
4 & 1 & 11 & 10 \\
5 & 5 & 9 & 5 \\
3 & 9 & 0 & 10 \\
1 & 3 & 3 & 2 \\
12 & 7 & 3 & 4 \\
6 & 5 & 11 & 4 \\
3 & 3 & 5 & 0
\end{pmatrix}
$$

Real-world example (a 640 × 8 matrix; only a few entries are shown):

2738 3842 3345 2979 …
2896 595 3607
377 1575
2760
…

640 × 8 × 15 bits = 9.4 KiB

Ring learning with errors problem

$$
\underbrace{\begin{pmatrix}
4 & 1 & 11 & 10 \\
10 & 4 & 1 & 11 \\
11 & 10 & 4 & 1 \\
1 & 11 & 10 & 4 \\
4 & 1 & 11 & 10 \\
10 & 4 & 1 & 11 \\
11 & 10 & 4 & 1
\end{pmatrix}}_{\text{random}}
$$

Each row is the cyclic shift of the row above

Ring learning with errors problem

$$
\underbrace{\begin{pmatrix}
4 & 1 & 11 & 10 \\
3 & 4 & 1 & 11 \\
2 & 3 & 4 & 1 \\
12 & 2 & 3 & 4
\end{pmatrix}}_{\text{random}}
$$

Each row is the cyclic shift of the row above … with a special wrapping rule: x wraps to –x mod 13.
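
The two structured matrices from the ring-LWE slides, rebuilt from their first row in an added Python example (not part of the original slides). It goes one step beyond the slide by checking the standard fact that multiplying by the wrapped-and-negated matrix is polynomial multiplication in Z_13[x]/(x^4 + 1); the vector s reuses the toy secret as sample input, and the function names are illustrative.

```python
Q = 13  # modulus named on the slide ("x wraps to -x mod 13")

def cyclic_rows(first, rows):
    """Each row is the plain cyclic shift of the row above."""
    out, row = [], list(first)
    for _ in range(rows):
        out.append(row)
        row = [row[-1]] + row[:-1]
    return out

def negacyclic_rows(first, rows, q=Q):
    """Cyclic shift where the entry that wraps around becomes -x mod q."""
    out, row = [], list(first)
    for _ in range(rows):
        out.append(row)
        row = [(-row[-1]) % q] + row[:-1]
    return out

def polymul_negacyclic(a, s, q=Q):
    """a(x) * s(x) in Z_q[x]/(x^n + 1); coefficients are low degree first."""
    n = len(a)
    out = [0] * n
    for i, ai in enumerate(a):
        for j, sj in enumerate(s):
            sign = 1 if i + j < n else -1   # x^n = -1 in this ring
            out[(i + j) % n] = (out[(i + j) % n] + sign * ai * sj) % q
    return out

def vecmat(s, M, q=Q):
    """Row vector s times matrix M, mod q."""
    return [sum(si * M[i][j] for i, si in enumerate(s)) % q
            for j in range(len(M[0]))]

if __name__ == "__main__":
    a = [4, 1, 11, 10]      # first row from the slide
    s = [6, 9, 11, 11]      # sample input: the toy secret from the LWE slides
    M = negacyclic_rows(a, 4)
    print(M)                                      # the 4 rows shown on the slide
    print(vecmat(s, M), polymul_negacyclic(a, s)) # identical vectors
```

Only the first row has to be stored or transmitted: n values instead of the n × n entries of an unstructured LWE matrix.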
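
The toy numbers from the linear-system and LWE slides, worked through in an added Python example (not part of the original slides): Gaussian elimination recovers the secret from the exact system, returns a wrong vector once the small noise is added, and an exhaustive search over all 13^4 candidates finds the secret only because the toy parameters are tiny. The modulus 13 is taken from the ring-LWE slide; the function names are illustrative.

```python
from itertools import product

Q = 13  # modulus: assumed from the page's ring-LWE slide ("mod 13")
A = [[4, 1, 11, 10], [5, 5, 9, 5], [3, 9, 0, 10], [1, 3, 3, 2],
     [12, 7, 3, 4], [6, 5, 11, 4], [3, 3, 5, 0]]
SECRET = [6, 9, 11, 11]
B_EXACT = [4, 8, 1, 10, 4, 12, 9]   # A*s mod 13 (linear-system slide)
B_NOISY = [4, 7, 2, 11, 5, 12, 8]   # A*s + e mod 13 (LWE slide)

def solve_mod(A, b, q=Q):
    """Gauss-Jordan elimination mod prime q on the first n rows; None if singular."""
    n = len(A[0])
    M = [row[:] + [bi] for row, bi in zip(A[:n], b[:n])]
    for col in range(n):
        piv = next((r for r in range(col, n) if M[r][col] % q), None)
        if piv is None:
            return None
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, q)           # modular inverse of the pivot
        M[col] = [x * inv % q for x in M[col]]
        for r in range(n):
            if r != col and M[r][col]:
                f = M[r][col]
                M[r] = [(x - f * y) % q for x, y in zip(M[r], M[col])]
    return [M[r][n] for r in range(n)]

def residual(A, s, b, q=Q):
    """b - A*s mod q, with each entry centred into [-q//2, q//2]."""
    out = []
    for row, bi in zip(A, b):
        d = (bi - sum(a * x for a, x in zip(row, s))) % q
        out.append(d - q if d > q // 2 else d)
    return out

def search_lwe(A, b, bound=1, q=Q):
    """Exhaustive search: every s whose residual stays within +/-bound."""
    return [list(s) for s in product(range(q), repeat=len(A[0]))
            if all(abs(e) <= bound for e in residual(A, s, b, q))]

if __name__ == "__main__":
    print(solve_mod(A, B_EXACT))          # exact system: the secret
    wrong = solve_mod(A, B_NOISY)         # noisy system: a different vector
    print(wrong, residual(A, wrong, B_NOISY))
    print(residual(A, SECRET, B_NOISY))   # the small noise vector
    print(SECRET in search_lwe(A, B_NOISY))
```

The search loop visits q^n candidates, which is 28,561 here and grows exponentially with the secret's dimension n.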
