
An Update on Post Quantum Cryptography Mike Brown, CTO - PowerPoint PPT Presentation



  1. An Update on Post Quantum Cryptography. Mike Brown, CTO & Co-founder, ISARA Corporation

  2. Founded | 2015. Headquarters | Waterloo, Ontario, Canada. Initial Funding from Quantum Valley Investments | $11.5M. Series A from Shasta Ventures | $10M. Canadian Government Strategic Funding (April 2019) | $5.5M. Full-time employees | 33 (9 PhDs). Visionary Leadership Team: Combined 150+ years experience and extensive global business experience and networks. Master Practitioners, Quantum-safe Experts: Specialize in quantum-safe crypto. Deep knowledge of lightweight crypto for IoT. Standards-based Approach: Collaboratively setting standards with ETSI, ITU-T, X9, IETF, and NIST.

  3. WHAT IS QUANTUM COMPUTING? Quantum computing harnesses the unique properties of quantum physics to break barriers currently limiting the speed of today’s “classical” computers, as they’re now called. Quantum computing will not replace current computers; you won’t have a quantum computer smartphone in your pocket. They will, however, be able to solve very specific, hard problems that even the fastest supercomputers couldn’t solve in a reasonable amount of time today. The first real use for them will likely be in advancements in areas such as material design, pharmaceuticals, and optimizing the power grid. [Side panel: Major Industry Players]

  4. THE QUANTUM RACE IS ON

  5. POSITIVE DISRUPTIONS: MATERIAL DESIGN, DRUG DESIGN, CHEMICAL DISCOVERY, OPTIMIZATION, MACHINE LEARNING, SEARCH/BIG DATA

  6. Timeline to Quantum: ANALOG QC, NOISY QC, UNIVERSAL QC

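  7. The Quantum Effect on Public Key Cryptography

     | Type       | Algorithm | Key Strength Classic (bits) | Key Strength Quantum (bits) | Quantum Attack     |
     |------------|-----------|-----------------------------|-----------------------------|--------------------|
     | Asymmetric | RSA 2048  | 112                         | 0                           | Shor’s Algorithm   |
     | Asymmetric | RSA 3072  | 128                         | 0                           | Shor’s Algorithm   |
     | Asymmetric | ECC 256   | 128                         | 0                           | Shor’s Algorithm   |
     | Asymmetric | ECC 521   | 256                         | 0                           | Shor’s Algorithm   |
     | Symmetric  | AES 128   | 128                         | 64                          | Grover’s Algorithm |
     | Symmetric  | AES 256   | 256                         | 128                         | Grover’s Algorithm |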

  8. MITIGATING AN UNPRECEDENTED THREAT. Today, data breaches occur outside of cryptography, and the costs of those breaches are growing. A complete break of public key cryptography is unprecedented. In our connected world, everything that protects data, authorizes or authenticates must be updated to be quantum-safe. This magnitude of change has never been required on such a large scale.

  9. The dawn of large-scale quantum computers: IBM = Less than 20 years; Microsoft = Less than 11 years; ETSI = Less than 10 years; European Commission = Less than 11 years; NIST = Sometime after 2025. By 2026, the risk becomes too high to ignore.

  10. The best time to start is now. How many years does the connected device need to be secured for? If 7+ years, you need to start preparing today. How long does the information need to remain confidential? If 7+ years, you need to start preparing today. Does the device require strong security? • PKI and digital certificates • Hardware security modules (HSMs) • Physically embedded roots of trust. [Timeline figure: Today, 2023, 2026, 2030, 2035; rows for PKI Migrations, Long-term Data Confidentiality (7+ year confidentiality obligation at risk) and Durable Connected Devices (Development 2 - 4 years; Life of an Average Vehicle = 11.5 years); Y2Q Range: Modern cryptography broken; sources marked (NIST, 2016)* and (Mosca, IQC, 2015)*.] *Mosca, Michele., Institute for Quantum Computing. 2015. “Cybersecurity in an era with quantum computers: will we be ready?”. https://eprint.iacr.org/2015/1075.pdf *NIST. April 2016. “Report on Post-Quantum Cryptography”. http://dx.doi.org/10.6028/NIST.IR.8105 *https://www.popsci.com/environment/article/2009-06/next-grid

  11. TWO PATHS TO QUANTUM-SAFE SECURITY: Quantum Key Distribution; Quantum-Safe Cryptography

  12. THE “NEW” MATH: Hash-based, Code-based, Lattice-based, Multivariate-based, Isogeny-based. [Figure labels: Ready to Use Today; Undergoing NIST Evaluation]

  13. THE MIGRATION CHALLENGE: KEY ESTABLISHMENT VS. AUTHENTICATION. Key establishment can be easily upgraded because the client and server negotiate which algorithm to use. 1) Use quantum-safe key transport or key agreement algorithms 2) Use hybrid keys, a mix of both classic and quantum-safe algorithms. The complexity and interconnectivity of public key infrastructure demands action today in order to be ready for the quantum age, and is difficult to do while maintaining backward compatibility.

  14. DoD PKI MIGRATION EXAMPLE. There’s more than 4.5 million active users in the DoD identity management system. Creating a quantum-safe duplicate infrastructure is time-consuming and cost prohibitive.

  15. Bridging the Gap Using Crypto-Agility. [Figure labels: Hybrid-Crypto (Current + Quantum-Safe); Crypto-Agility; Current Public Key Cryptography; Quantum-safe Cryptography; Today; ?]

  16. HYBRID PKI & PHASED MIGRATION • Hybrid Root certificates can be created today and embedded into systems today • Stateful hash-based signatures are perfectly suited for certificate signing and are ready to be used today • Code signing end systems can also be upgraded today • Communication systems are ready to be upgraded to use hybrid algorithms or leading NIST candidates. Upgrade High-Value Assets. [Figure labels: Root CA; IA1, IA2, IA3]

  17. PKI MIGRATION APPROACHES. Duplicate Infrastructure (Legacy, Upgraded): One identity with current certificate; One identity with quantum-safe certificate. Hybrid Infrastructure (Legacy, Upgraded): One identity with hybrid certificate.

  18. Hybrid and Standards • ITU-T: A contribution submitted by ISARA Corporation (Canada) was approved that proposes the inclusion of optional support for multiple public-key algorithms in Recommendation ITU-T X.509 | ISO/IEC 9594-8 • IETF: Two proposals • “Composite” - IETF draft Composite Public Keys and Signatures (draft-pala-composite-crypto) • “Catalyst” - IETF draft Multiple Public-Key Algorithm X.509 Certificates (draft-truskovsky-lamps-pq-hybrid-x509) • Both expired

  19. HIGH RISK: Authenticated Software Over-The-Air (OTA) Updates. What’s at risk? Digital Signatures; Code Signing; Embedded Roots of Trust. What’s The Attack: Forged software updates by quantum-enabled adversaries. What’s Affected: Durable connected devices (IoT) with long in-field lives. Protection: Physically embed stateful hash-based roots of trust today

  20. Hash-Based Cryptography 101 • Introduced by Merkle in 1979 • “One-Time Signatures” • Small public key but very large private key • Fast signing & verifying • Stateful • Candidates: Leighton-Micali Signatures (LMS); eXtended Merkle Signature Scheme (XMSS); SPHINCS. [Figure: Merkle tree, Tree Height = 3; Public Key A 0 at the root; node rows A 1,2 A 1,2; A 2,1 to A 2,4; A 3,1 to A 3,8; Verification Keys Y 1 to Y 8; Signing Keys X 1 to X 8]

  21. NIST on Stateful Hash-based Signatures (HBS) 1. HBS schemes are good candidates for early standardization because they’re trusted, mature, and well understood 2. NIST is actively reviewing XMSS and LMS (HSS) for early approval outside their Post-Quantum Cryptography Standardization Process 3. Under consideration for specific use-cases, such as code-signing 4. The security of an HBS scheme relies on the same basis as many current NIST-approved cryptographic algorithms and protocols, and no known quantum algorithms pose a practical threat. https://csrc.nist.gov/Projects/Stateful-Hash-Based-Signatures

  22. Stateful HBS Operational Implications 1. Running out of keys: The private key of a stateful HBS scheme is an “exhaustible” resource, so careful planning is required 2. Growing signatures: Signature size grows as the size of the private key grows 3. New implementation considerations: Private key splitting and state management is not something the industry has had to deal with before 4. Special considerations for high-value roots: For extremely high-value root keys that don’t produce many signatures during their validity a manual process for state management may be required

  23. Global Standards Focus

  24. NIST Standardization Update • 17 KEM Candidates: BIKE, Classic McEliece, Kyber, Frodo, HQC, LAC, LEDAcrypt, NewHope, NTRU, NTRU Prime, NTS-KEM, ROLLO, Round5, RQC, SABER, SIKE, Three Bears • 9 Signature Candidates: Dilithium, Falcon, GeMSS, LUOV, MQDSS, Picnic, qTESLA, Rainbow, SPHINCS+

  25. NIST Standardization Update • Timelines • Round 2 ends June 2020 • Round 3 begins after with reduced list • Final standards 2022-2024(ish) • Potential additional algorithms standardized post Round 3 • Request more merging • Hybrid modes of operation • Complexity of implementation
