Getting Post-Quantum Crypto Algorithms Ready for Deployment



  1. Getting Post-Quantum Crypto Algorithms Ready for Deployment
     End of ECRYPT II Event: Crypto for 2020
     Tim Güneysu, Hardware Security Group, Horst Görtz Institute for IT-Security, Bochum, 1/24/2013

  2. Outline • Introduction • Alternative Public-Key Cryptosystems (APKC) • Practical Considerations of APKCs • Case Studies on Lattice-based Cryptography • Conclusions

  3. Public-Key Crypto – Situation Today
     • PKCs used in practice are in fact RSA and ECC
     • Underlying problems (factorization/dlog) are both closely related
     • As learned from Tanja's talk yesterday, both are dead when quantum computing comes into play

  4. Public-Key Crypto – A Wishlist
     • Add some alternative PK cryptosystems to our basket
     • Security reductions based on known hard problems
     • No possible poly-time attack algorithms (e.g., Shor) with quantum computers
     • Efficiency in implementations comparable to RSA and ECC

  5. Outline • Introduction • Alternative Public-Key Cryptosystems (APKC) • Practical Considerations of APKCs • Case Studies on Lattice-based Cryptography • Conclusions

  6. Alternative Public-Key Cryptography
     • Four main branches of post-quantum crypto:
       – Code-based
       – Hash-based
       – Multivariate-quadratic
       – Lattice-based
     • Can potentially provide PK encryption and/or signature schemes

  7. Alternative Public-Key Cryptography (APKC)
     • But: why haven't we seen any APKC in real-world systems yet?
       – Many constructions are too novel and hardly analyzed / not mature enough
       – The potential of possible attacks is not fully captured yet
       – No concrete instances/parameters given
       – Implementations of "secure" instances seem to be much too huge and/or slow
       – Skeptics still like to keep ECC/RSA or just don't believe in quantum computers

  8. Alternative Public-Key Cryptography (APKC)
     • How to get APKCs ready for deployment?
       – Pick APKCs for which sufficient confidence in their security and defined instances/parameters exist
       – Make sure their description is comprehensible for implementers
       – Evaluate the efficiency of APKC implementations, in particular on constrained embedded devices
       – Disseminate APKCs to crypto libraries and (international) standards

  9. Outline • Introduction • Alternative Public-Key Cryptosystems (APKC) • Practical Considerations of APKCs – Code-based Cryptography – Hash-based Cryptography – Multivariate-Quadratic-based Cryptography – Lattice-based Cryptography • Conclusions

  10. Disclaimer Slide – A Word of Warning…
     • The following overview on PQC systems does not claim to be complete.
     • It rather focuses on selected systems that are suitable to provide evidence on
       – Activities within each PQC branch
       – Good and (some) bad constructions
       – Constructions that provide concrete instances or only "some" parameters
       – Constructions that provide efficient instances
     • Some (important) parameters are also omitted from some slides
     • See http://pqcrypto.org for more works and definitions

  11. Code-based Cryptography – Basics
     • Hard problem(s): decoding a syndrome / a random linear code
     • Principle:
       – Hide the code's generator matrix G by multiplication with a permutation P and a scrambling matrix S (remark: the latter is not required in all cases) → Public Key G' = SGP
       – Add errors e during the cryptographic operation
       – Decoding is only efficiently possible if the generator matrix is known → Secret Key G
     • The general concept of "decoding with errors" is also picked up by other constructions (e.g., in lattice-based crypto)
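As an added illustration of the G' = SGP principle (not code from the talk), the following toy McEliece uses the binary Hamming(7,4) code, which corrects t = 1 error, in place of a Goppa code; the matrices, the seed-derived scrambler and permutation, and the error position are constructed for the demonstration, and since the "secret" code is public knowledge the instance is structural only, not secure.

```python
# Toy McEliece: public key G' = S*G*P over Hamming(7,4) (t = 1). Added example,
# not from the talk; the code is public knowledge, so it is structural, not secure.
import random
G = [[1, 0, 0, 0, 1, 1, 0],  # systematic generator matrix of Hamming(7,4)
     [0, 1, 0, 0, 1, 0, 1],
     [0, 0, 1, 0, 0, 1, 1],
     [0, 0, 0, 1, 1, 1, 1]]
H = [[1, 1, 0, 1, 1, 0, 0],  # parity-check matrix, G*H^T = 0
     [1, 0, 1, 1, 0, 1, 0],
     [0, 1, 1, 1, 0, 0, 1]]

def matmul(A, B):  # matrix product over GF(2)
    return [[sum(a * b for a, b in zip(row, col)) % 2 for col in zip(*B)] for row in A]

def inverse_gf2(M):  # Gauss-Jordan over GF(2); None if M is singular
    n = len(M)
    A = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for c in range(n):
        p = next((r for r in range(c, n) if A[r][c]), None)
        if p is None:
            return None
        A[c], A[p] = A[p], A[c]
        for r in range(n):
            if r != c and A[r][c]:
                A[r] = [x ^ y for x, y in zip(A[r], A[c])]
    return [row[n:] for row in A]

def keygen(seed):  # public: G' = S*G*P; secret: S^-1 and the permutation (G, H known)
    rng, S_inv = random.Random(seed), None
    while S_inv is None:  # draw scrambler S until it is invertible
        S = [[rng.randint(0, 1) for _ in range(4)] for _ in range(4)]
        S_inv = inverse_gf2(S)
    perm = rng.sample(range(7), 7)
    P = [[int(perm[i] == j) for j in range(7)] for i in range(7)]  # (v*P)[perm[i]] = v[i]
    return matmul(matmul(S, G), P), (S_inv, perm)

def encrypt(pk, msg, err_pos):  # c = m*G' + e, e of weight t = 1 at err_pos
    c = matmul([msg], pk)[0]
    c[err_pos] ^= 1
    return c

def decrypt(sk, c):  # undo P, correct the error with the secret code, undo S
    S_inv, perm = sk
    w = [c[perm[i]] for i in range(7)]  # w = m*S*G + e*P^-1
    syn = [sum(H[r][j] * w[j] for j in range(7)) % 2 for r in range(3)]
    if any(syn):  # syndrome of a single error equals that column of H
        w[[list(col) for col in zip(*H)].index(syn)] ^= 1
    return matmul([w[:4]], S_inv)[0]  # G is systematic: first 4 bits are m*S
```

Real instances replace Hamming(7,4) by a binary Goppa code such as the (n=2048, k=1751, t=27) parameter set quoted later in the deck, where the decoder (not a syndrome table lookup) is what the secret key buys.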

  12. Taxonomy of Code-based Encryption
     • Code-based Encryption Schemes: McEliece [M78], Niederreiter [N86]
     • Underlying codes: Goppa, Generalized Concatenated, Elliptic, Reed-Solomon, Turbo/LDPC/MDPC, Reed-Muller, Srivastava


  14. Taxonomy of Code-based Encryption – Key sizes for ≈ 80-bit equivalent symmetric security
     • Schemes: McEliece [M78], Niederreiter [N86]; codes: Goppa, Generalized Concatenated, Elliptic, Reed-Solomon, Turbo/LDPC/MDPC, Reed-Muller, Srivastava
     • Key-size pairs given in the slide's tree (the flattened layout does not preserve which code each pair belongs to): PK: 63 kB / SK: 2.5 kB; PK: 0.6 kB / SK: 180 B; PK: 2.5 kB / SK: 1.5 kB

  15. Taxonomy of Code-based Signatures
     • Code-based Signature Schemes: Courtois, Finiasz, Sendrier (CFS) Signatures
       – Original [CFS01]
       – Parallel CFS [F10]


  17. Taxonomy of Code-based Signatures – Key sizes for ≈ 80-bit equivalent symmetric security
     • Courtois, Finiasz, Sendrier (CFS) Signatures: Original [CFS01], Parallel CFS [F10]
     • PK: 5 MB, SK: few kB, Sig: < 0.5 KB

  18. Key Aspects of Code-based Systems
     • Focus on encryption; signature schemes are less efficient
     • Selection of the underlying code is the most critical issue
       – Structure in codes reduces key sizes, but often also enables attacks
       – Encoding is a very fast operation on most platforms (matrix multiplication)
       – Decoding is typically a more complex process (fast decoders are available)
     • Reasonably small public and private keys for encryption
     • Additional computational effort for the constant-weight encoding algorithm in Niederreiter's scheme
     • Encryption schemes are quite mature (McEliece proposed in '78, Niederreiter '83)
     • CCA2 conversion available

  19. Hints on Efficiency: McEliece vs. Niederreiter
     • McEliece (using binary Goppa codes, 80-bit equiv. security) – existing implementations:
       – PC (HyMES '08): 140 cycles/bit enc., 2714 cycles/bit dec.
       – AVR µC [EGH09]: 7200 cycles/bit enc., 11300 cycles/bit dec.
       – FPGA [SWM+09]: 160 cycles/bit enc., 446 cycles/bit dec.
     • Niederreiter (using binary Goppa codes, 80-bit equiv. security) – existing implementations:
       – PC (public domain): returns a segfault (?)
       – AVR µC [H11]: 267 cycles/bit enc., 30000 cycles/bit dec.
       – FPGA: see next slide

  20. Implementation Results
     • Results on FPGAs for roughly 80 bit of equivalent symmetric security
     • Parameter set (n=2048, k=1751, t=27) using Goppa codes
     [Figure: bar charts comparing Niederreiter and McEliece encryption [enc] and decryption [dec] on FPGAs; the values are not recoverable from the text]

  21. Outline • Introduction • Alternative Public-Key Cryptosystems (APKC) • Practical Considerations of APKCs – Code-based Cryptography – Hash-based Cryptography – Multivariate-Quadratic-based Cryptography – Lattice-based Cryptography • Conclusions

  22. Hash-based Cryptography – Basics
     • Hard problem: find (second) preimages of cryptographic hash functions
     • Build an OTS scheme using a cryptographic hash function
     • A hash tree reduces many OTS public keys to a single root

  23. Taxonomy of Hash-based Signatures
     • Merkle Signature Scheme: MSS [Mer89], CMSS [BCD+06], GMSS [BDK+07], SPR-MSS [DOTV08], XMSS [BDH11]
     • One-time signatures: LD-OTS [LD79], W-OTS [Mer89, DSS05, RED+08]

  24. Taxonomy of Hash-based Signatures – Key sizes for ≈ 80-bit equivalent symmetric security (≈ 1M #Sigs)
     • Schemes: MSS [Mer89], CMSS [BCD+06], GMSS [BDK+07], SPR-MSS [DOTV08], XMSS [BDH11]; OTS: LD-OTS [LD79], W-OTS [Mer89, DSS05]
     • Key-size columns shown in the figure (the flattened layout does not preserve which scheme each column belongs to):
       – H=20: PK: 46 Byte, SK: 1.86 kB, Sig: 7 kB
       – H=20: PK: 0.93 kB, SK: 152 Bit, Sig: 8.31 kB
       – H=16: PK: 16 Byte, SK: 1.4 kB, Sig: 2.29 kB
       – H=20: PK: 0.91 kB, SK: 152 Bit, Sig: 2.39 kB

  25. Taxonomy of Hash-based Encryption
     • Hash-based Encryption Schemes: { } (the empty set)

  26. Key Aspects of Hash-based Systems
     • Only signature schemes available, no encryption
     • Moderate requirements for implementations
       – Second-preimage-resistant (older schemes: collision-resistant) hash function
       – Pseudorandom functions for the OTS (XMSS)
     • Hard limitation on the number of signatures per tree
       – Height of the tree determines the max. # of signatures (issue with DoS attacks for real-world systems)
       – Requires a track record of signatures already used (critical in untrusted environments!)
       – Increasing the tree height increases memory requirements and computational complexity
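Added example (not the speaker's code) of the construction on slides 22 and 26: a Lamport one-time signature under a Merkle tree of height H, where the signer keeps the index of the next unused leaf as state, refuses to sign once all 2^H one-time keys are consumed, and the verifier recomputes the root from the authentication path. Only hashlib and os are used; the tree height and the messages are chosen for the demonstration.

```python
# Lamport OTS under a Merkle tree of height `height`; the signer's state is the
# index of the next unused leaf. Added example, not the speaker's code.
import hashlib, os

def h(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def bits(msg):  # the 256 digest bits of msg, MSB first, select which preimages to reveal
    d = int.from_bytes(h(msg), "big")
    return [(d >> (255 - i)) & 1 for i in range(256)]

def ots_keygen():  # Lamport: 256 secret pairs, public key = their hashes
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(h(a), h(b)) for a, b in sk]

def leaf_of(pk):  # one Merkle leaf per OTS public key
    return h(*[x for pair in pk for x in pair])

class MerkleSigner:
    def __init__(self, height):
        self.keys = [ots_keygen() for _ in range(1 << height)]
        self.levels = [[leaf_of(pk) for _, pk in self.keys]]
        while len(self.levels[-1]) > 1:  # build the tree bottom-up
            lvl = self.levels[-1]
            self.levels.append([h(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
        self.root, self.next_idx = self.levels[-1][0], 0  # next_idx is the critical state

    def sign(self, msg):
        if self.next_idx >= len(self.keys):
            raise RuntimeError("tree exhausted: every one-time key has been used")
        idx, self.next_idx = self.next_idx, self.next_idx + 1  # consume the leaf first
        sk, pk = self.keys[idx]
        ots_sig = [sk[i][b] for i, b in enumerate(bits(msg))]
        auth = [self.levels[l][(idx >> l) ^ 1] for l in range(len(self.levels) - 1)]
        return idx, ots_sig, pk, auth

def verify(root, msg, sig):
    idx, ots_sig, pk, auth = sig
    if any(h(s) != pk[i][b] for i, (s, b) in enumerate(zip(ots_sig, bits(msg)))):
        return False  # a revealed preimage does not match the OTS public key
    node = leaf_of(pk)
    for l, sibling in enumerate(auth):  # authentication path up to the root
        node = h(sibling, node) if (idx >> l) & 1 else h(node, sibling)
    return node == root
```

The `next_idx` counter is the "track record" the slide calls critical: if it were lost or rolled back (a restored VM snapshot, a cloned HSM), a Lamport key would be reused and half its secret preimages would be revealed twice for different messages.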

  27. Implementation Results
     • Lots of hash functions available, but not many implementations of hash-based crypto
     • Results for XMSS with H=20 [BDH11], presented at PQCrypto 2011. Platform: Intel Core i5 M540@2.53GHz; figure marked with (*) uses AES-NI
     [Figure: XMSS timing results; the values are not recoverable from the text]

  28. Outline • Introduction • Alternative Public-Key Cryptosystems (APKC) • Practical Considerations of APKCs – Code-based Cryptography – Hash-based Cryptography – Multivariate-Quadratic-based Cryptography – Lattice-based Cryptography • Case Studies on Lattice-based Cryptography • Conclusions

  29. Multivariate-quadratic Cryptography – Basics
     • Hard problem: find the solution of a set of MQ equations
     • Given F and P MQ maps and two linear maps S and T (the public map P is the composition T ∘ F ∘ S)
     • P has no special structure and is large, therefore hard to invert
     • A special (secret) structure in F is necessary to allow easy inversion
     • This secret structure is hidden by the mappings S and T

  30. Taxonomy of Multivariate-Quadratic Signatures
     • Oil and Vinegar: Original OV [Pat97], (C)UOV [KPG99, PTBW11]
     • Matsumoto-Imai: MIA / C* [IM85, MI88], Flash/SFlash [PGC01]
     • Hidden-Field Equations: HFE(F) [Pat96], HFE±, HFEv, HFEv- (variants marked on the slide as Quartz and enhanced)
     • Stepwise Triangular Systems (STS): Tractable Rational Maps, Rainbow, TTS
