post quantum cryptography
play

Post-quantum cryptography Daniel J. Bernstein 1 Tanja Lange 1 Peter - PowerPoint PPT Presentation

Aug 29, 2022 •163 likes •1.34k views

Post-quantum cryptography Daniel J. Bernstein 1 Tanja Lange 1 Peter Schwabe 2 Technische Universiteit Eindhoven Radboud University 08 September 2016 Cryptography Motivation #1: Communication channels are spying on our data.

  1. Confidence-inspiring crypto takes time to build ◮ Many stages of research from cryptographic design to deployment: ◮ Explore space of cryptosystems. ◮ Study algorithms for the attackers. ◮ Focus on secure cryptosystems. ◮ Study algorithms for the users. ◮ Study implementations on real hardware. ◮ Study side-channel attacks, fault attacks, etc. ◮ Focus on secure, reliable implementations. ◮ Focus on implementations meeting performance requirements. ◮ Integrate securely into real-world applications. Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 13

  2. Confidence-inspiring crypto takes time to build ◮ Many stages of research from cryptographic design to deployment: ◮ Explore space of cryptosystems. ◮ Study algorithms for the attackers. ◮ Focus on secure cryptosystems. ◮ Study algorithms for the users. ◮ Study implementations on real hardware. ◮ Study side-channel attacks, fault attacks, etc. ◮ Focus on secure, reliable implementations. ◮ Focus on implementations meeting performance requirements. ◮ Integrate securely into real-world applications. ◮ Example: ECC introduced 1985 ; big advantages over RSA. Robust ECC started to take over the Internet in 2015 . ◮ Can’t wait for quantum computers before finding a solution! Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 13

  3. Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 14

  4. Is there any hope? Yes! Post-quantum crypto is crypto that resists attacks by quantum computers. ◮ PQCrypto 2006: International Workshop on Post-Quantum Cryptography. Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 15

  5. Is there any hope? Yes! Post-quantum crypto is crypto that resists attacks by quantum computers. ◮ PQCrypto 2006: International Workshop on Post-Quantum Cryptography. ◮ PQCrypto 2008, PQCrypto 2010, PQCrypto 2011, PQCrypto 2013. ◮ 2014 EU publishes H2020 call including post-quantum crypto as topic. ◮ PQCrypto 2014. ◮ April 2015 NIST hosts first workshop on post-quantum cryptography. ◮ August 2015 NSA wakes up . . . Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 15

  7. NSA announcements August 11, 2015 IAD recognizes that there will be a move, in the not distant future, to a quantum resistant algorithm suite. Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 17

  8. NSA announcements August 11, 2015 IAD recognizes that there will be a move, in the not distant future, to a quantum resistant algorithm suite. August 19, 2015 IAD will initiate a transition to quantum resistant algorithms in the not too distant future. NSA comes late to the party and botches its grand entrance. Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 17

  9. NSA announcements August 11, 2015 IAD recognizes that there will be a move, in the not distant future, to a quantum resistant algorithm suite. August 19, 2015 IAD will initiate a transition to quantum resistant algorithms in the not too distant future. NSA comes late to the party and botches its grand entrance. Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 17

  10. Post-quantum becoming mainstream ◮ PQCrypto 2016: 22–26 Feb in Fukuoka, Japan, with more than 200 participants ◮ PQCrypto 2017 planned, will be in Utrecht, Netherlands. ◮ NIST is calling for post-quantum proposals: 5-year competition. Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 18

  11. Post-Quantum Cryptography for Long-term Security ◮ Project funded by EU in Horizon 2020, running 2015 – 2018. ◮ 11 partners from academia and industry, TU/e is coordinator Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 19

  12. Work packages PQCRYPTO is designing a portfolio of high-security post-quantum public-key systems, and will improve the speed of these systems, adapting to the different performance challenges of mobile devices, the cloud, and the Internet. Technical work packages ◮ WP1: Post-quantum cryptography for small devices Leader: Tim G¨ uneysu, co-leader: Peter Schwabe ◮ WP2: Post-quantum cryptography for the Internet Leader: Daniel J. Bernstein, co-leader: Bart Preneel ◮ WP3: Post-quantum cryptography for the cloud Leader: Nicolas Sendrier, co-leader: Christian Rechberger Non-technical work packages ◮ WP4: Management and dissemination Leader: Tanja Lange ◮ WP5: Standardization Leader: Walter Fumy Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 20

  13. Initial recommendations of long-term secure post-quantum systems Daniel Augot, Lejla Batina, Daniel J. Bernstein, Joppe Bos, Johannes Buchmann, Wouter Castryck, Orr Dunkelman, Tim G¨ uneysu, Shay Gueron, Andreas H¨ ulsing, Tanja Lange, Mohamed Saied Emam Mohamed, Christian Rechberger, Peter Schwabe, Nicolas Sendrier, Frederik Vercauteren, Bo-Yin Yang Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 21

  14. Initial recommendations ◮ Symmetric encryption Thoroughly analyzed, 256-bit keys: ◮ AES-256 ◮ Salsa20 with a 256-bit key Evaluating: Serpent-256, . . . ◮ Symmetric authentication Information-theoretic MACs: ◮ GCM using a 96-bit nonce and a 128-bit authenticator ◮ Poly1305 ◮ Public-key encryption McEliece with binary Goppa codes: ◮ length n = 6960 , dimension k = 5413 , t = 119 errors Evaluating: QC-MDPC, Stehl´ e-Steinfeld NTRU, . . . ◮ Public-key signatures Hash-based (minimal assumptions): ◮ XMSS with any of the parameters specified in CFRG draft ◮ SPHINCS-256 Evaluating: HFEv-, . . . Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 22

  15. Hash-based signatures ◮ Secret key s , public key p . ◮ Only one prerequisite: a good hash function, e.g. SHA3-512, . . . Hash functions map long strings to fixed-length strings. Signature schemes use hash functions in handling m . ◮ Old idea: 1979 Lamport one-time signatures. ◮ 1979 Merkle extends to more signatures. ◮ Many further improvements. ◮ Security thoroughly analyzed. Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 23

  16. Signatures for 1 -bit messages Key generation ◮ Generate 256 -bit random values ( r 0 , r 1 ) = s (secret key) ◮ Compute ( h ( r 0 ) , h ( r 1 )) = ( p 0 , p 1 ) = p (public key) Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 24

  17. Signatures for 1 -bit messages Key generation ◮ Generate 256 -bit random values ( r 0 , r 1 ) = s (secret key) ◮ Compute ( h ( r 0 ) , h ( r 1 )) = ( p 0 , p 1 ) = p (public key) Signing ◮ Signature for message b = 0 : σ = r 0 ◮ Signature for message b = 1 : σ = r 1 Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 24

  18. Signatures for 1 -bit messages Key generation ◮ Generate 256 -bit random values ( r 0 , r 1 ) = s (secret key) ◮ Compute ( h ( r 0 ) , h ( r 1 )) = ( p 0 , p 1 ) = p (public key) Signing ◮ Signature for message b = 0 : σ = r 0 ◮ Signature for message b = 1 : σ = r 1 Verification Check that h ( σ ) = p b Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 24

  19. One-time signatures for 2 -bit messages Key generation ◮ Generate 256 -bit random values ( r 0 , 0 , r 0 , 1 , r 1 , 0 , r 1 , 1 ) = s ◮ Compute ( h ( r 0 , 0 ) , h ( r 0 , 1 ) , h ( r 1 , 0 ) , h ( r 1 , 1 )) = ( p 0 , 0 , p 0 , 1 , p 1 , 0 , p 1 , 1 ) = p Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 25

  20. One-time signatures for 2 -bit messages Key generation ◮ Generate 256 -bit random values ( r 0 , 0 , r 0 , 1 , r 1 , 0 , r 1 , 1 ) = s ◮ Compute ( h ( r 0 , 0 ) , h ( r 0 , 1 ) , h ( r 1 , 0 ) , h ( r 1 , 1 )) = ( p 0 , 0 , p 0 , 1 , p 1 , 0 , p 1 , 1 ) = p Signing ◮ Signature for message ( b 0 , b 1 ) : σ = ( σ 0 , σ 1 ) = ( r 0 ,b 0 , r 1 ,b 1 ) Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 25

  21. One-time signatures for 2 -bit messages Key generation ◮ Generate 256 -bit random values ( r 0 , 0 , r 0 , 1 , r 1 , 0 , r 1 , 1 ) = s ◮ Compute ( h ( r 0 , 0 ) , h ( r 0 , 1 ) , h ( r 1 , 0 ) , h ( r 1 , 1 )) = ( p 0 , 0 , p 0 , 1 , p 1 , 0 , p 1 , 1 ) = p Signing ◮ Signature for message ( b 0 , b 1 ) : σ = ( σ 0 , σ 1 ) = ( r 0 ,b 0 , r 1 ,b 1 ) Verification ◮ Check that h ( σ 0 ) = p 0 ,b 0 ◮ Check that h ( σ 1 ) = p 1 ,b 1 Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 25

  22. One-time signatures for 256 -bit messages Key generation ◮ Generate 256 -bit random values s = ( r 0 , 0 , r 0 , 1 . . . , r 255 , 0 , r 255 , 1 ) ◮ Compute p = ( h ( r 0 , 0 ) , h ( r 0 , 1 ) , . . . , h ( r 255 , 0 ) , h ( r 255 , 1 )) = ( p 0 , 0 , p 0 , 1 , . . . , p 255 , 0 , p 255 , 1 ) Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 26

  23. One-time signatures for 256 -bit messages Key generation ◮ Generate 256 -bit random values s = ( r 0 , 0 , r 0 , 1 . . . , r 255 , 0 , r 255 , 1 ) ◮ Compute p = ( h ( r 0 , 0 ) , h ( r 0 , 1 ) , . . . , h ( r 255 , 0 ) , h ( r 255 , 1 )) = ( p 0 , 0 , p 0 , 1 , . . . , p 255 , 0 , p 255 , 1 ) Signing ◮ Signature for message ( b 0 , . . . , b 255 ) : σ = ( σ 0 , . . . , σ 255 ) = ( r 0 ,b 0 , . . . , r 255 ,b 255 ) Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 26

  24. One-time signatures for 256 -bit messages Key generation ◮ Generate 256 -bit random values s = ( r 0 , 0 , r 0 , 1 . . . , r 255 , 0 , r 255 , 1 ) ◮ Compute p = ( h ( r 0 , 0 ) , h ( r 0 , 1 ) , . . . , h ( r 255 , 0 ) , h ( r 255 , 1 )) = ( p 0 , 0 , p 0 , 1 , . . . , p 255 , 0 , p 255 , 1 ) Signing ◮ Signature for message ( b 0 , . . . , b 255 ) : σ = ( σ 0 , . . . , σ 255 ) = ( r 0 ,b 0 , . . . , r 255 ,b 255 ) Verification ◮ Check that h ( σ 0 ) = p 0 ,b 0 ◮ . . . ◮ Check that h ( σ 255 ) = p 255 ,b 255 Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 26

  25. Merkle Trees PK H H H H H H H H H H H H H H Y 000 Y 001 Y 010 Y 011 Y 100 Y 101 Y 110 Y 111 X 000 X 001 X 010 X 011 X 100 X 101 X 110 X 111 ◮ Merkle, 1979: Leverage one-time signatures to multiple messages ◮ Binary hash tree on top of OTS public keys

  26. Merkle Trees PK Auth for i = 001 H H H H H H H H H H H H H H Y 000 Y 001 Y 010 Y 011 Y 100 Y 101 Y 110 Y 111 X 000 X 001 X 010 X 011 X 100 X 101 X 110 X 111 ◮ Use OTS keys sequentially ◮ SIG = ( i, sign( M, X i ) , Y i , Auth) ◮ Need to remember current index ( ⇒ stateful scheme) Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 27

  27. XMSS-T ◮ State of the art of (stateful) hash-based signatures: XMSS-T ◮ Many improvements to the “simple” Merkle-tree construction ◮ Currently being adopted by CFRG (IETF) ◮ Performance for 128 -bit post-quantum security: ◮ Public key: 64 bytes ◮ Secret key: 2.2 KB ◮ Signature: 2.9 KB ◮ Signing: 10ms (Intel Core i7 3.5GHz) ◮ Speed is from a C implementation using OpenSSL Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 28

  28. XMSS-T ◮ State of the art of (stateful) hash-based signatures: XMSS-T ◮ Many improvements to the “simple” Merkle-tree construction ◮ Currently being adopted by CFRG (IETF) ◮ Performance for 128 -bit post-quantum security: ◮ Public key: 64 bytes ◮ Secret key: 2.2 KB ◮ Signature: 2.9 KB ◮ Signing: 10ms (Intel Core i7 3.5GHz) ◮ Speed is from a C implementation using OpenSSL ◮ Common pattern for post-quantum crypto: ◮ Not necessarily (much) slower than, say, ECC ◮ Considerably larger keys, signatures, ciphertexts, . . . Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 28

  29. About the state ◮ Used for security : Stores index i ⇒ Prevents using one-time keys twice. ◮ Used for efficiency : Stores intermediate results for fast Auth computation. Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 29

  30. About the state ◮ Used for security : Stores index i ⇒ Prevents using one-time keys twice. ◮ Used for efficiency : Stores intermediate results for fast Auth computation. ◮ Problems: ◮ Load-balancing ◮ Multi-threading ◮ Backups ◮ Virtual-machine images ◮ . . . Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 29

  31. About the state ◮ Used for security : Stores index i ⇒ Prevents using one-time keys twice. ◮ Used for efficiency : Stores intermediate results for fast Auth computation. ◮ Problems: ◮ Load-balancing ◮ Multi-threading ◮ Backups ◮ Virtual-machine images ◮ . . . ◮ This is not even compatible with the definition of cryptographic signatures ◮ “Huge foot-cannon” (Adam Langley, Google) Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 29

  32. About the state ◮ Used for security : Stores index i ⇒ Prevents using one-time keys twice. ◮ Used for efficiency : Stores intermediate results for fast Auth computation. ◮ Problems: ◮ Load-balancing ◮ Multi-threading ◮ Backups ◮ Virtual-machine images ◮ . . . ◮ This is not even compatible with the definition of cryptographic signatures ◮ “Huge foot-cannon” (Adam Langley, Google) ◮ Question: can we get rid of the state? Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 29

  33. Stateless hash-based signatures P K = Y X Goldreich’s approach: binary tree as in Merkle, but: Y 0 Y 1 X 0 Y 00 Y 01 X 01 Y 010 Y 011 X 011 Y i ≫ 1 X i ≫ 1 Y i Y i +1 X i M Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 30

  34. Stateless hash-based signatures P K = Y X Goldreich’s approach: binary tree as in Merkle, but: Y 0 Y 1 X 0 ◮ For security Y 00 Y 01 ◮ pick index i at random ; X 01 ◮ requires huge tree to avoid index collisions (e.g., height h = 256 ). Y 010 Y 011 X 011 Y i ≫ 1 X i ≫ 1 Y i Y i +1 X i M Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 30

  35. Stateless hash-based signatures P K = Y X Goldreich’s approach: binary tree as in Merkle, but: Y 0 Y 1 X 0 ◮ For security Y 00 Y 01 ◮ pick index i at random ; X 01 ◮ requires huge tree to avoid index collisions (e.g., height h = 256 ). Y 010 Y 011 ◮ For efficiency: X 011 ◮ use binary certification tree of OTS; ◮ all OTS secret keys are generated Y i ≫ 1 pseudorandomly. X i ≫ 1 Y i Y i +1 X i M Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 30

  36. It works, but s i g n a t u r e s a r e p a i n f u l l y l o n g ◮ 0.6 MB for Goldreich signature using short-public-key Winternitz-16 one-time signatures. ◮ Would dominate traffic in typical applications, and add user-visible latency on typical network connections. Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 31

  37. It works, but s i g n a t u r e s a r e p a i n f u l l y l o n g ◮ 0.6 MB for Goldreich signature using short-public-key Winternitz-16 one-time signatures. ◮ Would dominate traffic in typical applications, and add user-visible latency on typical network connections. ◮ Example: ◮ Debian operating system is designed for frequent upgrades. ◮ At least one new signature for each upgrade. ◮ Typical upgrade: one package or just a few packages. ◮ 1.2 MB average package size. ◮ 0.08 MB median package size. Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 31

  38. It works, but s i g n a t u r e s a r e p a i n f u l l y l o n g ◮ 0.6 MB for Goldreich signature using short-public-key Winternitz-16 one-time signatures. ◮ Would dominate traffic in typical applications, and add user-visible latency on typical network connections. ◮ Example: ◮ Debian operating system is designed for frequent upgrades. ◮ At least one new signature for each upgrade. ◮ Typical upgrade: one package or just a few packages. ◮ 1.2 MB average package size. ◮ 0.08 MB median package size. ◮ Example: ◮ HTTPS typically sends multiple signatures per page. ◮ 1.8 MB average web page in Alexa Top 1000000. Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 31

  39. The SPHINCS approach h/d T REE d-1 σ W,d-1 T REE d-2 h/d ◮ Paper by Bernstein, Hopwood, H¨ ulsing, Lange, Niederhagen, Papachristodoulou, σ W,d-2 Schneider, Schwabe, Wilcox-O’Hearn at Eurocrypt 2015. ◮ Use a “hyper-tree” of total height h ◮ Parameter d ≥ 1 , such that d | h h/d T REE 0 ◮ Each (Merkle) tree has height h/d σ W,0 ◮ ( h/d ) -ary certification tree log t FTS σ H Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 32

  40. The SPHINCS approach h/d T REE d-1 σ W,d-1 T REE d-2 h/d ◮ Pick index (pseudo-)randomly σ W,d-2 ◮ Messages signed with few-time signature scheme ◮ Significantly reduce total tree height ◮ Require h/d T REE 0 Pr[r-times Coll] · Pr[Forgery after r signatures] = negl(n) σ W,0 log t FTS σ H Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 32

  41. The SPHINCS approach h/d T REE d-1 σ W,d-1 T REE d-2 h/d σ W,d-2 ◮ SPHINCS-256 for 128 -bit post-quantum security ◮ 12 trees of height 5 each ◮ 256 -bit hashes in OTS and FTS h/d T REE 0 σ W,0 log t FTS σ H Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 32

  42. SPHINCS-256 speed and sizes SPHINCS-256 sizes ◮ ≈ 41 KB signature ( ≈ 15 × smaller than Goldreich!) ◮ ≈ 1 KB public key ◮ ≈ 1 KB private key Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 33

  43. SPHINCS-256 speed and sizes SPHINCS-256 sizes ◮ ≈ 41 KB signature ( ≈ 15 × smaller than Goldreich!) ◮ ≈ 1 KB public key ◮ ≈ 1 KB private key High-speed implementation ◮ Target Intel Haswell with 256 -bit AVX2 vector instructions ◮ Use 8 × parallel hashing, vectorize on high level ◮ ≈ 1 . 6 cycles/byte for custom high-performance hash Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 33

  44. SPHINCS-256 speed and sizes SPHINCS-256 sizes ◮ ≈ 41 KB signature ( ≈ 15 × smaller than Goldreich!) ◮ ≈ 1 KB public key ◮ ≈ 1 KB private key High-speed implementation ◮ Target Intel Haswell with 256 -bit AVX2 vector instructions ◮ Use 8 × parallel hashing, vectorize on high level ◮ ≈ 1 . 6 cycles/byte for custom high-performance hash SPHINCS-256 speed ◮ Signing: < 52 Mio. Haswell cycles ( > 200 sigs/sec, 4 Core, 3GHz) ◮ Verification: < 1 . 5 Mio. Haswell cycles ◮ Keygen: < 3 . 3 Mio. Haswell cycles ◮ “Fair comparison” to XMSS-T: slowdown of 30 × Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 33

  45. More information https://sphincs.cr.yp.to/ Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 34

  46. Post-quantum secret-key authenticated encryption � c � c � m m k k ◮ Very easy solutions if secret key k is long uniform random string: ◮ “One-time pad” for encryption. ◮ “Wegman–Carter MAC” for authentication. ◮ AES-256: Standardized method to expand 256-bit k into string indistinguishable from long k . ◮ AES introduced in 1998 by Daemen and Rijmen. Security analyzed in papers by dozens of cryptanalysts. ◮ No credible threat from quantum algorithms. Grover costs 2 128 . Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 35

  47. � � � � Post-quantum public-key encryption: code-based � c � c � m m K k ◮ Alice uses Bob’s public key K to encrypt. ◮ Bob uses his secret key k to decrypt. ◮ Code-based crypto proposed by McEliece in 1978. ◮ Almost as old as RSA, but much stronger security history. ◮ Many further improvements. Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 36

  48. Long-term confidentiality ◮ Attacker can break currently used encryption (ECC, RSA) with a quantum computer. ◮ Even worse, today’s encrypted communication is being stored by attackers and will be decrypted years later with quantum computers. All data can be recovered in clear from recording traffic and breaking the public key scheme. ◮ How many years are you required to keep your data secret? From whom? Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 37

  49. Error correction ◮ Digital media is exposed to memory corruption. ◮ Many systems check whether data was corrupted in transit: ◮ ISBN numbers have check digit to detect corruption. ◮ ECC RAM detects up to two errors and can correct one error. 64 bits are stored as 72 bits: extra 8 bits for checks and recovery. ◮ In general, k bits of data get stored in n bits, adding some redundancy. ◮ If no error occurred, these n bits satisfy n − k parity check equations; else can correct errors from the error pattern. ◮ Good codes can correct many errors without blowing up storage too much; offer guarantee to correct t errors (often can correct or at least detect more). ◮ To represent these check equations we need a matrix. Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 38

  50. Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 39

  51. Hamming code Parity check matrix ( n = 7 , k = 4 ):   1 0 0 1 1 0 1 H = 0 1 0 1 0 1 1   0 0 1 0 1 1 1 An error-free string of 7 bits b = ( b 0 , b 1 , b 2 , b 3 , b 4 , b 5 , b 6 ) satisfies these three equations: b 0 + b 3 + b 4 + b 6 = 0 b 1 + b 3 + b 5 + b 6 = 0 b 2 + b 4 + b 5 + b 6 = 0 If one error occurred at least one of these equations will not hold. Failure pattern uniquely identifies the error location, e.g., 1 , 0 , 1 means Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 40

  52. Hamming code Parity check matrix ( n = 7 , k = 4 ):   1 0 0 1 1 0 1 H = 0 1 0 1 0 1 1   0 0 1 0 1 1 1 An error-free string of 7 bits b = ( b 0 , b 1 , b 2 , b 3 , b 4 , b 5 , b 6 ) satisfies these three equations: b 0 + b 3 + b 4 + b 6 = 0 b 1 + b 3 + b 5 + b 6 = 0 b 2 + b 4 + b 5 + b 6 = 0 If one error occurred at least one of these equations will not hold. Failure pattern uniquely identifies the error location, e.g., 1 , 0 , 1 means b 4 flipped. Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 40

  53. Hamming code Parity check matrix ( n = 7 , k = 4 ):   1 0 0 1 1 0 1 H = 0 1 0 1 0 1 1   0 0 1 0 1 1 1 An error-free string of 7 bits b = ( b 0 , b 1 , b 2 , b 3 , b 4 , b 5 , b 6 ) satisfies these three equations: b 0 + b 3 + b 4 + b 6 = 0 b 1 + b 3 + b 5 + b 6 = 0 b 2 + b 4 + b 5 + b 6 = 0 If one error occurred at least one of these equations will not hold. Failure pattern uniquely identifies the error location, e.g., 1 , 0 , 1 means b 4 flipped. In math notation, the failure pattern is H · b . Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 40

  54. Coding theory ◮ Names: code word c , error vector e , received word b = c + e . ◮ Very common to transform the matrix so that the left part has just 1 on the diagonal (no need to store that part).     1 0 0 1 1 0 1 1 1 0 1 H = 0 1 0 1 0 1 1 1 0 1 1  �    0 0 1 0 1 1 1 0 1 1 1 ◮ Many special constructions discovered in 65 years of coding theory: ◮ Large matrix H . ◮ Fast decoding algorithm to find e given s = H · ( c + e ) , whenever e doesn’t have too many bits set. ◮ Given large H , usually very hard to find fast decoding algorithm. ◮ Use this difference in complexities for encryption. Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 41

  55. Code-based encryption ◮ 1971 Goppa: Fast decoders for many matrices H . ◮ 1978 McEliece: Use Goppa codes for public-key cryptography. ◮ Original parameters designed for 2 64 security. ◮ 2008 Bernstein–Lange–Peters: broken in ≈ 2 60 cycles. ◮ Easily scale up for higher security. ◮ 1986 Niederreiter: Simplified and smaller version of McEliece. ◮ Public key: H with 1 ’s on the diagonal. This form hides the efficient way of decoding this code. ◮ Secret key: the fast Goppa decoder. ◮ Encryption: Randomly generate e with t bits set. Send H · e . ◮ Use hash of e to encrypt message with symmetric crypto (with 256 bits key). ◮ The passive attacker is facing a t -error correcting problem for the public key H , which looks like a random code. Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 42

  56. Security analysis ◮ Some papers studying algorithms for attackers: 1962 Prange; 1981 Omura; 1988 Lee–Brickell; 1988 Leon; 1989 Krouk; 1989 Stern; 1989 Dumer; 1990 Coffey–Goodman; 1990 van Tilburg; 1991 Dumer; 1991 Coffey–Goodman–Farrell; 1993 Chabanne–Courteau; 1993 Chabaud; 1994 van Tilburg; 1994 Canteaut–Chabanne; 1998 Canteaut–Chabaud; 1998 Canteaut–Sendrier; 2008 Bernstein–Lange–Peters; 2009 Bernstein–Lange–Peters–van Tilborg; 2009 Bernstein (post-quantum); 2009 Finiasz–Sendrier; 2010 Bernstein–Lange–Peters; 2011 May–Meurer–Thomae; 2011 Becker–Coron–Joux; 2012 Becker–Joux–May–Meurer; 2013 Bernstein–Jeffery–Lange–Meurer (post-quantum); 2015 May–Ozerov. Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 43

  57. Security analysis ◮ Some papers studying algorithms for attackers: 1962 Prange; 1981 Omura; 1988 Lee–Brickell; 1988 Leon; 1989 Krouk; 1989 Stern; 1989 Dumer; 1990 Coffey–Goodman; 1990 van Tilburg; 1991 Dumer; 1991 Coffey–Goodman–Farrell; 1993 Chabanne–Courteau; 1993 Chabaud; 1994 van Tilburg; 1994 Canteaut–Chabanne; 1998 Canteaut–Chabaud; 1998 Canteaut–Sendrier; 2008 Bernstein–Lange–Peters; 2009 Bernstein–Lange–Peters–van Tilborg; 2009 Bernstein (post-quantum); 2009 Finiasz–Sendrier; 2010 Bernstein–Lange–Peters; 2011 May–Meurer–Thomae; 2011 Becker–Coron–Joux; 2012 Becker–Joux–May–Meurer; 2013 Bernstein–Jeffery–Lange–Meurer (post-quantum); 2015 May–Ozerov. ◮ 256 KB public key for 2 146 pre-quantum security. ◮ 512 KB public key for 2 187 pre-quantum security. ◮ 1024 KB public key for 2 263 pre-quantum security. Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 43

  58. Security analysis ◮ Some papers studying algorithms for attackers: 1962 Prange; 1981 Omura; 1988 Lee–Brickell; 1988 Leon; 1989 Krouk; 1989 Stern; 1989 Dumer; 1990 Coffey–Goodman; 1990 van Tilburg; 1991 Dumer; 1991 Coffey–Goodman–Farrell; 1993 Chabanne–Courteau; 1993 Chabaud; 1994 van Tilburg; 1994 Canteaut–Chabanne; 1998 Canteaut–Chabaud; 1998 Canteaut–Sendrier; 2008 Bernstein–Lange–Peters; 2009 Bernstein–Lange–Peters–van Tilborg; 2009 Bernstein (post-quantum); 2009 Finiasz–Sendrier; 2010 Bernstein–Lange–Peters; 2011 May–Meurer–Thomae; 2011 Becker–Coron–Joux; 2012 Becker–Joux–May–Meurer; 2013 Bernstein–Jeffery–Lange–Meurer (post-quantum); 2015 May–Ozerov. ◮ 256 KB public key for 2 146 pre-quantum security. ◮ 512 KB public key for 2 187 pre-quantum security. ◮ 1024 KB public key for 2 263 pre-quantum security. ◮ Post-quantum (Grover): below 2 263 , above 2 131 . Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 43

  59. McBits (Bernstein, Chou, Schwabe, CHES 2013) ◮ Encryption is super fast anyways (just a vector-matrix multiplication, done with 1 + 1 = 0 ). ◮ Main step in decryption is decoding of Goppa code. The McBits software achieves this in constant time. ◮ Decoding speed at 2 128 pre-quantum security: ( n ; t ) = (4096; 41) uses 60493 Ivy Bridge cycles. ◮ Decoding speed at 2 263 pre-quantum security: ( n ; t ) = (6960; 119) uses 306102 Ivy Bridge cycles. ◮ Very fast constant-time decryption: https://binary.cr.yp.to/mcbits.html . ◮ Main time spent on public-key encryption. symmetric crypto adds very little to that. Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 44

  61. Faster and smaller post-quantum confidentiality? Forward secrecy ◮ “Classical” public-key crypto (PKC): encrypt to long-term key ◮ Problem: key compromise breaks confidentiality of all past messages Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 46

  62. Faster and smaller post-quantum confidentiality? Forward secrecy ◮ “Classical” public-key crypto (PKC): encrypt to long-term key ◮ Problem: key compromise breaks confidentiality of all past messages ◮ Modern PKC: use ephemeral keys for confidentiality ◮ Use long-term keys only for authentication (e.g., via signatures) ◮ This is often called (Perfect) Forward Secrecy (PFS) Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 46

  63. Faster and smaller post-quantum confidentiality? Forward secrecy ◮ “Classical” public-key crypto (PKC): encrypt to long-term key ◮ Problem: key compromise breaks confidentiality of all past messages ◮ Modern PKC: use ephemeral keys for confidentiality ◮ Use long-term keys only for authentication (e.g., via signatures) ◮ This is often called (Perfect) Forward Secrecy (PFS) ◮ This needs ephemeral key exchange : ◮ Require fast key generation ◮ Require short public keys Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 46

  64. Faster and smaller post-quantum confidentiality? Forward secrecy ◮ “Classical” public-key crypto (PKC): encrypt to long-term key ◮ Problem: key compromise breaks confidentiality of all past messages ◮ Modern PKC: use ephemeral keys for confidentiality ◮ Use long-term keys only for authentication (e.g., via signatures) ◮ This is often called (Perfect) Forward Secrecy (PFS) ◮ This needs ephemeral key exchange : ◮ Require fast key generation ◮ Require short public keys ◮ Different security notions, different optimization possiblities Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 46

  65. Faster and smaller post-quantum confidentiality? Forward secrecy ◮ “Classical” public-key crypto (PKC): encrypt to long-term key ◮ Problem: key compromise breaks confidentiality of all past messages ◮ Modern PKC: use ephemeral keys for confidentiality ◮ Use long-term keys only for authentication (e.g., via signatures) ◮ This is often called (Perfect) Forward Secrecy (PFS) ◮ This needs ephemeral key exchange : ◮ Require fast key generation ◮ Require short public keys ◮ Different security notions, different optimization possiblities ◮ Note: PFS does not protect against cryptanalytical break! Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 46

  66. Ring-Learning-with-errors (RLWE) ◮ Let R q = Z q [ X ] / ( X n + 1) ◮ Let χ be an error distribution on R q ◮ Let s ∈ R q be secret ◮ Attacker is given pairs ( a , as + e ) with ◮ a uniformly random from R q ◮ e sampled from χ ◮ Task for the attacker: find s Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 47

  67. Ring-Learning-with-errors (RLWE) ◮ Let R q = Z q [ X ] / ( X n + 1) ◮ Let χ be an error distribution on R q ◮ Let s ∈ R q be secret ◮ Attacker is given pairs ( a , as + e ) with ◮ a uniformly random from R q ◮ e sampled from χ ◮ Task for the attacker: find s ◮ Common choice for χ : discrete Gaussian ◮ Common optimization for protocols: fix a Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 47

  68. A bit of (R)LWE history ◮ Hoffstein, Pipher, Silverman, 1996: NTRU cryptosystem ◮ Regev, 2005: Introduce LWE-based encryption ◮ Lyubashevsky, Peikert, Regev, 2010: Ring-LWE and Ring-LWE encryption ◮ Ding, Xie, Lin, 2012: Transform to (R)LWE-based key exchange ◮ Peikert, 2014: Improved RLWE-based key exchange ◮ Bos, Costello, Naehrig, Stebila, 2015: Instantiate and implement Peikert’s key exchange in TLS: Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 48

  69. A bit of (R)LWE history ◮ Hoffstein, Pipher, Silverman, 1996: NTRU cryptosystem ◮ Regev, 2005: Introduce LWE-based encryption ◮ Lyubashevsky, Peikert, Regev, 2010: Ring-LWE and Ring-LWE encryption ◮ Ding, Xie, Lin, 2012: Transform to (R)LWE-based key exchange ◮ Peikert, 2014: Improved RLWE-based key exchange ◮ Bos, Costello, Naehrig, Stebila, 2015: Instantiate and implement Peikert’s key exchange in TLS: ◮ R q = Z q [ X ] / ( X n + 1) ◮ n = 1024 ◮ q = 2 32 − 1 √ ◮ χ = D Z ,σ (Discrete Gaussian) with σ = 8 / 2 π ≈ 3 . 192 Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 48

  70. A bit of (R)LWE history ◮ Hoffstein, Pipher, Silverman, 1996: NTRU cryptosystem ◮ Regev, 2005: Introduce LWE-based encryption ◮ Lyubashevsky, Peikert, Regev, 2010: Ring-LWE and Ring-LWE encryption ◮ Ding, Xie, Lin, 2012: Transform to (R)LWE-based key exchange ◮ Peikert, 2014: Improved RLWE-based key exchange ◮ Bos, Costello, Naehrig, Stebila, 2015: Instantiate and implement Peikert’s key exchange in TLS: ◮ R q = Z q [ X ] / ( X n + 1) ◮ n = 1024 ◮ q = 2 32 − 1 √ ◮ χ = D Z ,σ (Discrete Gaussian) with σ = 8 / 2 π ≈ 3 . 192 ◮ Claimed security level: 128 bits pre-quantum ◮ Failure probability: ≈ 2 − 131072 Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 48

  71. BCNS key exchange Parameters: q = 2 32 − 1 , n = 1024 √ Error distribution: χ = D Z ,σ , σ = 8 / 2 π $ Global system parameter: a ← R q Alice (server) Bob (client) $ $ s , e ← χ s ′ , e ′ , e ′′ ← χ u ← as ′ + e ′ b b ← as + e − → v ← bs ′ + e ′′ $ v ¯ ← dbl ( v ) u , v ′ v ′ = � ¯ ← − − − v � 2 µ ← rec (2 us , v ′ ) µ ←⌊ ¯ v ⌉ 2 2 us = 2 ass ′ + 2 e ′ s Alice has v ≈ 2 v = 2( bs ′ + e ′′ ) = 2(( as + e ) s ′ + e ′′ ) = 2 ass ′ + 2 es ′ + 2 e ′′ Bob has ¯ Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 49

  72. A new hope Our contributions ◮ Improve failure analysis and error reconciliation ◮ Choose parameters for failure probability ≈ 2 − 60 Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 50

  73. A new hope Our contributions ◮ Improve failure analysis and error reconciliation ◮ Choose parameters for failure probability ≈ 2 − 60 ◮ Keep dimension n = 1024 ◮ Drastically reduce q to 12289 < 2 14 ◮ Higher security, shorter messages, and speedups Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 50

  74. A new hope Our contributions ◮ Improve failure analysis and error reconciliation ◮ Choose parameters for failure probability ≈ 2 − 60 ◮ Keep dimension n = 1024 ◮ Drastically reduce q to 12289 < 2 14 ◮ Higher security, shorter messages, and speedups ◮ Analysis of post-quantum security Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 50

  75. A new hope Our contributions ◮ Improve failure analysis and error reconciliation ◮ Choose parameters for failure probability ≈ 2 − 60 ◮ Keep dimension n = 1024 ◮ Drastically reduce q to 12289 < 2 14 ◮ Higher security, shorter messages, and speedups ◮ Analysis of post-quantum security ◮ Use centered binomial noise ψ k (HW( a ) − HW( b ) for k -bit a, b ) Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 50

  76. A new hope Our contributions ◮ Improve failure analysis and error reconciliation ◮ Choose parameters for failure probability ≈ 2 − 60 ◮ Keep dimension n = 1024 ◮ Drastically reduce q to 12289 < 2 14 ◮ Higher security, shorter messages, and speedups ◮ Analysis of post-quantum security ◮ Use centered binomial noise ψ k (HW( a ) − HW( b ) for k -bit a, b ) ◮ Choose a fresh parameter a for every protocol run Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 50

  77. A new hope Our contributions ◮ Improve failure analysis and error reconciliation ◮ Choose parameters for failure probability ≈ 2 − 60 ◮ Keep dimension n = 1024 ◮ Drastically reduce q to 12289 < 2 14 ◮ Higher security, shorter messages, and speedups ◮ Analysis of post-quantum security ◮ Use centered binomial noise ψ k (HW( a ) − HW( b ) for k -bit a, b ) ◮ Choose a fresh parameter a for every protocol run ◮ Encode polynomials in NTT domain Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 50

  78. A new hope Our contributions ◮ Improve failure analysis and error reconciliation ◮ Choose parameters for failure probability ≈ 2 − 60 ◮ Keep dimension n = 1024 ◮ Drastically reduce q to 12289 < 2 14 ◮ Higher security, shorter messages, and speedups ◮ Analysis of post-quantum security ◮ Use centered binomial noise ψ k (HW( a ) − HW( b ) for k -bit a, b ) ◮ Choose a fresh parameter a for every protocol run ◮ Encode polynomials in NTT domain ◮ Multiple implementations Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 50

  79. A new hope – protocol Parameters: q = 12289 < 2 14 , n = 1024 Error distribution: ψ 16 Alice (server) Bob (client) ← { 0 , 1 } 256 $ seed a ← Parse ( SHAKE-128 ( seed )) ← ψ n $ ← ψ n $ s ′ , e ′ , e ′′ s , e 16 16 ( b ,seed ) b ← as + e − − − − − → a ← Parse ( SHAKE-128 ( seed )) u ← as ′ + e ′ v ← bs ′ + e ′′ ( u , r ) $ v ′ ← us ← − − − r ← HelpRec ( v ) k ← Rec ( v ′ , r ) k ← Rec ( v , r ) µ ← SHA3-256 ( k ) µ ← SHA3-256 ( k ) v ′ = us = ass ′ + e ′ s Alice has v = bs ′ + e ′′ = ( as + e ) s ′ + e ′′ = ass ′ + es ′ + e ′′ Bob has Daniel J. Bernstein, Tanja Lange, Peter Schwabe https://pqcrypto.eu.org Post-quantum cryptography 51

Recommend

Standardization of post-quantum cryptography Tanja Lange 08 May 2016 A Workshop About

Standardization of post-quantum cryptography Tanja Lange 08 May 2016 A Workshop About

Standardization of post-quantum cryptography Tanja Lange 08 May 2016 A Workshop About Cryptographic Standards History of post-quantum cryptography 2003 Daniel J. Bernstein introduces term Post-quantum cryptography. PQCrypto 2006:

623 views • 23 slides
Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers

Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers

Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers can break public-key cryptography that is based on assuming hardness of factoring, discrete logs, and a few other problems I Post-quantum

2.98k views • 37 slides
Incorporating Post-Quantum Cryptography in a microservice architecture Research Project 2 Why

Incorporating Post-Quantum Cryptography in a microservice architecture Research Project 2 Why

R. van der Gaag, D. Weller Incorporating Post-Quantum Cryptography in a microservice architecture Research Project 2 Why think about post-quantum cryptography W. Buchanan et. al concluded Gate-based quantum computers pose a significant

349 views • 18 slides
SW/HW Codesign of the Post-Quantum Cryptography Algorithm NTRUEncrypt Using HLS and RTL Design

SW/HW Codesign of the Post-Quantum Cryptography Algorithm NTRUEncrypt Using HLS and RTL Design

SW/HW Codesign of the Post-Quantum Cryptography Algorithm NTRUEncrypt Using HLS and RTL Design Methodologies Farnoud Farahmand, Duc Tri Nguyen, Viet B. Dang*, Ahmed Ferozpuri and Kris Gaj George Mason University Post st-Quantum Quantum

441 views • 14 slides
Quantum Cryptography Lecture 28 Quantum Cryptography Quantum Cryptography Quantum information:

Quantum Cryptography Lecture 28 Quantum Cryptography Quantum Cryptography Quantum information:

Quantum Cryptography Lecture 28 Quantum Cryptography Quantum Cryptography Quantum information: Using microscopic physical state of quantum systems (spin of atoms/sub-atomic particles, polarization of photons etc.) to encode information

1.95k views • 154 slides
From linear algebra to post-quantum cryptography Dr. Ir. Fr e Vercauteren

From linear algebra to post-quantum cryptography Dr. Ir. Fr e Vercauteren

Quantum computers and factoring Learning with errors Cryptography from LWE From linear algebra to post-quantum cryptography Dr. Ir. Fr e Vercauteren frederik.vercauteren@gmail.com Open Security Research (China) ESAT/COSIC - KU Leuven

1.34k views • 70 slides
An Overview on Post-Quantum Cryptography with an Emphasis on Code based Systems Joachim Rosenthal

An Overview on Post-Quantum Cryptography with an Emphasis on Code based Systems Joachim Rosenthal

Basics on Public Key Crypto Systems Research Directions in Post-Quantum Cryptography Variants of McEliece System Distinguisher Attacks McEliece for Rank Metric Codes An Overview on Post-Quantum Cryptography with an Emphasis on Code based

1.05k views • 100 slides
Introduction to post-quantum cryptography I Tanja Lange Technische Universiteit Eindhoven

Introduction to post-quantum cryptography I Tanja Lange Technische Universiteit Eindhoven

Introduction to post-quantum cryptography I Tanja Lange Technische Universiteit Eindhoven Executive School on Post-Quantum Cryptography 01 July 2019 Cryptography Motivation #1: Communication channels are spying on our data. Motivation

728 views • 42 slides
The Quantum Risk &amp; Post-Quantum Crypto JP Aumasson The Quantum Risk &amp; Post-Quantum

The Quantum Risk &amp; Post-Quantum Crypto JP Aumasson The Quantum Risk &amp; Post-Quantum

The Quantum Risk &amp; Post-Quantum Crypto JP Aumasson The Quantum Risk &amp; Post-Quantum Crypto JP Aumasson uantum /me 15 years experience in applied cryptography (PhD, industry, consulting) Designed widely used algorithms Author of the

816 views • 52 slides
Implementing post-quantum cryptography Peter Schwabe Radboud University, Nijmegen, The

Implementing post-quantum cryptography Peter Schwabe Radboud University, Nijmegen, The

Implementing post-quantum cryptography Peter Schwabe Radboud University, Nijmegen, The Netherlands June 28, 2018 PQCRYPTO Mini-School 2018, Taipei, Taiwan Part I: How to make software secure Implementing post-quantum cryptography 2 Timing

1.44k views • 116 slides
Post-quantum cryptography Tanja Lange 02 October 2015 Academy Contact Forum Coding Theory and

Post-quantum cryptography Tanja Lange 02 October 2015 Academy Contact Forum Coding Theory and

Post-quantum cryptography Tanja Lange 02 October 2015 Academy Contact Forum Coding Theory and Cryptography VI In the long term, all encryption needs to be post-quantum Mark Ketchen, IBM Research, 2012, on quantum computing: Were

854 views • 42 slides
Post-Quantum Cryptography Dr. Ruben Niederhagen, February 8, 2016 Introduction Quantum Computers

Post-Quantum Cryptography Dr. Ruben Niederhagen, February 8, 2016 Introduction Quantum Computers

Post-Quantum Cryptography Dr. Ruben Niederhagen, February 8, 2016 Introduction Quantum Computers Using quantum states for computation: Introduced in 1985 by David Deutsch [3]. Operate on qubits using gates that perform reversible

1.69k views • 157 slides
Post-quantum cryptography Tanja Lange (with Daniel J. Bernstein) Technische Universiteit

Post-quantum cryptography Tanja Lange (with Daniel J. Bernstein) Technische Universiteit

Post-quantum cryptography Tanja Lange (with Daniel J. Bernstein) Technische Universiteit Eindhoven 17 January 2016 8th Winter School on Quantum Cybersecurity Cryptography Motivation #1: Communication channels are spying on our

894 views • 68 slides
Part I: Introduction to Post Quantum Cryptography Tutorial@CHES 2017 - Taipei Tim Gneysu

Part I: Introduction to Post Quantum Cryptography Tutorial@CHES 2017 - Taipei Tim Gneysu

Part I: Introduction to Post Quantum Cryptography Tutorial@CHES 2017 - Taipei Tim Gneysu Ruhr-Universitt Bochum &amp; DFKI 04.10.2017 Overview Goals Provide a high-level introduction to Post-Quantum Cryptography (PQC)

1.18k views • 113 slides
Post-quantum cryptography Tanja Lange 07 October 2015 SPACE 2015 In the long term, all

Post-quantum cryptography Tanja Lange 07 October 2015 SPACE 2015 In the long term, all

Post-quantum cryptography Tanja Lange 07 October 2015 SPACE 2015 In the long term, all encryption needs to be post-quantum Mark Ketchen, IBM Research, 2012, on quantum computing: Were actually doing things that are making us think like,

901 views • 41 slides
Quantum Cryptography Lecture 26 Quantum Cryptography Quantum information: Using microscopic

Quantum Cryptography Lecture 26 Quantum Cryptography Quantum information: Using microscopic

Quantum Cryptography Lecture 26 Quantum Cryptography Quantum information: Using microscopic physical state of quantum systems (spin of atoms/sub-atomic particles, polarization of photons etc.) to encode information (and generate

455 views • 19 slides
Code-based Cryptography ECRYPT-CSA Executive School on Post-Quantum Cryptography 2017 TU

Code-based Cryptography ECRYPT-CSA Executive School on Post-Quantum Cryptography 2017 TU

Code-based Cryptography ECRYPT-CSA Executive School on Post-Quantum Cryptography 2017 TU Eindhoven Nicolas Sendrier Linear Codes for Telecommunication linear expansion data codeword k n &gt; k noisy channel noisy

783 views • 52 slides
Post-quantum cryptography Daniel J. Bernstein &amp; Tanja Lange University of Illinois at

Post-quantum cryptography Daniel J. Bernstein &amp; Tanja Lange University of Illinois at

Post-quantum cryptography Daniel J. Bernstein &amp; Tanja Lange University of Illinois at Chicago; Ruhr University Bochum &amp; Technische Universiteit Eindhoven 12 September 2020 Cryptography Sender Receiver Alice Bob Tsai

760 views • 48 slides
BIK IKE - Bi Bit-Flipping Key Encapsulation Presented to the 2 nd NIST Post-Quantum Cryptography

BIK IKE - Bi Bit-Flipping Key Encapsulation Presented to the 2 nd NIST Post-Quantum Cryptography

BIK IKE - Bi Bit-Flipping Key Encapsulation Presented to the 2 nd NIST Post-Quantum Cryptography Standardization Conference August, 24 th 2019, Santa Barbara, California, USA Authors: Affiliations: Nicolas Aragon University of Limoges, France

291 views • 14 slides
Code-Based Post-Quantum Cryptography Wijik Lee 1 , Young-Sik Kim 2 , and Jong-Seon No 1 1

Code-Based Post-Quantum Cryptography Wijik Lee 1 , Young-Sik Kim 2 , and Jong-Seon No 1 1

Mathematical Methods for Cryptography 2017, Svolvaer, Lofoten, Norway 1 / 41 Code-Based Post-Quantum Cryptography Wijik Lee 1 , Young-Sik Kim 2 , and Jong-Seon No 1 1 Department of ECE, INMC, Seoul National University, Seoul, Korea 2 Chosun

565 views • 41 slides
Code-based Cryptography PQCRYPTO Summer School on Post-Quantum Cryptography 2017 TU

Code-based Cryptography PQCRYPTO Summer School on Post-Quantum Cryptography 2017 TU

Code-based Cryptography PQCRYPTO Summer School on Post-Quantum Cryptography 2017 TU Eindhoven Nicolas Sendrier Linear Codes for Telecommunication linear expansion data codeword k n &gt; k noisy channel noisy codeword

916 views • 74 slides
PQCHacks: a gentle introduction to post-quantum cryptography Daniel J. Bernstein 1 , 2 Tanja Lange

PQCHacks: a gentle introduction to post-quantum cryptography Daniel J. Bernstein 1 , 2 Tanja Lange

PQCHacks: a gentle introduction to post-quantum cryptography Daniel J. Bernstein 1 , 2 Tanja Lange 1 1 Technische Universiteit Eindhoven 2 University of Illinois at Chicago 27 December 2015 D-Wave quantum computer isnt universal . . .

789 views • 65 slides
Post-quantum cryptography Daniel J. Bernstein &amp; Tanja Lange University of Illinois at Chicago

Post-quantum cryptography Daniel J. Bernstein &amp; Tanja Lange University of Illinois at Chicago

Post-quantum cryptography Daniel J. Bernstein &amp; Tanja Lange University of Illinois at Chicago &amp; Ruhr University Bochum &amp; Technische Universiteit Eindhoven 10 June 2019 Cryptography Motivation #1: Communication channels are spying

1.17k views • 91 slides
Rings and Modules for Identity-Based Post-Quantum Public-Key Cryptography BASED ON THE PAPER

Rings and Modules for Identity-Based Post-Quantum Public-Key Cryptography BASED ON THE PAPER

Rings and Modules for Identity-Based Post-Quantum Public-Key Cryptography BASED ON THE PAPER EPRINT.IACR.ORG/2014/794 BY DUCAS, LYUBASHEVSKY, AND PREST 2016-09-21, Royal Holloway, Egham OFFICIAL Public Key Cryptography (PKC) Also called

403 views • 26 slides

More recommend