post quantum cryptography

Post-Quantum Cryptography Dr. Ruben Niederhagen, February 8, 2016 - PowerPoint PPT Presentation

Post-Quantum Cryptography Dr. Ruben Niederhagen, February 8, 2016 Introduction Quantum Computers Using quantum states for computation: Introduced in 1985 by David Deutsch [3]. Operate on qubits using gates that perform reversible


  7. Code-based Cryptography: Error-Correcting Codes
     - Error correction on a noisy channel: add redundant information to the message that allows bit errors to be detected and corrected.
     - Figure (built up step by step): 01101100 → encode → 10011001001 → transmit → received as 10010001011, corrected to 10011001001 → decode → 01101100.
     - Practical application requires efficient encoding and decoding algorithms.
     - Encoding: multiply the message vector with the generator matrix.
     - Decoding: use the decoding algorithm of the code.

  8. Code-based Cryptography: McEliece Crypto System
     - System Parameters: $n, t \in \mathbb{N}$, where $t \ll n$.
     - Key Generation: $G$: $k \times n$ generator matrix of a code $\mathcal{G}$; $S$: $k \times k$ random non-singular matrix; $P$: $n \times n$ random permutation matrix. Compute the $k \times n$ matrix $G_{pub} = SGP$.
     - Public Key: $(G_{pub}, t)$
     - Private Key: $(S, D_{\mathcal{G}}, P)$, where $D_{\mathcal{G}}$ is an efficient decoding algorithm for $\mathcal{G}$.

  11. Code-based Cryptography: McEliece Crypto System (recall: $G_{pub} = SGP$)
      - Public Key: $(G_{pub}, t)$
      - Private Key: $(S, D_{\mathcal{G}}, P)$.
      - Encryption: to encrypt message $m \in \mathbb{F}_2^k$, randomly choose $e \in \mathbb{F}_2^n$ of weight $t$; compute $c = mG_{pub} \oplus e$.
      - Decryption: compute $c' = cP^{-1} = mSG \oplus eP^{-1}$, use $D_{\mathcal{G}}$ to decode $c'$ to $m' = mS$, compute $m = m'S^{-1} = mSS^{-1}$.

  13. Code-based Cryptography: McEliece Crypto System
      - McEliece problem: given a McEliece public key $(G_{pub}, t)$, $G_{pub} \in \{0,1\}^{k \times n}$, and a cipher text $c \in \{0,1\}^n$, find a message $m \in \{0,1\}^k$ with $w_H(mG_{pub} - c) = t$.
      - The hardness of this problem depends on the specific code. McEliece proposes to use binary Goppa codes.

  14. Code-based Cryptography: Niederreiter Crypto System
      - System Parameters: $n, t \in \mathbb{N}$, where $t \ll n$.
      - Key Generation: $H$: $(n-k) \times n$ parity check matrix of a code $\mathcal{G}$; $P$: $n \times n$ random permutation matrix. Compute $S$: $(n-k) \times (n-k)$ non-singular matrix, and $H_{pub}$: $(n-k) \times n$ matrix such that $SHP = (\mathrm{Id}_{n-k} \mid H_{pub})$.
      - Public Key: $(H_{pub}, t)$
      - Private Key: $(S, D_{\mathcal{G}}, P)$, where $D_{\mathcal{G}}$ is an efficient syndrome decoding algorithm for $\mathcal{G}$.

  17. Code-based Cryptography: Niederreiter Crypto System (recall: $(\mathrm{Id}_{n-k} \mid H_{pub}) = SHP$)
      - Public Key: $(H_{pub}, t)$
      - Private Key: $(S, D_{\mathcal{G}}, P)$.
      - Encryption: to encrypt message $e \in \mathbb{F}_2^n$ of weight $t$, compute the syndrome $s = (\mathrm{Id}_{n-k} \mid H_{pub})\, e^T$.
      - Decryption: compute $s' = S^{-1}s = HPe^T$, use $D_{\mathcal{G}}$ to recover $e' = Pe^T$, compute $e^T = P^{-1}e' = P^{-1}Pe^T$.

  19. Code-based Cryptography: McEliece and Niederreiter
      - Recommended parameters: $n = 6960$, $m = 13$, $t = 119$, $k = n - mt = 5413$.
      - Estimated security level: 266 bit.
      - Public key size: $(n-k)k$ bits ≈ 1,046,739 bytes.
      - Disadvantages of McEliece and Niederreiter: large key size when using binary Goppa codes.

  24. Code-based Cryptography
      - Further improvements for code-based schemes: use codes with a more compact representation, e.g. cyclic codes. Problems with decoding errors!
      - Further code-based schemes:
        - Signature schemes, e.g., CFS: large (huge?) public keys.
        - Cryptographic hash functions, e.g., FSB: no competitive performance.
        - Pseudo random number generators: no competitive performance?

  25. Multivariate Cryptography
      $$\begin{aligned}
      5x_1^3 x_2 x_3^2 + 17x_2^4 x_3 + 23x_1^2 x_2^4 + 13x_1 + 12x_2 + 5 &= 0 \\
      12x_1^2 x_2^3 x_3 + 15x_1 x_3^3 + 25x_2 x_3^3 + 5x_1 + 6x_3 + 12 &= 0 \\
      28x_1 x_2 x_3^4 + 14x_2^3 x_3^2 + 16x_1 x_3 + 32x_2 + 7x_3 + 10 &= 0 \\
      54x_1^6 x_3 + 2x_1^4 + 59x_1^2 x_2^3 + 42x_1^2 x_3^7 + x_1 + 17 &= 0
      \end{aligned}$$

  29. Multivariate Cryptography: Introduction
      - Underlying problem: solving a system of $m$ multivariate polynomial equations in $n$ variables over $\mathbb{F}_q$ is called the MP problem.
      - Example:
        $$\begin{aligned}
        5x_1^3 x_2 x_3^2 + 17x_2^4 x_3 + 23x_1^2 x_2^4 + 13x_1 + 12x_2 + 5 &= 0 \\
        12x_1^2 x_2^3 x_3 + 15x_1 x_3^3 + 25x_2 x_3^3 + 5x_1 + 6x_3 + 12 &= 0 \\
        28x_1 x_2 x_3^4 + 14x_2^3 x_3^2 + 16x_1 x_3 + 32x_2 + 7x_3 + 10 &= 0
        \end{aligned}$$
      - Hardness: the MP problem is an NP-complete problem even for multivariate quadratic systems and $q = 2$.
      - Example (replaces the one above in the final build of the slide):
        $$\begin{aligned}
        x_3 x_2 + x_2 x_1 + x_2 + x_1 + 1 &= 0 \\
        x_3 x_1 + x_3 x_2 + x_3 + x_1 &= 0 \\
        x_3 x_2 + x_3 x_1 + x_3 + x_2 &= 0
        \end{aligned}$$

  31. Multivariate Cryptography: Introduction
      - Notation: for a set $f = (f_1, \dots, f_m)$ of $m$ quadratic polynomials in $n$ variables over $\mathbb{F}_2$, let $f(x) = (f_1(x), \dots, f_m(x)) \in \mathbb{F}_2^m$ be the solution vector of the evaluation of $f$ for $x \in \mathbb{F}_2^n$.
      - Definition (MQ over $\mathbb{F}_2$): let $MQ(\mathbb{F}_2^n, \mathbb{F}_2^m)$ be the set of all systems of quadratic equations in $n$ variables and $m$ equations over $\mathbb{F}_2$. We call one element $P \in MQ(\mathbb{F}_2^n, \mathbb{F}_2^m)$ an instance of MQ over $\mathbb{F}_2$.

  35. Multivariate Cryptography: Basic Idea for Multivariate Public Key Cryptography (MPKC)
      - System Parameters: $m, n \in \mathbb{N}$.
      - Key Generation: choose “random” $f \in MQ(\mathbb{F}_2^n, \mathbb{F}_2^m)$ such that $f^{-1}$ is secretly known.
      - Public Key: $f$.
      - Private Key: $f^{-1}$.
      - Encryption: to encrypt message $m \in \mathbb{F}_2^n$, compute $c = f(m)$.
      - Decryption: decrypt $m = f^{-1}(c)$.
      - Problem: how do you find $f$ and $f^{-1}$ such that $f$ is a hard instance of MQ?

  39. Multivariate Cryptography: Multivariate Public Key Cryptography (MPKC)
      - Design pattern: usually, $f$ is constructed as a sequence of invertible functions, e.g., $f = r \circ s \circ t$ with $r$ and $t$ multivariate linear and $s$ quadratic with an easy-to-invert structure.
      - This often does NOT result in a hard instance of MQ!
      - Recent secure (i.e., not yet broken?) examples:
        - Rainbow signature scheme,
        - Quartz or HFEv- signature scheme,
        - PMI+ public key encryption scheme.
      - Annotation added in the final build, next to the list: "Easier to construct."
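The design pattern $f = r \circ s \circ t$ at toy size, as an added example that is not from the slides. Here r and t are invertible linear maps built from constructed row operations, s is a triangular quadratic map chosen only because it is easy to invert, and all names and constants are illustrative; nothing here claims that the resulting f is a hard MQ instance.

```python
N = 4  # n = m = 4 variables and equations over F_2 (toy size)

# Constructed secrets. Each (i, j) means x[i] ^= x[j]; such a step is its own
# inverse, so a linear map is inverted by replaying its steps in reverse order.
T_OPS = [(0, 1), (2, 3), (1, 2), (3, 0)]
R_OPS = [(1, 0), (0, 3), (2, 1)]
# Triangular central map s: y_i = x_i + sum of x_a * x_b with a, b < i.
QUAD = {1: [(0, 0)], 2: [(0, 1)], 3: [(0, 2), (1, 2)]}

def linear(ops, x):
    x = list(x)
    for i, j in ops:
        x[i] ^= x[j]
    return x

def s(x):
    return [x[i] ^ (sum(x[a] & x[b] for a, b in QUAD.get(i, [])) & 1)
            for i in range(N)]

def s_inv(y):
    """Invert s one variable at a time: x_i depends only on earlier x values."""
    x = []
    for i in range(N):
        x.append(y[i] ^ (sum(x[a] & x[b] for a, b in QUAD.get(i, [])) & 1))
    return x

def f_private(x):
    """f = r o s o t, evaluated with the secret decomposition."""
    return linear(R_OPS, s(linear(T_OPS, x)))

def f_inverse(c):
    """Private key operation: undo r, then s, then t."""
    return linear(T_OPS[::-1], s_inv(linear(R_OPS[::-1], c)))

def unit(*idx):
    return [int(k in idx) for k in range(N)]

def publish():
    """Public key: coefficients of the m quadratic polynomials of f, recovered
    by evaluating f at the inputs of weight 0, 1 and 2 (x_i^2 = x_i over F_2)."""
    c0 = f_private(unit())
    lin = [[a ^ b for a, b in zip(f_private(unit(i)), c0)] for i in range(N)]
    quad = {}
    for i in range(N):
        for j in range(i + 1, N):
            quad[i, j] = [a ^ b ^ c ^ d for a, b, c, d in
                          zip(f_private(unit(i, j)), f_private(unit(i)),
                              f_private(unit(j)), c0)]
    return c0, lin, quad

def f_public(pub, x):
    """Encryption c = f(m) using only the published coefficients."""
    c0, lin, quad = pub
    out = list(c0)
    for i in range(N):
        if x[i]:
            out = [o ^ v for o, v in zip(out, lin[i])]
    for (i, j), q in quad.items():
        if x[i] & x[j]:
            out = [o ^ v for o, v in zip(out, q)]
    return out
```
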

  41. Multivariate Cryptography: Multivariate Public Key Cryptography (MPKC)
      - Further MQ schemes:
        - symmetric encryption schemes,
        - cryptographic hash functions, and
        - pseudo random number generators.
      - Concerns about MQ schemes:
        - Most public-key encryption schemes have been broken!
        - Efficient (sparse) MQ instances have problems with randomness!

  42. Hash-based Cryptography

  43. Hash-based Cryptography: Introduction
      - Basic idea: computing pre-images of a cryptographic hash function remains hard even for quantum computers (Grover).
      - ⇒ Use the pre-image as private key and the hash value as public key.

  66. Hash-based Cryptography: Lamport and Merkle
      - Figure (built up step by step): private values $r_{i,0}, r_{i,1}$ and public values $h_{i,0}, h_{i,1}$ for $i = 0, \dots, 3$; above the public values, tree nodes $t$ with index pairs (0,0), (1,0), (1,1), (2,0), (2,1), (2,2), (2,3); example messages 0b, 1b and 10b.

  74. Hash-based Cryptography: (Simplified) Winternitz One-Time Scheme (WOTS)
      - Figure (built up step by step): public value $h$ above a column of private values $r_7, r_6, r_5, r_4, r_3, r_2, r_1, r_0$; message: 101b = 5.
      - Attacker learns private keys and can sign 110b and 111b!
      - Final build of the figure: a second column with public value $h'$ and private values $r'_0, r'_1, \dots, r'_7$, listed beside $r_7, r_6, \dots, r_0$ respectively.
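The simplified WOTS chain and the second, reversed chain from the last slide, as an added example that is not from the slides. It assumes SHA-256 as the hash function and the chain directions $r_{i+1} = H(r_i)$, $h = H(r_7)$ and $r'_{i-1} = H(r'_i)$, $h' = H(r'_0)$, inferred from the slide's statement that a signature on 5 allows signing 6 and 7; all function names are illustrative.

```python
import hashlib

W = 8  # 3-bit messages 0..7, as on the slides

def H(x, n=1):
    """Apply SHA-256 n times (n = 0 returns x unchanged)."""
    for _ in range(n):
        x = hashlib.sha256(x).digest()
    return x

# --- Single chain: r_0 is the secret seed, the signature on m is r_m. ---
def keygen1(r0):
    return H(r0, W)                       # h = H(r_7) = H^8(r_0)

def sign1(r0, m):
    return H(r0, m)                       # r_m = H^m(r_0)

def verify1(h, m, sig):
    return 0 <= m < W and H(sig, W - m) == h

# --- Two chains: the second one runs in the opposite direction. ---
def keygen2(r0, rp7):
    return H(r0, W), H(rp7, W)            # (h, h')

def sign2(r0, rp7, m):
    return H(r0, m), H(rp7, W - 1 - m)    # (r_m, r'_m)

def verify2(pub, m, sig):
    h, hp = pub
    return (0 <= m < W
            and H(sig[0], W - m) == h     # r_m is W - m steps below h
            and H(sig[1], m + 1) == hp)   # r'_m is m + 1 steps below h'

def reachable1(h, m, sig):
    """Messages other than m that verify using only values obtained by
    hashing the published signature forward (no private key involved)."""
    return [m2 for m2 in range(W) if m2 != m
            and any(verify1(h, m2, H(sig, a)) for a in range(W))]

def reachable2(pub, m, sig):
    """Same check for the two-chain scheme: moving up one chain would need
    moving down the other, which requires a pre-image."""
    return [m2 for m2 in range(W) if m2 != m
            and any(verify2(pub, m2, (H(sig[0], a), H(sig[1], b)))
                    for a in range(W) for b in range(W))]

def demo():
    r0, rp7 = b"constructed seed r_0", b"constructed seed r'_7"  # sample values
    sig1 = sign1(r0, 5)
    sig2 = sign2(r0, rp7, 5)
    return (reachable1(keygen1(r0), 5, sig1),
            reachable2(keygen2(r0, rp7), 5, sig2))
```

The scheme stays one-time in both variants: two signatures under the same key pair expose two points on each chain.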
