
Post-Quantum Cryptography, Dr. Ruben Niederhagen, February 8, 2016

Introduction: Quantum Computers. Using quantum states for computation: Introduced in 1985 by David Deutsch [3]. Operate on qubits using gates that perform reversible


  7. Code-based Cryptography: Error-Correcting Codes. [Figure labels: 01101100, encode, 10011001001, transmit, 10011 001001, decode, 01101100.] Error correction on a noisy channel: add redundant information to the message that allows detecting and correcting bit errors. Practical application requires efficient encoding and decoding algorithms. Encoding: multiply the message vector with the generator matrix. Decoding: use the decoding algorithm of the code.

  8. Code-based Cryptography: McEliece Crypto System
     - System Parameters: $n, t \in \mathbb{N}$, where $t \ll n$.
     - Key Generation: $G$: $k \times n$ generator matrix of a code $\mathcal{G}$; $S$: $k \times k$ random non-singular matrix; $P$: $n \times n$ random permutation matrix. Compute the $k \times n$ matrix $G_{\text{pub}} = SGP$.
     - Public Key: $(G_{\text{pub}}, t)$
     - Private Key: $(S, D_{\mathcal{G}}, P)$, where $D_{\mathcal{G}}$ is an efficient decoding algorithm for $\mathcal{G}$.

  11. Code-based Cryptography: McEliece Crypto System (recall: $G_{\text{pub}} = SGP$)
      - Public Key: $(G_{\text{pub}}, t)$
      - Private Key: $(S, D_{\mathcal{G}}, P)$.
      - Encryption: to encrypt message $m \in \mathbb{F}_2^k$, randomly choose $e \in \mathbb{F}_2^n$ of weight $t$; compute $c = mG_{\text{pub}} \oplus e$.
      - Decryption: compute $c' = cP^{-1} = mSG \oplus eP^{-1}$, use $D_{\mathcal{G}}$ to decode $c'$ to $m' = mS$, compute $m = m'S^{-1} = mSS^{-1}$.

  13. Code-based Cryptography: McEliece Crypto System. McEliece problem: Given a McEliece public key $(G_{\text{pub}}, t)$, $G_{\text{pub}} \in \{0,1\}^{k \times n}$, and a cipher text $c \in \{0,1\}^n$, find a message $m \in \{0,1\}^k$ with $w_H(mG_{\text{pub}} - c) = t$. The hardness of this problem depends on the specific code. McEliece proposes to use binary Goppa codes.
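The McEliece key generation, encryption and decryption steps above, run end to end as an added example (not code from the slides). It assumes a toy [7,4] Hamming code with $t = 1$ in place of a binary Goppa code, so it shows the algebra only and offers no security; all function names are illustrative.

```python
import secrets

# Toy [7,4] Hamming code (corrects t = 1 error) standing in for a Goppa code.
K, N, T = 4, 7, 1
A = [[1, 1, 0], [1, 0, 1], [0, 1, 1], [1, 1, 1]]
G = [[int(i == j) for j in range(K)] + A[i] for i in range(K)]        # [I_k | A]
H = [[A[i][r] for i in range(K)] + [int(r == j) for j in range(N - K)]
     for r in range(N - K)]                                           # [A^T | I]

def transpose(M):
    return [list(col) for col in zip(*M)]

def matmul(X, Y):
    """Matrix product over GF(2)."""
    return [[sum(a & b for a, b in zip(row, col)) & 1 for col in zip(*Y)]
            for row in X]

def inverse(M):
    """Gauss-Jordan inversion over GF(2); returns None if M is singular."""
    n = len(M)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col]), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(n):
            if r != col and aug[r][col]:
                aug[r] = [a ^ b for a, b in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]

def keygen(rng=None):
    rng = rng or secrets.SystemRandom()
    while True:                                   # draw S until it is non-singular
        S = [[rng.getrandbits(1) for _ in range(K)] for _ in range(K)]
        S_inv = inverse(S)
        if S_inv is not None:
            break
    perm = list(range(N))
    rng.shuffle(perm)
    P = [[int(perm[i] == j) for j in range(N)] for i in range(N)]
    G_pub = matmul(matmul(S, G), P)               # G_pub = S G P
    return (G_pub, T), (S_inv, P)                 # D_G is decode() below

def encrypt(pub, m, rng=None):
    rng = rng or secrets.SystemRandom()
    G_pub, t = pub
    e = [0] * N
    for pos in rng.sample(range(N), t):           # error vector of weight t
        e[pos] = 1
    return [ci ^ ei for ci, ei in zip(matmul([m], G_pub)[0], e)]

def decode(word):
    """D_G: syndrome decoding of the Hamming code, returns the k message bits."""
    s = [sum(h & w for h, w in zip(row, word)) & 1 for row in H]
    word = word[:]
    if any(s):
        word[transpose(H).index(s)] ^= 1          # syndrome equals the error column
    return word[:K]                               # G is systematic

def decrypt(priv, c):
    S_inv, P = priv
    c1 = matmul([c], transpose(P))[0]             # c' = c P^-1 = mSG xor eP^-1
    m1 = decode(c1)                               # m' = mS
    return matmul([m1], S_inv)[0]                 # m = m' S^-1

if __name__ == "__main__":
    pub, priv = keygen()
    m = [1, 0, 1, 1]                              # constructed sample message
    c = encrypt(pub, m)
    print("c =", c, "-> m =", decrypt(priv, c))
```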

  14. Code-based Cryptography: Niederreiter Crypto System
      - System Parameters: $n, t \in \mathbb{N}$, where $t \ll n$.
      - Key Generation: $H$: $(n-k) \times n$ parity check matrix of a code $\mathcal{G}$; $P$: $n \times n$ random permutation matrix. Compute $S$: $(n-k) \times (n-k)$ non-singular matrix, and $H_{\text{pub}}$: $(n-k) \times n$ matrix, such that $SHP = (\mathrm{Id}_{n-k} \mid H_{\text{pub}})$.
      - Public Key: $(H_{\text{pub}}, t)$
      - Private Key: $(S, D_{\mathcal{G}}, P)$, where $D_{\mathcal{G}}$ is an efficient syndrome decoding algorithm for $\mathcal{G}$.

  17. Code-based Cryptography: Niederreiter Crypto System (recall: $(\mathrm{Id}_{n-k} \mid H_{\text{pub}}) = SHP$)
      - Public Key: $(H_{\text{pub}}, t)$
      - Private Key: $(S, D_{\mathcal{G}}, P)$.
      - Encryption: to encrypt message $e \in \mathbb{F}_2^n$ of weight $t$, compute the syndrome $s = (\mathrm{Id}_{n-k} \mid H_{\text{pub}})\, e^T$.
      - Decryption: compute $s' = S^{-1}s = HPe^T$, use $D_{\mathcal{G}}$ to recover $e' = Pe^T$, compute $e^T = P^{-1}e' = P^{-1}Pe^T$.

  19. Code-based Cryptography: McEliece and Niederreiter. Recommended parameters: $n = 6960$, $m = 13$, $t = 119$, $k = n - mt = 5413$. Estimated security level: 266 bit. Public key size: $(n-k)k$ bits ≈ 1,046,739 bytes. Disadvantages of McEliece and Niederreiter:
      - Large key size when using binary Goppa codes.

  24. Code-based Cryptography. Further improvements for code-based schemes: Use codes with a more compact representation, e.g. cyclic codes. Problems with decoding errors! Further code-based schemes:
      - Signature schemes, e.g., CFS: large (huge?) public keys.
      - Cryptographic hash functions, e.g., FSB: no competitive performance.
      - Pseudo random number generators: no competitive performance?

  25. Multivariate Cryptography (section title slide, showing the system):
      - $5x_1^3x_2x_3^2 + 17x_2^4x_3 + 23x_1^2x_2^4 + 13x_1 + 12x_2 + 5 = 0$
      - $12x_1^2x_2^3x_3 + 15x_1x_3^3 + 25x_2x_3^3 + 5x_1 + 6x_3 + 12 = 0$
      - $28x_1x_2x_3^4 + 14x_2^3x_3^2 + 16x_1x_3 + 32x_2 + 7x_3 + 10 = 0$
      - $54x_1^6x_3 + 2x_1^4 + 59x_1^2x_2^3 + 42x_1^2x_3^7 + x_1 + 17 = 0$

  28. Multivariate Cryptography: Introduction. Underlying problem: Solving a system of $m$ multivariate polynomial equations in $n$ variables over $\mathbb{F}_q$ is called the MP problem. Example:
      - $5x_1^3x_2x_3^2 + 17x_2^4x_3 + 23x_1^2x_2^4 + 13x_1 + 12x_2 + 5 = 0$
      - $12x_1^2x_2^3x_3 + 15x_1x_3^3 + 25x_2x_3^3 + 5x_1 + 6x_3 + 12 = 0$
      - $28x_1x_2x_3^4 + 14x_2^3x_3^2 + 16x_1x_3 + 32x_2 + 7x_3 + 10 = 0$

      Hardness: The MP problem is an NP-complete problem even for multivariate quadratic systems and $q = 2$.

  29. Multivariate Cryptography: Introduction. Underlying problem: Solving a system of $m$ multivariate polynomial equations in $n$ variables over $\mathbb{F}_q$ is called the MP problem. Example:
      - $x_3x_2 + x_2x_1 + x_2 + x_1 + 1 = 0$
      - $x_3x_1 + x_3x_2 + x_3 + x_1 = 0$
      - $x_3x_2 + x_3x_1 + x_3 + x_2 = 0$

      Hardness: The MP problem is an NP-complete problem even for multivariate quadratic systems and $q = 2$.

  31. Multivariate Cryptography: Introduction. Notation: For a set $f = (f_1, \dots, f_m)$ of $m$ quadratic polynomials in $n$ variables over $\mathbb{F}_2$, let $f(x) = (f_1(x), \dots, f_m(x)) \in \mathbb{F}_2^m$ be the solution vector of the evaluation of $f$ for $x \in \mathbb{F}_2^n$. Definition (MQ over $\mathbb{F}_2$): Let $\mathcal{MQ}(\mathbb{F}_2^n, \mathbb{F}_2^m)$ be the set of all systems of quadratic equations in $n$ variables and $m$ equations over $\mathbb{F}_2$. We call one element $P \in \mathcal{MQ}(\mathbb{F}_2^n, \mathbb{F}_2^m)$ an instance of MQ over $\mathbb{F}_2$.

  35. Multivariate Cryptography: Basic Idea for Multivariate Public Key Cryptography (MPKC)
      - System Parameters: $m, n \in \mathbb{N}$.
      - Key Generation: choose "random" $f \in \mathcal{MQ}(\mathbb{F}_2^n, \mathbb{F}_2^m)$ such that $f^{-1}$ is secretly known.
      - Public Key: $f$.
      - Private Key: $f^{-1}$.
      - Encryption: to encrypt message $m \in \mathbb{F}_2^n$, compute $c = f(m)$.
      - Decryption: Decrypt $m = f^{-1}(c)$.

      Problem: How do you find $f$ and $f^{-1}$ such that $f$ is a hard instance of MQ?

  39. Multivariate Cryptography: Multivariate Public Key Cryptography (MPKC). Design pattern: Usually, $f$ is constructed as a sequence of invertible functions, e.g., $f = r \circ s \circ t$ with $r$ and $t$ multivariate linear and $s$ quadratic with an easy-to-invert structure. This often does NOT result in a hard instance of MQ! Recent secure (i.e., not yet broken?) examples:
      - Rainbow signature scheme,
      - Quartz or HFEv- signature scheme,
      - PMI+ public key encryption scheme.

      [Annotation next to this list: Easier to construct.]

  41. Multivariate Cryptography: Multivariate Public Key Cryptography (MPKC). Further MQ schemes:
      - symmetric encryption schemes,
      - cryptographic hash functions, and
      - pseudo random number generators.

      Concerns about MQ schemes:
      - Most public-key encryption schemes have been broken!
      - Efficient (sparse) MQ instances have problems with randomness!

  42. Hash-based Cryptography

  43. Hash-based Cryptography: Introduction. Basic idea: Computing pre-images of a cryptographic hash function remains hard also for quantum computers (Grover). ⇒ Use pre-image as private key, hash-value as public key.

  66. Hash-based Cryptography: Lamport and Merkle. [Figure, shown over several build steps. Labels: tree nodes $t^0_0$; $t^1_0, t^1_1$; $t^2_0, \dots, t^2_3$; public values $h_{i,0}, h_{i,1}$ and private values $r_{i,0}, r_{i,1}$ for $i = 0, \dots, 3$; messages: 0b, 1b, 10b.]

  74. Hash-based Cryptography: (Simplified) Winternitz One-Time Scheme (WOTS). [Figure, shown over several build steps. Labels: public value $h$; private values $r_7, r_6, \dots, r_0$; message: 101b = 5.] Attacker learns private keys and can sign 110b and 111b! [Final build adds a second column: public value $h'$ and private values $r'_0, r'_1, \dots, r'_7$ listed alongside $r_7, r_6, \dots, r_0$.]
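The single-chain weakness noted on the WOTS slide, and a second chain that closes it, as an added example (not code from the slides). It assumes SHA-256 as the hash, $r_i = H^i(r_0)$ with $h = H^8(r_0)$, and that the second chain signs the complement $7 - m$; all function names are illustrative.

```python
import hashlib
import secrets

W = 8  # chain length: one chain signs a 3-bit message m in 0..7

def chain(x: bytes, steps: int) -> bytes:
    """Apply SHA-256 `steps` times (hashing forward is easy, backward is not)."""
    for _ in range(steps):
        x = hashlib.sha256(x).digest()
    return x

def keygen():
    # Assumed layout: r_i = H^i(r_0), public h = H^W(r_0); same for r', h'.
    sk = (secrets.token_bytes(32), secrets.token_bytes(32))   # (r_0, r'_0)
    pk = (chain(sk[0], W), chain(sk[1], W))                   # (h, h')
    return sk, pk

# --- single chain, as on the slide with the attacker remark ----------------
def sign_single(sk, m: int) -> bytes:
    return chain(sk[0], m)                                    # reveal r_m

def verify_single(pk, m: int, sig: bytes) -> bool:
    return 0 <= m < W and chain(sig, W - m) == pk[0]

# --- two chains: the second one signs the complement W-1-m -----------------
def sign(sk, m: int):
    return chain(sk[0], m), chain(sk[1], W - 1 - m)           # (r_m, r'_{W-1-m})

def verify(pk, m: int, sig) -> bool:
    if not 0 <= m < W:
        return False
    return chain(sig[0], W - m) == pk[0] and chain(sig[1], m + 1) == pk[1]

def transfer(m: int, sig, m2: int):
    """What anyone holding one signature on m can derive for m2 by hashing
    forward only: r_m2 exists for m2 >= m, r'_{W-1-m2} exists for m2 <= m."""
    first, second = sig
    return chain(first, max(m2 - m, 0)), chain(second, max(m - m2, 0))

def messages_accepted_after_one_signature(m: int = 5):
    """Return the messages a verifier accepts given only one signature on m,
    for the single-chain scheme and for the two-chain scheme."""
    sk, pk = keygen()
    s = sign_single(sk, m)
    single = [m2 for m2 in range(W)
              if verify_single(pk, m2, chain(s, max(m2 - m, 0)))]
    sig = sign(sk, m)
    double = [m2 for m2 in range(W) if verify(pk, m2, transfer(m, sig, m2))]
    return single, double

if __name__ == "__main__":
    single, double = messages_accepted_after_one_signature(5)
    print("single chain accepts:", [format(x, "03b") for x in single])
    print("two chains accept:   ", [format(x, "03b") for x in double])
```

With one chain, raising the message only needs forward hashing; with the complement chain, raising the message needs a preimage on the second chain and lowering it needs a preimage on the first.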
