Post-Quantum Cryptography
a talk about problems … problems … problems
Andreas Hülsing, TU Eindhoven
The Problem 9/3/2018 Andreas Hülsing https://huelsing.net 2
Public-key cryptography
Main (public-key) primitives
• Digital signature (DSIG)
  • Proof of authorship
  • Provides:
    • Authentication
    • Non-repudiation
• Public-key encryption (PKE) / Key exchange (KEX) / Key encapsulation mechanism (KEM)
  • Establishment of commonly known secret key
  • Provides secrecy
Applications
• Code signing (DSIG)
  • Software updates
  • Software distribution
  • Mobile code
• Communication security (DSIG, PKE / KEX / KEM)
  • TLS, SSH, IPSec, ...
  • eCommerce, online banking, eGovernment, ...
  • Private online communication
Connection security (simplified)
1. "Hi"
2. pk, Cert(pk belongs to shop)
3. PKC to establish shared secret sk
4. SKC-secured communication using sk
How to build PKC
(Computationally) hard problem -> PKC scheme
• Hard problems: DL, RSA, DDH, QR
• PKC schemes: RSA-OAEP, ECDSA, DH-KE
The problem
• Large (few thousand logical qubits) quantum computers can solve previously used problems (Factoring & DLog)
• All previous public key schemes are broken
  • No KEX, KEM, PKE, and DSIG
• Symmetric key primitives generally remain secure!
This is a problem that QKD cannot solve!
But post-quantum cryptography can!
Early post-quantum crypto
„Cryptography based on problems that are conjectured to be hard even for quantum computers.“
• Lattice-based: SVP / CVP
• Hash-based: CR / SPR / ...
• Code-based: SD
• Multivariate: MQ
[Figure: example system of multivariate quadratic equations $y_1, y_2, y_3$ in the variables $x_1, \ldots, x_4$]
Modern post-quantum crypto
„Users using cryptography on conventional computers facing quantum adversaries“
Adds questions like
• How to argue security?
• Are our security models sound?
• What is the complexity of actual quantum attacks?
The computational complexity approach
• Public key cryptography cannot be information theoretically secure
• We need to base it on hardness of computational problems
• Cryptanalysis needed to determine complexity of solving problems aka breaking systems
  • Needed to select parameters.
Conjectured quantum-hard problems
• Solving multivariate quadratic equations (MQ-problem) -> Multivariate crypto
• Syndrome decoding problem (SD) -> Code-based crypto
• Short(est) and close(st) vector problem (SVP, CVP) -> Lattice-based crypto
• Breaking security of symmetric primitives (SHAx-, AES-, Keccak-, ... problem) -> Hash-based signatures / symmetric crypto
• (Finding isogenies between supersingular elliptic curves -> SIDH)
NIST Competition
“We see our role as managing a process of achieving community consensus in a transparent and timely manner”
NIST’s Dustin Moody, 2018
Status of the competition
• Nov 2017: Submissions collected
• Dec 2017: Complete & proper proposals published
  • -> Starts round 1 (of 2 or 3 rounds)
• 2022 – 2024: Draft standards exist
Submissions (69 complete & proper), by type and target primitive (Signature & PKE/KEM, Signature, PKE/KEM)
• Lattice: 21 PKE/KEM (-1 due to merge), 5 Signature
• Code-based: 18 PKE/KEM (-1 withdrawn), 3 Signature (-1 withdrawn)
• Hash-based: 3 Signature
• Multivariate: 2 Signature & PKE/KEM, 7 Signature, 2 PKE/KEM (-1 withdrawn)
• Braid group: 1 Signature
• Supersingular elliptic curve isogeny: 1 PKE/KEM
• Satirical submission: 1
• Other: 4 (-2 withdrawn)
First evaluation results
Submissions
• Submissions generally follow a few previously known theoretic constructions.
• Submissions differ in how the theoretical construction is implemented.
Attacks
• 11 attacks on 10 schemes published.
• No “big surprises” (aka efficient solution to one of the underlying hard problems).
• Attacks either break those schemes that are “fundamentally new” or exploit implementation decisions.
The computational problems
MQ-Problem
Let $\mathbf{x} = (x_1, \ldots, x_n) \in \mathbb{F}_q^n$ and let $\mathrm{MQ}(n, m, \mathbb{F}_q)$ denote the family of vectorial functions $\mathbf{F}: \mathbb{F}_q^n \to \mathbb{F}_q^m$ of degree 2 over $\mathbb{F}_q$:
$$\mathrm{MQ}(n, m, \mathbb{F}_q) = \left\{ \mathbf{F}(\mathbf{x}) = \big(f_1(\mathbf{x}), \ldots, f_m(\mathbf{x})\big) \;\middle|\; f_s(\mathbf{x}) = \sum_{i,j} a_{i,j}\, x_i x_j + \sum_{i} b_i\, x_i \right\}$$
Multivariate Cryptography
• First proposal 1988
• Only signatures -> (new proposal for encryption exists but very recent)
• Cryptanalysis tasks:
  • Hardness of solving random MQ-instance
  • Hardness of solving “special” MQ-instances
• Known quantum attacks:
  • “Quantization” of classical algorithms (Bernstein & Yang ’17; Faugère, Horan, Kahrobaei, Kaplan, Kashefi & Perret ’17)
  • Cost $\mathcal{O}(2^{cn})$, $c = 0.457$ for $m = n$ and $q = 2$
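As an added illustration (not code from the slides), the following builds the MQ(n, m, 𝔽_2) family exactly as defined above, with a random instance whose solution is planted so that it exists, and solves it by exhaustive search over all 2^n assignments. That classical baseline is c = 1 in the slide's 2^{cn} notation, against which the cited quantum c = 0.457 for m = n, q = 2 is measured. Function names and the seed are my own choices.

```python
import itertools
import random

def random_mq_instance(n, m, rng):
    """Random instance of MQ(n, m, F_2) as on the slide: m quadratic polynomials
    f_s(x) = sum_{i<=j} a_ij x_i x_j + sum_i b_i x_i with coefficients in F_2."""
    polys = []
    for _ in range(m):
        a = {(i, j): rng.randint(0, 1) for i in range(n) for j in range(i, n)}
        b = [rng.randint(0, 1) for _ in range(n)]
        polys.append((a, b))
    return polys

def evaluate(polys, x):
    """F(x) = (f_1(x), ..., f_m(x)) with all arithmetic modulo 2."""
    out = []
    for a, b in polys:
        v = sum(c * x[i] * x[j] for (i, j), c in a.items())
        v += sum(bi * xi for bi, xi in zip(b, x))
        out.append(v % 2)
    return out

def solve_exhaustively(polys, y, n):
    """MQ problem: given F and y, find x with F(x) = y. Exhaustive search costs 2^n,
    i.e. c = 1 in the slide's 2^(cn); the cited quantum attack has c = 0.457 for m = n."""
    for x in itertools.product((0, 1), repeat=n):
        if evaluate(polys, x) == y:
            return list(x)
    return None

def planted_instance(n, m, seed=1):
    """Constructed instance with a known solution, so the search is guaranteed to succeed."""
    rng = random.Random(seed)
    polys = random_mq_instance(n, m, rng)
    x_secret = [rng.randint(0, 1) for _ in range(n)]
    return polys, x_secret, evaluate(polys, x_secret)

if __name__ == "__main__":
    polys, x_secret, y = planted_instance(8, 8)
    print("planted:", x_secret, "found:", solve_exhaustively(polys, y, 8))
```

Note that a random instance may have several preimages, so the solution found need not equal the planted one; only F(x) = y is checked.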
Syndrome Decoding Problem
Given a matrix $G \in \mathbb{F}_q^{k \times n}$ of rank $k$, the set $C := \{\, mG : m \in \mathbb{F}_q^k \,\}$ is called a linear code with generator matrix $G$. If $C = \{\, c \in \mathbb{F}_q^n : Hc^{T} = 0 \,\}$ we call $H$ the parity check matrix.
Syndrome Decoding Problem
Given:
• Linear code $C \subseteq \mathbb{F}_q^n$,
• Syndrome $s \in \mathbb{F}_q^k$,
• and error bound $b \in \mathbb{N}$
Return:
• $e \in \mathbb{F}_q^n$ of weight $\le b$ such that $He^{T} = s$
Decision version is NP-hard (Berlekamp, McEliece & v. Tilborg ’78; Barg ’94)
Code-based cryptography
• First proposal 1978: McEliece with binary Goppa codes
• Until recently, practical proposals only known for KEM
• Either huge keys or structured codes (QC-MDPC)
• Cryptanalysis tasks:
  • Hardness of solving random SD-instance
  • Hardness of solving SD for specific codes (QC-MDPC, Goppa)
• Known quantum attacks:
  • “Quantization” of classical algorithms (Kachigar & Tillich ’17)
  • Cost $\mathcal{O}(2^{cn})$, $c = 0.058$ worst-case
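As an added example (not from the slides), here is the syndrome decoding problem of the previous slide over 𝔽_2 made concrete: a constructed random binary parity-check matrix H, a planted error e of weight b, and the syndrome s = He^T handed to a solver that enumerates every support of size at most b. Names, dimensions and the seed are my own choices.

```python
import itertools
import random

def syndrome(H, e):
    """H e^T over F_2: H as a list of rows, e as a list of bits."""
    return [sum(h * v for h, v in zip(row, e)) % 2 for row in H]

def hamming_weight(e):
    return sum(e)

def decode_by_enumeration(H, s, b):
    """Syndrome decoding: return e in F_2^n with weight <= b and H e^T = s, or None.
    Tries every support of size w = 0..b, i.e. sum_w C(n, w) candidates, exponential in n;
    this is the naive baseline, not the information-set decoding the slide's bound refers to."""
    n = len(H[0])
    for w in range(b + 1):
        for support in itertools.combinations(range(n), w):
            e = [0] * n
            for i in support:
                e[i] = 1
            if syndrome(H, e) == s:
                return e
    return None

def planted_sd_instance(n, r, b, seed=7):
    """Constructed instance: random r x n binary parity-check matrix H and a planted
    error e of weight exactly b; the syndrome s = H e^T is what the solver receives."""
    rng = random.Random(seed)
    H = [[rng.randint(0, 1) for _ in range(n)] for _ in range(r)]
    support = set(rng.sample(range(n), b))
    e = [1 if i in support else 0 for i in range(n)]
    return H, syndrome(H, e), e

if __name__ == "__main__":
    H, s, e_planted = planted_sd_instance(16, 8, 3)
    print("planted:", e_planted, "decoded:", decode_by_enumeration(H, s, 3))
```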
Lattice-based cryptography
Basis: $B = (b_1, b_2) \in \mathbb{Z}^{2 \times 2}$; $b_1, b_2 \in \mathbb{Z}^2$
Lattice: $\Lambda(B) = \{\, x = By \mid y \in \mathbb{Z}^2 \,\}$
Shortest vector problem (SVP)
(Worst-case) Lattice Problems
• SVP: Find shortest vector in lattice, given random basis. NP-hard (Ajtai ’96)
• Approximate SVP ($\beta$SVP): Find short vector (norm $< \beta$ times norm of shortest vector). Hardness depends on $\beta$ (for $\beta$ used in crypto not NP-hard).
• CVP: Given random point in underlying vector space (e.g. $\mathbb{Z}^n$), find the closest lattice point. (Generalization of SVP, reduction from SVP)
• Approximate CVP ($\beta$CVP): Find a „close“ lattice point. (Generalization of $\beta$SVP)
Lattice-based crypto
• First proposal GGH (proposed 1995, published 1997) or Ajtai (1996)?
• Signatures & KEM / KEX
• Either huge keys and/or sigs or structured lattices (Ideal / module lattices)
• Cryptanalysis tasks:
  • Hardness of solving $\beta$SVP for random lattices
  • Hardness of solving $\beta$SVP for structured lattices (Ideal-, Module lattices)
• Known quantum attacks:
  • “Quantization” of classical algorithms (Laarhoven, Mosca & v.d. Pol ’15; Aono, Nguyen & Shen ’18)
  • Cost $2^{cn + o(n)}$, $c = 0.268$ (heuristically)
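As an added example (not code from the slides), the 2-dimensional lattice Λ(B) = {By | y ∈ ℤ²} from the slides above with two constructed bases of the same lattice, one with short vectors and one with long skewed ones, plus SVP and CVP solved by plain enumeration of coefficient vectors y. It shows that the problems are properties of the lattice, not of the basis you are handed. Basis values and function names are my own.

```python
import itertools
import math

# Constructed example bases, given as columns b_1, b_2, of one 2-dimensional lattice:
# B_BAD = B_GOOD * U for a unimodular U (both have |det| = 7), so Lambda(B_GOOD) == Lambda(B_BAD).
B_GOOD = [[1, 2], [3, -1]]   # short, nearly orthogonal vectors
B_BAD = [[6, 5], [7, 7]]     # long, skewed vectors spanning the same lattice

def lattice_point(B, y):
    """x = B y: integer combination y = (y_1, y_2) of the basis columns."""
    return [B[0][i] * y[0] + B[1][i] * y[1] for i in range(2)]

def in_lattice(B, x):
    """Membership test: solve B y = x by Cramer's rule and check that y is integral."""
    det = B[0][0] * B[1][1] - B[1][0] * B[0][1]
    y1 = x[0] * B[1][1] - B[1][0] * x[1]
    y2 = B[0][0] * x[1] - B[0][1] * x[0]
    return det != 0 and y1 % det == 0 and y2 % det == 0

def shortest_vector(B, bound):
    """SVP by enumeration of all y in [-bound, bound]^2 with y != 0 (exponential in the dimension)."""
    best, best_norm = None, math.inf
    for y in itertools.product(range(-bound, bound + 1), repeat=2):
        if y == (0, 0):
            continue
        x = lattice_point(B, y)
        norm = math.hypot(x[0], x[1])
        if norm < best_norm:
            best, best_norm = x, norm
    return best, best_norm

def closest_vector(B, target, bound):
    """CVP by enumeration: the lattice point minimising the distance to target."""
    best, best_dist = None, math.inf
    for y in itertools.product(range(-bound, bound + 1), repeat=2):
        x = lattice_point(B, y)
        dist = math.hypot(x[0] - target[0], x[1] - target[1])
        if dist < best_dist:
            best, best_dist = x, dist
    return best, best_dist

if __name__ == "__main__":
    print("SVP from bad basis:", shortest_vector(B_BAD, 10))
    print("CVP to (10, 10):", closest_vector(B_BAD, (10, 10), 10))
```

With the skewed basis the shortest vector (1, 2) only appears as the combination y = (-1, 1), which is what makes SVP and CVP hard once the dimension is large and enumeration is no longer affordable.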
(Hash) function families
• $H_n := \{\, h_k : \{0,1\}^{m(n)} \to \{0,1\}^n \,\}$
• $m(n) \ge n$
• $h_k$ „efficient“
Preimage resistance (PRE)
$H_n := \{\, h_k : \{0,1\}^{m(n)} \to \{0,1\}^n \,\}$
Game: $k \xleftarrow{\$} H_n$, $x_c \xleftarrow{\$} \{0,1\}^{m(n)}$, $y_c \leftarrow h_k(x_c)$; the adversary receives $(y_c, k)$ and outputs $x^*$.
Success if $h_k(x^*) = y_c$
Collision resistance (CR)
$H_n := \{\, h_k : \{0,1\}^{m(n)} \to \{0,1\}^n \,\}$
Game: $k \xleftarrow{\$} H_n$; the adversary receives $k$ and outputs $(x_1^*, x_2^*)$.
Success if $h_k(x_1^*) = h_k(x_2^*)$ and $x_1^* \neq x_2^*$
Second-preimage resistance (SPR)
$H_n := \{\, h_k : \{0,1\}^{m(n)} \to \{0,1\}^n \,\}$
Game: $k \xleftarrow{\$} H_n$, $x_c \xleftarrow{\$} \{0,1\}^{m(n)}$; the adversary receives $(x_c, k)$ and outputs $x^*$.
Success if $h_k(x_c) = h_k(x^*)$ and $x_c \neq x^*$