TRANSITIONING TO A QUANTUM-RESISTANT PUBLIC KEY INFRASTRUCTURE
Nina Bindel, Udyani Herath, Matthew McKague, Douglas Stebila
Cryptography for the IoT+Cloud, Bochum, Germany, 11/06/2017
TIMELINE (figure; only the labels are recoverable)
• Michele Mosca (Nov 2015): 1/7 chance of breaking RSA-2048 by 2026, 1/2 chance by 2031
• Other marks on the axis: universal quantum computer; PQ project (Quantum Manifesto); "MS started to stop support of SHA-1 ?"; years 2002, 2016, 2017 (today, Jan./Nov.), 2026, 2031, 2035; spans of 15 years and 18 years
• Best: start transition now
BIT-HARDNESS ESTIMATIONS WITH LWE-ESTIMATOR [APS15]
Figure: log hardness (bits, y-axis 0 to 80) of the LWE instance Regev(128) (n = 128, q = 16411, σ = 29.6) as estimated between Jan 2015 and Nov 2017 (x-axis: Jan 2015, Jun 2015, Jan 2016, Jun 2016, Jan 2017, Jun 2017, Nov 2017); values shown: 71, 62, 61, 58, 51, 48. Difference of ~20 bits in 2.5 years.
CURRENT SITUATION
• Unstable hardness estimations of "PQ assumptions"
• Quantum threat against RSA and discrete log assumptions
NOT ENOUGH TO CARE ABOUT THE PRIMITIVES…
CHALLENGES DURING TRANSITION
• Security
• Compatibility
HYBRID SIGNATURE SCHEMES
Given: Σ_1 and Σ_2
Construct: Σ_C such that Σ_C is secure if Σ_1 or Σ_2 is secure
Example:
• Σ_1 a PQ scheme and Σ_2 a classical scheme
• 2 PQ schemes based on different assumptions
Questions:
• What does "secure" mean?
• How to construct Σ_C?
• Can we use hybrids in current protocols and standards?
SECURITY DEFINITION
Intuition:
• eUF-CMA with 2-stage adversary A = (A_1, A_2)
• A_1, A_2 have different access to a quantum computer
• A_1 has classical/quantum access to the sign oracle
Expt^{eUF-CMA}_Σ(A):
  q_s ← 0
  (sk, vk) ← Σ.KeyGen()
  (m_1, σ_1), …, (m_{q_s+1}, σ_{q_s+1}) ← A^{O_S}(vk)        [each query to O_S: q_s ← q_s + 1]
  If Σ.Verify(vk, m_i, σ_i) = 1 for all i: Return 1
  Else Return 0
Expt^{eUF-CMA}_Σ(A_1, A_2):
  q_s ← 0
  (sk, vk) ← Σ.KeyGen()
  st ← A_1^{O_S}(vk)                                          [A_1 classical or quantum; O_S access classical or quantum; each query: q_s ← q_s + 1]
  (m_1, σ_1), …, (m_{q_s+1}, σ_{q_s+1}) ← A_2(st)            [A_2 classical or quantum]
  If Σ.Verify(vk, m_i, σ_i) = 1 for all i: Return 1
  Else Return 0
ADVERSARY MODEL (notation XyZ: X = power of A_1, y = access to O_S, Z = power of A_2)
• CcC – fully classical (eUF-CMA): A_1 classical, access to O_S classical, A_2 classical
• CcQ – future quantum: A_1 classical, access to O_S classical, A_2 quantum
• QcQ – quantum adversary: A_1 quantum, access to O_S classical, A_2 quantum
• QqQ – fully quantum (also in [BZ13]): A_1 quantum, access to O_S quantum, A_2 quantum
THEOREM (implication diagram): QqQ ⇒ QcQ ⇒ CcQ ⇒ CcC
EXAMPLES OF HYBRID SIGNATURES
Σ_1 is XyZ-secure, Σ_2 is UvW-secure; the hybrid signature is σ = (σ_1, σ_2).
• Combiner C_||: σ_1 ← Sign_1(m), σ_2 ← Sign_2(m). Unforgeability: max{XyZ, UvW}. Non-separability: no.
• Combiner C_nest: σ_1 ← Sign_1(m), σ_2 ← Sign_2(m, σ_1). Unforgeability: max{XyZ, UvW}. Non-separability: depending on UvW.
• Combiner C_dual-nest: σ_1 ← Sign_1(m_1), σ_2 ← Sign_2(m_1, σ_1, m_2). Unforgeability: XyZ w.r.t. m_1, UvW. Non-separability: depending on UvW.
APPLICABLE TO CURRENT PKI?
• Certificates: X.509v3
• Secure channels: TLS (not in this talk)
• Secure email: S/MIME
Questions:
(1) How can hybrid combiners be used in current standards?
(2) What about backwards-compatibility?
(3) Do large key and signature sizes raise problems?
HYBRID SIGNATURES IN S/MIME EMAIL
Idea:
• Use concatenation combiner
• S/MIME data structures allow multiple parallel signatures
• Disadvantage: verification of all signatures
2nd idea:
• Use nested combiner
• Use optional attributes
• Backwards-compatibility?
HYBRID SIGNATURES IN X.509V3 CERTIFICATES
Idea:
• Use dual nested combiner
• PQ cert = extension of RSA cert
• Hybrid software recognizes and processes PQ cert and RSA cert
• Older software ignores non-critical extension
Keys:
  (sk_PQ_CA, sk_RSA_CA, vk_PQ_CA, vk_RSA_CA) ← KeyGen_dual-nest
  (sk_PQ_Sub, sk_RSA_Sub, vk_PQ_Sub, vk_RSA_Sub) ← KeyGen_dual-nest
Certificate c_1 (PQ):
  tbsCertificate m_1: Sub CA, subject, vk_PQ_Sub
  c_1 = Sign_PQ(sk_PQ_CA, (m_1, vk_PQ_Sub))
Certificate c_2 (RSA):
  tbsCertificate m_2: Sub CA, subject, vk_RSA_Sub
  Extensions: ext. id. = non-critical, value = (c_1, m_1)
  c_2 = Sign_RSA(sk_RSA_CA, (m_2, vk_RSA_Sub, c_1, m_1))
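The X.509 construction above, as an added example in Go that is not part of the talk or the paper's code: Ed25519 stands in for the PQ scheme, the extension OID is a hypothetical private-arc value, and IssueHybrid/VerifyLegacy/VerifyHybrid are names chosen here. VerifyLegacy is what RSA-only software does (the non-critical extension is ignored), VerifyHybrid additionally checks the embedded PQ certificate.

```go
package main

import (
	"crypto/ed25519"; "crypto/rand"; "crypto/rsa"; "crypto/x509"; "crypto/x509/pkix"
	"encoding/asn1"; "errors"; "math/big"; "time"
)

// Hypothetical private-arc OID for the non-critical extension carrying c1 (constructed for this example, not registered).
var hybridExtOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}
// tmpl is the tbsCertificate "m" of the slide (subject, validity, basic constraints); the subject key is added by mustCert.
func tmpl(cn string, serial int64, ca bool) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: ca,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
}
// mustCert signs template t under parent with priv, i.e. Sign(sk_CA, (m, vk_Sub)), and returns the parsed certificate.
func mustCert(t, parent *x509.Certificate, pub, priv any) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, priv)
	if err != nil { panic(err) }
	c, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return c
}
// IssueHybrid builds c1 = Sign_PQ(sk_PQ_CA, (m1, vk_PQ_Sub)) and c2 = Sign_RSA(sk_RSA_CA, (m2, vk_RSA_Sub, c1, m1)),
// with c1 carried as a non-critical extension of c2. Ed25519 stands in for the PQ scheme. Returns both CA certs and c2.
func IssueHybrid(subject string) (caPQ, caRSA, c2 *x509.Certificate) {
	pqPub, pqPriv, _ := ed25519.GenerateKey(rand.Reader)
	rsaPriv, _ := rsa.GenerateKey(rand.Reader, 2048)
	caPQ = mustCert(tmpl("PQ Root CA", 1, true), tmpl("PQ Root CA", 1, true), pqPub, pqPriv)
	caRSA = mustCert(tmpl("RSA Root CA", 2, true), tmpl("RSA Root CA", 2, true), &rsaPriv.PublicKey, rsaPriv)
	subPQPub, _, _ := ed25519.GenerateKey(rand.Reader)
	subRSA, _ := rsa.GenerateKey(rand.Reader, 2048)
	c1 := mustCert(tmpl(subject, 3, false), caPQ, subPQPub, pqPriv)
	t2 := tmpl(subject, 4, false)
	t2.ExtraExtensions = []pkix.Extension{{Id: hybridExtOID, Critical: false, Value: c1.Raw}}
	return caPQ, caRSA, mustCert(t2, caRSA, &subRSA.PublicKey, rsaPriv)
}
// VerifyLegacy is RSA-only software: it verifies c2 and ignores the unknown non-critical extension.
func VerifyLegacy(c2, caRSA *x509.Certificate) error { return c2.CheckSignatureFrom(caRSA) }
// VerifyHybrid verifies the RSA signature on c2 (which also covers the embedded c1), then the PQ signature on c1.
func VerifyHybrid(c2, caRSA, caPQ *x509.Certificate) error {
	if err := c2.CheckSignatureFrom(caRSA); err != nil { return err }
	for _, e := range c2.Extensions {
		if !e.Id.Equal(hybridExtOID) { continue }
		c1, err := x509.ParseCertificate(e.Value)
		if err != nil { return err }
		return c1.CheckSignatureFrom(caPQ)
	}
	return errors.New("hybrid: c2 carries no PQ certificate extension")
}
```

Because c1 sits inside the signed tbsCertificate of c2, stripping or swapping the PQ certificate invalidates the RSA signature, which is the non-separability property of the nested combiner.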
COMPATIBILITY OF HYBRID X.509V3 CERTIFICATES
Table (results per cell not recoverable from the extraction): applications tested against extension sizes of 1.5, 3.5, 9.0, 43.0 and 1333.0 KB.
• Libraries: GnuTLS, Java SE, mbedTLS, NSS, OpenSSL
• Web browsers: Apple Safari, Google Chrome, MS Edge, MS IE, Mozilla Firefox, Opera
SUMMARY
• 2-stage adversary
• Adversary model with respect to quantum power
• Construction of hybrid signatures
• Compatibility with current PKI:
  • Nested single message in S/MIME
  • Nested dual message in X.509 cert
OPEN QUESTIONS
• Our combiners used in PKI are still either secure or compatible
• Better combiners/application in PKI?
• Change protocols?
• No compatibility?
• Define other hybrids (work in progress)
IACR ePrint Archive: Report 2017/460
THANKS