TRANSITIONING TO A QUANTUM-RESISTANT PUBLIC KEY INFRASTRUCTURE
Nina Bindel, Udyani Herath, Matthew McKague, Douglas Stebila
PQCrypto 2017, Utrecht, The Netherlands, 06/26/2017
Timeline:
• 2002: Start
• 2016: PQ project (Quantum Manifesto)
• 2017: MS started to stop support of SHA-1 (15 years after the start)
• 2017: Today. Best: start transition now
• 2026: 1/7 chance of breaking RSA-2048 (Michele Mosca, Nov 2015)
• 2031: 1/2 chance of breaking RSA-2048 (Michele Mosca, Nov 2015)
• 2035: Universal quantum computer (18 years from today)
BIT-HARDNESS ESTIMATIONS WITH LWE-ESTIMATOR [APS15]
Chart: log hardness (bits) of the LWE instance Regev(128), n = 128, q = 16411, σ = 29.6, as estimated by the LWE estimator between Jan 2015 and Jun 2017. The successive estimates read 80, 71, 70, 62, 61, 60, 58: a difference of ~20 bits in 2.5 years.
CURRENT SITUATION
• Unstable hardness estimations of PQ assumptions
• Quantum threat against RSA and discrete log assumptions
HYBRID SIGNATURE SCHEMES
Given: Σ_1 and Σ_2
Construct: Σ_C such that Σ_C is secure if Σ_1 or Σ_2 is secure
Example:
• Σ_1 PQ scheme and Σ_2 classical scheme
• 2 PQ schemes based on different assumptions
Q:
• What does "secure" mean?
• How to construct Σ_C?
• Can we use hybrids in current protocols and standards?
SECURITY DEFINITION
Intuition:
• eUF-CMA with 2-stage adversary A = (A_1, A_2)
• A_1, A_2 have different access to a quantum computer
• A_1 has classical/quantum access to the sign oracle
EXPT^{eUF-CMA}_Σ(A):
  q_s ← 0
  (sk, vk) ← Σ.KeyGen()
  (m_1, σ_1), …, (m_{q_s+1}, σ_{q_s+1}) ← A^{O_S}(vk)      // O_S: q_s ← q_s + 1 on each signing query
  If Σ.Verify(vk, m_i, σ_i) = 1: Return 1
  Else Return 0
EXPT^{eUF-CMA}_Σ(A), two-stage adversary A = (A_1, A_2):
  q_s ← 0
  (sk, vk) ← Σ.KeyGen()
  st ← A_1^{O_S}(vk)                                       // O_S: q_s ← q_s + 1 on each signing query
  (m_1, σ_1), …, (m_{q_s+1}, σ_{q_s+1}) ← A_2^{O_S}(st)
  If Σ.Verify(vk, m_i, σ_i) = 1: Return 1
  Else Return 0
A_1, A_2 and the access to O_S are each marked on the slide as either classical (010…1) or quantum.
ADVERSARY MODEL
Notation XyZ: X = power of A_1, y = kind of access to O_S, Z = power of A_2 (C/c classical, Q/q quantum).
• CcC - Fully classical (eUF-CMA): A_1 classical, classical access to O_S, A_2 classical
• CcQ - Future quantum: A_1 classical, classical access to O_S, A_2 quantum
• QcQ - Quantum adversary: A_1 quantum, classical access to O_S, A_2 quantum
• QqQ - Fully quantum (also in [BZ13]): A_1 quantum, quantum access to O_S, A_2 quantum
THEOREM: QqQ-security ⇒ QcQ-security ⇒ CcQ-security ⇒ CcC-security
EXAMPLES OF HYBRID SIGNATURES
Given Σ_1 XyZ-secure and Σ_2 UvW-secure:

Combiner      σ = (σ_1, σ_2)                                   Unforgeability
C_||          σ_1 ← Sign_1(m),   σ_2 ← Sign_2(m)                max{XyZ, UvW}
C_nest        σ_1 ← Sign_1(m),   σ_2 ← Sign_2(m, σ_1)           max{XyZ, UvW}
C_dual-nest   σ_1 ← Sign_1(m_1), σ_2 ← Sign_2(m_1, σ_1, m_2)    XyZ with respect to m_1, UvW
APPLICABLE TO CURRENT PKI?
• Certificates: X.509v3
• Secure channels: TLS
• Secure email: S/MIME
Q:
(1) How can hybrid combiners be used in current standards?
(2) What about backwards-compatibility?
(3) Do large key and signature sizes raise problems?
HYBRID SIGNATURE IN S/MIME EMAIL
Idea:
• Use concatenation combiner
• S/MIME data structures allow multiple parallel signatures
• Disadvantage: Verification of all signatures; backwards-compatibility?
2nd Idea:
• Use nested combiner
• Use optional attributes
HYBRID SIGNATURES IN X.509V3 CERT
Idea:
• Use dual nested combiner
• PQ cert = extension of RSA cert
• Hybrid software recognizes and processes PQ cert and RSA cert
• Older software ignores non-critical extension
Keys:
  (sk_PQ_CA, sk_RSA_CA, vk_PQ_CA, vk_RSA_CA) ← KeyGen_dual-nest
  (sk_PQ_Sub, sk_RSA_Sub, vk_PQ_Sub, vk_RSA_Sub) ← KeyGen_dual-nest
Certificate c_1 (PQ):
  tbsCertificate m_1: Sub CA, subject, vk_PQ_Sub
  c_1 = Sign_PQ(sk_PQ_CA, (m_1, vk_PQ_Sub))
Certificate c_2 (RSA):
  tbsCertificate m_2: Sub CA, subject, vk_RSA_Sub
  Extensions: Ext. id. = non-critical (carries the PQ cert)
  c_2 = Sign_RSA(sk_RSA_CA, (m_2, vk_RSA_Sub, c_1, m_1))
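The three combiners of the EXAMPLES OF HYBRID SIGNATURES slide and the dual-nested certificate layout of this slide, as an added worked example (Python, standard library only; this is not the talk's or the authors' code). The component schemes Σ_1 and Σ_2 are Lamport one-time signatures over SHA3-256 and SHA-256, standing in for the PQ scheme and for RSA so the block runs offline; the length-prefixed tuple encoding, the certificate dictionary and its field names, and the `Hybrid`/`verify_legacy`/`verify_hybrid` function names are assumptions made here, not from the slides.

```python
"""Hybrid signature combiners (C_||, C_nest, C_dual-nest) and the dual-nested X.509 layout.
Added example: Lamport one-time signatures over two hash functions stand in for RSA and a PQ scheme."""
import hashlib
import hmac
import secrets


def encode(*parts: bytes) -> bytes:
    """Length-prefixed tuple encoding so Sign_2(m, sigma_1) is never confused with Sign_2(m || sigma_1)."""
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


class Lamport:
    """Toy one-time signature (stand-in): vk = hashes of 256 secret pairs, a signature reveals one secret per bit of H(m)."""

    def __init__(self, hash_name: str):
        self.h = lambda data: hashlib.new(hash_name, data).digest()

    def keygen(self):
        sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
        vk = b"".join(self.h(a) + self.h(b) for a, b in sk)  # 256 pairs * 64 bytes
        return sk, vk

    def sign(self, sk, msg: bytes) -> bytes:
        d = self.h(msg)
        return b"".join(sk[i][(d[i // 8] >> (7 - i % 8)) & 1] for i in range(256))

    def verify(self, vk: bytes, msg: bytes, sig: bytes) -> bool:
        if len(vk) != 256 * 64 or len(sig) != 256 * 32:
            return False
        d = self.h(msg)
        ok = True
        for i in range(256):
            bit = (d[i // 8] >> (7 - i % 8)) & 1
            want = vk[64 * i + 32 * bit:64 * i + 32 * bit + 32]
            ok &= hmac.compare_digest(self.h(sig[32 * i:32 * i + 32]), want)
        return bool(ok)


class Hybrid:
    """Sigma_C built from Sigma_1 and Sigma_2 with one of the slide's three combiners."""

    def __init__(self, s1, s2, mode: str):
        assert mode in ("concat", "nest", "dual-nest")
        self.s1, self.s2, self.mode = s1, s2, mode

    def keygen(self):
        (sk1, vk1), (sk2, vk2) = self.s1.keygen(), self.s2.keygen()
        return (sk1, sk2), (vk1, vk2)

    def _inner(self, m1: bytes, sig1: bytes, m2: bytes) -> bytes:
        # What Sigma_2 signs: m for C_||, (m, sigma_1) for C_nest, (m_1, sigma_1, m_2) for C_dual-nest
        return {"concat": m1, "nest": encode(m1, sig1), "dual-nest": encode(m1, sig1, m2)}[self.mode]

    def sign(self, sk, m1: bytes, m2: bytes = b""):
        sig1 = self.s1.sign(sk[0], m1)  # sigma_1 <- Sign_1(m_1)
        return sig1, self.s2.sign(sk[1], self._inner(m1, sig1, m2))

    def verify(self, vk, m1: bytes, sig, m2: bytes = b"") -> bool:
        sig1, sig2 = sig
        return self.s1.verify(vk[0], m1, sig1) and self.s2.verify(vk[1], self._inner(m1, sig1, m2), sig2)


PQ = Lamport("sha3_256")   # stand-in for the PQ scheme
RSA = Lamport("sha256")    # stand-in for RSA
DUAL = Hybrid(PQ, RSA, "dual-nest")


def issue_hybrid_cert(ca_sk, sub_vk, subject: bytes) -> dict:
    """Slide layout (field names assumed): m_1 is the PQ tbsCertificate and c_1 = Sign_PQ(m_1); the RSA
    tbsCertificate carries (c_1, m_1) in a non-critical extension, so c_2 covers (m_1, c_1, m_2)."""
    sub_vk_pq, sub_vk_rsa = sub_vk
    m1 = encode(b"Sub CA", subject, sub_vk_pq)
    m2 = encode(b"Sub CA", subject, sub_vk_rsa)
    c1, c2 = DUAL.sign(ca_sk, m1, m2)
    return {"tbs_fields": m2, "ext": (c1, m1), "ext_critical": False, "sig": c2}


def tbs_bytes(cert: dict) -> bytes:
    """Everything c_2 covers, extension bytes included, as a DER tbsCertificate would be."""
    c1, m1 = cert["ext"]
    return encode(m1, c1, cert["tbs_fields"])


def verify_legacy(ca_vk_rsa: bytes, cert: dict) -> bool:
    """Pre-hybrid software: checks only the RSA signature and skips the unknown non-critical extension."""
    return RSA.verify(ca_vk_rsa, tbs_bytes(cert), cert["sig"])


def verify_hybrid(ca_vk, cert: dict) -> bool:
    """Hybrid-aware software: the RSA check plus the PQ signature c_1 over m_1 taken from the extension."""
    ca_vk_pq, ca_vk_rsa = ca_vk
    c1, m1 = cert["ext"]
    return verify_legacy(ca_vk_rsa, cert) and PQ.verify(ca_vk_pq, m1, c1)


def demo() -> dict:
    """Issue one hybrid sub-CA cert (constructed sample data) and check it with both verifier kinds."""
    ca_sk, ca_vk = DUAL.keygen()
    _, sub_vk = DUAL.keygen()
    cert = issue_hybrid_cert(ca_sk, sub_vk, b"CN=example sub CA")
    tampered = dict(cert, tbs_fields=cert["tbs_fields"] + b"!")
    return {"legacy_ok": verify_legacy(ca_vk[1], cert), "hybrid_ok": verify_hybrid(ca_vk, cert),
            "tampered_legacy": verify_legacy(ca_vk[1], tampered), "tampered_hybrid": verify_hybrid(ca_vk, tampered)}
```

`demo()` returns `legacy_ok` and `hybrid_ok` as `True` and both tampered results as `False`: the RSA-only verifier still hashes the whole tbsCertificate (extension included) and so rejects any edit, while only the hybrid-aware verifier also gains the PQ signature's protection against a future break of the RSA stand-in. Because `Hybrid` treats `m2` as part of what Σ_2 signs only in `dual-nest` mode, the same object reproduces the unforgeability column of the combiner table when driven with the other two modes.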
COMPATIBILITY OF HYBRID X.509V3 CERTS
Application            Extension size [KB]: 1.5 | 3.5 | 9.0 | 43.0 | 1333.0
Libraries
  GnuTLS
  Java SE
  mbedTLS
  NSS
  OpenSSL
Web browsers
  Apple Safari
  Google Chrome
  MS Edge
  MS IE
  Mozilla Firefox
  Opera
(The per-cell compatibility marks of the table are not recoverable from the extracted slide.)
SUMMARY
• Security experiment with 2-stage adversary
• Adversary model with respect to quantum power
• Construction of hybrid signature schemes
• Compatibility with current PKI:
  • Nested single message in S/MIME
  • Nested dual message in X.509 cert in applications
• Left out: non-separability
THANKS