the year in post quantum crypto
play

The year in post-quantum crypto Daniel J. Bernstein, Tanja Lange - PowerPoint PPT Presentation

Feb 14, 2024 •347 likes •1.29k views

The year in post-quantum crypto Daniel J. Bernstein, Tanja Lange University of Illinois at Chicago, Eindhoven University of Technology Post-quantum cryptography: Cryptography designed under the assumption that the attacker (not the user!) has

  1. The year in post-quantum crypto Daniel J. Bernstein, Tanja Lange University of Illinois at Chicago, Eindhoven University of Technology

  2. Post-quantum cryptography: Cryptography designed under the assumption that the attacker (not the user!) has a large quantum computer. The year in post-quantum crypto https://pqcrypto.org Daniel J. Bernstein, Tanja Lange

  3. http://joakimolofsson.deviantart.com/art/Pacific-Rim-372130691

  4. Interest builds in post-quantum cryptography ◮ 2015: Finally even NSA admits that the world needs post-quantum crypto. ◮ 2016: Every agency posts something (NCSC UK, NCSC NL, NSA). ◮ 2016: After public input, NIST calls for submissions to “Post-Quantum Cryptography Standardization Project”. Solicits submissions on signatures and encryption. The year in post-quantum crypto https://pqcrypto.org Daniel J. Bernstein, Tanja Lange

  5. Interest builds in post-quantum cryptography ◮ 2003: djb coins term “post-quantum cryptography”. ◮ 2005–2015: 10 years of motivating people to work on post-quantum crypto. ◮ 2015: Finally even NSA admits that the world needs post-quantum crypto. ◮ 2016: Every agency posts something (NCSC UK, NCSC NL, NSA). ◮ 2016: After public input, NIST calls for submissions to “Post-Quantum Cryptography Standardization Project”. Solicits submissions on signatures and encryption. The year in post-quantum crypto https://pqcrypto.org Daniel J. Bernstein, Tanja Lange

  6. A year ago in the NIST competition . . . 21 December 2017: NIST posts 69 submissions from 260 people. BIG QUAKE. BIKE. CFPKM. Classic McEliece. Compact LWE. CRYSTALS-DILITHIUM. CRYSTALS-KYBER. DAGS. Ding Key Exchange. DME. DRS. DualModeMS. Edon-K. EMBLEM and R.EMBLEM. FALCON. FrodoKEM. GeMSS. Giophantus. Gravity-SPHINCS. Guess Again. Gui. HILA5. HiMQ-3. HK17. HQC. KINDI. LAC. LAKE. LEDAkem. LEDApkc. Lepton. LIMA. Lizard. LOCKER. LOTUS. LUOV. McNie. Mersenne-756839. MQDSS. NewHope. NTRUEncrypt. pqNTRUSign. NTRU-HRSS-KEM. NTRU Prime. NTS-KEM. Odd Manhattan. OKCN/AKCN/CNKE. Ouroboros-R. Picnic. pqRSA encryption. pqRSA signature. pqsigRM. QC-MDPC KEM. qTESLA. RaCoSS. Rainbow. Ramstake. RankSign. RLCE-KEM. Round2. RQC. RVB. SABER. SIKE. SPHINCS+. SRTPI. Three Bears. Titanium. WalnutDSA. The year in post-quantum crypto https://pqcrypto.org Daniel J. Bernstein, Tanja Lange

  7. A year ago . . . there were already attacks By end of 2017: 8 out of 69 submissions attacked. BIG QUAKE. BIKE. CFPKM. Classic McEliece. Compact LWE. CRYSTALS-DILITHIUM. CRYSTALS-KYBER. DAGS. Ding Key Exchange. DME. DRS. DualModeMS. Edon-K. EMBLEM and R.EMBLEM. FALCON. FrodoKEM. GeMSS. Giophantus. Gravity-SPHINCS. Guess Again. Gui. HILA5. HiMQ-3. HK17. HQC. KINDI. LAC. LAKE. LEDAkem. LEDApkc. Lepton. LIMA. Lizard. LOCKER. LOTUS. LUOV. McNie. Mersenne-756839. MQDSS. NewHope. NTRUEncrypt. pqNTRUSign. NTRU-HRSS-KEM. NTRU Prime. NTS-KEM. Odd Manhattan. OKCN/AKCN/CNKE. Ouroboros-R. Picnic. pqRSA encryption. pqRSA signature. pqsigRM. QC-MDPC KEM. qTESLA. RaCoSS. Rainbow. Ramstake. RankSign. RLCE-KEM. Round2. RQC. RVB. SABER. SIKE. SPHINCS+. SRTPI. Three Bears. Titanium. WalnutDSA. Some less security than claimed; some really broken; some attack scripts. The year in post-quantum crypto https://pqcrypto.org Daniel J. Bernstein, Tanja Lange

  8. Do cryptographers have any idea what they’re doing? By end of 2018: 22 out of 69 submissions attacked. BIG QUAKE. BIKE. CFPKM. Classic McEliece. Compact LWE. CRYSTALS-DILITHIUM. CRYSTALS-KYBER. DAGS. Ding Key Exchange. DME. DRS. DualModeMS. Edon-K. EMBLEM and R.EMBLEM. FALCON. FrodoKEM. GeMSS. Giophantus. Gravity-SPHINCS. Guess Again. Gui. HILA5. HiMQ-3. HK17. HQC. KINDI. LAC. LAKE. LEDAkem. LEDApkc. Lepton. LIMA. Lizard. LOCKER. LOTUS. LUOV. McNie. Mersenne-756839. MQDSS. NewHope. NTRUEncrypt. pqNTRUSign. NTRU-HRSS-KEM. NTRU Prime. NTS-KEM. Odd Manhattan. OKCN/AKCN/CNKE. Ouroboros-R. Picnic. pqRSA encryption. pqRSA signature. pqsigRM. QC-MDPC KEM. qTESLA. RaCoSS. Rainbow. Ramstake. RankSign. RLCE-KEM. Round2. RQC. RVB. SABER. SIKE. SPHINCS+. SRTPI. Three Bears. Titanium. WalnutDSA. Some less security than claimed; some really broken; some attack scripts. The year in post-quantum crypto https://pqcrypto.org Daniel J. Bernstein, Tanja Lange

  9. Some attempts to explain the situation People often categorize submissions. Examples of categories: ◮ Code-based encryption and signatures. ◮ Hash-based signatures. ◮ Isogeny-based encryption. ◮ Lattice-based encryption and signatures. ◮ Multivariate-quadratic encryption and signatures. The year in post-quantum crypto https://pqcrypto.org Daniel J. Bernstein, Tanja Lange

  10. Some attempts to explain the situation “What’s safe is lattice-based cryptography.” — Are you sure about that? The year in post-quantum crypto https://pqcrypto.org Daniel J. Bernstein, Tanja Lange

  11. Some attempts to explain the situation “What’s safe is lattice-based cryptography.” — Are you sure about that? Lattice-based submissions: Compact LWE. CRYSTALS-DILITHIUM. CRYSTALS-KYBER. Ding Key Exchange. DRS. EMBLEM and R.EMBLEM. FALCON. FrodoKEM. HILA5. KINDI. LAC. LIMA. Lizard. LOTUS. NewHope. NTRUEncrypt. NTRU-HRSS-KEM. NTRU Prime. Odd Manhattan. OKCN/AKCN/CNKE. pqNTRUSign. qTESLA. Round2. SABER. Titanium. The year in post-quantum crypto https://pqcrypto.org Daniel J. Bernstein, Tanja Lange

  12. Some attempts to explain the situation “What’s safe is lattice-based cryptography.” — Are you sure about that? Lattice-based submissions: Compact LWE. CRYSTALS-DILITHIUM. CRYSTALS-KYBER. Ding Key Exchange. DRS. EMBLEM and R.EMBLEM. FALCON. FrodoKEM. HILA5. KINDI. LAC. LIMA. Lizard. LOTUS. NewHope. NTRUEncrypt. NTRU-HRSS-KEM. NTRU Prime. Odd Manhattan. OKCN/AKCN/CNKE. pqNTRUSign. qTESLA. Round2. SABER. Titanium. Important progress in lattice attacks this decade—even this year. e.g. D’Anvers–Vercauteren–Verbauwhede papers in November+December: “On the impact of decryption failures on the security of LWE/LWR based schemes”; “The impact of error dependencies on Ring/Mod-LWE/LWR based schemes”. The year in post-quantum crypto https://pqcrypto.org Daniel J. Bernstein, Tanja Lange

  13. Some attempts to explain the situation “What’s safe is using the portfolio from the European PQCRYPTO project.” — Are you sure about that? The year in post-quantum crypto https://pqcrypto.org Daniel J. Bernstein, Tanja Lange

  14. Some attempts to explain the situation “What’s safe is using the portfolio from the European PQCRYPTO project.” — Are you sure about that? The portfolio: BIG QUAKE. BIKE. Classic McEliece. CRYSTALS-DILITHIUM. CRYSTALS-KYBER. DAGS. FrodoKEM. Gui. KINDI. LUOV. MQDSS. NewHope. NTRU-HRSS-KEM. NTRU Prime. Picnic. qTESLA. Rainbow. Ramstake. SABER. SPHINCS+. The year in post-quantum crypto https://pqcrypto.org Daniel J. Bernstein, Tanja Lange

  15. Some attempts to explain the situation “What’s safe is using the portfolio from the European PQCRYPTO project.” — Are you sure about that? The portfolio: BIG QUAKE. BIKE. Classic McEliece. CRYSTALS-DILITHIUM. CRYSTALS-KYBER. DAGS. FrodoKEM. Gui. KINDI. LUOV. MQDSS. NewHope. NTRU-HRSS-KEM. NTRU Prime. Picnic. qTESLA. Rainbow. Ramstake. SABER. SPHINCS+. 69 submissions = denial-of-service attack against security evaluation . Maybe cryptanalysts have been focusing on submissions from outside the project. The year in post-quantum crypto https://pqcrypto.org Daniel J. Bernstein, Tanja Lange

  16. April 2018: PQCrypto 2018, and NIST conference

  17. New RaCoSS parameters Kirill Morozov (UNT) RaCoSS – Random-code-based Courtois-Finiasz-Sendrier signature scheme code-based signature variant is SEUF-CMA • Submitted to NIST Competition [Roy, M, Fukushima, Kiyomoto , Takagi ‘17] [M, Roy, Steinwandt , Xu ‘18] • Adaptation of “Fiat - Shamir with abort” https://www.degruyter.com/downloadpdf/j/math.2018.16. from [Lyubashevsky ‘09] issue-1/math-2018-0011/math-2018-0011.pdf • [Hülsing, Bernstein, Panny , Lange: Nov’17] • Attack on original parameters Problem: EUF-CMA security proof by [Dallot ‘07] does not apply due to Goppa-code distinguisher • Updated secure parameters coming soon, [Faugere, Gauthier, Otmani , Perret, Tillich, ‘11] but the keys and signature sizes are terabytes • • Quasi-cyclic (QC) variant: possibly megabytes Way around: Assume hardness of the underlying Niederreiter problem • # signatures (life-time of keys) may be limited • • Extra: Security against key-substitution attack Design improvements needed to shift from theoretical to practical security via hashing pk [Menezes Smart ‘04] Framework for efficient • Efficient universally composable (UC) protocol for OT secure against active adaptive adversaries from special type of OW-CPA secure PKE in ROM adaptively secure UC • Covered: Low-noise LPN, McEliece, QC-MDPC, and CDH assumptions oblivious transfer (OT) in ROM • The first UC-secure OT protocols based on coding assumptions to achieve: 1) adaptive security, 2) low round complexity, [Barreto, David, Dowsley, M, Nascimento, 3) low communication and computational complexities Crypto ePrint ‘17 ] https:// ia.cr/2017/993

Recommend

The Quantum Risk & Post-Quantum Crypto JP Aumasson The Quantum Risk & Post-Quantum

The Quantum Risk & Post-Quantum Crypto JP Aumasson The Quantum Risk & Post-Quantum

The Quantum Risk & Post-Quantum Crypto JP Aumasson The Quantum Risk & Post-Quantum Crypto JP Aumasson uantum /me 15 years experience in applied cryptography (PhD, industry, consulting) Designed widely used algorithms Author of the

816 views • 52 slides
Post Quantum Crypto B e r n d F i x < b r f @ h o i - p o l l o i . o

Post Quantum Crypto B e r n d F i x < b r f @ h o i - p o l l o i . o

1 / 2 9 Post Quantum Crypto B e r n d F i x < b r f @ h o i - p o l l o i . o r g > Post-Quantum Crypto Bernd Fix < b r f @ h o i - p o l l o i . o r g > 2 / 2 9 Intro P r

340 views • 29 slides
Getting Post-Quantum Crypto Algorithms Ready for Deployment End of ECRYPT II Event: Crypto for

Getting Post-Quantum Crypto Algorithms Ready for Deployment End of ECRYPT II Event: Crypto for

Getting Post-Quantum Crypto Algorithms Ready for Deployment End of ECRYPT II Event: Crypto for 2020 Tim Gneysu Hardware Security Group Horst Grtz Institute for IT-Security, Bochum 1/24/2013 Outline Introduction Alternative Public-Key

735 views • 55 slides
Cryptographic Engineering An example of post-quantum crypto Radboud University, Nijmegen, The

Cryptographic Engineering An example of post-quantum crypto Radboud University, Nijmegen, The

Cryptographic Engineering An example of post-quantum crypto Radboud University, Nijmegen, The Netherlands Spring 2015 Crypto today Ephemeral ECDH on 256 -bit curve to compute shared key Use EdDSA signatures for public-key

1.43k views • 109 slides
Revisiting Post-Quantum Fiat-Shamir Qipeng Liu & Mark Zhandry

Revisiting Post-Quantum Fiat-Shamir Qipeng Liu & Mark Zhandry

Revisiting Post-Quantum Fiat-Shamir Qipeng Liu & Mark Zhandry (Princeton & NTT Research) Lattice Crypto Post-Quantum Crypto Typical Lattice Crypto Thm: are

623 views • 61 slides
An Overview on Post-Quantum Cryptography with an Emphasis on Code based Systems Joachim Rosenthal

An Overview on Post-Quantum Cryptography with an Emphasis on Code based Systems Joachim Rosenthal

Basics on Public Key Crypto Systems Research Directions in Post-Quantum Cryptography Variants of McEliece System Distinguisher Attacks McEliece for Rank Metric Codes An Overview on Post-Quantum Cryptography with an Emphasis on Code based

1.05k views • 100 slides
Post-Quantum Crypto Challenges Prof. Audun Jsang Universitetet i Oslo DN.no, 1 December 2017

Post-Quantum Crypto Challenges Prof. Audun Jsang Universitetet i Oslo DN.no, 1 December 2017

Post-Quantum Crypto Challenges Prof. Audun Jsang Universitetet i Oslo DN.no, 1 December 2017 Audun Jsang - 2018 PQ Crypto Challenges 2 Aftenposten.no, 10 May 2018 Audun Jsang - 2018 PQ Crypto Challenges 3 Principle for Quantum

587 views • 42 slides
for Post-Quantum Lattice-based Protocols Utsav Banerjee * , Tenzin S. Ukyab, Anantha P.

for Post-Quantum Lattice-based Protocols Utsav Banerjee * , Tenzin S. Ukyab, Anantha P.

Sapphire: A Configurable Crypto-Processor for Post-Quantum Lattice-based Protocols Utsav Banerjee * , Tenzin S. Ukyab, Anantha P. Chandrakasan * utsav@mit.edu Massachusetts Institute of Technology Post-Quantum Cryptography Current public key

911 views • 25 slides
Dustin Moody Post Quantum Cryptography Team National Institute of Standards and Technology (NIST)

Dustin Moody Post Quantum Cryptography Team National Institute of Standards and Technology (NIST)

Dustin Moody Post Quantum Cryptography Team National Institute of Standards and Technology (NIST) When will a quantum computer be built that breaks current crypto? 15 years, $1 billion USD, nuclear power plant (to break RSA-2048)

432 views • 16 slides
Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers

Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers

Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers can break public-key cryptography that is based on assuming hardness of factoring, discrete logs, and a few other problems I Post-quantum

2.98k views • 37 slides
A key-recovery timing attack on post-quantum primitives using the Fujisaki-Okamoto transformation

A key-recovery timing attack on post-quantum primitives using the Fujisaki-Okamoto transformation

A key-recovery timing attack on post-quantum primitives using the Fujisaki-Okamoto transformation and its application on FrodoKEM Qian Guo, Thomas Johansson, Alexander Nilsson August 10, 2020 Preliminaries Implementing Crypto Is Hard

994 views • 80 slides
Introduction to post-quantum cryptography and learning with errors Douglas Stebila Funding

Introduction to post-quantum cryptography and learning with errors Douglas Stebila Funding

Introduction to post-quantum cryptography and learning with errors Douglas Stebila Funding acknowledgements: Summer School on real-world crypto and privacy ibenik, Croatia June 11, 2018

1.67k views • 106 slides
Quantum Cryptography Quantum Cryptography Quantum Quantum Crypto ?? Crypto ?? or or How

Quantum Cryptography Quantum Cryptography Quantum Quantum Crypto ?? Crypto ?? or or How

Quantum Cryptography Quantum Cryptography Quantum Quantum Crypto ?? Crypto ?? or or How Alice Outwits Eve How Alice Outwits Eve Cani Cani Samuel J. Lomonaco, Jr. Samuel J. Lomonaco, Jr. Dept. of Comp. Sci Dept. of Comp. Sci. &

445 views • 16 slides
Saturnin A suite of lightweight symmetric algorithms for post-quantum security Anne Canteaut 1

Saturnin A suite of lightweight symmetric algorithms for post-quantum security Anne Canteaut 1

Saturnin A suite of lightweight symmetric algorithms for post-quantum security Anne Canteaut 1 Sbastien Duval 2 Gatan Leurent 1 Mara Naya-Plasencia 1 Lo Perrin 1 Thomas Pornin 3 Andr Schrottenloher 1 1 Inria, France 2 UCL Crypto Group,

750 views • 26 slides
SW/HW Codesign of the Post-Quantum Cryptography Algorithm NTRUEncrypt Using HLS and RTL Design

SW/HW Codesign of the Post-Quantum Cryptography Algorithm NTRUEncrypt Using HLS and RTL Design

SW/HW Codesign of the Post-Quantum Cryptography Algorithm NTRUEncrypt Using HLS and RTL Design Methodologies Farnoud Farahmand, Duc Tri Nguyen, Viet B. Dang*, Ahmed Ferozpuri and Kris Gaj George Mason University Post st-Quantum Quantum

441 views • 14 slides
Standardization of post-quantum cryptography Tanja Lange 08 May 2016 A Workshop About

Standardization of post-quantum cryptography Tanja Lange 08 May 2016 A Workshop About

Standardization of post-quantum cryptography Tanja Lange 08 May 2016 A Workshop About Cryptographic Standards History of post-quantum cryptography 2003 Daniel J. Bernstein introduces term Post-quantum cryptography. PQCrypto 2006:

623 views • 23 slides
Quantum Computing Jim Royer CIS 675 Algorithms April 24, 2019 . . . Crypto (CIS 675)

Quantum Computing Jim Royer CIS 675 Algorithms April 24, 2019 . . . Crypto (CIS 675)

Quantum Computing Jim Royer CIS 675 Algorithms April 24, 2019 . . . Crypto (CIS 675) Quantum Computing April 24, 2019 1 / 1 References A Physics-Free Introduction to the Quantum Computation Model by Stephen A. Fenner.

537 views • 28 slides
Incorporating Post-Quantum Cryptography in a microservice architecture Research Project 2 Why

Incorporating Post-Quantum Cryptography in a microservice architecture Research Project 2 Why

R. van der Gaag, D. Weller Incorporating Post-Quantum Cryptography in a microservice architecture Research Project 2 Why think about post-quantum cryptography W. Buchanan et. al concluded Gate-based quantum computers pose a significant

349 views • 18 slides
The libpqcrypto software library for post-quantum cryptography Daniel J. Bernstein and many

The libpqcrypto software library for post-quantum cryptography Daniel J. Bernstein and many

The libpqcrypto software library for post-quantum cryptography Daniel J. Bernstein and many contributors libpqcrypto.org Daniel J. Bernstein Context libpqcrypto.org Daniel J. Bernstein Redesigning crypto for security New requirements for

541 views • 51 slides
Preparing Symmetric Crypto for the Quantum World Mar a Naya-Plasencia Inria, France ERC

Preparing Symmetric Crypto for the Quantum World Mar a Naya-Plasencia Inria, France ERC

Preparing Symmetric Crypto for the Quantum World Mar a Naya-Plasencia Inria, France ERC project QUASYModo FSE 2019 Paris - March 26 2019 Preliminaries... No quantum knowledge needed for following this talk Outline Introduction

882 views • 72 slides
Post-Quantum Cryptography Dr. Ruben Niederhagen, February 8, 2016 Introduction Quantum Computers

Post-Quantum Cryptography Dr. Ruben Niederhagen, February 8, 2016 Introduction Quantum Computers

Post-Quantum Cryptography Dr. Ruben Niederhagen, February 8, 2016 Introduction Quantum Computers Using quantum states for computation: Introduced in 1985 by David Deutsch [3]. Operate on qubits using gates that perform reversible

1.69k views • 157 slides
CRYPTO HERE, CRYPTO THERE, CRYPTO, CRYPTO EVERYWHERE WORLD AQUATIC HEALTH CONFERENCE

CRYPTO HERE, CRYPTO THERE, CRYPTO, CRYPTO EVERYWHERE WORLD AQUATIC HEALTH CONFERENCE

CRYPTO HERE, CRYPTO THERE, CRYPTO, CRYPTO EVERYWHERE WORLD AQUATIC HEALTH CONFERENCE WILLIAMSBURG, VA THURSDAY, OCTOBER 17 TH , 2019 JOHN KELLY, PE IOWA DEPARTMENT OF PUBLIC HEALTH DISCLAIMER THIS PRESENTATION: IS INTENDED FOR

843 views • 40 slides
The Picnic Post-Quantum Signature Scheme and its Security Analysis Itai Dinur Ben-Gurion

The Picnic Post-Quantum Signature Scheme and its Security Analysis Itai Dinur Ben-Gurion

The Picnic Post-Quantum Signature Scheme and its Security Analysis Itai Dinur Ben-Gurion University Credit for some slides: Melissa Chase and Picnic team Post-Quantum Cryptography Large-scale quantum computer could efficiently factor large

533 views • 34 slides
Post-quantum cryptography Tanja Lange 07 October 2015 SPACE 2015 In the long term, all

Post-quantum cryptography Tanja Lange 07 October 2015 SPACE 2015 In the long term, all

Post-quantum cryptography Tanja Lange 07 October 2015 SPACE 2015 In the long term, all encryption needs to be post-quantum Mark Ketchen, IBM Research, 2012, on quantum computing: Were actually doing things that are making us think like,

901 views • 41 slides

More recommend