PostQuantum Cryptography Andreas Hlsing TU Eindhoven Quantum kills
- Slides: 48
Post-Quantum Cryptography Andreas Hülsing TU Eindhoven
Quantum kills the Internet 10/21/2021 Andreas Hülsing https: //huelsing. net 2
Background: Cryptography 10/21/2021 Andreas Hülsing https: //huelsing. net 3
Secret key encryption (SKE) plaintext SKE. Enc Sdkfj ölakjs ödasjd följasö ldjföas jölakj Key k 01/07/2019 SKE. Dec plaintext Key k https: //huelsing. net 4
Message authentication (MAC) plaintext MAC. Ta g plaintext Key k 01/07/2019 MAC. Vrfy Key k https: //huelsing. net 5
How to build secret key crypto? • Spoiler: Killed by quantum? Not that we know. (but weakened)* Engineering* * Disclaimer: Massive simplification 10/21/2021 Andreas Hülsing https: //huelsing. net 6
How does Bob learn shared key k? 10/21/2021 Andreas Hülsing https: //huelsing. net 7
Public key encryption (PKE) plaintext PKE. Enc Sdkfj ölakjs ödasjd följasö ldjföas jölakj Bob’s pk 01/07/2019 PKE. Dec plaintext Bob’s sk https: //huelsing. net 8
Digital Signature (DSig) plaintext DSig. Sign plaintext Alice’s sk 01/07/2019 DSig. Vrfy Alice’s pk https: //huelsing. net 9
Applications • Code signing (DSIG) • Software updates • Software distribution • Mobile code • Communication security (DSIG, PKE / KEX /KEM) • TLS, SSH, IPSec, . . . • e. Commerce, online banking, e. Government, . . . • Private online communication 10/21/2021 Andreas Hülsing https: //huelsing. net 11
Communication security (simplified) Hi pk, Cert(pk belongs to shop) PKC to establish shared secret sk SKC secured communication using sk 10/21/2021 Andreas Hülsing https: //huelsing. net 12
How to build PKC (Computationally) hard problem RSA 10/21/2021 DL QR PKC Scheme RSAOAEP DDH Andreas Hülsing https: //huelsing. net ECDSA DH-KE 13
The Quantum Threat
Shor‘s algorithm (1994) • Quantum computers can do FFT very efficiently • Can be used to find period of a function • This can be exploited to factor efficiently (RSA) • Shor also shows how to solve discrete log efficiently (DSA, DH, ECDSA, ECDH)
Grover‘s algorithm (1996) •
What is the problem that QKD solves? 10/21/2021 Andreas Hülsing https: //huelsing. net 17
Recall: Communication security (simplified) Hi pk, Cert(pk belongs to shop) PKC to establish shared secret sk SKC secured communication using sk 10/21/2021 Andreas Hülsing https: //huelsing. net 18
The problem solved by QKD Given • a shared classical secret, • a physical channel between parties that supports QKD • compatible QKD devices on both ends of the channel It is possible to • generate a longer shared classical secret. 10/21/2021 Andreas Hülsing https: //huelsing. net 19
Solution to the problem caused by Shor? Post-quantum cryptography 10/21/2021 Andreas Hülsing https: //huelsing. net 20
How to build PKC (Computationally) (computationally) hard problem Quantum-hard DL RSA DDH Problem QR 10/21/2021 PKC Scheme RSAOAEP Andreas Hülsing https: //huelsing. net ECDSA DH-KE 21
Early post-quantum crypto „Cryptography based on problems that are conjectured to be hard even for quantum computers. “ Lattice-based: SVP / CVP Hash-based: CR / SPR /. . . Code-based: SD Multivariate: MQ 10/21/2021 Andreas Hülsing https: //huelsing. net 22
Conjectured quantum-hard problems • Solving multivariate quadratic equations (MQ-problem) -> Multivariate Crypto • Syndrom decoding problem (SD) -> Code-based crypto • Short(est) and close(st) vector problem (SVP, CVP) -> Lattice-based crypto • Breaking security of symmetric primitives (SHAx-, AES-, Keccak-, . . . problem) -> Hash-based signatures / symmetric crypto • (Finding isogenies between supersingular elliptic curves -> SIDH / CSIDH) 10/21/2021 Andreas Hülsing https: //huelsing. net 23
MQ-Problem 10/21/2021 Andreas Hülsing https: //huelsing. net 24
Syndrom Decoding Problem • 10/21/2021 Andreas Hülsing https: //huelsing. net 26
Lattice-based cryptography • 10/21/2021 Andreas Hülsing https: //huelsing. net 28
Shortest vector problem (SVP) 10/21/2021 Andreas Hülsing https: //huelsing. net 29
(Worst-case) Lattice Problems • 10/21/2021 Andreas Hülsing https: //huelsing. net 30
MQ, lattice & codes • Average-case versions of NP-hard problems • Best known quantum attacks: ”Quantizations” of classical attacks • Need “structured versions” for efficiency • More structure -> often easier break • Still only quantum attacks on “overstretched parameters“ • Theoretically, signatures & PKE/KEM possible 10/21/2021 Andreas Hülsing https: //huelsing. net 32
(Hash) functions •
Preimage resistance (PRE) •
Collision resistance (CR)
Second-preimage resistance (SPR) •
Hash-based signatures • 10/21/2021 Andreas Hülsing https: //huelsing. net 37
Isogeny-based crypto • Problem: find isogeny between two given elliptic curves. • New kid on the block / Late to the party • Sexy for old-school crypto people: Can reuse knowledge about elliptic curves • Only area that allows for “non-interactive key exchange“ (NIKE) 10/21/2021 Andreas Hülsing https: //huelsing. net 39
10/21/2021 Andreas Hülsing https: //huelsing. net 40
CSIDH (Castryck, Lange, Martindale, Renes, Panny) • Classical world: Diffie-Hellman key exchange operation very special • Only real post-quantum replacement for DH • Subexponential time quantum attacks (Kuperberg‘s algorithm) • Not my speciality -> ask the experts in the room 10/21/2021 Andreas Hülsing https: //huelsing. net 41
Modern post-quantum crypto „Users using cryptography on conventional computers facing quantum adversaries“ Adds questions like • How to argue security? • Are our security models sound? • What is the complexity of actual quantum attacks? 10/21/2021 Andreas Hülsing https: //huelsing. net 42
QS 0: Classical security 01/07/2019 https: //huelsing. net 43
QS 1: Post-quantum security 01/07/2019 https: //huelsing. net 44
QS 2: Quantum security 01/07/2019 https: //huelsing. net 45
For practical applications we care about QS 1 01/07/2019 https: //huelsing. net 46
NIST Competition “We see our role as managing a process of achieving community consensus in a transparent and timely manner” NIST’s Dustin Moody 2018 10/21/2021 Andreas Hülsing https: //huelsing. net 47
Status of the competition • Nov 2017: 82 submissions collected • Dec 2017: 69 “complete & proper” proposals published • -> Starts round 1 (of 2 or 3 rounds) • 6 proposals with involvement from Eindhoven • Jan 2019: 26 proposals selected for 2 nd round. • 17 KEM, 9 Signature • TU/e: 4 KEM, 2 Signature in 2 nd round! • 2022 – 2024 Draft standards exist 10/21/2021 Andreas Hülsing https: //huelsing. net 48
Implementation security 10/21/2021 Andreas Hülsing https: //huelsing. net 49
Side-channel attacks • Implementations leak information: • • Timing Power-consumption EM-radiation. . . • Implementations have to ensure that leak noncritical • New mathematical problems = new basic operations 10/21/2021 Andreas Hülsing https: //huelsing. net 50
Gaussian sampling 10/21/2021 Andreas Hülsing https: //huelsing. net 51
Resources • PQ Summer School: http: //www. pqcschool. org/ • NIST PQC Standardization Project: https: //csrc. nist. gov/Projects/Post-Quantum. Cryptography 10/21/2021 Andreas Hülsing https: //huelsing. net 52
Thank you! Questions? 10/21/2021 Andreas Hülsing https: //huelsing. net 53
- Quantum physics vs quantum mechanics
- Quantum physics vs quantum mechanics
- Rino eindhoven
- Eindhoven university of technology
- Woningprijsontwikkeling
- Rebound eindhoven
- Clausplein 6 5611 xp eindhoven
- Pvm vastgoed
- Stadsverwarming eindhoven
- Yoni nazarathy
- Hlsing
- Hlsing
- Hlsing
- Hlsing
- Hlsing
- Fsprg
- Hlsing
- Hlsing
- Hlsing
- Hlsing
- Hlsing
- Hlsing
- Hlsing
- Gkhs football
- Sarsat
- Macbeth plot
- Testimonial advertising definition
- Studying
- Lady macbeth persuasive quotes
- A bird stalks kills then eats
- David kills a bear and a lion
- Themes of hamlet
- Juliet's servant and mentor. *
- Smoking kills
- Cryptography in distributed system
- Kerckhoffs’s principle
- Lattice-based cryptography
- Ufcma
- Key management in cryptography
- Introduction to cryptography and network security
- Authentication functions in cryptography
- Introduction to cryptography
- Modular arithmetic in cryptography and network security
- Principles of public key cryptography
- Whirlpool cryptography
- Two simple hash functions
- What is cryptography
- Terminologi kriptografi adalah
- Cryptography basics