
Post on 21-May-2020


Introduction to Post-Quantum Cryptography
ece.gmu.edu/coursewebpages/ECE/ECE646/F17/viewgraphs_F17/EC…

8/30/17

CERG @ GMU
http://cryptography.gmu.edu

10 PhD students
3 MS students


3

Features Required from Today’s Ciphers

FUNCTIONALITY
• easy key distribution
• digital signatures

STRENGTH

PERFORMANCE
• software
• hardware

4

Secret-key (Symmetric) Ciphers

[Diagram: Alice encrypts with the key of Alice and Bob, K_AB; the ciphertext crosses the network; Bob decrypts with the same key of Alice and Bob, K_AB.]

Most Popular Standards: AES, Triple DES


5

Features of Secret-Key Ciphers

FUNCTIONALITY
• easy key distribution
• digital signatures

STRENGTH

PERFORMANCE
• software
• hardware

Best attack: Exhaustive-key search, 2^k trials for a k-bit key

Primary Application: Bulk data encryption

6

Public-key (Asymmetric) Ciphers

[Diagram: Alice encrypts with the public key of Bob, K_B; the ciphertext crosses the network; Bob decrypts with the private key of Bob, k_B.]

Most Popular Standards: RSA, Elliptic Curve Cryptography (ECC)


7

Digital Signature Schemes

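[Diagram: Alice passes the message through a hash function and applies the public key cipher, keyed with Alice’s private key, to the hash value; the result is the signature. The message and the signature are sent to Bob. Bob obtains two hash values (Hash value 1, Hash value 2), one by passing the received message through the hash function and one by applying the public key cipher, keyed with Alice’s public key, to the signature, and compares them: yes / no.]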
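The signing and verification flow of the diagram above, as an added Python example that is not part of the original slides. The toy RSA key (built from two small Mersenne primes), the truncated SHA-256 hash and all function names are assumptions made for illustration; real signatures use full-size keys and a padding scheme.

```python
import hashlib

# Toy RSA key built from two known Mersenne primes (constructed for this
# example; far too small for real use). The private exponent D is derived
# from P and Q, which is why factoring N breaks the scheme.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q                          # public modulus
E = 65537                          # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)


def hash_value(message: bytes) -> int:
    """Hash function box: SHA-256 truncated to 128 bits so the value is < N."""
    return int.from_bytes(hashlib.sha256(message).digest()[:16], "big")


def sign(message: bytes) -> int:
    """Alice: hash the message, then apply the public key cipher
    with her private key to the hash value."""
    return pow(hash_value(message), D, N)


def verify(message: bytes, signature: int) -> bool:
    """Bob: recover one hash value from the signature with Alice's public
    key, compute the other from the received message, compare (yes / no)."""
    if not 0 <= signature < N:
        return False
    from_signature = pow(signature, E, N)
    from_message = hash_value(message)
    return from_signature == from_message


if __name__ == "__main__":
    msg = b"transfer 100 to Bob"                 # constructed sample message
    sig = sign(msg)
    print(verify(msg, sig))                      # genuine message and signature
    print(verify(b"transfer 900 to Bob", sig))   # message altered in transit
    print(verify(msg, (sig + 1) % N))            # signature altered in transit
```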

8

Features of Public-Key Ciphers

FUNCTIONALITY
• easy key distribution
• digital signatures

STRENGTH

PERFORMANCE
• software
• hardware

Best attack: Solving the underlying math problem, such as factoring of large integers: Given N = P·Q, find P and Q.

Primary Applications:
• Exchange of keys for secret-key ciphers
• Digital signatures


Five security levels & corresponding key sizes allowed by American government

NIST SP 800-56

Level | Symmetric ciphers | ECC | RSA
I | 80 | 160 | 1024
II | 112 | 224 | 2048
III | 128 | 256 | 3072
IV | 192 | 384 | 8192
V | 256 | 512 | 15360

10

Threat of Quantum Computers

• First perceived by physicists (R. Feynman, D. Deutsch) in 1980s

• First significant quantum algorithms (capable of running on quantum computers only) developed in 1990s

• First practical realization in 1998 (2 qubits)

• Significant technological breakthroughs during the last 20 years

• Quantum Artificial Intelligence lab started by Google in 2013

• IBM quantum processor (16-17 qubits) in 2017

Photo: Vandersypen, PQCrypto 2017


11

Major advances during the last 20 years

Source: Vandersypen, PQCrypto 2017

Timeline of Quantum Computing: https://en.wikipedia.org/wiki/Timeline_of_quantum_computing

12

Effect on Secret-Key Algorithms

1996: Grover’s Algorithm, reduces the time of the exhaustive-key search for secret key ciphers

from 2^k to 2^(k/2) operations, for a k-bit key, e.g.,
from 2^128 to 2^64 operations, for a 128-bit key, or
from 2^256 to 2^128 operations, for a 256-bit key

assuming a sufficiently powerful and reliable quantum computer available

Easy Countermeasure: Double the size of a key


13

Effect on Public-Key Algorithms

1994: Shor’s Algorithm, breaks major public key cryptosystems based on

factoring: RSA

discrete logarithm problem: DSA, Diffie-Hellman

Elliptic Curve discrete logarithm problem: Elliptic Curve Cryptosystems

independently of the key size, assuming a sufficiently powerful and reliable quantum computer available

No known countermeasures
New algorithms and standards required

14

Post-Quantum Cryptography

Public-key cryptographic algorithms for which there are no known attacks using quantum computers

Capable of
• being implemented using any traditional methods, including software and hardware
• running efficiently on any modern computing platforms: PCs, tablets, smartphones, servers with FPGA accelerators, etc.


15

Post-Quantum Cryptography Efforts

• New public-key cryptographic families: mid-1990s-present
• D.J. Bernstein introduces the term post-quantum cryptography: 2003
• Series of PQCrypto Conferences: 2006-present
• NIST Workshop on Cybersecurity in a Post-Quantum World 2015
• NIST announcement of standardization plans at PQCrypto 2016, Fukuoka, Japan, Feb. 2016
• NIST Call for Proposals and Request for Nominations for Public-Key Post-Quantum Cryptographic Algorithms: Dec. 2016
  Deadline for submitting candidates: November 30, 2017

16

Post-Quantum Cryptography NIST Project

• NIST Call for Proposals and Request for Nominations for Public-Key Post-Quantum Cryptographic Algorithms: Dec. 2016
  Deadline for submitting candidates: November 30, 2017

Source: Moody, NIST 2017


17

Promising PQC Families

Family Encryption Signature Key Agreement

Hash-based XX

Code-based XX X

Lattice-based XX X

Multivariate X XX

Supersingular Elliptic Curve Isogeny XX

XX – high-confidence candidates, X – medium-confidence candidates

18

Promising PQC Algorithms

Family | Encryption & Key Exchange | Signature
Hash-based |  | XMSS (2011), SPHINCS (2015)
Code-based | McEliece (1978), Niederreiter (1986) | CFS (2001)
Lattice-based | NTRUEncrypt (1996), Ring-LWE (2010), NewHope (2016), Kyber (2017) | pqNTRUSign (2001-2017), BLISS (2013), Dilithium (2017)
Multivariate | PMI+ (2004), SRP (2015) | Unbalanced Oil and Vinegar (1999), HFEv-, QUARTZ (2001), Rainbow (2005)


19

Algorithms Selected for a Pilot Study

1. NTRUEncrypt Short Vector Encryption Scheme (SVES)
   fully compliant with IEEE 1363.1 Standard Specification for Public Key Cryptographic Techniques Based on Hard Problems over Lattices

   Parameter sets:
   • Optimized for speed
   • 192-bit security: ees1087ep1: p=3, q=2048, N=1087, df=dr=63
   • 256-bit security: ees1499ep1: p=3, q=2048, N=1499, df=dr=79

2. Multivariate Rainbow Signature Scheme

   Parameter set:
   • (17,12)(1,12)
   • 80-bit security level

20

Our Objectives

Paving the way for the future comprehensive, fair, and efficient hardware benchmarking of PQC candidates through

1. Uniform Hardware API

2. Uniform & Efficient Development Process


21

Proposed Uniform Hardware API

Minimum Compliance Criteria
• Encryption & decryption, or Signature generation & verification
• External key generation (e.g., in software)
• Permitted data port widths, etc.

Communication Protocol

Interface Timing Characteristics

22

Comparative Analysis of Implementation Difficulties

Feature | NTRUEncrypt | Rainbow SS
High-security levels | Easy to implement | Challenging to implement
Key sizes | Small | Very Large
Support for multiple parameter sets swapped at run time | Relatively easy to implement | Challenging to implement
Component operations | Standard: variable rotator, hash function | Complex: System of Linear Equation Solver
Dependence of the execution time on message size | Strong | Weak


23

Outcomes of Our Pilot Study

• First hardware implementation of the full NTRUEncrypt-SVES scheme

• Hardware optimization for speed revealed the hash function bottleneck

• Changes in the NTRUEncrypt standards recommended to overcome this bottleneck

• State of the art implementation of the Rainbow Signature Scheme comparable to the earlier results by Tang et al. from PQCrypto 2011

• New PQC Hardware API, paving the way for the fair evaluation of candidates in the NIST standardization process

24

Challenges of PQC Benchmarking

• Complex mathematical descriptions
• Large public and private keys
• Security vs. feasibility & cost trade-offs
• Quickly evolving algorithms and algorithm variants
• Uncertainty about parameter values corresponding to a given security level


See Quantum Computing & Post-Quantum Cryptography Projects