Living with postquantum cryptography - NIST Workshop on Cybersecurity in a Post-Quantum World
Living with postquantum cryptography
David McGrew, PhD Cisco Fellow
April 2, 2015
April 2, 2015 2 NIST Workshop on Cybersecurity in a Post-Quantum World

Research into PQC sponsored (in part) by Cisco

- Biasi, Barreto, Misoczki, Ruggiero, Scaling efficient code-based cryptosystems for embedded platforms, 2012
- Bernstein, Lange, Peters, Smaller decoding exponents: ball-collision decoding, CRYPTO 2011
- Bernstein, Lange, Peters, Wild McEliece Incognito, PQC 2011
- Bernstein, Grover vs. McEliece, PQC 2010
- Burleson, Paar, Heyse, Alternative Public-Key Algorithms for High-Performance Network Security, 2011

Approach

1. Prepare for threat of practical quantum computer
2. Embrace well-known postquantum-secure algorithms
   - Well established security is paramount
   - No Quantum Cryptography
3. Use systems engineering to mitigate performance issues

Identify opportunities and challenges, not detailed proposals

Cryptography

- Hash Based Signatures (HBS)
  - SHA-256
- Code Based Encryption (CBE)
  - McEliece/Niederreiter encryption
  - 800KB public keys, but fast encryption/decryption
- Symmetric cryptography
  - AES, SHA-2, SHA-3

Applications of ‘systems’ approach

- HBS for authentication
- Minimize use of public key cryptography
- Optimize transmission and storage of large public keys
- Symmetric TTP key establishment

Quantum Key Distribution Is Not Needed

| Property | Quantum key distribution |
|---|---|
| Minimal computational assumptions | Yes |
| Side channel resistance | No |
| Keys can be public | No |
| Minimal entropy requirements | No |
| Any device | No |
| High data rates | No |
| No range limitations | No |
| Point to multipoint | No |
| Any network, including wireless | No |
| Can be implemented in software | No |
| Simple | No |
Hash Based Signatures

Hash Based Signatures

- 128-bit security level
  - 16*(265 + 20) = 1392 bytes, Key Gen time = 0.4ms * 2^20 = 7m
  - 16*(34+20) = 864 bytes, Key Gen time = 2.5ms * 2^20 = 45 m
  - Multilevel schemes improve these numbers
- Stateful signing
- Good security
- Feasible and useful
Minimize use of public key cryptography

Cryptographic services used in SSL/TLS

| Service | Algorithm |
|---|---|
| End-entity authentication | Digital signatures; PKC decryption; MAC |
| Session secret establishment | DH; PKC encryption; Symmetric TTP |
| Session authenticated encryption | AEAD; MAC encryption |

SSL/TLS session establishment

- Authenticated key transport
- Revocation/authorization check
- Session key establishment
- Encrypted, authenticated session

[Diagram labels: Asymmetric; Symmetric]

SSL/TLS session establishment – session resumption

- Authenticated key transport
- Revocation/authorization check
- Session key re-establishment
- Encrypted, authenticated session

[Diagram labels: Asymmetric; Symmetric]

SSL/TLS long-lived sessions & session resumption

- Authenticated key transport
- Revocation/authorization check
- Session key (re)establishment
- Encrypted, authenticated session

[Diagram labels: Asymmetric; Symmetric; Once per peer; Once per session]

TLS

[Figure: axis labelled M, T, W, R, F; label: Asymmetric and symmetric]

TLS with Session Resumption

[Figure: axis labelled M, T, W, R, F; labels: Symmetric; Asymmetric and symmetric]

Issue: per-peer state

- State must be stored for each peer
  - Problematic for small devices
  - Problematic in web model
- Solution: state avoidance through encryption with local key
  - Enables server to maintain shared secret with N devices with O(1) state
- RFC 5077, TLS Session Resumption w/o Server-Side State
  - ~ 64 bytes of state

Issues with long-lived sessions and session resumption

- Revocation check needed
  - Should use symmetric cryptography
  - Could be external to TLS
- Forward security is desirable
  - Could be achieved through use of PRF key updating function
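
The two ideas from the per-peer state slide and the long-lived sessions slide, state avoidance through encryption with a local key and a PRF key updating function, shown together in an added example (not code from the talk or from RFC 5077). The names `StatelessServer` and `prf`, the ticket layout, the labels and the HMAC-SHA256 encrypt-then-MAC construction are assumptions chosen to stay within the Python standard library; a deployment would use a standard AEAD such as AES-GCM.

```python
import hashlib, hmac, os, struct

LIFETIME = 3600  # ticket lifetime in seconds (constructed value)

def prf(key: bytes, label: bytes, n: int = 32) -> bytes:
    """HMAC-SHA256 in counter mode, used as KDF, keystream and key-update PRF."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, label + struct.pack(">I", ctr), hashlib.sha256).digest()
    return out[:n]

class StatelessServer:
    def __init__(self):
        self.local_key = os.urandom(32)  # only secret the server keeps: O(1) for N peers

    def _keys(self, nonce: bytes):
        return prf(self.local_key, b"enc" + nonce), prf(self.local_key, b"mac" + nonce)

    def seal(self, peer_id: bytes, secret: bytes, expires: int) -> bytes:
        """Encrypt-then-MAC the per-peer state; the peer stores the result."""
        nonce = os.urandom(16)
        enc_key, mac_key = self._keys(nonce)
        plain = struct.pack(">QH", expires, len(peer_id)) + peer_id + secret
        ct = bytes(a ^ b for a, b in zip(plain, prf(enc_key, b"stream", len(plain))))
        tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def open(self, ticket: bytes, now: int):
        """Return (peer_id, secret), or None if forged, truncated or expired."""
        if len(ticket) < 16 + 10 + 32:
            return None
        nonce, ct, tag = ticket[:16], ticket[16:-32], ticket[-32:]
        enc_key, mac_key = self._keys(nonce)
        expect = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):  # verify before decrypting
            return None
        plain = bytes(a ^ b for a, b in zip(ct, prf(enc_key, b"stream", len(ct))))
        expires, id_len = struct.unpack(">QH", plain[:10])
        if now >= expires or 10 + id_len > len(plain):
            return None
        return plain[10:10 + id_len], plain[10 + id_len:]

    def resume(self, ticket: bytes, now: int):
        """Open a ticket, advance the secret with the PRF, issue a fresh ticket."""
        opened = self.open(ticket, now)
        if opened is None:
            return None
        peer_id, old = opened
        new = prf(old, b"key update")  # one-way step: new does not reveal old
        return new, self.seal(peer_id, new, now + LIFETIME)

def demo(n_peers: int = 100) -> int:
    """Constructed run: n_peers devices resume against one server key."""
    server, now, agreed = StatelessServer(), 1_000_000, 0
    for i in range(n_peers):
        peer_id, secret = b"device-%d" % i, os.urandom(32)
        ticket = server.seal(peer_id, secret, now + LIFETIME)  # after a full handshake
        new_secret, _ = server.resume(ticket, now + 10)
        agreed += new_secret == prf(secret, b"key update")  # client-side update
    return agreed
```

Anyone holding `local_key` can open every recorded ticket, so the key update protects earlier secrets only if `local_key` is itself rotated and erased on a schedule.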
Optimize transmission and storage

Optimize transmission and storage

[Diagram: H-devices and L-devices; links labelled High bandwidth (Gb/s), High bandwidth (Gb/s) and Low bandwidth (Mb/s)]

Time to send 800KB key

[Diagram: H-devices and L-devices; links labelled 40 Gb/s, 40 Gb/s and 1 Mb/s; times labelled 6.25s and 0.00015s]

Using large public keys in TLS

Simplified TLS – Protocol 4.24, Boyd and Mathuria, PFAKM

[Diagram: parties C and S; key labels K_S and K_C; messages in order:]

1. N_C
2. N_S, K_S
3. E_{K_S}(PMK), Sig_{K_C}(M1), {M2}_K
4. {M3}_K

[Annotations: Revocation Check; Large key, slow link!]

Using large public keys in ‘reversed’ TLS

[Diagram: parties C, S and R; key labels K_S and K_C; messages in order:]

1. N_S
2. N_C, K_C
3. E_{K_C}(PMK), Sig_{K_S}(M1), {M2}_K
4. {M3}_K

Using large public keys in ‘reversed’ TLS

[Diagram: parties C, S and R; key labels K_S and K_C; messages in order:]

1. N_S
2. N_C, ID_C
3. E_{K_C}(PMK), Sig_{K_S}(M1), {M2}_K
4. {M3}_K

[Further labels: ID_C; K_C; Lots of keys]

What did we achieve?

- Avoid transmitting large public keys across slow links
- Avoid storing large public keys on endpoints
- Leverage public cloud
  - Storing public keys
  - Revocation service
Symmetric TTP for encryption

Trusted Third Party Key Establishment

[Diagram labels: ACME; Internet]

Trusted Third Party key management

- Easily postquantum secure
- Can use standards like krb5
- Can use server state avoidance to minimize storage cost

Threshold Trusted Third Party Key Establishment

[Diagram labels: ACME; ACE; Internet]

Group Keys for Encryption with Hash-based signatures

[Diagram labels: ACME; Internet]

Trusted Third Party key management - issues

- TTP is high-risk target
  - Could use key sharing / threshold to mitigate risk
- Scalability
  - State avoidance
  - Hierarchical TTP

Hierarchical TTP

[Diagram: nodes C, B and A; key labels "K_A, K_B, K_C", "K_B", "K_A" and "K_C"]

Conclusions

- Engineering for large keys is feasible and useful
  - We can solve many of today’s Communications Security problems this way
- Best promise
  - HBS
  - Minimizing and optimizing public key use
  - Revocation using HBS or symmetric cryptography
  - TTP for encryption keys
  - Multiple TTPs
  - HBS authentication
Thank you.