5. Problems:
The size of the key must be the
same as message (quite large)
Is secure if one key is used once to
decrypt only one message.
One-time pad
6. c1 = k m1
c2 = k m2
Attacker is able:
c1 c2 = (k m1) (k m2) = m1 m2
Leaks information about m1 and m2
Use key twice ?
7. G – defined polynomial time algorithm
G increases: |G(x)| = p(|x|) > |x|
PRGs
seed
G
output
10. “Plain” RSA encryption
m = [cd mod N]
(N, e, d) RSAGen(1n)
pk = (N, e)
sk = d
N, e
c = [me mod N]
c
11. GOOGLE Corporation, in conjunction with with the company D-Wave signed
contract about creating quantum computers. D-Wave 2X - is the newest quantum
processor, which contains 2,048 physical qubits. To perform calculations in the
processor are used 1152 qubits.
Each additional qubit doubles the data search area, thus is also significantly
increased the calculation speed. Quantum computers will destroy systems based on
the problem of factoring integers (e.g., RSA). RSA cryptosystem is used in different
products on different platforms and in different areas.
Quantum computers
RSA system is widely used in operating systems from Microsoft, Apple, Sun, and Novell. In hardware performance
RSA algorithm is used in secure phones, Ethernet, network cards, smart cards, and is also widely used in the
cryptographic hardware. Along with this, the algorithm is a part of the underlying protocols protected Internet
communications, including S / MIME, SSL and S / WAN, and is also used in many organizations, for example,
government, banks, most corporations, public laboratories and universities.
12. RSA BSAFE encryption technology is used approximately by 500
million users worldwide. Since in encryption technology is mostly
used the RSA algorithm, it can be considered one of the most
common public key cryptosystems being developed together with
the development of the Internet.
On this basis the RSA destruction will entail easy hacking of most
products that can grow into a complete chaos.
RSA BSAFE
13. Hash-based Digital Signature Schemes: One of RSA alternatives are Hash-based Digital
Signature Schemes. The safety of these systems depends on the security of cryptographic
hash functions.
A code-based public-key encryption system: McEliece example. In this system the public
key is (Gnew, t), and the private key is (S, G, P), where G is k x n generator matrix for the
code C. C is random binary (n, k)-linear code, that is capable to improve t errors. N is the
number of code words, k is dimension of C. S is a random k x k binary nonsingular
matrix. P is a random n x n binary permutation matrix. Gnew = S * G * P; k x n matrix. To
encrypt the message we must encrypt message m as a binary string with the length k; cyp
= m x Gnew; is generated random n-bit error vector v with the weight t. The cypher is
calculated as c= cyp+v. For decoding is calculated cyp = c*P-1; Using decryption algorithm
of C is calculated mnew= m*S => m= mnew*S-1
RSA ALTERNATIVES
14. Lattice-based Cryptography: proofs are based on worst-case hardness.
Multivariate public key cryptosystem – MPKCs: have a set of(usually) quadratic
polynomials over a finite field. Security assumption is backed by the NP-hardness of
the problem to solve nonlinear equations over a finite field.
RSA ALTERNATIVES
15. To date are already found successful attacks on this crypto system.
The Ph.D. candidate of Dublin City University (DCU) Neill
Costigan with the support of Irish Research Council for Science,
Engineering and Technology (IRCSET), together with professor
Michael Scott, Science Foundation Ireland (SFI) member
successfully were able to carry out an attack on the algorithm. To
do this they needed 8,000 hours of CPU time. In the attack
representatives of four other countries took part. Scientists have
discovered that the initial length of the key in this algorithm is
insufficient and should be increased.
This system cannot be also used to encrypt the same message
twice and to encrypt the message when is known it’s relation
with the other message.
Successful attacks
16. Should be noted the importance of efficiency spectrum. To date experts have reached quite good
results in the speed algorithm processing. According to the investigation results it becomes clear
that the proposed post-quantum cryptosystems are relatively little effective. Implementation of
the algorithms requires much more time for their processing and verification.
Inefficient cryptography may be acceptable for the general user, but it cannot be acceptable for
the internet servers that handle thousands of customers in the second. Today, Google has already
has problems with the current cryptography. It is easy to imagine what will happen when
implementing crypto algorithms will take more time.
The development and improvement of modern cryptosystems will take years. Moreover, all the
time are recorded successful attacks on them. When is determined the encryption function, and it
becomes standard, it needs the appropriate implementation of the corresponding software, and in
most cases, hardware.
17. During the implementation it is necessary to ensure not only correct work of the
function and the speed of its efficiency, but also to prevent any kind of leaks. Recently
have been recorded successful «cache-timing» attacks on RSA and AES system, as a
result of that Intel has added the AES instructions to its processors.
McEliece system is vulnerable to attacks, related to side channel attacks. Was shown
the successful timing attack on Patterson algorithm. This attack does not detect the key,
but detects an error vector that can successfully decrypt the message cipher.
As we can see, for the creation and implementation of safe and effective post-quantum
cryptosystems it is necessary to fulfill the rather big work. From the foregoing it is clear
that today we are not ready to transfer cryptosystems into post-quantum era. In the near
future we cannot be sure in the reliability of the systems.
18. Traditional digital signature systems that are used in practice are vulnerable to quantum
computers attacks. The security of these systems is based on the problem of factoring large
numbers and calculating discrete logarithms. Scientists are working on the development of
alternatives to RSA, which are protected from attacks by quantum computer. One of the
alternatives are hash based digital signature schemes. These systems use a cryptographic
hash function. The security of these digital signature systems is based on the collision
resistance of the hash functions that they use.
RSA ALTERNATIVES – HASH BASED
19. Keys generation in this system occurs as follows: the signature key X of this system
consists of 2n lines of length n, and is selected randomly.
X= (xn-1[0], xn-1[1], …, x0[0], x0[1]) ∈ {0,1} n,2n
Verification key Y of this system consists of 2n lines of length n, and is selected
randomly.
Y= (yn-1[0], yn-1[1], …, y0[0], y0[1]) ∈ {0,1} n,2n
This key is calculated as follows:
yi[j] = f(xi[j]), 0<=i<=n-1, j=0,1
f – is one-way function:
f: {0,1} n {0,1} n;
To generate the verification key, it is needed to use the function f 2n time.
LAMPORT–DIFFIE ONE-TIME SIGNATURE SCHEME (KEY
GENERATION)
20. To sign a message m of arbitrary size, we transform it into size n using the
hash function:
h(m)=hash = (hashn-1, … , hash0)
Function h- is a cryptographic hash function:
h: {0,1} *{0,1} n
The signature is done as follows:
sig= (xn-1[hashn-1], …, x0[hash0]) ∈ {0,1} n,n
i-th string in this signature is equals to xi[0], if i-th bit in sign is equal to 0.
The string is equal to xi[1], if i-th bit in sign is equal to 1.
Signature length is n2 and during signature we do not use f function.
DOCUMENT SIGNATURE
21. To verify the signature sig = (sign-1, …, sig0), is calculated hash of the message hash =
(hashn-1, … , hash0) and the following equality is checked:
(f(sign-1), …, f(sig0)) = (yn-1[hashn-1], …, y0[hash0])
If the equation is true, then the signature is correct.
For the verification f function must be used n times.
DOCUMENT VERIFICATION
22. Keys generation in this system occurs as follows: the signature key X of this
system consists of n lines of length p, the key is selected randomly. Winternitz
parameter is selected w> = 2, it is equal to the number of bits to be signed
simultaneously. Is calculated p1=n/w and p2=(log2p1 +1+w)/w, p= p1+ p2
The signature key X of this system consists of p lines of length n selected
randomly:
X= (xp-1[0], …, x0) ∈ {0,1} n,p
Verification key is following:
Y= (yp-1[0], …, y0) ∈ {0,1} n,p, where
yi=f2^w-1(xi), 0<=i<=p-1
The length of the signature and the verification key is equal to np bits, and to
generate the verification key, function f must be used p(2w-1) times.
WINTERNITZ ONE TIME SIGNATURE SCHEME.
KEY GENERATION
23. We hash the message hash=h(m) and prepend to hash the minimum number of zeros in
order to get the length of hash devisable by w. Afterwards we divide it into p1 parts of
length w.
hash=kp-1,…, kp-p1
the checksum is calculated:
с=∑i=p-p1
p-1(2w-ki)
as c<= p12w, the length of its binary representation is log2 p12w+1
We prepend to its binary representation the minimum number of zeros in order to get
the length of representation devisable by w, and divide it into p2 parts of length w.
с=kp2-1,…, k0
we calculate the signature of the message m:
sig=(f^kp-1(xp-1), …, f^k0(x0))
In the worst case, for the signature function f must be used ,p(2w-1) times. Signature size
is pn.
SIGNATURE GENERATION
24. For signature verification sig = (sign-1, …, sig0) bit strings are calculated kp-
1,…, k0.
We verify the following equality:
(f^(2w-1-kp-1))(sign-1), …, (f^(2w-1-k0))(sig0) = yn-1, … y0
If the signature is correct, then sigi =f^ki(xi), so
(f^(2w-1-ki))(sigi)= (f^(2w-1))(xi)=yi is equal for every i=p-1,…, 0
In the worst case, for the signature verification function f must be used
,p(2w-1) times
SIGNATURE VERIFICATION
25. One-time signature schemes are very inconvenient to use, because to sign each message, you
need to use a different key pair. Merkle crypto-system was proposed to solve this problem.
This system uses a binary tree to replace a large number of verification keys with one public
key, the root of a binary tree. This cryptosystem uses an one-time Lamport or Winternitz
signature scheme and a cryptographic hash function:
h:{0,1}*{0,1}n
Key generation: The length of the tree is chosen H>=2, with one public key it is possible to
sign 2H documents. 2H signature and verification key pairs are generated; Xi, Yi, 0<=i<=2H.
Xi- is signature key, Yi- is verification key. h(Yi) are calculated and are used as the leaves of
the tree. Each tree node is a hash value of concatenation of its children.
MERKLE
27. To sign a message m of arbitrary size we transform it into size n using the hash
function
h (m) = hash, and generate an one-time signature using any one-time key Xany , the
document's signature will be the concatenation of: one time signature, one-time
verification key Yany, index any and all fraternal nodes authi in relation to Yany.
Signature= (sig||pub||any|| Yany||auth0,…,authH-1)
Signature verification:
To verify the signature we check the one-time signature of sig using Yany, if it is true,
we calculate all the nodes a [i, j] using “authi”, index “any” and Yany. We compare the
last node, the root of the tree with public key, if they are equal, then the signature is
correct.
SIGNATURE GENERATION
28. To generate a public key you need to calculate and store 2H pairs of one-time keys. Storing
this amount of information is not effective in practice. In order to save space, it was
suggested to use the PRNG random number generator. When using PRNG, it is sufficient to
store only the seed of the generator and use it to generate one-time keys. It is necessary to
calculate one-time keys twice: once in the key generation stage and then in the signature
stage of the message. PRNG receives a seed of length n and outputs a new seed and a
random number of length n.
PRNG : {0, 1}n: {0, 1}n x {0, 1}n
Key generation using PRNG:
We choose randomly the seed s0 of length n, using si we work out soti, as following:
PRNG(si) = (soti , si+1) 0 ≤ i <2H
soti changes each time when PRNG launches. For Xi key calculation it is enough to know
only si.
PRNG INTEGRATION
30. Quantum computers are able to crack PRNG, which were considered safe against attacks of
classical computers. A polynomial quantum time attack on PRNG Blum-Micali is shown.
This PRNG is considered safe from threats of standard computers. This attack uses Grover
algorithm along with the quantum discrete logarithm, and is able to restore the values at the
generator output for this attack. The attacks like these represent a threat of cracking PRNG,
used in many real-world crypto systems. As we see, Merkle crypto system with built-in
PRNG can be vulnerable to attacks of quantum computers. We suggest using a true random
number generator based on qubits, TRNG.
Breaking PRNG
31. Let’s consider a system with one qubit. The quantum state of a qubit is denoted by: α|0>+β |1>,
where α and β are complex numbers; |α|2+ |β|2=1
|0> - is the ground state of qubit, |1>- is the excited state of qubit
This qubit is in the state |0> with probability α2 and likewise in a state |1> with probability β2.
When a qubit is measured, it is in one of two states with probability 1.
Let’s consider a system with two qubits. The quantum state of two qubits is denoted by:
α00|00>+ α01 |01>+ α10|10>+ α11 |11>
where αi are complex numbers; ∑| αi|2=1.
We connect these qubits using Bell state, in this case the quantum state of these qubits is
denoted by:
1/21/2|00>+1/21/2|11>, so when we measure a given qubit, it will be in a state |0> with probability
½ and likewise in a state |1> also with probability ½. When we measure the second qubit, it
will be in the opposite state of the first qubit when we measured it with probability 1.
When we measure n qubits we can get the true number of size n.
Quantum TRNG
32. Key generation using quantum TRNG:
We choose the tree height H>=2. We can sign 2H documents using one public
key. A connection is established between two qubits using Bell state. We take
2H pairs of such qubit sets qi and bi ; every qi and bi consists of n qubits.
0<=i<=2H; We measure 2H*n qubits qi and we get 2H signature keys Xi and
calculate the verification keys Yi. h(Yi) are calculated and are used as leaves of a
tree.
Signature and verification of the message:
To sign a message m of arbitrary size we transform it into size n using the hash
function h(m) = hash, we measure any set, that contains n qubits , bany
qany=Xany with probability equal to 1. We generate one time signature using one-
time signature key Xany, the document's signature will be the concatenation of:
one time signature, one-time verification key Yany, index “any” and all fraternal
nodes authi in relation to Yany.
Signature= (sig||pub||any|| Yany||auth0,…,authH-1)
Verification of the message occurs similarly to the standard Merkle system.
Security of the system with built-in quantum TRNG.
The system is secure, because we do not change the principle of the crypto
system, but only integrate TRNG, to reduce the size of the signature key. TRNG
is completely safe; it is based on the state of qubits, which are real random
numbers.
33. Lamport Winternitz Merkle
Use f to
generate keys
2n p(2w-1) 2H+1-1
Use f to
calculate the
signature
Is not used p(2w-1)
Use f to
generate verify
the signature
n p(2w-1)
34. We propose to use as the hash function, the lattice-based hash function, and to use lattice
based one-way function as an one-way function in hash-based digital signature schemes.
Hash functions are considered resistant to quantum computer attacks, but the Grover
algorithm allows us to achieve quadratic acceleration in the search algorithms. It means that
hash functions must be complicated to be secure against quantum computers attacks. Studies
are conducted to determine the cost of attacks on SHA2 and SHA3 families of hash functions,
using the Grover algorithm
ONE WAY and HASH
35. Collision resistant hash functions based on lattices were proposed. Ajtai
suggested the family of hash functions, the security of which is based on
the worst case, the SVP with approximation ratio of nc, where n is
constant. To construct a family of hash functions as parameters are used
integers: n, m, q and d.
Parameter n defines the safety of hash function. The key to a hash
function specified by the matrix M, chosen uniformly from Z q
n×m. Hash
function is
hM : {0, . . . , d−1}m → Zq
n. The function maps mlogd bits to nlogq bits
for input compression, m> log q / log d. This hash function is very easy
to implement, because we use only addition and multiplication modulo
q, which size is O (log n).
Systems based on lattices
36. We propose to use as the hash function, the lattice-based hash function, and to use lattice
based one-way function as an one-way function in hash-based digital signature schemes.
The family of one-way functions, suggested by Ajtai, can be used. In the case of hash
functions, as the key, we select the matrix K from Zn×m
a, which transforms mlog b into nlog
a number of bits and we calculate h(x) = Kx mod a.
In the case of a one-way function, we select the matrix K from Zm×m
b, as the key. It
transforms mlog b into mlog b number of bits and we compute f(x) = Kx mod a.
HASHED MERKLE
37. Should be noted the problem of the effectiveness of these functions, the size of their key
grows quadratically in n, so these functions are ineffective. Due to the attacks on these
functions by combinatorial method , for the security of 100-bit, you need to use a key of
500,000 bits size.
Efficiency problems
38.
39.
40.
41.
42. MAKSIM IAVICH
SCIENTIFIC CYBER SECURITY ASSOCIATION ; CAUCASUS UNIVERSITY
T. +(995 595) 511355; E-mail: m.iavich@scsa.ge
www.scsa.ge
Scientific&practical cyber security journal – www.journal.scsa.ge
THANK YOU! QUESTIONS?