
Lattice based Merkle for post-quantum epoch


Maksim Iavich in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.

The videos and other presentations can be found on https://def.camp/archive


  1. Lattice based Merkle for post-quantum epoch. Maksim Iavich
  2. Private Key Encryption (diagram): key $k$, message $m$, ciphertext $c$. Encryption: $c := \mathrm{Enc}_k(m)$. Decryption: $m := \mathrm{Dec}_k(c)$. $\mathrm{Dec}_k(\mathrm{Enc}_k(m)) = m$.
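  3. One-time pad: $M = \{0,1\}^n$. Gen: $k \leftarrow \{0,1\}^n$. $\mathrm{Enc}_k(m) = k \oplus m$. $\mathrm{Dec}_k(c) = k \oplus c$. Truth: $\mathrm{Dec}_k(\mathrm{Enc}_k(m)) = k \oplus (k \oplus m) = (k \oplus k) \oplus m = m$. XOR table: $0 \oplus 1 = 1$, $0 \oplus 0 = 0$, $1 \oplus 0 = 1$, $1 \oplus 1 = 0$; $A \oplus A = 0$.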
  4. One-time pad (diagram): key, n bits; message, n bits; cipher text, n bits.
  5. One-time pad, problems: The key must be the same size as the message (quite large). It is secure only if one key is used once, for only one message.
  6. Use key twice? $c_1 = k \oplus m_1$, $c_2 = k \oplus m_2$. The attacker is able to compute $c_1 \oplus c_2 = (k \oplus m_1) \oplus (k \oplus m_2) = m_1 \oplus m_2$. This leaks information about $m_1$ and $m_2$.
  7. PRGs: G is a deterministic polynomial-time algorithm. G is expanding: $|G(x)| = p(|x|) > |x|$. Diagram: seed, G, output.
  8. “Pseudo” one-time pad (diagram): the key of n bits is passed through G to give a “pseudo” key of p bits, which is XORed with the message of p bits to give the cipher text of p bits. By this means the key size is increased.
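  9. Public-key encryption (diagram): the receiver holds $(pk, sk)$ and publishes $pk$; the sender computes $c \leftarrow \mathrm{Enc}_{pk}(m)$ and sends $c$; the receiver computes $m = \mathrm{Dec}_{sk}(c)$.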
  10. “Plain” RSA encryption: $(N, e, d) \leftarrow \mathrm{RSAGen}(1^n)$; $pk = (N, e)$, $sk = d$. The public key $N, e$ is published. Encryption: $c = [m^e \bmod N]$. Decryption: $m = [c^d \bmod N]$.
  11. Quantum computers: Google, in conjunction with the company D-Wave, signed a contract to create quantum computers. The D-Wave 2X is the newest quantum processor; it contains 2,048 physical qubits, of which 1,152 are used to perform calculations. Each additional qubit doubles the data search area, which also significantly increases the calculation speed. Quantum computers will destroy systems based on the problem of factoring integers (e.g., RSA). The RSA cryptosystem is used in different products, on different platforms and in different areas. It is widely used in operating systems from Microsoft, Apple, Sun, and Novell. In hardware, the RSA algorithm is used in secure phones, Ethernet, network cards and smart cards, and is also widely used in cryptographic hardware. The algorithm is also part of the underlying protocols of protected Internet communications, including S/MIME, SSL and S/WAN, and is used in many organizations, for example governments, banks, most corporations, public laboratories and universities.
  12. RSA BSAFE: RSA BSAFE encryption technology is used by approximately 500 million users worldwide. Since this encryption technology mostly uses the RSA algorithm, RSA can be considered one of the most common public key cryptosystems, developed together with the development of the Internet. On this basis, the destruction of RSA will make most products easy to hack, which can grow into complete chaos.
  13. RSA ALTERNATIVES: Hash-based digital signature schemes are one of the alternatives to RSA. The safety of these systems depends on the security of cryptographic hash functions. A code-based public-key encryption system, with McEliece as the example: in this system the public key is $(G_{new}, t)$ and the private key is $(S, G, P)$, where $G$ is the $k \times n$ generator matrix for the code $C$. $C$ is a random binary $(n, k)$-linear code that is capable of correcting $t$ errors. N is the number of code words, and $k$ is the dimension of $C$. $S$ is a random $k \times k$ binary nonsingular matrix. $P$ is a random $n \times n$ binary permutation matrix. $G_{new} = S \cdot G \cdot P$ is a $k \times n$ matrix. To encrypt, the message $m$ is represented as a binary string of length $k$ and $cyp = m \cdot G_{new}$ is computed; a random $n$-bit error vector $v$ of weight $t$ is generated, and the cipher text is calculated as $c = cyp + v$. To decrypt, $cyp = c \cdot P^{-1}$ is calculated; using the decoding algorithm of $C$, $m_{new} = m \cdot S$ is calculated, and then $m = m_{new} \cdot S^{-1}$.
  14. RSA ALTERNATIVES: Lattice-based cryptography: proofs are based on worst-case hardness. Multivariate public key cryptosystems (MPKCs): these have a set of (usually) quadratic polynomials over a finite field. The security assumption is backed by the NP-hardness of the problem of solving nonlinear equations over a finite field.
  15. Successful attacks: Successful attacks on this cryptosystem have already been found. Neill Costigan, a Ph.D. candidate at Dublin City University (DCU), with the support of the Irish Research Council for Science, Engineering and Technology (IRCSET), together with professor Michael Scott, a Science Foundation Ireland (SFI) member, successfully carried out an attack on the algorithm. To do this they needed 8,000 hours of CPU time. Representatives of four other countries took part in the attack. The scientists discovered that the initial length of the key in this algorithm is insufficient and should be increased. This system also cannot be used to encrypt the same message twice, or to encrypt a message when its relation to another message is known.
  16. The importance of efficiency should be noted. To date, experts have reached quite good results in the processing speed of algorithms. According to the results of investigations, it is clear that the proposed post-quantum cryptosystems are relatively inefficient: the algorithms require much more time for processing and verification. Inefficient cryptography may be acceptable for the general user, but it is not acceptable for internet servers that handle thousands of customers per second. Today, Google already has problems with current cryptography; it is easy to imagine what will happen when crypto algorithms take more time. The development and improvement of modern cryptosystems will take years. Moreover, successful attacks on them are recorded all the time. Once an encryption function is determined and becomes a standard, it needs an appropriate implementation in software and, in most cases, in hardware.
  17. During implementation it is necessary to ensure not only that the function works correctly and efficiently, but also to prevent any kind of leak. Successful «cache-timing» attacks on RSA and AES have recently been recorded; as a result, Intel added AES instructions to its processors. The McEliece system is vulnerable to side-channel attacks. A successful timing attack on the Patterson algorithm was shown. This attack does not recover the key, but recovers an error vector, which makes it possible to decrypt the cipher text. As we can see, creating and implementing safe and effective post-quantum cryptosystems requires a rather large amount of work. From the foregoing it is clear that today we are not ready to move cryptosystems into the post-quantum era. In the near future we cannot be sure of the reliability of these systems.
  18. RSA ALTERNATIVES – HASH BASED: Traditional digital signature systems that are used in practice are vulnerable to quantum computer attacks. The security of these systems is based on the problems of factoring large numbers and calculating discrete logarithms. Scientists are working on alternatives to RSA that are protected from attacks by quantum computers. One of the alternatives is hash-based digital signature schemes. These systems use a cryptographic hash function. The security of these digital signature systems is based on the collision resistance of the hash functions that they use.
  19. LAMPORT–DIFFIE ONE-TIME SIGNATURE SCHEME (KEY GENERATION): Key generation in this system occurs as follows. The signature key X consists of 2n strings of length n and is selected randomly: $X = (x_{n-1}[0], x_{n-1}[1], \ldots, x_0[0], x_0[1]) \in \{0,1\}^{(n,2n)}$. The verification key Y also consists of 2n strings of length n: $Y = (y_{n-1}[0], y_{n-1}[1], \ldots, y_0[0], y_0[1]) \in \{0,1\}^{(n,2n)}$. This key is calculated as follows: $y_i[j] = f(x_i[j])$, $0 \le i \le n-1$, $j = 0, 1$, where f is a one-way function, $f: \{0,1\}^n \to \{0,1\}^n$. To generate the verification key, the function f must be used 2n times.
  20. DOCUMENT SIGNATURE: To sign a message m of arbitrary size, we transform it into size n using the hash function: $h(m) = hash = (hash_{n-1}, \ldots, hash_0)$. The function h is a cryptographic hash function, $h: \{0,1\}^* \to \{0,1\}^n$. The signature is formed as follows: $sig = (x_{n-1}[hash_{n-1}], \ldots, x_0[hash_0]) \in \{0,1\}^{(n,n)}$. The i-th string in this signature is equal to $x_i[0]$ if the i-th bit of hash is equal to 0, and to $x_i[1]$ if the i-th bit of hash is equal to 1. The signature length is $n^2$, and the function f is not used during signing.
  21. DOCUMENT VERIFICATION: To verify the signature $sig = (sig_{n-1}, \ldots, sig_0)$, the hash of the message $hash = (hash_{n-1}, \ldots, hash_0)$ is calculated and the following equality is checked: $(f(sig_{n-1}), \ldots, f(sig_0)) = (y_{n-1}[hash_{n-1}], \ldots, y_0[hash_0])$. If the equality holds, the signature is correct. For verification, the function f must be used n times.
  22. WINTERNITZ ONE TIME SIGNATURE SCHEME. KEY GENERATION: Key generation in this system occurs as follows. The Winternitz parameter $w \ge 2$ is selected; it is equal to the number of bits to be signed simultaneously. We calculate $p_1 = n/w$ and $p_2 = (\log_2 p_1 + 1 + w)/w$, $p = p_1 + p_2$. The signature key X consists of p strings of length n, selected randomly: $X = (x_{p-1}, \ldots, x_0) \in \{0,1\}^{(n,p)}$. The verification key is $Y = (y_{p-1}, \ldots, y_0) \in \{0,1\}^{(n,p)}$, where $y_i = f^{2^w-1}(x_i)$, $0 \le i \le p-1$. The length of the signature and of the verification key is np bits, and to generate the verification key the function f must be used $p(2^w-1)$ times.
  23. SIGNATURE GENERATION: We hash the message, $hash = h(m)$, and prepend to hash the minimum number of zeros needed to make its length divisible by w. Afterwards we divide it into $p_1$ parts of length w: $hash = k_{p-1}, \ldots, k_{p-p_1}$. The checksum is calculated: $c = \sum_{i=p-p_1}^{p-1} (2^w - k_i)$. As $c \le p_1 2^w$, the length of its binary representation is $\log_2 p_1 2^w + 1$. We prepend to its binary representation the minimum number of zeros needed to make its length divisible by w, and divide it into $p_2$ parts of length w: $c = k_{p_2-1}, \ldots, k_0$. We calculate the signature of the message m: $sig = (f^{k_{p-1}}(x_{p-1}), \ldots, f^{k_0}(x_0))$. In the worst case, the function f must be used $p(2^w-1)$ times for signing. The signature size is pn.
  24. SIGNATURE VERIFICATION: To verify the signature $sig = (sig_{p-1}, \ldots, sig_0)$, the bit strings $k_{p-1}, \ldots, k_0$ are calculated. We verify the following equality: $(f^{2^w-1-k_{p-1}}(sig_{p-1}), \ldots, f^{2^w-1-k_0}(sig_0)) = (y_{p-1}, \ldots, y_0)$. If the signature is correct, then $sig_i = f^{k_i}(x_i)$, so $f^{2^w-1-k_i}(sig_i) = f^{2^w-1}(x_i) = y_i$ holds for every $i = p-1, \ldots, 0$. In the worst case, the function f must be used $p(2^w-1)$ times for signature verification.
  25. MERKLE: One-time signature schemes are very inconvenient to use, because a different key pair is needed to sign each message. The Merkle cryptosystem was proposed to solve this problem. This system uses a binary tree to replace a large number of verification keys with one public key, the root of the binary tree. The cryptosystem uses a one-time Lamport or Winternitz signature scheme and a cryptographic hash function $h: \{0,1\}^* \to \{0,1\}^n$. Key generation: the height of the tree is chosen, $H \ge 2$; with one public key it is possible to sign $2^H$ documents. $2^H$ signature and verification key pairs $X_i, Y_i$, $0 \le i < 2^H$, are generated; $X_i$ is the signature key and $Y_i$ is the verification key. The values $h(Y_i)$ are calculated and used as the leaves of the tree. Each tree node is the hash value of the concatenation of its children.
  26. MERKLE TREE (figure)
  27. SIGNATURE GENERATION: To sign a message m of arbitrary size, we transform it into size n using the hash function, $h(m) = hash$, and generate a one-time signature using any one-time key $X_{any}$. The document's signature is the concatenation of the one-time signature, the one-time verification key $Y_{any}$, the index any, and all sibling nodes $auth_i$ in relation to $Y_{any}$: Signature $= (sig \| pub \| any \| Y_{any} \| auth_0, \ldots, auth_{H-1})$. Signature verification: we check the one-time signature sig using $Y_{any}$; if it is valid, we calculate all the nodes $a[i, j]$ using the $auth_i$, the index any and $Y_{any}$. We compare the last node, the root of the tree, with the public key; if they are equal, the signature is correct.
  28. PRNG INTEGRATION: To generate a public key, $2^H$ pairs of one-time keys must be calculated and stored. Storing this amount of information is not practical. To save space, it was suggested to use a pseudorandom number generator (PRNG). With a PRNG it is sufficient to store only the seed of the generator and to use it to generate the one-time keys. The one-time keys must then be calculated twice: once at the key generation stage and again at the signature stage. The PRNG receives a seed of length n and outputs a new seed and a random number of length n: $PRNG: \{0,1\}^n \to \{0,1\}^n \times \{0,1\}^n$. Key generation using the PRNG: we randomly choose the seed $s_0$ of length n and, using $s_i$, work out $sot_i$ as follows: $PRNG(s_i) = (sot_i, s_{i+1})$, $0 \le i < 2^H$. $sot_i$ changes each time the PRNG is run. To calculate the key $X_i$ it is enough to know only $s_i$.
  29. PRNG INTEGRATION (figure)
  30. Breaking PRNG: Quantum computers are able to crack PRNGs that were considered safe against attacks by classical computers. A polynomial-time quantum attack on the Blum-Micali PRNG has been shown. This PRNG is considered safe from the threats of standard computers. The attack uses the Grover algorithm along with the quantum discrete logarithm, and is able to recover the values at the generator output. Attacks like these represent a threat of cracking the PRNGs used in many real-world cryptosystems. As we see, the Merkle cryptosystem with a built-in PRNG can be vulnerable to attacks by quantum computers. We suggest using a true random number generator based on qubits (TRNG).
  31. Quantum TRNG: Let’s consider a system with one qubit. The quantum state of a qubit is denoted by $\alpha|0\rangle + \beta|1\rangle$, where $\alpha$ and $\beta$ are complex numbers and $|\alpha|^2 + |\beta|^2 = 1$. $|0\rangle$ is the ground state of the qubit and $|1\rangle$ is the excited state of the qubit. This qubit is in the state $|0\rangle$ with probability $\alpha^2$ and in the state $|1\rangle$ with probability $\beta^2$. When a qubit is measured, it is in one of the two states with probability 1. Let’s consider a system with two qubits. The quantum state of two qubits is denoted by $\alpha_{00}|00\rangle + \alpha_{01}|01\rangle + \alpha_{10}|10\rangle + \alpha_{11}|11\rangle$, where the $\alpha_i$ are complex numbers and $\sum |\alpha_i|^2 = 1$. We connect these qubits using a Bell state; in this case the quantum state of the qubits is denoted by $\frac{1}{2^{1/2}}|00\rangle + \frac{1}{2^{1/2}}|11\rangle$, so when we measure a given qubit, it will be in the state $|0\rangle$ with probability ½ and in the state $|1\rangle$ also with probability ½. When we measure the second qubit, it will, with probability 1, be in the opposite state of the first qubit when we measured it. When we measure n qubits we can get a truly random number of size n.
  32. Key generation using the quantum TRNG: We choose the tree height $H \ge 2$. We can sign $2^H$ documents using one public key. A connection is established between two qubits using a Bell state. We take $2^H$ pairs of such qubit sets $q_i$ and $b_i$, $0 \le i < 2^H$; every $q_i$ and $b_i$ consists of n qubits. We measure the $2^H \cdot n$ qubits $q_i$, obtain $2^H$ signature keys $X_i$, and calculate the verification keys $Y_i$. The values $h(Y_i)$ are calculated and used as the leaves of the tree. Signature and verification of the message: to sign a message m of arbitrary size, we transform it into size n using the hash function, $h(m) = hash$, and we measure any set $b_{any}$ that contains n qubits ($b_{any}$, $q_{any} = X_{any}$ with probability equal to 1). We generate the one-time signature using the one-time signature key $X_{any}$; the document's signature is the concatenation of the one-time signature, the one-time verification key $Y_{any}$, the index “any” and all sibling nodes $auth_i$ in relation to $Y_{any}$: Signature $= (sig \| pub \| any \| Y_{any} \| auth_0, \ldots, auth_{H-1})$. Verification of the message occurs as in the standard Merkle system. Security of the system with the built-in quantum TRNG: the system is secure, because we do not change the principle of the cryptosystem, but only integrate the TRNG to reduce the size of the signature key. The TRNG is completely safe; it is based on the state of qubits, which are real random numbers.
  33. Comparison table (columns: Lamport / Winternitz / Merkle). Use f to generate keys: $2n$ / $p(2^w-1)$ / $2^{H+1}-1$. Use f to calculate the signature: is not used / $p(2^w-1)$. Use f to verify the signature: $n$ / $p(2^w-1)$.
  34. ONE WAY and HASH: We propose to use a lattice-based hash function as the hash function, and a lattice-based one-way function as the one-way function, in hash-based digital signature schemes. Hash functions are considered resistant to quantum computer attacks, but the Grover algorithm achieves a quadratic speed-up in search algorithms. This means that hash functions must be complicated to be secure against quantum computer attacks. Studies are being conducted to determine the cost of attacks on the SHA2 and SHA3 families of hash functions using the Grover algorithm.
  35. Systems based on lattices: Collision-resistant hash functions based on lattices have been proposed. Ajtai suggested a family of hash functions whose security is based on the worst-case hardness of SVP with approximation ratio $n^c$, where $c$ is constant. The integers n, m, q and d are used as parameters to construct the family of hash functions. The parameter n defines the safety of the hash function. The key of a hash function is specified by the matrix M, chosen uniformly from $\mathbb{Z}_q^{n \times m}$. The hash function is $h_M: \{0, \ldots, d-1\}^m \to \mathbb{Z}_q^n$. The function maps $m \log d$ bits to $n \log q$ bits; for input compression, $m > \log q / \log d$. This hash function is very easy to implement, because it uses only addition and multiplication modulo q, whose size is $O(\log n)$.
  36. HASHED MERKLE: We propose to use a lattice-based hash function as the hash function, and a lattice-based one-way function as the one-way function, in hash-based digital signature schemes. The family of one-way functions suggested by Ajtai can be used. In the case of hash functions, we select as the key the matrix K from $\mathbb{Z}_a^{n \times m}$, which transforms $m \log b$ bits into $n \log a$ bits, and we calculate $h(x) = Kx \bmod a$. In the case of a one-way function, we select as the key the matrix K from $\mathbb{Z}_b^{m \times m}$. It transforms $m \log b$ bits into $m \log b$ bits, and we compute $f(x) = Kx \bmod a$.
  37. Efficiency problems: The efficiency problem of these functions should be noted: the size of their key grows quadratically in n, so these functions are inefficient. Because of attacks on these functions by the combinatorial method, a key of 500,000 bits is needed for 100-bit security.
  38. MAKSIM IAVICH, SCIENTIFIC CYBER SECURITY ASSOCIATION; CAUCASUS UNIVERSITY. T. +(995 595) 511355; E-mail: m.iavich@scsa.ge; www.scsa.ge. Scientific & practical cyber security journal: www.journal.scsa.ge. THANK YOU! QUESTIONS?
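
The Lamport–Diffie scheme of slides 19 to 21 as an added example (not code from the talk). It assumes n = 256 and uses SHA-256 for both f and h; `revealed_fraction` is a hypothetical helper showing how much of X a verifier learns, which is why a key pair signs only one message.

```python
import hashlib
import secrets

N = 256  # n; SHA-256 stands in for both f and h (assumption, not from the slides)

def f(x):
    """One-way function f: {0,1}^n -> {0,1}^n."""
    return hashlib.sha256(b"f" + x).digest()

def h_bits(message):
    """h(m) as the bit list (hash_{n-1}, ..., hash_0)."""
    digest = hashlib.sha256(b"h" + message).digest()
    return [(byte >> (7 - k)) & 1 for byte in digest for k in range(8)]

def keygen():
    # X: 2n random n-bit strings x_i[0], x_i[1]; Y: y_i[j] = f(x_i[j]), 2n calls to f
    X = [(secrets.token_bytes(N // 8), secrets.token_bytes(N // 8)) for _ in range(N)]
    Y = [(f(x0), f(x1)) for x0, x1 in X]
    return X, Y

def sign(X, message):
    # sig_i = x_i[hash_i]; f is not used while signing
    return [X[i][bit] for i, bit in enumerate(h_bits(message))]

def verify(Y, message, sig):
    # check f(sig_i) == y_i[hash_i] for every i: n calls to f
    bits = h_bits(message)
    return len(sig) == N and all(
        secrets.compare_digest(f(s), Y[i][bit])
        for i, (s, bit) in enumerate(zip(sig, bits)))

def revealed_fraction(messages):
    """Share of the 2n secret strings disclosed by signing `messages` with one key."""
    seen = set()
    for m in messages:
        seen.update((i, bit) for i, bit in enumerate(h_bits(m)))
    return len(seen) / (2 * N)
```

One signature discloses exactly half of X; a second signature under the same key discloses more, which is the reuse problem the Merkle tree on slide 25 addresses.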
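
The Winternitz scheme of slides 22 to 24 as an added example (not code from the talk), assuming n = 256, w = 4, SHA-256 for f and h, and rounding up in p1 and p2. `checksum_blocks_shift` is a hypothetical helper showing what the checksum digits protect against.

```python
import hashlib
import hmac
import math
import secrets

N, W = 256, 4                                       # hash length n, Winternitz parameter w
P1 = math.ceil(N / W)                               # message digits (rounding up: assumption)
P2 = math.ceil((P1.bit_length() - 1 + 1 + W) / W)   # checksum digits (same assumption)
P = P1 + P2
TOP = 2 ** W - 1                                    # chain length 2^w - 1

def f_iter(x, times):
    """Apply the one-way function f (SHA-256 here, an assumption) `times` times."""
    for _ in range(times):
        x = hashlib.sha256(x).digest()
    return x

def to_digits(value, count):
    """Split an integer into `count` w-bit digits, most significant first."""
    return [(value >> (W * (count - 1 - i))) & TOP for i in range(count)]

def checksum_digits(msg_digits):
    return to_digits(sum(2 ** W - k for k in msg_digits), P2)     # c = sum(2^w - k_i)

def digits_for(message):
    hash_int = int.from_bytes(hashlib.sha256(message).digest(), "big")
    msg_digits = to_digits(hash_int, P1)
    return msg_digits + checksum_digits(msg_digits)

def keygen():
    X = [secrets.token_bytes(N // 8) for _ in range(P)]
    return X, [f_iter(x, TOP) for x in X]                         # y_i = f^(2^w - 1)(x_i)

def sign(X, message):
    return [f_iter(x, k) for x, k in zip(X, digits_for(message))]  # sig_i = f^(k_i)(x_i)

def chains_ok(Y, digits, sig):
    """Per-chain result of the check f^(2^w - 1 - k_i)(sig_i) == y_i."""
    return [hmac.compare_digest(f_iter(s, TOP - k), y) for s, k, y in zip(sig, digits, Y)]

def verify(Y, message, sig):
    return len(sig) == P and all(chains_ok(Y, digits_for(message), sig))

def checksum_blocks_shift(Y, message, sig, i):
    """Raise message digit i by one by applying f to sig_i, then re-check every chain.
    The message chains still match, but the checksum drops and its chains do not."""
    msg = digits_for(message)[:P1]
    if msg[i] >= TOP:
        raise ValueError("digit i is already at 2^w - 1")
    msg[i] += 1
    shifted_sig = sig[:i] + [f_iter(sig[i], 1)] + sig[i + 1:]
    ok = chains_ok(Y, msg + checksum_digits(msg), shifted_sig)
    return all(ok[:P1]) and not all(ok[P1:])
```

With these parameters p1 = 64, p2 = 3 and p = 67, so a signature is 67 strings of 32 bytes instead of Lamport's 256.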
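
The tree part of the Merkle scheme on slides 25 to 27 as an added example (not code from the talk): building the tree from the leaves h(Y_i), extracting auth_0..auth_{H-1}, and recomputing the root. SHA-256 as h and the constructed `SAMPLE_KEYS` standing in for one-time verification keys are assumptions; checking the one-time signature itself is a separate step.

```python
import hashlib
import hmac

def h(data):
    return hashlib.sha256(data).digest()

# Constructed stand-ins for 2^H = 8 one-time verification keys Y_i (H = 3).
SAMPLE_KEYS = [bytes([i]) * 32 for i in range(8)]

def build_tree(verification_keys):
    """Return levels[0] = leaves h(Y_i) up to levels[H] = [root]."""
    level = [h(y) for y in verification_keys]
    if len(level) < 4 or len(level) & (len(level) - 1):
        raise ValueError("need 2^H leaves with H >= 2")
    levels = [level]
    while len(level) > 1:
        # each node is the hash of the concatenation of its two children
        level = [h(level[j] + level[j + 1]) for j in range(0, len(level), 2)]
        levels.append(level)
    return levels

def auth_path(levels, index):
    """Sibling nodes auth_0..auth_{H-1} on the way from leaf `index` to the root."""
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])   # sibling differs in the lowest bit
        index >>= 1
    return path

def root_from_path(y, index, path):
    """Recompute the root from Y_any, its index and the authentication path."""
    node = h(y)
    for sibling in path:
        node = h(sibling + node) if index & 1 else h(node + sibling)
        index >>= 1
    return node

def verify_leaf(public_key, y, index, path, height):
    """True if Y_any at position `index` hashes up to the public key (the root)."""
    if len(path) != height or not 0 <= index < 2 ** height:
        return False
    return hmac.compare_digest(root_from_path(y, index, path), public_key)
```

The index is part of what is verified: the same key and path presented under a different index produce a different root and are rejected.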
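
The Ajtai-style function h_M(x) = Mx mod q from slides 35 and 36, with the key-size growth noted on slide 37, as an added example (not code from the talk). The toy parameters, the seeded generator and the helper names are assumptions chosen so the example is small and reproducible; they are not secure parameter choices.

```python
import math
import random

def ajtai_key(n, m, q, seed):
    """Matrix M from Z_q^{n x m}; seeded only so the example is reproducible."""
    rng = random.Random(seed)
    return [[rng.randrange(q) for _ in range(m)] for _ in range(n)]

def ajtai_hash(M, q, x):
    """h_M(x) = M x mod q: only additions and multiplications modulo q."""
    if any(len(row) != len(x) for row in M):
        raise ValueError("x must have exactly m entries")
    return [sum(a * b for a, b in zip(row, x)) % q for row in M]

def bits_of(data, m):
    """Encode a fixed-length input as x in {0,1}^m (d = 2).

    Inputs must be exactly m bits: padding shorter inputs with zeros would
    make differently sized inputs collide.
    """
    bits = [(byte >> (7 - k)) & 1 for byte in data for k in range(8)]
    if len(bits) != m:
        raise ValueError("input must be exactly m bits")
    return bits

def sizes(n, m, q, d):
    """Input bits m*log d, output bits n*log q and key bits n*m*log q."""
    log_q = math.ceil(math.log2(q))
    log_d = math.ceil(math.log2(d))
    return {"input_bits": m * log_d, "output_bits": n * log_q,
            "key_bits": n * m * log_q}

def compresses(n, m, q, d):
    """True when the function maps more input bits than it outputs."""
    s = sizes(n, m, q, d)
    return s["input_bits"] > s["output_bits"]
```

With n = 8, m = 128, q = 257, d = 2 the key is 9,216 bits; doubling n and keeping the same input-to-output ratio (n = 16, m = 256) gives 36,864 bits, four times as many.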
