Karen Easterbrook, Microsoft
Brian LaMacchia, Microsoft
Quantum computers may be 10 years away, but well-funded adversaries are already preparing for their arrival. Even if they can’t read high-value encrypted traffic today, they are recording and storing it for when they can decrypt it in the future. If your secrets need to be protected for more than 10 years, you need to take action now. In this talk, we will explore how sufficiently large quantum computers will catastrophically break all public-key cryptography commonly used today, the overall scope of this threat, and the steps underway to develop and deploy quantum-resistant replacement algorithms and security protocols. We will introduce the code and tools that you can use today to fend off these future advanced threats.
10. Van Meter et al., 2006 (chart: time to factor an N-bit number against the number of bits N; the RSA-2048 challenge problem is marked)
11. Difficulty of factoring; difficulty of elliptic curve discrete logarithms (RSA signatures, elliptic curve Diffie–Hellman key exchange): can be solved efficiently by a large-scale quantum computer (Shor’s Algorithm 1994)
AES, SHA-2: impacted by quantum computing but we can mitigate by increasing key sizes (Grover’s Algorithm 1996)
12. Source: Quantum Resource Estimates for Computing Elliptic Curve Discrete Logarithms, Roetteler et al., Asiacrypt 2017.
13. Hypothetical 15-Year View for PQ Crypto (timeline Jan 2015 – Dec 2029): R&D and standards discussions, then the NIST PQ Standardization Process (Dec 2017 – Dec 2023; “we are here”), followed by pilots, rollouts, migration and decommission; ~2030: quantum computer breaks asymmetric crypto
16. NIST Post-Quantum Project
• “Competition” launched Nov 30, 2017
• Research teams from around the world have responded
• 69 submissions, of which 5 withdrawn; a few others have apparently successful attacks.
• Four candidates entered by Microsoft & collaborators
• While NIST analyzes, crypto community gleefully doing cryptanalysis
• Round 2 candidates likely announced Summer 2019
• NIST expected to pick multiple algorithms
17. • Isogeny-based: finding a specific isogeny between two elliptic curves or a path between them in the isogeny graph
• Lattice-based: hardness of finding the shortest vector in a high-dimensional lattice
• Hash-based: security of hash functions
• Multivariate: multivariate quadratic polynomial problem (MQ)
• Code-based: hardness of decoding a random linear code
• Other
18. • The Frodo team:
Microsoft (Craig Costello, Karen Easterbrook, Brian LaMacchia, Michael Naehrig, Patrick Longa)
Google (Ilya Mironov, Ananth Raghunathan)
NXP (Joppe Bos)
CWI (Leo Ducas)
McMaster University (Douglas Stebila)
University of Michigan (Chris Peikert)
Ege University (Erdem Alkim)
Stanford University (Valeria Nikolaenko)
• Lattice-based encryption based on the “learning with errors” problem
• LWE, not R-LWE: Frodo doesn’t have a ring…
• Based upon well-studied problem
• Efficiency: Fast, but relatively large keys.
19. Meet Frodo
A visual explanation
Given a public matrix (blue) and our secret (red), and adding a little error (yellow), get an answer (green)
To break this, adversary must calculate the secret (red)
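The picture above is the learning-with-errors relation B = A·S + E, and the key exchange built on it is what Frodo does at scale. As an added example, not code from the talk or from the Frodo team, here is a toy Frodo-style key agreement in Python; the matrix sizes, the modulus Q and the {-1, 0, 1} error distribution are assumptions chosen for readability and give no real security.

```python
import random

# Toy LWE parameters, constructed for readability and giving no real security:
# Frodo itself uses n >= 640, q = 2^15 or 2^16 and a rounded-Gaussian error.
N, Q, NBAR, B_BITS = 32, 2 ** 20, 4, 2

def small_matrix(rows, cols, rng):
    """Secret or error matrix with entries in {-1, 0, 1} (stand-in for Frodo's narrow error)."""
    return [[rng.choice((-1, 0, 1)) for _ in range(cols)] for _ in range(rows)]

def mat_mul(x, y):
    """Matrix product mod Q over plain Python lists."""
    return [[sum(x[i][k] * y[k][j] for k in range(len(y))) % Q
             for j in range(len(y[0]))] for i in range(len(x))]

def mat_add(x, y):
    return [[(a + b) % Q for a, b in zip(rx, ry)] for rx, ry in zip(x, y)]

def round_key(v):
    """Keep only the top B_BITS of each coefficient: both sides get the same bits
    as long as their coefficients differ by less than Q / 2^(B_BITS + 1)."""
    return [[round(c * 2 ** B_BITS / Q) % (2 ** B_BITS) for c in row] for row in v]

def keygen(rng):
    a = [[rng.randrange(Q) for _ in range(N)] for _ in range(N)]  # public matrix (blue)
    s = small_matrix(N, NBAR, rng)                                 # secret (red)
    e = small_matrix(N, NBAR, rng)                                 # small error (yellow)
    b = mat_add(mat_mul(a, s), e)                                  # answer (green): B = A*S + E
    return (a, b), s  # (A, B) is public; recovering S from it is the LWE problem

def encaps(pub, rng):
    """Peer side: publishes its own LWE sample B' and derives a key from V ~ S'*A*S."""
    a, b = pub
    s2, e2, e3 = small_matrix(NBAR, N, rng), small_matrix(NBAR, N, rng), small_matrix(NBAR, NBAR, rng)
    b2 = mat_add(mat_mul(s2, a), e2)   # B' = S'*A + E'
    v = mat_add(mat_mul(s2, b), e3)    # V = S'*B + E'' = S'*A*S + (S'*E + E'')
    return b2, round_key(v)

def decaps(b2, s):
    """Key holder side: B'*S = S'*A*S + E'*S differs from V only by small terms, so rounding agrees."""
    return round_key(mat_mul(b2, s))

def agree(seed):
    """One full exchange from a seed; returns (peer key, key-holder key) as NBAR x NBAR digit matrices."""
    rng = random.Random(seed)
    pub, s = keygen(rng)
    b2, k_peer = encaps(pub, rng)
    return k_peer, decaps(b2, s)
```

With these parameters the error terms are a few units against a rounding tolerance of Q/8, so the two rounded keys match; shrinking Q or widening the error distribution is the quickest way to watch the agreement start to fail.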
20. • The SIKE Team:
Microsoft (Craig Costello, Brian LaMacchia, Michael Naehrig, Patrick Longa)
Amazon (Matt Campagna)
InfoSec Global (Basil Hess, Vladimir Soukharev)
Texas Instruments (Brian Koziel)
University of Waterloo (David Jao, David Urbanik)
Université de Versailles (Luca DeFeo)
Radboud University (Joost Renes)
Florida Atlantic University (Reza Azarderakhsh, Amir Jalali)
• Elliptic curve-based KEM, based on the “supersingular isogeny” problem
• Related D-H: “SIDH” – Supersingular Isogeny Diffie-Hellman
• Fewer years of study (cryptanalysis) in comparison to lattices
• Efficiency: Small keys, but relatively slow
22. • The qTESLA team:
Microsoft (Patrick Longa)
Isara Corporation (Edward Eaton, Gus Gutowski)
Ondokuz Mayis University (Sedat Akleylek, Erdem Alkim)
Technische U. Darmstädt (Nina Bindel, Johannes Buchmann, Juliane Krämer, Harun Polat)
University of São Paulo (Jefferson Ricardini, Gustavo Zanon)
University of Washington-Tacoma (Paulo Barreto)
26. PQC Protocol Integrations using OQS
• We integrated the OQS library into protocols to provide PQC and hybrid ciphersuites
• Hybrid: keep your FIPS or otherwise approved crypto, add PQ protection
• For more on hybrid PKI, see Bindel et al. 2017:
https://eprint.iacr.org/2017/460.pdf
• OpenSSL, with TLS 1.2 and 1.3 support
• https://github.com/open-quantum-safe/openssl
• OpenSSH
• https://github.com/open-quantum-safe/openssh-portable
• OpenVPN: for securing links against “record now/exploit later” attacks.
• https://github.com/Microsoft/PQCrypto-VPN
27. PQ-VPN Demo Architecture
• Making legacy applications PQ-agile can be difficult and expensive
• A PQ-VPN wrapper is a deployment option that doesn’t require updating the entire legacy stack
Diagram: a Windows PC running a browser, ssh and a 3rd-party app sends its traffic through a PQ-enabled OpenVPN client; a PQ-protected VPN tunnel carries it across the Internet to a PQ-enabled OpenVPN server in Azure, from which ordinary TLS connections go on to azuresite.com, office365.com, dnsleaktest.com, Office365, the 3rd-party app service and sshd
28. PQAP: An RPi3 PQ-VPN Appliance
• Our PQ-VPN project also includes software and instructions for building a PQ secure VPN appliance using a standard Raspberry Pi 3.
• Acts as a WiFi access point, tunnels all of its traffic over PQ-VPN to a cloud-hosted endpoint.
• No software install needed on client devices.
• All connected devices get PQ security transparently.
Yeah, we changed the password on this…
29. Systems: Key Scenarios for Microsoft
• Public Key Infrastructure (PKI)
• Both corporate and externally-facing
• Code signing for Microsoft products and services
• Authenticode (e.g. Windows DLLs)
• UWP (Microsoft Store) applications
• XBOX
• Azure Cloud Computing
• Key Vault
30. PQC with a Hardware Security Module
• We added support for the Picnic algorithm to a Utimaco HSM
• To the HSM simulator first, then cross-compiled to the HSM itself.
• Where possible, we replaced functions in MS software with calls to Utimaco firmware: RNG, SHA-3, ASN.1 utilities
• Goal: demonstrate three key PKI CA operations
1. HSM generates & stores new PQ CA key and issues self-signed cert
2. HSM generates & stores new PQ EE key, CA issues cert for EE key
3. User creates CSR outside the HSM for a legacy (RSA) key pair. Sends CSR to PQ CA in the HSM. CA issues PQ cert for RSA public key.
• All PQ operations use Picnic keys and signatures
32. Summary – Preparing for a PQ future
• Quantum computers are coming – maybe not for a decade or more, but within the protection lifetime of data we are generating and encrypting today
• We need to start planning the transition to post-quantum cryptographic algorithms now.
• To prepare for the PQ transition, all our systems need cryptographic agility
• Hybrid solutions combining classical and post-quantum primitives look promising; they provide both traditional cryptographic guarantees as well as some PQ resistance
• Practical engineering options exist today for deploying PQ
• But it is going to take a long time to update our software stacks…
• We may already be late to transition
• Some of our customers have data with a protection lifespan of 15-20 years or more.
• IoT and critical infrastructure have devices that won’t be updated for 15+ years.
33. Preparing Today’s Analysis Tools for PQ
• The NIST competition attracted lots of new candidate algorithms with open source reference and optimized implementations
• While the PQ community cryptanalyzes all the proposals, assume that the bad guys are already looking at how they can leverage PQ algorithms too.
• Tools you use to parse protocols, search for algorithm signatures, etc., may encounter encryption algorithms that don’t match what you’ve seen previously
• Same is true for digital signatures
• Once NIST chooses algorithms, there will be a bunch of churn in the commonly-used security protocols as they are upgraded to support PQ
34. How will we know when an adversary has access to a sufficiently large quantum computer?