Karen Easterbrook, Microsoft Brian LaMacchia, Microsoft Quantum computers may be 10 years away, but well-funded adversaries are already preparing for their arrival. Even if they can’t read high-value encrypted traffic today, they are recording and storing for when they can decrypt it in the future. If your secrets need to be protected for more than 10 years, you need to take action now. In this talk, we will explore how sufficiently large quantum computers will catastrophically break all public-key cryptography commonly used today, the overall scope of this threat, and the steps underway to develop and deploy quantum-resistant replacement algorithms and security protocols. We will introduce the code and tools that you can use today to fend off these future advanced threats.

2. Source: Kaspersky Lab

3. Source: Kaspersky Lab

5. 2000 2002 2004 2006 2008 2010 2012 2014 2016 2018
Relative Algorithms Strength Over Time
MD5 SHA1 RSA 1024->2048 RSA->ECC PQC
1st better-than-brute-
force attack on SHA-1
1st MD5
collision
1st SHA-1
collision
MSR PQC
project starts
NSA revises Suite B
& says PQC coming
Crypto SDL bans
RSA <2048
NIST announces
RSA-1024 transition
Windows blocks
RSA <1024
FLAME attack on
MS PKI
NSA announces Suite B,
starts move to ECC
MD5 (1991)
SHA-1 (1995)
RSA (1978), RSA-1024 (US/CA NT 4.0 1996)

6. Quantum is coming

8. Photos courtesy of: Professor Charlie Marcus

10. Van Meter et al., 2006
RSA-2048
Challenge
Problem
Number of bits N
TimetoFactorN-bitNumber

11. Difficulty of factoring
Difficulty of elliptic
curve discrete
logarithms
Can be solved efficiently by a
large-scale quantum computer
(Shor’s Algorithm 1994)
RSA signatures
Elliptic curve
Diffie–Hellman
key exchange
AES SHA-2
Impacted by quantum computing but we can
mitigate by increasing key sizes
(Grover’s Algorithm 1996)

12. Source: Quantum Resource Estimates for Computing Elliptic Curve Discrete Logarithms, Roeteller et al., Asiacrypt 2017.

13. Hypothetical 15-Year View for PQ Crypto
~ 2030
Quantum Computer Breaks
Asymmetric Crypto
Dec 2017 – Dec 2023
NIST PQ Standardization Process
WE ARE
HERE
JAN 2015 JAN 2016 JAN 2017 JAN 2018 JAN 2019 JAN 2020 JAN 2021 JAN 2022 JAN 2023 JAN 2024 JAN 2025 JAN 2026 JAN 2027 JAN 2028 JAN 2029 Dec 2029
R&D
ROLLOUTS DECOMMISSION
PILOTS
MIGRATION
STANDARDS DISCUSSIONS

16. NIST Post-Quantum
Project
• “Competition” launched Nov 30, 2017
• Research teams from around the world have
responded
• 69 submissions, of which 5 withdrawn, a few others
have apparently successful attacks.
• Four candidates entered by Microsoft & collaborators
• While NIST analyzes, crypto community gleefully doing
cryptanalysis
• Round 2 candidates likely announced Summer 2019
• NIST expected to pick multiple algorithms
This Photo by Unknown Author is licensed under CC BY-SA

17. Isogeny-based
Finding a specific isogeny between two elliptic curves or a
path between them in the isogeny graph
Other
Lattice-Based
Hardness of finding shortest vector in a high-
dimensional lattice
Hash-based
Security of hash functions
Multivariate
Multivariate quadratic polynomial problem (MQ)
Code-based
Hardness of decoding a random linear code

18. • The Frodo team:
Microsoft (Craig Costello, Karen Easterbrook, Brian LaMacchia,
Michael Naehrig, Patrick Longa)
Google (Ilya Mironov, Ananth Raghunathan)
NXP (Joppe Bos)
CWI (Leo Ducas)
McMaster University (Douglas Stebila)
University of Michigan (Chris Peikert)
Ege University (Erdem Alkim)
Stanford University (Valeria Nikolaenko)
• Lattice-based encryption based on the “learning with errors” problem
• LWE, not R-LWE: Frodo doesn’t have a ring…
• Based upon well-studied problem
• Efficiency: Fast, but relatively large keys.

19. Meet Frodo
A visual explanation
Given a public matrix (blue) and our secret (red), and adding a little error (yellow), get an answer (green)
To break this, adversary must calculate the secret (red)

20. • The SIKE Team:
Microsoft (Craig Costello, Brian LaMacchia, Michael Naehrig, Patrick Longa)
Amazon (Matt Campagna)
InfoSec Global (Basil Hess, Vladimir Soukharev)
Texas Instruments (Brian Koziel)
University of Waterloo (David Jao, David Urbanik)
Université de Versailles (Luca DeFeo)
Radboud University (Joost Renes)
Florida Atlantic University (Reza Azarderakhsh, Amir Jalali)
• Elliptic curve-based KEM, based on the “supersingular isogeny” problem
• Related D-H: “SIDH” – Supersingular Isogeny Diffie-Hellman
• Fewer years of study (cryptanalysis) in comparison to lattices
• Efficiency: Small keys, but relatively slow

21. Performance Metrics – Key Exchange/Encipherment
Time (ms) Comm. (bytes) Quantum
SecurityA→B B→A
RSA 3072 4.58 387 384 -
ECDH nistp256 1.40 32 32 -
NewHope 0.06 1824 2048 206 bits
FrodoKEM-640 1.19 9,616 9,752 Level 1 (*)
SIKEp503 9.0 378 378 Level 1 (*)
Classical
Lattice-
based
Isogeny
Timings obtained on Intel Core i7 (3.4GHz) Skylake.
(*) Matches brute-force security of AES-128.

22. • The qTESLA team:
Microsoft (Patrick Longa)
Isara Corporation (Edward Eaton, Gus Gutowski)
Ondokuz Mayis University (Sedat Akleylek, Erdem Alkim)
Technische U. Darmstädt (Nina Bindel, Johannes Buchmann, Juliane Krämer,
Harun Polat)
University of São Paulo (Jefferson Ricardini, Gustavo Zanon)
University of Washington-Tacoma (Paulo Barreto)

24. Performance Metrics – Digital Signatures
Sign
(ms)
Verify
(ms)
Privkey
(bytes)
Pubkey
(bytes)
Signature
(bytes)
Quantum
Security
RSA 4096 6.033 0.093 512 512 512 -
Picnic-L1-FS 1.95 1.36 16 32 34,000 Level 1 (*)
qTESLA-I 0.15 0.03 1,216 1,504 1,376 Level 1 (*)
qTESLA-III-speed 0.24 0.07 2,112 3,104 2,848 Level 3 (*)
Timings obtained on Intel Core i7 (3.4GHz) Skylake.
(*) Level 1 matches brute-force security of AES-128, Level 3 matches AES-192.

25. https://openquantumsafe.org/

26. PQC Protocol Integrations using OQS
• We integrated the OQS library into protocols to provide PQC and
hybrid ciphersuites
• Hybrid: keep your FIPS or otherwise approved crypto, add PQ protection
• For more on hybrid PKI, see Bindel et al. 2017:
https://eprint.iacr.org/2017/460.pdf
• OpenSSL, with TLS 1.2 and 1.3 support
• https://github.com/open-quantum-safe/openssl
• OpenSSH
• https://github.com/open-quantum-safe/openssh-portable
• OpenVPN: For securing links against “record now/exploit later”
attacks.
• https://github.com/Microsoft/PQCrypto-VPN

27. PQ-VPN Demo Architecture
• Making legacy applications PQ-agile can be difficult and expensive
• A PQ-VPN wrapper is a deployment option that doesn’t require updating the
entire legacy stack
Browser
azuresite.com
office365.com
ssh
3rd Party
App
PQ-enabled
OpenVPN
client
Azure
PQ-enabled
OpenVPN
server
3rd Party
App
Service
sshd
Office365
Internet
dnsleaktest.com
azuresite.com
TLS
TLS
TLS
TLS
TLS
Windows PC
PQ-protected VPN
tunnel

28. PQAP: An RPi3 PQ-VPN Appliance
• Our PQ-VPN project also includes
software and instructions for
building a PQ secure VPN appliance
using a standard Raspberry Pi 3.
• Acts as a WiFi access point, tunnels
all of its traffic over PQ-VPN to a
cloud-hosted endpoint.
• No software install needed on client
devices.
• All connected devices device get
PQ security transparently. Yeah, we changed the password on this…

29. Systems: Key Scenarios for Microsoft
• Public Key Infrastructure (PKI)
• Both corporate and externally-facing
• Code signing for Microsoft products and services
• Authenticode (e.g. Windows DLLs)
• UWP (Microsoft Store) applications
• XBOX
• Azure Cloud Computing
• Key Vault

30. PQC with a Hardware Security Module
• We added support for the Picnic algorithm to an Utimaco HSM
• To the HSM simulator first, then cross-compiled to the HSM itself.
• Where possible, we replaced functions in MS software with calls to Utimaco
firmware: RNG, SHA-3, ASN.1 utilities
• Goal: demonstrate three key PKI CA operations
1. HSM generates & stores new PQ CA key and issues self-signed cert
2. HSM generates & stores new PQ EE key, CA issues cert for EE key
3. User creates CSR outside the HSM for a legacy (RSA) key pair.
Sends CSR to PQ CA in the HSM. CA issues PQ cert for RSA public key.
• All PQ operations use Picnic keys and signatures

31. Libraries:
• https://github.com/Microsoft/PQCrypto-LWEKE
• https://github.com/Microsoft/PQCrypto-SIKE
• https://github.com/qtesla/qTesla
• https://github.com/Microsoft/Picnic
Protocol Integrations:
• https://openquantumsafe.org/
• https://github.com/open-quantum-safe/openssl
• https://github.com/open-quantum-safe/openssh-portable
• https://github.com/Microsoft/PQCrypto-VPN
Overall project site:
• https://www.microsoft.com/en-us/research/project/post-quantum-cryptography/
PQ Open Source Releases

32. Summary – Preparing for a PQ future
• Quantum computers are coming – maybe not for a decade or more, but
within the protection lifetime of data we are generating and encrypting
today
• We need to start planning the transition to post-quantum cryptographic algorithms
now.
• To prepare for the PQ transition, all our systems need cryptographic agility
• Hybrid solutions combining classical and post-quantum primitives look promising; they
provide both traditional cryptographic guarantees as well as some PQ resistance
• Practical engineering options exist today for deploying PQ
• But it is going to take a long time to update our software stacks…
• We may already be late to transition
• Some of our customers have data with a protection lifespan of 15-20 years or more.
• IoT and critical infrastructure have devices that won’t be updated for 15+ years.

33. Preparing Today’s Analysis Tools for PQ
• The NIST competition attracted lots of new candidate algorithms with
open source reference and optimized implementations
• While the PQ community cryptanalyzes all the proposals, assume that the bad
guys are already looking at how they can leverage PQ algorithms too.
• Tools you use to parse protocols, search for algorithm signatures, etc.,
may encounter encryption algorithms that don’t match what you’ve
seen previously
• Same is true for digital signatures
• Once NIST chooses algorithms, there will be a bunch of churn in the
commonly-used security protocols as they are upgraded to support PQ

34. How will we know when an adversary has access
to a sufficiently large quantum computer?

35. https://github.com/Microsoft/PQCrypto-LWEKE
https://github.com/Microsoft/PQCrypto-SIKE
https://github.com/qtesla/qTesla
https://github.com/Microsoft/Picnic
https://openquantumsafe.org/
https://github.com/open-quantum-safe/openssl
https://github.com/open-quantum-safe/openssh-portable
https://github.com/Microsoft/PQCrypto-VPN
https://www.microsoft.com/en-us/research/project/post-quantum-cryptography/
bal@microsoft.com
keaster@microsoft.com