
Emily Stamm - Post-Quantum Cryptography

Chicago CSNP - January 2020

Published in: Technology

  1. 1. Emily Stamm Allstate Information Security January 9, 2020 Post-Quantum Cryptography
  2. 2. Outline • Introduction to Cryptography • Quantum Computing • Post-Quantum Cryptography • Lattice-Based • Code-Based • Multivariate • Hash-Based • Isogeny-Based
  3. 3. Introduction to Cryptography
  4. 4. What is Cryptography? Cryptography: from Greek kryptós, "hidden / secret", and graphein, "to write" • From the Caesar Shift 2000 years ago • To the Lorenz Cipher Machine in WWII • To today: ’secure communication in presence of third parties’
  5. 5. Cryptography Today • Confidentiality: restrict the access of information • Integrity: verify that data has not been altered (maliciously or accidentally) • Authentication: verify the identity of a party • Types of Cryptography: 1. Public Key Cryptography (Asymmetric) 2. Secret Key Cryptography (Symmetric) 3. Cryptographic Hashing
  6. 6. What is Good Cryptography? • Hard Math Problems: the strength of the algorithm relies on the hardness of some underlying math problem • Proper Implementation: algorithms must be correctly implemented so as not to leak information • Key Secrecy: secret piece of information (key) used to uncover information
  7. 7. What is Public Key Cryptography? • Key to encrypt and the key to decrypt are different • Public Key: known to everyone • Private Key: known to parties accessing data • Digital signature version: private key to sign and public key to verify • Examples: RSA, DSA, Diffie-Hellman, Elliptic Curve Cryptography
  8. 8. Where is Public Key Cryptography Used? • Used anytime two or more parties need to communicate • ‘Parties’ aren’t necessarily people (browsers, servers, endpoints) • E.g. HTTPS, Firewalls, Routers, Printers, SSH, TLS, Bitcoin
  9. 9. Quantum Computing
  10. 10. Quantum Computing • A quantum computer is a computer based on quantum physics rather than classical physics • Instead of a bit, it uses a quantum bit or qubit • Takes advantage of quantum phenomena to perform some tasks much more efficiently • E.g. entanglement, parallelism, interference (Images: The D-Wave 2000Q Quantum Computer; IBM’s 50-qubit quantum computer)
  11. 11. Effect on Cryptography • Shor’s Algorithm: quantum factoring algorithm in ~4n^3 time, 2n qubits • Reduces factoring to finding the period and breaks RSA • Efficiently computed using Quantum Fourier Transform to reveal periodicities • Similar algorithm for elliptic curve (n-bit finite field) attack in ~360n^3 time, 6n qubits • Similar algorithms for all PKC based on (abelian) hidden subgroup problem • Eventually all our current public key cryptography will be obsolete (Image: IBM’s 50-qubit quantum computer)
  12. 12. Quantum Cryptography • Quantum cryptography is cryptography that runs on a quantum computer • Security like no other form of cryptography by laws of quantum mechanics against quantum and classical attacks (Image: Thor Labs, Quantum Cryptography Analogy Demonstration Kit)
  13. 13. What is POST-QUANTUM CRYPTOGRAPHY? • Problem: Quantum cryptography requires a quantum computer, which is expensive, large, and requires extreme conditions • Solution: Post-Quantum Cryptography (PQC): cryptography that runs on current computers and is secure against classical and quantum attacks (Kahn, 2019)
  14. 14. Post-Quantum Cryptography
  15. 15. NIST Competition for Post-Quantum Cryptography (PQC) • Currently evaluating and eliminating cryptosystems • 5 levels of security • Encryption/Key Exchange and Signatures • Identify hardness assumptions that are not broken by quantum computers • Build cryptosystems based on these problems • Prove security against quantum and classical attacks
  16. 16. Why Switch to PQC Now? 1. PQC works on current computers 2. More secure against quantum and classical attacks 3. It’s hard to estimate when quantum threat will occur 4. Transitioning cryptography takes many years 5. Some implementations may not be able to switch cryptography in time, e.g. a satellite goes into space for 30 years 6. Government agencies announced switch to PQC based on NIST results
  17. 17. NIST Competition Currently (Encryption / Signatures / Overall) • Lattice: 9 / 3 / 12 • Code: 7 / 0 / 7 • Multivariate: 0 / 4 / 4 • Hash: 0 / 2 / 2 • Isogeny: 1 / 0 / 1 • Total: 17 / 9 / 26
  18. 18. Lattice-Based Cryptography • Cryptography based on hard lattice problems • 1996: NTRU (Hoffstein, Pipher, Silverman) • NIST: 9 Encryption, 3 Digital Signatures • Pros • Efficient, simple, adaptable • Secure: some schemes as secure as worst-case lattice problems • Cons • Large key sizes
  19. 19. Lattice
  20. 20. Hard Lattice Problems • Shortest Vector Problem (SVP): Given a basis for a lattice, find the shortest nonzero vector in the lattice. • Given a ‘bad’ basis, this is NP-hard • Closest Vector Problem (CVP): Given a basis for a lattice and a target vector, find the closest lattice vector. • Generalization of SVP – same hardness • Special Case is the Bounded Distance Decoding (BDD) Problem: Given a basis for a lattice and a target vector of distance at most m to the lattice, find the closest lattice vector. (Figures: SVP, CVP)
  21. 21. Learning With Errors • b1 = <a1, s> + e1 mod q • b2 = <a2, s> + e2 mod q • … • bm = <am, s> + em mod q • Each ai is a random vector • s is the secret vector • Each ei is the error term – a small random number • Problem: Given the pairs (ai, bi) for i = 1, … , m, find the secret vector s • Formulated as a Bounded Distance Decoding lattice problem: Given a matrix A = {(ai)} and b = {(bi)} = As + e mod q, where e is from the error distribution, find the target vector s close enough to the lattice generated by solutions to y = As mod q (Figure: Buchanan 2018)
  22. 22. LWE Lattice Scheme: Asymmetric Encryption & Decryption (diagram: Alice, Bob, Eve) • 1. KEY GENERATION • Private Key: s • b1 = <a1, s> + e1 mod q • b2 = <a2, s> + e2 mod q • … • bm = <am, s> + em mod q • Alice sends public key to Bob • 2. ENCRYPTION • Bob has bit x = 0 or 1 • Bob sends ciphertext (a,b) to Alice • 3. DECRYPTION • Public Key: Recover s by solving Bounded Distance Decoding Problem
  23. 23. Lattice-based • Encryption Schemes (9) • FrodoKEM: LWE • LAC: LWE • NewHope: Ring LWE • NTRU: Ring LWE • Kyber: Module LWE • Three Bears: Module LWE • Round5: Learning with Rounding (LWR) • NTRU Prime: Ring LWR • SABER: Module LWR • Digital Signatures (3) • CRYSTALS-DILITHIUM: Module LWE • FALCON: Ring LWE • qTESLA: Ring LWE
  24. 24. Code-Based Cryptography • Cryptography based on error correcting codes: maps that ‘correct’ the error of an input, i.e. f(x+e) = x for small error e • 1978: McEliece • NIST: 7 Encryption • Classic McEliece • NTS-KEM • BIKE • HQC • LEDAcrypt • Rollo • RQC • Pros • Fast to encrypt/decrypt • Hardness well studied and understood (>40 years) • Cons • Large key sizes (10,000-1 million bits)
  25. 25. Error Correcting Codes A map is error correcting if it sends an input (+/- small error) back to itself, that is, it ’corrects the error’
  26. 26. McEliece Code-based Scheme: Asymmetric Encryption & Decryption (diagram: Alice, Bob, Eve) • 1. KEY GENERATION • Private Key: • Public Key: • Alice sends public key G to Bob • 2. ENCRYPTION • Bob has message m vector • Given message m and small random error vector e, get ciphertext • Bob sends ciphertext c to Alice • 3. DECRYPTION • Public Key: Find without knowing error e
  27. 27. Multivariate Cryptography • Cryptography based on polynomial equations in multiple variables • 1998: C* (Matsumoto Imai) now broken but inspired other schemes • 1996: HFE Hidden Field Equations (Patarin) • NIST: 4 Digital Signatures • GeMSS • LUOV • MQDSS • Rainbow • Pros • Fast (much faster than RSA) • Small signature size • Operations are simple arithmetic • Cons • Large key sizes (80,000-800,000 bits) • Security analysis difficult
  28. 28. Hash-Based Cryptography • Cryptography based on hash functions • 1978: Combine one-time hash signatures with Merkle trees (Merkle) • NIST: 2 Digital Signatures • Picnic • SPHINCS+ • Pros • Only security assumption is security of hash function • Easily replace hash functions with newer/efficient/secure • Fast • Cons • Large private key and signatures • Only finite number of signatures
  29. 29. Isogeny-Based Cryptography • Cryptography based on maps between elliptic curves • 2011: SIDH Supersingular Isogeny Diffie-Hellman (De Feo, Jao, Plût) • NIST: 1 Encryption • SIKE (Supersingular Isogeny Key Exchange) • Pros • Smallest key sizes of all remaining cryptosystems: 6,000 bits • Cons • Security problem upon which SIKE is based has not been studied as much • Slower than many other candidates (Leuven, 2019)
  30. 30. CONCLUSIONS • Cryptography ensures secure communication in the presence of third parties through difficult math problems • Quantum computer uses quantum mechanics • Quantum algorithms (e.g. Shor’s Algorithm) can break current public key cryptography (e.g. RSA, ECC) • Post-Quantum Cryptography runs on our current computers but is (conjectured) secure against quantum and classical computers
  31. 31. Conclusions: PQC Types • Lattice-Based Cryptography: Learning with Errors • Code-Based Cryptography (encryption): Error Correcting Codes • Multivariate Cryptography (signatures): Equations in Multiple Variables • Hash-Based Cryptography (signatures): Hash functions and Merkle Trees • Isogeny-Based Cryptography (encryption): Maps between Elliptic Curves
  32. 32. Emily Stamm Security Research Engineer | Allstate Vice President | CSNP Email: emily.stamm@cnsp.org Resources NIST PQC Competition: https://csrc.nist.gov/Projects/Post-Quantum-Cryptography Thank You!
  33. 33. References • Thor Labs, https://www.thorlabs.com/newgrouppage9.cfm?objectgroup_id=9869 • Jeremy Kahn, 2018, https://www.bloomberg.com/news/articles/2018-06-29/why-quantum-computers-will-be-super-awesome-someday-quicktake • Buchanan, Learning With Errors and Ring Learning With Errors, 2018, https://medium.com/asecuritysite-when-bob-met-alice/learning-with-errors-and-ring-learning-with-errors-23516a502406 • KU Leuven, ELLIPTIC CURVES ARE QUANTUM DEAD, LONG LIVE ELLIPTIC CURVES, 2019, https://www.esat.kuleuven.be/cosic/elliptic-curves-are-quantum-dead-long-live-elliptic-curves/
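
The key generation, encryption and decryption steps of the LWE scheme on slides 21 and 22, as an added example that is not part of the original deck. It assumes the textbook Regev single-bit construction (the slide's own formulas did not survive), with toy parameters N, M, Q chosen for illustration and far too small to be secure; `solve_without_error` is a hypothetical helper showing that the same samples with every e_i = 0 give up s to plain Gaussian elimination.

```python
import secrets

# Toy parameters (assumptions for illustration; not secure sizes).
N, M, Q = 8, 32, 3329      # secret length n, sample count m, prime modulus q

def dot(a, s):
    return sum(x * y for x, y in zip(a, s)) % Q

def keygen(err=1):
    """Return (s, pub): pub holds m pairs (a_i, b_i = <a_i, s> + e_i mod q)."""
    s = [secrets.randbelow(Q) for _ in range(N)]
    pub = []
    for _ in range(M):
        a = [secrets.randbelow(Q) for _ in range(N)]
        e = secrets.randbelow(2 * err + 1) - err      # e_i in [-err, err]
        pub.append((a, (dot(a, s) + e) % Q))
    return s, pub

def encrypt(pub, bit):
    """Sum a random subset of the samples, then add bit * floor(q/2) to b."""
    chosen = [p for p in pub if secrets.randbits(1)]
    a = [sum(p[0][j] for p in chosen) % Q for j in range(N)]
    b = (sum(p[1] for p in chosen) + bit * (Q // 2)) % Q
    return a, b

def decrypt(s, ct):
    """b - <a, s> is the summed error (bit 0) or q/2 plus that error (bit 1)."""
    a, b = ct
    d = (b - dot(a, s)) % Q
    return 1 if Q // 4 < d < 3 * Q // 4 else 0

def solve_without_error(pub):
    """Gaussian elimination mod q: returns s only when every e_i is 0."""
    rows = [a + [b] for a, b in pub]
    for col in range(N):
        piv = next(r for r in range(col, len(rows)) if rows[r][col])
        rows[col], rows[piv] = rows[piv], rows[col]
        inv = pow(rows[col][col], -1, Q)              # q is prime, so this exists
        rows[col] = [x * inv % Q for x in rows[col]]
        for r in range(len(rows)):
            if r != col and rows[r][col]:
                f = rows[r][col]
                rows[r] = [(x - f * y) % Q for x, y in zip(rows[r], rows[col])]
    return [rows[i][N] for i in range(N)]

if __name__ == "__main__":
    s, pub = keygen()
    print([decrypt(s, encrypt(pub, x)) for x in (0, 1, 1, 0)])
    s0, pub0 = keygen(err=0)
    print(solve_without_error(pub0) == s0)
```

Decryption is always correct here because the summed error is at most M * err = 32, well below q/4.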