DefCamp, profile picture
Uploaded byDefCamp
PPTX, PDF264 views

Lattice based Merkle for post-quantum epoch

The document discusses various cryptographic systems, particularly focusing on the vulnerabilities of RSA encryption due to advancements in quantum computing, emphasizing the need for post-quantum alternatives. It outlines issues with current algorithms, such as one-time pads and public-key systems, and presents alternatives like lattice-based cryptography and hash-based digital signature schemes. Additionally, it highlights the necessity of developing efficient and secure systems to safeguard against potential quantum attacks.

Technology◦
Related topics:
Cyber-Security• Information Security•

Embed presentation

Download to read offline
Lattice based Merkle for post-quantum epoch Maksim Iavich
Private Key Encryption C cypher K Kkeykey mmessage c := Enck(m) Encryption Decryption m := Deck(c) Deck(Enck(m)) = m
 M = {0,1}n  Gen: k  {0,1}n  Enck(m) = k  m  Deck(c) = k  c  Truth: Deck( Enck(m) ) = k  (k  m) = (k  k)  m = m One-time pad 0  1 = 1 0  0 = 0 1  0 = 1 1  1 = 1 A  A = 0
One-time pad key n bits message n bits Cipher text n bits 
Problems:  The size of the key must be the same as message (quite large)  Is secure if one key is used once to decrypt only one message. One-time pad
 c1 = k  m1 c2 = k  m2  Attacker is able: c1  c2 = (k  m1)  (k  m2) = m1  m2  Leaks information about m1 and m2 Use key twice ?
 G – defined polynomial time algorithm  G increases: |G(x)| = p(|x|) > |x| PRGs seed G output
“Pseudo” one-time pad “pseudo” key p bits  G key n bits cipher text p bits message p bits By means of this key size is increased
Public-key encryption pk, skpk c  Encpk(m) m = Decsk(c) c pk pk
“Plain” RSA encryption m = [cd mod N] (N, e, d)  RSAGen(1n) pk = (N, e) sk = d N, e c = [me mod N] c
 GOOGLE Corporation, in conjunction with with the company D-Wave signed contract about creating quantum computers. D-Wave 2X - is the newest quantum processor, which contains 2,048 physical qubits. To perform calculations in the processor are used 1152 qubits.  Each additional qubit doubles the data search area, thus is also significantly increased the calculation speed. Quantum computers will destroy systems based on the problem of factoring integers (e.g., RSA). RSA cryptosystem is used in different products on different platforms and in different areas. Quantum computers RSA system is widely used in operating systems from Microsoft, Apple, Sun, and Novell. In hardware performance RSA algorithm is used in secure phones, Ethernet, network cards, smart cards, and is also widely used in the cryptographic hardware. Along with this, the algorithm is a part of the underlying protocols protected Internet communications, including S / MIME, SSL and S / WAN, and is also used in many organizations, for example, government, banks, most corporations, public laboratories and universities.
 RSA BSAFE encryption technology is used approximately by 500 million users worldwide. Since in encryption technology is mostly used the RSA algorithm, it can be considered one of the most common public key cryptosystems being developed together with the development of the Internet.  On this basis the RSA destruction will entail easy hacking of most products that can grow into a complete chaos. RSA BSAFE
Hash-based Digital Signature Schemes: One of RSA alternatives are Hash-based Digital Signature Schemes. The safety of these systems depends on the security of cryptographic hash functions. A code-based public-key encryption system: McEliece example. In this system the public key is (Gnew, t), and the private key is (S, G, P), where G is k x n generator matrix for the code C. C is random binary (n, k)-linear code, that is capable to improve t errors. N is the number of code words, k is dimension of C. S is a random k x k binary nonsingular matrix. P is a random n x n binary permutation matrix. Gnew = S * G * P; k x n matrix. To encrypt the message we must encrypt message m as a binary string with the length k; cyp = m x Gnew; is generated random n-bit error vector v with the weight t. The cypher is calculated as c= cyp+v. For decoding is calculated cyp = c*P-1; Using decryption algorithm of C is calculated mnew= m*S => m= mnew*S-1 RSA ALTERNATIVES
 Lattice-based Cryptography: proofs are based on worst-case hardness.  Multivariate public key cryptosystem – MPKCs: have a set of(usually) quadratic polynomials over a finite field. Security assumption is backed by the NP-hardness of the problem to solve nonlinear equations over a finite field. RSA ALTERNATIVES
 To date are already found successful attacks on this crypto system.  The Ph.D. candidate of Dublin City University (DCU) Neill Costigan with the support of Irish Research Council for Science, Engineering and Technology (IRCSET), together with professor Michael Scott, Science Foundation Ireland (SFI) member successfully were able to carry out an attack on the algorithm. To do this they needed 8,000 hours of CPU time. In the attack representatives of four other countries took part. Scientists have discovered that the initial length of the key in this algorithm is insufficient and should be increased.  This system cannot be also used to encrypt the same message twice and to encrypt the message when is known it’s relation with the other message. Successful attacks
 Should be noted the importance of efficiency spectrum. To date experts have reached quite good results in the speed algorithm processing. According to the investigation results it becomes clear that the proposed post-quantum cryptosystems are relatively little effective. Implementation of the algorithms requires much more time for their processing and verification.  Inefficient cryptography may be acceptable for the general user, but it cannot be acceptable for the internet servers that handle thousands of customers in the second. Today, Google has already has problems with the current cryptography. It is easy to imagine what will happen when implementing crypto algorithms will take more time.  The development and improvement of modern cryptosystems will take years. Moreover, all the time are recorded successful attacks on them. When is determined the encryption function, and it becomes standard, it needs the appropriate implementation of the corresponding software, and in most cases, hardware.
 During the implementation it is necessary to ensure not only correct work of the function and the speed of its efficiency, but also to prevent any kind of leaks. Recently have been recorded successful «cache-timing» attacks on RSA and AES system, as a result of that Intel has added the AES instructions to its processors.  McEliece system is vulnerable to attacks, related to side channel attacks. Was shown the successful timing attack on Patterson algorithm. This attack does not detect the key, but detects an error vector that can successfully decrypt the message cipher.  As we can see, for the creation and implementation of safe and effective post-quantum cryptosystems it is necessary to fulfill the rather big work. From the foregoing it is clear that today we are not ready to transfer cryptosystems into post-quantum era. In the near future we cannot be sure in the reliability of the systems.
 Traditional digital signature systems that are used in practice are vulnerable to quantum computers attacks. The security of these systems is based on the problem of factoring large numbers and calculating discrete logarithms. Scientists are working on the development of alternatives to RSA, which are protected from attacks by quantum computer. One of the alternatives are hash based digital signature schemes. These systems use a cryptographic hash function. The security of these digital signature systems is based on the collision resistance of the hash functions that they use. RSA ALTERNATIVES – HASH BASED
 Keys generation in this system occurs as follows: the signature key X of this system consists of 2n lines of length n, and is selected randomly.  X= (xn-1[0], xn-1[1], …, x0[0], x0[1]) ∈ {0,1} n,2n  Verification key Y of this system consists of 2n lines of length n, and is selected randomly.  Y= (yn-1[0], yn-1[1], …, y0[0], y0[1]) ∈ {0,1} n,2n  This key is calculated as follows:  yi[j] = f(xi[j]), 0<=i<=n-1, j=0,1  f – is one-way function:  f: {0,1} n {0,1} n;  To generate the verification key, it is needed to use the function f 2n time. LAMPORT–DIFFIE ONE-TIME SIGNATURE SCHEME (KEY GENERATION)
 To sign a message m of arbitrary size, we transform it into size n using the hash function:  h(m)=hash = (hashn-1, … , hash0)  Function h- is a cryptographic hash function:  h: {0,1} *{0,1} n  The signature is done as follows:  sig= (xn-1[hashn-1], …, x0[hash0]) ∈ {0,1} n,n  i-th string in this signature is equals to xi[0], if i-th bit in sign is equal to 0. The string is equal to xi[1], if i-th bit in sign is equal to 1.  Signature length is n2 and during signature we do not use f function. DOCUMENT SIGNATURE
 To verify the signature sig = (sign-1, …, sig0), is calculated hash of the message hash = (hashn-1, … , hash0) and the following equality is checked:  (f(sign-1), …, f(sig0)) = (yn-1[hashn-1], …, y0[hash0])  If the equation is true, then the signature is correct.  For the verification f function must be used n times. DOCUMENT VERIFICATION
 Keys generation in this system occurs as follows: the signature key X of this system consists of n lines of length p, the key is selected randomly. Winternitz parameter is selected w> = 2, it is equal to the number of bits to be signed simultaneously. Is calculated p1=n/w and p2=(log2p1 +1+w)/w, p= p1+ p2  The signature key X of this system consists of p lines of length n selected randomly:  X= (xp-1[0], …, x0) ∈ {0,1} n,p  Verification key is following:  Y= (yp-1[0], …, y0) ∈ {0,1} n,p, where  yi=f2^w-1(xi), 0<=i<=p-1  The length of the signature and the verification key is equal to np bits, and to generate the verification key, function f must be used p(2w-1) times. WINTERNITZ ONE TIME SIGNATURE SCHEME. KEY GENERATION
 We hash the message hash=h(m) and prepend to hash the minimum number of zeros in order to get the length of hash devisable by w. Afterwards we divide it into p1 parts of length w.  hash=kp-1,…, kp-p1  the checksum is calculated:  с=∑i=p-p1 p-1(2w-ki)  as c<= p12w, the length of its binary representation is log2 p12w+1  We prepend to its binary representation the minimum number of zeros in order to get the length of representation devisable by w, and divide it into p2 parts of length w.  с=kp2-1,…, k0  we calculate the signature of the message m:  sig=(f^kp-1(xp-1), …, f^k0(x0))  In the worst case, for the signature function f must be used ,p(2w-1) times. Signature size is pn. SIGNATURE GENERATION
 For signature verification sig = (sign-1, …, sig0) bit strings are calculated kp- 1,…, k0.  We verify the following equality:  (f^(2w-1-kp-1))(sign-1), …, (f^(2w-1-k0))(sig0) = yn-1, … y0  If the signature is correct, then sigi =f^ki(xi), so  (f^(2w-1-ki))(sigi)= (f^(2w-1))(xi)=yi is equal for every i=p-1,…, 0  In the worst case, for the signature verification function f must be used ,p(2w-1) times SIGNATURE VERIFICATION
 One-time signature schemes are very inconvenient to use, because to sign each message, you need to use a different key pair. Merkle crypto-system was proposed to solve this problem. This system uses a binary tree to replace a large number of verification keys with one public key, the root of a binary tree. This cryptosystem uses an one-time Lamport or Winternitz signature scheme and a cryptographic hash function:  h:{0,1}*{0,1}n  Key generation: The length of the tree is chosen H>=2, with one public key it is possible to sign 2H documents. 2H signature and verification key pairs are generated; Xi, Yi, 0<=i<=2H. Xi- is signature key, Yi- is verification key. h(Yi) are calculated and are used as the leaves of the tree. Each tree node is a hash value of concatenation of its children. MERKLE
MERKLE TREE
 To sign a message m of arbitrary size we transform it into size n using the hash function  h (m) = hash, and generate an one-time signature using any one-time key Xany , the document's signature will be the concatenation of: one time signature, one-time verification key Yany, index any and all fraternal nodes authi in relation to Yany.  Signature= (sig||pub||any|| Yany||auth0,…,authH-1)  Signature verification:  To verify the signature we check the one-time signature of sig using Yany, if it is true, we calculate all the nodes a [i, j] using “authi”, index “any” and Yany. We compare the last node, the root of the tree with public key, if they are equal, then the signature is correct. SIGNATURE GENERATION
 To generate a public key you need to calculate and store 2H pairs of one-time keys. Storing this amount of information is not effective in practice. In order to save space, it was suggested to use the PRNG random number generator. When using PRNG, it is sufficient to store only the seed of the generator and use it to generate one-time keys. It is necessary to calculate one-time keys twice: once in the key generation stage and then in the signature stage of the message. PRNG receives a seed of length n and outputs a new seed and a random number of length n.  PRNG : {0, 1}n: {0, 1}n x {0, 1}n  Key generation using PRNG:  We choose randomly the seed s0 of length n, using si we work out soti, as following:  PRNG(si) = (soti , si+1) 0 ≤ i <2H  soti changes each time when PRNG launches. For Xi key calculation it is enough to know only si. PRNG INTEGRATION
PRNG INTEGRATION
 Quantum computers are able to crack PRNG, which were considered safe against attacks of classical computers. A polynomial quantum time attack on PRNG Blum-Micali is shown. This PRNG is considered safe from threats of standard computers. This attack uses Grover algorithm along with the quantum discrete logarithm, and is able to restore the values at the generator output for this attack. The attacks like these represent a threat of cracking PRNG, used in many real-world crypto systems. As we see, Merkle crypto system with built-in PRNG can be vulnerable to attacks of quantum computers. We suggest using a true random number generator based on qubits, TRNG. Breaking PRNG
 Let’s consider a system with one qubit. The quantum state of a qubit is denoted by: α|0>+β |1>, where α and β are complex numbers; |α|2+ |β|2=1  |0> - is the ground state of qubit, |1>- is the excited state of qubit  This qubit is in the state |0> with probability α2 and likewise in a state |1> with probability β2.  When a qubit is measured, it is in one of two states with probability 1.  Let’s consider a system with two qubits. The quantum state of two qubits is denoted by: α00|00>+ α01 |01>+ α10|10>+ α11 |11>  where αi are complex numbers; ∑| αi|2=1.  We connect these qubits using Bell state, in this case the quantum state of these qubits is denoted by:  1/21/2|00>+1/21/2|11>, so when we measure a given qubit, it will be in a state |0> with probability ½ and likewise in a state |1> also with probability ½. When we measure the second qubit, it will be in the opposite state of the first qubit when we measured it with probability 1.  When we measure n qubits we can get the true number of size n. Quantum TRNG
 Key generation using quantum TRNG:  We choose the tree height H>=2. We can sign 2H documents using one public key. A connection is established between two qubits using Bell state. We take 2H pairs of such qubit sets qi and bi ; every qi and bi consists of n qubits. 0<=i<=2H; We measure 2H*n qubits qi and we get 2H signature keys Xi and calculate the verification keys Yi. h(Yi) are calculated and are used as leaves of a tree.  Signature and verification of the message:  To sign a message m of arbitrary size we transform it into size n using the hash function h(m) = hash, we measure any set, that contains n qubits , bany  qany=Xany with probability equal to 1. We generate one time signature using one- time signature key Xany, the document's signature will be the concatenation of: one time signature, one-time verification key Yany, index “any” and all fraternal nodes authi in relation to Yany.  Signature= (sig||pub||any|| Yany||auth0,…,authH-1)  Verification of the message occurs similarly to the standard Merkle system.  Security of the system with built-in quantum TRNG.  The system is secure, because we do not change the principle of the crypto system, but only integrate TRNG, to reduce the size of the signature key. TRNG is completely safe; it is based on the state of qubits, which are real random numbers.
Lamport Winternitz Merkle Use f to generate keys 2n p(2w-1) 2H+1-1 Use f to calculate the signature Is not used p(2w-1) Use f to generate verify the signature n p(2w-1)
 We propose to use as the hash function, the lattice-based hash function, and to use lattice based one-way function as an one-way function in hash-based digital signature schemes.  Hash functions are considered resistant to quantum computer attacks, but the Grover algorithm allows us to achieve quadratic acceleration in the search algorithms. It means that hash functions must be complicated to be secure against quantum computers attacks. Studies are conducted to determine the cost of attacks on SHA2 and SHA3 families of hash functions, using the Grover algorithm ONE WAY and HASH
 Collision resistant hash functions based on lattices were proposed. Ajtai suggested the family of hash functions, the security of which is based on the worst case, the SVP with approximation ratio of nc, where n is constant. To construct a family of hash functions as parameters are used integers: n, m, q and d.  Parameter n defines the safety of hash function. The key to a hash function specified by the matrix M, chosen uniformly from Z q n×m. Hash function is  hM : {0, . . . , d−1}m → Zq n. The function maps mlogd bits to nlogq bits for input compression, m> log q / log d. This hash function is very easy to implement, because we use only addition and multiplication modulo q, which size is O (log n). Systems based on lattices
 We propose to use as the hash function, the lattice-based hash function, and to use lattice based one-way function as an one-way function in hash-based digital signature schemes.  The family of one-way functions, suggested by Ajtai, can be used. In the case of hash functions, as the key, we select the matrix K from Zn×m a, which transforms mlog b into nlog a number of bits and we calculate h(x) = Kx mod a.  In the case of a one-way function, we select the matrix K from Zm×m b, as the key. It transforms mlog b into mlog b number of bits and we compute f(x) = Kx mod a. HASHED MERKLE
 Should be noted the problem of the effectiveness of these functions, the size of their key grows quadratically in n, so these functions are ineffective. Due to the attacks on these functions by combinatorial method , for the security of 100-bit, you need to use a key of 500,000 bits size. Efficiency problems
MAKSIM IAVICH SCIENTIFIC CYBER SECURITY ASSOCIATION ; CAUCASUS UNIVERSITY T. +(995 595) 511355; E-mail: m.iavich@scsa.ge www.scsa.ge Scientific&practical cyber security journal – www.journal.scsa.ge THANK YOU! QUESTIONS?

More Related Content

PPTX
Ch9
byMahender Kumar
 
PPT
Rsa
byismaelhaider
 
PDF
rsa-1
byaniruddh Tyagi
 
PPT
The rsa algorithm
byKomal Singh
 
PDF
An Image Encryption using Chaotic Based Cryptosystem
byxlyle
 
DOC
Implementation of bpsc stegnography ( synopsis)
byMumbai Academisc
 
DOCX
RSA - ENCRYPTION ALGORITHM CRYPTOGRAPHY
byQualcomm
 
PDF
F010243136
byIOSR Journals
 
Ch9
byMahender Kumar
 
Rsa
byismaelhaider
 
rsa-1
byaniruddh Tyagi
 
The rsa algorithm
byKomal Singh
 
An Image Encryption using Chaotic Based Cryptosystem
byxlyle
 
Implementation of bpsc stegnography ( synopsis)
byMumbai Academisc
 
RSA - ENCRYPTION ALGORITHM CRYPTOGRAPHY
byQualcomm
 
F010243136
byIOSR Journals
 

What's hot

PPTX
Rsa cryptosystem
byAbhishek Gautam
 
PPTX
Key reinstallation attacks forcing nonce reuse in wpa2
byUniversitĂ  Degli Studi Di Salerno
 
PPTX
RSA - ALGORITHM by Muthugomathy and Meenakshi Shetti of GIT COLLEGE
byQualcomm
 
PPT
RSA Algorithm - Public Key Cryptography
byMd. Shafiul Alam Sagor
 
PPT
Ch09
byJoe Christensen
 
PPT
Rsa
byNavneet Sharma
 
PDF
Lattice Based Cryptography - GGH Cryptosystem
byVarun Janga
 
PPTX
Public Key Cryptography
byGopal Sakarkar
 
PDF
Introduction - Lattice-based Cryptography
byAlexandre Augusto Giron
 
PPTX
Information and data security public key cryptography and rsa
byMazin Alwaaly
 
PPTX
Cryptography & Network Security By, Er. Swapnil Kaware
byProf. Swapnil V. Kaware
 
PPTX
An Image Encryption using Chaotic Based Cryptosystem
byxlyle
 
PDF
RSA Algorithm
byJoon Young Park
 
PDF
Threshold-optimal DSAECDSA signatures and an application to Bitcoin wallet se...
byNational Chengchi University
 
PPTX
3 pkc+rsa
byShashank Mishra
 
PPT
Cupdf.com public key-cryptography-569692953829a
byjsk1950
 
PDF
Public key cryptography
byrinnocente
 
PPTX
Performance evluvation of chaotic encryption technique
byAncy Mariam Babu
 
PPT
104 Icdcit05
byDebapriyay Mukhopadhyay
 
PPT
public-key cryptography Shamir
byInformation Security Awareness Group
 
Rsa cryptosystem
byAbhishek Gautam
 
Key reinstallation attacks forcing nonce reuse in wpa2
byUniversitĂ  Degli Studi Di Salerno
 
RSA - ALGORITHM by Muthugomathy and Meenakshi Shetti of GIT COLLEGE
byQualcomm
 
RSA Algorithm - Public Key Cryptography
byMd. Shafiul Alam Sagor
 
Ch09
byJoe Christensen
 
Rsa
byNavneet Sharma
 
Lattice Based Cryptography - GGH Cryptosystem
byVarun Janga
 
Public Key Cryptography
byGopal Sakarkar
 
Introduction - Lattice-based Cryptography
byAlexandre Augusto Giron
 
Information and data security public key cryptography and rsa
byMazin Alwaaly
 
Cryptography & Network Security By, Er. Swapnil Kaware
byProf. Swapnil V. Kaware
 
An Image Encryption using Chaotic Based Cryptosystem
byxlyle
 
RSA Algorithm
byJoon Young Park
 
Threshold-optimal DSAECDSA signatures and an application to Bitcoin wallet se...
byNational Chengchi University
 
3 pkc+rsa
byShashank Mishra
 
Cupdf.com public key-cryptography-569692953829a
byjsk1950
 
Public key cryptography
byrinnocente
 
Performance evluvation of chaotic encryption technique
byAncy Mariam Babu
 
104 Icdcit05
byDebapriyay Mukhopadhyay
 
public-key cryptography Shamir
byInformation Security Awareness Group
 

Similar to Lattice based Merkle for post-quantum epoch

PPTX
Public-Key Cryptography- ApplicationsRSA
byDr.Manjunath Kotari
 
PPT
RSA
bybansidhar11
 
PPT
Rsa
bymagentie
 
PDF
Post quantum cryptography - thesis
bySamy Shehata
 
PPT
Unit --3.ppt
byDHANABALSUBRAMANIAN
 
PPTX
Ch9_Cryptokkkllllllllllllllllllllk6e.pptx
byLaxmanBhandari22
 
PPTX
Network security
byABHISHEK KUMAR
 
PDF
international security system data threats
bygacop74666
 
PDF
PRINCIPLES OF INFORMATION SYSTEM SECURITY
bygacop74666
 
PDF
Post Quantum Cryptography - Emerging Frontiers
byGokul Alex
 
PDF
A Comparative Study between RSA and MD5 algorithms
byEr Piyush Gupta IN ⊞⌘
 
PDF
encryption and decryption
bySri Manakula Vinayagar Engineering College
 
PDF
Chapter 8 cryptography lanjutan
bynewbie2019
 
ODP
Network Security Topic 4 cryptography2
byKhawar Nehal khawar.nehal@atrc.net.pk
 
DOC
DOCS ON NETWORK SECURITY
byTuhin_Das
 
PPTX
Cryptography Key Management.pptx
bySurendraBasnet6
 
PDF
Intro to Cryptography
byGalin Dinkov
 
PPTX
IS413 Topic 5.pptx
byWarrenPhiri4
 
PDF
Ao318992
byIJMER
 
PPTX
Security
bySaqib Shehzad
 
Public-Key Cryptography- ApplicationsRSA
byDr.Manjunath Kotari
 
RSA
bybansidhar11
 
Rsa
bymagentie
 
Post quantum cryptography - thesis
bySamy Shehata
 
Unit --3.ppt
byDHANABALSUBRAMANIAN
 
Ch9_Cryptokkkllllllllllllllllllllk6e.pptx
byLaxmanBhandari22
 
Network security
byABHISHEK KUMAR
 
international security system data threats
bygacop74666
 
PRINCIPLES OF INFORMATION SYSTEM SECURITY
bygacop74666
 
Post Quantum Cryptography - Emerging Frontiers
byGokul Alex
 
A Comparative Study between RSA and MD5 algorithms
byEr Piyush Gupta IN ⊞⌘
 
encryption and decryption
bySri Manakula Vinayagar Engineering College
 
Chapter 8 cryptography lanjutan
bynewbie2019
 
Network Security Topic 4 cryptography2
byKhawar Nehal khawar.nehal@atrc.net.pk
 
DOCS ON NETWORK SECURITY
byTuhin_Das
 
Cryptography Key Management.pptx
bySurendraBasnet6
 
Intro to Cryptography
byGalin Dinkov
 
IS413 Topic 5.pptx
byWarrenPhiri4
 
Ao318992
byIJMER
 
Security
bySaqib Shehzad
 

More from DefCamp

PPTX
We will charge you. How to [b]reach vendor’s network using EV charging station.
byDefCamp
 
PPTX
The Charter of Trust
byDefCamp
 
PDF
Remote Yacht Hacking
byDefCamp
 
PPTX
Economical Denial of Sustainability in the Cloud (EDOS)
byDefCamp
 
PPTX
Building application security with 0 money down
byDefCamp
 
PPTX
Drupalgeddon 2 – Yet Another Weapon for the Attacker
byDefCamp
 
PPTX
Trust, but verify – Bypassing MFA
byDefCamp
 
PDF
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
byDefCamp
 
PPTX
Bridging the gap between CyberSecurity R&D and UX
byDefCamp
 
PPTX
Internet Balkanization: Why Are We Raising Borders Online?
byDefCamp
 
PPTX
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
byDefCamp
 
PPTX
Timing attacks against web applications: Are they still practical?
byDefCamp
 
PPTX
Secure and privacy-preserving data transmission and processing using homomorp...
byDefCamp
 
PPTX
Catch Me If You Can - Finding APTs in your network
byDefCamp
 
PPTX
The lions and the watering hole
byDefCamp
 
PPTX
Implementation of information security techniques on modern android based Kio...
byDefCamp
 
PPTX
Threat Hunting: From Platitudes to Practical Application
byDefCamp
 
PPTX
Connect & Inspire Cyber Security
byDefCamp
 
PPTX
The challenge of building a secure and safe digital environment in healthcare
byDefCamp
 
PPTX
Tor .onions: The Good, The Rotten and The Misconfigured
byDefCamp
 
We will charge you. How to [b]reach vendor’s network using EV charging station.
byDefCamp
 
The Charter of Trust
byDefCamp
 
Remote Yacht Hacking
byDefCamp
 
Economical Denial of Sustainability in the Cloud (EDOS)
byDefCamp
 
Building application security with 0 money down
byDefCamp
 
Drupalgeddon 2 – Yet Another Weapon for the Attacker
byDefCamp
 
Trust, but verify – Bypassing MFA
byDefCamp
 
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
byDefCamp
 
Bridging the gap between CyberSecurity R&D and UX
byDefCamp
 
Internet Balkanization: Why Are We Raising Borders Online?
byDefCamp
 
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
byDefCamp
 
Timing attacks against web applications: Are they still practical?
byDefCamp
 
Secure and privacy-preserving data transmission and processing using homomorp...
byDefCamp
 
Catch Me If You Can - Finding APTs in your network
byDefCamp
 
The lions and the watering hole
byDefCamp
 
Implementation of information security techniques on modern android based Kio...
byDefCamp
 
Threat Hunting: From Platitudes to Practical Application
byDefCamp
 
Connect & Inspire Cyber Security
byDefCamp
 
The challenge of building a secure and safe digital environment in healthcare
byDefCamp
 
Tor .onions: The Good, The Rotten and The Misconfigured
byDefCamp
 

Recently uploaded

PDF
Skills to Pass the UiPath Agentic Automation Associate (UiAAA) Certification
byUiPathCommunity
 
PPTX
Coded Agents – with UiPath SDK + LlamaIndex.pptx
bysuhanisingh58689
 
PDF
Getting the Best of TrueDEM – January News & Updates
bypanagenda
 
PPTX
apidays Australia 2025 | Building AI RAG Applications with No Code.pptx
byapidays
 
PDF
Safer’s Picks: Recent FME Enhancements with Big Everyday Impact
bySafe Software
 
PDF
apidays Australia 2025 | User Brainpower vs. AI Blind Spots in API Docs
byapidays
 
PDF
Enterprise Data Services_ A Development Guide with Use Cases, Trends and Impl...
by2601harsh23
 
PPTX
Dell poweredge-customer-presentation.pptx
byhungungphu123
 
PDF
How to Build a Crypto Wallet that Excels in 2026.pdf
byimoliviabennett
 
PDF
Azure DevOps Managed Services: Driving Speed, Security, and Business Growth
byjohncarterjn
 
PPTX
API Gateway Architecture - Technical Report 2026
byPowersoft2026
 
PDF
apidays Australia 2025 | The Strategic Role of APIs in Digital Transformation
byapidays
 
PDF
How the EU Ecolabel's Record Growth Creates ESG Opportunities for CRE
byWastify AI
 
PPTX
Achieve enterprise automation with SAP BTP solutions and SAP Signavio
bydarrellkiwi
 
PDF
How to Design Premium Health (Public Health) PPT Using AI? Top Strategies
byPublic Health Concern Nepal
 
PDF
Teaching Robots how to Read 1/2: AI Center & Classic Document Understanding (...
byanabulhac
 
PPTX
Advance Computer Architecture Lecture 4.pptx
byBottshikanBottshikan
 
PPT
Database Management Systems: Basics, History, Data Models, etc.
byParithi Thamizh
 
PDF
Ethical AI applied to publishing: Presenting wâsikan kisewâtisiwin, an AI too...
byBookNet Canada
 
PPTX
Single Cell Protein from Methane or Methanol - Process development research c...
byJohn Downs
 
Skills to Pass the UiPath Agentic Automation Associate (UiAAA) Certification
byUiPathCommunity
 
Coded Agents – with UiPath SDK + LlamaIndex.pptx
bysuhanisingh58689
 
Getting the Best of TrueDEM – January News & Updates
bypanagenda
 
apidays Australia 2025 | Building AI RAG Applications with No Code.pptx
byapidays
 
Safer’s Picks: Recent FME Enhancements with Big Everyday Impact
bySafe Software
 
apidays Australia 2025 | User Brainpower vs. AI Blind Spots in API Docs
byapidays
 
Enterprise Data Services_ A Development Guide with Use Cases, Trends and Impl...
by2601harsh23
 
Dell poweredge-customer-presentation.pptx
byhungungphu123
 
How to Build a Crypto Wallet that Excels in 2026.pdf
byimoliviabennett
 
Azure DevOps Managed Services: Driving Speed, Security, and Business Growth
byjohncarterjn
 
API Gateway Architecture - Technical Report 2026
byPowersoft2026
 
apidays Australia 2025 | The Strategic Role of APIs in Digital Transformation
byapidays
 
How the EU Ecolabel's Record Growth Creates ESG Opportunities for CRE
byWastify AI
 
Achieve enterprise automation with SAP BTP solutions and SAP Signavio
bydarrellkiwi
 
How to Design Premium Health (Public Health) PPT Using AI? Top Strategies
byPublic Health Concern Nepal
 
Teaching Robots how to Read 1/2: AI Center & Classic Document Understanding (...
byanabulhac
 
Advance Computer Architecture Lecture 4.pptx
byBottshikanBottshikan
 
Database Management Systems: Basics, History, Data Models, etc.
byParithi Thamizh
 
Ethical AI applied to publishing: Presenting wâsikan kisewâtisiwin, an AI too...
byBookNet Canada
 
Single Cell Protein from Methane or Methanol - Process development research c...
byJohn Downs
 

Lattice based Merkle for post-quantum epoch

  • 1.
    Lattice based Merklefor post-quantum epoch Maksim Iavich
  • 2.
    Private Key Encryption C cypher KKkeykey mmessage c := Enck(m) Encryption Decryption m := Deck(c) Deck(Enck(m)) = m
  • 3.
     M ={0,1}n  Gen: k  {0,1}n  Enck(m) = k  m  Deck(c) = k  c  Truth: Deck( Enck(m) ) = k  (k  m) = (k  k)  m = m One-time pad 0  1 = 1 0  0 = 0 1  0 = 1 1  1 = 1 A  A = 0
  • 4.
    One-time pad key n bits message nbits Cipher text n bits 
  • 5.
    Problems:  The sizeof the key must be the same as message (quite large)  Is secure if one key is used once to decrypt only one message. One-time pad
  • 6.
     c1 =k  m1 c2 = k  m2  Attacker is able: c1  c2 = (k  m1)  (k  m2) = m1  m2  Leaks information about m1 and m2 Use key twice ?
  • 7.
     G –defined polynomial time algorithm  G increases: |G(x)| = p(|x|) > |x| PRGs seed G output
  • 8.
    “Pseudo” one-time pad “pseudo” key pbits  G key n bits cipher text p bits message p bits By means of this key size is increased
  • 9.
    Public-key encryption pk, skpk c Encpk(m) m = Decsk(c) c pk pk
  • 10.
    “Plain” RSA encryption m= [cd mod N] (N, e, d)  RSAGen(1n) pk = (N, e) sk = d N, e c = [me mod N] c
  • 11.
     GOOGLE Corporation,in conjunction with with the company D-Wave signed contract about creating quantum computers. D-Wave 2X - is the newest quantum processor, which contains 2,048 physical qubits. To perform calculations in the processor are used 1152 qubits.  Each additional qubit doubles the data search area, thus is also significantly increased the calculation speed. Quantum computers will destroy systems based on the problem of factoring integers (e.g., RSA). RSA cryptosystem is used in different products on different platforms and in different areas. Quantum computers RSA system is widely used in operating systems from Microsoft, Apple, Sun, and Novell. In hardware performance RSA algorithm is used in secure phones, Ethernet, network cards, smart cards, and is also widely used in the cryptographic hardware. Along with this, the algorithm is a part of the underlying protocols protected Internet communications, including S / MIME, SSL and S / WAN, and is also used in many organizations, for example, government, banks, most corporations, public laboratories and universities.
  • 12.
     RSA BSAFEencryption technology is used approximately by 500 million users worldwide. Since in encryption technology is mostly used the RSA algorithm, it can be considered one of the most common public key cryptosystems being developed together with the development of the Internet.  On this basis the RSA destruction will entail easy hacking of most products that can grow into a complete chaos. RSA BSAFE
  • 13.
    Hash-based Digital SignatureSchemes: One of RSA alternatives are Hash-based Digital Signature Schemes. The safety of these systems depends on the security of cryptographic hash functions. A code-based public-key encryption system: McEliece example. In this system the public key is (Gnew, t), and the private key is (S, G, P), where G is k x n generator matrix for the code C. C is random binary (n, k)-linear code, that is capable to improve t errors. N is the number of code words, k is dimension of C. S is a random k x k binary nonsingular matrix. P is a random n x n binary permutation matrix. Gnew = S * G * P; k x n matrix. To encrypt the message we must encrypt message m as a binary string with the length k; cyp = m x Gnew; is generated random n-bit error vector v with the weight t. The cypher is calculated as c= cyp+v. For decoding is calculated cyp = c*P-1; Using decryption algorithm of C is calculated mnew= m*S => m= mnew*S-1 RSA ALTERNATIVES
  • 14.
     Lattice-based Cryptography:proofs are based on worst-case hardness.  Multivariate public key cryptosystem – MPKCs: have a set of(usually) quadratic polynomials over a finite field. Security assumption is backed by the NP-hardness of the problem to solve nonlinear equations over a finite field. RSA ALTERNATIVES
  • 15.
     To dateare already found successful attacks on this crypto system.  The Ph.D. candidate of Dublin City University (DCU) Neill Costigan with the support of Irish Research Council for Science, Engineering and Technology (IRCSET), together with professor Michael Scott, Science Foundation Ireland (SFI) member successfully were able to carry out an attack on the algorithm. To do this they needed 8,000 hours of CPU time. In the attack representatives of four other countries took part. Scientists have discovered that the initial length of the key in this algorithm is insufficient and should be increased.  This system cannot be also used to encrypt the same message twice and to encrypt the message when is known it’s relation with the other message. Successful attacks
  • 16.
     Should benoted the importance of efficiency spectrum. To date experts have reached quite good results in the speed algorithm processing. According to the investigation results it becomes clear that the proposed post-quantum cryptosystems are relatively little effective. Implementation of the algorithms requires much more time for their processing and verification.  Inefficient cryptography may be acceptable for the general user, but it cannot be acceptable for the internet servers that handle thousands of customers in the second. Today, Google has already has problems with the current cryptography. It is easy to imagine what will happen when implementing crypto algorithms will take more time.  The development and improvement of modern cryptosystems will take years. Moreover, all the time are recorded successful attacks on them. When is determined the encryption function, and it becomes standard, it needs the appropriate implementation of the corresponding software, and in most cases, hardware.
  • 17.
     During theimplementation it is necessary to ensure not only correct work of the function and the speed of its efficiency, but also to prevent any kind of leaks. Recently have been recorded successful «cache-timing» attacks on RSA and AES system, as a result of that Intel has added the AES instructions to its processors.  McEliece system is vulnerable to attacks, related to side channel attacks. Was shown the successful timing attack on Patterson algorithm. This attack does not detect the key, but detects an error vector that can successfully decrypt the message cipher.  As we can see, for the creation and implementation of safe and effective post-quantum cryptosystems it is necessary to fulfill the rather big work. From the foregoing it is clear that today we are not ready to transfer cryptosystems into post-quantum era. In the near future we cannot be sure in the reliability of the systems.
  • 18.
     Traditional digitalsignature systems that are used in practice are vulnerable to quantum computers attacks. The security of these systems is based on the problem of factoring large numbers and calculating discrete logarithms. Scientists are working on the development of alternatives to RSA, which are protected from attacks by quantum computer. One of the alternatives are hash based digital signature schemes. These systems use a cryptographic hash function. The security of these digital signature systems is based on the collision resistance of the hash functions that they use. RSA ALTERNATIVES – HASH BASED
  • 19.
     Keys generationin this system occurs as follows: the signature key X of this system consists of 2n lines of length n, and is selected randomly.  X= (xn-1[0], xn-1[1], …, x0[0], x0[1]) ∈ {0,1} n,2n  Verification key Y of this system consists of 2n lines of length n, and is selected randomly.  Y= (yn-1[0], yn-1[1], …, y0[0], y0[1]) ∈ {0,1} n,2n  This key is calculated as follows:  yi[j] = f(xi[j]), 0<=i<=n-1, j=0,1  f – is one-way function:  f: {0,1} n {0,1} n;  To generate the verification key, it is needed to use the function f 2n time. LAMPORT–DIFFIE ONE-TIME SIGNATURE SCHEME (KEY GENERATION)
  • 20.
     To signa message m of arbitrary size, we transform it into size n using the hash function:  h(m)=hash = (hashn-1, … , hash0)  Function h- is a cryptographic hash function:  h: {0,1} *{0,1} n  The signature is done as follows:  sig= (xn-1[hashn-1], …, x0[hash0]) ∈ {0,1} n,n  i-th string in this signature is equals to xi[0], if i-th bit in sign is equal to 0. The string is equal to xi[1], if i-th bit in sign is equal to 1.  Signature length is n2 and during signature we do not use f function. DOCUMENT SIGNATURE
  • 21.
     To verifythe signature sig = (sign-1, …, sig0), is calculated hash of the message hash = (hashn-1, … , hash0) and the following equality is checked:  (f(sign-1), …, f(sig0)) = (yn-1[hashn-1], …, y0[hash0])  If the equation is true, then the signature is correct.  For the verification f function must be used n times. DOCUMENT VERIFICATION
  • 22.
     Keys generationin this system occurs as follows: the signature key X of this system consists of n lines of length p, the key is selected randomly. Winternitz parameter is selected w> = 2, it is equal to the number of bits to be signed simultaneously. Is calculated p1=n/w and p2=(log2p1 +1+w)/w, p= p1+ p2  The signature key X of this system consists of p lines of length n selected randomly:  X= (xp-1[0], …, x0) ∈ {0,1} n,p  Verification key is following:  Y= (yp-1[0], …, y0) ∈ {0,1} n,p, where  yi=f2^w-1(xi), 0<=i<=p-1  The length of the signature and the verification key is equal to np bits, and to generate the verification key, function f must be used p(2w-1) times. WINTERNITZ ONE TIME SIGNATURE SCHEME. KEY GENERATION
  • 23.
     We hashthe message hash=h(m) and prepend to hash the minimum number of zeros in order to get the length of hash devisable by w. Afterwards we divide it into p1 parts of length w.  hash=kp-1,…, kp-p1  the checksum is calculated:  с=∑i=p-p1 p-1(2w-ki)  as c<= p12w, the length of its binary representation is log2 p12w+1  We prepend to its binary representation the minimum number of zeros in order to get the length of representation devisable by w, and divide it into p2 parts of length w.  с=kp2-1,…, k0  we calculate the signature of the message m:  sig=(f^kp-1(xp-1), …, f^k0(x0))  In the worst case, for the signature function f must be used ,p(2w-1) times. Signature size is pn. SIGNATURE GENERATION
  • 24.
     For signatureverification sig = (sign-1, …, sig0) bit strings are calculated kp- 1,…, k0.  We verify the following equality:  (f^(2w-1-kp-1))(sign-1), …, (f^(2w-1-k0))(sig0) = yn-1, … y0  If the signature is correct, then sigi =f^ki(xi), so  (f^(2w-1-ki))(sigi)= (f^(2w-1))(xi)=yi is equal for every i=p-1,…, 0  In the worst case, for the signature verification function f must be used ,p(2w-1) times SIGNATURE VERIFICATION
  • 25.
     One-time signatureschemes are very inconvenient to use, because to sign each message, you need to use a different key pair. Merkle crypto-system was proposed to solve this problem. This system uses a binary tree to replace a large number of verification keys with one public key, the root of a binary tree. This cryptosystem uses an one-time Lamport or Winternitz signature scheme and a cryptographic hash function:  h:{0,1}*{0,1}n  Key generation: The length of the tree is chosen H>=2, with one public key it is possible to sign 2H documents. 2H signature and verification key pairs are generated; Xi, Yi, 0<=i<=2H. Xi- is signature key, Yi- is verification key. h(Yi) are calculated and are used as the leaves of the tree. Each tree node is a hash value of concatenation of its children. MERKLE
  • 26.
  • 27.
     To signa message m of arbitrary size we transform it into size n using the hash function  h (m) = hash, and generate an one-time signature using any one-time key Xany , the document's signature will be the concatenation of: one time signature, one-time verification key Yany, index any and all fraternal nodes authi in relation to Yany.  Signature= (sig||pub||any|| Yany||auth0,…,authH-1)  Signature verification:  To verify the signature we check the one-time signature of sig using Yany, if it is true, we calculate all the nodes a [i, j] using “authi”, index “any” and Yany. We compare the last node, the root of the tree with public key, if they are equal, then the signature is correct. SIGNATURE GENERATION
  • 28.
     To generatea public key you need to calculate and store 2H pairs of one-time keys. Storing this amount of information is not effective in practice. In order to save space, it was suggested to use the PRNG random number generator. When using PRNG, it is sufficient to store only the seed of the generator and use it to generate one-time keys. It is necessary to calculate one-time keys twice: once in the key generation stage and then in the signature stage of the message. PRNG receives a seed of length n and outputs a new seed and a random number of length n.  PRNG : {0, 1}n: {0, 1}n x {0, 1}n  Key generation using PRNG:  We choose randomly the seed s0 of length n, using si we work out soti, as following:  PRNG(si) = (soti , si+1) 0 ≤ i <2H  soti changes each time when PRNG launches. For Xi key calculation it is enough to know only si. PRNG INTEGRATION
  • 29.
  • 30.
     Quantum computersare able to crack PRNG, which were considered safe against attacks of classical computers. A polynomial quantum time attack on PRNG Blum-Micali is shown. This PRNG is considered safe from threats of standard computers. This attack uses Grover algorithm along with the quantum discrete logarithm, and is able to restore the values at the generator output for this attack. The attacks like these represent a threat of cracking PRNG, used in many real-world crypto systems. As we see, Merkle crypto system with built-in PRNG can be vulnerable to attacks of quantum computers. We suggest using a true random number generator based on qubits, TRNG. Breaking PRNG
  • 31.
     Let’s considera system with one qubit. The quantum state of a qubit is denoted by: α|0>+β |1>, where α and β are complex numbers; |α|2+ |β|2=1  |0> - is the ground state of qubit, |1>- is the excited state of qubit  This qubit is in the state |0> with probability α2 and likewise in a state |1> with probability β2.  When a qubit is measured, it is in one of two states with probability 1.  Let’s consider a system with two qubits. The quantum state of two qubits is denoted by: α00|00>+ α01 |01>+ α10|10>+ α11 |11>  where αi are complex numbers; ∑| αi|2=1.  We connect these qubits using Bell state, in this case the quantum state of these qubits is denoted by:  1/21/2|00>+1/21/2|11>, so when we measure a given qubit, it will be in a state |0> with probability ½ and likewise in a state |1> also with probability ½. When we measure the second qubit, it will be in the opposite state of the first qubit when we measured it with probability 1.  When we measure n qubits we can get the true number of size n. Quantum TRNG
  • 32.
     Key generationusing quantum TRNG:  We choose the tree height H>=2. We can sign 2H documents using one public key. A connection is established between two qubits using Bell state. We take 2H pairs of such qubit sets qi and bi ; every qi and bi consists of n qubits. 0<=i<=2H; We measure 2H*n qubits qi and we get 2H signature keys Xi and calculate the verification keys Yi. h(Yi) are calculated and are used as leaves of a tree.  Signature and verification of the message:  To sign a message m of arbitrary size we transform it into size n using the hash function h(m) = hash, we measure any set, that contains n qubits , bany  qany=Xany with probability equal to 1. We generate one time signature using one- time signature key Xany, the document's signature will be the concatenation of: one time signature, one-time verification key Yany, index “any” and all fraternal nodes authi in relation to Yany.  Signature= (sig||pub||any|| Yany||auth0,…,authH-1)  Verification of the message occurs similarly to the standard Merkle system.  Security of the system with built-in quantum TRNG.  The system is secure, because we do not change the principle of the crypto system, but only integrate TRNG, to reduce the size of the signature key. TRNG is completely safe; it is based on the state of qubits, which are real random numbers.
  • 33.
    Lamport Winternitz Merkle Usef to generate keys 2n p(2w-1) 2H+1-1 Use f to calculate the signature Is not used p(2w-1) Use f to generate verify the signature n p(2w-1)
  • 34.
     We proposeto use as the hash function, the lattice-based hash function, and to use lattice based one-way function as an one-way function in hash-based digital signature schemes.  Hash functions are considered resistant to quantum computer attacks, but the Grover algorithm allows us to achieve quadratic acceleration in the search algorithms. It means that hash functions must be complicated to be secure against quantum computers attacks. Studies are conducted to determine the cost of attacks on SHA2 and SHA3 families of hash functions, using the Grover algorithm ONE WAY and HASH
  • 35.
     Collision resistanthash functions based on lattices were proposed. Ajtai suggested the family of hash functions, the security of which is based on the worst case, the SVP with approximation ratio of nc, where n is constant. To construct a family of hash functions as parameters are used integers: n, m, q and d.  Parameter n defines the safety of hash function. The key to a hash function specified by the matrix M, chosen uniformly from Z q n×m. Hash function is  hM : {0, . . . , d−1}m → Zq n. The function maps mlogd bits to nlogq bits for input compression, m> log q / log d. This hash function is very easy to implement, because we use only addition and multiplication modulo q, which size is O (log n). Systems based on lattices
  • 36.
     We proposeto use as the hash function, the lattice-based hash function, and to use lattice based one-way function as an one-way function in hash-based digital signature schemes.  The family of one-way functions, suggested by Ajtai, can be used. In the case of hash functions, as the key, we select the matrix K from Zn×m a, which transforms mlog b into nlog a number of bits and we calculate h(x) = Kx mod a.  In the case of a one-way function, we select the matrix K from Zm×m b, as the key. It transforms mlog b into mlog b number of bits and we compute f(x) = Kx mod a. HASHED MERKLE
  • 37.
     Should benoted the problem of the effectiveness of these functions, the size of their key grows quadratically in n, so these functions are ineffective. Due to the attacks on these functions by combinatorial method , for the security of 100-bit, you need to use a key of 500,000 bits size. Efficiency problems
  • 42.
    MAKSIM IAVICH SCIENTIFIC CYBERSECURITY ASSOCIATION ; CAUCASUS UNIVERSITY T. +(995 595) 511355; E-mail: m.iavich@scsa.ge www.scsa.ge Scientific&practical cyber security journal – www.journal.scsa.ge THANK YOU! QUESTIONS?