Copyright © 2018 HashiCorp ⁄
Post-Quantum
Cryptography and
Vault
Andy Manoske
Senior Product Manager, HashiCorp
Who am I?
● Senior Product Manager at HashiCorp
● Former product lead for Cryptography and
Defense Systems at NetApp
● 10+ years building and investing in security
and cryptography related products and
companies
● BA Economics and Computer Science from
SJSU, focus on Cryptography and
Quantitative Economics / Game Theory
What is This Talk?
This is not…
- ...a reflection of the opinions of my employers, past or present
- ...an exhaustive review of either Quantum Computing, Quantum
Mechanics, or Quantum Cryptography
(See Instead: Steinkirch - Hacking Quantum Cryptography, DEF CON 23)
- ...Spinal Tap
This is….
- ...a practitioner-level review of how we think about quantum
computing when building Vault to defend secrets for 10+ years
Perfect Forward Secrecy (PFS)
“How long do you want these messages to remain secret?”
“...As long as men are capable of evil.”
Neal Stephenson,
The Cryptonomicon
A Crash Course on Quantum
Mechanics
2 semesters of physics in about 5 minutes
Quantum State
Where is Anything?
Due to the observer effect and the Heisenberg Uncertainty
Principle, we can’t directly measure and know both the position and
the momentum of a quantum particle with certainty.
So How Do We Find Stuff?
Gather lots of samples into a wave form and use probability theory
and statistics to estimate the answer with high accuracy with
minimal error.
The result: We generate a wave function / probability amplitude
which describes all possible results of measurement. We can use
that to derive a probability distribution function (PDF).
Superposition and Entanglement
Superposition
When two or more waves of the same type cross at some
point, the resultant displacement at that point is equal to
the sum of the displacements due to each individual wave.
Implication: Quantum systems hold multiple state values
simultaneously
Quantum Entanglement
When one or many quantum particles are
described by a single wave function
Implication: Interactions between quantum systems, like
the state values of their parents, hold multiple states
simultaneously
WTF is Quantum Computing?
The sort of new hotness
What is a Qubit?
Digital computers use bits:
A series of transistors in a computer are constructed to gate the flow of
electricity. Two states are the result: an “on” or “off” state.
Quantum computers use quantum bits, or qubits:
QCs smash two quantum systems together to create a resulting
system (e.g.: shooting a laser through a cloud of excited gas to see
spin of a particle).
Due to superposition and entanglement, that state holds multiple
values simultaneously with different probabilities associated with
each state.
Benefits of Quantum Computers (QCs)
QCs are Programmable
Like digital computers, we can create arrays and switches to
program logic and compute data via quantum logic gates (QLGs)
QCs are Very, Very Parallelizable
Because of entanglement and superposition, you can parallelize a
computation infinitely - the only limit being your ability to estimate
the result.
Drawbacks of Quantum Computers
QCs are Comparatively Slow
Unlike digital computers, quantum computers don’t instantly get the
result of a computation. You need to measure many (billions of)
repeated computations and error-correct to get the likely result.
QCs are Very Expensive
QCs today rely on large physical apparatus with expensive physical
components, ensuring the cost per computation is very high.
QCs are Very, Very Complicated
Many aspects of QC are not abstracted for developers, ensuring that
it is currently very difficult to write code and implement algorithms.
Neven’s Law: QC Today and Tomorrow
QCs Today are slow, ungainly, expensive
● Largest public quantum computer is Google’s 75-qubit
machine
● The state of error correction and low qubit count ensure QC is
only able to compute small ranges of data at very high cost.
● Not economic for most computing applications and only used
for generating entropy and scientific modelling.
But QC technology is improving very quickly
● Neven’s Law:
Quantum computers improve at a doubly exponential rate year
over year.
● Within the next decade QC may be economically feasible
beyond scientific computing.
Dr. Hartmut Neven, Google
Quantum Cryptanalysis
“Hack the Planet”
Cryptanalysis: Codebreaking with Math
Codebreaking can be divided into two types of attacks:
I go around the math - Side Channel Attack
Steal credentials or keys, exploit implementation faults to steal
plaintext, etc.
Example: “Cold Boot” attacks on RSA
I go through the math - Cryptanalysis
Make the problem to guess a key or parts of the plaintext easier
using algorithms and/or properties of mathematics (number theory,
abstract algebra, etc.)
Example: GCHQ cryptanalysis on Enigma
Quantum Cryptanalysis
There are two primary cryptanalytical algorithms that
quantum computers can employ to break encryption:
Shor’s Algorithm - Reduce the complexity of factoring
numbers
Grover’s Algorithm - Reduce the difficulty of searching for
“black box” inputs
To understand how QCs break encryption, we need to dive
into both of them...
Shor’s Algorithm - Factor Primes Very Quickly
What is it?
A way to find the factors of a number faster than any known classical
algorithm
AKA: Given a composite odd integer N, find an integer X such that 1 < X < N and N mod X = 0 (X divides N)
How does it work?
Turns the factoring search into a period-finding problem, and uses the
quantum Fourier transform to find that period in parallel
What is the result?
On a powerful-enough quantum computer, Shor’s can search for the
prime factors of a composite number very quickly.
Example: searching for the factors of a 1024-bit number
Classical computer: 40 years
Shor’s (5124-qubit QC): 3.8 minutes
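The reduction the slide describes, factoring turned into period finding, is classical apart from one step. The example below is added here and is not code from the talk or from Vault: it implements the classical skeleton of Shor's algorithm and replaces the quantum Fourier transform step with a brute-force period search (the `find_period` function, which is the only part a quantum computer would speed up). It therefore only works for small N, but it shows exactly what the quantum step buys you and how a period turns into a factor. Function names and the sample inputs (15, 21, 3233) are constructed for the example.

```python
"""Classical skeleton of Shor's algorithm (added example, not the talk's code).

Everything here runs on an ordinary CPU. A quantum computer would replace
only `find_period` (the order-finding step) with the quantum Fourier
transform; the surrounding reduction from factoring to period finding is
plain number theory and is what this example demonstrates.
"""
from math import gcd, isqrt
import random


def is_probably_composite(n: int) -> bool:
    """Trial division up to sqrt(n). Good enough for the small inputs this
    brute-force demo can handle; rules out primes so the search terminates."""
    if n < 4:
        return False
    return any(n % p == 0 for p in range(2, isqrt(n) + 1))


def find_period(a: int, n: int) -> int:
    """Smallest r > 0 with a^r == 1 (mod n), for gcd(a, n) == 1.

    This is the step Shor's algorithm does with a quantum Fourier transform.
    Classically it costs up to n multiplications, i.e. exponential in the bit
    length of n, which is the whole reason factoring is hard today.
    """
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def shor_factor(n: int, rng: random.Random) -> int:
    """Return a non-trivial factor of the composite integer n.

    Reduction: pick a random base a. If a shares a factor with n we are done.
    Otherwise find the period r of a mod n; when r is even and a^(r/2) is a
    non-trivial square root of 1 mod n, gcd(a^(r/2) - 1, n) splits n.
    Bad bases are simply retried, which is what Shor's algorithm does too.
    """
    if n % 2 == 0:
        return 2
    if not is_probably_composite(n):
        raise ValueError("n must be composite")
    while True:
        a = rng.randrange(2, n)
        g = gcd(a, n)
        if g > 1:
            return g                    # lucky base: already a factor
        r = find_period(a, n)
        if r % 2:
            continue                    # odd period: useless, retry
        y = pow(a, r // 2, n)
        if y == n - 1:
            continue                    # trivial root of 1 (-1): retry
        for candidate in (gcd(y - 1, n), gcd(y + 1, n)):
            if 1 < candidate < n:
                return candidate


if __name__ == "__main__":
    rng = random.Random(2018)
    for n in (15, 21, 3233):            # constructed sample inputs
        f = shor_factor(n, rng)
        print(f"{n} = {f} * {n // f}")
```

Scaling note: for a 1024-bit N the loop in `find_period` would need on the order of 2^1024 steps, which is the "40 years" column on the slide; the quantum version finds the same r in polynomial time, and the rest of the code above is unchanged.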
Crypto Vulnerable to Shor’s Algorithm
Public Key Infrastructure (PKI)
Ciphers like RSA that rely on the difficulty of prime factorization are
vulnerable to Shor’s
Key Exchange and Digital Signature Algorithms
Shor’s enables attackers to take a discrete logarithm, a computationally
intractable (hard af) problem that protects key exchange ciphers based on
the Diffie-Hellman suite and elliptic curve signature algorithms including
ECDSA
TL;DR: Shor’s threatens protocols used to secure online communication
Vulnerable: TLS/SSL, Certificate PKI infrastructure, Bitcoin, etc.
Grover’s Algorithm - Search for Things Quicker
What is it?
A way for more quickly searching for the input to a function given its
output or the index of a value in a database
AKA: Given a set X = {x1, x2, ..., xN} of N elements and a boolean function
f : X → {0, 1}, find an element x* in X such that f(x*) = 1
How does it work?
Leverages quantum parallelism to “divide and conquer” the data set
search and deduce the correct answer based on error correction and
linear algebra
What is the result?
Grover’s improves the speed of searching for an input by a quadratic
factor
Crypto Vulnerable to Grover’s Algorithm
Weaker Key Symmetric Ciphers
Ciphers like AES that rely on lower key lengths (e.g.: AES 128,
Blowfish) are vulnerable to brute force search powered by
Grover’s
Weakerer Hash Algorithms
Some hash algorithms built on weaker symmetric
cryptography (bcrypt, SHA, MD5, etc.) can be attacked with
Grover’s to search for collisions faster
What is the Result?
Legacy cryptography and some hash algorithms for
protecting files and passwords need to use stronger
cryptography - typically 2x the key length
But you should be doing that anyway, so….
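To make the "quadratic factor" and the "2x the key length" rule concrete, here is a classical simulation of Grover's algorithm. It is an added example, not code from the talk: it tracks the full amplitude vector of an N-state search space, applies the oracle (sign flip on the marked item) and the diffusion operator (reflection about the mean) for the optimal number of rounds, and reports how likely the marked item is to be measured. The iteration count grows as the square root of N, which is why a 128-bit key searched this way offers roughly 64 bits of work and why the slide says to double key lengths. Function names and the sample sizes are constructed for the example; no real quantum hardware or library is involved.

```python
"""Classical simulation of Grover's search (added example, not the talk's code).

The state vector of N basis states is a plain Python list of amplitudes.
Simulating it costs O(N) memory, so this is for intuition only; the point
is that the number of *rounds* needed is about (pi/4) * sqrt(N).
"""
from math import floor, pi, sqrt


def grover_rounds(n_items: int) -> int:
    """Optimal number of Grover iterations for one marked item among n_items."""
    return floor(pi / 4 * sqrt(n_items))


def grover_search(n_items: int, marked: int) -> tuple[int, float, int]:
    """Run Grover's algorithm on a search space with one marked item.

    Returns (most likely measurement, its probability, rounds used).
    The oracle is the black-box f(x) = 1 only for x == marked.
    """
    amp = [1 / sqrt(n_items)] * n_items        # uniform superposition
    rounds = grover_rounds(n_items)
    for _ in range(rounds):
        amp[marked] = -amp[marked]             # oracle: phase flip on f(x)=1
        mean = sum(amp) / n_items
        amp = [2 * mean - a for a in amp]      # diffusion: reflect about mean
    probs = [a * a for a in amp]
    best = max(range(n_items), key=probs.__getitem__)
    return best, probs[best], rounds


def effective_security_bits(key_bits: int) -> int:
    """Work factor against Grover's, in bits: sqrt(2^k) = 2^(k/2).

    AES-128 drops to ~64 bits of effort, AES-256 keeps ~128, which is the
    slide's 'use 2x the key length' rule.
    """
    return key_bits // 2


if __name__ == "__main__":
    for n_bits in (6, 8, 10):                  # constructed sample sizes
        n = 2 ** n_bits
        best, p, rounds = grover_search(n, marked=n // 3)
        print(f"N=2^{n_bits}: found {best} with p={p:.4f} after {rounds} rounds "
              f"(classical expected ~{n // 2} queries)")
    for k in (128, 256):
        print(f"{k}-bit key -> ~{effective_security_bits(k)} bits under Grover's")
```

Reading the output: going from N = 2^6 to N = 2^10 multiplies the classical search by 16 but the Grover round count only by 4, the square root. Hash collision search gets a similar, smaller, speed-up, which is why the slide groups weaker hashes with short symmetric keys.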
Is Quantum Computing a Threat?
Today: Not really
● Error correction too basic to make QC economical for
computing
● Google’s Sycamore QC is 3 orders of magnitude too small to
run Shor’s algorithm
In 10 years: Probably?
● Using existing Ion Trap QC arrays, Shor’s requires 10^5 qubits
to factor a 1024-bit number in approximately 2 months (57.98
days)
● Ion Trap QCs likely to be able to run this by mid-2030s,
assuming no change in error correction tech
● Result: data archived today for 10 years+ will likely require
protections against quantum cryptanalysis
NIST PQCSP - Dealing With the Threat by the 2030s
NIST Post-Quantum Cryptographic Standardization Project (PQCSP)
● Process to identify, evaluate, and ultimately replace recommendations for
crypto in light of QC cryptanalytical threats
What’s Changing?
● Digital Signature Algorithms (FIPS 186-4)
● Guidelines for key management and key generation schemes (SP 800-133,
800-57)
● Approved algorithms (FIPS 197, 198, 186, etc.)
● Approved mathematics (SP800-56A/B/C, 800-90A/B/C, etc.)
What GRCs Impacted?
● FIPS 140: Very popular cryptographic security guidelines
● FISMA: Risk management infosec reqs for US Federal systems
● Common Criteria: Security guidelines for military systems
Post Quantum Cryptography in
Vault
Protecting Against, and Using, Quantum Computers for Crypto
Architecting for a Post-Quantum World
In a post-quantum world, HashiCorp Vault needs to…
Defend against quantum cryptanalysis
When considering quantum cryptanalysis, we look at our algorithm
choices for protecting Vault data:
- At Rest: The Cryptographic Barrier
- In Flight: Algorithms used in secure communication, replication, etc.
- In Compliance: How Vault complies with future crypto GRC
Utilize post-quantum cryptography
New and updated cryptography for key management and encryption is
enabled by quantum computing and its consequences
Defending Against Post-Quantum Cryptanalysis
Vault is built to defend against QC attacks today
● Cryptographic Barrier:
AES-256 GCM defends against Grover’s
● Avoid Shor’s Vulnerable Crypto:
Actively chosen not to use ECDSA and other crypto
vulnerable to Shor’s in defending Vault’s CSPs
...but we’re looking for ways to be even better
● Identified where PQCSP cryptography (e.g.: Ring Learning
With Errors - RLWE) and future quantum encryption can
be used in replacing key exchange algorithms
Utilizing Post Quantum Cryptography
Vault has “post-quantum cryptography” available
today
● Transit (as of 2018)
Chacha20-Poly1305 supported in Vault as of 2018
(protects against Grover’s as parallelization doesn’t
help)
● Entropy Augmentation (as of 2019)
Supports augmenting Vault’s entropy pool with RNGs
from QC TRNGs within HSMs
...and we’re looking to use more in the future
● Evaluating how we make the cryptographic barrier more
modular to support migration to new algorithms like
Chacha20
TL;DR
Protecting Against, and Using, Quantum Computers for Crypto
The Real Threat from Quantum Computing:
Procrastination and Future Tech Debt
TL;DR
● This stuff is serious: Quantum Computing will enable attacks
on popular cryptography (especially PKI, key exchange, and
signature crypto)
● But it’s not a threat right now: QC cryptanalysis is not
possible today, and likely won’t appear in public QCs until the
early/mid-2030s at earliest
● If you’re protecting data into the 2030s, you need to
consider it: SEC 17a4 (broker trade transactions), FISMA (federal
archival reqs) will be subject to future crypto requirements that
require post-quantum crypto
● Defending against QC isn’t the end of the world: We have
much of the technology to defend against it today

Post quantum cryptography in vault (hashi talks 2020)