www.monash.edu.au
An Overview of Quantum-Safe
Cryptography
Assoc. Prof. Ron Steinfeld
Dept of Software Systems & Cybersecurity
Faculty of IT
Monash University
10 May 2022
Quantum-Safe Crypto Overview
Outline
• The Quantum Computing threat to Cryptography
– Why quantum-safe cryptography?
• Quantum-Safe Cryptography (PQC)
– Current approaches & characteristics
> Security
> Performance
> The coming new crypto standards (NIST, ETSI, …)
• Glimpse at state-of-the-art research & challenges
Quantum Computing Threat to Cryptography
• Quantum computers
– Concept suggested by quantum physicists Paul Benioff
and Richard Feynman (early 1980s)
– Exploit quantum mechanics to process information
> Use quantum bits = “qubits” instead of 0’s and 1’s
> Qubits can be in “superposition states”: the ability of a
quantum system to be in multiple states at the same time
> → Massive parallelisation potential to vastly increase
computational power beyond the classical computing limit
– Computational problems that are infeasible for classical
computers may become easy for quantum computers
– → Can have a huge impact on cryptography!
Nature of Qubits
A classical computer performs operations using classical bits, which can be
either zero or one.
In contrast, a quantum computer uses quantum bits (qubits), which can be
zero, one, or a superposition of zero and one at the same time. For example, the
outermost electron of a phosphorus atom can be used as a qubit.
Nature of Qubits (cont.)
An electron can exist in a quantum superposition. The measurement outcome is
either one or zero, with the indicated probabilities (in the figure: 64% and 36%).
The Power of Quantum Computation
For 2 qubits:
- after measurement: 1 of 4 possible outcomes for the 2 qubits
- before measurement: all 4 possible outcomes can have non-zero weights
in a superposition state (in the figure: 25% each)!
For n qubits:
- after measurement: 1 of 2^n possible outcomes
- before measurement: superposition of 2^n outcomes!
The potential power of quantum computers:
Quantum computations can be performed in parallel on all these 2^n
possible outcomes!!
The Limitation of Quantum Computers
Quantum computations can be performed in parallel on all these 2^n
possible superposed outcomes of n qubits!!
BUT, once we measure the quantum system, the state collapses to just one
of those 2^n possible outcomes (in the figure: outcomes weighted 1%, 2%, 96%, 1%
collapse on measurement to a single result, the solution to the computational problem).
→ We can only exploit the parallelism of quantum computation for certain
types of computational problems: those for which the quantum computation
can concentrate most of the probability on the solution to our problem
→ Measurement of the final state will then give the solution outcome with
high probability
Quantum Computing Threat to Cryptography
• Shor’s quantum algorithms – exponential speedup
of QCs for breaking classical public-key crypto
– 1994: Peter Shor (then at AT&T Bell Labs): efficient
quantum computer algorithms for:
> Integer Factorisation Problem (IFP)
– → Breaks RSA public-key encryption in time polynomial
in the length of the modulus n
> Discrete Logarithm Problem (DLP)
– → Breaks the Diffie-Hellman key exchange protocol in time
polynomial in the length of the modulus p
> Later extended also to break ECDLP in polynomial time
• Implication: large-scale QC → RSA and Diffie-Hellman
public-key systems become insecure!
Quantum Computing Threat to Cryptography
• 1996: Grover’s algorithm – polynomial (quadratic) speedup of
QCs for breaking symmetric-key crypto
– Preimage finding (one-wayness): given y = H(x) for
random n-bit x, find x.
– Brute-force classical algorithm: ~O(2^n) time
– Grover’s quantum algorithm: ~O(√(2^n)) = O(2^(n/2)) time
Summary: Implication of Large-Scale QC on
Cryptography Security – PKC insecure!
Problem | Application | Classical security (k = key length) | Quantum security (k = key length) | Key-length scaling factor to keep quantum security
Integer Factorisation | RSA public-key encryption/signature | 2^{O(k^{1/3})} (subexponential) | poly(k) | subexponential
Discrete Log Problem | Diffie-Hellman public-key encryption/signature | 2^{O(k^{1/3})} (subexponential) | poly(k) | subexponential
EC Discrete Log Problem | ECDH public-key encryption/signature | O(2^{k/2}) | poly(k) | exponential
Symmetric Key Search | Symmetric-key encryption (e.g. AES) | O(2^k) | O(2^{k/2}) | ≤ 2
Quantum Computing Threat to Cryptography
– How Far Away?
• Concrete resource estimates for an ECDLP implementation of
Shor’s algorithm [HJN20]:
– ~2124 logical qubits
– ~2.3 × 10^9 quantum gates
Quantum Computing Threat to Cryptography
– How Far Away? (cont.)
• Technological Improvements in QC:
– 1980-82: idea proposed by Benioff / Feynman
– 1998: first 2-qubit quantum computer realized
– 2000: 7-qubit quantum computer
– 2006: 12-qubits
– 2017: 49/50-qubits (IBM/Intel)
– 2018: 72-qubits (Google)
– 2019: 53 qubits (IBM), Google’s successful quantum
supremacy experiment published
– 2021: IBM `Eagle’ - 127 qubits
– 2023 (IBM Roadmap): 1000+ qubits??
Quantum Computing Threat to
Cryptography: Why Worry Now?
• Quantum-insecure public-key crypto is everywhere:
– Web security (SSL/TLS)
– VPNs (IPsec)
– IoT, blockchains, .....
• Collect ciphertexts now and decrypt in the QC
future (“harvest now, decrypt later”)…
• We are in trouble unless
(time to upgrade infrastructure crypto to quantum-safe
alternatives: standards, implementation, deployment)
+ (time for which future data must remain secure)
< (?? time until a practical large-scale QC)
Resisting QC Attacks on Public-Key Crypto
• Two main countermeasure approaches
investigated:
– Quantum-Safe Cryptography
> Aka Post-Quantum Cryptography (PQC)
> Public key cryptosystems based on computational problems
resistant even to quantum computer attacks
> legitimate parties use only classical computers
– “plug-in” replacement to quantum-insecure public key
crypto.
> Active research topic in cryptography for > 20 years
> Several approaches known (later in this talk)
Resisting QC Attacks on Public-Key Crypto
• Two main countermeasure approaches
investigated (cont):
– Quantum Cryptography
> Aka Quantum Key Distribution (QKD)
> Key exchange protocol resistant even to quantum
computer attacks
> legitimate parties need quantum communication hardware
(not a plug-in replacement for quantum-insecure public-key
crypto: requires special quantum hardware).
> Requires quantum-safe classical authentication
> Will not discuss further in this talk
The future of Public-Key Cryptography:
Quantum-Safe Public-Key Cryptosystems
• Quantum-Safe (aka Post-Quantum) Cryptography
– Goal: Public-key cryptosystems based on computational
problems resistant to quantum computers
– A delicate balance: need
> Enough math structure to support the functionality
– Encrypt with public key, decrypt with private key
> Not enough math structure to allow quantum attacks
– But several candidate approaches exist:
> Linear equations with Errors: Lattice & Coding problems
> Multivariate non-linear equations
> Isogenies on elliptic curves
> Symmetric-key approaches (digital signatures only)
Quantum-Safe Crypto: Approaches –
Lattices & Codes
• Linear Equations with errors – Codes & Lattices
– Idea inspired by Error Correction Codes
– Add `small’ errors to a linear equation to make it hard
to solve: y = A*x + e
– Encode a message x by an expanding linear
transformation (add redundancy)
– Can decode if noise e is sufficiently `small’
> Easy to decode for special codes (wireless communication)
> Computationally hard to decode for “random-looking” linear
codes in high dimension
• Codes & Lattices: different ways to measure `small’ (Hamming weight
of e for codes, Euclidean norm of e for lattices)
Lattice-based Cryptography: Idea (1)
• Lattice = periodic grid of points in space
• Generated by some set of basis vectors
• E.g. (right) lattice in 2-D (green points = lattice,
basis in blue)
• Can be easily defined mathematically in any
dimension n
• hard to visualise/draw for n > 3!
• Fact: geometric problems in lattices seem
to be computationally infeasible (run time
exponential in n) for large dimension n
• Even against quantum computers!
• Lattice-based crypto: design pub-key encryption so
breaking it requires solving a hard geometric lattice
problem!
Lattice-Based Cryptography: Idea (2)
• Hard geometric lattice Problem:
Bounded-Distance Decoding (BDD)
• Given a basis B of a (high-dim.) lattice and a
point c close to a lattice point m, compute m
• Idea of Public-key encryption:
• Pub key pk: basis B for lattice
• Private key sk: decoding trapdoor for lattice
• Encrypt(m): to encrypt a message m (lattice
point):
• choose random short error vector e
• Compute c = m + e
• Ciphertext = c
• Decrypt(c, sk): use sk to compute closest
lattice point m to c.
• Security: hard to solve BDD without sk!
[Figure: lattice point m, short error vector e, ciphertext c = m + e]
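The “linear equations with errors” idea (y = A*x + e) and the BDD encryption sketch above, as an added worked example that is not part of the original slides: a toy Regev-style LWE public-key encryption of single bits in Python. The public key is an LWE instance (A, b = A·s + e mod q), a ciphertext is a random 0/1 combination of its rows plus the message bit scaled to q/2, and decryption works only because the leftover noise <e, r> stays below q/4 (the slide's “sufficiently small” condition). The modulus, dimensions and seed are toy assumptions and provide no security.

```python
"""Toy Regev-style LWE public-key encryption of single bits.

Added example, not from the slides. Parameters are toy-sized assumptions
(real schemes use n in the hundreds and are far more carefully tuned);
this block demonstrates the mechanism only and offers NO security.
"""
import random

Q = 3329   # modulus, ~12 bits, small as the slides say (Kyber's q, chosen for familiarity)
N = 16     # secret dimension
M = 64     # number of LWE samples, i.e. rows of A


def cbd_noise(rng, eta=1):
    """Centered binomial sample in [-eta, eta]: a cheap 'small' error distribution."""
    return sum(rng.getrandbits(1) - rng.getrandbits(1) for _ in range(eta))


def keygen(rng):
    """pk = (A, b = A*s + e mod Q): a system of 'linear equations with errors'."""
    s = [cbd_noise(rng) for _ in range(N)]
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]
    e = [cbd_noise(rng) for _ in range(M)]
    b = [(sum(A[i][j] * s[j] for j in range(N)) + e[i]) % Q for i in range(M)]
    return (A, b), s


def encrypt_bit(pk, bit, rng):
    """Pick a random 0/1 subset r of the rows; u = A^T r, v = <b, r> + bit*Q/2."""
    A, b = pk
    r = [rng.getrandbits(1) for _ in range(M)]
    u = [sum(r[i] * A[i][j] for i in range(M)) % Q for j in range(N)]
    v = (sum(r[i] * b[i] for i in range(M)) + bit * (Q // 2)) % Q
    return u, v


def centered(x):
    """Representative of x mod Q in (-Q/2, Q/2]."""
    x %= Q
    return x - Q if x > Q // 2 else x


def decrypt_bit(sk, ct):
    """v - <s, u> = bit*Q/2 + <e, r>; decide by which of 0 and Q/2 is closer."""
    u, v = ct
    d = centered(v - sum(sk[j] * u[j] for j in range(N)))
    return 1 if abs(d) > Q // 4 else 0


def decryption_noise(sk, ct, bit):
    """|<e, r>| left after removing bit*Q/2; correctness needs this < Q/4.
    With e in {-1,0,1}^M and r in {0,1}^M it is at most M = 64 << Q/4 = 832."""
    u, v = ct
    return abs(centered(v - sum(sk[j] * u[j] for j in range(N)) - bit * (Q // 2)))


def roundtrip(seed, bits):
    """Encrypt and decrypt each bit under a fresh key; returns (decrypted bit, noise)."""
    rng = random.Random(seed)          # fixed seed only for reproducibility
    pk, sk = keygen(rng)
    out = []
    for bit in bits:
        ct = encrypt_bit(pk, bit, rng)
        out.append((decrypt_bit(sk, ct), decryption_noise(sk, ct, bit)))
    return out


if __name__ == "__main__":
    for bit, (dec, noise) in zip([0, 1, 1, 0], roundtrip(2022, [0, 1, 1, 0])):
        print("sent", bit, "got", dec, "noise", noise)
```

The decryption step is the BDD picture in disguise: (u, v) sits close to a point of the lattice defined by the public key, and the secret s is the trapdoor that finds the nearest point. Raising the error size past q/4 (or using far more rows than the noise budget allows) makes decryption fail, which is exactly the “small enough” trade-off the slides describe.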
Quantum-Safe Crypto: Approaches –
Lattices & Codes
Brief History of Lattice-Based Cryptography
• 1978: Merkle-Hellman Knapsack PKC.
• 1982: LLL lattice reduction algorithm
– Poly-time secret-key recovery attack on the knapsack PKC (Shamir).
• 1980s: a cycle of
for(i = 1; i < N; i++)
repair;
attack;
– Problem with heuristic designs:
> shortcut attacks (avoid the hard lattice problem)
Quantum-Safe Crypto: Approaches –
Lattices & Codes
Brief History of Lattice-Based Cryptography (cont)
• 1996: Lattice One-Way Hash Function with worst case to average
case security proof (Ajtai/Ajtai-Dwork) - SIS problem.
• 1996: NTRUEncrypt: practical structured lattice PKC, but heuristic
security (Hoffstein, Pipher, Silverman)
• 2002: Efficient structured lattice-based one-way hash function with
security proof (Micciancio).
• 2005: PKC with security proof – LWE Problem (Regev)
• 2008: Trapdoor signatures with security proof (Gentry et al.)
• 2009: Efficient Schnorr-type structured lattice signatures
(Lyubashevsky)
• 2009/10: Efficient structured lattice PKC with sec proof –
PLWE/RLWE problems (Stehle-Steinfeld-Tanaka-Xagawa,
Lyubashevsky-Peikert-Regev)
• 2009: Fully Homomorphic Encryption (Gentry)
• 2011: First security proof for variant of NTRU (Stehle-Steinfeld)
• 2010-Present: Improved Efficiency and More functionalities (ID-Based
Encryption, Attribute Based,…)
Quantum-Safe Crypto: Approaches –
Lattices & Codes
• Two types of lattices used in PQC:
• Unstructured (LWE problem): e.g. FrodoKEM
– Advantage: low security risk – no extra algebraic structure to exploit,
and a reduction from worst-case lattice problems
– Drawback: large keys/ciphertexts, slow computation
• Structured (Polynomial LWE / Ring LWE / Module LWE)
– E.g. Kyber, Saber, NTRU, …
– Lattice defined with algebraic (polynomial) structure
(matrices with cyclic structure)
– Advantage: short keys/ciphertexts, fast algorithms
– Drawback: higher potential security risk from the extra structure
(but no structural attack found in > 25 years)
Quantum-Safe Crypto: Approaches –
Lattices & Codes
• Lattices: Performance and Security
– Security:
> best known attack time ~2^{O(k)} for key length k
> But the constant in the exponent is quite small → moderately large
key/ciphertext/signature lengths
> Studied in maths & comp. sci. since the 1980s
– Performance: with practical structured lattices
(MLWE/RLWE/NTRU problems):
> fast algorithms (~ECC or faster) and
> moderately short keys/ctxts (~10x-40x ECC length)
Quantum-Safe Crypto: Approaches –
Lattices & Codes
• Codes: Performance and Security
– Security:
> best known attack time ~2^{O(k)} for key length k
> But the constant in the exponent is quite small → moderately large
key/ciphertext/signature lengths
> Studied in maths & comp. sci. since the 1950s
> McEliece PKC (1977) – based on Goppa codes
– Performance: with original McEliece
> Moderately fast algorithms
> very short ctxts (~128 bytes)
> Very long keys (> 100 kB)
> Structured codes can improve performance
– Difficult to build signatures!
Quantum-Safe Crypto: Approaches –
Multivariate Non-linear equations
• Multivariate Non-linear equations
– Originated in the 1980s,
– Hide a message in a system of polynomial equations
in many variables.
– Decryption trapdoor transforms system into an easy to
solve linear system
– Security: not very well understood
> recent practical attack (Beullens, 2022) against the NIST Round 3
finalist Rainbow signature scheme
– Performance:
> Moderately long keys but short signatures
> Fast algorithms
Quantum-Safe Crypto: Approaches –
Isogenies on Elliptic Curves
• Idea (e.g. SIKE):
– classical ECC is quantum-insecure due to the commutative
(abelian) group structure that Shor’s algorithm exploits
– Isogenies are mappings between curves with a non-
commutative structure → resist Shor’s quantum
algorithms
– Use a Diffie-Hellman-like non-commutative protocol
• Security: not so well understood (only studied for the last ~10-
20 years)
> Note: in July 2022, after this talk, the SIDH/SIKE key exchange was
broken by a classical key-recovery attack (Castryck and Decru) and SIKE
was withdrawn from the NIST process
• Performance:
> short keys and ciphertexts
> Slow algorithms
Quantum-Safe Crypto: Approaches – Symmetric-
key approaches (digital signatures only)
• Idea (e.g. SPHINCS+ / Picnic):
– Use well-established symmetric-key algorithms (hash functions, block ciphers)
– Approach 1 (e.g. SPHINCS+, hash-based):
> Public key = Merkle tree root hash over many one-time signature
public keys (short)
> Signature = one-time signature (reveals part of the one-time sk) + Merkle
authentication path
– long signature!
– Approach 2 (e.g. Picnic):
> Public key = one-way function (hash / block cipher) evaluation on the secret key
> Signature = zero-knowledge proof of knowledge of the secret key
– long signature!
• Security: well understood (depending on the
symmetric-key crypto algorithm used)
• Performance:
> short public key
> long signature and slow algorithms
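Approach 1 above, as an added example that is not SPHINCS+'s code: a textbook Lamport one-time signature scheme placed under a Merkle tree, in Python with hashlib only. The tree height H = 3 and SHA-256 are assumptions of this toy, and because a Lamport verifier cannot recompute the one-time public key from the signature alone, the full one-time public key travels inside the signature. The block reports the resulting signature length, which shows why the slide calls the signature long, and refuses to reuse a one-time key.

```python
"""Hash-based signatures from symmetric primitives only.

Added example: a textbook Lamport one-time signature (OTS) under a Merkle tree,
not SPHINCS+'s code. Assumptions: SHA-256 throughout, tree height H = 3 (toy),
and the full OTS public key is shipped inside the signature (Lamport cannot
recompute it from the signature alone).
"""
import hashlib
import os

H = 3            # tree height -> 2**H one-time keys per Merkle public key (toy)
BITS = 256       # the OTS signs the 256-bit SHA-256 digest of the message


def sha256(*parts):
    return hashlib.sha256(b"".join(parts)).digest()


def msg_bits(msg):
    digest = sha256(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(BITS)]


def lamport_keygen(randbytes=os.urandom):
    """Two 32-byte secrets per digest bit; the pk holds their hashes."""
    sk = [(randbytes(32), randbytes(32)) for _ in range(BITS)]
    pk = [(sha256(s0), sha256(s1)) for s0, s1 in sk]
    return sk, pk


def lamport_sign(sk, msg):
    """Reveal, for each digest bit, the secret matching that bit (half of sk)."""
    return [sk[i][bit] for i, bit in enumerate(msg_bits(msg))]


def lamport_verify(pk, msg, sig):
    return all(sha256(sig[i]) == pk[i][bit] for i, bit in enumerate(msg_bits(msg)))


def leaf_hash(pk):
    return sha256(*[h for pair in pk for h in pair])


def merkle_keygen(randbytes=os.urandom):
    """Returns (signer state, public key = Merkle root over all OTS public keys)."""
    ots = [lamport_keygen(randbytes) for _ in range(2 ** H)]
    level = [leaf_hash(pk) for _, pk in ots]
    tree = [level]
    while len(level) > 1:
        level = [sha256(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        tree.append(level)
    return {"ots": ots, "tree": tree, "next": 0}, tree[-1][0]


def merkle_sign(state, msg):
    """Stateful: each leaf signs exactly once; reusing one leaks the OTS key."""
    idx = state["next"]
    if idx >= 2 ** H:
        raise RuntimeError("all one-time keys used up")
    state["next"] = idx + 1
    sk, pk = state["ots"][idx]
    path, node = [], idx
    for level in state["tree"][:-1]:
        path.append(level[node ^ 1])      # sibling on the way to the root
        node //= 2
    return idx, pk, lamport_sign(sk, msg), path


def merkle_verify(root, msg, sig):
    idx, pk, ots_sig, path = sig
    if not lamport_verify(pk, msg, ots_sig):
        return False
    node = leaf_hash(pk)
    for sibling in path:                 # recompute the root from leaf + auth path
        node = sha256(sibling, node) if idx & 1 else sha256(node, sibling)
        idx >>= 1
    return node == root


def signature_size(sig):
    """Bytes on the wire: 4-byte index + OTS pk + OTS sig + auth path."""
    idx, pk, ots_sig, path = sig
    return 4 + 2 * BITS * 32 + len(ots_sig) * 32 + len(path) * 32


if __name__ == "__main__":
    state, root = merkle_keygen()
    sig = merkle_sign(state, b"hello")
    print("valid:", merkle_verify(root, b"hello", sig), "size:", signature_size(sig), "bytes")
```

The 32-byte root is the whole public key, while one signature is over 24 kB here; real hash-based schemes shrink this with Winternitz chains and hypertrees, but the shape is the same. The `next` counter is the part practitioners get wrong: a stateful scheme that signs twice with the same leaf reveals both halves of that Lamport key for differing bits, which is why SPHINCS+ goes to the trouble of being stateless.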
The future of Public-Key Cryptography:
“Post-Quantum” Public-Key Cryptosystems
• NIST (US) PQC standardisation process: solicit, evaluate and
standardise quantum-resistant public-key cryptosystems:
– Nov. 2017: PQC algorithm submissions deadline
> 69 complete submissions (public-key encryption/KEMs and signatures)
> Initiated a ~4-5 year analysis/evaluation phase
– Apr. 2018: First NIST PQC conference
– Jan. 2019: Second-round algorithms selected (26)
– Aug. 2019: Second NIST PQC conference
– Jul. 2020: Third-round algorithms selected (7 finalists + 8 alternates)
– ~2022-23: New PQC standards developed
– Goal: ready for PQC deployment by ~2024-27
Cryptanalysis
• Many of the original Round 1 schemes were broken
by the research community, and some were even broken
in Round 3 (see the NIST figures below).
NIST PQC Standardisation Process (Round 2)
[Figure omitted] Source: NIST 2nd round PQC workshop, opening remarks slides
NIST PQC Standardisation Process: PKE Sizes
[Figure omitted] Source: NIST 2nd round PQC workshop, opening remarks slides
NIST PQC Standardisation Process: PKE Speed
[Figure omitted] Source: NIST 2nd round PQC workshop, opening remarks slides
NIST PQC Process: Signature & PK Sizes
[Figure omitted] Source: NIST 2nd round PQC workshop, opening remarks slides
NIST PQC Process: Signing Speed vs Size
[Figure omitted] Source: NIST 2nd round PQC workshop, opening remarks slides
NIST PQC Process: Current Status
• Round 3 Finalists:
– PKE/KEMs:
> Finalists:
– NTRU / Kyber / Saber (Structured lattices)
– Classic McEliece (Codes)
> Alternates:
– BIKE, HQC (structured codes)
– FrodoKEM (unstructured lattices)
– NTRU Prime (structured lattices)
– SIKE (isogenies)
NIST PQC Process: Current Status
• Round 3 Finalists:
– Signatures:
> Finalists:
– Dilithium / Falcon (Structured lattices)
– Rainbow (Multivariate)
> Alternates:
– GeMSS (Multivariate)
– Picnic (symmetric key)
– SPHINCS+ (symmetric key)
Comparison Table: NIST 3rd Round PQC
Finalist PKE (KEM) Candidates
Algorithm | Type | Dec time (cycles, AVX2) | |pk| (bytes) | |ctxt| (bytes)
CRYSTALS-Kyber512 | Structured lattice | 34.5k | 800 | 768
LightSaber | Structured lattice | 63k | 672 | 736
NTRU-HRSS-701 | Structured lattice | 62k | 1138 | 1138
Classic McEliece 348864f | Code | 134k | 261k | 128
All at NIST level 1 (107-bit quantum security).
Comparison Table: NIST 3rd Round PQC
Finalist Signature Candidates
Algorithm | Type | Sign time (cycles, AVX2) | |pk| (bytes) | |sig| (bytes)
CRYSTALS-Dilithium2 | Structured lattice | 333k | 1312 | 2420
Falcon-512 | Structured lattice | 387k | 897 | 666
Rainbow | Multivariate | 67k | 158k | 66
All at NIST level 1 (107-bit quantum security).
NIST PQC Process: Current Status
• Latest news/remarks (as of May 2022):
– NIST to announce the selected algorithms any day now
> Expected: structured-lattice schemes for both encryption and signatures
> Rainbow/GeMSS multivariate schemes unlikely to survive (both
suffered improved attacks in Round 3)
– Recent MATZOV (2022) cryptanalysis report:
> Optimisations for lattice-reduction attacks against the lattice
candidates (~5-10 bits of security impact)
– But not a major new idea; unlikely to affect the big picture
– NIST likely to call for additional efficient PQ
signature proposals not based on structured lattices
> (What happened next: on 5 July 2022 NIST selected CRYSTALS-Kyber for
key establishment and CRYSTALS-Dilithium, Falcon and SPHINCS+ for
signatures, moved BIKE, Classic McEliece, HQC and SIKE to a fourth
round, and later in 2022 issued the call for additional signature schemes.)
Other PQC standardisation efforts: ETSI
• European Telecommunications Standards
Institute (ETSI)
– Quantum-Safe Cryptography (QSC) working
group.
– Assess and make recommendations for
quantum-safe cryptographic primitives, protocols
and implementation considerations
– Besides encryption and signature, also other
functionalities:
> Latte – Lattice Based Hierarchical Identity-Based
Encryption (HIBE)
Implementation Issues
• Quantum-Safe Crypto Implementation
– Need careful (even more than non-qsafe)
implementation to achieve
> High performance
> Security against side-channel attacks (e.g. timing)
– Some central implementation techniques:
> Structured lattices: fast polynomial arithmetic
– Work in polynomial rings, typically Z_q[X]/(X^d + 1)
– Use Fast Fourier Transform variants: the Number Theoretic Transform
(NTT) over Z_q, which needs a special q (q ≡ 1 mod 2d for a full
negacyclic NTT)
– Modulus q typically quite small, ~10-20 bits (unlike RSA)
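The polynomial arithmetic described above, as an added example that is not code from the slides or from any PQC library: negacyclic multiplication in Z_q[X]/(X^d + 1) through a radix-2 NTT in pure Python, with a schoolbook multiplier for cross-checking. The parameters q = 7681 and d = 256 are toy assumptions chosen because 2d divides q - 1, which is exactly the “special q” condition that makes a primitive 2d-th root of unity available.

```python
"""Fast polynomial multiplication in Z_q[X]/(X^d + 1) with the Number Theoretic Transform.

Added example, not code from the slides or from any PQC library.
Assumptions: q is prime and 2d | (q - 1), so a primitive 2d-th root of unity psi
exists in Z_q (psi^d = -1). The 'twist' a_i -> a_i * psi^i turns the negacyclic
wrap-around x^d = -1 into a cyclic one, which a plain size-d NTT (omega = psi^2)
diagonalises; pointwise products + inverse NTT + untwist give the ring product.
"""
import random

Q = 7681   # prime; Q - 1 = 2^9 * 15, so 512 | Q - 1 and d = 256 works (toy choice)
D = 256    # ring dimension


def inv_mod(x, q):
    """Modular inverse by Fermat's little theorem (q prime)."""
    return pow(x, q - 2, q)


def find_psi(q, d):
    """Smallest psi with psi^d = -1 mod q, i.e. a primitive 2d-th root of unity
    (d a power of two)."""
    for g in range(2, q):
        if pow(g, d, q) == q - 1:
            return g
    raise ValueError("no primitive 2d-th root of unity: need 2d | q - 1")


def ntt(a, omega, q):
    """Recursive radix-2 Cooley-Tukey DFT over Z_q: returns [a(omega^k)] for all k."""
    n = len(a)
    if n == 1:
        return list(a)
    even = ntt(a[0::2], omega * omega % q, q)
    odd = ntt(a[1::2], omega * omega % q, q)
    out = [0] * n
    w = 1
    for k in range(n // 2):
        t = w * odd[k] % q
        out[k] = (even[k] + t) % q
        out[k + n // 2] = (even[k] - t) % q   # uses omega^(n/2) = -1
        w = w * omega % q
    return out


def negacyclic_mul_ntt(a, b, q=Q, d=D):
    """a * b mod (X^d + 1, q) in O(d log d) ring operations."""
    psi = find_psi(q, d)
    omega = psi * psi % q                          # primitive d-th root of unity
    psi_pows = [pow(psi, i, q) for i in range(d)]
    psi_inv_pows = [inv_mod(p, q) for p in psi_pows]
    at = [x * p % q for x, p in zip(a, psi_pows)]  # twist: negacyclic -> cyclic
    bt = [x * p % q for x, p in zip(b, psi_pows)]
    prod = [x * y % q for x, y in zip(ntt(at, omega, q), ntt(bt, omega, q))]
    ct = ntt(prod, inv_mod(omega, q), q)           # inverse DFT up to the 1/d factor
    d_inv = inv_mod(d, q)
    return [c * d_inv % q * pinv % q for c, pinv in zip(ct, psi_inv_pows)]  # untwist


def negacyclic_mul_schoolbook(a, b, q=Q, d=D):
    """Reference O(d^2) multiplication applying X^d = -1 directly."""
    c = [0] * d
    for i in range(d):
        for j in range(d):
            k = i + j
            if k < d:
                c[k] = (c[k] + a[i] * b[j]) % q
            else:
                c[k - d] = (c[k - d] - a[i] * b[j]) % q
    return c


def random_poly(rng, q=Q, d=D):
    return [rng.randrange(q) for _ in range(d)]


def ntt_matches_schoolbook(seed, q=Q, d=D):
    """Cross-check both multipliers on a seeded random pair of ring elements."""
    rng = random.Random(seed)
    f, g = random_poly(rng, q, d), random_poly(rng, q, d)
    return negacyclic_mul_ntt(f, g, q, d) == negacyclic_mul_schoolbook(f, g, q, d)


if __name__ == "__main__":
    print("psi for (q, d) = (7681, 256):", find_psi(Q, D))
    print("NTT and schoolbook agree:", ntt_matches_schoolbook(1))
```

Production code keeps the twist folded into the butterflies and precomputes all root tables, and, because the modulus is only ~13 bits, does every reduction with Montgomery or Barrett arithmetic in constant time; the recursion here is for readability, not speed.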
Implementation Issues
• Quantum-Safe Crypto Implementation (cont)
– Some central implementation techniques:
> Lattice/coding schemes need efficient & constant-time `small’
noise sampling
> E.g. discrete Gaussian distribution over integers/lattices
> Significant research into practical algorithms (e.g. FACCT [ZSS20])
Deployment in Software Libraries
Several libraries implementing NIST PQC algorithms are
already available for various platforms, e.g.
• Open Quantum Safe (OQS) project
– Q-safe crypto library: liboqs
– Q-safe forks of OpenSSH and OpenSSL
• PQClean library
• pqm4 library
– Q-safe library optimised for embedded ARM Cortex-M4
– Test integrations and evaluation in wolfSSL [T+21]
• Bouncy Castle library (NIST Q-safe in development)
Post-Quantum Cryptography:
Current Research Areas
• Quantum Security Foundations
– Are lattice-based cryptosystems and other PQC
candidates really secure against quantum attacks?
How secure are they?
• Secure and Efficient Implementation
– How to implement PQC cryptosystems in hardware
& software to ensure security and high
performance?
• Advanced Protocols
– How to design efficient advanced post-quantum
public-key crypto protocols?
> E.g. privacy-preserving blockchain systems and credentials
Making Lattice-Based Hierarchical ID-Based
Encryption (HIBE) practical
• LATTE - ETSI proposed recommendation for
Hierarchical ID-Based Encryption (HIBE)
– Allows for hierarchical key delegation
– Considered by UK govt for emergency LTE
communication network
– Advanced (slow) lattice trapdoor sampling used
> Estimated in the order of minutes in the ETSI proposal document
– Long key/ctxt lengths
Making Lattice-Based Hierarchical ID-Based
Encryption (HIBE) practical (cont.)
• Our results ([ZMSSO22]):
– Improved LATTE
> Design optimisations:
– Reduce dimension of lattices →
» cut time & key/ctxt lengths
> Implementation optimisations:
– Fast FACCT/COSAC discrete Gaussian sampling
– Faster lattice Fourier sampling algorithm
– Precision security analysis: supports up to 2^44 delegations/extractions
> Performance results:
– Our delegation time ~0.4s-1s (vs minutes for the ETSI estimate)
– Shorter decryption keys by 2x-3x
– Shorter ctxt length by 33%
Improved LATTE vs Orig. LATTE
[Comparison table omitted]
Non-Confidential Transaction (e.g. Bitcoin)
Spender (Alice) owns input accounts Acc1: (pk1, $2) and Acc2: (pk2, $3)
and publishes {I send $(2+3) to Bob}signed_Alice.
Verifier checks, then accepts/rejects:
1) Correct signature
2) Input accounts unspent
3) Balance is preserved
Sensitive! The amounts and the spent accounts are visible to everyone.
Confidential Transaction?
Spender publishes {I send $(2+3) to Bob}signed_Alice together with a ZK proof Π,
hiding the amounts of Acc1: (pk1, $2) and Acc2: (pk2, $3).
Verifier must still decide (accept/reject) from Π:
1) Correct signature?
2) Input accounts unspent?
3) Balance is preserved?
RingCT: Ring Confidential Transactions [Noe15]
Spender publishes {I send $(2+3) to Bob}signed_Alice with a ZK proof Π, built from:
– Homomorphic commitments to the amounts in Acc1: (pk1, $2), Acc2: (pk2, $3)
(hide the amounts; the balance check becomes a check on commitments)
– Stealth addresses (in Monero) (hide the recipient)
– Ring signature (hides which input accounts are spent among a ring of decoys)
Verifier checks (accept/reject):
1) Correct signature?
2) Input accounts unspent?
3) Balance is preserved?
Our Lattice-Based Ring CT Protocols
• MatRiCT: the first practical “post-quantum” RingCT protocol
[E+19]
– Efficient ring signature and balance proof building on our ZKP
techniques
– Much smaller proofs, public keys and system modulus than
prior protocols
– Based on standard lattice assumptions: M-LWE and M-SIS
– Efficient implementation in C/C++
– Bonus feature: auditability (optional)
• MatRiCT+: Shorter & faster proofs [ESS21]
– CRT-packed balance proof
– Shorter modulus/proof (improved soundness analysis)
– Aggregated ring signature for multiple payer accounts
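The “balance is preserved” check behind RingCT and the lattice-based MatRiCT protocols above, as an added example that is not MatRiCT's commitment scheme or proof system: a toy additively homomorphic lattice commitment Com(m; r) = A·r + m·t mod q in Python. Summing the input commitments and subtracting the output commitments leaves Com(0; Δr) exactly when the amounts balance, and the verifier never sees the amounts. The parameter sizes, the shortness bound, and the fact that the spender simply reveals the short Δr instead of proving knowledge of it in zero knowledge are assumptions of this toy.

```python
"""Toy additively homomorphic lattice commitment and a RingCT-style balance check.

Added example, not MatRiCT's commitment scheme or zero-knowledge proof.
Com(m; r) = A*r + m*t (mod q) with short randomness r and a small amount m.
Assumptions: toy sizes; binding relies on it being hard to find short (r, m) with
A*r + m*t = 0 (an SIS-type problem) and hiding on A*r looking random (LWE-type);
the spender reveals delta_r instead of proving knowledge of it in zero knowledge.
"""
import random

Q = 3329
ROWS, COLS = 8, 16
BETA = 64      # verifier's bound on |delta_r|_inf; long openings would break binding


def setup(seed=0):
    """Public matrix A and public vector t (no zero entries, so m*t != 0 for m != 0 mod Q)."""
    rng = random.Random(seed)
    A = [[rng.randrange(Q) for _ in range(COLS)] for _ in range(ROWS)]
    t = [rng.randrange(1, Q) for _ in range(ROWS)]
    return A, t


def commit(params, amount, r):
    A, t = params
    return [(sum(A[i][j] * r[j] for j in range(COLS)) + amount * t[i]) % Q for i in range(ROWS)]


def small_randomness(rng):
    return [rng.randint(-1, 1) for _ in range(COLS)]


def vec_add(u, v):
    return [(x + y) % Q for x, y in zip(u, v)]


def vec_sub(u, v):
    return [(x - y) % Q for x, y in zip(u, v)]


def balance_opening(r_inputs, r_outputs):
    """Spender side: delta_r = sum(r_in) - sum(r_out) over the integers (stays short)."""
    delta = [0] * COLS
    for r in r_inputs:
        delta = [x + y for x, y in zip(delta, r)]
    for r in r_outputs:
        delta = [x - y for x, y in zip(delta, r)]
    return delta


def verify_balance(params, c_inputs, c_outputs, delta_r):
    """Verifier side: sees only commitments and delta_r, never the amounts.
    sum(C_in) - sum(C_out) = A*delta_r + (sum m_in - sum m_out)*t, which equals
    Com(0; delta_r) iff the amounts balance modulo Q."""
    if max(abs(x) for x in delta_r) > BETA:
        return False                         # a long delta_r could open to anything
    total = [0] * ROWS
    for c in c_inputs:
        total = vec_add(total, c)
    for c in c_outputs:
        total = vec_sub(total, c)
    return total == commit(params, 0, delta_r)


def make_transaction(params, in_amounts, out_amounts, seed=7):
    """Commit to every amount; return (input commitments, output commitments, delta_r)."""
    rng = random.Random(seed)
    r_in = [small_randomness(rng) for _ in in_amounts]
    r_out = [small_randomness(rng) for _ in out_amounts]
    c_in = [commit(params, m, r) for m, r in zip(in_amounts, r_in)]
    c_out = [commit(params, m, r) for m, r in zip(out_amounts, r_out)]
    return c_in, c_out, balance_opening(r_in, r_out)


if __name__ == "__main__":
    params = setup()
    c_in, c_out, delta = make_transaction(params, [2, 3], [5])
    print("2 + 3 -> 5 balanced:", verify_balance(params, c_in, c_out, delta))
    c_in, c_out, delta = make_transaction(params, [2, 3], [6])
    print("2 + 3 -> 6 balanced:", verify_balance(params, c_in, c_out, delta))
    # Balance only holds mod Q: an output of 5 + Q passes, which is why real RingCT
    # protocols also prove in zero knowledge that every committed amount is in range.
    c_in, c_out, delta = make_transaction(params, [2, 3], [5 + Q])
    print("2 + 3 -> 5 + Q passes the mod-Q check:", verify_balance(params, c_in, c_out, delta))
```

Two checks carry the security of this equation. The shortness test on Δr is what makes the homomorphic relation binding: without it, any Δr solving a linear system would “balance” any amounts. And because equality only holds modulo q, a wrapped-around output (5 + q in the demo) slips through, which is the reason RingCT-style protocols pair the balance proof with range proofs on every committed amount; MatRiCT's contribution is doing both with lattice commitments and lattice ZK proofs at practical sizes.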
Concrete Sizes for MatRiCT/MatRiCT+ ([ESS21])
[Table omitted]
Running Times for MatRiCT/MatRiCT+ ([ESS21])
[Table omitted]
Further Reading
• Galbraith S. et al. 2021. The Quantum Threat to Cybersecurity: Looking
Through the Prism of Post-Quantum Cryptography. CSIRO: Canberra,
Australia. Available at
https://data61.csiro.au/en/Our-Research/Our-Work/The-quantum-secure-cryptography-of-tomorrow
• US White House. National Security Memorandum on Promoting United
States Leadership in Quantum Computing While Mitigating Risks to
Vulnerable Cryptographic Systems (May 4, 2022)
• NIST Post-Quantum Cryptography Standardisation Process:
https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization
• [HJN20] Thomas Häner, Samuel Jaques, Michael Naehrig, Martin
Roetteler and Mathias Soeken. Improved Quantum Circuits for Elliptic
Curve Discrete Logarithms. PQCrypto 2020.
• Chris Peikert. A Decade of Lattice Cryptography. Available at
https://eprint.iacr.org/2015/939.pdf [Lattice-based cryptography survey]
• [ZSS20] Raymond K. Zhao, Ron Steinfeld, Amin Sakzad. FACCT:
FAst, Compact, and Constant-Time Discrete Gaussian Sampler
over Integers. IEEE Trans. Computers 69(1): 126-137 (2020).
Available at https://eprint.iacr.org/2018/1234
• [ZMSSO22] Raymond K. Zhao, Sarah McCarthy, Ron Steinfeld, Amin
Sakzad, Máire O’Neill. Quantum-safe HIBE: does it cost a Latte?
Available at https://eprint.iacr.org/2021/222
• [Noe15] Shen Noether, Adam Mackenzie, the Monero Research Lab.
Ring Confidential Transactions. Ledger 2016.34.
• [ESS21] Muhammed F. Esgin, Ron Steinfeld and Raymond K.
Zhao. MatRiCT+: More Efficient Post-Quantum Private Blockchain
Payments. IEEE Symposium on Security and Privacy (S&P) 2022.
Available at https://eprint.iacr.org/2021/545

Exploring Quantum Engineering for Networking by Melchior Aelmans, Juniper Net...Exploring Quantum Engineering for Networking by Melchior Aelmans, Juniper Net...
Exploring Quantum Engineering for Networking by Melchior Aelmans, Juniper Net...
MyNOG
 
Report.pdf
Report.pdfReport.pdf
Report.pdf
Minahilnuman1
 

Similar to Quantum_Safe_Crypto_Overview_v3.pdf (20)

Criptografía cuántica - fundamentos, productos y empresas
Criptografía cuántica - fundamentos, productos y empresasCriptografía cuántica - fundamentos, productos y empresas
Criptografía cuántica - fundamentos, productos y empresas
 
DEF CON 27 - ANDREAS BAUMHOF - are quantum computers really a threat to crypt...
DEF CON 27 - ANDREAS BAUMHOF - are quantum computers really a threat to crypt...DEF CON 27 - ANDREAS BAUMHOF - are quantum computers really a threat to crypt...
DEF CON 27 - ANDREAS BAUMHOF - are quantum computers really a threat to crypt...
 
DEF CON 23 - Phillip Aumasson - quantum computers vs computers security
DEF CON 23 - Phillip Aumasson - quantum computers vs computers securityDEF CON 23 - Phillip Aumasson - quantum computers vs computers security
DEF CON 23 - Phillip Aumasson - quantum computers vs computers security
 
Technical Seminar on Securing the IoT in the Quantum World
Technical Seminar on Securing the IoT in the Quantum WorldTechnical Seminar on Securing the IoT in the Quantum World
Technical Seminar on Securing the IoT in the Quantum World
 
Introduction to Quantum Cryptography
Introduction to Quantum CryptographyIntroduction to Quantum Cryptography
Introduction to Quantum Cryptography
 
Why Should You Pay Attention To Quantum Computing?
Why Should You Pay Attention To Quantum Computing?Why Should You Pay Attention To Quantum Computing?
Why Should You Pay Attention To Quantum Computing?
 
Tears for quantum fears
Tears for quantum fearsTears for quantum fears
Tears for quantum fears
 
Quantum Computing and its security implications
Quantum Computing and its security implicationsQuantum Computing and its security implications
Quantum Computing and its security implications
 
Quantum Information FINAL.pptx
Quantum Information FINAL.pptxQuantum Information FINAL.pptx
Quantum Information FINAL.pptx
 
What is Quantum Computing and Why it is Important
What is Quantum Computing and Why it is ImportantWhat is Quantum Computing and Why it is Important
What is Quantum Computing and Why it is Important
 
Des2017 quantum computing_final
Des2017 quantum computing_finalDes2017 quantum computing_final
Des2017 quantum computing_final
 
Quantum Safety in Certified Cryptographic Modules
Quantum Safety in Certified Cryptographic ModulesQuantum Safety in Certified Cryptographic Modules
Quantum Safety in Certified Cryptographic Modules
 
Quantum computers
Quantum computersQuantum computers
Quantum computers
 
Quantum Information Technology
Quantum Information TechnologyQuantum Information Technology
Quantum Information Technology
 
Puniani, Arjan Singh | Candidate Time-Delayed Decryption Protocols for Deploy...
Puniani, Arjan Singh | Candidate Time-Delayed Decryption Protocols for Deploy...Puniani, Arjan Singh | Candidate Time-Delayed Decryption Protocols for Deploy...
Puniani, Arjan Singh | Candidate Time-Delayed Decryption Protocols for Deploy...
 
Common Crypto Pitfalls
Common Crypto PitfallsCommon Crypto Pitfalls
Common Crypto Pitfalls
 
[DSC Europe 23] Ales Gros - Quantum and Today s security with Quantum.pdf
[DSC Europe 23] Ales Gros - Quantum and Today s security with Quantum.pdf[DSC Europe 23] Ales Gros - Quantum and Today s security with Quantum.pdf
[DSC Europe 23] Ales Gros - Quantum and Today s security with Quantum.pdf
 
Quantum Computing & Cryptography: A Brief Introduction
Quantum Computing & Cryptography: A Brief IntroductionQuantum Computing & Cryptography: A Brief Introduction
Quantum Computing & Cryptography: A Brief Introduction
 
Exploring Quantum Engineering for Networking by Melchior Aelmans, Juniper Net...
Exploring Quantum Engineering for Networking by Melchior Aelmans, Juniper Net...Exploring Quantum Engineering for Networking by Melchior Aelmans, Juniper Net...
Exploring Quantum Engineering for Networking by Melchior Aelmans, Juniper Net...
 
Report.pdf
Report.pdfReport.pdf
Report.pdf
 

Recently uploaded

Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
Tatiana Kojar
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE?  Session 1 – CoE VisionWhat is an RPA CoE?  Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
DianaGray10
 
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
Fwdays
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
c5vrf27qcz
 
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
saastr
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
DianaGray10
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
Hiroshi SHIBATA
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
Ajin Abraham
 
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
Edge AI and Vision Alliance
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Tosin Akinosho
 
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Pitangent Analytics & Technology Solutions Pvt. Ltd
 
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
saastr
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
Alex Pruden
 
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
Jason Yip
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
Zilliz
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
Javier Junquera
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
Jakub Marek
 
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their MainframeDigital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Precisely
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
ssuserfac0301
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
DanBrown980551
 

Recently uploaded (20)

Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE?  Session 1 – CoE VisionWhat is an RPA CoE?  Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
 
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
 
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
 
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
 
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
 
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
 
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
 
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their MainframeDigital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
 

Quantum_Safe_Crypto_Overview_v3.pdf

1. An Overview of Quantum-Safe Cryptography
Assoc. Prof. Ron Steinfeld
Dept of Software Systems & Cybersecurity, Faculty of IT, Monash University
10 May 2022
www.monash.edu.au

2. Outline
• The Quantum Computing threat to Cryptography
– Why quantum-safe cryptography?
• Quantum-Safe Cryptography (PQC)
– Current approaches & characteristics
> Security
> Performance
> The coming new crypto standards (NIST, ETSI, …)
• Glimpse at state-of-the-art research & challenges

3. Quantum Computing Threat to Cryptography
• Quantum computers
– Concept suggested by quantum physicists Paul Benioff and Richard Feynman (early 1980s)
– Exploit quantum mechanics to process information
> Use quantum bits ("qubits") instead of 0's and 1's
> Qubits can be in "superposition states": the ability of a quantum system to be in multiple states at the same time
> → Massive parallelization potential to vastly increase computational power beyond the classical computing limit
– Computational problems that are infeasible for classical computers may become easy for quantum computers
– → Can have a huge impact on cryptography!

4. Nature of Qubits
A classical computer performs operations using classical bits, which can be either zero or one. In contrast, a quantum computer uses quantum bits (qubits), which can be zero, one, or both zero and one at the same time. For example, the outermost electron of a phosphorus atom can be used as a qubit.

5. Nature of Qubits
An electron can exist in quantum superposition. The measurement outcome is either one or zero, with the indicated probabilities (64% and 36% in the figure).

6. The Power of Quantum Computation
For 2 qubits:
- after measurement: 1 of 4 possible outcomes
- before measurement: all 4 possible outcomes can have non-zero weights in a superposition state (25% each in the figure)
For n qubits:
- after measurement: 1 of 2^n possible outcomes
- before measurement: superposition of 2^n outcomes!
The potential power of quantum computers: quantum computations can be performed in parallel on all these 2^n possible outcomes!
7. The Limitation of Quantum Computers
Quantum computations can be performed in parallel on all these 2^n possible superposed outcomes of n qubits. BUT, once we measure the quantum system, the state collapses to just one of those 2^n possible outcomes (figure: 1%, 2%, 96%, 1%; the collapsed measurement result is the solution to the computational problem).
→ We can only exploit the parallelism of quantum computation for certain types of computational problems: those for which the quantum computation can concentrate most of the probability on the solution to our computational problem.
→ Measurement of the final state will then give the solution outcome with high probability.

8. Quantum Computing Threat to Cryptography
• Shor's quantum algorithms: exponential speedup of QCs for breaking classical public-key crypto
– 1994: Peter Shor (IBM Research): efficient quantum computer algorithms for:
> Integer Factorisation Problem (IFP) → breaks RSA public-key encryption in time polynomial in the length of the modulus n
> Discrete Logarithm Problem (DLP) → breaks the Diffie-Hellman key exchange protocol in time polynomial in the length of the modulus p
> Later extended also to break ECDLP in polynomial time
• Implication: large-scale QC → RSA and Diffie-Hellman public-key systems become insecure!

9. Quantum Computing Threat to Cryptography
• 1996: Grover's algorithm: polynomial speedup of QCs for breaking symmetric-key crypto
– Preimage finding (one-wayness): given y = H(x) for a random n-bit x, find x.
– Brute-force classical algorithm: ~O(2^n) time
– Grover's quantum algorithm: ~O(√(2^n)) = O(2^{n/2}) time

10. Summary: Implication of Large-Scale QC on Cryptography Security – PKC insecure!
| Problem | Application | Classical security (k = key len) | Quantum security (k = key len) | Key length scaling factor to keep quantum security |
| Integer Factorization | RSA public-key enc/signature | 2^{Õ(k^{1/3})} | poly(k) | subexponential |
| Discrete Log Problem | Diffie-Hellman public-key enc/sig | 2^{Õ(k^{1/3})} | poly(k) | subexponential |
| EC Discrete Log Problem | ECDH public-key enc/sig | O(2^{k/2}) | poly(k) | exponential |
| Symmetric Key Search | Symmetric-key enc (e.g. AES) | O(2^k) | O(2^{k/2}) | ≤ 2 |
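Worked derivation of the scaling-factor column, added here and not part of the original slides: the factor is k'/k, where k' is the key length whose quantum attack cost equals the classical attack cost of a k-bit key.

$$
\begin{aligned}
\text{Symmetric (Grover):}\quad & 2^{k'/2} = 2^{k} \;\Rightarrow\; k' = 2k, \qquad k'/k = 2 \\
\text{ECDLP (Shor):}\quad & \mathrm{poly}(k') = 2^{k/2} \;\Rightarrow\; k' = 2^{\Theta(k)} \qquad \text{(exponential)} \\
\text{IFP / DLP (Shor):}\quad & \mathrm{poly}(k') = 2^{\tilde O(k^{1/3})} \;\Rightarrow\; k' = 2^{\tilde O(k^{1/3})} \qquad \text{(subexponential)}
\end{aligned}
$$

So a 128-bit quantum security target for AES is met by AES-256, whereas for RSA, DH and ECDH no practical key length restores security, which is why those systems must be replaced rather than enlarged.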
11. Quantum Computing Threat to Cryptography – How Far Away?
• Concrete estimates for an ECDL implementation of Shor's algorithm [HJN20]:
– ~2124 qubits
– ~2.3 × 10^9 quantum gates

12. Quantum Computing Threat to Cryptography – How Far Away?
• Technological improvements in QC:
– 1980-82: idea proposed by Benioff / Feynman
– 1998: first 2-qubit quantum computer realized
– 2000: 7-qubit quantum computer
– 2006: 12 qubits
– 2017: 49/50 qubits (IBM/Intel)
– 2018: 72 qubits (Google)
– 2019: 53 qubits (IBM); Google's successful quantum supremacy experiment published
– 2021: IBM `Eagle': 127 qubits
– 2023 (IBM roadmap): 1000+ qubits??

13. Quantum Computing Threat to Cryptography: Why Worry Now?
• Quantum-insecure public-key crypto is everywhere:
– Web security (SSL/TLS)
– VPNs (IPsec)
– IoT, blockchains, …
• Collect ciphertexts now and decrypt in the QC future…
(time to upgrade infrastructure crypto to quantum-safe alternatives: standards, implementation, deployment) + (time for which future data security is required) <?? (time to a practical large-scale QC)

14. Resisting QC Attacks on Public-Key Crypto
• Two main countermeasure approaches investigated:
– Quantum-Safe Cryptography
> Aka Post-Quantum Cryptography (PQC)
> Public-key cryptosystems based on computational problems resistant even to quantum computer attacks
> Legitimate parties use only classical computers: a "plug-in" replacement for quantum-insecure public-key crypto
> Active research topic in cryptography for > 20 years
> Several approaches known (later in this talk)

15. Resisting QC Attacks on Public-Key Crypto
• Two main countermeasure approaches investigated (cont.):
– Quantum Cryptography
> Aka Quantum Key Distribution (QKD)
> Key exchange protocol resistant even to quantum computer attacks
> Legitimate parties use quantum communication/computation hardware (not a plug-in replacement for quantum-insecure public-key crypto; needs special quantum hardware)
> Requires quantum-safe classical authentication
> Will not be discussed further in this talk

16. The Future of Public-Key Cryptography: Quantum-Safe Public-Key Cryptosystems
• Quantum-Safe (aka Post-Quantum) Cryptography
– Goal: public-key cryptosystems based on computational problems resistant to quantum computers
– A delicate balance: need
> Enough math structure to support the functionality (encrypt with the public key, decrypt with the private key)
> Not enough math structure to allow quantum attacks
– But several candidate approaches exist:
> Linear equations with errors: lattice & coding problems
> Multivariate non-linear equations
> Isogenies on elliptic curves
> Symmetric-key approaches (digital signatures only)

17. Quantum-Safe Crypto: Approaches – Lattices & Codes
• Linear equations with errors: codes & lattices
– Idea inspired by error-correcting codes
– Add `small' errors to a linear equation to make it hard to solve: y = A*x + e
– Encode a message x by an expanding linear transformation (add redundancy)
– Can decode if the noise e is sufficiently `small'
> Easy to decode for special codes (wireless communication)
> Computationally hard to decode for "random-looking" linear codes in high dimension
• Codes & lattices: different ways to measure `small'

18. Lattice-Based Cryptography: Idea (1)
• Lattice = periodic grid of points in space
• Generated by some set of basis vectors
• E.g. (right) lattice in 2-D (green points = lattice, basis in blue)
• Can be easily defined mathematically in any dimension n
• Hard to visualise/draw for n > 3!
• Fact: geometric problems in lattices seem to be computationally infeasible (run time exponential in n) for large dimension n
• Even against quantum computers!
• Lattice-based crypto: design public-key encryption so that breaking it requires solving a hard geometric lattice problem!

19. Lattice-Based Cryptography: Idea (2)
• Hard geometric lattice problem: Bounded-Distance Decoding (BDD)
• Given a basis B of a (high-dimensional) lattice and a point c close to a lattice point m, compute m
• Idea of public-key encryption:
• Public key pk: basis B for the lattice
• Private key sk: decoding trapdoor for the lattice
• Encrypt(m): to encrypt a message m (a lattice point):
• choose a random short error vector e
• compute c = m + e
• ciphertext = c
• Decrypt(c, sk): use sk to compute the closest lattice point m to c
• Security: hard to solve BDD without sk! (figure: m, c, e)
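Added example of the "linear equations with errors" idea from slides 17–19, in the style of Regev's LWE scheme; it is not code from the slides and not any NIST candidate. The public key is the noisy system b = A·s + e (mod q), decryption is the bounded-distance decoding step, and the parameters n = 16, m = 32, q = 3329 and error bound eta are constructed toy values with no security; the noise bound shows when decoding fails.

```python
"""Toy LWE ("linear equations with errors") public-key bit encryption.

Constructed illustration in the style of Regev's LWE scheme; not code from
the slides and not any NIST candidate.  The public key is the noisy linear
system b = A*s + e (mod q), a ciphertext hides the bit behind a random
combination of those samples, and decryption is bounded-distance decoding:
it is correct only while the accumulated error stays below q/4.
n, m, q and eta are toy values with no security whatsoever.
"""
import random


def _dot(a, b, q):
    return sum(x * y for x, y in zip(a, b)) % q


def keygen(rng, n, m, q, eta):
    """Secret s in Z_q^n; public key (A, b) with b = A*s + e, |e_i| <= eta."""
    s = [rng.randrange(q) for _ in range(n)]
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    e = [rng.randint(-eta, eta) for _ in range(m)]
    b = [(_dot(row, s, q) + ei) % q for row, ei in zip(A, e)]
    return (A, b), s


def encrypt(rng, pk, bit, q):
    """Sum a random subset r of the m samples; add bit*(q/2) to the b-part."""
    A, b = pk
    m, n = len(A), len(A[0])
    r = [rng.randrange(2) for _ in range(m)]
    u = [sum(r[i] * A[i][j] for i in range(m)) % q for j in range(n)]
    v = (sum(r[i] * b[i] for i in range(m)) + bit * (q // 2)) % q
    return u, v


def decrypt(sk, ct, q):
    """v - <u,s> = bit*(q/2) + <r,e> (mod q): decide by the distance from 0."""
    u, v = ct
    d = (v - _dot(u, sk, q)) % q
    if d > q // 2:           # centre into (-q/2, q/2]
        d -= q
    return 1 if abs(d) > q // 4 else 0


def noise_bound_ok(m, q, eta):
    """Correctness condition: worst-case |<r,e>| <= m*eta must stay below q/4."""
    return m * eta < q / 4


def roundtrip_failures(seed, n=16, m=32, q=3329, eta=1, trials=200):
    """Count decryption failures; 0 when noise_bound_ok holds, many when not."""
    rng = random.Random(seed)
    pk, sk = keygen(rng, n, m, q, eta)
    return sum(decrypt(sk, encrypt(rng, pk, bit, q), q) != bit
               for bit in (rng.randrange(2) for _ in range(trials)))


def encrypt_message(rng, pk, data, q):
    """One ciphertext per message bit, most significant bit first."""
    bits = [(byte >> (7 - k)) & 1 for byte in data for k in range(8)]
    return [encrypt(rng, pk, bit, q) for bit in bits]


def decrypt_message(sk, cts, q):
    bits = [decrypt(sk, ct, q) for ct in cts]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


def message_roundtrip(seed, data, n=16, m=32, q=3329, eta=1):
    """Key generation, encryption and decryption of `data` with one seeded RNG."""
    rng = random.Random(seed)
    pk, sk = keygen(rng, n, m, q, eta)
    return decrypt_message(sk, encrypt_message(rng, pk, data, q), q)
```

With eta = 1 the accumulated error never exceeds 32 < q/4 and every bit decodes; with eta = 400 the error often crosses q/4 and the "closest lattice point" is the wrong one, which is the failure mode a real parameter set must rule out.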
20. Quantum-Safe Crypto: Approaches – Lattices & Codes
Brief History of Lattice-Based Cryptography
• 1978: Merkle-Hellman knapsack PKC
• 1982: LLL lattice reduction algorithm
– Poly-time secret recovery attack (Shamir)
• 1980s: for(i = 1; i < N; i++) repair; attack;
– Problem with heuristic designs:
> shortcut attacks (avoid the hard lattice problem)

21. Brief History of Lattice-Based Cryptography (cont.)
• 1996: Lattice one-way hash function with worst-case to average-case security proof (Ajtai / Ajtai-Dwork): SIS problem
• 1996: NTRUEncrypt: practical structured lattice PKC, but heuristic security (Hoffstein, Pipher, Silverman)
• 2002: Efficient structured lattice-based one-way hash function with security proof (Micciancio)
• 2005: PKC with security proof: LWE problem (Regev)
• 2008: Trapdoor signatures with security proof (Gentry et al.)
• 2009: Efficient Schnorr-type structured lattice signatures (Lyubashevsky)
• 2009/10: Efficient structured lattice PKC with security proof: PLWE/RLWE problems (Stehlé-Steinfeld-Tanaka-Xagawa, Lyubashevsky-Peikert-Regev)

22. Brief History of Lattice-Based Cryptography (cont.)
• 2009: Fully homomorphic encryption (Gentry)
• 2011: First security proof for a variant of NTRU (Stehlé-Steinfeld)
• 2010–present: Improved efficiency and more functionalities (identity-based encryption, attribute-based, …)

23. Quantum-Safe Crypto: Approaches – Lattices & Codes
• Two types of lattices used in PQC:
• Unstructured (LWE problem): e.g. FrodoKEM
– Advantage: low security risk: no lattice structure, relation to worst-case lattices
– Drawback: large keys/ciphertexts, slow computation
• Structured (Polynomial LWE / Ring LWE / Module LWE)
– E.g. Kyber, Saber, NTRU, …
– Lattice defined with algebraic (polynomial) structure (matrices with cyclic structure)
– Advantage: short keys/ciphertexts, fast algorithms
– Drawback: higher potential security risk (but OK for > 25 years)

24. Quantum-Safe Crypto: Approaches – Lattices & Codes
• Lattices: performance and security
– Security:
> Best known attack time ~2^{O(k)} for key length k
> But the exponent constant is quite small → moderately large key/ciphertext/signature lengths
> Studied in math & computer science since the 1980s
– Performance: with practical structured lattices (MLWE/RLWE/NTRU problems):
> Fast algorithms (~ECC or faster) and
> Moderately short keys/ciphertexts (~10x–40x ECC length)

25. Quantum-Safe Crypto: Approaches – Lattices & Codes
• Codes: performance and security
– Security:
> Best known attack time ~2^{O(k)} for key length k
> But the exponent constant is quite small → moderately large key/ciphertext/signature lengths
> Studied in math & computer science since the 1950s
> McEliece PKC (1977), based on Goppa codes
– Performance: with original McEliece
> Moderately fast algorithms
> Very short ciphertexts (~128 bytes)
> Very long keys (> 100 kB)
> Structured codes can improve performance
– Difficult to implement signatures!

26. Quantum-Safe Crypto: Approaches – Multivariate Non-linear Equations
• Multivariate non-linear equations
– Originated in the 1980s
– Hide a message in a system of polynomial equations in many variables
– Decryption trapdoor transforms the system into an easy-to-solve linear system
– Security: not very well understood
> Recent practical attack against the NIST Round 3 candidate Rainbow signature
– Performance:
> Moderately long keys but short signatures
> Fast algorithms

27. Quantum-Safe Crypto: Approaches – Isogenies on Elliptic Curves
• Idea (e.g. SIKE):
– Classical ECC is quantum-insecure due to the commutativity of the EC group operation
– Isogenies are mappings between curves with a non-commutative structure → resist Shor's quantum algorithms
– Use a Diffie-Hellman-like non-commutative protocol
• Security: not so well understood (only studied for the last ~10–20 years)
• Performance:
> Short keys and ciphertexts
> Slow algorithms

28. Quantum-Safe Crypto: Approaches – Symmetric-key Approaches (digital signatures only)
• Idea (e.g. SPHINCS+ / Picnic):
– Use well-established symmetric-key algorithms
– Approach 1 (e.g. SPHINCS+):
> Public key = Merkle tree hash of many one-time signature keys (short)
> Signature = one-time signature (reveals sk) + Merkle authentication path: long signature!
– Approach 2 (e.g. Picnic):
> Public key = one-way hash of the secret key
> Signature = zero-knowledge proof of knowledge of the secret key: long signature!

29. Quantum-Safe Crypto: Approaches – Symmetric-key Approaches (digital signatures only)
• Security: well understood (depending on the symmetric-key crypto algorithm used)
• Performance:
> Short public key
> Long signature and slow algorithms
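Added example of Approach 1 from slide 28 (not code from the slides and not SPHINCS+ itself): Lamport one-time signatures whose public keys are the leaves of a Merkle tree, so the public key is one 32-byte root while a signature carries the revealed one-time secrets, the one-time public key and the authentication path. The tree height, seed derivation and use of SHA-256 are constructed assumptions; SPHINCS+ avoids the explicit "used leaf" state shown here with a hypertree and a few-time scheme.

```python
"""Toy stateful hash-based signature: Lamport one-time keys under a Merkle root.

Constructed illustration of the Merkle-tree idea behind SPHINCS+; not code
from the slides and not SPHINCS+ (no hypertree, no few-time scheme).  It shows
why the public key is short, why the signature is long, and why a one-time
key must never be reused.  Seed handling and SHA-256 are assumptions.
"""
import hashlib


def H(*parts):
    """SHA-256 over the concatenation of the given byte strings."""
    return hashlib.sha256(b"".join(parts)).digest()


N = 32            # hash length in bytes; messages are hashed to 8*N bits
BITS = 8 * N


def _bits(digest):
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(BITS)]


def lamport_keygen(seed):
    """One-time key: two secrets per message bit; public key = their hashes."""
    sk = [[H(seed, bytes([b]), i.to_bytes(2, "big")) for b in (0, 1)]
          for i in range(BITS)]
    pk = [[H(x) for x in pair] for pair in sk]
    return sk, pk


def lamport_sign(sk, digest):
    """Reveal one secret per bit (signing two digests would reveal both halves)."""
    return [sk[i][bit] for i, bit in enumerate(_bits(digest))]


def lamport_verify(pk, digest, sig):
    return all(H(sig[i]) == pk[i][bit] for i, bit in enumerate(_bits(digest)))


def leaf_hash(pk):
    """Merkle leaf = hash of the whole one-time public key."""
    return H(*[x for pair in pk for x in pair])


class MerkleSigner:
    """Stateful signer: 2^height one-time keys under one 32-byte Merkle root."""

    def __init__(self, height, seed):
        self.used = set()   # indices of spent one-time keys (the signer's state)
        keys = [lamport_keygen(H(seed, i.to_bytes(4, "big")))
                for i in range(1 << height)]
        self.sks = [k[0] for k in keys]
        self.pks = [k[1] for k in keys]
        self.levels = [[leaf_hash(pk) for pk in self.pks]]   # levels[0] = leaves
        while len(self.levels[-1]) > 1:
            lvl = self.levels[-1]
            self.levels.append([H(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
        self.public_key = self.levels[-1][0]   # the root: short, whatever the height

    def sign(self, msg, index):
        if index in self.used:
            raise ValueError("one-time key %d already used" % index)
        self.used.add(index)
        ots_sig = lamport_sign(self.sks[index], H(msg))
        auth, i = [], index
        for lvl in self.levels[:-1]:      # sibling at each level = authentication path
            auth.append(lvl[i ^ 1])
            i //= 2
        return (index, ots_sig, self.pks[index], auth)


def verify(root, msg, signature):
    """Check the one-time signature, then recompute the root from leaf + path."""
    index, ots_sig, ots_pk, auth = signature
    if not lamport_verify(ots_pk, H(msg), ots_sig):
        return False
    node, i = leaf_hash(ots_pk), index
    for sibling in auth:
        node = H(node, sibling) if i % 2 == 0 else H(sibling, node)
        i //= 2
    return node == root


def signature_bytes(signature):
    """Serialized size: 4-byte index + OTS reveal + OTS public key + path."""
    index, ots_sig, ots_pk, auth = signature
    return 4 + len(ots_sig) * N + 2 * len(ots_pk) * N + len(auth) * N
```

For a height-3 tree the public key is 32 bytes while each signature is 24,676 bytes, which is the size trade-off slide 29 describes; real schemes shrink the one-time part (e.g. with Winternitz chains) but the signature stays long.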
  • 30. Quantum-Safe Crypto Overview The future of Public-Key Cryptography: “Post-Quantum” Public-Key Cryptosystems • NIST (US) PQC standardization process: solicit, evaluate an standardise quantum-resistant public-key cryptosystems: – Nov. 2017: PQC algorithm submissions deadline > 69 algorithms submitted (public key encryption and signatures) > Initiate ~ 4-5 year analysis/evaluation phase – Apr. 2018: First NIST PQC conference – Jan. 2019: Second round algorithms selected (26) – Aug. 2019: Second NIST PQC conference – Jul. 2020: Third round algorithms selected (7) – ~ 2022-23: New PQC standards developed – Goal: ready for PQC deployment in by ~ 2024-27
Cryptanalysis
• Many of the original Round 1 schemes were broken by the research community, and some were even broken in Round 3 (e.g. the Rainbow signature scheme).
NIST PQC Standardisation Process (Round 2)
(Figure) Source: NIST 2nd round PQC workshop, opening remarks slides
NIST PQC Standardisation Process: PKE Sizes
(Figure) Source: NIST 2nd round PQC workshop, opening remarks slides
NIST PQC Standardisation Process: PKE Speed
(Figure) Source: NIST 2nd round PQC workshop, opening remarks slides
NIST PQC Process: Signature & PK Sizes
(Figure) Source: NIST 2nd round PQC workshop, opening remarks slides
NIST PQC Process: Signing Speed vs Size
(Figure) Source: NIST 2nd round PQC workshop, opening remarks slides
NIST PQC Process: Current Status
• Round 3 candidates:
– PKE/KEMs:
> Finalists:
– NTRU / Kyber / Saber (structured lattices)
– Classic McEliece (codes)
> Alternates:
– BIKE, HQC (structured codes)
– FrodoKEM (unstructured lattices)
– NTRU Prime (structured lattices)
– SIKE (isogenies)
– Signatures:
> Finalists:
– Dilithium / Falcon (structured lattices)
– Rainbow (multivariate)
> Alternates:
– GeMSS (multivariate)
– Picnic (symmetric key)
– SPHINCS+ (symmetric key)
Comparison Table: NIST 3rd Round PQC Finalist PKE (KEM) Candidates

Algorithm                 Type                 Dec time (cycles, AVX2)   |pk| (bytes)   |ctxt| (bytes)
Crystals-Kyber512         Structured lattice   34.5k                     800            768
LightSaber                Structured lattice   63k                       672            736
NTRUhrss701               Structured lattice   62k                       1138           1138
Classic McEliece348864f   Code                 134k                      261k           128

All at NIST level 1 (107-bit quantum security)
Comparison Table: NIST 3rd Round PQC Finalist Signature Candidates

Algorithm             Type                 Sign time (cycles, AVX2)   |pk| (bytes)   |sig| (bytes)
Crystals-Dilithium2   Structured lattice   333k                       1312           2420
Falcon512             Structured lattice   387k                       897            666
Rainbow               Multivariate         67k                        158k           66

All at NIST level 1 (107-bit quantum security)
NIST PQC Process: Current Status
• Latest news/remarks:
– NIST expected to announce the selected standards any day now
> One of the structured-lattice schemes each for encryption and signatures
> Rainbow/GeMSS multivariate schemes unlikely to survive (both suffered improved attacks in Round 3)
– Recent MATZOV cryptanalysis:
> Optimizations for lattice-reduction attacks against the lattice candidates (~5-10 bits of security impact)
– Not a major new idea, unlikely to affect the big picture
– NIST likely to call for additional efficient PQ signature proposals not based on structured lattices
Other PQC Standardisation Efforts: ETSI
• European Telecommunications Standards Institute (ETSI)
– Quantum-Safe Cryptography (QSC) working group
– Assesses and makes recommendations on quantum-safe cryptographic primitives, protocols and implementation considerations
– Besides encryption and signatures, also covers other functionalities:
> LATTE – lattice-based Hierarchical Identity-Based Encryption (HIBE)
Implementation Issues
• Quantum-safe crypto implementation
– Needs careful (even more so than non-quantum-safe crypto) implementation to achieve
> High performance
> Security against side-channel attacks (e.g. timing)
– Some central implementation techniques:
> Structured lattices: fast polynomial arithmetic
– Work in polynomial rings, typically Z_q[X]/(X^d + 1) with d a power of 2
– Use Fast Fourier Transform variants: the Number-Theoretic Transform (NTT), which needs a special q (2d | q - 1 for a full negacyclic NTT)
– Modulus q is typically small, ~12-23 bits (e.g. Kyber: q = 3329, Dilithium: q = 8380417), unlike RSA's thousands-of-bit moduli
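The NTT multiplication described above, as an added example that is not code from the talk or from any NIST submission. The parameters are assumed: n = 256 and the NTT-friendly prime q = 7681 (2n = 512 divides q - 1 = 7680), which was the modulus of the first-round Kyber submission; the round-3 Kyber modulus q = 3329 has no 512th root of unity and therefore uses an incomplete NTT. The block multiplies in Z_q[X]/(X^n + 1) via the "twist then cyclic NTT" construction and checks the result against schoolbook multiplication.

```python
"""NTT-based multiplication in R_q = Z_q[X]/(X^n + 1) (added example, assumed toy parameters)."""
import random

N = 256                               # ring dimension (as in Kyber)
Q = 7681                              # assumed prime with 2N | Q - 1
_Q_MINUS_1_FACTORS = (2, 3, 5)        # 7680 = 2^9 * 3 * 5, used to test for a generator


def _primitive_2n_root(q=Q, n=N):
    """psi = g^((q-1)/2n) for a generator g of Z_q^*: order exactly 2n, so psi^n = -1."""
    if (q - 1) % (2 * n):
        raise ValueError("q - 1 must be divisible by 2n for a full negacyclic NTT")
    for g in range(2, q):
        if all(pow(g, (q - 1) // p, q) != 1 for p in _Q_MINUS_1_FACTORS):
            return pow(g, (q - 1) // (2 * n), q)
    raise ValueError("no generator found")


PSI = _primitive_2n_root()
PSI_INV = pow(PSI, Q - 2, Q)
OMEGA = PSI * PSI % Q                 # primitive n-th root of unity
OMEGA_INV = pow(OMEGA, Q - 2, Q)
N_INV = pow(N, Q - 2, Q)


def _ntt(a, omega):
    """Recursive radix-2 Cooley-Tukey transform: A[i] = sum_j a[j] * omega^(i*j) mod q."""
    n = len(a)
    if n == 1:
        return [a[0] % Q]
    even = _ntt(a[0::2], omega * omega % Q)
    odd = _ntt(a[1::2], omega * omega % Q)
    out = [0] * n
    w = 1
    for i in range(n // 2):
        t = w * odd[i] % Q
        out[i] = (even[i] + t) % Q
        out[i + n // 2] = (even[i] - t) % Q      # because omega^(n/2) = -1
        w = w * omega % Q
    return out


def ntt_negacyclic(a):
    """Forward transform for X^n + 1: twist coefficient j by psi^j, then a cyclic NTT."""
    return _ntt([a[j] * pow(PSI, j, Q) % Q for j in range(N)], OMEGA)


def intt_negacyclic(a_hat):
    """Inverse: cyclic inverse NTT, scale by 1/n, untwist by psi^-j."""
    a = _ntt(a_hat, OMEGA_INV)
    return [x * N_INV % Q * pow(PSI_INV, j, Q) % Q for j, x in enumerate(a)]


def poly_mul_ntt(a, b):
    """a * b in R_q: two O(n log n) transforms, one pointwise product, one inverse."""
    a_hat, b_hat = ntt_negacyclic(a), ntt_negacyclic(b)
    return intt_negacyclic([x * y % Q for x, y in zip(a_hat, b_hat)])


def poly_mul_schoolbook(a, b):
    """O(n^2) reference: full product, then reduce with X^n = -1."""
    prod = [0] * (2 * N)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] += ai * bj
    return [(prod[k] - prod[k + N]) % Q for k in range(N)]


def random_poly(rng):
    return [rng.randrange(Q) for _ in range(N)]


def check_against_schoolbook(seed=0):
    """Self-check on a seeded random pair of polynomials."""
    rng = random.Random(seed)
    a, b = random_poly(rng), random_poly(rng)
    return poly_mul_ntt(a, b) == poly_mul_schoolbook(a, b)
```

Kyber-style code precomputes the twiddles `psi^j` in bit-reversed order and merges the twist into the butterflies, but the arithmetic is the same; the check against the schoolbook product is the test every NTT implementation should keep, since a wrong root of unity produces output that is still "polynomial-shaped" and only fails on decryption.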
Implementation Issues (cont.)
• Quantum-safe crypto implementation (cont.)
– Some central implementation techniques:
> Lattice/code-based schemes need efficient and constant-time "small" noise sampling (timing leakage of the secret noise compromises the scheme)
> E.g. the discrete Gaussian distribution over the integers/lattices
> Significant research into practical algorithms (e.g. FACCT [ZSS20])
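A discrete Gaussian sampler over the integers in the constant-time style the slide asks for, as an added example that is not code from the talk or from FACCT. The parameters are assumed: sigma = 3, a tail cut at 6 sigma and a 64-bit cumulative distribution table (CDT) built in floating point; a production sampler needs a tail cut around 2^-128 and exact arithmetic, and FACCT avoids large tables entirely. What the block shows is the branch-free "scan every table entry" pattern that constant-time C code uses so that the secret sample does not leak through timing; Python itself gives no timing guarantees, so the point is the control flow, not measured constant time.

```python
"""Discrete Gaussian over Z via a full-scan CDT (added example, assumed toy parameters)."""
import math
import random

SIGMA = 3.0                    # assumed standard deviation
TAIL = int(6 * SIGMA)          # support is [-TAIL, TAIL]; real schemes cut far further out
PRECISION = 64                 # table entries are integers in [0, 2^64]


def build_cdt(sigma=SIGMA, tail=TAIL, precision=PRECISION):
    """cdt[i] = floor(2^precision * Pr[x <= i - tail]); the last entry is forced to 2^precision."""
    rho = [math.exp(-(x * x) / (2 * sigma * sigma)) for x in range(-tail, tail + 1)]
    total = sum(rho)
    scale = 1 << precision
    cdt, acc = [], 0.0
    for p in rho:
        acc += p
        cdt.append(min(scale, int(acc / total * scale)))
    cdt[-1] = scale
    return cdt


CDT = build_cdt()


def sample_from_uniform(u, cdt=CDT, tail=TAIL):
    """Map a uniform integer u in [0, 2^64) to x = (index of first entry > u) - tail.

    Every entry is visited and the comparison result is accumulated arithmetically
    instead of breaking out of the loop, so the work done is independent of u
    (and hence of the secret sample). In C the comparison would be a mask."""
    idx = 0
    for c in cdt:
        idx += int(c <= u)
    return idx - tail


def sample(rng=random):
    return sample_from_uniform(rng.getrandbits(64))


def sample_stats(n=20000, seed=1):
    """Empirical mean and variance from a seeded RNG; expect ~0 and ~sigma^2."""
    rng = random.Random(seed)
    xs = [sample(rng) for _ in range(n)]
    mean = sum(xs) / n
    var = sum((x - mean) ** 2 for x in xs) / n
    return mean, var


def all_in_support(n=1000, seed=5):
    rng = random.Random(seed)
    return all(-TAIL <= sample(rng) <= TAIL for _ in range(n))


def is_monotone(cdt=CDT):
    return all(cdt[i] <= cdt[i + 1] for i in range(len(cdt) - 1))
```

The contrast to keep in mind is rejection sampling, whose loop count depends on the candidate being accepted and therefore on the secret; the CDT scan trades that data-dependent control flow for a fixed number of table reads, which is why table size (and hence sigma and the tail cut) becomes the performance limit that samplers such as FACCT are designed around.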
Deployment in Software Libraries
Several libraries implementing NIST PQC algorithms are already available for various platforms, e.g.
• Open Quantum Safe (OQS) project
– Quantum-safe crypto library: liboqs
– Quantum-safe forks of OpenSSH and OpenSSL
• PQClean library
• pqm4 library
– Quantum-safe library optimized for embedded ARM Cortex-M4
– Test integrations and evaluation in wolfSSL [T+21]
• Bouncy Castle library (NIST quantum-safe algorithms in development)
Post-Quantum Cryptography: Current Research Areas
• Quantum security foundations
– Are lattice-based cryptosystems and other PQC candidates really secure against quantum attacks? How secure are they?
• Secure and efficient implementation
– How to implement PQC cryptosystems in hardware and software to ensure both security and high performance?
• Advanced protocols
– How to design efficient advanced post-quantum public-key crypto protocols?
> E.g. privacy-preserving blockchain systems and credentials
Making Lattice-Based Hierarchical ID-Based Encryption (HIBE) Practical
• LATTE – ETSI proposed recommendation for Hierarchical ID-Based Encryption (HIBE)
– Allows hierarchical key delegation
– Considered by the UK government for an emergency LTE communication network
– Uses advanced (slow) lattice trapdoor sampling
> Delegation estimated to take on the order of minutes in the ETSI proposal document
– Long key/ciphertext lengths
Making Lattice-Based HIBE Practical (cont.)
• Our results ([ZMSSO22]): improved LATTE
> Design optimisations:
– Reduce the dimension of the lattices → cut time and key/ciphertext lengths
> Implementation optimisations:
– Fast FACCT/COSAC discrete Gaussian sampling
– Faster lattice Fourier sampling algorithm
– Precision security analysis: supports up to 2^44 delegations/extractions
> Performance results:
– Delegation time ~0.4s-1s (vs. minutes in the ETSI estimate)
– Decryption keys shorter by 2x-3x
– Ciphertext length shorter by 33%
Non-Confidential Transaction (e.g. Bitcoin)
Spender (Alice): Acc1: (pk1, $2), Acc2: (pk2, $3)
Transaction: {I send $(2+3) to Bob} signed by Alice – amounts, sender accounts and recipient are all visible: sensitive!
Verifier: Accept/Reject. Checks:
1) Correct signature
2) Input accounts unspent
3) Balance is preserved

Confidential Transaction?
Spender (Alice): Acc1: (pk1, $2), Acc2: (pk2, $3)
Transaction: {I send $(2+3) to Bob} signed by Alice, sent together with a ZK proof Π
Verifier: Accept/Reject. Must still check, without learning the amounts:
1) Correct signature?
2) Input accounts unspent?
3) Balance is preserved?

RingCT: Ring Confidential Transactions [Noe15]
Spender (Alice): Acc1: (pk1, $2), Acc2: (pk2, $3)
Transaction: {I send $(2+3) to Bob} signed by Alice, where:
– Amounts are hidden in homomorphic commitments
– Stealth addresses (in Monero) hide the recipient
– A ring signature hides which input accounts are being spent
– A ZK proof Π shows that the balance is preserved
Verifier: Accept/Reject. Checks:
1) Correct signature?
2) Input accounts unspent?
3) Balance is preserved?
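The "balance is preserved" check of RingCT on hidden amounts, as an added example that is not code from the talk, from [Noe15] or from MatRiCT. It uses the classical Pedersen commitment that Monero's RingCT builds on (MatRiCT replaces it with a lattice-based commitment, but the homomorphic balance check is the same idea) in an assumed toy group: the order-1019 subgroup of Z_2039^*, with generators G and H chosen so that nobody knows log_G(H). The group is far too small to be secure and is there only so the arithmetic runs instantly; the helper names are the example's own.

```python
"""Homomorphic-commitment balance check for confidential transactions (added example, toy group)."""
import hashlib
import secrets

# Assumed toy group: P = 2Q + 1 is a safe prime, so the quadratic residues form a subgroup of order Q.
P = 2039
Q = 1019
G = 4                                  # 2^2 is a quadratic residue, hence has order Q


def _hash_to_group(label: bytes) -> int:
    """Nothing-up-my-sleeve second generator: square a hash so it lands in the order-Q subgroup."""
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha256(label + bytes([ctr])).digest(), "big") % P
        h = pow(x, 2, P)
        if h not in (0, 1):
            return h
        ctr += 1


H = _hash_to_group(b"RingCT toy generator H")


def commit(value: int, r: int) -> int:
    """Pedersen commitment C = G^value * H^r mod P: hides value, binding if log_G(H) is unknown."""
    return pow(G, value % Q, P) * pow(H, r % Q, P) % P


def make_output(value: int):
    """Spender side: commit to an amount under fresh blinding randomness."""
    r = secrets.randbelow(Q)
    return commit(value, r), r


def balance_opening(in_blinds, out_blinds) -> int:
    """Spender side: delta = sum(r_in) - sum(r_out). Revealing delta (or, as in Monero,
    proving knowledge of it with a signature under key H^delta) is the balance proof."""
    return (sum(in_blinds) - sum(out_blinds)) % Q


def verify_balance(in_commits, out_commits, delta: int) -> bool:
    """Verifier side: prod(C_in) / prod(C_out) == commit(0, delta), i.e. the amounts
    cancel to zero. The verifier never sees the amounts themselves."""
    lhs = 1
    for c in in_commits:
        lhs = lhs * c % P
    rhs = 1
    for c in out_commits:
        rhs = rhs * c % P
    return lhs * pow(rhs, P - 2, P) % P == commit(0, delta)


def demo_honest() -> bool:
    """Alice spends $2 + $3 (the slides' accounts) and pays $5 to Bob."""
    (c1, r1), (c2, r2) = make_output(2), make_output(3)
    cb, rb = make_output(5)
    return verify_balance([c1, c2], [cb], balance_opening([r1, r2], [rb]))


def demo_overspend() -> bool:
    """Alice tries to pay $10 out of $2 + $3: the check must fail."""
    (c1, r1), (c2, r2) = make_output(2), make_output(3)
    cb, rb = make_output(10)
    return verify_balance([c1, c2], [cb], balance_opening([r1, r2], [rb]))


def demo_wraparound() -> bool:
    """Why range proofs are mandatory: outputs $10 and $(Q - 5) == -$5 mod Q sum to $5,
    so the balance equation PASSES although $10 of new money was created."""
    (c1, r1), (c2, r2) = make_output(2), make_output(3)
    (cb, rb), (cx, rx) = make_output(10), make_output(Q - 5)
    return verify_balance([c1, c2], [cb, cx], balance_opening([r1, r2], [rb, rx]))
```

`demo_wraparound` is the failure mode that the ZK proof Π in the slides must rule out: balance is only an equation modulo the commitment's amount space, so each output also needs a range proof that its amount is small (Bulletproofs in Monero, the lattice balance/range proof in MatRiCT). The ring signature and stealth addresses are orthogonal to this check and are not modelled here.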
Our Lattice-Based RingCT Protocols
• MatRiCT: the first practical "post-quantum" RingCT protocol [E+19]
– Efficient ring signature and balance proof building on our ZKP techniques
– Much smaller proofs, public keys and system modulus than prior protocols
– Based on standard lattice assumptions: M-LWE and M-SIS
– Efficient implementation in C/C++
– Bonus feature: auditability (optional)
• MatRiCT+: shorter and faster proofs [E+21]
– CRT-packed balance proof
– Shorter modulus/proof (improved soundness analysis)
– Aggregated ring signature for multiple payer accounts
Concrete Sizes for MatRiCT/MatRiCT+ ([E+21])
(Table figure; see [E+21])
Running Times for MatRiCT/MatRiCT+ ([E+21])
(Table figure; see [E+21])
Further Reading
• Galbraith S. et al. 2021. The Quantum Threat to Cybersecurity: Looking Through the Prism of Post-Quantum Cryptography. CSIRO: Canberra, Australia. Available at https://data61.csiro.au/en/Our-Research/Our-Work/The-quantum-secure-cryptography-of-tomorrow
• US White House. National Security Memorandum on Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems (May 4 2022)
• NIST Post-Quantum Cryptography Standardisation Process: https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization
• [HJN20] Thomas Häner, Samuel Jaques, Michael Naehrig, Martin Roetteler and Mathias Soeken. Improved Quantum Circuits for Elliptic Curve Discrete Logarithms. PQCrypto 2020.
• Chris Peikert. A Decade of Lattice Cryptography. Available at https://eprint.iacr.org/2015/939.pdf [lattice-based cryptography survey]
• [ZSS20] Raymond K. Zhao, Ron Steinfeld, Amin Sakzad. FACCT: FAst, Compact, and Constant-Time Discrete Gaussian Sampler over Integers. IEEE Trans. Computers 69(1): 126-137 (2020). Available at https://eprint.iacr.org/2018/1234
• [ZMSSO22] Raymond K. Zhao, Sarah McCarthy, Ron Steinfeld, Amin Sakzad, Máire O'Neill. Quantum-safe HIBE: does it cost a Latte? Available at https://eprint.iacr.org/2021/222
• [Noe15] Shen Noether, Adam Mackenzie, the Monero Research Lab. Ring Confidential Transactions. Ledger 1 (2016), doi:10.5195/ledger.2016.34
• [E+21] Muhammed F. Esgin, Ron Steinfeld and Raymond K. Zhao. MatRiCT+: More Efficient Post-Quantum Private Blockchain Payments. IEEE Symposium on Security and Privacy (S&P) 2022. Available at https://eprint.iacr.org/2021/545