Quantum Resistant Public Key Cryptography: A Survey

Ray A. Perlner

David A. Cooper


What is a quantum computer

  • Short answer

    • A classical computer processes classical information.

    • A quantum computer processes quantum information.

  • What is the difference?

    • Classical information is measured in bits (a unit of entropy in the classical limit of physics)

    • Quantum information consists of qubits (a unit of entropy in real physics)

    • Either way, available entropy scales with the size of a system.

    • So it should be possible to build a quantum computer.


What can a quantum computer do? (faster than a classical computer)

  • Simulate a quantum computer

    • The best known classical algorithm is exponentially more costly in the worst case.

    • This does NOT mean that a quantum computer can always provide exponential speedup.

  • Stuff that matters for cryptography

    • Quadratic speedup over classical brute force search. (Grover)

    • Polynomial time algorithms for factoring and discrete logs, including elliptic curves. (Shor)

      • This completely breaks every public key algorithm you’ve probably ever heard of.


Why haven’t these monstrosities been built?

  • Error correction/fault tolerance is much harder for quantum information.

    • Currently, we’re better off using a classical computer to run simulations.

    • Threshold theorems say that if we can build good enough components, the cost is only polynomial.

  • Components are not cheap like transistors

    • Options include ultra-cold ultra-small solid state devices and charged ions or neutral atoms controlled by lasers.

    • Pure optical systems may be an important component, but are unlikely to be the whole solution.


Quantum Resistance

  • Quantum resistant algorithms are algorithms we don’t know how to break with a quantum or classical computer.

    • This is the same criterion we use for security in the classical model (pending P≠NP proof)

    • As with classically secure algorithms, related “hard problems” add a measure of confidence.

    • (Classical) algorithms meeting the above criteria do exist at present.


The Algorithms


General Concerns

  • Security Assumptions

  • Public Key Length

  • Signature Length/Ciphertext Expansion

    • E.g. RSA has ~1-2 kb (~10 - 20×)

  • Public Key Lifetime

    • Mostly an issue for signatures

    • Can be dealt with using Merkle Trees and certificate chains

    • Memory (may need more than just the private key)

  • Computational Cost


Lamport Signatures

  • One time signatures

  • Basic Scheme: Sign a single bit

    • Private key consists of two secrets S0 and S1

    • Public key is H(S0) || H(S1)

    • Signature for 0 is S0, signature for 1 is S1

  • To sign an n-bit digest, just use n times as many secrets to sign the bits individually.

  • Many optimizations are possible that trade increased computation for reduced key and/or signature size.
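
The basic scheme above, applied bit by bit to a message digest, as an added example (not code from the presentation). It assumes SHA-256 for both H and the message digest; all function names are illustrative. `revealed_fraction` shows why such a key is good for one signature only.

```python
import hashlib
import secrets

N = 32  # bytes per secret and per hash output (assumption: SHA-256 as H)

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def digest_bits(message: bytes) -> list[int]:
    """Bits of the message digest, most significant bit first."""
    return [(byte >> (7 - i)) & 1 for byte in H(message) for i in range(8)]

def keygen():
    """One (S0, S1) pair per digest bit; the public key is the pair of hashes."""
    sk = [(secrets.token_bytes(N), secrets.token_bytes(N)) for _ in range(8 * N)]
    pk = [(H(s0), H(s1)) for s0, s1 in sk]
    return sk, pk

def sign(sk, message: bytes) -> list[bytes]:
    """Reveal S0 for each 0 bit of the digest and S1 for each 1 bit."""
    return [pair[bit] for pair, bit in zip(sk, digest_bits(message))]

def verify(pk, message: bytes, signature: list[bytes]) -> bool:
    """Hash each revealed secret and compare with the matching public half."""
    bits = digest_bits(message)
    if len(signature) != len(bits):
        return False
    return all(H(s) == pair[bit] for s, pair, bit in zip(signature, pk, bits))

def revealed_fraction(sk, messages) -> float:
    """Fraction of private secrets disclosed after signing `messages` with
    one key. One signature discloses exactly half; every further signature
    discloses more, which is why the key must be used only once."""
    seen = set()
    for m in messages:
        for i, bit in enumerate(digest_bits(m)):
            seen.add((i, bit))
    return len(seen) / (2 * len(sk))

if __name__ == "__main__":
    sk, pk = keygen()
    sig = sign(sk, b"constructed sample message")
    print(verify(pk, b"constructed sample message", sig))
    print(revealed_fraction(sk, [b"first", b"second"]))
```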


Merkle Trees


Lamport Signatures

  • Security Assumption: preimage and second-preimage resistance of a one-way function

    • Only the message digest needs collision resistance.

  • Public Key Length: ~n^2 for an n-bit one-way function and a 2n-bit digest

    • ~10 kb for n = 80

    • ~20 kb for n = 128

  • Signature Length: same

  • Public Key Lifetime: 1 signature

  • Computational Cost: ~1ms (comparable to DSA)

    • Includes key generation


Lamport Signatures (with Merkle Trees and Chaining)

  • Security Assumption: preimage and second-preimage resistance of a one-way function

    • Only the message digest needs collision resistance.

  • Public Key Length: n for an n-bit one-way function and a 2n-bit digest

  • Private Key Length: ~250 – 500 kb

  • Signature Length: ~50 – 100 kb

  • Public Key Lifetime: 10^12 signatures

  • Computational Cost: ~1ms (comparable to DSA)

    • key generation: ~1s


McEliece Encryption

  • Start with an error correction code generator matrix, G

    • Rectangular matrix such that it’s easy to reconstruct x from Gx + e.

      • x has dimension k

      • e has Hamming weight t or less and dimension n > k

  • Public key K = PGS

    • S is k×k and invertible

    • P is an n×n permutation

  • To Encrypt m: compute Km + e
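
The construction above, worked through over GF(2) as an added example (not code from the presentation). It swaps in the tiny Hamming(7,4) code (n = 7, k = 4, t = 1) for G so the arithmetic is visible; that code offers no security, and all names are illustrative.

```python
import random

# Constructed toy parameters: Hamming(7,4), n=7, k=4, t=1. NOT secure; a
# real McEliece key uses a large masked Goppa code. G is n x k (codeword = Gx).
A = [[1, 1, 0, 1], [1, 0, 1, 1], [0, 1, 1, 1]]
G = [[int(i == j) for j in range(4)] for i in range(4)] + A       # [I4 ; A]
H_CHECK = [r + [int(i == j) for j in range(3)] for i, r in enumerate(A)]  # [A | I3]
RNG = random.SystemRandom()

def matvec(M, v):
    return [sum(a & b for a, b in zip(row, v)) % 2 for row in M]

def matmul(X, Y):
    return [[sum(a & b for a, b in zip(r, c)) % 2 for c in zip(*Y)] for r in X]

def gf2_inverse(M):
    """Gauss-Jordan elimination over GF(2); returns None if M is singular."""
    n = len(M)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for c in range(n):
        piv = next((r for r in range(c, n) if aug[r][c]), None)
        if piv is None:
            return None
        aug[c], aug[piv] = aug[piv], aug[c]
        for r in range(n):
            if r != c and aug[r][c]:
                aug[r] = [a ^ b for a, b in zip(aug[r], aug[c])]
    return [row[n:] for row in aug]

def keygen(rng=RNG):
    S_inv = None
    while S_inv is None:                      # retry until S is invertible
        S = [[rng.randint(0, 1) for _ in range(4)] for _ in range(4)]
        S_inv = gf2_inverse(S)
    perm = list(range(7))
    rng.shuffle(perm)
    P = [[int(perm[i] == j) for j in range(7)] for i in range(7)]
    return matmul(P, matmul(G, S)), (S_inv, perm)   # public K = PGS, private key

def encrypt(K, m, rng=RNG):
    e = [0] * 7
    e[rng.randrange(7)] = 1                   # error of Hamming weight t = 1
    return [a ^ b for a, b in zip(matvec(K, m), e)]

def decrypt(priv, c):
    S_inv, perm = priv
    y = [0] * 7
    for i in range(7):
        y[perm[i]] = c[i]                     # undo P
    s = matvec(H_CHECK, y)                    # syndrome locates the flipped bit
    if any(s):
        y[list(zip(*H_CHECK)).index(tuple(s))] ^= 1
    return matvec(S_inv, y[:4])               # y[:4] = Sm because G is systematic
```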


McEliece Encryption

  • Security Assumption: indistinguishability of masked Goppa code and general linear code

    • Decoding problem for general linear codes is NP-complete

  • Public Key Length: ~500kb

  • Message Size: ~1kb

  • Public Key Lifetime: potentially unlimited

  • Computational Cost: ~100μs

    • Signatures exist, but very expensive for signer


NTRU

  • Private key is a short basis for an N dimensional lattice

  • Public key is a long basis for the same lattice.

  • Save space by representing lattice basis as a polynomial rather than a matrix

    • This requires all lattice basis vectors to be cyclic permutations.

    • Many academic crypto schemes employ lattices but do not employ this technique, preferring security assumptions based on a less symmetric version of the lattice problems.

  • Coefficients are generally reduced modulo q  N  256


NTRU

  • Security Assumption: unique closest vector problem

  • Public Key Size: 2-4kb

  • Ciphertext Size: 2-4kb

  • Signature Size: 4-8kb

  • Public Key Lifetime: ~1 billion signatures

    • Signature scheme has changed in response to a series of attacks.

  • Computational Cost: ~100μs


Other

  • Hidden Field Equations

  • Braid Groups

  • New schemes based on these crop up from time to time, but most have been broken.


Implications

  • Crypto Agility is a Minimum Requirement

  • Long Signatures or Public Keys

    • Transmitting certificates may become unwieldy (especially when revocation is considered)

      • Cache Certificates

      • Limit Cert Chain Depth

  • Limited Lifetime Signing Keys

    • Mostly applicable to high load servers (e.g., OCSP responders)

      • Use a Merkle tree or subordinate public keys where applicable.


Conclusion

  • All widely used public key crypto is threatened by quantum computing.

  • We do have potentially viable options to consider.

  • Protocol designers can think about how to deal with these algorithms now.

