- 113 Views
- Uploaded on
- Presentation posted in: Sports / Games

Quantum Resistant Public Key Cryptography: A Survey

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Quantum Resistant Public Key Cryptography: A Survey

Ray A. Perlner

David A. Cooper

- Short answer
- A classical computer processes classical information.
- A quantum computer processes quantum information.

- What is the difference?
- Classical information is measured in bits (a unit of entropy in the classical limit of physics)
- Quantum information consists of qbits (a unit of entropy in real physics)
- Either way, available entropy scales with the size of a system.
- So it should be possible to build a quantum computer.

- Simulate a quantum computer
- The best known classical algorithm is exponentially more costly in the worst case.
- This does NOT mean that a quantum computer can always provide exponential speedup.

- Stuff that matters for cryptography
- Quadratic speedup over classical brute force search. (Grover)
- Polynomial time algorithms for factoring and discrete logs, including elliptic curves. (Shor)
- This completely breaks every public key algorithm you’ve probably ever heard of.

- Error correction/fault tolerance is much harder for quantum information.
- Currently, we’re better off using a classical computer to run simulations.
- Threshold theorems say that if we can build good enough components, the cost is only polynomial.

- Components are not cheap like transistors
- Options include ultra-cold ultra-small solid state devices and charged ions or neutral atoms controlled by lasers.
- Pure optical systems may be an important component, but are unlikely to be the whole solution.

- Quantum resistant algorithms are algorithms we don’t know how to break with a quantum or classical computer.
- This is the same criterion we use for security in the classical model (pending P≠NP proof)
- As with classically secure algorithms, related “hard problems” add a measure of confidence.
- (Classical) algorithms meeting the above criteria do exist at present.

- Security Assumptions
- Public Key Length
- Signature Length/Ciphertext Expansion
- E.g. RSA has ~1-2 kb (~10 - 20×)

- Public Key Lifetime
- Mostly an issue for signatures
- Can be dealt with using Merkle Trees and certificate chains
- Memory (may need more than just the private key)

- Computational Cost

- One time signatures
- Basic Scheme: Sign a single bit
- Private key consists of two secrets S0 and S1
- Public key is H(S0) || H(S1)
- Signature for 0 is S0, signature for 1 is S1

- To sign an n-bit digest, just use n times as many secrets to sign the bits individually.
- Many optimizations are possible that trade increased computation for reduced key and/or signature size.

- Security Assumption: preimage and second-preimage resistance of a one-way function
- Only the message digest needs collision resistance.

- Public Key Length: ~n2 for an n-bit one-way function and a 2n-bit digest
- ~10 kb for n = 80
- ~20 kb for n =128

- Signature Length: same
- Public Key Lifetime: 1 signature
- Computational Cost: ~1ms (comparable to DSA)
- Includes key generation

- Security Assumption: preimage and second-preimage resistance of a one-way function
- Only the message digest needs collision resistance.

- Public Key Length: n for an n-bit one-way function and a 2n-bit digest
- Private Key Length: ~250 – 500 kb
- Signature Length: ~50 – 100 kb
- Public Key Lifetime: 1012 signatures
- Computational Cost: ~1ms (comparable to DSA)
- key generation: ~1s

- Start with an error correction code generator matrix, G
- Rectangular matrix such that it’s easy to reconstruct x from Gx + e.
- x has dimension k
- e has hamming weight t or less and dimension n > k

- Rectangular matrix such that it’s easy to reconstruct x from Gx + e.
- Public key K = PGS
- S is k×k and invertible
- P is an n×n permutation

- To Encrypt m: compute Km + e

- Security Assumption: indistinguishability of masked Goppa code and general linear code
- Decoding problem for general linear codes is NP-complete

- Public Key Length: ~500kb
- Message Size: ~1kb
- Public Key Lifetime: potentially unlimited
- Computational Cost: ~100μs
- Signatures exist, but very expensive for signer

- Private key is a short basis for an N dimensional lattice
- Public key is a long basis for the same lattice.
- Save space by representing lattice basis as a polynomial rather than a matrix
- This requires all lattice basis vectors to be cyclic permutations.
- Many academic crypto schemes employ lattices but do not employ this technique, preferring security assumptions based on a less symmetric version of the lattice problems.

- Coefficients are generally reduced modulo q N 256

- Security Assumption: unique closest vector problem
- Public Key Size: 2-4kb
- Ciphertext Size: 2-4kb
- Signature Size: 4-8kb
- Public Key Lifetime: ~1 billion signatures
- Signature scheme has changed in response to a series of attacks.

- Computational Cost: ~100μs

- Hidden Field Equations
- Braid Groups
- New schemes based on these crop up from time to time, but most have been broken.

- Crypto Agility is a Minimum Requirement
- Long Signatures or Public Keys
- Transmitting certificates may become unwieldy (especially when revocation is considered)
- Cache Certificates
- Limit Cert Chain Depth

- Transmitting certificates may become unwieldy (especially when revocation is considered)
- Limited Lifetime Signing Keys
- Mostly applicable to high load servers (e.g., OCSP responders)
- Use a Merkle tree or subordinate public keys where applicable.

- Mostly applicable to high load servers (e.g., OCSP responders)

- All widely used public key crypto is threatened by quantum computing.
- We do have potentially viable options to consider.
- Protocol designers can think about how to deal with these algorithms now.