Quantum Resistant Public Key Cryptography: A Survey
Ray A. Perlner and David A. Cooper
What is a quantum computer
  • Short answer
    • A classical computer processes classical information.
    • A quantum computer processes quantum information.
  • What is the difference?
    • Classical information is measured in bits (a unit of entropy in the classical limit of physics)
    • Quantum information consists of qubits (a unit of entropy in real physics)
    • Either way, available entropy scales with the size of a system.
    • So it should be possible to build a quantum computer.
What can a quantum computer do? (faster than a classical computer)
  • Simulate a quantum computer
    • The best known classical algorithm is exponentially more costly in the worst case.
    • This does NOT mean that a quantum computer can always provide exponential speedup.
  • Stuff that matters for cryptography
    • Quadratic speedup over classical brute force search. (Grover)
    • Polynomial time algorithms for factoring and discrete logs, including elliptic curves. (Shor)
      • This completely breaks every public key algorithm you’ve probably ever heard of.
Why haven’t these monstrosities been built?
  • Error correction/fault tolerance is much harder for quantum information.
    • Currently, we’re better off using a classical computer to run simulations.
    • Threshold theorems say that if we can build good enough components, the cost is only polynomial.
  • Components are not cheap like transistors
    • Options include ultra-cold ultra-small solid state devices and charged ions or neutral atoms controlled by lasers.
    • Pure optical systems may be an important component, but are unlikely to be the whole solution.
Quantum Resistance
  • Quantum resistant algorithms are algorithms we don’t know how to break with a quantum or classical computer.
    • This is the same criterion we use for security in the classical model (pending P≠NP proof)
    • As with classically secure algorithms, related “hard problems” add a measure of confidence.
    • (Classical) algorithms meeting the above criteria do exist at present.
General Concerns
  • Security Assumptions
  • Public Key Length
  • Signature Length/Ciphertext Expansion
    • E.g. RSA has ~1-2 kb (~10 - 20×)
  • Public Key Lifetime
    • Mostly an issue for signatures
    • Can be dealt with using Merkle Trees and certificate chains
    • Memory (may need more than just the private key)
  • Computational Cost
Lamport Signatures
  • One time signatures
  • Basic Scheme: Sign a single bit
    • Private key consists of two secrets S0 and S1
    • Public key is H(S0) || H(S1)
    • Signature for 0 is S0, signature for 1 is S1
  • To sign an n-bit digest, just use n times as many secrets to sign the bits individually.
  • Many optimizations are possible that trade increased computation for reduced key and/or signature size.
Lamport Signatures
  • Security Assumption: preimage and second-preimage resistance of a one-way function
    • Only the message digest needs collision resistance.
  • Public Key Length: ~n² for an n-bit one-way function and a 2n-bit digest
    • ~10 kb for n = 80
    • ~20 kb for n =128
  • Signature Length: same
  • Public Key Lifetime: 1 signature
  • Computational Cost: ~1ms (comparable to DSA)
    • Includes key generation
Lamport Signatures (with Merkle Trees and Chaining)
  • Security Assumption: preimage and second-preimage resistance of a one-way function
    • Only the message digest needs collision resistance.
  • Public Key Length: n for an n-bit one-way function and a 2n-bit digest
  • Private Key Length: ~250 – 500 kb
  • Signature Length: ~50 – 100 kb
  • Public Key Lifetime: 10¹² signatures
  • Computational Cost: ~1ms (comparable to DSA)
    • key generation: ~1s
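The two Lamport slides above (the bit-by-bit one-time scheme, and its extension with a Merkle tree so that one n-bit public key covers many one-time keys) as one added worked example. This is not code from the slides or their authors: SHA-256 as the one-way function H, 32-byte secrets, a 256-bit digest, the tree height and every name below are my assumptions.

```python
import hashlib
import os

# Added example (not from the slides): Lamport one-time signatures over a
# 256-bit SHA-256 digest, then a Merkle tree whose n-bit root is the only
# long-lived public key. H = SHA-256, 32-byte secrets and all names are
# assumptions of this example.

N_BITS = 256                                   # digest length in bits


def H(data: bytes) -> bytes:
    """One-way function with an n = 256-bit output."""
    return hashlib.sha256(data).digest()


def digest_bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N_BITS)]


def lamport_keygen(rng=os.urandom):
    """Private key: secrets S0[i], S1[i] per digest bit; public key: their hashes."""
    sk = [[rng(32) for _ in range(N_BITS)] for _ in range(2)]
    pk = [[H(s) for s in row] for row in sk]
    return sk, pk


def lamport_sign(sk, msg: bytes):
    """Reveal S0[i] or S1[i] according to digest bit i (each key signs once)."""
    return [sk[b][i] for i, b in enumerate(digest_bits(msg))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == N_BITS and all(
        H(sig[i]) == pk[b][i] for i, b in enumerate(digest_bits(msg)))


def pk_leaf(pk) -> bytes:
    """Hash a whole one-time public key down to one n-bit tree leaf."""
    return H(b"".join(pk[0]) + b"".join(pk[1]))


class MerkleLamport:
    """The root of a Merkle tree over 2**height Lamport public keys is the public key."""

    def __init__(self, height: int, rng=os.urandom):
        self.n_leaves = 1 << height
        self.keys = [lamport_keygen(rng) for _ in range(self.n_leaves)]
        level = [pk_leaf(pk) for _, pk in self.keys]
        self.levels = [level]                  # levels[0] = leaves, levels[-1] = root
        while len(level) > 1:
            level = [H(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
            self.levels.append(level)
        self.root = level[0]
        self.next_leaf = 0                     # state: first unused one-time key

    def sign(self, msg: bytes):
        """Signature = (leaf index, one-time pk, Lamport sig, authentication path)."""
        idx = self.next_leaf
        if idx >= self.n_leaves:
            raise RuntimeError("all one-time keys used; reusing one leaks secrets")
        self.next_leaf += 1
        sk, pk = self.keys[idx]
        auth, i = [], idx
        for level in self.levels[:-1]:
            auth.append(level[i ^ 1])          # sibling hash on the path to the root
            i >>= 1
        return idx, pk, lamport_sign(sk, msg), auth


def merkle_verify(root: bytes, msg: bytes, signature) -> bool:
    idx, pk, ots, auth = signature
    if not lamport_verify(pk, msg, ots):
        return False
    node, i = pk_leaf(pk), idx
    for sibling in auth:                       # recompute the root from the leaf
        node = H(sibling + node) if i & 1 else H(node + sibling)
        i >>= 1
    return node == root


def signature_sizes(signature):
    """Bytes for (one-time public key, Lamport signature, authentication path)."""
    _, pk, ots, auth = signature
    return (sum(len(x) for row in pk for x in row),
            sum(len(x) for x in ots),
            sum(len(x) for x in auth))
```

With these parameters the long-lived public key is the 32-byte root, while each signature still carries the 16 KB one-time public key, the 8 KB Lamport signature and one 32-byte sibling per tree level; that is the trade the slide's "Public Key Length: n" versus "Signature Length: ~50 – 100 kb" figures describe. The `next_leaf` counter is the state the "Memory" bullet under General Concerns refers to: the signer must never hand out the same leaf twice.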
McEliece Encryption
  • Start with an error correction code generator matrix, G
    • Rectangular matrix such that it’s easy to reconstruct x from Gx + e.
      • x has dimension k
      • e has Hamming weight t or less and dimension n > k
  • Public key K = PGS
    • S is k×k and invertible
    • P is an n×n permutation
  • To Encrypt m: compute Km + e
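The key construction and encryption on this slide as an added worked example in the slide's own notation (G is n×k, K = P G S, ciphertext K m + e). This is not the authors' code. To stay short it hides a binary Hamming(7,4) code (n = 7, k = 4, t = 1) instead of the Goppa code real McEliece relies on, so it illustrates the key structure and the decryption path, not a secure parameter set; the matrices, the seed-based key generation and all names are my assumptions.

```python
import random

# Toy McEliece, added example (not from the slides). Hidden code: binary
# Hamming(7,4), n = 7, k = 4, corrects t = 1 error. All arithmetic is mod 2.
N_CODE, K_CODE, T_ERRORS = 7, 4, 1

# Systematic generator G (n x k): first k rows are the identity, the
# remaining n-k rows are the parity equations. Codeword = G x.
G = [[1, 0, 0, 0],
     [0, 1, 0, 0],
     [0, 0, 1, 0],
     [0, 0, 0, 1],
     [1, 1, 0, 1],
     [1, 0, 1, 1],
     [0, 1, 1, 1]]
# Parity-check matrix ((n-k) x n) with H_CHECK * G = 0. Its 7 columns are
# the distinct non-zero 3-bit vectors, so the syndrome of a single-bit error
# equals the column at the error position.
H_CHECK = [[1, 1, 0, 1, 1, 0, 0],
           [1, 0, 1, 1, 0, 1, 0],
           [0, 1, 1, 1, 0, 0, 1]]


def mat_vec(M, v):
    return [sum(a & b for a, b in zip(row, v)) & 1 for row in M]


def mat_mul(A, B):
    cols = list(zip(*B))
    return [[sum(a & b for a, b in zip(row, col)) & 1 for col in cols] for row in A]


def gf2_inverse(M):
    """Gauss-Jordan elimination over GF(2); returns None if M is singular."""
    k = len(M)
    aug = [row[:] + [int(i == j) for j in range(k)] for i, row in enumerate(M)]
    for col in range(k):
        pivot = next((r for r in range(col, k) if aug[r][col]), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(k):
            if r != col and aug[r][col]:
                aug[r] = [a ^ b for a, b in zip(aug[r], aug[col])]
    return [row[k:] for row in aug]


def decode_hamming(y):
    """Correct up to one error in y and return the k information bits x."""
    syndrome = mat_vec(H_CHECK, y)
    y = y[:]
    if any(syndrome):
        pos = [list(col) for col in zip(*H_CHECK)].index(syndrome)
        y[pos] ^= 1
    return y[:K_CODE]          # systematic code: x sits in the first k positions


def keygen(seed=None):
    """Public key K = P G S; private key is (S^-1, P^-1) plus the hidden decoder."""
    rng = random.Random(seed)
    while True:                                  # random invertible k x k S
        S = [[rng.randrange(2) for _ in range(K_CODE)] for _ in range(K_CODE)]
        S_inv = gf2_inverse(S)
        if S_inv is not None:
            break
    perm = list(range(N_CODE))
    rng.shuffle(perm)
    P = [[int(j == perm[i]) for j in range(N_CODE)] for i in range(N_CODE)]
    P_inv = [list(col) for col in zip(*P)]       # permutation matrix: P^-1 = P^T
    K = mat_mul(mat_mul(P, G), S)                # n x k public key
    return K, (S_inv, P_inv)


def encrypt(K, m, e):
    """Ciphertext K m + e for an error vector e of Hamming weight <= t."""
    if sum(e) > T_ERRORS:
        raise ValueError("error vector too heavy for the hidden code to correct")
    return [a ^ b for a, b in zip(mat_vec(K, m), e)]


def decrypt(sk, c):
    S_inv, P_inv = sk
    y = mat_vec(P_inv, c)      # = G (S m) + P^-1 e; P^-1 e still has weight <= t
    sm = decode_hamming(y)     # the hidden code's decoder strips the error
    return mat_vec(S_inv, sm)  # undo S to recover m
```

Decryption works only because the private holder can undo P and then run the decoder of the structured code; a party holding only K sees what looks like an arbitrary generator matrix and is left with the general linear-code decoding problem the next slide names as the security assumption.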
McEliece Encryption
  • Security Assumption: indistinguishability of masked Goppa code and general linear code
    • Decoding problem for general linear codes is NP-complete
  • Public Key Length: ~500kb
  • Message Size: ~1kb
  • Public Key Lifetime: potentially unlimited
  • Computational Cost: ~100μs
    • Signatures exist, but very expensive for signer
  • Private key is a short basis for an N dimensional lattice
  • Public key is a long basis for the same lattice.
  • Save space by representing lattice basis as a polynomial rather than a matrix
    • This requires all lattice basis vectors to be cyclic permutations.
    • Many academic crypto schemes employ lattices but do not employ this technique, preferring security assumptions based on a less symmetric version of the lattice problems.
  • Coefficients are generally reduced modulo q  N  256
  • Security Assumption: unique closest vector problem
  • Public Key Size: 2-4kb
  • Ciphertext Size: 2-4kb
  • Signature Size: 4-8kb
  • Public Key Lifetime: ~1 billion signatures
    • Signature scheme has changed in response to a series of attacks.
  • Computational Cost: ~100μs
  • Hidden Field Equations
  • Braid Groups
  • New schemes based on these crop up from time to time, but most have been broken.
  • Crypto Agility is a Minimum Requirement
  • Long Signatures or Public Keys
    • Transmitting certificates may become unwieldy (especially when revocation is considered)
      • Cache Certificates
      • Limit Cert Chain Depth
  • Limited Lifetime Signing Keys
    • Mostly applicable to high load servers (e.g., OCSP responders)
      • Use a Merkle tree or subordinate public keys where applicable.
  • All widely used public key crypto is threatened by quantum computing.
  • We do have potentially viable options to consider.
  • Protocol designers can think about how to deal with these algorithms now.