Slide Note
0 likes | 80 Views
NIST has been at the forefront of cryptographic standards development since the 1970s with the introduction of DES. As technology evolves, NIST continues to enhance security standards to counter sophisticated attacks, including the looming threat of quantum algorithms. There is a growing need to transition cryptographic systems to quantum-resistant cryptography by 2035 to mitigate quantum risks. The transition involves the development and adoption of new standards and algorithms that can withstand both classical and quantum attacks.
E N D
THE THE NIST NIST PQC LIGHT AT THE END OF THE TUNNEL LIGHT AT THE END OF THE TUNNEL PQC STANDARDS: STANDARDS: Dustin Moody Computer Security Division NIST
NIST CRYPTOGRAPHIC STANDARDS • NIST DEVELOPED THE FIRST ENCRYPTION STANDARDS IN 1970S Nearly all commercial laptops, cellphones, Internet routes, VPN servers, and ATMs use NIST Cryptography • DATA ENCRYPTION STANDARD (DES), PUBLISHED 1977 AS FEDERAL INFORMATION PROCESSING STANDARD (FIPS) 46 • OVER 40 YEARS, NIST CONTINUES TO EVOLVE ITS CRYPTOGRAPHIC STANDARDS • ENABLE TO RESPOND THE GROWING APPLICATION DEMAND • ENHANCE SECURITY STRENGTH TO AGAINST MORE SOPHISTICATED ATTACKS
QUANTUM ALGORITHMS • 1994 – SHOR’S ALGORITHM • A QUANTUM ALGORITHM GIVING AN EXPONENTIAL SPEED-UP OVER CLASSICAL COMPUTERS • FACTORING LARGE INTEGERS • FINDING DISCRETE LOGARITHMS • 1996 - GROVER’S ALGORITHM • POLYNOMIAL SPEED-UP IN UNSTRUCTURED SEARCH, FROM O(N ) TO O( ?)
NIST CRYPTO STANDARDS – AT A GLANCE Cryptography standards Guidelines Symmetric key based Public key based AES (FIPS 197 ) TDEA (800-67) Hash usage/security (800-107) Signature (FIPS 186) Transition (800-131A) Modes of operations (800 38A-38G) Key establishment (800-56A/B/C) Key generation (800-133) SHA-1/2 (FIPS 180) and SHA-3 (FIPS 202) Key management (800-57) Tools Randomized hash (800-106) HMAC (FIPS 198) RNG (800-90A/B/C) SHA3 derived functions (parallel hashing, KMAC, etc. (800-185) KDF (800-108, 800-135)
THE QUANTUM THREAT • NIST public-key crypto standards • SP 800-56A: Diffie-Hellman, ECDH • SP 800-56B: RSA encryption • FIPS 186: RSA, DSA, and ECDSA signatures all vulnerable to attacks from a (large-scale) quantum computer Symmetric-key crypto (AES, SHA) would also be affected, but less dramatically
WHEN WILL A QUANTUM COMPUTER BE BUILT? Source: M. Mosca, M. Piani, Quantum Threat Timeline Report, 2021 https://globalriskinstitute.org/publications/2021-quantum-threat-timeline-report//
HOW SOON DO WE NEED TO WORRY? Theorem (Mosca): If x + y > z, then problem (”Harvest now, decrypt later”) What do we do here?? y x z secret keys revealed time ? – how long data needs to be safe ? – time for standardization and adoption ? – time until quantum computers
HOW SOON SHOULD WE WORRY? ”The United States must prioritize the transition of cryptographic systems to quantum-resistant cryptography, with the goal of mitigating as much of the quantum risk as is feasible by 2035.”
THE OMB ‘MIGRATING TO PQC’ MEMO • PRIORITIZE INVENTORY OF CRYPTOGRAPHIC SYSTEMS • FOCUS ON HIGH VALUE ASSETS AND HIGH IMPACT SYSTEMS • ANNUALLY SUBMIT RESULTS TO ONCD AND CISA UNTIL 2035 • ONCD/CISA WILL RELEASE TOOLS AND PROCEDURES FOR INVENTORY • MORE SPECIFICS PROVIDED….. • ANNUAL ASSESSMENT OF FUNDING REQUIRED FOR MIGRATION • AGENCIES SHOULD HAVE ALREADY DESIGNATED A MIGRATION LEAD • OMB WILL COORDINATE GOVERNMENT-WIDE RESPONSE • TESTING PRE-STANDARDIZED PQC ALGORITHMS ENCOURAGED • NIST WILL CREATE A WORKING GROUP TO DEVELOP BEST PRACTICES ”THE UNITED STATES MUST PRIORITIZE THE TRANSITION OF CRYPTOGRAPHIC SYSTEMS TO QUANTUM-RESISTANT CRYPTOGRAPHY, WITH THE GOAL OF MITIGATING AS MUCH OF THE QUANTUM RISK AS IS FEASIBLE BY 2035.”
CNSA - COMMERCIAL NATIONAL SECURITY ALGORITHM SUITE 2.0 • IN SEPT 2022, NSA ANNOUNCED CNSA 2.0 ADVISORY TO PREPARE NATIONAL SECURITY SYSTEMS FOR THE TRANSITION TO PQC • NSA EXPECTS THE TRANSITION TO QR ALGORITHMS FOR NSS TO BE COMPLETE BY 2035 IN LINE WITH NSM-10.
THE NIST PQC “COMPETITION” • IN 2016, NIST CALLED FOR QUANTUM-RESISTANT CRYPTOGRAPHIC ALGORITHMS FOR NEW PUBLIC-KEY CRYPTO STANDARDS • DIGITAL SIGNATURES • ENCRYPTION/KEY-ESTABLISHMENT • OUR ROLE: MANAGING A PROCESS OF ACHIEVING COMMUNITY CONSENSUS IN A TRANSPARENT AND TIMELY MANNER • DIFFERENT AND MORE COMPLICATED THAN PAST AES/SHA-3 COMPETITIONS • THERE WOULD NOT BE A SINGLE “WINNER” • IDEALLY, SEVERAL ALGORITHMS WILL EMERGE AS ‘GOOD CHOICES’
SELECTION CRITERIA 1. SECURE AGAINST BOTH CLASSICAL AND QUANTUM ATTACKS Level Security Description I At least as hard to break as AES128 (exhaustive key search) II At least as hard to break as SHA256 (collision search) III At least as hard to break as AES192 (exhaustive key search) IV At least as hard to break as SHA384 (collision search) V At least as hard to break as AES256 (exhaustive key search) 2. PERFORMANCE - MEASURED ON VARIOUS "CLASSICAL" PLATFORMS 3. OTHER PROPERTIES • DROP-IN REPLACEMENTS - COMPATIBILITY WITH EXISTING PROTOCOLS AND NETWORKS • PERFECT FORWARD SECRECY • RESISTANCE TO SIDE-CHANNEL ATTACKS • SIMPLICITY AND FLEXIBILITY • MISUSE RESISTANCE, ETC…
THE FIRST THREE ROUNDS ROUND 1 (DEC ‘17 – JAN ‘18) Signatures 5 2 7 3 2 19 KEM/Encryption 21 17 2 Overall 26 19 9 3 7 64 • 69 CANDIDATES AND 278 DISTINCT SUBMITTERS Lattice-based Code-based Multi-variate Symmetric based Other Total • SUBMITTERS FROM >25 COUNTRIES, ALL 6 CONTINENTS • APR 2018, 1STNIST PQC CONFERENCE 5 45 • ALMOST 25 SCHEMES BROKEN/ATTACKED • NISTIR 8240, NIST REPORT ON THE 1STROUND Signatures 3 0 4 2 0 KEMs/Encryption 9 7 0 Total 12 7 4 2 1 Lattice-based Code-based Multi-variate Symmetric-based Other ROUND 2 (JAN ‘18 – JUL ‘20) • 26 CANDIDATES 1 • AUG 2019 – 2NDNIST PQC CONFERENCE Total 9 17 26 • 7 SCHEMES BROKEN/ATTACKED Signatures 2 0 2 2 0 KEMs/Encryption 5 3 0 0 1 Total 7 3 2 2 1 • NISTIR 8309, NIST REPORT ON THE 2NDROUND Lattice-based Code-based Multi-variate Symmetric-based Other ROUND 3 (JUL ‘20 – JUL ‘22) • 7 FINALISTS AND 8 ALTERNATES Total 6 9 15 • JUNE 2021 – 3RDNIST PQC CONFERENCE • NISTIR 8413, NIST REPORT ON THE 3RDROUND
ROUND 3 RESULTS ROUND 3 RESULTS 3rdround selection (Signatures) 3rdround selection (KEM) CRYSTALS-Kyber CRYSTALS-Dilithium, Falcon, SPHINCS+ See NISTIR 8413, Status Report on the 3rdRound of the NIST PQC Standardization Process, for the rationale on the selections 4thround candidates (all KEMs) evaluated for 18-24 months o ClassicMcEliece o BIKE o HQC o SIKE On-ramp signatures NIST issued a new call for additional signatures – preferably for signatures based on non-lattice problems
TIMELINE • The 4thNIST PQC Standardization Conference • Nov 29-Dec 1, 2022, held virtually • Draft standards for public comment will be in summer 2023 • The first PQC standards should be published in 2024
THE KEMS IN THE 4THROUND • Classic McEliece • NIST is confident in the security • Smallest ciphertexts, but largest public keys • We’d like feedback on specific use cases for Classic McEliece • BIKE • Most competitive performance of 4thround candidates • We encourage vetting of IND-CCA security • HQC • Offers strong security assurances and mature decryption failure rate analysis • Larger public keys and ciphertext sizes than BIKE • SIKE • The SIKE team acknowledges that SIKE (and SIDH) are insecure and should not be used
AN ON-RAMP FOR SIGNATURES • NIST issued a new Call for Signatures • Deadline for submission: June 1, 2023 • This will be much smaller in scope than main NIST PQC effort • The main reason for this call is to diversify our signature portfolio • These signatures will be on a different track than the candidates in the 4thround • We are most interested in a general-purpose digital signature scheme which is not based on structured lattices • We may be interested in other signature schemes targeted for certain applications. For example, a scheme with very short signatures. • The more mature the scheme, the better. • NIST will decide which (if any) of the received schemes to focus attention on No on-ramp for KEMs currently planned.
STANDARDIZATION • THE PQC STANDARDS WILL BE FIPS • EACH ALGORITHM WILL BE ITS OWN DOCUMENT • MIGHT HAVE SOME SP’S WHICH CONTAIN MORE GUIDANCE/DETAILS • ALL THE ALGORITHMS WILL BE GIVEN A STANDARDIZED NAME • SOMETHING LIKE ML-KEM (KYBER), ML-DSA (DILITHIUM), NL-DSA (FALCON) AND SLH-DSA (SPHINCS+) • SOME CHOICES NEED TO BE MADE • WHICH PARAMETER SETS TO INCLUDE • WHICH HASH FUNCTIONS, OTHER SYMMETRIC PRIMITIVES, ETC? • HOW TO ALLOW FOR ANY POTENTIAL CHANGES FROM THE ROUND 3 SPECIFICATIONS? • SUBMISSION TEAMS MAY SUBMIT SUGGESTED CHANGES • ANY CHANGES BY NIST (OR SUGGESTED BY TEAMS) WILL BE DISCUSSED PUBLICLY • PLEASE PROVIDE FEEDBACK • PQC-FORUM, EMAIL ETC
STANDARDIZATION CRYSTALS - KYBER • STRONG SECURITY AND PERFORMANCE • SIDE-CHANNEL SECURITY: • MANY RESEARCH PAPERS FINDING SIDE-CHANNEL ATTACKS OR SCA- RESISTANT IMPLEMENTATIONS • THE FO TRANSFORM NEEDS CARE • NOT BROKEN BY AI
STANDARDIZATION CRYSTALS - KYBER • WE ARE PLANNING TO STANDARDIZE BOTH KYBER-768 AND KYBER-1024 • WE ARE STILL LEANING TOWARDS INCLUDE KYBER-512 • THE RECOMMENDED DEFAULT OPTION WOULD BE KYBER-768 • NIST IS NOT PLANNING ON STANDARDIZING THE 90’S VERSION OF KYBER • SOME TOPICS DISCUSSED ON PQC-FORUM • LEAVE DOMAIN SEPARATION AS WAS SPECIFIED IN THE ROUND 3 SPEC (USE FIPS 202 FUNCTIONS WITH INTERNAL DOMAIN SEPARATION) • NIST NOTED THAT IT WILL NOT BE USING TURBOSHAKE • A TWEAK OF THE FO TRANSFORM FOR ADDITIONAL SECURITY PROPERTIES WILL BE INCORPORATED • THE LENGTH OF THE SHARED SECRET WILL BE FIXED TO 256 BITS
DILITHIUM VS FALCON: PERFORMANCE Falcon has smaller key sizes • • Falcon key/signature generation may be more difficult in constrained environments • For many applications, both would have acceptable performance
STANDARDIZATION CRYSTALS - DILITHIUM • SELECTED BASED ON ITS SECURITY, HIGH EFFICIENCY, AND RELATIVELY SIMPLE IMPLEMENTATION • WE RECOMMEND IT BE THE PRIMARY SIGNATURE ALGORITHM USED • SIDE-CHANNEL SECURITY: • MANY RESEARCH PAPERS FINDING SIDE-CHANNEL ATTACKS OR SCA- RESISTANT IMPLEMENTATIONS • THE DETERMINISTIC VERSION IS MORE VULNERABLE TO FAULT ATTACKS
STANDARDIZATION CRYSTALS - DILITHIUM • WE WILL STANDARDIZE THE PARAMETER SETS FOR DILITHIUM CORRESPONDING TO SECURITY CATEGORIES 2, 3, AND 5 • PRE-HASH VERSION ALLOWED, BUT NOT THE DEFAULT • MAKES A RANDOMIZED VERSION OF DILITHIUM THE DEFAULT • ALSO INCLUDES A DETERMINISTIC VERSION • (WE’RE NOT CONSIDERING THE AES VARIANT) • INCREASED THE LENGTHS OF A FEW SYSTEM PARAMETERS (?,?,??, ?) FOR THE HIGHER SECURITY CATEGORIES
STANDARDIZATION • SELECTED FOR ITS SMALL BANDWIDTH, FAST VERIFICATION AND SECURITY • THE IMPLEMENTATION MAY BE COMPLICATED FOR SOME APPLICATIONS • SIDE CHANNEL SECURITY: LIKELY MORE DIFFICULT TO PROTECT • GAUSSIAN SAMPLING, FLOATING POINT ARITHMETIC, CONSTANT-TIME • WE ARE PLANNING TO STANDARDIZE THE PARAMETER SETS FOR FALCON CORRESPONDING TO SECURITY CATEGORIES 1 AND 5 • THE STANDARD WILL COME AFTER THE DILITHIUM STANDARD
STANDARDIZATION SPHINCS+ • SELECTED FOR ITS SOLID SECURITY • BASED ON A DIFFERENT SET OF ASSUMPTIONS FROM LATTICES • SIDE CHANNEL SECURITY: • EASIER? DETERMINED MOSTLY BY SIDE-CHANNEL PROTECTIONS AGAINST KEYED HASH IMPLEMENTATIONS
STANDARDIZATION SPHINCS+ • PRE-HASH VERSION ALLOWED, BUT NOT THE DEFAULT • THERE ARE MANY PARAMETER SETS INCLUDED IN THE SUBMISSION • WE WILL INCLUDE PARAMETER SETS FOR SECURITY CATEGORIES 1, 3, AND 5 • NIST IS PLANNING ON CONSIDERING THE SIMPLE VERSION (NOT THE ROBUST VERSION) • NIST PLANS TO INCLUDE BOTH THE FAST AND SMALL VERSIONS • ALLOWED HASH FUNCTIONS: SHAKE AND SHA-2 • WE ARE NOT CONSIDERING SPHINCS+C • THIS WAS A TWEAKED VARIANT INTRODUCED AFTER THE 3RDROUND • NIST WILL STANDARDIZE A VERSION OF SPHINCS+ WITH A LOWER NUMBER FOR MAXSIG IN A FUTURE SPECIAL PUBLICATION
STATEFUL HASH BASED SIGNATURES FOR EARLY ADOPTION Stateful hash-based signatures from SP 800-208 are allowed for signing software/firmware updates in CNSA 2.0
STANDARDIZATION CHALLENGES • THERE WERE SEVERAL CRYPTANALYTIC RESULTS IN THE 3RD(AND 4TH) ROUNDS • ADVANCES ON THE MINRANK PROBLEM LEADING TO ATTACKS ON GEMSS AND RAINBOW • IMPROVEMENTS IN LATTICE ATTACKS • ATTACKS ON SOME PARAMETER SETS OF SPHINCS+ • SIKE/SIDH ATTACK • IP CONSIDERATIONS • NIST SIGNED LICENSE AGREEMENTS TO ALLOW FOR ROYALTY-FREE USE* OF KYBER IMPLEMENTATIONS FOLLOWING THE NIST STANDARD • DISCLAIMER: I’M NOT A LAWYER. • *ROYALTY-FREE USE IS FROM THE PARTIES IN THE AGREEMENT (CNRS, THE UNIVERSITY OF LIMOGES, THE LABORATORY XLIM, AND JINTAI DING) • ONGOING SUGGESTED CHANGES FROM ROUND 3 SPECIFICATIONS
TRANSITION AND MIGRATION • THERE HAS BEEN MUCH DISCUSSION ON HYBRID/COMPOSITE MODES • NIST SP800-56C REV. 2 ALLOWS FOR A CERTAIN HYBRID MODE A B • WE WILL WORK WITH THE COMMUNITY IN DIFFERENT STAGES OF MIGRATION TO ASSURE SECURITY ECDH PQC ECDH • NIST WILL PROVIDE TRANSITION GUIDELINES TO PQC STANDARDS PQC ECDH Z • NIST HAS PROVIDED SUCH GUIDANCE BEFORE KDF(?||?) • EXAMPLES: TRIPLE DES, SHA-1, KEYS < 112 BITS • TIMEFRAME WILL BE BASED ON RISK ASSESSMENT OF QUANTUM ATTACKS
GETTING READY FOR PQC • The National Cybersecurity Center of Excellence (NCCoE) has a project for Migration to PQC. The goals: • Align and complement NIST PQC standardization activities • Raise awareness and develop practices to ease the migration • Deliver white papers, playbooks, and demonstrable implementations for organizations o Collaboration with industry participants through CRADAs and a Community of Interest o Product developers and service providers o Standards development organizations o Service providers and major user organizations and consortia o Government organizations (such as U.S. Department of Homeland Security, Department of Defense) See Bill Newhouse’s talk later today…. o
OTHER STANDARDS ORGANIZATIONS • WE ARE AWARE THAT MANY STANDARDS ORGANIZATIONS AND EXPERT GROUPS ARE WORKING ON PQC • ASC X9 HAS DONE STUDIES AND WRITTEN WHITE PAPERS • IEEE P1363.3 HAS STANDARDIZED SOME LATTICE-BASED SCHEMES • IETF HAS STANDARDIZED STATEFUL HASH-BASED SIGNATURES LMS/XMSS AND IS CURRENTLY DOING NEW WORK GEARED TO THE PQC MIGRATION • ETSI HAS RELEASED QUANTUM-SAFE CRYPTOGRAPHY REPORTS • EU EXPERT GROUPS PQCRYPTO AND SAFECRYPTO MADE RECOMMENDATIONS AND RELEASED REPORTS • ISO/IEC JTC 1 SC27 HAD A STUDY PERIOD FOR QUANTUM-RESISTANT CRYPTOGRAPHY AND RELEASED A STANDING DOCUMENT (SD) • NIST IS INTERACTING AND COLLABORATING WITH THESE ORGANIZATIONS AND GROUPS • SOME COUNTRIES HAVE BEGUN STANDARDIZATION ACTIVITIES
WHAT CAN ORGANIZATIONS DO NOW? • PERFORM A QUANTUM RISK ASSESSMENT WITHIN YOUR ORGANIZATION • INVENTORY INFORMATION ASSETS AND THEIR CURRENT CRYPTO PROTECTION • IDENTIFY WHAT ‘X’, ‘Y’, AND ‘Z’ MIGHT BE FOR YOU – DETERMINE YOUR QUANTUM RISK • PRIORITIZE ACTIVITIES REQUIRED TO MAINTAIN AWARENESS, AND TO MIGRATE TECHNOLOGY TO QUANTUM-SAFE SOLUTIONS EVALUATE VENDOR PRODUCTS WITH QUANTUM SAFE FEATURES • • KNOW WHICH PRODUCTS ARE NOT QUANTUM SAFE • DEVELOP AN INTERNAL KNOWLEDGE BASE AMONGST IT STAFF TRACK DEVELOPMENTS IN QUANTUM COMPUTING AND QUANTUM SAFE SOLUTIONS ESTABLISH A ROADMAP TO QUANTUM READINESS FOR YOUR ORGANIZATION ASK VENDORS FOR QUANTUM SAFE FEATURES IN PROCUREMENT TEMPLATES • • • • ACT NOW – IT WILL BE LESS EXPENSIVE, LESS DISRUPTIVE, AND LESS LIKELY TO HAVE MISTAKES CAUSED BY RUSHING AND SCRAMBLING
• THE BEGINNING OF THE END IS HERE! • OR IS IT THE END OF THE BEGINNING? • NIST IS GRATEFUL FOR EVERYBODY’S EFFORTS • CHECK OUT WWW.NIST.GOV/PQCRYPTO • SIGN UP FOR THE PQC-FORUM FOR ANNOUNCEMENTS & DISCUSSION • SEND E-MAIL TO PQC-COMMENTS@NIST.GOV
![[PDF] Free Download Threat Vector By Tom Clancy & Mark Greaney](https://cdn4.slideserve.com/8072597/slide1-dt.jpg)
![[PDF] Free Download The Threat By Andrew G. McCabe](https://cdn4.slideserve.com/8194042/slide1-dt.jpg)
