An Update on Post Quantum Cryptography - Mike Brown, CTO - PowerPoint PPT Presentation



SLIDE 1

An Update on Post Quantum Cryptography

Mike Brown, CTO & Co-founder, ISARA Corporation

SLIDE 2

  • Founded | 2015
  • Headquarters | Waterloo, Ontario, Canada
  • Initial Funding from Quantum Valley Investments | $11.5M
  • Series A from Shasta Ventures | $10M
  • Canadian Government Strategic Funding (April 2019) | $5.5M
  • Full-time employees | 33 (9 PhDs)

Visionary Leadership Team: Combined 150+ years experience and extensive global business experience and networks.

Standards-based Approach: Collaboratively setting standards with ETSI, ITU-T, X9, IETF, and NIST.

Master Practitioners, Quantum-safe Experts: Specialize in quantum-safe crypto. Deep knowledge of lightweight crypto for IoT.

SLIDE 3

WHAT IS QUANTUM COMPUTING?

Major Industry Players

Quantum computing harnesses the unique properties of quantum physics to break barriers currently limiting the speed of today’s “classical” computers, as they’re now called. Quantum computing will not replace current computers; you won’t have a quantum computer smartphone in your pocket. They will, however, be able to solve very specific, hard problems that even the fastest supercomputers couldn’t solve in a reasonable amount of time today. The first real use for them will likely be in advancements in areas such as material design, pharmaceuticals, and optimizing the power grid.

SLIDE 4

THE QUANTUM RACE IS ON

SLIDE 5

POSITIVE DISRUPTIONS

  • DRUG DESIGN
  • SEARCH/BIG DATA
  • MACHINE LEARNING
  • MATERIAL DESIGN
  • OPTIMIZATION
  • CHEMICAL DISCOVERY

SLIDE 6

Timeline to Quantum

[Figure labels: NOISY QC; UNIVERSAL QC; ANALOG QC]

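SLIDE 7

The Quantum Effect on Public Key Cryptography

| Type | Algorithm | Key Strength Classic (bits) | Key Strength Quantum (bits) | Quantum Attack |
|---|---|---|---|---|
| Asymmetric | RSA 2048 | 112 | | Shor’s Algorithm |
| Asymmetric | RSA 3072 | 128 | | Shor’s Algorithm |
| Asymmetric | ECC 256 | 128 | | Shor’s Algorithm |
| Asymmetric | ECC 521 | 256 | | Shor’s Algorithm |
| Symmetric | AES 128 | 128 | 64 | Grover’s Algorithm |
| Symmetric | AES 256 | 256 | 128 | Grover’s Algorithm |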

SLIDE 8

MITIGATING AN UNPRECEDENTED THREAT

Today, data breaches occur outside of cryptography, and the costs of those breaches are growing.

A complete break of public key cryptography is unprecedented.

In our connected world, everything that protects data, authorizes or authenticates must be updated to be quantum-safe.

This magnitude of change has never been required on such a large scale.

SLIDE 9

The dawn of large-scale quantum computers

  • Microsoft = Less than 11 years
  • IBM = Less than 20 years
  • ETSI = Less than 10 years
  • NIST = Less than 11 years
  • European Commission = Sometime after 2025

By 2026, the risk becomes too high to ignore

SLIDE 10

The best time to start is now

[Timeline figure: Today; 2023; 2026 (Mosca, IQC, 2015)*; 2030 (NIST, 2016)*; 2035. Y2Q Range: Modern cryptography broken. Development 2 - 4 years. Life of an Average Vehicle = 11.5 years.]

*Mosca, Michele, Institute for Quantum Computing. 2015. “Cybersecurity in an era with quantum computers: will we be ready?”. https://eprint.iacr.org/2015/1075.pdf
*NIST. April 2016. “Report on Post-Quantum Cryptography”. http://dx.doi.org/10.6028/NIST.IR.8105
*https://www.popsci.com/environment/article/2009-06/next-grid

Durable Connected Devices | Long-term Data Confidentiality | PKI Migrations

7+ year confidentiality obligation at risk

How many years does the connected device need to be secured for?

If 7+ years, you need to start preparing today

How long does the information need to remain confidential?

If 7+ years, you need to start preparing today

Does the device require strong security?

  • PKI and digital certificates
  • Hardware security modules (HSMs)
  • Physically embedded roots of trust

SLIDE 11

TWO PATHS TO QUANTUM-SAFE SECURITY

Quantum Key Distribution | Quantum-Safe Cryptography

SLIDE 12

THE “NEW” MATH

  • Hash-based
  • Isogeny-based
  • Multivariate-based
  • Code-based
  • Lattice-based

[Figure legend: Ready to Use Today; Undergoing NIST Evaluation]

SLIDE 13

THE MIGRATION CHALLENGE

KEY ESTABLISHMENT VS. AUTHENTICATION

Key establishment can be easily upgraded because the client and server negotiate which algorithm to use.

1) Use quantum-safe key transport or key agreement algorithms
2) Use hybrid keys, a mix of both classic and quantum-safe algorithms

The complexity and interconnectivity of public key infrastructure demand action today in order to be ready for the quantum age, and this is difficult to do while maintaining backward compatibility.

SLIDE 14

DoD PKI MIGRATION EXAMPLE

There are more than 4.5 million active users in the DoD identity management system.

Creating a quantum-safe duplicate infrastructure is time-consuming and cost prohibitive.

SLIDE 15

Bridging the Gap Using Crypto-Agility

[Diagram labels: Today; ?; Quantum-safe Cryptography; Current Public Key Cryptography; Crypto-Agility; Hybrid-Crypto (Current + Quantum-Safe)]

SLIDE 16

HYBRID PKI & PHASED MIGRATION

[Diagram labels: Root CA; IA1; IA2; IA3; Upgrade High-Value Assets]

  • Hybrid Root certificates can be created today and embedded into systems today
  • Stateful hash-based signatures are perfectly suited for certificate signing and are ready to be used today
  • Code signing end systems can also be upgraded today
  • Communication systems are ready to be upgraded to use hybrid algorithms or leading NIST candidates

SLIDE 17

PKI MIGRATION APPROACHES

Duplicate Infrastructure

One identity with quantum-safe certificate

One identity with hybrid certificate

One identity with current certificate

Legacy | Upgraded | Legacy | Upgraded

Hybrid Infrastructure

Upgraded | Legacy

SLIDE 18

Hybrid and Standards

  • ITU-T
    • A contribution submitted by ISARA Corporation (Canada) was approved that proposes the inclusion of optional support for multiple public-key algorithms in Recommendation ITU-T X.509 | ISO/IEC 9594-8
  • IETF
    • Two proposals
      • “Composite” – IETF draft Composite Public Keys and Signatures (draft-pala-composite-crypto)
      • “Catalyst” - IETF draft Multiple Public-Key Algorithm X.509 Certificates (draft-truskovsky-lamps-pq-hybrid-x509)
    • Both expired

SLIDE 19

HIGH RISK: Authenticated Software Over-The-Air (OTA) Updates

What’s at risk? Durable connected devices (IoT) with long in-field lives

What’s The Attack: Forged software updates by quantum-enabled adversaries

What’s Affected: Digital Signatures, Code Signing, Embedded Roots of Trust

Protection: Physically embed stateful hash-based roots of trust today

SLIDE 20

Hash-Based Cryptography 101

  • Introduced by Merkle in 1979
  • “One-Time Signatures”
  • Small public key but very large private key
  • Fast signing & verifying
  • Stateful
  • Candidates:
  • Leighton-Micali Signatures (LMS)
  • eXtended Merkle Signature Scheme (XMSS)
  • SPHINCS

[Figure: Merkle tree, Tree Height = 3. Signing Keys X1 to X8 and Verification Keys Y1 to Y8 feed the leaf nodes A3,1 to A3,8; above them are nodes A2,1 to A2,4, then the A1 nodes, and the root A0, which is the Public Key.]

SLIDE 21

NIST on Stateful Hash-based Signatures (HBS)

1. HBS schemes are good candidates for early standardization because they’re trusted, mature, and well understood
2. NIST is actively reviewing XMSS and LMS (HSS) for early approval outside their Post-Quantum Cryptography Standardization Process
3. Under consideration for specific use-cases, such as code-signing
4. The security of an HBS scheme relies on the same basis as many current NIST-approved cryptographic algorithms and protocols, and no known quantum algorithms pose a practical threat

https://csrc.nist.gov/Projects/Stateful-Hash-Based-Signatures

SLIDE 22

Stateful HBS Operational Implications

1. Running out of keys: The private key of a stateful HBS scheme is an “exhaustible” resource, so careful planning is required
2. Growing signatures: Signature size grows as the size of the private key grows
3. New implementation considerations: Private key splitting and state management is not something the industry has had to deal with before
4. Special considerations for high-value roots: For extremely high-value root keys that don’t produce many signatures during their validity a manual process for state management may be required
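
Added example (not from the presentation or from ISARA): a toy Merkle signature scheme over Lamport one-time keys, with tree height 3 as in the slide 20 figure, showing the signer state, key exhaustion and authentication path discussed on slides 20 and 22. It is not LMS or XMSS; `MerkleSigner`, `verify`, the seed-based key derivation and the choice of SHA-256 are assumptions made for illustration.

```python
import hashlib
import os

def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def bits(msg):
    d = H(msg)  # sign the 256-bit digest, one Lamport key pair per bit
    return [(d[k // 8] >> (7 - k % 8)) & 1 for k in range(256)]

class MerkleSigner:
    def __init__(self, height=3, seed=None):  # toy limit: height <= 8
        self.seed = seed or os.urandom(32)
        self.next_index = 0  # the state: persist it before a signature leaves the signer
        row = [H(*self._ots_pub(i)) for i in range(1 << height)]  # leaves A3,1..A3,8
        self.levels = [row]
        while len(row) > 1:
            row = [H(row[j], row[j + 1]) for j in range(0, len(row), 2)]
            self.levels.append(row)
        self.public_key = row[0]  # root A0

    def _ots_sec(self, i):  # 256 secret pairs for one-time key i, derived from the seed
        return [H(self.seed, bytes([i, k, b])) for k in range(256) for b in (0, 1)]

    def _ots_pub(self, i):
        return [H(s) for s in self._ots_sec(i)]

    def sign(self, msg):
        i = self.next_index
        if i >= len(self.levels[0]):
            raise RuntimeError("private key exhausted: every one-time key has been used")
        self.next_index += 1  # advance first, so index i can never sign twice
        sec, pub = self._ots_sec(i), self._ots_pub(i)
        reveal = [sec[2 * k + b] for k, b in enumerate(bits(msg))]
        other = [pub[2 * k + 1 - b] for k, b in enumerate(bits(msg))]
        path = [self.levels[lvl][(i >> lvl) ^ 1] for lvl in range(len(self.levels) - 1)]
        return i, reveal, other, path

def verify(public_key, msg, sig):
    i, reveal, other, path = sig
    pub = []
    for b, r, o in zip(bits(msg), reveal, other):
        pub += [H(r), o] if b == 0 else [o, H(r)]  # rebuild the one-time public key
    node = H(*pub)
    for sibling in path:  # climb the authentication path to the root
        node = H(node, sibling) if i % 2 == 0 else H(sibling, node)
        i //= 2
    return node == public_key
```

The authentication path has one hash per tree level, so a taller tree (more available signatures) means a longer signature, and restoring `next_index` from an old backup would reuse a one-time key.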


SLIDE 23

Global Standards Focus

SLIDE 24

NIST Standardization Update

  • 17 KEM Candidates
  • BIKE
  • Classic McEliece
  • Kyber
  • Frodo
  • HQC
  • LAC
  • LEDAcrypt
  • NewHope
  • NTRU
  • NTRU Prime
  • NTS-KEM
  • ROLLO
  • Round5
  • RQC
  • SABER
  • SIKE
  • Three Bears
  • 9 Signature Candidates
  • Dilithium
  • Falcon
  • GeMSS
  • LUOV
  • MQDSS
  • Picnic
  • qTESLA
  • Rainbow
  • SPHINCS+

SLIDE 25

NIST Standardization Update

  • Timelines
  • Round 2 ends June 2020
  • Round 3 begins after with reduced list
  • Final standards 2022-2024(ish)
  • Potential additional algorithms standardized post Round 3
  • Request more merging
  • Hybrid modes of operation
  • Complexity of implementation

SLIDE 26

We leverage decades of real-world cybersecurity expertise to protect today’s computing ecosystems in the quantum age using practical, standardized technologies for a seamless migration.

CLEARING THE PATH TO QUANTUM-SAFE SECURITY

www.isara.com
quantumsafe@isara.com