
Introduction to post-quantum cryptography and learning with errors
Douglas Stebila
Summer School on real-world crypto and privacy, Šibenik, Croatia, June 11, 2018
Funding acknowledgements:


Stebila • Intro to PQ crypto & LWE Summer school on real-world crypto & privacy • 2018-06-11

Slide 25: Search-decision equivalence
• Easy fact: If the search LWE problem is easy, then the decision LWE problem is easy.
• Fact: If the decision LWE problem is easy, then the search LWE problem is easy.
  • Requires calls to the decision oracle.
  • Intuition: test each value for the first component of the secret, then move on to the next one, and so on. [Regev STOC 2005]
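The following is an added worked example of the decision-to-search step sketched on this slide; it is example code written for this page, not code from the slides or from Regev's paper. The parameters (q = 17, n = 2, errors in {-1, 0, 1}, 12 samples) are constructed toy values, and the decision oracle is simulated by brute force, which is only affordable because there are just q^n = 289 candidate secrets. The reduction itself only ever calls the oracle: for each coordinate it tries every guess g, rerandomises the samples so that a wrong guess turns them uniform, and keeps the guess the oracle accepts.

```python
import random

# Toy LWE parameters, constructed for illustration only: with q^n = 289 possible
# secrets the "oracle" below can afford to brute-force, which no real-size
# instance allows.
Q = 17          # prime, so r*(g - s_i) mod q is uniform whenever g != s_i
N = 2           # secret dimension
ERR_BOUND = 1   # errors are uniform in {-1, 0, 1}
SAMPLES = 12    # enough that a uniformly random instance almost never fits any secret


def centered_abs(v):
    """|v| with v taken in the centred range (-q/2, q/2]."""
    v %= Q
    return abs(v - Q) if v > Q // 2 else v


def lwe_samples(rng, secret):
    """(a, b = <a, s> + e mod q) samples for the given secret."""
    out = []
    for _ in range(SAMPLES):
        a = [rng.randrange(Q) for _ in range(N)]
        e = rng.randint(-ERR_BOUND, ERR_BOUND)
        out.append((a, (sum(x * y for x, y in zip(a, secret)) + e) % Q))
    return out


def uniform_samples(seed):
    """Samples with b uniform and independent of a (the non-LWE distribution)."""
    rng = random.Random(seed)
    return [([rng.randrange(Q) for _ in range(N)], rng.randrange(Q)) for _ in range(SAMPLES)]


def decision_oracle(samples):
    """Decision-LWE oracle for the toy parameters: accept iff some secret in
    Z_q^n explains every sample with an error of size at most ERR_BOUND."""
    for idx in range(Q ** N):
        cand = [(idx // Q ** i) % Q for i in range(N)]
        if all(centered_abs(b - sum(x * y for x, y in zip(a, cand))) <= ERR_BOUND
               for a, b in samples):
            return True
    return False


def search_from_decision(samples, rng):
    """Regev's search-from-decision reduction, coordinate by coordinate.
    For coordinate i and guess g, each sample (a, b) is rerandomised to
    (a + r*e_i, b + r*g) with a fresh uniform r: if g == s_i the error is
    unchanged and the oracle still sees LWE samples, otherwise b has been
    shifted by the uniform value r*(g - s_i) and the samples look random."""
    secret = []
    for i in range(N):
        for g in range(Q):
            shifted = []
            for a, b in samples:
                r = rng.randrange(Q)
                a2 = list(a)
                a2[i] = (a2[i] + r) % Q
                shifted.append((a2, (b + r * g) % Q))
            if decision_oracle(shifted):
                secret.append(g)
                break
        else:
            raise ValueError("decision oracle accepted no guess for coordinate %d" % i)
    return secret


def demo(seed=1):
    """Returns (true secret, secret recovered through the decision oracle)."""
    rng = random.Random(seed)
    secret = [rng.randrange(Q) for _ in range(N)]
    return secret, search_from_decision(lwe_samples(rng, secret), rng)
```

The reduction makes at most n·q oracle calls, which is the "requires calls to the decision oracle" cost on the slide; note that it never looks inside the oracle, so the same code would work with any genuine distinguisher in place of the brute-force stand-in.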

Slide 26: Choice of error distribution
• Usually a discrete Gaussian distribution of width for error rate
• Define the Gaussian function
• The continuous Gaussian distribution has probability density function

Slide 27: Short secrets
• The secret distribution was originally taken to be the uniform distribution.
• Short secrets: use
• There's a tight reduction showing that LWE with short secrets is hard if LWE with uniform secrets is hard. [Applebaum et al., CRYPTO 2009]

Slide 28: Toy example versus real-world example
Toy example: a 7 × 4 matrix over Z_13 with rows
4 1 11 10
5 5 9 5
3 9 0 10
1 3 3 2
12 7 3 4
6 5 11 4
3 3 5 0
Real-world example: a 640 × 8 matrix with 15-bit entries (first entries 2738 3842 3345 2979 … / 2896 595 3607 … / 377 1575 … / 2760 …); 640 × 8 × 15 bits = 9.4 KiB.

Slide 29: Ring learning with errors problem
Random first row: 4 1 11 10. Each row is the cyclic shift of the row above:
4 1 11 10
10 4 1 11
11 10 4 1
1 11 10 4
4 1 11 10
10 4 1 11
11 10 4 1

Slide 30: Ring learning with errors problem
Random first row: 4 1 11 10. Each row is the cyclic shift of the row above … with a special wrapping rule: x wraps to –x mod 13.
4 1 11 10
3 4 1 11
2 3 4 1
12 2 3 4
9 12 2 3
10 9 12 2
11 10 9 12

Slide 31: Ring learning with errors problem
Random first row: 4 1 11 10. Each row is the cyclic shift of the row above … with a special wrapping rule: x wraps to –x mod 13. So I only need to tell you the first row.

Slide 32: Ring learning with errors problem
   (4 + 1x + 11x^2 + 10x^3)   random
 × (6 + 9x + 11x^2 + 11x^3)   secret
 + (0 – 1x + 1x^2 + 1x^3)     small noise
 = 10 + 5x + 10x^2 + 7x^3
(all coefficients mod 13)

Slide 33: Ring learning with errors problem
   (4 + 1x + 11x^2 + 10x^3)   random
 × (secret, hidden)
 + (small noise, hidden)
 = 10 + 5x + 10x^2 + 7x^3
Search ring-LWE problem: given blue (the random polynomial and the result), find red (the secret).

Slide 34: Search ring-LWE problem [Lyubashevsky, Peikert, Regev; EUROCRYPT 2010, JACM 2013]

Slide 35: Decision ring-LWE problem

Slide 36: Module learning with errors problem
A 5 × 4 matrix of ring elements (random)
p_11 p_12 p_13 p_14
p_21 p_22 p_23 p_24
p_31 p_32 p_33 p_34
p_41 p_42 p_43 p_44
p_51 p_52 p_53 p_54
× secret + small noise = result.
Search Module-LWE problem: given blue (the matrix and the result), find red (the secret). [Langlois & Stehlé, https://eprint.iacr.org/2012/090, DCC 2015]

Slide 37: Ring-LWE versus Module-LWE
Ring-LWE: one negacyclic block
4 1 11 10
3 4 1 11
2 3 4 1
12 2 3 4
9 12 2 3
10 9 12 2
11 10 9 12
Module-LWE: a matrix of such blocks. Figure from https://eprint.iacr.org/2012/090.pdf

Slide 38: Learning with rounding problem
random (7 × 4)   ×  secret  =  rounded result (7 × 2)
4 1 11 10                       4 1
5 5 9 5                         7 2
3 9 0 10                        2 0
1 3 3 2                         11 3
12 7 3 4                        5 1
6 5 11 4                        12 4
3 3 5 0                         8 2
Search LWR problem: given blue (the random matrix and the rounded result), find red (the secret). [Banerjee, Peikert, Rosen EUROCRYPT 2012]

Slide 39: LWE versus LWR
LWE:
• Noise comes from adding an explicit (Gaussian) error term.
LWR:
• Noise comes from rounding to a smaller interval.
• Shown to be as hard as LWE when the modulus/error ratio satisfies certain bounds. https://eprint.iacr.org/2013/098, https://eprint.iacr.org/2015/769.pdf

Slide 40: NTRU problem [Hoffstein, Pipher, Silverman ANTS 1998]

Slide 41: Problems
• Learning with errors (search or decision; with uniform secrets or with short secrets)
• Module-LWE
• Ring-LWE
• Learning with rounding
• NTRU problem

Slide 42: Public key encryption from LWE

Slide 43: Public key encryption from LWE
Key generation: b = A s + e
Secret key: s. Public key: (A, b). [Lindner, Peikert. CT-RSA 2011]

Slide 44: Public key encryption from LWE
Encryption (using the receiver's public key (A, b)):
b' = s' A + e'
v' = s' b + e''          (shared secret mask)
c = v' + (q/2) · m
Ciphertext: (b', c). [Lindner, Peikert. CT-RSA 2011]

Slide 45: Public key encryption from LWE
Decryption (using the secret key s) of the ciphertext (b', c):
v = b' s                  (almost the same shared secret mask as the sender used)
c – v ≈ (q/2) · m
m = round((c – v) / (q/2)) [Lindner, Peikert. CT-RSA 2011]

Slide 46: Approximately equal shared secret
The sender uses:
v' = s' (A s + e) + e'' = s' A s + (s' e + e'') ≈ s' A s
The receiver uses:
v = (s' A + e') s = s' A s + (e' s) ≈ s' A s
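A worked toy implementation of the key generation, encryption and decryption of slides 43 to 46, added here as example code (it is not the scheme's reference code). The modulus, dimensions and the uniform "small" distribution standing in for a Gaussian are constructed choices; they are picked so that the noise term s'e + e'' − e's in the difference c − v is bounded by 2·n·BOUND² + BOUND = 66, well below q/4 = 1024, which is exactly the correctness condition of slide 50: rounding (c − v) to the nearest multiple of q/2 then always recovers m.

```python
import random

# Toy parameters (constructed); real schemes use n in the hundreds and a
# carefully chosen error distribution. q is a power of two so that q/2 and the
# rounding thresholds are exact integers.
Q = 2 ** 12
N = 8            # dimension of A (n x n, as on the slides)
K = 4            # columns of the secret: the scheme then encrypts a K x K block of bits
BOUND = 2        # "small" entries are uniform in [-BOUND, BOUND] (stand-in for a Gaussian)


def matmul(X, Y, q):
    """Matrix product with entries reduced modulo q."""
    return [[sum(X[i][l] * Y[l][j] for l in range(len(Y))) % q
             for j in range(len(Y[0]))] for i in range(len(X))]


def matadd(X, Y, q):
    return [[(x + y) % q for x, y in zip(rx, ry)] for rx, ry in zip(X, Y)]


def small(rng, rows, cols):
    return [[rng.randint(-BOUND, BOUND) for _ in range(cols)] for _ in range(rows)]


def keygen(rng):
    """Secret key S; public key (A, B = A S + E)  (slide 43)."""
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(N)]
    S, E = small(rng, N, K), small(rng, N, K)
    B = matadd(matmul(A, S, Q), E, Q)
    return S, (A, B)


def encrypt(rng, pk, bits):
    """bits is a K x K matrix of 0/1 values (slide 44):
    B' = S'A + E',  V' = S'B + E''  (the mask),  C = V' + (q/2) * bits."""
    A, B = pk
    S2, E2, E3 = small(rng, K, N), small(rng, K, N), small(rng, K, K)
    B2 = matadd(matmul(S2, A, Q), E2, Q)
    V2 = matadd(matmul(S2, B, Q), E3, Q)        # sender's mask: S'AS + (S'E + E'')
    C = [[(v + (Q // 2) * m) % Q for v, m in zip(rv, rm)] for rv, rm in zip(V2, bits)]
    return B2, C


def decrypt(sk, ct):
    """Recompute the receiver's mask V = B'S = S'AS + E'S (slide 45), subtract
    it from C and round to the nearest multiple of q/2: the leftover
    S'E + E'' - E'S is far smaller than q/4, so the rounding is exact."""
    B2, C = ct
    V = matmul(B2, sk, Q)
    out = []
    for rc, rv in zip(C, V):
        row = []
        for c, v in zip(rc, rv):
            d = (c - v) % Q                     # = (q/2)*m + small error, mod q
            row.append(1 if Q // 4 <= d < 3 * Q // 4 else 0)
        out.append(row)
    return out


def roundtrip(seed, bits):
    """Encrypt and decrypt a K x K bit block under a fresh key pair."""
    rng = random.Random(seed)
    sk, pk = keygen(rng)
    return decrypt(sk, encrypt(rng, pk, bits))
```

Using a K-column secret rather than a vector is the same trick FrodoKEM uses to carry many bits per ciphertext; with K = 1 the code collapses to the vector form written on the slides.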

Slide 47: Regev's public key encryption scheme [Regev; STOC 2005]

Slide 48: Encode/decode [Regev; STOC 2005]

Slide 49: Lindner–Peikert public key encryption [Lindner, Peikert; CT-RSA 2011]

Slide 50: Correctness

Slide 51: Difference between Regev and Lindner–Peikert

Slide 52: IND-CPA security of Lindner–Peikert
Indistinguishable against chosen plaintext attacks [Lindner, Peikert; CT-RSA 2011]

Slide 53: IND-CPA security of Lindner–Peikert
Proof sketch as a sequence of games: → Decision-LWE → → Rewrite → [Lindner, Peikert; CT-RSA 2011]

Slide 54: IND-CPA security of Lindner–Peikert
Proof sketch as a sequence of games: → Decision-LWE → → Rewrite → final game is independent of the hidden bit. [Lindner, Peikert; CT-RSA 2011]

Slide 55: Lattice-based KEM/PKEs submitted to NIST
• BabyBear, MamaBear, PapaBear (ILWE)
• CRYSTALS-Kyber (MLWE)
• Ding Key Exchange (RLWE)
• Emblem (LWE, RLWE)
• FrodoKEM (LWE)
• HILA5 (RLWE)
• KCL (MLWE, RLWE)
• KINDI (MLWE)
• LAC (PLWE)
• LIMA (RLWE)
• Lizard (LWE, LWR, RLWE, RLWR)
• Lotus (LWE)
• NewHope (RLWE)
• NTRU Prime (RLWR)
• NTRU HRSS (NTRU)
• NTRUEncrypt (NTRU)
• Round2 (RLWR, LWR)
• Saber (MLWR)
• Titanium (PLWE)
https://estimate-all-the-lwe-ntru-schemes.github.io/docs/

Slide 56: Security of LWE-based cryptography: "Lattice-based"

Slide 57: Hardness of decision LWE – "lattice-based"
worst-case gap shortest vector problem (GapSVP) → (poly-time reduction) → average-case decision LWE [Regev05, BLPRS13]

Slide 58: Lattices

Slide 59: Lattices
Discrete additive subgroup of R^n. Equivalently, integer linear combinations of a basis. Diagram from http://www.cs.bris.ac.uk/pgrad/csjhvdp/files/bkz.pdf

Slide 60: Lattices
There are many bases for the same lattice – some short and orthogonal-ish, some long and acute. Diagram from http://www.cs.bris.ac.uk/pgrad/csjhvdp/files/bkz.pdf

Slide 61: Closest vector problem
Given some basis for the lattice and a target point in the space, find the closest lattice point. Diagram from http://www.cs.bris.ac.uk/pgrad/csjhvdp/files/bkz.pdf

Slide 62: Shortest vector problem
Given some basis for the lattice, find the shortest non-zero lattice point. Diagram from http://www.cs.bris.ac.uk/pgrad/csjhvdp/files/bkz.pdf

Slide 63: Shortest vector problem

Slide 64: Regev's iterative reduction [Regev; STOC 2005]

Slide 65: Finding short vectors in lattices
LLL basis reduction algorithm:
• Finds a basis close to Gram–Schmidt.
• Polynomial runtime (in dimension), but basis quality (shortness/orthogonality) is poor.
Block Korkine Zolotarev (BKZ) algorithm:
• Trade-off between runtime and basis quality.
• In practice the best algorithm for cryptographically relevant scenarios.

Slide 66: Solving the (approximate) shortest vector problem

Slide 67: Picking parameters
• Estimate parameters based on the runtime of lattice reduction algorithms.
• Based on reductions:
  • Calculate the required runtime for GapSVP or SVP based on the tightness gaps and constraints in each reduction.
  • Pick parameters based on the best known GapSVP or SVP solvers or known lower bounds.
  • Reductions are typically non-tight (e.g., n^13); this would lead to very large parameters.
• Based on cryptanalysis:
  • Ignore tightness in reductions.
  • Pick parameters based on the best known LWE solvers relying on lattice solvers.

Slide 68: KEMs and key agreement from LWE

Slide 69: Key encapsulation mechanisms (KEMs)

Slide 70: Key exchange protocols
• A key exchange protocol is an interactive protocol carried out between two parties.
• The goal of the protocol is to output a session key that is indistinguishable from random.
• In authenticated key exchange protocols, the adversary can be active and controls all communications between parties; the parties are assumed to have authentically distributed trusted long-term keys out of band prior to the protocol.
• In unauthenticated key exchange protocols, the adversary can be passive and only obtains transcripts of communications between honest parties.
• IND-CPA KEMs can be viewed as a two-flow unauthenticated key exchange protocol.

Slide 71: Basic LWE key agreement (unauthenticated)
Based on the Lindner–Peikert LWE public key encryption scheme.
public: "big" A in Z_q^(n × m)
Alice: secret: random "small" s, e in Z_q^m; sends b = A s + e
Bob: secret: random "small" s', e' in Z_q^n; sends b' = s' A + e'
Alice's shared secret: b' s = s' A s + e' s ≈ s' A s
Bob's shared secret: s' b ≈ s' A s
These are only approximately equal ⇒ need rounding.

Slide 72: Rounding & reconciliation
• Each coefficient of the polynomial is an integer modulo q.
• Treat each coefficient independently.
• Send a "reconciliation signal" to help with rounding.
• Techniques by Ding [Din12] and Peikert [Pei14]. [Ding; eprint 2012] [Peikert; PQCrypto 2014]

Slide 73: Basic rounding
• Round either to 0 or q/2 (values near 0, i.e. between 3q/4 and q/4, round to 0; values near q/2, i.e. between q/4 and 3q/4, round to 1).
• Treat q/2 as 1.
• This works most of the time: prob. failure 2^-10.
• Not good enough: we need exact key agreement.

Slide 74: Rounding and reconciliation (Peikert)
Bob says which of two regions the value is in. The circle of values mod q (marked 0, q/4, q/2, 3q/4) is split into two region classes; depending on Bob's signal, Alice rounds her own value to 0 or to 1 using a shifted set of rounding boundaries. [Peikert; PQCrypto 2014]

Slide 75: Rounding and reconciliation (Peikert)
• If |alice – bob| ≤ q/8, then this always works.
• Security not affected: revealing which of the two regions the value lies in leaks no information. [Peikert; PQCrypto 2014]

Slide 76: Exact LWE key agreement (unauthenticated)
public: "big" A in Z_q^(n × m)
Alice: secret: random "small" s, e in Z_q^m; sends b = A s + e
Bob: secret: random "small" s', e' in Z_q^n; sends b' = s' A + e', together with the reconciliation signal
Alice's shared secret: round(b' s)
Bob's shared secret: round(s' b)

Slide 77: Exact ring-LWE key agreement (unauthenticated)
public: "big" a in R_q = Z_q[x] / (x^n + 1)
Alice: secret: random "small" s, e in R_q; sends b = a · s + e
Bob: secret: random "small" s', e' in R_q; sends b' = a · s' + e', together with the reconciliation signal
Alice's shared secret: round(s · b')
Bob's shared secret: round(b · s')
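An added example, written for this page rather than taken from the slides or from Peikert's paper, that ties together two earlier passages: the negacyclic matrix of slides 29 to 32 (checked against the slide's own numbers mod 13, including the sample 10 + 5x + 10x^2 + 7x^3 of slide 32) and the exact ring-LWE key agreement of slides 73 to 77 with Peikert-style reconciliation. Q, N and BOUND are constructed toy values; Q is a power of two so that the reconciliation arcs of length q/2 and the tolerance q/8 are whole numbers, and q/8 = 512 exceeds the largest possible coefficient of e·s' − s·e' (2·N·BOUND² = 64), which is why the two keys always agree.

```python
import random

# Toy parameters for the key agreement (constructed): q must be divisible by 8
# for the reconciliation below, and q/8 = 512 exceeds the largest possible
# noise difference 2 * N * BOUND^2 = 64, so the two keys always agree.
Q = 2 ** 12
N = 8
BOUND = 2


def negacyclic_matrix(a, q):
    """Each row is the cyclic shift of the row above, with the wrapped-around
    coefficient negated mod q (the rule on slide 30: x wraps to -x mod 13).
    Row i is the coefficient vector of a * x^i mod (x^n + 1)."""
    rows, row = [], list(a)
    for _ in range(len(a)):
        rows.append(row)
        row = [(-row[-1]) % q] + row[:-1]
    return rows


def poly_mul_mod(a, s, q):
    """Schoolbook product in Z_q[x] / (x^n + 1), reducing with x^n = -1."""
    n = len(a)
    out = [0] * n
    for i, ai in enumerate(a):
        for j, sj in enumerate(s):
            if i + j < n:
                out[i + j] = (out[i + j] + ai * sj) % q
            else:
                out[i + j - n] = (out[i + j - n] - ai * sj) % q
    return out


def vec_mat(v, M, q):
    """Row vector times matrix mod q; since row i of negacyclic_matrix(a, q) is
    a * x^i, the product s * M is the polynomial product a * s."""
    return [sum(vi * M[i][j] for i, vi in enumerate(v)) % q for j in range(len(M[0]))]


def ring_lwe_sample(a, s, e, q):
    """b = a * s + e, the ring-LWE sample of slide 32."""
    return [(x + y) % q for x, y in zip(poly_mul_mod(a, s, q), e)]


def cross_round(v, q):
    """Reconciliation signal: 0 if v lies in [0, q/4) or [q/2, 3q/4), else 1."""
    return (4 * v // q) % 2


def mod_round(v, q):
    """Key bit: 0 if v in [0, q) is closer to 0 than to q/2, else 1."""
    return ((4 * v + q) // (2 * q)) % 2


def rec(w, signal, q):
    """Given the peer's signal and a value w within q/8 of the peer's value,
    recover the peer's key bit: the bit is 0 exactly when w lies on the arc
    of length q/2 starting at -q/8 (signal 0) or at 5q/8 (signal 1)."""
    start = -(q // 8) if signal == 0 else 5 * q // 8
    return 0 if (w - start) % q < q // 2 else 1


def small_poly(rng):
    return [rng.randint(-BOUND, BOUND) for _ in range(N)]


def ring_key_agreement(seed):
    """Unauthenticated exact ring-LWE key agreement (slide 77); returns
    (Alice's key bits, Bob's key bits)."""
    rng = random.Random(seed)
    a = [rng.randrange(Q) for _ in range(N)]          # public "big" a
    s, e = small_poly(rng), small_poly(rng)           # Alice's secrets
    b = ring_lwe_sample(a, s, e, Q)                   # Alice -> Bob
    s2, e2 = small_poly(rng), small_poly(rng)         # Bob's secrets
    b2 = ring_lwe_sample(a, s2, e2, Q)                # Bob -> Alice ...
    v = poly_mul_mod(b, s2, Q)                        # Bob: a s s' + e s'
    signal = [cross_round(x, Q) for x in v]           # ... together with the signal
    bob_key = [mod_round(x, Q) for x in v]
    w = poly_mul_mod(s, b2, Q)                        # Alice: a s s' + s e'
    alice_key = [rec(x, c, Q) for x, c in zip(w, signal)]
    return alice_key, bob_key
```

The exhaustive check over every value v and every offset d with |d| ≤ q/8 (run in the test for q = 64) is the statement of slide 75: the signal plus a value within q/8 of Bob's always reproduces Bob's rounded bit, while the signal itself says nothing about the bit, because each region class contains values that round to 0 and values that round to 1 in equal measure.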

Slide 78: Public key validation
• No public key validation possible for basic LWE/ring-LWE public keys.
• Key reuse in LWE/ring-LWE leads to real attacks following from search-decision equivalence.
  • Comment in [Peikert, PQCrypto 2014]
  • Attack described in [Fluhrer, Eprint 2016]
• Need to ensure usage is okay with just passive security (IND-CPA).
• Or construct actively secure (IND-CCA) KEM/PKE/AKE using the Fujisaki–Okamoto transform or a quantum-resistant variant. [Targhi–Unruh, TCC 2016] [Hofheinz et al., Eprint 2017]

Slide 79: An example: FrodoKEM
• KEM: Key encapsulation mechanism (simplified key exchange protocol)
• Builds on basic (IND-CPA) LWE public key encryption
• Achieves IND-CCA security against adaptive adversaries
  • By applying a quantum-resistant variant of the Fujisaki–Okamoto transform
• Simple design:
  • Free modular arithmetic (q = 2^16)
  • Simple Gaussian sampling
  • Parallelizable matrix-vector operations
  • No reconciliation
  • Simple to code
  • Negligible error rate
[Bos, Costello, Ducas, Mironov, Naehrig, Nikolaenko, Raghunathan, Stebila. ACM CCS 2016] [Alkim, Bos, Ducas, Easterbrook, LaMacchia, Longa, Mironov, Naehrig, Nikolaenko, Peikert, Raghunathan, Stebila. FrodoKEM NIST Submission, 2017]

Slide 80: FrodoKEM construction
IND-CPA secure FrodoPKE: FrodoPKE.KeyGen (basic LWE public key; pseudorandom A to save space), FrodoPKE.Enc, FrodoPKE.Dec

Slide 81: FrodoKEM construction
IND-CPA secure FrodoPKE: FrodoPKE.KeyGen, FrodoPKE.Enc, FrodoPKE.Dec
Key transport using public key encryption: basic LWE ciphertext carrying the shared secret


Slide 83: FrodoKEM construction
IND-CPA secure FrodoPKE (FrodoPKE.KeyGen, FrodoPKE.Enc, FrodoPKE.Dec) → Targhi–Unruh Quantum Fujisaki–Okamoto (QFO) transform → IND-CCA secure FrodoKEM (FrodoKEM.KeyGen, FrodoKEM.Encaps, FrodoKEM.Decaps)
The transform adds well-formedness checks, an extra hash value and implicit rejection, and requires a negligible error rate.

Slide 84: FrodoKEM parameters

                         FrodoKEM-640                  FrodoKEM-976
Dimension n              640                           976
Modulus q                2^15                          2^16
Error distribution       Approx. Gaussian              Approx. Gaussian
                         [-11, ..., 11], σ = 2.75      [-10, ..., 10], σ = 2.3
Failure probability      2^-148                        2^-199
Ciphertext size          9,736 bytes                   15,768 bytes
Estimated security       2^143 classical               2^209 classical
(cryptanalytic)          2^103 quantum                 2^150 quantum
Runtime                  1.1 msec                      2.1 msec

Slide 85: Other applications of LWE

Slide 86: Fully homomorphic encryption from LWE [Brakerski, Vaikuntanathan; FOCS 2011]


Slide 89: Fully homomorphic encryption from LWE
• Error conditions mean that the number of additions and multiplications is limited.
• Multiplication increases the dimension (exponentially), so the number of multiplications is again limited.
• There are techniques to resolve both of these issues.
  • Key switching allows converting the dimension of a ciphertext.
  • Modulus switching and bootstrapping are used to deal with the error rate.

Slide 90: Digital signatures [Lyubashevsky 2011]; "Rejection sampling" [Lyubashevsky; Eurocrypt 2012]

Slide 91: Lattice-based signature schemes submitted to NIST
• CRYSTALS-Dilithium (MLWE)
• Falcon (NTRU)
• pqNTRUsign (NTRU)
• qTESLA (RLWE)
https://estimate-all-the-lwe-ntru-schemes.github.io/docs/

Slide 92: Post-quantum security models

Slide 93: Post-quantum security models
• Is the adversary quantum?
• If so, at what stage(s) in the security experiment?
• If so, can the adversary interact with honest parties (make queries) quantumly?
• If so, and if the proof is in the random oracle model, can the adversary access the random oracle quantumly?

Slide 94: Public key encryption security models
IND-CCA experiment (line numbers below refer to the lines of the experiment as shown on the slide).
Quantum security models:
• Classical: A is classical.
• "Future quantum": A is quantum in line 5 but always has only classical access to Enc and Dec.
• "Post-quantum": A is quantum in lines 2 and 5 but always has only classical access to Enc & Dec.
• "Fully quantum": A is quantum in lines 2 and 5 and has quantum (superposition) access to Enc and Dec.
Symmetric crypto is generally quantum-resistant, unless in fully quantum security models. [Kaplan et al., CRYPTO 2016]

Slide 95: Quantum random oracle model
• If the adversary is locally quantum (e.g., future quantum, post-quantum), should the adversary be able to query its random oracle quantumly?
  • No: We imagine the adversary only interacting classically with the honest system.
  • Yes: The random oracle model artificially makes the adversary interact with something (a hash function) that it can implement itself in practice, so the adversary could implement it quantumly.
• QROM seems to be prevalent these days.
• Proofs in QROM often introduce a tightness gap.
• QROM proofs of the Fujisaki–Okamoto transform from IND-CPA PKE to IND-CCA PKE are a very hot topic right now.
[Boneh et al, ASIACRYPT 2011 https://eprint.iacr.org/2010/428]

Slide 96: Transitioning to PQ crypto

Slide 97: Retroactive decryption
• A passive adversary that records today's communication can decrypt once they get a quantum computer.
• Not a problem for some scenarios.
• Is a problem for other scenarios.
• How to provide potential post-quantum security to early adopters?

Slide 98: Hybrid ciphersuites
• Use pre-quantum and post-quantum algorithms together.
• Secure if either one remains unbroken.
• Need to consider backward compatibility for non-hybrid-aware systems.
Why hybrid?
• Potential post-quantum security for early adopters.
• Maintain compliance with older standards (e.g. FIPS).
• Reduce risk from uncertainty on PQ assumptions/parameters.

Slide 99: Hybrid ciphersuites

    Key exchange               Authentication
1   Hybrid traditional + PQ    Single traditional        (likely focus for next 10 years)
2   Hybrid traditional + PQ    Hybrid traditional + PQ
3   Single PQ                  Single traditional
4   Single PQ                  Single PQ

Slide 100: Hybrid post-quantum key exchange
TLS 1.2
• Prototypes and software experiments:
  • Bos, Costello, Naehrig, Stebila, S&P 2015
  • Bos, Costello, Ducas, Mironov, Naehrig, Nikolaenko, Raghunathan, Stebila, ACM CCS 2016
  • Google Chrome experiment
    • https://security.googleblog.com/2016/07/experimenting-with-post-quantum.html
    • https://www.imperialviolet.org/2016/11/28/cecpq1.html
  • liboqs OpenSSL fork
    • https://openquantumsafe.org/
  • Microsoft OpenVPN fork
    • https://www.bleepingcomputer.com/news/microsoft/microsoft-adds-post-quantum-cryptography-to-
TLS 1.3
• Prototypes:
  • liboqs OpenSSL fork
    • https://github.com/open-quantum-safe/openssl/tree/OQS-master
• Internet drafts:
  • Whyte et al.
    • https://tools.ietf.org/html/draft-whyte-qsh-tls13-06
  • Schanck and Stebila
    • https://tools.ietf.org/html/draft-schanck-tls-additional-keyshare-00
