mctiny fast high confidence post quantum key erasure for
play

McTiny: Fast High-Confidence Post-Quantum Key Erasure for Tiny - PowerPoint PPT Presentation

May 15, 2023 •193 likes •388 views

McTiny: Fast High-Confidence Post-Quantum Key Erasure for Tiny Network Servers Daniel J. Bernstein 1,2 and Tanja Lange 3 1 University of Illinois at Chicago 2 Ruhr University Bochum 3 Eindhoven University of Technology USENIX Security 2020

  1. McTiny: Fast High-Confidence Post-Quantum Key Erasure for Tiny Network Servers Daniel J. Bernstein 1,2 and Tanja Lange 3 1 University of Illinois at Chicago 2 Ruhr University Bochum 3 Eindhoven University of Technology USENIX Security 2020

  2. Post-quantum cryptography Cryptography designed under the assumption that the attacker (not the user!) has a large quantum computer. Options: code-based, hash-based, isogeny-based, lattice-based, multivariates. 1978 McEliece: Public-key encryption using error-correcting codes. ◮ Original parameters designed for 2 64 security. ◮ 2008 Bernstein–Lange–Peters: broken in ≈ 2 60 cycles. ◮ Easily scale up for higher security. ◮ 1962 Prange: simple attack idea guiding sizes in 1978 McEliece. The McEliece system (with later key-size optimizations) achieves 2 λ security against Prange’s attack using (0 . 741186 . . . + o (1)) λ 2 (log 2 λ ) 2 -bit keys as λ → ∞ . Daniel J. Bernstein & Tanja Lange McTiny https://mctiny.org/ 2

  3. Security analysis of McEliece encryption Some papers studying algorithms for attackers: 1962 Prange; 1981 Clark–Cain, crediting Omura; 1988 Lee–Brickell; 1988 Leon; 1989 Krouk; 1989 Stern; 1989 Dumer; 1990 Coffey–Goodman; 1990 van Tilburg; 1991 Dumer; 1991 Coffey–Goodman–Farrell; 1993 Chabanne–Courteau; 1993 Chabaud; 1994 van Tilburg; 1994 Canteaut–Chabanne; 1998 Canteaut–Chabaud; 1998 Canteaut–Sendrier; 2008 Bernstein–Lange–Peters; 2009 Bernstein–Lange–Peters–van Tilborg; 2009 Bernstein ( post-quantum ); 2009 Finiasz–Sendrier; 2010 Bernstein–Lange–Peters; 2011 May–Meurer–Thomae; 2012 Becker–Joux–May–Meurer; 2013 Hamdaoui–Sendrier; 2015 May–Ozerov; 2016 Canto Torres–Sendrier; 2017 Kachigar–Tillich ( post-quantum ); 2017 Both–May; 2018 Both–May; 2018 Kirshanova ( post-quantum ). All of these attacks involve huge searches, like attacking AES. The quantum attacks (Grover etc.) leave at least half of the bits of security. Daniel J. Bernstein & Tanja Lange McTiny https://mctiny.org/ 3

  4. Attack progress over time 1978 K →∞ Daniel J. Bernstein & Tanja Lange lim Clark–Cain • log 2 AttackCost 2020 ( K ) log 2 AttackCost year ( K ) Lee–Brickell • Leon • Krouk • Stern • Dumer • Coffey–Goodman • van Tilburg • Dumer • Coffey–Goodman–Farrell • Chabanne–Courteau • Chabaud • van Tilburg • Canteaut–Chabanne • McTiny 1.154 1.315 1.421 Canteaut–Chabaud • ∞ Canteaut–Sendrier • https://mctiny.org/ Bernstein–Lange–Peters • Bernstein–Lange–Peters–van Tilborg • Finiasz–Sendrier • Bernstein–Lange–Peters • May–Meurer–Thomae • Becker–Joux–May–Meurer • Hamdaoui–Sendrier • May–Ozerov • Canto Torres–Sendrier • Both–May • Both–May • 4 2020

  5. Attack progress over time 1978 ten years ago than they have today. Lattices had 42% higher security levels Red: Lattices have lost much more security. K →∞ Daniel J. Bernstein & Tanja Lange lim Clark–Cain • log 2 AttackCost 2020 ( K ) log 2 AttackCost year ( K ) Lee–Brickell • Leon • Krouk • Stern • Dumer • Coffey–Goodman • van Tilburg • Dumer • Coffey–Goodman–Farrell • Chabanne–Courteau • Chabaud • van Tilburg • Canteaut–Chabanne • McTiny 1.154 1.315 1.421 Canteaut–Chabaud • ∞ Canteaut–Sendrier • × Ajtai–Kumar–Sivakumar https://mctiny.org/ Bernstein–Lange–Peters • × Nguyen–Vidick Bernstein–Lange–Peters–van Tilborg • Finiasz–Sendrier • × Micciancio–Voulgaris × Bernstein–Lange–Peters • Wang–Liu–Tian–Bi May–Meurer–Thomae • Becker–Joux–May–Meurer • × Hamdaoui–Sendrier • Zhang–Pan–Hu × Laarhoven Becker–Ducas–Gama–Laarhoven May–Ozerov • × × Laarhoven–de Weger Canto Torres–Sendrier • Both–May • Both–May • 4 2020

  6. NIST PQC submission Classic McEliece No patents. Shortest ciphertexts. Fast open-source constant-time software implementations. Very conservative system, expected to last; has strongest security track record. Sizes with similar post-quantum security to AES-128, AES-192, AES-256: Metric mceliece348864 mceliece460896 mceliece6960119 Public-key size 261120 bytes 524160 bytes 1047319 bytes Secret-key size 6452 bytes 13568 bytes 13908 bytes Ciphertext size 128 bytes 188 bytes 226 bytes Key-generation time 52415436 cycles 181063400 cycles 417271280 cycles Encapsulation time 43648 cycles 77380 cycles 143908 cycles Decapsulation time 130944 cycles 267828 cycles 295628 cycles See https://classic.mceliece.org for authors, details & parameters. Daniel J. Bernstein & Tanja Lange McTiny https://mctiny.org/ 5

  7. Key issues for McEliece Daniel J. Bernstein & Tanja Lange McTiny https://mctiny.org/ 6

  8. Key issues for McEliece BIG PUBLIC KEYS. Daniel J. Bernstein & Tanja Lange McTiny https://mctiny.org/ 6

  9. Key issues for McEliece Users send big data anyway. We have lots of bandwidth. Maybe 1MB keys are okay. Each client spends a small fraction of a second generating new ephemeral 1MB key. Daniel J. Bernstein & Tanja Lange McTiny https://mctiny.org/ 6

  10. Key issues for McEliece Users send big data anyway. We have lots of bandwidth. Maybe 1MB keys are okay. Each client spends a small fraction of a second generating new ephemeral 1MB key. But: If any client is allowed to send a new ephemeral 1MB McEliece key to server, an attacker can easily flood server’s memory. This invites DoS attacks. Daniel J. Bernstein & Tanja Lange McTiny https://mctiny.org/ 6

  11. Key issues for McEliece Users send big data anyway. We have lots of bandwidth. Maybe 1MB keys are okay. Each client spends a small fraction of a second generating new ephemeral 1MB key. But: If any client is allowed to send a new ephemeral 1MB McEliece key to server, an attacker can easily flood server’s memory. This invites DoS attacks. Our goal: Eliminate these attacks by eliminating all per-client storage on server. Daniel J. Bernstein & Tanja Lange McTiny https://mctiny.org/ 6

  12. Goodness, what big keys you have! Public keys look like this:  1 0 0 1 1 0 1  . . . . . . 0 1 0 0 0 1 1 . . . . . .   K =  . . .  ... . . .   1 1 1 0 . . . . . .   0 0 1 0 1 1 1 . . . . . . Left part is ( n − k ) × ( n − k ) identity matrix (no need to send). Right part is random-looking ( n − k ) × k matrix. E.g. n = 6960, k = 5413, so n − k = 1547. Daniel J. Bernstein & Tanja Lange McTiny https://mctiny.org/ 7

  13. Goodness, what big keys you have! Public keys look like this:  1 0 0 1 1 0 1  . . . . . . 0 1 0 0 0 1 1 . . . . . .   K =  . . .  ... . . .   1 1 1 0 . . . . . .   0 0 1 0 1 1 1 . . . . . . Left part is ( n − k ) × ( n − k ) identity matrix (no need to send). Right part is random-looking ( n − k ) × k matrix. E.g. n = 6960, k = 5413, so n − k = 1547. Encryption xors secretly selected columns, e.g.  0   1   0   1   0  1 0 1 1 1            +  +  +  =           0 1 1 0 0       0 0 1 1 0 Daniel J. Bernstein & Tanja Lange McTiny https://mctiny.org/ 7

  14. Can servers avoid storing big keys?   1 0 . . . 0 1 . . . 1 0 1 0 1 0 0 0 1 1 . . . . . .    = ( I n − k | K ′ ) K =   . . . ... . . .   . . . 1 . . . 1 1 0  0 0 1 0 1 1 1 . . . . . . Encryption xors secretly selected columns. With some storage and trusted environment: Receive columns of K ′ one at a time, store and update partial sum. Daniel J. Bernstein & Tanja Lange McTiny https://mctiny.org/ 8

  15. Can servers avoid storing big keys?   1 0 . . . 0 1 . . . 1 0 1 0 1 0 0 0 1 1 . . . . . .    = ( I n − k | K ′ ) K =   . . . ... . . .   . . . 1 . . . 1 1 0  0 0 1 0 1 1 1 . . . . . . Encryption xors secretly selected columns. With some storage and trusted environment: Receive columns of K ′ one at a time, store and update partial sum. On the real Internet, without per-client state: Daniel J. Bernstein & Tanja Lange McTiny https://mctiny.org/ 8

  16. Can servers avoid storing big keys?   1 0 . . . 0 1 . . . 1 0 1 0 1 0 0 0 1 1 . . . . . .    = ( I n − k | K ′ ) K =   . . . ... . . .   . . . 1 . . . 1 1 0  0 0 1 0 1 1 1 . . . . . . Encryption xors secretly selected columns. With some storage and trusted environment: Receive columns of K ′ one at a time, store and update partial sum. On the real Internet, without per-client state: Don’t reveal intermediate results! Which columns are picked is the secret message! Intermediate results show whether a column was used or not. Daniel J. Bernstein & Tanja Lange McTiny https://mctiny.org/ 8

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Bounds on achievable rates of sparse quantum codes over the quantum erasure channel Nicolas

Bounds on achievable rates of sparse quantum codes over the quantum erasure channel Nicolas

Bounds on achievable rates of sparse quantum codes over the quantum erasure channel Nicolas Delfosse (with Gilles Z emor) Institute of Mathematics - Univ. of Bordeaux - France Second Int. Conf. on Quantum Error Correction - QEC 11 USC Los

506 views • 38 slides
The Quantum Risk & Post-Quantum Crypto JP Aumasson The Quantum Risk & Post-Quantum

The Quantum Risk & Post-Quantum Crypto JP Aumasson The Quantum Risk & Post-Quantum

The Quantum Risk & Post-Quantum Crypto JP Aumasson The Quantum Risk & Post-Quantum Crypto JP Aumasson uantum /me 15 years experience in applied cryptography (PhD, industry, consulting) Designed widely used algorithms Author of the

816 views • 52 slides
Fidelity of Finite Length Quantum Codes in Qubit Erasure Channel Alexei Ashikhmin, Bell Labs

Fidelity of Finite Length Quantum Codes in Qubit Erasure Channel Alexei Ashikhmin, Bell Labs

1 Fidelity of Finite Length Quantum Codes in Qubit Erasure Channel Alexei Ashikhmin, Bell Labs Correction of Erasures by Classical Codes Quantum Erasure Channel (QEC) Probability of Decoding Error in QEC via Combinatorial Invariants

452 views • 20 slides
Fast Zero-Knowledge Proofs and Post-Quantum Signatures Claudio Orlandi Aarhus University

Fast Zero-Knowledge Proofs and Post-Quantum Signatures Claudio Orlandi Aarhus University

Fast Zero-Knowledge Proofs and Post-Quantum Signatures Claudio Orlandi Aarhus University @claudiorlandi Based on joint work with: Meliisa Chase (Microsoft) David Derler (TU Graz) Tore Frederiksen (BIU) Irene Giacomelli

1.21k views • 77 slides
Q B : Quantum capacity assisted by back classical communication in local op local op Alice

Q B : Quantum capacity assisted by back classical communication in local op local op Alice

Lower bounds on Q B of E p Q B = quantum capacity assisted by back classical communication E p = erasure channel with erasure prob p Debbie Leung 1 & Peter Shor 2 Charles Bennett, Igor Devetak, Aram Harrow, Patrick Hayden, Andreas Winter 1:

261 views • 14 slides
Equating quantum and thermodynamic entropy productions (Information erasure in closed system:

Equating quantum and thermodynamic entropy productions (Information erasure in closed system:

Equating quantum and thermodynamic entropy productions (Information erasure in closed system: Nature may operate twirling) Lajos Di osi Wigner Research Centre, Budapest 21 Sept 2016, Sopot Acknowledgements: EU COST Action MP1209

569 views • 8 slides
Pyrit: Polynomial Ring Transforms for Fast Erasure Coding Some parts of this work have been

Pyrit: Polynomial Ring Transforms for Fast Erasure Coding Some parts of this work have been

Pyrit: Polynomial Ring Transforms for Fast Erasure Coding Some parts of this work have been patented Jonathan Detchart and Jrme Lacan July 18, 2017 J. Detchart, J. Lacan NWCRG Erasure coding via polynomial ring transforms 1/ 14 Outline

316 views • 18 slides
Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers

Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers

Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers can break public-key cryptography that is based on assuming hardness of factoring, discrete logs, and a few other problems I Post-quantum

2.98k views • 37 slides
SW/HW Codesign of the Post-Quantum Cryptography Algorithm NTRUEncrypt Using HLS and RTL Design

SW/HW Codesign of the Post-Quantum Cryptography Algorithm NTRUEncrypt Using HLS and RTL Design

SW/HW Codesign of the Post-Quantum Cryptography Algorithm NTRUEncrypt Using HLS and RTL Design Methodologies Farnoud Farahmand, Duc Tri Nguyen, Viet B. Dang*, Ahmed Ferozpuri and Kris Gaj George Mason University Post st-Quantum Quantum

441 views • 14 slides
Standardization of post-quantum cryptography Tanja Lange 08 May 2016 A Workshop About

Standardization of post-quantum cryptography Tanja Lange 08 May 2016 A Workshop About

Standardization of post-quantum cryptography Tanja Lange 08 May 2016 A Workshop About Cryptographic Standards History of post-quantum cryptography 2003 Daniel J. Bernstein introduces term Post-quantum cryptography. PQCrypto 2006:

623 views • 23 slides
Forward Error Correction using Erasure Codes using Erasure Codes Reference : L. Rizzo,

Forward Error Correction using Erasure Codes using Erasure Codes Reference : L. Rizzo,

Forward Error Correction using Erasure Codes using Erasure Codes Reference : L. Rizzo, Effective Erasure Codes for Reliable Computer Communication Protocols, ACM p SIGCOMM Computer Communication Review , April 1997 Erasure codes (Simon

705 views • 25 slides
Part I: Introduction to Post Quantum Cryptography Tutorial@CHES 2017 - Taipei Tim Gneysu

Part I: Introduction to Post Quantum Cryptography Tutorial@CHES 2017 - Taipei Tim Gneysu

Part I: Introduction to Post Quantum Cryptography Tutorial@CHES 2017 - Taipei Tim Gneysu Ruhr-Universitt Bochum & DFKI 04.10.2017 Overview Goals Provide a high-level introduction to Post-Quantum Cryptography (PQC)

1.18k views • 113 slides
High Confidence Rule Mining h f d l Row Enumeration for Microarray Analysis Confidence

High Confidence Rule Mining h f d l Row Enumeration for Microarray Analysis Confidence

2007-11-26 Outline Introduction High Confidence Rule Mining h f d l Row Enumeration for Microarray Analysis Confidence based Prune Strategy MAXCONF Algorithm Kang Deng Evaluation U i University of Alberta it f Alb t

83 views • 7 slides
Type Erasure 86 What is Type Erasure? The way for the Java

Type Erasure 86 What is Type Erasure? The way for the Java

Type Erasure 86 What is Type Erasure? The way for the Java compiler to generate byte code which implements our Generic Types & Generic Methods Type

276 views • 15 slides
Incorporating Post-Quantum Cryptography in a microservice architecture Research Project 2 Why

Incorporating Post-Quantum Cryptography in a microservice architecture Research Project 2 Why

R. van der Gaag, D. Weller Incorporating Post-Quantum Cryptography in a microservice architecture Research Project 2 Why think about post-quantum cryptography W. Buchanan et. al concluded Gate-based quantum computers pose a significant

349 views • 18 slides
2 1 Joppe W. Bos and Simon Friedberger Why these strange primes? 2 Quantum

2 1 Joppe W. Bos and Simon Friedberger Why these strange primes? 2 Quantum

Fast Arithmetic Modulo 2 1 Joppe W. Bos and Simon Friedberger Why these strange primes? 2 Quantum computers NIST call for PQC standards [1] [2] Post-Quantum Cryptography 3 Lattice-based Code-based MQ-based

524 views • 25 slides
A8: Cross-site Request Forgery (CSRF) A8: Cross-site Request Forgery (CSRF) XSS Trick

A8: Cross-site Request Forgery (CSRF) A8: Cross-site Request Forgery (CSRF) XSS Trick

A8: Cross-site Request Forgery (CSRF) A8: Cross-site Request Forgery (CSRF) XSS Trick browser to execute code without user knowledge CSRF Trick browser to access sensitive pages without user knowledge CSRF Vulnerability Pattern

284 views • 11 slides
Nemesis: Preventing Web Authentication & Access Control Vulnerabilities Michael Dalton ,

Nemesis: Preventing Web Authentication & Access Control Vulnerabilities Michael Dalton ,

Nemesis: Preventing Web Authentication & Access Control Vulnerabilities Michael Dalton , Christos Kozyrakis Stanford University Nickolai Zeldovich Massachusetts Institute of Technology Web Application Overview User: webdb User: httpd

446 views • 22 slides
Web client programming JavaScript/AJAX Web requests with JavaScript/AJAX Needed for

Web client programming JavaScript/AJAX Web requests with JavaScript/AJAX Needed for

Web client programming JavaScript/AJAX Web requests with JavaScript/AJAX Needed for reverse-engineering homework site Web request via jQuery JavaScript library jQuery.ajax({ 'type': 'GET', 'url': 'http://vulnerable/ajax.php',

335 views • 22 slides
Tracking Web Visitors Aaron Stevens Computer Science What Youll Learn Today Computer Science

Tracking Web Visitors Aaron Stevens Computer Science What Youll Learn Today Computer Science

4/17/13 CS108: Lecture 26 Tracking Web Visitors Aaron Stevens Computer Science What Youll Learn Today Computer Science How do you know whos using your Application? Using hidden fields to keep session state HTTP Environment

347 views • 10 slides
Cookies Cookies HTTP is stateless To "remember" a user we use cookies In a

Cookies Cookies HTTP is stateless To "remember" a user we use cookies In a

Cookies Cookies HTTP is stateless To "remember" a user we use cookies In a response header, we can give the user information as a cookie All subsequent requests will contain these cookies in a header Since cookies work

475 views • 10 slides
Large Deviations and Slowdown Asymptotics of Excited Random Walks Jonathon Peterson Department

Large Deviations and Slowdown Asymptotics of Excited Random Walks Jonathon Peterson Department

LDP for Excited Random Walks Large Deviations and Slowdown Asymptotics of Excited Random Walks Jonathon Peterson Department of Mathematics Purdue University September 4, 2012 Jonathon Peterson 9/4/2012 1 / 13 LDP for Excited Random Walks

688 views • 32 slides
Chapter 12 COOKIES AND SESSIONS INTRO Unlike the unified single process that is the typical

Chapter 12 COOKIES AND SESSIONS INTRO Unlike the unified single process that is the typical

Chapter 12 COOKIES AND SESSIONS INTRO Unlike the unified single process that is the typical desktop application, a web application consists of a series of disconnected HTTP requests to a web server where each request for a server page is

660 views • 45 slides
Identifying and Preventing Conditions for Web Privacy Leakage Craig E. Wills Computer Science

Identifying and Preventing Conditions for Web Privacy Leakage Craig E. Wills Computer Science

Identifying and Preventing Conditions for Web Privacy Leakage Craig E. Wills Computer Science Department Worcester Polytechnic Institute Worcester, MA USA W3C Workshop on Web Tracking and User Privacy April, 2011 1 Its Not Just Tracking

474 views • 4 slides

More recommend