NewHope for ARM Cortex-M

Erdem Alkim (1), Philipp Jakubeit (2), Peter Schwabe (2)
erdemalkim@gmail.com, phil.jakubeit@gmail.com, peter@cryptojedi.org

(1) Ege University, Izmir, Turkey
(2) Radboud University, Nijmegen, The Netherlands

SPACE 2016
NewHope Efficient Implementation

Post-Quantum Cryptography (2 / 16)

Shor's algorithm in 1994:
◮ Factorization problem – polynomial time
◮ Discrete logarithm problem – polynomial time
◮ Quantum computers are in reach: IBM estimates ≈ 15 years

Threat:
◮ Record encrypted messages today
◮ Break encryption with quantum computers

Alternatives:
◮ Problems which are not broken by quantum algorithms (yet)
◮ Lattice-based cryptography
◮ Ring-learning-with-errors problem

Steps taken:
◮ Tor considering (ECC+RLWE)
◮ Google experimented (ECC+RLWE)
  ◮ Slowest 5% increased by 20 ms
  ◮ Slowest 1% increased by 150 ms

Alkim, Jakubeit, Schwabe 2016 A new hope on ARM Cortex-M 2 / 16
Ring-Learning-With-Errors Problem (3 / 16)

$R_q = \mathbb{Z}_q[X]/(X^n + 1)$, $\chi$ – an error distribution on $R_q$

Search version:
  Given: $(a_i, b_i)$ for $a_i \in R_q$ and $b_i = s \cdot a_i + e_i$ for $e_i \xleftarrow{\$} \chi$
  Wanted: $s$

  $a_1 \in R_q$, $b_1 = s \cdot a_1 + e_1$
  $a_2 \in R_q$, $b_2 = s \cdot a_2 + e_2$
  ...
Post-Quantum Key Exchange (4 / 16)

Use encryption scheme to send a chosen key
  1998 Hoffstein, Pipher, Silverman: NTRU cryptosystem
  2005 Regev: LWE
  2010 Lyubashevsky, Peikert, Regev: RLWE

Lattice-based key exchange
  2010 Gaborit: Noisy Diffie-Hellman
  2011 Lindner, Peikert: (Approximate) Key Agreement
  2012 Ding: Reconciliation-based Key Exchange
  2014 Peikert: Tweak to obtain unbiased keys
  2015 Bos, Costello, Naehrig, Stebila: Instantiate, implement, and integrate into OpenSSL
NewHope – The Protocol (5 / 16)

Parameters: $q = 12289 < 2^{14}$, $n = 1024$
Error distribution: $\psi_{16}^n$

Alice (server)                                  Bob (client)
seed ←$ {0, ..., 255}^32
a ← Parse(SHAKE-128(seed))
s, e ←$ ψ_16^n                                  s', e', e'' ←$ ψ_16^n
b ← as + e
                 (seed, b), 1824 Bytes
                 ─────────────────────────>
                                                a ← Parse(SHAKE-128(seed))
                                                u ← as' + e'
                                                v ← bs' + e''
                                                r ←$ HelpRec(v)
                 (u, r), 2048 Bytes
                 <─────────────────────────
v' ← us
ν ← Rec(v', r)                                  ν ← Rec(v, r)
µ ← SHA3-256(ν)                                 µ ← SHA3-256(ν)
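The following is an added example, not code from the slides or from the NewHope authors: it models the RLWE relation of slide 3 and the exchange of slide 5 in plain Python with schoolbook arithmetic in R_q = Z_q[X]/(X^n + 1), using the slide's q = 12289, n = 1024 and ψ_16. Everything below is an assumption of this example rather than NewHope's real code: the function names, the rejection rule inside parse_shake, the bit packing before SHA3-256, and above all the reconciliation, which here is a simplified one-bit-per-coefficient HelpRec/Rec (the real scheme reconciles four coefficients per key bit). The point it makes visible is the approximate-agreement step: v' − v = e's − es' − e'' consists only of products of small ψ_16 samples, so Bob's help bits let Alice recover the same ν.

```python
# Added example (not from the slides or the NewHope authors): NewHope-style RLWE exchange with
# schoolbook arithmetic and a SIMPLIFIED one-bit-per-coefficient reconciliation (assumption).
import hashlib
import random

Q, N, K = 12289, 1024, 16          # slide 5: q = 12289 < 2^14, n = 1024, psi_16
KEYBIT = (0, 1, 1, 0)              # key bit assigned to quarter j = floor(4v/q) of [0, q)

def sample_psi(n, k, rng):
    """Centered binomial psi_k per coefficient: (sum of k bits) - (sum of k bits)."""
    return [sum(rng.getrandbits(1) for _ in range(k)) - sum(rng.getrandbits(1) for _ in range(k))
            for _ in range(n)]

def poly_add(f, g, q):
    return [(x + y) % q for x, y in zip(f, g)]

def poly_sub(f, g, q):
    return [(x - y) % q for x, y in zip(f, g)]

def poly_mul(f, g, q):
    """Schoolbook product in Z_q[X]/(X^n + 1): X^n = -1, so wrapped-around terms are subtracted."""
    n = len(f)
    out = [0] * n
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            if i + j < n:
                out[i + j] += fi * gj
            else:
                out[i + j - n] -= fi * gj
    return [c % q for c in out]

def parse_shake(seed, n, q):
    """a <- Parse(SHAKE-128(seed)): uniform coefficients by rejecting 16-bit chunks >= q
    (same shape as NewHope's Parse; the exact rejection rule is this example's simplification)."""
    stream = hashlib.shake_128(seed).digest(32 * n)            # 16n chunks, ~3n accepted
    vals = [stream[i] | (stream[i + 1] << 8) for i in range(0, 32 * n, 2)]
    coeffs = [x for x in vals if x < q][:n]
    assert len(coeffs) == n                                    # never trips at this oversupply
    return coeffs

def help_rec(v, q):
    """Bob's help bit per coefficient: parity of the quarter of [0, q) the coefficient lies in."""
    return [(4 * x // q) & 1 for x in v]

def rec(w, r, q):
    """Given help bit r the true coefficient sits in quarter r or r + 2 (centres q/2 apart); pick
    the quarter whose centre is cyclically closest to the noisy w. Correct whenever |w - v| < q/8."""
    bits = []
    for x, rb in zip(w, r):
        dist = {}
        for j in (rb, rb + 2):
            d = abs(8 * x - (2 * j + 1) * q) % (8 * q)         # scale by 8 to stay in integers
            dist[j] = min(d, 8 * q - d)
        bits.append(KEYBIT[min(dist, key=dist.get)])
    return bits

def derive_key(bits):
    """mu <- SHA3-256(nu), nu packed 8 bits per byte, least significant bit first (assumption)."""
    packed = bytearray(len(bits) // 8)
    for i, b in enumerate(bits):
        packed[i // 8] |= b << (i % 8)
    return hashlib.sha3_256(bytes(packed)).digest()

def newhope_like_exchange(n=N, q=Q, k=K, rng_seed=None):
    """Run the slide-5 exchange; return both keys plus the noise Alice had to tolerate."""
    rng = random.Random(rng_seed) if rng_seed is not None else random.SystemRandom()
    # Alice: seed <-$ {0..255}^32, a <- Parse(SHAKE-128(seed)), s, e <-$ psi_k, b <- a*s + e
    seed = bytes(rng.getrandbits(8) for _ in range(32))
    a = parse_shake(seed, n, q)
    s, e = sample_psi(n, k, rng), sample_psi(n, k, rng)
    b = poly_add(poly_mul(a, s, q), e, q)                      # message 1: (seed, b)
    # Bob: s', e', e'' <-$ psi_k, same a from the seed, u <- a*s' + e', v <- b*s' + e''
    s2, e2, e3 = (sample_psi(n, k, rng) for _ in range(3))
    a_bob = parse_shake(seed, n, q)
    u = poly_add(poly_mul(a_bob, s2, q), e2, q)
    v = poly_add(poly_mul(b, s2, q), e3, q)
    r = help_rec(v, q)                                         # message 2: (u, r)
    nu_bob = rec(v, r, q)
    # Alice: v' <- u*s, then reconcile against Bob's help bits
    v_prime = poly_mul(u, s, q)
    nu_alice = rec(v_prime, r, q)
    # v' - v = (a s' + e') s - (a s + e) s' - e'' = e' s - e s' - e'': only small-noise products
    diff = poly_sub(v_prime, v, q)
    noise = [x if x <= q // 2 else x - q for x in diff]
    algebra = poly_sub(poly_sub(poly_mul(e2, s, q), poly_mul(e, s2, q), q), e3, q)
    return {"alice": derive_key(nu_alice), "bob": derive_key(nu_bob),
            "mismatched_bits": sum(x != y for x, y in zip(nu_alice, nu_bob)),
            "max_noise": max(abs(x) for x in noise),
            "noise_matches_algebra": algebra == diff}

if __name__ == "__main__":
    res = newhope_like_exchange()
    print("keys agree:", res["alice"] == res["bob"], "| mismatched bits:", res["mismatched_bits"],
          "| max |v' - v|:", res["max_noise"], "| tolerated: <", Q // 8)
```

Running the module directly performs one exchange at the full n = 1024. Because each coefficient of v' − v is a sum of about 2n products of ψ_16 samples, its spread is a few hundred, so the one-bit rule's tolerance of q/8 = 1536 is only about four standard deviations away and a run will occasionally report a mismatched bit; that failure rate, not the arithmetic, is what NewHope's four-coefficient HelpRec/Rec is designed to drive down.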