Post-quantum cryptanalysis D. J. Bernstein University of Illinois - PDF document
  1. Post-quantum cryptanalysis D. J. Bernstein University of Illinois at Chicago


  6. Cryptographic speed What is the fastest public-key encryption system? Or public-key signature system? RSA-1024 is quite fast. RSA-512 is faster. RSA-256 is even faster. This question is stupid.


  8. Cryptographic speed. What is the fastest public-key encryption system with security level $\ge 2^b$? (Plausible-sounding definition: breaking costs $\ge 2^b$.)

  9. Cryptographic speed. What is the fastest public-key encryption system with security level $\ge 2^b$? (Plausible-sounding definition: breaking with probability 1 costs $\ge 2^b$.)

  10. Cryptographic speed. What is the fastest public-key encryption system with security level $\ge 2^b$? (Plausible-sounding definition: for each $\epsilon > 0$, breaking with probability $\ge \epsilon$ costs $\ge 2^b \epsilon$.)

  11. Cryptographic speed. What is the fastest public-key encryption system with security level $\ge 2^b$? (Plausible-sounding definition: for each $\epsilon > 2^{-b/2}$, breaking with probability $\ge \epsilon$ costs $\ge 2^b \epsilon$.)

  12. Cryptographic speed. What is the fastest public-key encryption system with security level $\ge 2^b$? How to evaluate candidates: Encryption systems → Analyze attack algorithms → Systems with security $\ge 2^b$ → Analyze encryption algorithms → Fastest systems with security $\ge 2^b$.

  13. Two pre-quantum examples. RSA (with small exponent, reasonable padding, etc.): Factoring $n$ costs $2^{(\lg n)^{1/3+o(1)}}$ by the number-field sieve. Conjecture: this is the optimal attack against RSA. Key size: Can take $\lg n \in b^{3+o(1)}$ ensuring $2^{(\lg n)^{1/3+o(1)}} \ge 2^b$. Encryption: Fast exp costs $(\lg n)^{1+o(1)}$ bit operations. Summary: RSA costs $b^{3+o(1)}$.

  14. ECC (with strong curve/$\mathbf{F}_q$, reasonable padding, etc.): ECDL costs $2^{(1/2+o(1))\lg q}$ by Pollard’s rho method. Conjecture: this is the optimal attack against ECC. Can take $\lg q \in (2+o(1))\,b$. Encryption: Fast scalar mult costs $(\lg q)^{2+o(1)} = b^{2+o(1)}$. Summary: ECC costs $b^{2+o(1)}$. Asymptotically faster than RSA: i.e., more security for same cost. Bonus: also $b^{2+o(1)}$ decryption.


  19. These analyses are quite crude. To really understand costs need much more precise analysis and optimization of attack algorithms and encryption algorithms. e.g. $\mathbf{R}$-algebraic complexity of size-$n$ DFT over $\mathbf{C}$, when $n$ is a power of 2: $n^{1+o(1)}$: Gauss FFT. $O(n \lg n)$: Gauss FFT. $(5+o(1))\,n \lg n$: Gauss FFT. $(4+o(1))\,n \lg n$: split-radix FFT. $(34/9+o(1))\,n \lg n$: tangent FFT.

  20. Cryptanalysis is slowly moving to a realistic model of computation. A circuit is a 2-dimensional mesh of small parallel gates. Have fast communication between neighboring gates. Try to optimize time $T$ as function of area $A$. See, e.g., classic area-time theorem from 1981 Brent–Kung. Warning: Naive student model— a=x[i] costs 1, like a=b+c —gives wildly unrealistic algorithm-scalability conclusions.

  21. “Maybe there’s a better attack breaking your ‘secure’ systems. Maybe security costs far more!” This is a familiar risk. This is why the community puts tremendous effort into cryptanalysis: analyzing and optimizing attack algorithms. Results of cryptanalysis: Some systems are killed. Some systems need larger keys but still have competitive cost. Some systems inspire confidence.

  22. Post-quantum cryptography. Assume that attacker has a large quantum computer, making qubit operations as cheap as bit operations. (Yes, that’s too extreme. Tweak for more plausibility: maybe $2^b/b^3$ qubit operations are similar to $2^b$ bit operations.) Consequence of this assumption: Attacker has old algorithm arsenal (ECM, ISD, LLL, XL, F4, F5, ...) plus Grover and Shor.


  25. Conventional wisdom: Factoring $n$ costs $(\lg n)^{2+o(1)}$ by Shor (in naive model), so RSA is dead. Similarly DSA and ECDSA. More careful RSA evaluation: Can take $\lg n \in 2^{(1/2+o(1))\,b}$ ensuring $(\lg n)^{2+o(1)} \ge 2^b$. Can reduce RSA encryption, decryption, key generation to $2^{(1/2+o(1))\,b}$ bit ops, far below attacker’s cost. ... but other systems are better! Here are some leading candidates.

  26. Hash-based signatures. Example: 1979 Merkle hash trees. Code-based encryption. Example: 1978 McEliece hidden Goppa codes. Lattice-based encryption. Example: 1998 “NTRU.” Multivariate-quadratic-equations signatures. Example: 1996 Patarin “HFEv$^-$” public-key signature system. Secret-key cryptography. Example: 1998 Daemen–Rijmen “Rijndael” cipher, aka “AES.”

  27. A hash-based signature system. Standardize a 256-bit hash function $H$. Signer’s public key: 512 strings $y_1[0], y_1[1], \ldots, y_{256}[0], y_{256}[1]$, each 256 bits. Total: 131072 bits. Signature of a message $m$: 256-bit strings $r, x_1, \ldots, x_{256}$ such that the bits $(h_1, \ldots, h_{256})$ of $H(r, m)$ satisfy $y_1[h_1] = H(x_1), \ldots, y_{256}[h_{256}] = H(x_{256})$.

  28. Signer’s secret key: 512 independent uniform random 256-bit strings $x_1[0], x_1[1], \ldots, x_{256}[0], x_{256}[1]$. Signer computes $y_1[0], y_1[1], \ldots, y_{256}[0], y_{256}[1]$ as $H(x_1[0]), H(x_1[1]), \ldots, H(x_{256}[0]), H(x_{256}[1])$. To sign $m$: generate uniform random $r$; $H(r, m) = (h_1, \ldots, h_{256})$; reveal $(r, x_1[h_1], \ldots, x_{256}[h_{256}])$; discard remaining $x$ values; refuse to sign more messages.

  29. This is the “Lamport–Diffie one-time signature system.” How to sign more than one message? Easy answer: “Chaining.” Signer expands ♠ to include a newly generated public key that will sign next message. More advanced answers (Merkle et al.) scale logarithmically with the number of messages signed.
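The one-time scheme of slides 27 through 29, written out as an added example (this is not code from the talk). It assumes SHA-256 as the standardized 256-bit $H$; the class and function names are mine. The signer reveals one $x_i[h_i]$ per bit of $H(r, m)$, discards the rest, and refuses a second signature, which is the property that makes it one-time.

```python
import hashlib
import secrets

N = 256  # H is 256-bit: one pair x_i[0], x_i[1] per bit h_i of H(r, m)

def H(*parts: bytes) -> bytes:
    """The standardized 256-bit hash function H; SHA-256 stands in for it."""
    return hashlib.sha256(b"".join(parts)).digest()

def message_bits(r: bytes, m: bytes) -> list:
    """The bits (h_1, ..., h_256) of H(r, m), most significant bit first."""
    d = H(r, m)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N)]

class LamportSigner:
    """Lamport-Diffie one-time signer as described on the slides."""

    def __init__(self):
        # Secret key: 512 independent uniform random 256-bit strings x_i[j].
        self.x = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(N)]
        # Public key: y_i[j] = H(x_i[j]); 512 * 256 = 131072 bits in total.
        self.y = [[H(x0), H(x1)] for x0, x1 in self.x]
        self.used = False

    def sign(self, m: bytes):
        """Returns (r, [x_1[h_1], ..., x_256[h_256]]); works exactly once."""
        if self.used:
            raise RuntimeError("one-time key: refusing to sign a second message")
        r = secrets.token_bytes(32)                      # fresh uniform random r
        h = message_bits(r, m)
        sig = (r, [self.x[i][h[i]] for i in range(N)])  # reveal one x per bit
        self.x = None                                    # discard the other 256 x values
        self.used = True
        return sig

def verify(y, m: bytes, sig) -> bool:
    """Check y_i[h_i] == H(x_i) for every i, where h = bits of H(r, m)."""
    r, xs = sig
    if len(xs) != N:
        return False
    h = message_bits(r, m)
    return all(y[i][h[i]] == H(xs[i]) for i in range(N))

def public_key_bits(y) -> int:
    """Size of the public key in bits (the slide's 131072)."""
    return sum(len(y0) + len(y1) for y0, y1 in y) * 8
```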

  30. Grover finds $x_1[0]$ from $y_1[0]$ using $\approx 2^{128}$ qubit ops. Maybe $H$ has some structure allowing faster inversion ... but most functions don’t seem to have such structures. “SHA-3 competition”: 2008: 191 cryptographers submitted 64 proposals for $H$. Ongoing: Extensive public review. 2011 status: 5 finalists. 2012: SHA-3 is standardized.


  32. Chaum–van Heijst–Pfitzmann, 1991: $H(a, b) = 4^a 9^b \bmod p$. Simple, beautiful, structured. Allows “provable security”: e.g., $H$ collisions imply computing a discrete logarithm, when $p$ is chosen sensibly. But very bad cryptography. Horrible security for its speed. Far worse security record than “unstructured” $H$ designs.
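What “collisions imply computing a discrete logarithm” means, as an added example that is not from the talk: with a constructed toy safe prime $p = 2q+1 = 1019$ (so $4$ and $9$ both generate the order-$q$ subgroup and exponents live in $\mathbf{Z}_q$), a birthday search finds a collision, and the reduction turns it into $\log_4 9$. Function names are mine; the prime is small only so the search finishes instantly, and with a sensibly sized $p$ the search step is exactly what is assumed infeasible.

```python
import random

# Constructed toy parameters: p = 2q + 1 is a safe prime, so 4 = 2^2 and 9 = 3^2
# generate the order-q subgroup and exponents a, b are reduced mod q.
p, q = 1019, 509

def H(a: int, b: int) -> int:
    """Chaum-van Heijst-Pfitzmann hash: H(a, b) = 4^a 9^b mod p."""
    return (pow(4, a, p) * pow(9, b, p)) % p

def find_collision(seed: int = 2012):
    """Birthday search for (a, b) != (a', b') with H(a, b) == H(a', b').
    About sqrt(q) evaluations are expected; the search itself is the part
    that is supposed to be infeasible for a cryptographic-size p."""
    rng = random.Random(seed)   # seeded so the run is reproducible
    seen = {}
    while True:
        a, b = rng.randrange(q), rng.randrange(q)
        v = H(a, b)
        if v in seen and seen[v] != (a, b):
            return seen[v], (a, b)
        seen[v] = (a, b)

def dlog_from_collision(c1, c2) -> int:
    """Turn a collision into x = log_4 9:
    4^a 9^b = 4^a' 9^b'  gives  4^(a - a') = 9^(b' - b) = 4^(x (b' - b)),
    so x = (a - a') * (b' - b)^-1 mod q. If b == b' mod q then 4^(a - a') = 1,
    forcing a == a' as well, i.e. the pair was not a genuine collision."""
    (a, b), (a2, b2) = c1, c2
    db = (b2 - b) % q
    if db == 0:
        raise ValueError("not a genuine collision: b equal, hence a equal too")
    return ((a - a2) * pow(db, -1, q)) % q

def recovered_dlog() -> int:
    """Run the whole reduction and return log_4 9 mod p."""
    x = dlog_from_collision(*find_collision())
    assert pow(4, x, p) == 9   # the collision really did yield the discrete log
    return x
```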
