[PPT] - Post Quantum Crypto B e r n d F i x < b r f @ h o PowerPoint Presentation

SLIDE 1

Bernd Fix < b r f @ h

i
p
l

l

i

.

r

g >

Post-Quantum Crypto

1 / 2 9

Post Quantum Crypto

B e r n d F i x

< b r f @ h

i
p
l

l

i

.

r

g >

SLIDE 2

Bernd Fix < b r f @ h

i
p
l

l

i

.

r

g >

Post-Quantum Crypto

2 / 2 9

Intro

„ E n c r y p t i

n

w

r

k s . P r

p

e r l y i m p l e m e n t e d s t r

n

g c r y p t

s

y s t e m s a r e

n

e

f

t h e f e w t h i n g s t h a t y

u

c a n r e l y

n

. “

E d w a r d S n

w

d e n

SLIDE 3

Bernd Fix < b r f @ h

i
p
l

l

i

.

r

g >

Post-Quantum Crypto

3 / 2 9

Intro

G

t
https://cryptoparty.in t
fj

n d

n

e n e a r y

u

. . .

SLIDE 4

Bernd Fix < b r f @ h

i
p
l

l

i

.

r

g >

Post-Quantum Crypto

4 / 2 9

Intro

T h e u p c

m

i n g

c r y p t

c

a l y p s e

:

M
s

t e n c r y p t e d c

mmu

n i c a t i

n

( l i k e O p e n P G P e m a i l s ) a n d a l

t
f

t r a n s i e n t c

m

m u n i c a t i

n

( w i t h S S L / T L S ) d

e

s n

t

p r

v

i d e P F S ( „ P e r f e c t F

r

w a r d S e c r e c y “ ) .

M
s

t e n c r y p t e d c

mmu

n i c a t i

n

i s s t

r

e d l

n

g

t

e r m i n d a t a c e n t e r s a r

u

n d t h e w

r

l d b y s e c r e t a g e n c i e s ( B l u ff d a l e , U t a h i s j u s t

n

e

f

t h e m ) .

M
s

t p u b l i c

k

e y e n c r y p t i

n

s c h e me s w i l l b e b r

k

e n w i t h i n t h e n e x t t e n y e a r s d u e t

a

d v a n c e m e n t s i n q u a n t u m c

m

p u t e r t e c h n

l
g

y .

SLIDE 5

Bernd Fix < b r f @ h

i
p
l

l

i

.

r

g >

Post-Quantum Crypto

5 / 2 9

Intro T h i n g s w e n e e d t

s

t a r t d

i

n g r i g h t N O W :

O

n l y u s e P F S c r y p t

s

c h e me s w h e n c

mmu

n i c a t i n g

n

l i n e : G e t r i d

f

O p e n P G P e m a i l a n d m

v

e t

s

y s t e m s l i k e P

n

d ( h t t p s : / / p

n

d . i m p e r i a l v i

l

e t .

r

g / ) . F i x t h e S S L / T L S s e t t i n g s

n

y

u

r

w

n s e r v e r s a n d /

r

k i c k a s s w i t h

p

e r a t

r

s . S t

p

u s i n g s e r v i c e s t h a t d

n

' t c a r e t

c
m

p l y .

D

e s i g n , i mp l e me n t a n d d e p l

y

n e w p u b l i c

k

e y c r y p t

s

c h e me s t h a t c a n n

t

b e b r

k

e n b y q u a n t u m c

mp

u t e r s

SLIDE 6

Bernd Fix < b r f @ h

i
p
l

l

i

.

r

g >

Post-Quantum Crypto

6 / 2 9

Q

u a n t u m

r

e s i s t e n t p u b l i c k e y c r y p t

s
A

t t a c k v e c t

r

s

n

p u b l i c k e y c r y p t

s
C

l a s s i c a l a p p r

a

c h

Q

u a n t u m c

m

p u t i n g

E

x i s t i n g a s y m m e t r i c k e y a l g

r

i t h m s ( p u b l i c k e y c r y p t

s

)

a t t i c e

b

a s e d c r y p t

C

r y p t

s

b a s e s

n

e n c

d

i n g p r

b

l e m s

SLIDE 7

Bernd Fix < b r f @ h

i
p
l

l

i

.

r

g >

Post-Quantum Crypto

7 / 2 9

RSA algorithm (1977)

m = p⋅q r := ϕ(m) = ( p−1)⋅(q−1)

r c a n

n

l y b e c

m

p u t e d w i t h k n

w

l e d g e

f

( p, q)

C h

s

e a p u b l i c e x p

n

e n t e a n d c

m

p u t e a p r i v a t e e x p

n

e n t d:

g

n⋅r +1 ≡ g (mod m)

⇒

d ⋅e ≡ 1 (mod r) d = e

−1 (mod r)

⇒ P u b l i c k e y : ( e, m) P r i v a t e k e y : ( d, m)

≡ g

d⋅e

SLIDE 8

Bernd Fix < b r f @ h

i
p
l

l

i

.

r

g >

Post-Quantum Crypto

8 / 2 9

RSA algorithm (1977)

Encryption:

b = a

e mod m

Decryption:

b

d ≡ a e⋅d mod m = a

Signature:

b = a

d mod m

Verifjcation:

b

e ≡ a d⋅e mod m = a

( D L P : D i s c r e t e L

g

a r i t h m P r

b

l e m )

SLIDE 9

Bernd Fix < b r f @ h

i
p
l

l

i

.

r

g >

Post-Quantum Crypto

9 / 2 9

Elliptic Curve Crypto (1985)

y

2 = x 3 + a⋅x + b (mod p)

SLIDE 10

Bernd Fix < b r f @ h

i
p
l

l

i

.

r

g >

Post-Quantum Crypto

1 / 2 9

G e n e r a t

r

p

i

n t G f

r

m s a n a d d i t i v e c y c l i c g r

u

p 〈G〉F

p

n

c u r v e ⇒ a l l p

i

n t s

n

t h e c u r v e h a v e t h e f

r

m P = a ⋅ G w i t h s c a l a r a (mod n) T h e

r

d e r n

f

G

n

t h e c u r v e i s t h e s m a l l e s t v a l u e w i t h n ⋅ G =

∞

( a n a l

g

t

D

L P : D i s c r e t e L

g

a r i t h m P r

b

l e m , b u t m u c h m

r

e d i ffj c u l t t

s
l

v e t h a n D L P

v

e r fj n i t e fj e l d s ⇒ s h

r

t e r k e y s )

Private key: d Public key: d ⋅ G I t i s e a s y t

c
m

p u t e P = a ⋅ G, b u t „ i n f e a s i b l e “ t

c
m

p u t e a f r

m

P a n d G

Elliptic Curve Crypto (1985)

SLIDE 11

Bernd Fix < b r f @ h

i
p
l

l

i

.

r

g >

Post-Quantum Crypto

1 1 / 2 9

E v e r y D L P

b

a s e d c r y p t

s

y s t e m ( D S A , E l G a m a l , D H ) c a n b e t r a n s f

r

m e d i n t

a

n E C C

b

a s e d c r y p t

s

y s t e m !

Signature / Verifjcation:

E C D S A

En-/Decryption:

E C D H DH (Diffje-Hellman)

P

a r a m e t e r g, p

P

u b l i c : e X = g

d X mod p

S

h a r e d : s = eA

d B = eB d A (mod p)

R

a n d

m

s e c r e t s : dA a n d dB ECDH

P

a r a m e t e r G, n

R

a n d

m

s e c r e t s : dA a n d dB

P

u b l i c : e X = d X⋅G mod n

S

h a r e d : S = e A⋅d B = eB⋅d A (mod n)

Elliptic Curve Crypto (1985)

SLIDE 12

Bernd Fix < b r f @ h

i
p
l

l

i

.

r

g >

Post-Quantum Crypto

1 2 / 2 9

Attack vectors

Classical approach (number theory):

Pollard-Rho algorithm, Baby-step giant-step All forms of quadratic sieves to fjnd congruences a2 ≡ b2 ( mod m)

p = (a + b) , q = (a − b) ⇒ m = p⋅q =(a + b) ⋅ (a − b)=a

2 − b 2

⇒ a

2 ≡ b 2 (mod m)

Integer Factorization:

[ R S A ]

m = p⋅q a = b

e (mod m)

Discrete Logarithm Problem:

[ R S A ] [ E C C ]

P = a⋅G (mod n)

SLIDE 13

Bernd Fix < b r f @ h

i
p
l

l

i

.

r

g >

Post-Quantum Crypto

1 3 / 2 9

Quantum computing (1994)

Attack vectors

SLIDE 14

Bernd Fix < b r f @ h

i
p
l

l

i

.

r

g >

Post-Quantum Crypto

1 4 / 2 9

Quantum computers

Qubits:

T

w

s

t a t e s i n s u p e r p

s

i t i

n

: α ∣0〉 + β ∣1〉 = α (

1 0) + β ( 1)

R

e a l i z e d w i t h i

n

t r a p s , N M R , Josephson junctions, p h

t
n

s , . . .

T w

s

u p e r c

n

d u c t i n g r e g i

n

s ( l

p

) s e p a r a t e d b y a w e a k l i n k ( i n s u l a t

r

) S Q U I D ( u s e d f

r

r e a d

u

t )

S

u

r c e : e n . w i k i p e d i a .

r

g

SLIDE 15

Bernd Fix < b r f @ h

i
p
l

l

i

.

r

g >

Post-Quantum Crypto

1 5 / 2 9

Qubits (Josephson junction):

Writing:

A p p l y a m a g n e t i c fj e l d , c u r r e n t s w i l l fm

w

i n t h e l

p
Reading:

U s e a s q u i d t

m

e a s u r e t h e fm

w

s i n t h e l

p

A p p l y a p a r t i c u l a r m a g n e t i c fj e l d a n d t h e g r

u

n d s t a t e i s s p l i t i n t

t

w

s

t a t e s i n s u p e r p

s

i t i

n

.

∣0 〉 ∣1〉

Quantum computers

SLIDE 16

Bernd Fix < b r f @ h

i
p
l

l

i

.

r

g >

Post-Quantum Crypto

1 6 / 2 9

Quantum gates (doing computations): C l a s s i c c

m

p u t e r s : N O T , A N D , O R NOT:

A =( 0 1 1 0)

( q u a n t u m c

m

p u t e r :

n

l y r e v e r s i b l e

p

e r a t i

n

s = u n i t a r y m a t r i c e s ) C-NOT:

B =( 1 0 0 0 0 1 0 0 0 0 0 1 0 0 1 0)

CC-NOT: C =(

1 0 0 0 0 0 0 1 0 0 0 0 0 0 1 0 0 0 0 0 0 1 0 0 0 0 0 0 0 1 0 0 0 0 1 0)

Suffjcient to build a universal computer!

Quantum computers

SLIDE 17

Bernd Fix < b r f @ h

i
p
l

l

i

.

r

g >

Post-Quantum Crypto

1 7 / 2 9

Quantum gates (doing computations): C-NOT:

N =( 1 0 0 0 0 1 0 0 0 0 0 1 0 0 1 0)

C-SHIFT:

P =( 1 0 0 0 0 1 0 0 0 0 1 0 0 0 0 e

iϕ)

HADAMARD:

H = 1

√2 (

1 1 1 −1)

Quantum computers

C

m

p

s

i t e g a t e s : DQTn Uf ...

}

SLIDE 18

Bernd Fix < b r f @ h

i
p
l

l

i

.

r

g >

Post-Quantum Crypto

1 8 / 2 9

Quantum computing (Shor's algorithm): F i n d a n

n
t

r i v i a l s

l

u t i

n

f

r

b s u c h t h a t b2 ≡ 1 ( mod m) S u b s t i t u t e „ f a c t

r

i n g p r

b

l e m“ w i t h „

r

d e r

f

i n d i n g p r

b

l e m“ w h i c h i s m

r

e s u i t a b l e f

r

q u a n t u m c

m

p u t i n g

1 . P i c k a r a n d

m

a < m w i t h gcd(a,m) = 1 2 . F i n d t h e p e r i

d

r

f

f(x) = ax mod m s u c h t h a t f(x+r) = f(x) 3 . I f r i s

d

d

r

ar/2 ≡ ±1 (mod m), g

b

a c k t

s

t e p 1 4 . b = ar/2 a n d gcd(b ±1, m) i s a n

n
t

r i v i a l f a c t

r
f

n

50% chance of fjnding a non-trivial factor for each pass

Attack vectors

SLIDE 19

Bernd Fix < b r f @ h

i
p
l

l

i

.

r

g >

Post-Quantum Crypto

1 9 / 2 9 1 . S e l e c t q s u c h t h a t m2 ≤ q (= 2L) < 2m2 2 . P r e p a r e q u b i t r e g i s t e r |a〉

f

l e n g t h L a n d i n i t i a l i z e t

s

t a t e |0〉 4 . C r e a t e h i g h e s t s u p e r p

s

i t i

n
f

|a〉 b y a p p y i n g H a d a m a r d g a t e s 5 . A p p l y ( c

m

p

s

i t e ) U

f

g a t e t

|a〉

a n d |b〉 : |a,b〉 → |a, b

⨁ f(a)〉

3 . P r e p a r e q u b i t r e g i s t e r |b〉

f

l e n g t h ⎡ log2 m⎤ a n d i n i t i a l i z e t

s

t a t e |0〉 6 . T r a n s f

r

m |a〉 i n t

a

d i fg e r e n t b a s i s b y a Q F T ( Q u a n t u m F

u

r i e r T r a n s f

r

m a t i

n

) 7 . O b s e r v e |a〉 a n d c

m

p u t e t h e p e r i

d

r

Quantum computing (Shor's algorithm):

Attack vectors

SLIDE 20

Bernd Fix < b r f @ h

i
p
l

l

i

.

r

g >

Post-Quantum Crypto

2 / 2 9

Attack vectors

N I S T E C C d

m

a i n p a r a m e t e r s ( a n d

t

h e r s ? ! ) b e c

m

i n g f u b a r Thank you, stupid assholes!

SLIDE 21

Bernd Fix < b r f @ h

i
p
l

l

i

.

r

g >

Post-Quantum Crypto

2 1 / 2 9

Post Quantum Crypto

We need new asymmetric key crypto:

w

i t h r e s i s t e n c e t

q

u a n t u m c

m

p u t e r a t t a c k s

d

e v e l

p

e d a s f r e e s

f

t w a r e w i t h n

p

a t e n t s w h a t s

e

v e r

w

i t h

p

e n p e e r r e v i e w b y c r y p t

c
m

m u n i t y

„

d

w

h a t y

u

w a n t , a n y t h i n g g

e

s “ i g n

r

e c

m

m e r c i a l / g

v

e r m e n t a l s t a n d a r d i z a t i

n

p r

m
t

e c

m

m u n i t y

a

g r e e d , d e c e n t r a l i z e d „ s t a n d a r d s “

SLIDE 22

Bernd Fix < b r f @ h

i
p
l

l

i

.

r

g >

Post-Quantum Crypto

2 2 / 2 9

Post Quantum Crypto

Lattice-based cryptography:

nTru, G G H

M

u l t i v a r i a t e c r y p t

g

r a p h y

H

a s h

b

a s e d s i g n a t u r e s : L a m p

r

t

,

M e r k l e

s

i g n a t u r e s

Code-based cryptography:

McEliece enc., N i e d e r r e i t e r s i g s

SLIDE 23

Bernd Fix < b r f @ h

i
p
l

l

i

.

r

g >

Post-Quantum Crypto

2 3 / 2 9

Post Quantum Crypto

Lattice-based crypto: „ g

d

“ b a s e „ b a d “ b a s e F i n d p r

b

l e m s t h a t a r e e a s y t

s
l

v e w i t h a g

d

b a s e , b u t a r e v e r y h a r d t

s
l

v e w i t h a b a d b a s e . . .

SLIDE 24

Bernd Fix < b r f @ h

i
p
l

l

i

.

r

g >

Post-Quantum Crypto

2 4 / 2 9

Post Quantum Crypto Post Quantum Crypto

Lattice-based crypto

Closest Vector Problem (CVP)

F i n d t h e v e c t

r

v ∈ L c l

s

e s t t

a

v e c t

r

w ∉ L

Shortest Vector Problem (SVP)

F i n d t h e s h

r

t e s t v e c t

r

v ∈ L

S

u

r c e : e n . w i k i p e d i a .

r

g

SLIDE 25

Bernd Fix < b r f @ h

i
p
l

l

i

.

r

g >

Post-Quantum Crypto

2 5 / 2 9

Post Quantum Crypto

Lattice-based crypto: nTru

Key generation:

t w

p
l

y n

m

i n a l s f a n d g w i t h an ∈ { -1,0,1 } P r i v a t e k e y : ( f, f -1 mod p ) P u b l i c k e y : p ⋅ (f -1 mod q)⋅ g (mod q)

Encryption:

p

l

y n

m

i n a l s m, r r e s u l t s i n e = r⋅ h + m (mod q)

Decryption:

a = e f (mod q) ⋅ , b = a (mod p), m = (f -1 mod p)⋅ b

(https://github.com/NTRUOpenSourceProject/ntru-crypto)

B

a s e d

n
b

j e c t s i n a t r u n c a t e d p

l

y n

m

i n a l r i n g ℤ [ X] / ( XN-1) :

a = a0 + a1 X + a2 X 2 + a2 X 2 + ⋯+ aN −1 X N −1

D
m

a i n p a r a m e t e r s ( N, p, q) w i t h N p r i m e , q > p a n d p ⊥ q

SLIDE 26

Bernd Fix < b r f @ h

i
p
l

l

i

.

r

g >

Post-Quantum Crypto

2 6 / 2 9

Post Quantum Crypto

Code-based cryptography: (McEliece encryption)

L

i n e a r b i n a r y c

d

e s [ n,k,d] h a v e l e n g t h n, r a n k k a n d d i s t a n c e d

E

x a m p l e : H a m m i n g c

d

e [ 2r, 2r – r – 1, 3] w i t h r ≥ 2 1 . B i n a r y m a t r i x G e n c

d

e s b l

c

k s

f

k b i t s i n t

b

l

c

k s

f

n b i t s 4 . M a t r i x H d e t e c t s t e r r

r

s a t a n y p

s

i t i

n

i n b l

c

k s

f

k b i t s 3 . E ffj c i e n t d e c

d

i n g a l g

r

i t h m t

t

r a n s f

r

m n b i t s b a c k i n t

k

b i t s 2 . M i n i m a l H a m m i n g d i s t a n c e

f

r

w

s ( b a s e v e c t

r

s ! )

f

G i s d

E

x a m p l e : H a d a m a r d c

d

e [ 2r, r, 2r-1] w i t h r ≥ 2

SLIDE 27

Bernd Fix < b r f @ h

i
p
l

l

i

.

r

g >

Post-Quantum Crypto

2 7 / 2 9

Post Quantum Crypto

Code-based cryptography: (McEliece encryption)

K

e y g e n e r a t i

n

: 1 . C

n

s t r u c t a k ⨉ n b i n a r y m a t r i x G t h a t c a n c

r

r e c t t e r r

r

s 2 . C

n

s t r u c t a r a n d

m

k ⨉ k i n v e r t i b l e b i n a r y m a t r i x S 3 . C

n

s t r u c t a r a n d

m

n ⨉ n p e r m u t a t i

n

m a t r i x P 4 . C

m

p u t e m a t r i x K = S⋅ G⋅ P Public key: ( K, t ) Private key: ( S, G, P )

SLIDE 28

Bernd Fix < b r f @ h

i
p
l

l

i

.

r

g >

Post-Quantum Crypto

2 8 / 2 9

Post Quantum Crypto

Code-based cryptography: (McEliece encryption)

E

n c r y p t i

n

u s i n g p u b l i c k e y ( K, t ) : 1 . C

n

s t r u c t a k- b i t m e s s a g e m t

b

e e n c r y p t e d 2 . C

m

p u t e n- b i t e n c r y p t e d m e s s a g e e = m⋅ K 3 . C

n

s t r u c t a r a n d

m

n- b i t v e c t

r

r w i t h t b i t s s e t 4 . C

m

p u t e c i p h e r t e x t c = e ⨁ t

D

e c r y p t i

n

u s i n g p r i v a t e k e y ( S, G, P ) : 1 . C

m

p u t e n- b i t m e s s a g e p = c P ⋅

1

2 . D e c

d

e n- b i t m e s s a g e p i n t

k-

b i t m e s s a g e d 3 . C

m

p u t e k- b i t p l a i n t e x t m e s s a g e m = p S ⋅

1

SLIDE 29

Bernd Fix < b r f @ h

i
p
l

l

i

.

r

g >

Post-Quantum Crypto

2 9 / 2 9

P

s

t Q u a n t u m C r y p t

B

e r n d F i x

< b r f @ h

i
p
l

l

i

.

r

g >