post quantum cryptography
play

Post-quantum cryptography Daniel J. Bernstein & Tanja Lange - PowerPoint PPT Presentation

Sep 25, 2022 •245 likes •1.17k views

Post-quantum cryptography Daniel J. Bernstein & Tanja Lange University of Illinois at Chicago & Ruhr University Bochum & Technische Universiteit Eindhoven 10 June 2019 Cryptography Motivation #1: Communication channels are spying

  1. Post-quantum cryptography Daniel J. Bernstein & Tanja Lange University of Illinois at Chicago & Ruhr University Bochum & Technische Universiteit Eindhoven 10 June 2019

  2. Cryptography ◮ Motivation #1: Communication channels are spying on our data. ◮ Motivation #2: Communication channels are modifying our data. Daniel J. Bernstein & Tanja Lange Post-quantum cryptography 2

  3. Cryptography ◮ Motivation #1: Communication channels are spying on our data. ◮ Motivation #2: Communication channels are modifying our data. Daniel J. Bernstein & Tanja Lange Post-quantum cryptography 2

  4. � � Cryptography ◮ Motivation #1: Communication channels are spying on our data. ◮ Motivation #2: Communication channels are modifying our data. Sender Untrustworthy network Receiver “Alice” “Eve” “Bob” ◮ Literal meaning of cryptography: “secret writing”. ◮ Security goal #1: Confidentiality despite Eve’s espionage. ◮ Security goal #2: Integrity , i.e., recognizing Eve’s sabotage. Daniel J. Bernstein & Tanja Lange Post-quantum cryptography 2

  5. Cryptographic applications in daily life ◮ Mobile phones connecting to cell towers. ◮ Credit cards, EC-cards, access codes for banks. ◮ Electronic passports; electronic ID cards. ◮ Internet commerce, online tax declarations, webmail. ◮ Facebook, Gmail, WhatsApp, iMessage on iPhone. ◮ Any webpage with https . ◮ Encrypted file system on iPhone: see Apple vs. FBI. Daniel J. Bernstein & Tanja Lange Post-quantum cryptography 3

  6. Cryptographic applications in daily life ◮ Mobile phones connecting to cell towers. ◮ Credit cards, EC-cards, access codes for banks. ◮ Electronic passports; electronic ID cards. ◮ Internet commerce, online tax declarations, webmail. ◮ Facebook, Gmail, WhatsApp, iMessage on iPhone. ◮ Any webpage with https . ◮ Encrypted file system on iPhone: see Apple vs. FBI. ◮ PGP encrypted email, Signal, Tor, Tails, Qubes OS. ◮ VPN to company network. Daniel J. Bernstein & Tanja Lange Post-quantum cryptography 3

  7. Cryptographic applications in daily life ◮ Mobile phones connecting to cell towers. ◮ Credit cards, EC-cards, access codes for banks. ◮ Electronic passports; electronic ID cards. ◮ Internet commerce, online tax declarations, webmail. ◮ Facebook, Gmail, WhatsApp, iMessage on iPhone. ◮ Any webpage with https . ◮ Encrypted file system on iPhone: see Apple vs. FBI. ◮ PGP encrypted email, Signal, Tor, Tails, Qubes OS. ◮ VPN to company network. Snowden in Reddit AmA Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say. Daniel J. Bernstein & Tanja Lange Post-quantum cryptography 3

  10. Cryptographic tools Many factors influence the security and privacy of data: ◮ Secure storage, physical security; access control. ◮ Protection against alteration of data ⇒ public-key signatures, message-authentication codes. ◮ Protection of sensitive content against reading ⇒ encryption. Many more security goals studied in cryptography ◮ Protecting against denial of service. ◮ Stopping traffic analysis. ◮ Securely tallying votes. ◮ Searching in and computing on encrypted data. ◮ . . . Daniel J. Bernstein & Tanja Lange Post-quantum cryptography 6

  11. Cryptanalysis ◮ Cryptanalysis is the study of security of cryptosystems. ◮ Breaking a system can mean that the hardness assumption was not hard or that it just was not as hard as previously assumed. ◮ Public cryptanalysis is ultimately constructive – ensure that secure systems get used, not insecure ones. ◮ Weakened crypto ultimately backfires – attacks in 2018 because of crypto wars in the 90s. ◮ Good arsenal of general approaches to cryptanalysis. There are some automated tools. ◮ This area is constantly under development; researchers revisit systems continuously. Daniel J. Bernstein & Tanja Lange Post-quantum cryptography 7

  14. Security assumptions ◮ Hardness assumptions at the basis of all public-key and essentially all symmetric-key systems result from (failed) attempts at breaking systems. Security proofs are built only on top of those assumptions. ◮ A solid symmetric system is required to be as strong as exhaustive key search. ◮ For public-key systems the best attacks are faster than exhaustive key search. Parameters are chosen to ensure that the best attack is infeasible. Daniel J. Bernstein & Tanja Lange Post-quantum cryptography 10

  15. Key-size recommendations Future System Use Parameter Legacy Near Term Long Term Symmetric Key Size k 80 128 256 Hash Function Output Size 160 256 512 m MAC Output Size ⋆ 80 128 256 m RSA Problem ℓ ( n ) ≥ 1024 3072 15360 ℓ ( p n ) ≥ Finite Field DLP 1024 3072 15360 ℓ ( p ) , ℓ ( q ) ≥ 160 256 512 ECDLP ℓ ( q ) ≥ 160 256 512 ℓ ( p k · n ) ≥ Pairing 1024 6144 15360 ℓ ( p ) , ℓ ( q ) ≥ 160 256 512 ◮ Source: ECRYPT-CSA “Algorithms, Key Size and Protocols Report” (2018). ◮ These recommendations take into account attacks known today. ◮ Use extrapolations to larger problem sizes. ◮ Attacker power typically limited to 2 128 operations (less for legacy). ◮ More to come on long-term security . . . Daniel J. Bernstein & Tanja Lange Post-quantum cryptography 11

  16. Summary: current state of the art ◮ Currently used crypto (check the lock icon in your browser) starts with RSA, Diffie-Hellman (DH) in finite fields, or elliptic-curve Diffie-Hellman (ECDH). ◮ Older standards are RSA or elliptic curves from NIST (or Brainpool), e.g. NIST P256 or ECDSA. ◮ Internet currently moving over to Curve25519 (Bernstein) and Ed25519 (Bernstein, Duif, Lange, Schwabe, and Yang). ◮ For symmetric crypto TLS (the protocol behind https) uses AES or ChaCha20 and some MAC, e.g. AES-GCM or ChaCha20-Poly1305. High-end devices have support for AES-GCM, smaller ones do better with ChaCha20-Poly1305. ◮ Security is getting better. Some obstacles: bugs; untrustworthy hardware; Daniel J. Bernstein & Tanja Lange Post-quantum cryptography 12

  17. Summary: current state of the art ◮ Currently used crypto (check the lock icon in your browser) starts with RSA, Diffie-Hellman (DH) in finite fields, or elliptic-curve Diffie-Hellman (ECDH). ◮ Older standards are RSA or elliptic curves from NIST (or Brainpool), e.g. NIST P256 or ECDSA. ◮ Internet currently moving over to Curve25519 (Bernstein) and Ed25519 (Bernstein, Duif, Lange, Schwabe, and Yang). ◮ For symmetric crypto TLS (the protocol behind https) uses AES or ChaCha20 and some MAC, e.g. AES-GCM or ChaCha20-Poly1305. High-end devices have support for AES-GCM, smaller ones do better with ChaCha20-Poly1305. ◮ Security is getting better. Some obstacles: bugs; untrustworthy hardware; let alone anti-security measures such as laws restricting encryption in Australia, China, Iran, Russia, UK. Daniel J. Bernstein & Tanja Lange Post-quantum cryptography 12

  20. Universal quantum computers are coming, and are scary ◮ Massive research effort. Tons of progress summarized in, e.g., https: //en.wikipedia.org/wiki/Timeline_of_quantum_computing . Daniel J. Bernstein & Tanja Lange Post-quantum cryptography 15

  21. Universal quantum computers are coming, and are scary ◮ Massive research effort. Tons of progress summarized in, e.g., https: //en.wikipedia.org/wiki/Timeline_of_quantum_computing . ◮ Mark Ketchen, IBM Research, 2012, on quantum computing: “We’re actually doing things that are making us think like, ‘hey this isn’t 50 years off, this is maybe just 10 years off, or 15 years off.’ It’s within reach.” ◮ Fast-forward to 2022, or 2027. Universal quantum computers exist. Daniel J. Bernstein & Tanja Lange Post-quantum cryptography 15

  22. Universal quantum computers are coming, and are scary ◮ Massive research effort. Tons of progress summarized in, e.g., https: //en.wikipedia.org/wiki/Timeline_of_quantum_computing . ◮ Mark Ketchen, IBM Research, 2012, on quantum computing: “We’re actually doing things that are making us think like, ‘hey this isn’t 50 years off, this is maybe just 10 years off, or 15 years off.’ It’s within reach.” ◮ Fast-forward to 2022, or 2027. Universal quantum computers exist. ◮ Shor’s algorithm solves in polynomial time: ◮ Integer factorization. RSA is dead. ◮ The discrete-logarithm problem in finite fields. DSA is dead. ◮ The discrete-logarithm problem on elliptic curves. ECDSA is dead. ◮ This breaks all current public-key cryptography on the Internet! Daniel J. Bernstein & Tanja Lange Post-quantum cryptography 15

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Standardization of post-quantum cryptography Tanja Lange 08 May 2016 A Workshop About

Standardization of post-quantum cryptography Tanja Lange 08 May 2016 A Workshop About

Standardization of post-quantum cryptography Tanja Lange 08 May 2016 A Workshop About Cryptographic Standards History of post-quantum cryptography 2003 Daniel J. Bernstein introduces term Post-quantum cryptography. PQCrypto 2006:

623 views • 23 slides
Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers

Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers

Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers can break public-key cryptography that is based on assuming hardness of factoring, discrete logs, and a few other problems I Post-quantum

2.98k views • 37 slides
Incorporating Post-Quantum Cryptography in a microservice architecture Research Project 2 Why

Incorporating Post-Quantum Cryptography in a microservice architecture Research Project 2 Why

R. van der Gaag, D. Weller Incorporating Post-Quantum Cryptography in a microservice architecture Research Project 2 Why think about post-quantum cryptography W. Buchanan et. al concluded Gate-based quantum computers pose a significant

349 views • 18 slides
SW/HW Codesign of the Post-Quantum Cryptography Algorithm NTRUEncrypt Using HLS and RTL Design

SW/HW Codesign of the Post-Quantum Cryptography Algorithm NTRUEncrypt Using HLS and RTL Design

SW/HW Codesign of the Post-Quantum Cryptography Algorithm NTRUEncrypt Using HLS and RTL Design Methodologies Farnoud Farahmand, Duc Tri Nguyen, Viet B. Dang*, Ahmed Ferozpuri and Kris Gaj George Mason University Post st-Quantum Quantum

441 views • 14 slides
Quantum Cryptography Lecture 28 Quantum Cryptography Quantum Cryptography Quantum information:

Quantum Cryptography Lecture 28 Quantum Cryptography Quantum Cryptography Quantum information:

Quantum Cryptography Lecture 28 Quantum Cryptography Quantum Cryptography Quantum information: Using microscopic physical state of quantum systems (spin of atoms/sub-atomic particles, polarization of photons etc.) to encode information

1.95k views • 154 slides
From linear algebra to post-quantum cryptography Dr. Ir. Fr e Vercauteren

From linear algebra to post-quantum cryptography Dr. Ir. Fr e Vercauteren

Quantum computers and factoring Learning with errors Cryptography from LWE From linear algebra to post-quantum cryptography Dr. Ir. Fr e Vercauteren frederik.vercauteren@gmail.com Open Security Research (China) ESAT/COSIC - KU Leuven

1.34k views • 70 slides
An Overview on Post-Quantum Cryptography with an Emphasis on Code based Systems Joachim Rosenthal

An Overview on Post-Quantum Cryptography with an Emphasis on Code based Systems Joachim Rosenthal

Basics on Public Key Crypto Systems Research Directions in Post-Quantum Cryptography Variants of McEliece System Distinguisher Attacks McEliece for Rank Metric Codes An Overview on Post-Quantum Cryptography with an Emphasis on Code based

1.05k views • 100 slides
Introduction to post-quantum cryptography I Tanja Lange Technische Universiteit Eindhoven

Introduction to post-quantum cryptography I Tanja Lange Technische Universiteit Eindhoven

Introduction to post-quantum cryptography I Tanja Lange Technische Universiteit Eindhoven Executive School on Post-Quantum Cryptography 01 July 2019 Cryptography Motivation #1: Communication channels are spying on our data. Motivation

728 views • 42 slides
The Quantum Risk & Post-Quantum Crypto JP Aumasson The Quantum Risk & Post-Quantum

The Quantum Risk & Post-Quantum Crypto JP Aumasson The Quantum Risk & Post-Quantum

The Quantum Risk & Post-Quantum Crypto JP Aumasson The Quantum Risk & Post-Quantum Crypto JP Aumasson uantum /me 15 years experience in applied cryptography (PhD, industry, consulting) Designed widely used algorithms Author of the

816 views • 52 slides
Implementing post-quantum cryptography Peter Schwabe Radboud University, Nijmegen, The

Implementing post-quantum cryptography Peter Schwabe Radboud University, Nijmegen, The

Implementing post-quantum cryptography Peter Schwabe Radboud University, Nijmegen, The Netherlands June 28, 2018 PQCRYPTO Mini-School 2018, Taipei, Taiwan Part I: How to make software secure Implementing post-quantum cryptography 2 Timing

1.44k views • 116 slides
Post-quantum cryptography Tanja Lange 02 October 2015 Academy Contact Forum Coding Theory and

Post-quantum cryptography Tanja Lange 02 October 2015 Academy Contact Forum Coding Theory and

Post-quantum cryptography Tanja Lange 02 October 2015 Academy Contact Forum Coding Theory and Cryptography VI In the long term, all encryption needs to be post-quantum Mark Ketchen, IBM Research, 2012, on quantum computing: Were

854 views • 42 slides
Post-Quantum Cryptography Dr. Ruben Niederhagen, February 8, 2016 Introduction Quantum Computers

Post-Quantum Cryptography Dr. Ruben Niederhagen, February 8, 2016 Introduction Quantum Computers

Post-Quantum Cryptography Dr. Ruben Niederhagen, February 8, 2016 Introduction Quantum Computers Using quantum states for computation: Introduced in 1985 by David Deutsch [3]. Operate on qubits using gates that perform reversible

1.69k views • 157 slides
Post-quantum cryptography Tanja Lange (with Daniel J. Bernstein) Technische Universiteit

Post-quantum cryptography Tanja Lange (with Daniel J. Bernstein) Technische Universiteit

Post-quantum cryptography Tanja Lange (with Daniel J. Bernstein) Technische Universiteit Eindhoven 17 January 2016 8th Winter School on Quantum Cybersecurity Cryptography Motivation #1: Communication channels are spying on our

894 views • 68 slides
Part I: Introduction to Post Quantum Cryptography Tutorial@CHES 2017 - Taipei Tim Gneysu

Part I: Introduction to Post Quantum Cryptography Tutorial@CHES 2017 - Taipei Tim Gneysu

Part I: Introduction to Post Quantum Cryptography Tutorial@CHES 2017 - Taipei Tim Gneysu Ruhr-Universitt Bochum & DFKI 04.10.2017 Overview Goals Provide a high-level introduction to Post-Quantum Cryptography (PQC)

1.18k views • 113 slides
Post-quantum cryptography Tanja Lange 07 October 2015 SPACE 2015 In the long term, all

Post-quantum cryptography Tanja Lange 07 October 2015 SPACE 2015 In the long term, all

Post-quantum cryptography Tanja Lange 07 October 2015 SPACE 2015 In the long term, all encryption needs to be post-quantum Mark Ketchen, IBM Research, 2012, on quantum computing: Were actually doing things that are making us think like,

901 views • 41 slides
Quantum Cryptography Lecture 26 Quantum Cryptography Quantum information: Using microscopic

Quantum Cryptography Lecture 26 Quantum Cryptography Quantum information: Using microscopic

Quantum Cryptography Lecture 26 Quantum Cryptography Quantum information: Using microscopic physical state of quantum systems (spin of atoms/sub-atomic particles, polarization of photons etc.) to encode information (and generate

455 views • 19 slides
List of Attendees Paul Stacey, John Storer, Rich Langan, David Patrick, Dean Peschel, Lindsey

List of Attendees Paul Stacey, John Storer, Rich Langan, David Patrick, Dean Peschel, Lindsey

List of Attendees Paul Stacey, John Storer, Rich Langan, David Patrick, Dean Peschel, Lindsey Williams, Fred Short, Cory Riley, Terry Desmarais, Ray Grizzle, Krystin Ward, Robert Eckert, Kevin Sullivan, Doug Grout, Bruce Smith, Shannon Rogers,

1.15k views • 75 slides
Predicting the relevance of distributional semantic similarity with contextual information

Predicting the relevance of distributional semantic similarity with contextual information

Predicting the relevance of distributional semantic similarity with contextual information Philippe Muller, Ccile Fabre, Clmentine Adam IRIT & CLLE, University of Toulouse June 23rd, 2014 supported by Asfalda project (ANR-12-CORD-023)

269 views • 15 slides
The Strategist Adam Brandenburger J.P . Valles Professor, NYU Stern School of

The Strategist Adam Brandenburger J.P . Valles Professor, NYU Stern School of

The Strategist Adam Brandenburger J.P . Valles Professor, NYU Stern School of Business Distinguished Professor, NYU Tandon School of Engineering Faculty Director, NYU Shanghai Program on Creativity + Innovation Global

881 views • 35 slides
Named Entity Recognition & Sequence Labeling CSCI 699: ML for Knowledge Extraction &

Named Entity Recognition & Sequence Labeling CSCI 699: ML for Knowledge Extraction &

Named Entity Recognition & Sequence Labeling CSCI 699: ML for Knowledge Extraction & Reasoning Instructor: Xiang Ren USC Computer Science Recap: Information Extraction Information extraction (IE) systems Find and understand

1.82k views • 142 slides
SPDY, err... HTTP 2.0 WebRTC what is it, how, why, and when? Make the Web Fast, Google Improve

SPDY, err... HTTP 2.0 WebRTC what is it, how, why, and when? Make the Web Fast, Google Improve

SPDY, err... HTTP 2.0 WebRTC what is it, how, why, and when? Make the Web Fast, Google Improve end-user perceived latency Address the "head of line blocking" Not require multiple connections Retain the semantics of

1.16k views • 47 slides
What, exactly, is different or new about MOBILE mobile security? SECURITY TECHNOLOGIES 2017

What, exactly, is different or new about MOBILE mobile security? SECURITY TECHNOLOGIES 2017

What, exactly, is different or new about MOBILE mobile security? SECURITY TECHNOLOGIES 2017 Dan S. Wallach , Rice University tl;dr The computers inside the computer Every chip has one or more CPUs inside; they have exploitable bugs

1.23k views • 87 slides
Open Information Extraction Mausam Associate Professor Indian Institute of Technology, Delhi

Open Information Extraction Mausam Associate Professor Indian Institute of Technology, Delhi

Open Information Extraction Mausam Associate Professor Indian Institute of Technology, Delhi The Internet is the worlds largest library. Its just that all the books are on the floor. - John Allen Paulos ~20 Trillion URLs (Google)

1.34k views • 89 slides
What is EGG? Measures amount of current between electrodes Re fm ects the amount of vocal

What is EGG? Measures amount of current between electrodes Re fm ects the amount of vocal

10/7/18 Electroglottography for voice analysis Marc Garellek, UCSD AMP 2018 What is EGG? Measures amount of current between electrodes Re fm ects the amount of vocal fold contact: More VF contact more EGG current 1 1 10/7/18

329 views • 11 slides

More recommend