Post-Quantum Cryptography Johannes Buchmann and Nina Bindel - PowerPoint PPT Presentation

Post-Quantum Cryptography Johannes Buchmann and Nina Bindel 16.01.2015 | 1

Public-key cryptography 16.01.2015 | 2

Public-key encryption plaintext plaintext encrypt decrypt ciphertext public secret  16.01.2015 | 3

Digital signatures document sign verify valid / invalid signature secret public  16.01.2015 | 4

IT-security requires public-key cryptography 16.01.2015 | 5

TLS TLS public-key encryption digital signatures Billions daily! 16.01.2015 | 6

Software downloads digital signatures 16.01.2015 | 7

Number of worldwide downloads from Apple App Store July 2008 - October 2014 (in billions) 90 85 80 75 70 70 60 60 Downloads (in billions) 50 50 40 40 35 30 30 25 18 20 15 14 10 10 7 6,5 5 4 3 1,5 1 0,01 0,1 0 Jul '08 Sep '08 Apr '09 Jul '09 Jan '10 April '10 June Sep '10 Oct '10 Jan '11 Jun '11 Jul '11 Okt '11 Mar '12 Jun '12 Oct '12 Jan '13 May '13 Oct '13 Apr '14 Jun '14 Oct '14 '10 Source: Apple 16.01.2015 | 8

Current public-key cryptography 16.01.2015 | 9

“Generic” RSA finite Group G , exponent e , gcd e, G � 1 Public key: |G| Secret key: � g � �� ��� |�| , g ∈ G � g Allows to compute : 16.01.2015 | 10

“Generic” RSA encryption finite Group G , exponent e , gcd e, G � 1 Public key: |G| Secret key: � g � �� ��� |�| , g ∈ G � g Allows to compute: encrypt decrypt plaintext plaintext ciphertext g g s � s � g � g � s ,e 16.01.2015 | 11

“Generic” RSA signature finite Group G , exponent e , gcd e, G � 1 Public key: |G| Secret key: � g � �� ��� |�| , g ∈ G � g Allows to compute: h: �0,1� ∗ → G Hash function sign verify document signature valid / d s invalid s � � ? h�d� � s � h�d� 16.01.2015 | 12

RSA: How to keep |�| secret? e, p, q primes, n � pq , G � ��/n�� ∗ Public key: G � p � 1 q � 1 Secret key: relies on hardness of integer factorization only known method to keep |G| secret 16.01.2015 | 13

Factorization complexity   (log ) (log log ) ( u 1 u ) v n n [ , ] L u v e n L n [0,v] = (log n ) v polynomial L n [1,v] = ( e log n ) v exponential 16.01.2015 | 14

Factorization progress 1984 1993 2009 1996 1988 1985 1994 2003 2012 RSA-130 RSA-120 (NFS) (QS) RSA-768 (NFS) Elliptic Curve RSA-576 Method (NFS) 2 1061 − 1 (NFS) Quadratic Sieve Number Field Shor L � �1/2,1 � o 1 � Sieve algorithm L � �0, v ] � L � �1/3, 64/9 ] 16.01.2015 | 15

ElGamal encryption and signatures Rely on Discrete Logarithm Problem: Given: Group G � g , h ∈ G x ∈ � with h � g � Find: Choices for G : -GF �p � � ∗ - group of points of elliptic curves over GF �p � � 16.01.2015 | 16

Algorithms for solving �� � � ∗ -DL 1994 1975 1992 2013 2014 2012 GF( 2 ���·�� ) Number Field Sieve GF( 3 �·�� ) Joux � L � �1/3, 64/9 ] L_n�1/4, v ] Shor algorithm L � �0, v ] GF( 3 �·��� ) Pollard Rho L_n�1, v ] 16.01.2015 | 17

Algorithms for solving EC-DL 2000 1994 1975 2004 2009 1997 2002 2014 ECC2K-108 ECC-2-109 ECC-p-79 ECC-p-109 Secp112r1 Shor algorithm L � �0, v ] ECC2K-113 Pollard Rho L � �1, v ] 16.01.2015 | 18

The quantum computer threat 16.01.2015 | 19

Shor’s algorithm 1997 RSA and ElGamal insecure 16.01.2015 | 20

Quantum computer realistic? 16.01.2015 | 21

Quantum computer realistic 16.01.2015 | 22

16.01.2015 | 23

Post-quantum cryptography 16.01.2015 | 24

Performance requirements Secure until Security level RSA Elliptic curve modulus/finite field size 2015 80 1248 160 2025 96 1776 192 2030 112 2493 224 2040 128 3248 256 Ecrypt recommendations • Space for keys and signatures: a few kilobytes • Small ciphertext expansion • Times: milliseconds 16.01.2015 | 25

Post-quantum problems? No provable quantum resistence NP ‐ complete We must look here NP Factoring Bounded-Error BQP Quantum P Polynomial-Time 16.01.2015 | 26

Candidates • Solving non-linear equation systems over finite fields • Bounded distance decoding over NP ‐ complete finite fields • Short and close lattice vectors NP • Breaking cryptographic hash functions Factoring BQP • Quantum key exchange P 16.01.2015 | 27

Strategy Crypto scheme parameter set Security level 4 Assess Optimize performance 2 3 1 hardness instance Quantum resistant problem 16.01.2015 | 28

Multivariate cryptography 16.01.2015 | 29

MQ problem 4x � x � � y � z ≡ 1 mod 13 7y � � 2xz � ≡ 12 mod 13 x � y � � 12xz � ≡ 4 mod 13 Solution: x � 15, y � 29, z � 45 16.01.2015 | 30

MQ-Problem n, m, p � , … , p � ∈ F x � , … , x � quadratic , F finite field Given: y � , … , y � ∈ F , such that Find: p � y � , … , y � � … � p � y � , … , y � � 0 MP is NP-complete (Garey, Johnson 1979) (decision version) 16.01.2015 | 31

Multivariate signatures Fast P : F � → F � , easily invertible non-linear S: F � → F � , T: F � → F � , affine linear Large keys: 100 kBit for 100 bit security G � S ◦ P ◦ T , hard to invert Public key: Compared to S, P ,T allows to compute G � � T �� ◦ P �� ◦ S �� 1776 bit Secret Key: RSA modulus s � T �� ◦ P �� ◦ S �� �m� Signing: • UOV , Goubin et al., 1999 G�s� � ? m • Rainbow, Ding, et al. 2005 Verifying: • pFlash, Cheng, 2007 • Gui, Ding, Petzoldt, 2015 Forging signature: Solve G s � m � 0 16.01.2015 | 32

Code-based cryptography 16.01.2015 | 33

Bounded distance decoding problem � Linear code C ⊆ F � Given: • � y ∈ F � • t ∈ � • x ∈ C: dist�x, y� � t Find: • BDD is NP-complete (Berlekamp et al. 1978) (Decisional version) 16.01.2015 | 34

McEliece cryptosystem (1978) S, G, P matrices over F Allows to G generator matrix for Goppa code solve BDD G′ � S ◦ G ◦ P , t Public key: P, S, G Secret Key: Fast c � mG � � z ∈ F � Encryption: Large public keys! x � cP �� � mSG � zP �� Decryption: 500 kBits for 100 bit security Compared to 1776 bit RSA solve BDD to get y � mSG modulus decode to obtain m IND-CPA secure version 16.01.2015 | 35

Lattice-based cryptography 16.01.2015 | 36

Why lattice-based cryptography? • Expected to resist quantum computer attacks • Worst-to-average-case reduction • Permits fully homomorphic encryption 16.01.2015 | 37

Lattice problems n ∈ �, L � �b � � ⋯ � �b � ⊆ � n lattice; B = (b 1 , …, b n ) basis � -Shortest Vector Problem (SVP) Given: α � 1 , lattice L � L�B� basis B Find: v ∈ L nonzero such that | v | � αλ � �L� � -Closest Vector Problem (CVP) Given: α � 1 , lattice L � L�B� basis B, t v ∈ L such that t � v � α min �∈� | t � w | Find: 16.01.2015 | 38

2-dimensional α CVP Given: B � b � , b � , t, α Find: CV t ∈ L B : t � CV t � α min ||t � w|| w ∈ L t b 2 CV�t� b 1 16.01.2015 | 39

Complexity of � -CVP Arora et al. (1997):   c log n - CVP is NP - hard for all c  not NP - hard NP - hard n Goldreich, Goldwasser (2000):     coNP  coNP AM AM  / log - CVP is not NP - hard or n n 16.01.2015 | 40

Practical complexity http://www.latticechallenge.org/ 16.01.2015 | 41

The idea of lattice-based cryptography • GGH Sign 1995 • NTRU Encrypt 1996 • NTRU Sign 2003 16.01.2015 | 42

Reduced bases (Gauß 1801) b � 1 b � 2 b � 16.01.2015 | 43

� � , � � reduced ⇒ CVP easy t � x � b � � x � b � CV t � �x 1 �b � � �x 2 � b � t b 2 CV�t� b 1 16.01.2015 | 44

� � � � , � � not reduced ⇒ CVP hard L = � 2 , B = ( 1 0 , 0 1 �, t � 3.4 �2.3 , CVP�t� � 3 �2 Another basis B ’ = ( 100 99 , 99 98 ) t = 3.4 �2.3 = − 560.9 · 100 + 566.6 · 99 99 98 − 561 · 100 + 567 · 99 98 = 33 3 27 � �2 = CVP�t� 99 16.01.2015 | 45

Key generation Key generation: n ∈ �, L ⊆ � n lattice Secret key: „reduced“ basis B of L . (Allows to efficiently solve CVP.) Public key: „bad” basis B’ of L . (Does not.) 16.01.2015 | 46

Public-key encryption Plaintext v ∈ L Encryption( public key , v ) - small e ∈ � n w - ciphertext w � v � e e v Decryption( secret key, w ): ‐ v � CV�w� 16.01.2015 | 47

Digital signature Public: Cryptographic hash function h: 0,1 → � n Sign(secret key, document d ): w � h�d� v � CV�w� w Verify(public key, v, w ): v v close to w ? 16.01.2015 | 48

Learning the secret key Nguyen and Regev 2006 s1 s1 s3 s4 s2 NTRU-251 broken using ≈ 400 signatures GGH-400 broken using ≈ 160.000 signatures 16.01.2015 | 49