POST-QUANTUM CRYPTOGRAPHY: HOW WILL WE ENCRYPT TOMORROW? Hanno Böck - PowerPoint PPT Presentation



SLIDE 1

POST-QUANTUM CRYPTOGRAPHY

HOW WILL WE ENCRYPT TOMORROW?

Hanno Böck https://hboeck.de

SLIDE 2

INTRODUCTION

Hanno Böck, freelance journalist and hacker. Writing for Golem.de and others. Fuzzing Project, funded by Linux Foundation's Core Infrastructure Initiative. Author of the monthly Bulletproof TLS Newsletter.

SLIDE 3

Richard Feynman presents idea of a quantum computer

1982

CC by-sa 3.0, Tamiko Thiel, Wikimedia Commons

SLIDE 4

Peter Shor shows quantum computers could break public key cryptography

1994

CC sa 1.0, Peter Shor, Wikimedia Commons

SLIDE 5

QUANTUM COMPUTERS

Well understood theory, but hard to engineer. Some researchers give timeframes of 10-15 years for scalable quantum computers.

SLIDE 6

POST-QUANTUM CRYPTOGRAPHY

Algorithms that we believe to be resistant to quantum attacks. Development still in early stages.

SLIDE 7

SYMMETRIC POST-QUANTUM CRYPTOGRAPHY

Hash functions (SHA-2, SHA-3) and symmetric encryption (AES) are the easy part. Grover's algorithm only gives a square-root speedup on brute force, so larger keys are enough (256 bit is fine).

SLIDE 8

PUBLIC KEY CRYPTOGRAPHY

  • Encryption with separate public and private key
  • Signatures
  • Key exchanges

SLIDE 9

UNDERLYING PROBLEMS OF PUBLIC KEY CRYPTOGRAPHY

  • Factoring-based (RSA)
  • Discrete-logarithm-based (Diffie-Hellman, DSA, ElGamal)
  • Elliptic-curve-based (ECDSA, ECDH, X25519, Ed25519)

Quantum computers break all three: Shor's algorithm solves factoring and discrete logarithms, including the elliptic-curve variant, in polynomial time.

SLIDE 10

CRYPTO IS BROKEN

Almost every crypto software and protocol today uses these algorithms: TLS/SSL, SSH, OpenPGP/GnuPG, Signal, WhatsApp, OTR, OMEMO, ... Quantum computers break practically everything that uses crypto.

SLIDE 11

CANDIDATES FOR POST-QUANTUM CRYPTOGRAPHY

  • Code-based cryptography
  • Lattice-based cryptography
  • Isogeny-based cryptography
  • Hash-based signatures
  • Multivariate cryptography

SLIDE 12

CONSERVATIVE, SAFE CHOICES

EU PQCRYPTO recommendations

SLIDE 13

MCELIECE / MCBITS

McEliece: code-based encryption (1978). McBits: implementation and parameters from the paper by Bernstein, Chou and Schwabe (2013). Good: old, well researched. Bad: large public keys (~1 MB).

SLIDE 14

HASH-BASED SIGNATURES

Good: as secure as the hash function. XMSS: needs internal state (every one-time key may be used exactly once). SPHINCS: no state, but large signatures.
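What "as secure as the hash function" and "needs internal state" mean in practice, as an added example (not code from the talk, not XMSS itself): Lamport one-time signatures under a small Merkle tree, with a signer whose only secret state is the index of the next unused leaf. The final function simulates the classic failure mode, a key file restored from an old backup, and counts how much of the one-time key that leaks. Tree height, message strings and the rollback are constructed for the demo.

```python
import hashlib
import secrets


def H(data: bytes) -> bytes:
    """The only primitive the scheme relies on: a hash function (SHA-256)."""
    return hashlib.sha256(data).digest()


def _bit(digest: bytes, i: int) -> int:
    return (digest[i // 8] >> (i % 8)) & 1


# Lamport one-time signature: 256 pairs of secret 32-byte preimages.
def lamport_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def lamport_sign(sk, msg: bytes):
    # For every bit of H(msg), reveal the preimage matching that bit's value.
    d = H(msg)
    return [sk[i][_bit(d, i)] for i in range(256)]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    d = H(msg)
    return all(H(sig[i]) == pk[i][_bit(d, i)] for i in range(256))


def pk_leaf(pk) -> bytes:
    return H(b"".join(a + b for a, b in pk))


# Merkle tree over 2**height one-time public keys (the XMSS idea).
def merkle_root(nodes):
    while len(nodes) > 1:
        nodes = [H(nodes[i] + nodes[i + 1]) for i in range(0, len(nodes), 2)]
    return nodes[0]


def auth_path(leaves, index: int):
    path, nodes = [], leaves
    while len(nodes) > 1:
        path.append(nodes[index ^ 1])  # sibling on this level
        nodes = [H(nodes[i] + nodes[i + 1]) for i in range(0, len(nodes), 2)]
        index //= 2
    return path


def root_from_path(leaf: bytes, index: int, path) -> bytes:
    node = leaf
    for sibling in path:
        node = H(node + sibling) if index % 2 == 0 else H(sibling + node)
        index //= 2
    return node


class StatefulHashSigner:
    """next_index is the state: it must advance with every signature and
    must never roll back, or a one-time key gets used twice."""

    def __init__(self, height: int = 3):
        self.keys = [lamport_keygen() for _ in range(2 ** height)]
        self.leaves = [pk_leaf(pk) for _, pk in self.keys]
        self.root = merkle_root(self.leaves)  # the long-term public key
        self.next_index = 0

    def sign(self, msg: bytes):
        if self.next_index >= len(self.keys):
            raise RuntimeError("all one-time keys used up; generate a new tree")
        idx = self.next_index
        self.next_index += 1  # persist the new state before releasing the signature
        sk, pk = self.keys[idx]
        return idx, lamport_sign(sk, msg), pk, auth_path(self.leaves, idx)


def verify(root: bytes, msg: bytes, signature) -> bool:
    idx, ots_sig, pk, path = signature
    return lamport_verify(pk, msg, ots_sig) and root_from_path(pk_leaf(pk), idx, path) == root


def leaked_pairs(msg1: bytes, msg2: bytes) -> int:
    """Cost of state reuse: two signatures under one Lamport key reveal BOTH
    preimages at every position where the two digests differ (about half)."""
    d1, d2 = H(msg1), H(msg2)
    return sum(1 for i in range(256) if _bit(d1, i) != _bit(d2, i))


def state_rollback_demo() -> int:
    signer = StatefulHashSigner(height=3)
    m1, m2 = b"pay 10 EUR", b"pay 1000 EUR"   # constructed messages
    signer.sign(m1)
    signer.next_index -= 1  # e.g. the key file was restored from an old backup
    signer.sign(m2)          # same leaf signs again: the one-time key is burnt
    return leaked_pairs(m1, m2)
```

A verifier only ever needs the hash function, which is the "as secure as the hash function" property. The price is the state: with roughly half of the preimage pairs exposed after one rollback, the attacker can forge any message whose digest happens to fit the revealed halves, and every further reuse widens that set. Stateless schemes such as SPHINCS remove this failure mode by selecting one-time keys pseudorandomly from a huge tree, at the cost of much larger signatures.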

SLIDE 15

LATTICES

NTRU, Ring-Learning-With-Errors, New Hope, NTRU Prime, BLISS, Tesla#. Pro: practical, fast, relatively small keys. Con: patents, conflicts over security estimates. Most likely candidate for early deployments.
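The problem underneath the lattice schemes listed above, as an added toy example (not code from the talk and not New Hope, NTRU or any real scheme): plain Learning With Errors encryption in the style of Regev. The public key is a set of noisy linear equations; without the noise the secret would fall to Gaussian elimination, with it the equations are hard to solve. The parameters N, M and Q are constructed so the code runs in a second and decrypts correctly; they offer no security at all. Real schemes use Ring-LWE to shrink keys and a proper error distribution.

```python
import secrets

Q = 3329  # modulus (toy choice; nothing else here resembles a real scheme)
N = 32    # dimension of the secret vector
M = 64    # number of noisy equations published in the public key
# Decryption is always correct here because |r^T e| <= M = 64 < Q/4 = 832.


def _uniform(length):
    return [secrets.randbelow(Q) for _ in range(length)]


def _small(length):
    return [secrets.randbelow(3) - 1 for _ in range(length)]  # errors in {-1, 0, 1}


def _dot(a, b):
    return sum(x * y for x, y in zip(a, b)) % Q


def keygen():
    """Public key (A, b = A*s + e). The error e is what turns solving for s
    from linear algebra into the LWE problem."""
    A = [_uniform(N) for _ in range(M)]
    s = _uniform(N)
    b = [(_dot(row, s) + err) % Q for row, err in zip(A, _small(M))]
    return (A, b), s


def encrypt_bit(pk, bit):
    """Pick a random subset of the public equations (r in {0,1}^M), add them
    up, and hide the bit in the constant term as 0 or Q/2."""
    A, b = pk
    r = [secrets.randbelow(2) for _ in range(M)]
    u = [sum(r[i] * A[i][j] for i in range(M)) % Q for j in range(N)]
    v = (sum(r[i] * b[i] for i in range(M)) + bit * (Q // 2)) % Q
    return u, v


def decrypt_bit(s, ct):
    """v - <u, s> = r^T e + bit*Q/2. The accumulated noise r^T e is small, so
    the result still lands in the half of Z_Q that encodes the bit."""
    u, v = ct
    d = (v - _dot(u, s)) % Q
    return 1 if Q // 4 <= d <= 3 * Q // 4 else 0


def encrypt(pk, msg: bytes):
    return [encrypt_bit(pk, (byte >> i) & 1) for byte in msg for i in range(8)]


def decrypt(s, cts) -> bytes:
    bits = [decrypt_bit(s, ct) for ct in cts]
    return bytes(sum(bits[8 * k + i] << i for i in range(8)) for k in range(len(bits) // 8))
```

Two things the slide's "conflicts over security estimates" refer to become visible here: the security depends on the size of the noise relative to Q (too small and the equations become solvable, too large and decryption fails), and the choice of N and Q is a trade-off between key size and the cost of the best known lattice attacks, which is exactly what the competing parameter proposals disagree about.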

SLIDE 16

SUPERSINGULAR ISOGENIES OF ELLIPTIC CURVES

SIDH: Diffie-Hellman-like key exchange. Pro: very similar workflow to Diffie-Hellman, small keys. Con: not that fast, very new, needs more research. (Since this talk was given, SIDH/SIKE has been broken by a classical key-recovery attack, Castryck and Decru, 2022, so it is no longer a candidate.)

SLIDE 17

POST-QUANTUM CRYPTOGRAPHY TODAY

We have the choice between very impractical and experimental algorithms.

SLIDE 18

IMPLEMENTATION CONSIDERATIONS

SLIDE 19

ATTACKS ON OLD CRYPTO

Logjam (export-grade Diffie-Hellman), FREAK (export-grade RSA), DROWN (SSLv2 still enabled), SWEET32 (64-bit block ciphers such as 3DES and Blowfish)

SLIDE 20

DEPRECATION IS HARD

It often takes decades to deprecate old crypto. Windows XP compatibility is still a concern for some. If quantum computers come in 10-15 years, the transition will be rough.

SLIDE 21

IT'S NOT JUST THE ALGORITHMS

Secure algorithms can be used in insecure ways. October 2016: Three research papers on potential backdoors and security issues with Diffie Hellman. If we don't even know how to use the oldest public key algorithm safely, how should we know how to use entirely new algorithms?

SLIDE 22

STORE NOW, DECRYPT LATER

Attackers could store large amounts of encrypted communication today and decrypt it once a quantum computer is available. Strong argument for fast deployment.

SLIDE 23

HYBRID MODES

No confidence in practical post-quantum schemes yet. Combine an experimental post-quantum algorithm with a well researched pre-quantum algorithm, so an attacker has to break both. Example: X25519 (elliptic curve) and New Hope (lattice-based) key exchange.

SLIDE 24

CECPQ1

Google deployed New Hope / X25519 hybrid in Chrome/BoringSSL and on some servers.
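The structure of a hybrid key exchange as described on the two slides above (hybrid modes, CECPQ1), as an added example that is not Google's or BoringSSL's code: a complete pure-Python X25519 (RFC 7748) for the classical half, an HKDF combiner that feeds both shared secrets into one key derivation bound to the handshake transcript, and the two sides' computations. The post-quantum shared secret is whatever the PQ KEM (New Hope in CECPQ1) would give both parties; it is passed in as a byte string here rather than computed, and the salt label is an illustrative assumption. CECPQ1 itself concatenated the two secrets into TLS's own key derivation, which this example stands in for with HKDF.

```python
import hashlib
import hmac
import secrets

P = 2 ** 255 - 19
BASEPOINT = (9).to_bytes(32, "little")


def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519 (Montgomery ladder). Teaching code: plain Python ints,
    no attempt at constant-time behaviour."""
    kb = bytearray(k)
    kb[0] &= 248          # clamp the scalar as the RFC prescribes
    kb[31] &= 127
    kb[31] |= 64
    k_int = int.from_bytes(kb, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k_int >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract, then expand) with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hybrid_key(ss_classical: bytes, ss_pq: bytes, transcript: bytes) -> bytes:
    """The combiner: both shared secrets go into one KDF, bound to the handshake
    transcript. An attacker has to recover BOTH secrets to learn the key."""
    return hkdf_sha256(ss_classical + ss_pq,
                       salt=b"hybrid x25519+pq key exchange (illustrative label)",
                       info=hashlib.sha256(transcript).digest())


def hybrid_handshake(pq_shared_secret: bytes):
    """Client and server each run X25519; the post-quantum secret is whatever
    the PQ KEM gave both of them (passed in here, not computed)."""
    a, b = secrets.token_bytes(32), secrets.token_bytes(32)  # ephemeral scalars
    A, B = x25519(a, BASEPOINT), x25519(b, BASEPOINT)          # public values
    transcript = A + B
    ss_client, ss_server = x25519(a, B), x25519(b, A)
    k_client = hybrid_key(ss_client, pq_shared_secret, transcript)
    k_server = hybrid_key(ss_server, pq_shared_secret, transcript)
    return k_client, k_server, transcript, ss_client
```

The "store now, decrypt later" attacker who records this handshake and later runs Shor's algorithm recovers ss_client from the transcript, but still needs the post-quantum secret to get the key; conversely, if the experimental PQ scheme turns out to be weak, the X25519 secret alone keeps the key out of reach of today's attackers. Binding the transcript into the derivation makes sure a key is tied to the specific public values that were exchanged.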

SLIDE 25

REBELALLIANCE

Hybrid New Hope / X25519 key exchange for Tor.

SLIDE 26

QUANTUM MYTHBUSTING

SLIDE 27

WHEN WILL I HAVE A QUANTUM COMPUTER ON MY DESK?

Maybe never.

SLIDE 28

QUANTUM ALGORITHMS

Quantum computers don't magically make everything faster, they're faster for very specific problems (factoring, physical simulations). Even if possible: It's not clear if there's a need for home quantum computers. Possible scenario: Quantum computers are run by universities and companies, one can rent computing time.

SLIDE 29

D-WAVE

The D-Wave quantum computer can't run Shor's algorithm. It's not clear if D-Wave quantum computers can do anything useful. But they are almost certainly irrelevant for cryptography.

SLIDE 30

QUANTUM CRYPTOGRAPHY

Image public domain, Wikimedia Commons

SLIDE 31

CLARIFICATION OF VOCABULARY

Quantum computing: Using quantum effects to solve mathematical problems that can't efficiently be solved on normal computers. Post-Quantum cryptography: Cryptography that resists attacks with quantum computers. Quantum cryptography / quantum key distribution: Using physical channels to exchange cryptographic keys.

SLIDE 32

QUANTUM CRYPTOGRAPHY / QKD

Idea: cryptography that is secure based on the laws of physics. Send single photons with key bits encoded in their polarization, then compare the polarization filter settings over a public channel (BB84). This has major drawbacks and solves nothing.

SLIDE 33

HUGE HYPE

Latest trend: Talk about Quantum Internet.

SLIDE 34

LIMITATIONS

Very likely limited distances (tens or hundreds of kilometers). Or maybe this is good?

SLIDE 35

"But they can only function over distances up to 300 km [...] Instead, repeaters based on trusted nodes or fully quantum devices, possibly involving satellites, are needed to reach global distances. The advantage of trusted-node schemes is that they provide access for lawful intercept, as required by many nation states." (Source: EU Quantum Manifesto)

SLIDE 36

TRUSTED INTERMEDIATES?

SLIDE 37

QUANTUM INTERNET?

Let's say I want to send an encrypted message from Berlin to Sydney. Trusted intermediates in Poland, Ukraine, Russia, Kazakhstan, China, India, Burma, Thailand, Malaysia, Indonesia, Australia.

SLIDE 38

NOT WIRELESS

QKD needs a physical connection (an optical fibre or a line of sight) between the endpoints. No Wi-Fi, no mobile Internet.

SLIDE 39

QUANTUM HACKING

Quantum cryptography is said to provide perfect security. However, commercial QKD devices regularly get broken. How's that even possible?

SLIDE 40

QKD: SECURE IN THEORY

The big argument for QKD: It's perfectly secure - based on the laws of physics! However that's only true for an idealized version of QKD, not for any real system.

SLIDE 41

PROBLEMS OF HARDWARE-BASED SECURITY

If you have a bug in your encryption software, you can install an update (hopefully). If you have a bug in your encryption hardware, you need to buy new hardware.

SLIDE 42

QKD NEEDS AUTHENTICATION

All QKD systems need an authenticated channel. QKD depends on the cryptography its proponents claim it should replace. This limitation is rarely mentioned, but it's significant. It means QKD can't solve the problems created by quantum computers.

SLIDE 43

"It is a well-established fact that all QKE protocols require that the parties have access to an authentic channel. Without this authenticated link, QKE is vulnerable to man-in-the-middle

  • attacks. Overlooking this fact results in exaggerated claims

and/or false expectations about the potential impact of QKE." ( ) Paterson, Piper, Schack, 2004

SLIDE 44

QUANTUM CRYPTOGRAPHY

Extremely overhyped, with outrageous claims ("Quantum Internet"). Entirely unclear which problems it should solve. Definitely not a solution for the problems created by quantum computers. That solution is post-quantum cryptography.

SLIDE 45

CONCLUSIONS

Quantum computers may come pretty soon (or not at all). We need to be prepared. Post-quantum cryptography is still in its early stages. We're already too late. Be wary of overhyped claims about quantum cryptography, which likely won't solve anything.

SLIDE 46

MORE INFO

  • EU PQCRYPTO research project: pqcrypto.eu.org
  • NIST standardization effort: csrc.nist.gov/groups/ST/post-quantum-crypto/ (this process has since produced FIPS 203, 204 and 205 in 2024: the lattice-based ML-KEM and ML-DSA and the hash-based SLH-DSA)
  • pqcrypto.org

Questions?