post quantum rsa pqrsa
play

Post-quantum RSA (pqRSA) Daniel J. Bernstein Joint work with: - PowerPoint PPT Presentation

Oct 06, 2023 •113 likes •404 views

Post-quantum RSA (pqRSA) Daniel J. Bernstein Joint work with: Josh Fried Nadia Heninger Paul Lou Luke Valenta Post-quantum RSA Daniel J. Bernstein, Josh Fried, Nadia Heninger, Paul Lou, Luke Valenta Parameters Scaled-down targets for

  1. Post-quantum RSA (pqRSA) Daniel J. Bernstein Joint work with: Josh Fried Nadia Heninger Paul Lou Luke Valenta Post-quantum RSA Daniel J. Bernstein, Josh Fried, Nadia Heninger, Paul Lou, Luke Valenta

  2. Parameters Scaled-down targets for cryptanalysis: ◮ pqrsa15 : 2 15 -byte keys using 512-bit primes. ◮ pqrsa20 : 2 20 -byte keys using 512-bit primes. ◮ pqrsa25 : 2 25 -byte keys using 1024-bit primes. Primary parameter set included in submission: ◮ pqrsa30 : 2 30 -byte keys using 1024-bit primes. Feasible option not included in submission: ◮ pqrsa40 : 2 40 -byte keys using 4096-bit primes. Yes, we generated one of these keys. Post-quantum RSA Daniel J. Bernstein, Josh Fried, Nadia Heninger, Paul Lou, Luke Valenta

  3. Speeds Approximate cycles/byte on 1 core of 3GHz Intel Skylake: keygen dec enc 110000 3700 530 pqrsa15 110000 5800 1000 (Expect future speedups, pqrsa20 540000 15000 1400 especially for keygen.) pqrsa25 550000 21000 1700 pqrsa30 pqrsa30 keygen: 2.3 days; dec: 2.1 hours; enc: 10.1 minutes. Post-quantum RSA Daniel J. Bernstein, Josh Fried, Nadia Heninger, Paul Lou, Luke Valenta

  4. Speeds Approximate cycles/byte on 1 core of 3GHz Intel Skylake: keygen dec enc 110000 3700 530 pqrsa15 110000 5800 1000 (Expect future speedups, pqrsa20 540000 15000 1400 especially for keygen.) pqrsa25 550000 21000 1700 pqrsa30 pqrsa30 keygen: 2.3 days; dec: 2.1 hours; enc: 10.1 minutes. Submission also says “. . . quadrillion cycles”. Should say “trillion”. NIST didn’t notice? Post-quantum RSA Daniel J. Bernstein, Josh Fried, Nadia Heninger, Paul Lou, Luke Valenta

  5. Network traffic For pqrsa30 : 2 30 bytes. ◮ Key: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ≈ 2 30 bytes. ◮ Signature: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 30 bytes. ◮ Ciphertext for kem : . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 30 bytes, ◮ Ciphertext for encrypt : . . . . . . . . . . . . . . . . . . . . . . . including ≈ 2 30 bytes of encrypted message. Submission does not cover options for compressing signed messages. Post-quantum RSA Daniel J. Bernstein, Josh Fried, Nadia Heninger, Paul Lou, Luke Valenta

  6. Security against known attacks pqrsa30 security analysis in submission: ◮ 2017 H¨ aner–Roetteler–Svore ⇒ ≈ 2 110 Toffoli gates using ≈ 2 34 qubits. Beyond NIST Category 2 under reasonable assumptions. Post-quantum RSA Daniel J. Bernstein, Josh Fried, Nadia Heninger, Paul Lou, Luke Valenta

  7. Security against known attacks pqrsa30 security analysis in submission: ◮ 2017 H¨ aner–Roetteler–Svore ⇒ ≈ 2 110 Toffoli gates using ≈ 2 34 qubits. Beyond NIST Category 2 under reasonable assumptions. ◮ Actually higher security: consider communication costs. Post-quantum RSA Daniel J. Bernstein, Josh Fried, Nadia Heninger, Paul Lou, Luke Valenta

  8. Security against known attacks pqrsa30 security analysis in submission: ◮ 2017 H¨ aner–Roetteler–Svore ⇒ ≈ 2 110 Toffoli gates using ≈ 2 34 qubits. Beyond NIST Category 2 under reasonable assumptions. ◮ Actually higher security: consider communication costs. ◮ Actually higher security: consider latency limits. NIST Categories 3–5 are not clearly defined! Post-quantum RSA Daniel J. Bernstein, Josh Fried, Nadia Heninger, Paul Lou, Luke Valenta

  9. Security against known attacks pqrsa30 security analysis in submission: ◮ 2017 H¨ aner–Roetteler–Svore ⇒ ≈ 2 110 Toffoli gates using ≈ 2 34 qubits. Beyond NIST Category 2 under reasonable assumptions. ◮ Actually higher security: consider communication costs. ◮ Actually higher security: consider latency limits. NIST Categories 3–5 are not clearly defined! ◮ Maybe lower security: e.g., lower-cost multiplications? Post-quantum RSA Daniel J. Bernstein, Josh Fried, Nadia Heninger, Paul Lou, Luke Valenta

  10. Security against known attacks pqrsa30 security analysis in submission: ◮ 2017 H¨ aner–Roetteler–Svore ⇒ ≈ 2 110 Toffoli gates using ≈ 2 34 qubits. Beyond NIST Category 2 under reasonable assumptions. ◮ Actually higher security: consider communication costs. ◮ Actually higher security: consider latency limits. NIST Categories 3–5 are not clearly defined! ◮ Maybe lower security: e.g., lower-cost multiplications? ◮ Prime size: 512 bits probably ok; 1024 ample. Post-quantum RSA Daniel J. Bernstein, Josh Fried, Nadia Heninger, Paul Lou, Luke Valenta

  11. Security against known attacks pqrsa30 security analysis in submission: ◮ 2017 H¨ aner–Roetteler–Svore ⇒ ≈ 2 110 Toffoli gates using ≈ 2 34 qubits. Beyond NIST Category 2 under reasonable assumptions. ◮ Actually higher security: consider communication costs. ◮ Actually higher security: consider latency limits. NIST Categories 3–5 are not clearly defined! ◮ Maybe lower security: e.g., lower-cost multiplications? ◮ Prime size: 512 bits probably ok; 1024 ample. Submitted to NIST as Category 2. Post-quantum RSA Daniel J. Bernstein, Josh Fried, Nadia Heninger, Paul Lou, Luke Valenta

  12. Security stability RSA has tons of mathematical structure. Long history of many scary RSA security losses. Post-quantum RSA Daniel J. Bernstein, Josh Fried, Nadia Heninger, Paul Lou, Luke Valenta

  13. Security stability RSA has tons of mathematical structure. Long history of many scary RSA security losses. pqRSA already has close to the worst performance-security tradeoffs in this competition. Further security losses would not be surprising. e.g. Shor vs. small primes has barely been studied. Post-quantum RSA Daniel J. Bernstein, Josh Fried, Nadia Heninger, Paul Lou, Luke Valenta

  14. Security stability RSA has tons of mathematical structure. Long history of many scary RSA security losses. pqRSA already has close to the worst performance-security tradeoffs in this competition. Further security losses would not be surprising. e.g. Shor vs. small primes has barely been studied. But users keep using RSA. Post-quantum RSA Daniel J. Bernstein, Josh Fried, Nadia Heninger, Paul Lou, Luke Valenta

  15. Security stability RSA has tons of mathematical structure. Long history of many scary RSA security losses. pqRSA already has close to the worst performance-security tradeoffs in this competition. Further security losses would not be surprising. e.g. Shor vs. small primes has barely been studied. But users keep using RSA. RSA-512 publicly broken: “Let’s use RSA-768.” Post-quantum RSA Daniel J. Bernstein, Josh Fried, Nadia Heninger, Paul Lou, Luke Valenta

  16. Security stability RSA has tons of mathematical structure. Long history of many scary RSA security losses. pqRSA already has close to the worst performance-security tradeoffs in this competition. Further security losses would not be surprising. e.g. Shor vs. small primes has barely been studied. But users keep using RSA. RSA-512 publicly broken: “Let’s use RSA-768.” RSA-768 publicly broken: “Let’s use RSA-1024.” Post-quantum RSA Daniel J. Bernstein, Josh Fried, Nadia Heninger, Paul Lou, Luke Valenta

  17. Security stability RSA has tons of mathematical structure. Long history of many scary RSA security losses. pqRSA already has close to the worst performance-security tradeoffs in this competition. Further security losses would not be surprising. e.g. Shor vs. small primes has barely been studied. But users keep using RSA. RSA-512 publicly broken: “Let’s use RSA-768.” RSA-768 publicly broken: “Let’s use RSA-1024.” RSA-2048 publicly broken by quantum computers: Post-quantum RSA Daniel J. Bernstein, Josh Fried, Nadia Heninger, Paul Lou, Luke Valenta

  18. Security stability RSA has tons of mathematical structure. Long history of many scary RSA security losses. pqRSA already has close to the worst performance-security tradeoffs in this competition. Further security losses would not be surprising. e.g. Shor vs. small primes has barely been studied. But users keep using RSA. RSA-512 publicly broken: “Let’s use RSA-768.” RSA-768 publicly broken: “Let’s use RSA-1024.” RSA-2048 publicly broken by quantum computers: “Yeah, NSA already told us to use RSA-3072.” Post-quantum RSA Daniel J. Bernstein, Josh Fried, Nadia Heninger, Paul Lou, Luke Valenta

  19. Familiarity Users care about more than security+performance. “I learned RSA in school.” Post-quantum RSA Daniel J. Bernstein, Josh Fried, Nadia Heninger, Paul Lou, Luke Valenta

  20. Familiarity Users care about more than security+performance. “I learned RSA in school.” “Factorization has been deeply studied by some of the great mathematicians going back to the ancient Greeks.” Post-quantum RSA Daniel J. Bernstein, Josh Fried, Nadia Heninger, Paul Lou, Luke Valenta

  21. Familiarity Users care about more than security+performance. “I learned RSA in school.” “Factorization has been deeply studied by some of the great mathematicians going back to the ancient Greeks.” No mention of how much security has been lost. Post-quantum RSA Daniel J. Bernstein, Josh Fried, Nadia Heninger, Paul Lou, Luke Valenta

  22. Familiarity Users care about more than security+performance. “I learned RSA in school.” “Factorization has been deeply studied by some of the great mathematicians going back to the ancient Greeks.” No mention of how much security has been lost. Is the quoted argument competent cryptography? No. Post-quantum RSA Daniel J. Bernstein, Josh Fried, Nadia Heninger, Paul Lou, Luke Valenta

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The Quantum Risk & Post-Quantum Crypto JP Aumasson The Quantum Risk & Post-Quantum

The Quantum Risk & Post-Quantum Crypto JP Aumasson The Quantum Risk & Post-Quantum

The Quantum Risk & Post-Quantum Crypto JP Aumasson The Quantum Risk & Post-Quantum Crypto JP Aumasson uantum /me 15 years experience in applied cryptography (PhD, industry, consulting) Designed widely used algorithms Author of the

816 views • 52 slides
Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers

Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers

Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers can break public-key cryptography that is based on assuming hardness of factoring, discrete logs, and a few other problems I Post-quantum

2.98k views • 37 slides
SW/HW Codesign of the Post-Quantum Cryptography Algorithm NTRUEncrypt Using HLS and RTL Design

SW/HW Codesign of the Post-Quantum Cryptography Algorithm NTRUEncrypt Using HLS and RTL Design

SW/HW Codesign of the Post-Quantum Cryptography Algorithm NTRUEncrypt Using HLS and RTL Design Methodologies Farnoud Farahmand, Duc Tri Nguyen, Viet B. Dang*, Ahmed Ferozpuri and Kris Gaj George Mason University Post st-Quantum Quantum

441 views • 14 slides
Standardization of post-quantum cryptography Tanja Lange 08 May 2016 A Workshop About

Standardization of post-quantum cryptography Tanja Lange 08 May 2016 A Workshop About

Standardization of post-quantum cryptography Tanja Lange 08 May 2016 A Workshop About Cryptographic Standards History of post-quantum cryptography 2003 Daniel J. Bernstein introduces term Post-quantum cryptography. PQCrypto 2006:

623 views • 23 slides
Incorporating Post-Quantum Cryptography in a microservice architecture Research Project 2 Why

Incorporating Post-Quantum Cryptography in a microservice architecture Research Project 2 Why

R. van der Gaag, D. Weller Incorporating Post-Quantum Cryptography in a microservice architecture Research Project 2 Why think about post-quantum cryptography W. Buchanan et. al concluded Gate-based quantum computers pose a significant

349 views • 18 slides
Post-Quantum Cryptography Dr. Ruben Niederhagen, February 8, 2016 Introduction Quantum Computers

Post-Quantum Cryptography Dr. Ruben Niederhagen, February 8, 2016 Introduction Quantum Computers

Post-Quantum Cryptography Dr. Ruben Niederhagen, February 8, 2016 Introduction Quantum Computers Using quantum states for computation: Introduced in 1985 by David Deutsch [3]. Operate on qubits using gates that perform reversible

1.69k views • 157 slides
The Picnic Post-Quantum Signature Scheme and its Security Analysis Itai Dinur Ben-Gurion

The Picnic Post-Quantum Signature Scheme and its Security Analysis Itai Dinur Ben-Gurion

The Picnic Post-Quantum Signature Scheme and its Security Analysis Itai Dinur Ben-Gurion University Credit for some slides: Melissa Chase and Picnic team Post-Quantum Cryptography Large-scale quantum computer could efficiently factor large

533 views • 34 slides
Post-quantum cryptography Tanja Lange 07 October 2015 SPACE 2015 In the long term, all

Post-quantum cryptography Tanja Lange 07 October 2015 SPACE 2015 In the long term, all

Post-quantum cryptography Tanja Lange 07 October 2015 SPACE 2015 In the long term, all encryption needs to be post-quantum Mark Ketchen, IBM Research, 2012, on quantum computing: Were actually doing things that are making us think like,

901 views • 41 slides
An Overview on Post-Quantum Cryptography with an Emphasis on Code based Systems Joachim Rosenthal

An Overview on Post-Quantum Cryptography with an Emphasis on Code based Systems Joachim Rosenthal

Basics on Public Key Crypto Systems Research Directions in Post-Quantum Cryptography Variants of McEliece System Distinguisher Attacks McEliece for Rank Metric Codes An Overview on Post-Quantum Cryptography with an Emphasis on Code based

1.05k views • 100 slides
Twitter: @PatrickLonga Outline Motivation: the quantum menace Post-quantum key exchange

Twitter: @PatrickLonga Outline Motivation: the quantum menace Post-quantum key exchange

https://microsoft.com/en-us/research/people/plonga http://patricklonga.com Twitter: @PatrickLonga Outline Motivation: the quantum menace Post-quantum key exchange from supersingular isogenies: Preliminaries SIDH SIKE

1.82k views • 154 slides
Post-quantum cryptography Tanja Lange 02 October 2015 Academy Contact Forum Coding Theory and

Post-quantum cryptography Tanja Lange 02 October 2015 Academy Contact Forum Coding Theory and

Post-quantum cryptography Tanja Lange 02 October 2015 Academy Contact Forum Coding Theory and Cryptography VI In the long term, all encryption needs to be post-quantum Mark Ketchen, IBM Research, 2012, on quantum computing: Were

854 views • 42 slides
for Post-Quantum Lattice-based Protocols Utsav Banerjee * , Tenzin S. Ukyab, Anantha P.

for Post-Quantum Lattice-based Protocols Utsav Banerjee * , Tenzin S. Ukyab, Anantha P.

Sapphire: A Configurable Crypto-Processor for Post-Quantum Lattice-based Protocols Utsav Banerjee * , Tenzin S. Ukyab, Anantha P. Chandrakasan * utsav@mit.edu Massachusetts Institute of Technology Post-Quantum Cryptography Current public key

911 views • 25 slides
From linear algebra to post-quantum cryptography Dr. Ir. Fr e Vercauteren

From linear algebra to post-quantum cryptography Dr. Ir. Fr e Vercauteren

Quantum computers and factoring Learning with errors Cryptography from LWE From linear algebra to post-quantum cryptography Dr. Ir. Fr e Vercauteren frederik.vercauteren@gmail.com Open Security Research (China) ESAT/COSIC - KU Leuven

1.34k views • 70 slides
Implementing post-quantum cryptography Peter Schwabe Radboud University, Nijmegen, The

Implementing post-quantum cryptography Peter Schwabe Radboud University, Nijmegen, The

Implementing post-quantum cryptography Peter Schwabe Radboud University, Nijmegen, The Netherlands June 28, 2018 PQCRYPTO Mini-School 2018, Taipei, Taiwan Part I: How to make software secure Implementing post-quantum cryptography 2 Timing

1.44k views • 116 slides
Post Quantum Crypto B e r n d F i x < b r f @ h o i - p o l l o i . o

Post Quantum Crypto B e r n d F i x < b r f @ h o i - p o l l o i . o

1 / 2 9 Post Quantum Crypto B e r n d F i x < b r f @ h o i - p o l l o i . o r g > Post-Quantum Crypto Bernd Fix < b r f @ h o i - p o l l o i . o r g > 2 / 2 9 Intro P r

340 views • 29 slides
A Story of United Nations of Post Quantum Cryptogrpahy Direct dialogue between quantum

A Story of United Nations of Post Quantum Cryptogrpahy Direct dialogue between quantum

A Story of United Nations of Post Quantum Cryptogrpahy Direct dialogue between quantum alg. & braid Crypt. Licheng Wang and Lihua Wang National Institute of Information and Communications Technology Story of two United

272 views • 8 slides
A remark on the composition of polynomial Erhard Aichinger and functions over algebraically

A remark on the composition of polynomial Erhard Aichinger and functions over algebraically

A remark on the composition of polynomial functions over algebraically closed fields A remark on the composition of polynomial Erhard Aichinger and functions over algebraically closed fields Stefan Steinerberger Compositions Erhard

473 views • 14 slides
GAGTA7 Conference Dynamics for the splittings of free-by-cyclic groups Ilya Kapovich University

GAGTA7 Conference Dynamics for the splittings of free-by-cyclic groups Ilya Kapovich University

GAGTA7 Conference Dynamics for the splittings of free-by-cyclic groups Ilya Kapovich University of Illinois at Urbana-Champaign Based on joint work with Spencer Dowdall and Chris Leininger arXiv:1301.7739 GAGTA7 Conference, New York; May,

1.53k views • 135 slides
Information Retrieval Ling573 NLP Systems & Applications April 15, 2014 Roadmap

Information Retrieval Ling573 NLP Systems & Applications April 15, 2014 Roadmap

Information Retrieval Ling573 NLP Systems & Applications April 15, 2014 Roadmap Information Retrieval Vector Space Model Term Selection & Weighting Evaluation Refinements: Query Expansion

514 views • 23 slides
Y P O C Intensive Course in Transcranial Magnetic Stimulation T O N O D E The cause

Y P O C Intensive Course in Transcranial Magnetic Stimulation T O N O D E The cause

Y P O C Intensive Course in Transcranial Magnetic Stimulation T O N O D E The cause of, and solution to, some of TMSs variability S And a way to potentially increase its selectivity and efficacy A E Peter J. Fried, Ph.D. L

822 views • 44 slides
Free abelian covers and arrangements of Schubert varieties Alex Suciu Northeastern University

Free abelian covers and arrangements of Schubert varieties Alex Suciu Northeastern University

Free abelian covers and arrangements of Schubert varieties Alex Suciu Northeastern University Centro Ennio De Giorgi Pisa, Italy May 25, 2010 Alex Suciu (Northeastern University) Free abelian covers and Schubert varieties Pisa, May 2010 1

880 views • 41 slides
Incorporating Relational Knowledge into Word Representations using Subspace Regularization Jun

Incorporating Relational Knowledge into Word Representations using Subspace Regularization Jun

Incorporating Relational Knowledge into Word Representations using Subspace Regularization Jun Araki (Carnegie Mellon University) joint work with Abhishek Kumar (IBM Research) ACL 2016 Distributed word representations Low-dimensional dense

378 views • 18 slides
Alaskas Economic Climate November 16th, 2016 Alaska Department of Labor and Workforce

Alaskas Economic Climate November 16th, 2016 Alaska Department of Labor and Workforce

Alaskas Economic Climate November 16th, 2016 Alaska Department of Labor and Workforce Development, Research Section, Neal Fried, Economist AlaskaPast Long Term Trends No Longer A Road Map To The Future (basically 27 years of growth)

532 views • 34 slides
As find your seats, consider this scenario: In the middle of the semester, a student comes to

As find your seats, consider this scenario: In the middle of the semester, a student comes to

As find your seats, consider this scenario: In the middle of the semester, a student comes to your office hours, worried about failing the course you are TA-ing The student shares that he/she spends many hours per week on your course, but

385 views • 12 slides

More recommend