TRANSITIONING TO A QUANTUM-RESISTANT PUBLIC KEY INFRASTRUCTURE - Nina Bindel - Cryptography for the IoT+Cloud - PowerPoint PPT Presentation



SLIDE 1

TRANSITIONING TO A QUANTUM-RESISTANT PUBLIC KEY INFRASTRUCTURE

Nina Bindel, Udyani Herath, Matthew McKague, Douglas Stebila

Cryptography for the IoT+Cloud, Bochum, Germany, 11/06/2017

SLIDE 2

Timeline (figure): why start the post-quantum transition now

  • 2016 / Nov. 2017: today. Best option: start the transition now.
  • 2026: 1/7 chance of breaking RSA-2048 (Michele Mosca, Nov 2015)
  • 2031: 1/2 chance of breaking RSA-2048 (Michele Mosca, Nov 2015)
  • 2035: universal quantum computer (Quantum Manifesto), i.e. 18 years from today
  • For comparison, the SHA-1 transition took 15 years: from 2002 until Jan. 2017, when MS started to stop supporting SHA-1
  • When to start a PQ project: ?

SLIDE 3

BIT-HARDNESS ESTIMATIONS WITH LWE-ESTIMATOR [APS15]

Plot (figure): estimated log hardness in bits (y-axis 10 to 80) of one fixed LWE instance, re-estimated with the LWE estimator at Jan 2015, Jun 2015, Jan 2016, Jun 2016, Jan 2017, Jun 2017 and Nov 2017. Plotted values: 71, 62, 61, 60, 58, 48, 51.

LWE instance: Regev(128), i.e. n = 128, q = 16411, σ = 29.6

Difference of ~20 bit in 2.5 years

SLIDE 4

CURRENT SITUATION

  • Quantum threat against RSA and discrete-log based schemes
  • Unstable hardness estimations of "PQ assumptions"

SLIDE 5

NOT ENOUGH TO CARE ABOUT THE PRIMITIVES…

SLIDE 6

CHALLENGES DURING TRANSITION

  • Security
  • Compatibility
SLIDE 7

HYBRID SIGNATURE SCHEMES

Given: Σ1 and Σ2. Construct: ΣC such that ΣC is secure if Σ1 or Σ2 is secure.

  • What does "secure" mean?
  • How to construct ΣC?
  • Can we use hybrids in current protocols and standards?

Examples:

  • Σ1 a PQ scheme and Σ2 a classical scheme
  • Two PQ schemes based on different assumptions

SLIDE 8

SECURITY DEFINITION

Intuition:

  • eUF-CMA with a 2-stage adversary A = (A1, A2)
  • A1 and A2 may have different access to a quantum computer
  • A1 has classical or quantum access to the sign oracle
SLIDE 9

Exp^{eUF-CMA}_Σ(A):

  (sk, vk) ← Σ.KeyGen()
  qs ← 0
  (m1, σ1), …, (m_{qs+1}, σ_{qs+1}) ← A^{O_S}(vk)     // each query to the sign oracle O_S sets qs ← qs + 1
  If Σ.Verify(vk, m_i, σ_i) = 1 for all i = 1, …, qs+1: return 1
  Else: return 0

(A must output one more valid message/signature pair than it obtained from the oracle, so at least one of them is a forgery.)

SLIDE 10

Exp^{eUF-CMA}_Σ(A) with the 2-stage adversary A = (A1, A2):

  (sk, vk) ← Σ.KeyGen()
  qs ← 0
  st ← A1^{O_S}(vk)     // stage 1: A1 queries the sign oracle O_S; each query sets qs ← qs + 1
  (m1, σ1), …, (m_{qs+1}, σ_{qs+1}) ← A2(st)     // stage 2: A2 continues from the state st (only A1 has oracle access, cf. SLIDE 8)
  If Σ.Verify(vk, m_i, σ_i) = 1 for all i = 1, …, qs+1: return 1
  Else: return 0

(The icons on the slide mark, for A1, the oracle O_S and A2, whether each is classical (bit strings) or quantum.)

SLIDE 11

ADVERSARY MODEL

Notation XyZ: X = computational power of A1, y = type of access of A1 to O_S, Z = computational power of A2 (C/c = classical, Q/q = quantum).

  • CcC - Fully classical (eUF-CMA): A1 classical, access to O_S classical, A2 classical
  • CcQ - Future quantum: A1 classical, access to O_S classical, A2 quantum
  • QcQ - Quantum adversary: A1 quantum, access to O_S classical, A2 quantum
  • QqQ - Fully quantum (also in [BZ13]): A1 quantum, access to O_S quantum, A2 quantum

THEOREM: relation between CcC, CcQ, QcQ and QqQ security.
SLIDE 12

EXAMPLES OF HYBRID SIGNATURES

Assume Σ1 is XyZ-secure and Σ2 is UvW-secure. Each combiner outputs σ = (σ1, σ2).

Combiner        σ1                σ2                         Unforgeability        Non-separability
C||             σ1 ← Sign1(m)     σ2 ← Sign2(m)              max{XyZ, UvW}         No
C_nest          σ1 ← Sign1(m)     σ2 ← Sign2(m, σ1)          max{XyZ, UvW}         Depending on UvW
C_dual-nest     σ1 ← Sign1(m1)    σ2 ← Sign2(m1, σ1, m2)     XyZ wrt m1, UvW       Depending on UvW
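Added example, not code from the talk or the paper: the three combiners of this table (and of SLIDE 7) implemented over two toy stand-in schemes, a Lamport one-time signature standing in for the PQ scheme Σ1 and textbook RSA over a hash with fixed Mersenne primes standing in for the classical scheme Σ2. Both schemes and the length-prefixed tuple encoding `encode` are assumptions made here to get a runnable demonstration; the slides fix neither. `demo()` checks that each combiner verifies, that a tampered σ1 is rejected, and the non-separability column: for C|| the peeled-off σ2 verifies as an ordinary Σ2 signature on m, whereas for C_nest it does not, because σ2 covers (m, σ1) rather than m alone.

```python
import hashlib
import secrets

# Added example (not the talk's code): toy stand-ins for Σ1 (Lamport OTS, hash-based)
# and Σ2 (textbook RSA over a hash), plus the combiners C||, C_nest and C_dual-nest.

def encode(*parts: bytes) -> bytes:
    """Length-prefixed encoding of a tuple such as (m, σ1) or (m1, σ1, m2); assumed here,
    the talk does not fix a serialization."""
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


class Lamport:
    """One-time hash-based signature: each key pair must sign ONE message only."""
    @staticmethod
    def keygen():
        sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
        vk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
        return sk, vk

    @staticmethod
    def _bits(m):  # the 256 bits of SHA-256(m) select which preimage is revealed
        d = hashlib.sha256(m).digest()
        return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

    @classmethod
    def sign(cls, sk, m):
        return b"".join(sk[i][b] for i, b in enumerate(cls._bits(m)))

    @classmethod
    def verify(cls, vk, m, sig):
        return len(sig) == 256 * 32 and all(
            hashlib.sha256(sig[32 * i:32 * i + 32]).digest() == vk[i][b]
            for i, b in enumerate(cls._bits(m)))


class ToyRSA:
    """Textbook RSA over SHA-256 with fixed Mersenne primes: insecure, correctness only."""
    P, Q, E = (1 << 31) - 1, (1 << 61) - 1, 65537

    @classmethod
    def keygen(cls):
        n, phi = cls.P * cls.Q, (cls.P - 1) * (cls.Q - 1)
        return (n, pow(cls.E, -1, phi)), (n, cls.E)  # (sk, vk)

    @staticmethod
    def _h(m, n):
        return int.from_bytes(hashlib.sha256(m).digest(), "big") % n

    @classmethod
    def sign(cls, sk, m):
        n, d = sk
        return pow(cls._h(m, n), d, n).to_bytes(12, "big")  # n < 2^92 fits in 12 bytes

    @classmethod
    def verify(cls, vk, m, sig):
        n, e = vk
        return len(sig) == 12 and pow(int.from_bytes(sig, "big"), e, n) == cls._h(m, n)


# The three combiners of the table; the hybrid signature is σ = (σ1, σ2) in every case.
def sign_concat(sk1, sk2, m):
    return Lamport.sign(sk1, m), ToyRSA.sign(sk2, m)

def verify_concat(vk1, vk2, m, sig):
    return Lamport.verify(vk1, m, sig[0]) and ToyRSA.verify(vk2, m, sig[1])

def sign_nest(sk1, sk2, m):  # Σ2 signs m together with σ1
    s1 = Lamport.sign(sk1, m)
    return s1, ToyRSA.sign(sk2, encode(m, s1))

def verify_nest(vk1, vk2, m, sig):
    return Lamport.verify(vk1, m, sig[0]) and ToyRSA.verify(vk2, encode(m, sig[0]), sig[1])

def sign_dual_nest(sk1, sk2, m1, m2):  # σ2 binds m1, σ1 and a second message m2
    s1 = Lamport.sign(sk1, m1)
    return s1, ToyRSA.sign(sk2, encode(m1, s1, m2))

def verify_dual_nest(vk1, vk2, m1, m2, sig):
    return Lamport.verify(vk1, m1, sig[0]) and ToyRSA.verify(vk2, encode(m1, sig[0], m2), sig[1])


def demo():
    """Correctness of each combiner, rejection of a tampered σ1, and separability:
    can σ2 be peeled off and presented as a plain Σ2 signature on m?"""
    sk2, vk2 = ToyRSA.keygen()
    m, m2 = b"constructed message m", b"constructed second message m2"
    out = {}
    sk1, vk1 = Lamport.keygen()  # fresh one-time key before each signing below
    s = sign_concat(sk1, sk2, m)
    out["concat_ok"] = verify_concat(vk1, vk2, m, s)
    out["concat_tampered"] = verify_concat(vk1, vk2, m, (s[0][:-1] + bytes([s[0][-1] ^ 1]), s[1]))
    out["concat_separable"] = ToyRSA.verify(vk2, m, s[1])  # True: σ2 alone is a valid Σ2 signature on m
    sk1, vk1 = Lamport.keygen()
    s = sign_nest(sk1, sk2, m)
    out["nest_ok"] = verify_nest(vk1, vk2, m, s)
    out["nest_separable"] = ToyRSA.verify(vk2, m, s[1])  # False: σ2 covers (m, σ1), not m alone
    sk1, vk1 = Lamport.keygen()
    s = sign_dual_nest(sk1, sk2, m, m2)
    out["dual_nest_ok"] = verify_dual_nest(vk1, vk2, m, m2, s)
    out["dual_nest_wrong_m2"] = verify_dual_nest(vk1, vk2, m, b"other m2", s)
    return out
```

Because the Lamport key is one-time, `demo()` draws a fresh Σ1 key before every signing; in a real deployment the PQ component would be a many-time scheme and the hybrid key pair would be generated once, as KeyGen_dual-nest does on SLIDE 15.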

SLIDE 13

APPLICABLE TO CURRENT PKI?

(1) How can hybrid combiners be used in current standards?
(2) What about backwards-compatibility?
(3) Do large key and signature sizes raise problems?

  • Certificates: X.509v3
  • Secure channels: TLS (not in this talk)
  • Secure email: S/MIME

SLIDE 14

HYBRID SIGNATURE IN S/MIME EMAIL

Idea:

  • Use the concatenation combiner
  • S/MIME data structures allow multiple parallel signatures
  • Disadvantage: all signatures must be verified; backwards-compatibility?

2nd idea:

  • Use the nested combiner
  • Use optional attributes
SLIDE 15

HYBRID SIGNATURES IN X.509V3 CERT

(sk^PQ_CA, vk^PQ_CA, sk^RSA_CA, vk^RSA_CA) ← KeyGen_dual-nest
(sk^PQ_Sub, vk^PQ_Sub, sk^RSA_Sub, vk^RSA_Sub) ← KeyGen_dual-nest

Certificate c1 (PQ):
  tbsCertificate m1: CA, subject, vk^PQ_Sub
  c1 = Sign_PQ(sk^PQ_CA, (m1, vk^PQ_Sub))

Certificate c2 (RSA):
  tbsCertificate m2: CA, subject, vk^RSA_Sub
  Extensions: ext. id. = non-critical (carries c1)
  c2 = Sign_RSA(sk^RSA_CA, (m2, vk^RSA_Sub, c1, m1))

Idea:

  • Use the dual nested combiner
  • PQ cert = extension of the RSA cert
  • Hybrid software recognizes and processes the PQ cert and the RSA cert
  • Older software ignores the non-critical extension
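Added example, not from the talk: how the "older software ignores the non-critical extension" argument plays out at the DER level. It builds an X.509 Extensions sequence carrying a constructed stand-in for c1 under a hypothetical placeholder OID (2.999.1, in the arc ISO reserves for documentation examples; the talk assigns no OID), then applies the RFC 5280 rule for unrecognized extensions twice: as a legacy verifier that only knows basicConstraints, and as a hybrid verifier that also knows the PQ-certificate extension. Verifying the signatures c1 and c2 themselves is out of scope here; the DER helpers are minimal ones written for this example and handle only what it constructs.

```python
# Added example (not the talk's code): the RFC 5280 rule that decides whether a verifier
# accepts a certificate whose Extensions carry the PQ certificate c1. The DER helpers
# below are minimal and only cover what this example constructs.

# Hypothetical placeholder OID for the extension holding c1; the talk assigns none.
# 2.999 is the arc ISO reserves for documentation examples.
PQ_CERT_EXT_OID = "2.999.1"
BASIC_CONSTRAINTS_OID = "2.5.29.19"

LEGACY_KNOWN = {BASIC_CONSTRAINTS_OID}            # older software
HYBRID_KNOWN = LEGACY_KNOWN | {PQ_CERT_EXT_OID}   # hybrid-aware software


def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def enc_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = b""
    for v in [40 * arcs[0] + arcs[1]] + arcs[2:]:  # base-128, high bit = continuation
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        body += bytes(reversed(chunk))
    return tlv(0x06, body)

def extension(oid: str, value: bytes, critical: bool = False) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }.
    DER omits a BOOLEAN equal to its default, so 'critical' is only encoded when TRUE (0xFF)."""
    body = enc_oid(oid) + (tlv(0x01, b"\xff") if critical else b"") + tlv(0x04, value)
    return tlv(0x30, body)

def extensions(*exts: bytes) -> bytes:
    return tlv(0x30, b"".join(exts))


def read_tlv(buf: bytes, pos: int):
    """Returns (tag, body, position after the element); short and long length forms."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def dec_oid(body: bytes) -> str:
    arcs, v = [], 0
    for b in body:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    first = arcs[0]
    head = [2, first - 80] if first >= 80 else list(divmod(first, 40))
    return ".".join(str(a) for a in head + arcs[1:])

def process_extensions(der: bytes, known: set):
    """RFC 5280 section 4.2: an extension the verifier does not recognize is fatal if it is
    marked critical and ignored otherwise. Returns (accepted, {oid: extnValue}) of recognized ones."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        return False, {}
    found, pos = {}, 0
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)
        _, oid_b, p = read_tlv(ext, 0)
        oid = dec_oid(oid_b)
        t, v, p = read_tlv(ext, p)
        critical = False
        if t == 0x01:                      # optional 'critical' BOOLEAN present
            critical = v == b"\xff"
            t, v, p = read_tlv(ext, p)
        if t != 0x04:                      # extnValue must be an OCTET STRING
            return False, found
        if oid not in known:
            if critical:
                return False, found
            continue
        found[oid] = v
    return True, found


# Constructed sample: a stand-in for the DER of c1, large enough to need a long-form length.
C1_DER = b"\x30" + der_len(2000) + b"\x00" * 2000

def demo():
    ok = extensions(extension(BASIC_CONSTRAINTS_OID, b"\x30\x00"), extension(PQ_CERT_EXT_OID, C1_DER))
    bad = extensions(extension(BASIC_CONSTRAINTS_OID, b"\x30\x00"),
                     extension(PQ_CERT_EXT_OID, C1_DER, critical=True))
    return {
        "legacy_noncritical": process_extensions(ok, LEGACY_KNOWN),   # accepted, c1 skipped
        "hybrid_noncritical": process_extensions(ok, HYBRID_KNOWN),   # accepted, c1 extracted
        "legacy_critical": process_extensions(bad, LEGACY_KNOWN),     # rejected: unknown and critical
        "hybrid_critical": process_extensions(bad, HYBRID_KNOWN),     # accepted: the OID is known
    }
```

The `legacy_critical` case is why the slide insists on a non-critical extension: marking it critical would make every pre-hybrid verifier reject c2 outright. Note also that a legacy verifier still checks the RSA signature c2 over the whole tbsCertificate, extension bytes included, so it is the hybrid verifier, not the legacy one, that additionally verifies c1 over m1.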
SLIDE 16

COMPATIBILITY OF HYBRID X.509V3 CERTS

Table (figure): does the application accept a hybrid certificate, by extension size [KB]: 1.5, 3.5, 9.0, 43.0, 1333.0

  • Libraries tested: GnuTLS, Java SE, mbedTLS, NSS, OpenSSL
  • Web browsers tested: Apple Safari, Google Chrome, MS Edge, MS IE, Mozilla Firefox, Opera

(The per-application results are check marks on the slide and are not preserved in this text.)

SLIDE 17

SUMMARY

  • 2-stage adversary
  • Adversary model wrt quantum power
  • Construction of hybrid signatures
  • Compatibility with current PKI:
  • Nested single message in S/MIME
  • Nested dual message in X.509 cert

OPEN QUESTIONS

  • Our combiners, used in current PKI, are still either secure or compatible, not both
  • Better combiners/applications in PKI?
  • Change protocols?
  • No compatibility?
  • Define other hybrids (work in progress)

THANKS

IACR ePrint Archive: Report 2017/460