the libpqcrypto software library for post quantum
play

The libpqcrypto software library for post-quantum cryptography - PowerPoint PPT Presentation

May 26, 2023 •31 likes •541 views

The libpqcrypto software library for post-quantum cryptography Daniel J. Bernstein and many contributors libpqcrypto.org Daniel J. Bernstein Context libpqcrypto.org Daniel J. Bernstein Redesigning crypto for security New requirements for

  1. The libpqcrypto software library for post-quantum cryptography Daniel J. Bernstein and many contributors libpqcrypto.org Daniel J. Bernstein

  2. Context libpqcrypto.org Daniel J. Bernstein

  3. Redesigning crypto for security New requirements for crypto software engineering to avoid real-world crypto disasters: ◮ No data flow from secrets to array indices. Stops, e.g., 2016 CacheBleed attack. libpqcrypto.org Daniel J. Bernstein

  4. Redesigning crypto for security New requirements for crypto software engineering to avoid real-world crypto disasters: ◮ No data flow from secrets to array indices. Stops, e.g., 2016 CacheBleed attack. ◮ No data flow from secrets to branch conditions. Stops, e.g., 2018 RSA key-generation attack by Aldaya–Garc´ ıa–Tapia–Brumley. libpqcrypto.org Daniel J. Bernstein

  5. Redesigning crypto for security New requirements for crypto software engineering to avoid real-world crypto disasters: ◮ No data flow from secrets to array indices. Stops, e.g., 2016 CacheBleed attack. ◮ No data flow from secrets to branch conditions. Stops, e.g., 2018 RSA key-generation attack by Aldaya–Garc´ ıa–Tapia–Brumley. ◮ No padding oracles. Stops, e.g., 2017 ROBOT attack. libpqcrypto.org Daniel J. Bernstein

  6. Redesigning crypto for security But wait, there’s more: ◮ Centralizing randomness: system has one central audited fast PRNG. Stops, e.g., Juniper fiasco discovered in 2015. libpqcrypto.org Daniel J. Bernstein

  7. Redesigning crypto for security But wait, there’s more: ◮ Centralizing randomness: system has one central audited fast PRNG. Stops, e.g., Juniper fiasco discovered in 2015. ◮ Avoiding unnecessary randomness: use audited deterministic functions. Stops, e.g., 2017 ROCA attack. libpqcrypto.org Daniel J. Bernstein

  8. Redesigning crypto for security But wait, there’s more: ◮ Centralizing randomness: system has one central audited fast PRNG. Stops, e.g., Juniper fiasco discovered in 2015. ◮ Avoiding unnecessary randomness: use audited deterministic functions. Stops, e.g., 2017 ROCA attack. ◮ Eliminate low-security options. Stops, e.g., 2015 Logjam attack. libpqcrypto.org Daniel J. Bernstein

  9. Curve25519, Ed25519, etc. Secure (and fast enough) crypto: Much simpler if we upgrade crypto primitives and protocols . libpqcrypto.org Daniel J. Bernstein

  10. Curve25519, Ed25519, etc. Secure (and fast enough) crypto: Much simpler if we upgrade crypto primitives and protocols . Example: Upgrading signatures. ◮ Use ECC, not RSA. Does the user really need “RSA signatures”? Or is the goal “high-security signatures”? libpqcrypto.org Daniel J. Bernstein

  11. Curve25519, Ed25519, etc. Secure (and fast enough) crypto: Much simpler if we upgrade crypto primitives and protocols . Example: Upgrading signatures. ◮ Use ECC, not RSA. Does the user really need “RSA signatures”? Or is the goal “high-security signatures”? ◮ Use Curve25519, not NSA (NIST) curves. Simpler (and faster!) secure implementations. libpqcrypto.org Daniel J. Bernstein

  12. Curve25519, Ed25519, etc. Secure (and fast enough) crypto: Much simpler if we upgrade crypto primitives and protocols . Example: Upgrading signatures. ◮ Use ECC, not RSA. Does the user really need “RSA signatures”? Or is the goal “high-security signatures”? ◮ Use Curve25519, not NSA (NIST) curves. Simpler (and faster!) secure implementations. ◮ Use EdDSA (Ed25519), not NSA signatures. Avoid, e.g., hassle of implementing inversion. libpqcrypto.org Daniel J. Bernstein

  13. A modern cryptographic API Most libraries provide simple all-in-one hashing: const unsigned char m[...]; unsigned long long mlen; unsigned char h[crypto_hash_BYTES]; crypto_hash_sha256(h,m,mlen); libpqcrypto.org Daniel J. Bernstein

  14. A modern cryptographic API Most libraries provide simple all-in-one hashing: const unsigned char m[...]; unsigned long long mlen; unsigned char h[crypto_hash_BYTES]; crypto_hash_sha256(h,m,mlen); Why not the same simplicity for, e.g., signing? crypto_sign_ed25519(sm,&smlen,m,mlen,sk); libpqcrypto.org Daniel J. Bernstein

  15. A modern cryptographic API Most libraries provide simple all-in-one hashing: const unsigned char m[...]; unsigned long long mlen; unsigned char h[crypto_hash_BYTES]; crypto_hash_sha256(h,m,mlen); Why not the same simplicity for, e.g., signing? crypto_sign_ed25519(sm,&smlen,m,mlen,sk); Huge impact of API upon usability: see 2017 Acar– Backes–Fahl–Garfinkel–Kim–Mazurek–Stransky. libpqcrypto.org Daniel J. Bernstein

  16. Implementation and deployment Curve25519: iOS starting 2010; WhatsApp starting 2016; formal verif in Firefox starting 2017; etc. NaCl software library (forks: TweetNaCl, libsodium): Curve25519, audited implementations, modern API. Competitions: Modern API required for submissions to CAESAR, NIST PQC, NIST Lightweight Crypto. SUPERCOP benchmarking framework: Modern API, no requirement of constant-time etc. Currently 2556 implementations of 722 primitives. libpqcrypto.org Daniel J. Bernstein

  17. All done? libpqcrypto.org Daniel J. Bernstein

  19. The PQCRYPTO consortium libpqcrypto.org Daniel J. Bernstein

  20. The PQCRYPTO portfolio PQCRYPTO consortium, with many collaborators: 22 submissions to NIST. 1 damaged later, 0 broken. libpqcrypto.org Daniel J. Bernstein

  21. The PQCRYPTO portfolio PQCRYPTO consortium, with many collaborators: 22 submissions to NIST. 1 damaged later, 0 broken. 2 of the 22: gigabyte RSA encryption + signatures; submitted as baseline, not part of portfolio. libpqcrypto.org Daniel J. Bernstein

  22. The PQCRYPTO portfolio PQCRYPTO consortium, with many collaborators: 22 submissions to NIST. 1 damaged later, 0 broken. 2 of the 22: gigabyte RSA encryption + signatures; submitted as baseline, not part of portfolio. 47 non-PQCRYPTO submissions. 7 damaged, 13 broken. Most attacks by PQCRYPTO + collabs. libpqcrypto.org Daniel J. Bernstein

  23. The PQCRYPTO portfolio PQCRYPTO consortium, with many collaborators: 22 submissions to NIST. 1 damaged later, 0 broken. 2 of the 22: gigabyte RSA encryption + signatures; submitted as baseline, not part of portfolio. 47 non-PQCRYPTO submissions. 7 damaged, 13 broken. Most attacks by PQCRYPTO + collabs. Some broken systems in traditional PQ categories: • Compact LWE, lattice-based encryption scheme. • Edon-K, code-based encryption scheme. • Giophantus, multivariate signature scheme. Need detailed security analysis, not buzzwords. libpqcrypto.org Daniel J. Bernstein

  24. 50 signature systems in libpqcrypto crypto_sign_dilithium{2,3,4} crypto_sign_gui{184,312,448} crypto_sign_luov{863256,890351, 8117404,4849242,6468330,8086399} crypto_sign_mqdss{48,64} crypto_sign_picnicl{1,3,5}{fs,ur} crypto_sign_qtesla{128,192,256} crypto_sign_rainbow{1a,1b,1c, 3b,3c,4a,5c,6a,6b} crypto_sign_sphincs{f,s}{128,192,256} {haraka,sha256,shake256} libpqcrypto.org Daniel J. Bernstein

  25. 27 encryption systems in libpqcrypto crypto_kem_bigquake{1,3,5} crypto_kem_mceliece{6960119,8192128} crypto_kem_kyber{512,768,1024} crypto_kem_dags{3,5} crypto_kem_frodokem{640,976} crypto_kem_kindi{256342,256522, 512222,512241,512321} crypto_kem_newhope{512,1024}cca crypto_kem_ntruhrss701 crypto_kem_{ntrulpr,sntrup}4591761 crypto_kem_ramstakers{216091,756839} crypto_kem_{lightsaber,saber,firesaber} libpqcrypto.org Daniel J. Bernstein

  26. NIST submissions vs. libpqcrypto Each NIST submission includes software: ◮ a reference C implementation; ◮ in many cases, also fast implementations. libpqcrypto.org Daniel J. Bernstein

  27. NIST submissions vs. libpqcrypto Each NIST submission includes software: ◮ a reference C implementation; ◮ in many cases, also fast implementations. libpqcrypto integrates this software with ◮ a unified compilation framework; libpqcrypto.org Daniel J. Bernstein

  28. NIST submissions vs. libpqcrypto Each NIST submission includes software: ◮ a reference C implementation; ◮ in many cases, also fast implementations. libpqcrypto integrates this software with ◮ a unified compilation framework; ◮ an automatic test framework; libpqcrypto.org Daniel J. Bernstein

  29. NIST submissions vs. libpqcrypto Each NIST submission includes software: ◮ a reference C implementation; ◮ in many cases, also fast implementations. libpqcrypto integrates this software with ◮ a unified compilation framework; ◮ an automatic test framework; ◮ automatic selection of fastest implementations; libpqcrypto.org Daniel J. Bernstein

  30. NIST submissions vs. libpqcrypto Each NIST submission includes software: ◮ a reference C implementation; ◮ in many cases, also fast implementations. libpqcrypto integrates this software with ◮ a unified compilation framework; ◮ an automatic test framework; ◮ automatic selection of fastest implementations; ◮ a unified C interface, modern API; libpqcrypto.org Daniel J. Bernstein

  31. NIST submissions vs. libpqcrypto Each NIST submission includes software: ◮ a reference C implementation; ◮ in many cases, also fast implementations. libpqcrypto integrates this software with ◮ a unified compilation framework; ◮ an automatic test framework; ◮ automatic selection of fastest implementations; ◮ a unified C interface, modern API; ◮ a unified Python interface; libpqcrypto.org Daniel J. Bernstein

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The Quantum Risk & Post-Quantum Crypto JP Aumasson The Quantum Risk & Post-Quantum

The Quantum Risk & Post-Quantum Crypto JP Aumasson The Quantum Risk & Post-Quantum

The Quantum Risk & Post-Quantum Crypto JP Aumasson The Quantum Risk & Post-Quantum Crypto JP Aumasson uantum /me 15 years experience in applied cryptography (PhD, industry, consulting) Designed widely used algorithms Author of the

816 views • 52 slides
Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers

Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers

Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers can break public-key cryptography that is based on assuming hardness of factoring, discrete logs, and a few other problems I Post-quantum

2.98k views • 37 slides
Implementing post-quantum cryptography Peter Schwabe Radboud University, Nijmegen, The

Implementing post-quantum cryptography Peter Schwabe Radboud University, Nijmegen, The

Implementing post-quantum cryptography Peter Schwabe Radboud University, Nijmegen, The Netherlands June 28, 2018 PQCRYPTO Mini-School 2018, Taipei, Taiwan Part I: How to make software secure Implementing post-quantum cryptography 2 Timing

1.44k views • 116 slides
SW/HW Codesign of the Post-Quantum Cryptography Algorithm NTRUEncrypt Using HLS and RTL Design

SW/HW Codesign of the Post-Quantum Cryptography Algorithm NTRUEncrypt Using HLS and RTL Design

SW/HW Codesign of the Post-Quantum Cryptography Algorithm NTRUEncrypt Using HLS and RTL Design Methodologies Farnoud Farahmand, Duc Tri Nguyen, Viet B. Dang*, Ahmed Ferozpuri and Kris Gaj George Mason University Post st-Quantum Quantum

441 views • 14 slides
Standardization of post-quantum cryptography Tanja Lange 08 May 2016 A Workshop About

Standardization of post-quantum cryptography Tanja Lange 08 May 2016 A Workshop About

Standardization of post-quantum cryptography Tanja Lange 08 May 2016 A Workshop About Cryptographic Standards History of post-quantum cryptography 2003 Daniel J. Bernstein introduces term Post-quantum cryptography. PQCrypto 2006:

623 views • 23 slides
Incorporating Post-Quantum Cryptography in a microservice architecture Research Project 2 Why

Incorporating Post-Quantum Cryptography in a microservice architecture Research Project 2 Why

R. van der Gaag, D. Weller Incorporating Post-Quantum Cryptography in a microservice architecture Research Project 2 Why think about post-quantum cryptography W. Buchanan et. al concluded Gate-based quantum computers pose a significant

349 views • 18 slides
Quantum++ A modern C++ quantum computing library arXiv:1412.4704 Vlad Gheorghiu

Quantum++ A modern C++ quantum computing library arXiv:1412.4704 Vlad Gheorghiu

Quantum++ A modern C++ quantum computing library arXiv:1412.4704 Vlad Gheorghiu vgheorgh@gmail.com Institute for Quantum Computing University of Waterloo Waterloo, ON, N2L 3G1, Canada Quantum Programming and Circuits Workshop June 8, 2015

464 views • 23 slides
Post-Quantum Cryptography Dr. Ruben Niederhagen, February 8, 2016 Introduction Quantum Computers

Post-Quantum Cryptography Dr. Ruben Niederhagen, February 8, 2016 Introduction Quantum Computers

Post-Quantum Cryptography Dr. Ruben Niederhagen, February 8, 2016 Introduction Quantum Computers Using quantum states for computation: Introduced in 1985 by David Deutsch [3]. Operate on qubits using gates that perform reversible

1.69k views • 157 slides
The Picnic Post-Quantum Signature Scheme and its Security Analysis Itai Dinur Ben-Gurion

The Picnic Post-Quantum Signature Scheme and its Security Analysis Itai Dinur Ben-Gurion

The Picnic Post-Quantum Signature Scheme and its Security Analysis Itai Dinur Ben-Gurion University Credit for some slides: Melissa Chase and Picnic team Post-Quantum Cryptography Large-scale quantum computer could efficiently factor large

533 views • 34 slides
Post-quantum cryptography Tanja Lange 07 October 2015 SPACE 2015 In the long term, all

Post-quantum cryptography Tanja Lange 07 October 2015 SPACE 2015 In the long term, all

Post-quantum cryptography Tanja Lange 07 October 2015 SPACE 2015 In the long term, all encryption needs to be post-quantum Mark Ketchen, IBM Research, 2012, on quantum computing: Were actually doing things that are making us think like,

901 views • 41 slides
An Overview on Post-Quantum Cryptography with an Emphasis on Code based Systems Joachim Rosenthal

An Overview on Post-Quantum Cryptography with an Emphasis on Code based Systems Joachim Rosenthal

Basics on Public Key Crypto Systems Research Directions in Post-Quantum Cryptography Variants of McEliece System Distinguisher Attacks McEliece for Rank Metric Codes An Overview on Post-Quantum Cryptography with an Emphasis on Code based

1.05k views • 100 slides
Twitter: @PatrickLonga Outline Motivation: the quantum menace Post-quantum key exchange

Twitter: @PatrickLonga Outline Motivation: the quantum menace Post-quantum key exchange

https://microsoft.com/en-us/research/people/plonga http://patricklonga.com Twitter: @PatrickLonga Outline Motivation: the quantum menace Post-quantum key exchange from supersingular isogenies: Preliminaries SIDH SIKE

1.82k views • 154 slides
New developments in the quantum ESPRESSO software distribution for quantum simulations at the

New developments in the quantum ESPRESSO software distribution for quantum simulations at the

New developments in the quantum ESPRESSO software distribution for quantum simulations at the nanoscale Paolo Giannozzi Universit` a di Udine, Italy Workshop From experiments to theory & models... Roma Tor Vergata, 2017/12/5 Typeset by

805 views • 35 slides
Quantum circuits: From Structure to Software Aleks Kissinger Quantum Natural Language Processing,

Quantum circuits: From Structure to Software Aleks Kissinger Quantum Natural Language Processing,

Quantum circuits: From Structure to Software Aleks Kissinger Quantum Natural Language Processing, Oxford 2020 Aleks Kissinger QNLP 2020 1 / 34 Quantum software 1. := the code the runs on a quantum computer factoring search physical

1.09k views • 73 slides
Post-quantum cryptography Tanja Lange 02 October 2015 Academy Contact Forum Coding Theory and

Post-quantum cryptography Tanja Lange 02 October 2015 Academy Contact Forum Coding Theory and

Post-quantum cryptography Tanja Lange 02 October 2015 Academy Contact Forum Coding Theory and Cryptography VI In the long term, all encryption needs to be post-quantum Mark Ketchen, IBM Research, 2012, on quantum computing: Were

854 views • 42 slides
An Introduction to the ZX-Calculus ...and some applications in quantum software Aleks Kissinger

An Introduction to the ZX-Calculus ...and some applications in quantum software Aleks Kissinger

An Introduction to the ZX-Calculus ...and some applications in quantum software Aleks Kissinger Full-stack quantum computing 2020 Aleks Kissinger ZX-calculus and Quantum Software FSQC 2020 1 / 26 Quantum software 1. := the code the runs on

1.33k views • 50 slides
Curves and Splines Outline Hermite Splines Catmull-Rom Splines Bezier Curves

Curves and Splines Outline Hermite Splines Catmull-Rom Splines Bezier Curves

Curves and Splines Outline Hermite Splines Catmull-Rom Splines Bezier Curves Higher Continuity: Natural and B-Splines Drawing Splines Modeling Complex Shapes We want to build models of very complicated objects An

675 views • 50 slides
signSGD Jeremy Bernstein Yu-Xiang Wang Caltech UCSB/Amazon Compressed optimisation for

signSGD Jeremy Bernstein Yu-Xiang Wang Caltech UCSB/Amazon Compressed optimisation for

signSGD Jeremy Bernstein Yu-Xiang Wang Caltech UCSB/Amazon Compressed optimisation for non-convex problems Kamyar Azizzadenesheli Anima Anandkumar UCI Caltech/Amazon Snap gradient components to 1 Reduces signSGD

456 views • 22 slides
Fast method for testing the smoothness of polynomials Jean-Franc ois Biasse Mike Jacobson

Fast method for testing the smoothness of polynomials Jean-Franc ois Biasse Mike Jacobson

page.1 Fast method for testing the smoothness of polynomials Jean-Franc ois Biasse Mike Jacobson University of Calgary October 2013 Biasse-Jacobson (U of C) Fast smoothness test October 2013 1 / 24 page.2 Presentation of the problem

1.02k views • 89 slides
Outline Saltzer & Schroeders principles (contd) CSci 5271 More secure design

Outline Saltzer & Schroeders principles (contd) CSci 5271 More secure design

Outline Saltzer & Schroeders principles (contd) CSci 5271 More secure design principles Introduction to Computer Security Software engineering for security Defensive programming 2 (combined lecture) Announcements intermission

632 views • 9 slides
Post-quantum cryptography Daniel J. Bernstein 1 Tanja Lange 1 Peter Schwabe 2 Technische

Post-quantum cryptography Daniel J. Bernstein 1 Tanja Lange 1 Peter Schwabe 2 Technische

Post-quantum cryptography Daniel J. Bernstein 1 Tanja Lange 1 Peter Schwabe 2 Technische Universiteit Eindhoven Radboud University 08 September 2016 Cryptography Motivation #1: Communication channels are spying on our data.

1.34k views • 117 slides
40th Anniversary Midwest Representation Theory Conference University of Chicago September 5-7,

40th Anniversary Midwest Representation Theory Conference University of Chicago September 5-7,

40th Anniversary Midwest Representation Theory Conference University of Chicago September 5-7, 2014 ON UNITARIZABILITY AND REDUCIBILITY MARKO TADI C To the 65 th birthday of Rebecca A. Herb, and the memory of Paul J. Sally, Jr. The work of

512 views • 17 slides
Cryptography: an Efficiency and Security Analysis http://eprint.iacr.org/2014/130.pdf Craig

Cryptography: an Efficiency and Security Analysis http://eprint.iacr.org/2014/130.pdf Craig

Selecting Elliptic Curves for Cryptography: an Efficiency and Security Analysis http://eprint.iacr.org/2014/130.pdf Craig Costello ECC2014 Chennai, India Joint work with Joppe Bos (NXP), Patrick Longa (MSR), Michael Naehrig (MSR) June 2013

1.04k views • 56 slides
New CP (and T) Tests in Low-Energy Hadronic Processes Susan Gardner Department of Physics and

New CP (and T) Tests in Low-Energy Hadronic Processes Susan Gardner Department of Physics and

New CP (and T) Tests in Low-Energy Hadronic Processes Susan Gardner Department of Physics and Astronomy University of Kentucky Lexington, KY 40506 gardner@pa.uky.edu Known Flavor and CP Violation are CKM-like [ 2013 update (th+exp) of Laiho,

367 views • 36 slides

More recommend