The post-quantum Internet, Daniel J. Bernstein (PowerPoint presentation)



1

The post-quantum Internet
Daniel J. Bernstein
University of Illinois at Chicago & Technische Universiteit Eindhoven
Includes joint work with: Tanja Lange, Technische Universiteit Eindhoven

2

IP: Internet Protocol
IP communicates “packets”: limited-length byte strings.
Each computer on the Internet has a 4-byte “IP address”.
e.g. www.pqcrypto.org has address 131.155.70.11.
Your browser creates a packet addressed to 131.155.70.11; gives packet to the Internet.
Hopefully the Internet delivers that packet to 131.155.70.11.

3

DNS: Domain Name System
You actually told your browser to connect to www.pqcrypto.org.
Browser learns “131.155.70.11” by asking a name server, the pqcrypto.org name server.
Browser → 131.155.71.143: “Where is www.pqcrypto.org?”
IP packet from browser also includes a return address: the address of your computer.
131.155.71.143 → browser: “131.155.70.11”

4

Browser learns the name-server address, “131.155.71.143”, by asking the .org name server.
Browser → 199.19.54.1: “Where is www.pqcrypto.org?”
199.19.54.1 → browser: “Ask the pqcrypto.org name server, 131.155.71.143”
Browser learns “199.19.54.1”, the .org server address, by asking the root name server.
Browser learned root address by consulting the Bible.
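The referral chain on pages 3 and 4, as an added example (not code from the slides): an in-memory resolver walks root → .org → pqcrypto.org using the slides' addresses and remembers each name server it learns, so a second lookup goes straight to the pqcrypto.org server. The root placeholder string, the "delegations"/"answers" tables and the Resolver class are constructed for this example.

```python
from typing import Dict, List

# Constructed placeholder for the root address: the slides say the browser gets it by
# "consulting the Bible" (the resolver's built-in root hints), not from the network.
ROOT = "root-server (built-in hints)"

# In-memory stand-ins for the servers on pages 3-4. Each one either delegates a zone to
# another name server or answers for a name it is authoritative for.
SERVERS: Dict[str, Dict[str, Dict[str, str]]] = {
    ROOT:             {"delegations": {"org": "199.19.54.1"}, "answers": {}},
    "199.19.54.1":    {"delegations": {"pqcrypto.org": "131.155.71.143"}, "answers": {}},
    "131.155.71.143": {"delegations": {}, "answers": {"www.pqcrypto.org": "131.155.70.11"}},
}


def in_zone(name: str, zone: str) -> bool:
    """True if `name` lies under `zone`; the empty zone is the root and covers everything."""
    return zone == "" or name == zone or name.endswith("." + zone)


class Resolver:
    """Iterative resolver: follows referrals and remembers every name server it learns."""

    def __init__(self, servers: Dict[str, Dict[str, Dict[str, str]]]) -> None:
        self.servers = servers
        self.learned: Dict[str, str] = {"": ROOT}   # zone -> address of its name server
        self.transcript: List[str] = []             # exchanges in the slides' arrow notation

    def resolve(self, name: str, max_hops: int = 8) -> str:
        # start at the most specific name server already learned (the root, at first)
        zone = max((z for z in self.learned if in_zone(name, z)), key=len)
        server = self.learned[zone]
        for _ in range(max_hops):
            self.transcript.append(f"Browser → {server}: “Where is {name}?”")
            known = self.servers.get(server)
            if known is None:
                raise LookupError(f"no name server at {server}")
            if name in known["answers"]:
                address = known["answers"][name]
                self.transcript.append(f"{server} → browser: “{address}”")
                return address
            covering = [z for z in known["delegations"] if in_zone(name, z)]
            if not covering:
                raise LookupError(f"{server} has no record and no delegation for {name}")
            zone = max(covering, key=len)
            next_server = known["delegations"][zone]
            self.transcript.append(f"{server} → browser: “Ask the {zone} name server, {next_server}”")
            self.learned[zone] = next_server   # the browser "learns the name-server address"
            server = next_server
        raise LookupError(f"gave up after {max_hops} referrals for {name}")


if __name__ == "__main__":
    resolver = Resolver(SERVERS)
    print("connect to", resolver.resolve("www.pqcrypto.org"))
    print("\n".join(resolver.transcript))
```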

5

TCP: Transmission Control Protocol
Packets are limited to 1280 bytes.
(Actually depends on network. Oldest IP standards required ≥576. Usually 1492 is safe, often 1500, sometimes more.)
The page you’re downloading from pqcrypto.org doesn’t fit.
Browser actually makes “TCP connection” to pqcrypto.org.
Inside that connection: sends HTTP request, receives response.

6

Browser → server: “SYN 168bb5d9”
Server → browser: “ACK 168bb5da, SYN 747bfa41”
Browser → server: “ACK 747bfa42”
Server now allocates buffers for this TCP connection.
Browser splits data into packets, counting bytes from 168bb5da.
Server splits data into packets, counting bytes from 747bfa42.

7

Main feature advertised by TCP: “reliable data streams”.
Internet sometimes loses packets or delivers packets out of order.
Doesn’t confuse TCP connections: computer checks the counter inside each TCP packet.
Computer retransmits data if data is not acknowledged.
Complicated rules to decide retransmission schedule, avoiding network congestion.
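An added example (not code from the slides) modelling pages 6 and 7: the handshake with the slides' sequence numbers, a stream split into 1280-byte packets counted from ISN+1, and a receiver that reassembles out-of-order packets, drops packets whose counter is outside its window, and drives retransmission through cumulative acknowledgments. The WINDOW size, the `network` callback and the packet-as-payload simplification are constructed assumptions; real TCP's header overhead, partial overlaps and congestion rules are left out. Note that the receiver trusts the counter alone, which is the property page 9 refers to.

```python
from typing import Callable, Dict, List, Tuple

MOD = 1 << 32             # TCP counters are 32-bit and wrap around
PACKET_LIMIT = 1280       # page 5's packet limit, used here as the payload size per packet
WINDOW = 65535            # constructed receive window for the "does this counter belong?" check
CLIENT_ISN = 0x168BB5D9   # "SYN 168bb5d9" on page 6
SERVER_ISN = 0x747BFA41   # "SYN 747bfa41" on page 6


def handshake(client_isn: int, server_isn: int) -> Tuple[List[str], int, int]:
    """Three-way handshake in the slides' notation; returns (messages, client_seq, server_seq).

    Each SYN consumes one counter value, so data is counted from ISN+1 on each side."""
    msgs = [
        f"Browser → server: “SYN {client_isn:08x}”",
        f"Server → browser: “ACK {(client_isn + 1) % MOD:08x}, SYN {server_isn:08x}”",
        f"Browser → server: “ACK {(server_isn + 1) % MOD:08x}”",
    ]
    return msgs, (client_isn + 1) % MOD, (server_isn + 1) % MOD


def segment(data: bytes, first_seq: int, limit: int = PACKET_LIMIT) -> List[Tuple[int, bytes]]:
    """Split a stream into packets; each carries the counter of its first byte."""
    return [((first_seq + off) % MOD, data[off:off + limit]) for off in range(0, len(data), limit)]


class Receiver:
    """Reassembles a stream from packets that may be lost, duplicated or reordered."""

    def __init__(self, next_seq: int) -> None:
        self.next_seq = next_seq              # counter of the next byte not yet delivered
        self.pending: Dict[int, bytes] = {}   # out-of-order packets parked by counter
        self.delivered = bytearray()

    def receive(self, seq: int, payload: bytes) -> int:
        """Process one packet and return the cumulative ACK (next expected counter)."""
        offset = (seq - self.next_seq) % MOD
        if offset >= WINDOW:
            # Counter outside the window: an old duplicate or a packet from some other
            # connection. Dropping it is how TCP "doesn't confuse connections".
            return self.next_seq
        if offset == 0:
            self._deliver(payload)
            while self.next_seq in self.pending:  # drain packets that are now contiguous
                self._deliver(self.pending.pop(self.next_seq))
        else:
            self.pending.setdefault(seq, payload)  # park until the gap before it is filled
        return self.next_seq

    def _deliver(self, payload: bytes) -> None:
        self.delivered += payload
        self.next_seq = (self.next_seq + len(payload)) % MOD


def transfer(data: bytes, first_seq: int,
             network: Callable[[int, int], bool], max_rounds: int = 10) -> Tuple[bytes, int]:
    """Sender side: keep retransmitting unacknowledged packets until all are acked.

    network(round, seq) returns True if that packet arrives in that round. Packets are
    sent in reverse order each round so the receiver always sees them out of order.
    Returns (reassembled bytes, rounds needed)."""
    rx = Receiver(first_seq)
    unacked = segment(data, first_seq)
    end_seq = (first_seq + len(data)) % MOD
    rounds = 0
    while rx.next_seq != end_seq:
        if rounds == max_rounds:
            raise TimeoutError(f"no acknowledgment of all data after {rounds} rounds")
        rounds += 1
        for seq, payload in reversed(unacked):
            if network(rounds, seq):
                rx.receive(seq, payload)
        ack = rx.next_seq
        # a packet is acknowledged once the cumulative ACK has moved past it
        unacked = [(s, p) for s, p in unacked if (s - ack) % MOD < WINDOW]
    return bytes(rx.delivered), rounds


if __name__ == "__main__":
    messages, _, server_seq = handshake(CLIENT_ISN, SERVER_ISN)
    print("\n".join(messages))
    page = b"<html>constructed sample page</html>" * 100     # constructed, ~3.6 KB
    body, rounds = transfer(page, server_seq, lambda rnd, seq: not (rnd == 1 and seq == server_seq))
    print(f"{len(body)} bytes reassembled after {rounds} rounds")
```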

8

Stream-level crypto
http://www.pqcrypto.org uses HTTP over TCP.
https://www.pqcrypto.org uses HTTP over TLS over TCP.
Your browser
  • finds address 131.155.70.11;
  • makes TCP connection;
  • inside the TCP connection, builds a TLS connection by exchanging crypto keys;
  • inside the TLS connection, sends HTTP request etc.

9

What happens if attacker forges a DNS packet pointing to fake server? Or a TCP packet with bogus data?
DNS software is fooled. TCP software is fooled.
TLS software sees that something has gone wrong, but has no way to recover.
Browser using TLS can make a whole new connection, but this is slow and fragile.
Huge damage from forged packet.

10

Modern trend (e.g., DNSCurve, CurveCP; see also MinimaLT, Google’s QUIC): Authenticate and encrypt each packet separately.
Discard forged packet immediately: no damage.
Retransmit packet if no authenticated acknowledgment.
Engineering advantage: Packet-level crypto works for more protocols than stream-level crypto.
Disadvantage: Crypto must fit into packet.
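Page 10's per-packet design, as an added example (not code from DNSCurve, CurveCP, MinimaLT or QUIC): every packet and every acknowledgment carries its own authenticator, a packet whose authenticator fails is discarded without touching any state, and the sender retransmits until an acknowledgment that verifies under the shared key arrives. Only the authentication side is modelled, with HMAC-SHA256 from the standard library standing in for an AEAD; the packet layout, tag length, direction labels and key are constructed, and the shared key is assumed to come from a key exchange the example does not show.

```python
import hashlib
import hmac
from typing import Callable, List, Optional, Set

TAG_LEN = 16  # constructed: truncated HMAC-SHA256 tag carried in every packet


def auth_tag(key: bytes, label: bytes, counter: int, payload: bytes) -> bytes:
    """Authenticator over (direction label, packet counter, payload).

    The label keeps a data tag from ever verifying as an ack tag, and vice versa."""
    msg = label + counter.to_bytes(8, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def make_packet(key: bytes, counter: int, payload: bytes) -> bytes:
    """Constructed wire format: 8-byte counter || payload || tag."""
    return counter.to_bytes(8, "big") + payload + auth_tag(key, b"data", counter, payload)


class AuthReceiver:
    """Checks each packet on its own; a forged packet is dropped and nothing else changes."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.accepted: Set[int] = set()   # counters already delivered (retransmits only re-ack)
        self.delivered: List[bytes] = []
        self.discarded = 0

    def receive(self, packet: bytes) -> Optional[bytes]:
        """Return an authenticated ack for a genuine packet, or None for a forged one."""
        if len(packet) < 8 + TAG_LEN:
            self.discarded += 1
            return None
        counter = int.from_bytes(packet[:8], "big")
        payload, got = packet[8:-TAG_LEN], packet[-TAG_LEN:]
        if not hmac.compare_digest(got, auth_tag(self.key, b"data", counter, payload)):
            self.discarded += 1            # page 10: discard immediately, no damage done
            return None
        if counter not in self.accepted:   # a retransmission is acknowledged but not re-delivered
            self.accepted.add(counter)
            self.delivered.append(payload)
        return auth_tag(self.key, b"ack", counter, b"")


class AuthSender:
    """Retransmits a packet until an acknowledgment that verifies under the key comes back."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.counter = 0

    def send(self, payload: bytes, network: Callable[[int, bytes], Optional[bytes]],
             max_tries: int = 5) -> int:
        """network(attempt, packet) models the channel and returns whatever came back as the
        ack (possibly None, possibly garbage). Returns the number of attempts used."""
        counter, self.counter = self.counter, self.counter + 1
        packet = make_packet(self.key, counter, payload)
        expected_ack = auth_tag(self.key, b"ack", counter, b"")
        for attempt in range(1, max_tries + 1):
            ack = network(attempt, packet)
            # a missing or unauthenticated ack is not evidence of delivery: retransmit
            if ack is not None and hmac.compare_digest(ack, expected_ack):
                return attempt
        raise TimeoutError(f"packet {counter} not acknowledged after {max_tries} tries")


if __name__ == "__main__":
    shared_key = b"constructed-shared-key-32-bytes!"   # constructed; from a key exchange in practice
    rx, tx = AuthReceiver(shared_key), AuthSender(shared_key)
    tries = tx.send(b"GET / HTTP/1.1", lambda attempt, pkt: None if attempt == 1 else rx.receive(pkt))
    print(f"delivered after {tries} tries:", rx.delivered)
```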

11

The KEM+AE philosophy Original view of RSA: Message m is encrypted as me mod pq. “Hybrid” view of RSA, including random padding: Choose random AES-GCM key k. Randomly pad k as r. Encrypt r as re mod pq. Encrypt m under k. Fragile, many problems: e.g., Coppersmith attack, Bleichenbacher attack, bogus OAEP security proof. Shoup’s “KEM+DEM” “Key encapsulation Choose random r mo Encrypt r as re mo Define k = H(r; re “Data encapsulation Encrypt and authe m under AES-GCM Authenticator catches any modification of Much easier to get Also generalizes nicely Can mix multiple hashes.

slide-49
SLIDE 49

10

DNSCurve, MinimaLT, Authenticate and rately. wledgment. et.

11

The KEM+AE philosophy Original view of RSA: Message m is encrypted as me mod pq. “Hybrid” view of RSA, including random padding: Choose random AES-GCM key k. Randomly pad k as r. Encrypt r as re mod pq. Encrypt m under k. Fragile, many problems: e.g., Coppersmith attack, Bleichenbacher attack, bogus OAEP security proof. Shoup’s “KEM+DEM” view: “Key encapsulation mechanism”: Choose random r mod pq. Encrypt r as re mod pq. Define k = H(r; re mod pq). “Data encapsulation mechanism”: Encrypt and authenticate m under AES-GCM key k. Authenticator catches any modification of re mod p Much easier to get right. Also generalizes nicely. Can mix multiple hashes.

slide-50
SLIDE 50

11

The KEM+AE philosophy

Original view of RSA: Message m is encrypted as m^e mod pq. “Hybrid” view of RSA, including random padding: Choose random AES-GCM key k. Randomly pad k as r. Encrypt r as r^e mod pq. Encrypt m under k. Fragile, many problems: e.g., Coppersmith attack, Bleichenbacher attack, bogus OAEP security proof.

12

Shoup’s “KEM+DEM” view: “Key encapsulation mechanism”: Choose random r mod pq. Encrypt r as r^e mod pq. Define k = H(r; r^e mod pq). “Data encapsulation mechanism”: Encrypt and authenticate m under AES-GCM key k. Authenticator catches any modification of r^e mod pq. Much easier to get right. Also generalizes nicely. Can mix multiple hashes.

13

DEM security hypothesis: weak single-message version of security for secret-key authenticated encryption. Chou: Is it safe to reuse k for multiple messages? Answer: KEM+AE is safe; KEM+AE ⇒ KEM+“nDEM”. (But need literature on this!) AES-GCM, Salsa20-Poly1305, etc. aim for full AE security goal. More complicated alternative: Use KEM+DEM to encrypt an n-time secret key m; reuse m.

14

DNSCurve: ECDH for DNS

Server knows ECDH secret key s. Client knows ECDH secret key c, server’s public key S = sG.
Client → server: packet containing cG; E_k(0; q) where k = H(cS); E is authenticated cipher; q is DNS query.
Server → client: packet containing E_k(1; r) where r is DNS response.

15

Client can reuse c across multiple queries, but this leaks metadata. Let’s assume one-time c. KEM+AE view: Client is sending k = H(cS) encapsulated as cG. This is an “ECDH KEM”. Client then uses k to authenticate+encrypt. Server also uses k to authenticate+encrypt.

16

Post-quantum encrypted DNS

“McEliece KEM”: Client sends k = H(c; e; Sc + e) encapsulated as Sc + e. Random c ∈ F_2^5413; random small e ∈ F_2^6960; public key S ∈ F_2^(6960×5413). S has secret Goppa structure allowing server to decrypt. “Niederreiter KEM”, smaller: Client sends k = H(e; S′e) encapsulated as S′e ∈ F_2^1547.

17

Client → server: packet containing Sc + e; E_k(0; q). (Combine with ECDH KEM.)
Server → client: packet containing E_k(1; r).
r states a server address and the server’s public key. What if the key is too long to fit into a single packet? One simple answer: Client separately requests each block of public key. Can do many requests in parallel.

18

Confidentiality: Attacker can’t guess k, can’t decrypt E_k(0; q); E_k(1; r).
Integrity: Server never signs anything, but E_k includes authentication. Attacker can send new queries but can’t forge q or r. Attacker can replay request.
Availability: Client discards forgery, continues waiting for reply, eventually retransmits request.
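
The packet exchange of pages 14 and 17 and the three properties claimed here, run end to end as an added example (not the slides’ or any project’s code). The KEM is a toy instance of Shoup’s RSA-KEM from page 12 with assumed tiny primes P, Q (insecure, illustration only), standing in for the ECDH or McEliece KEM; the AE is an HMAC-SHA256 encrypt-then-MAC standing in for AES-GCM; ZONE, run_demo and the 8-byte ciphertext field are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Toy textbook-RSA parameters (assumed values, far too small for real use).
P, Q, E = 1000003, 1000033, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
NBYTES = (N.bit_length() + 7) // 8      # 5 bytes here; the packet reserves 8
TAG_LEN = 16


def _kdf(r, c):
    """Shoup's KEM key: k = H(r; r^e mod pq) over fixed-width encodings."""
    return hashlib.sha256(r.to_bytes(NBYTES, "big") + c.to_bytes(NBYTES, "big")).digest()


def kem_encap(pub=(N, E)):
    """Key encapsulation: random r mod pq, ciphertext c = r^e mod pq."""
    n, e = pub
    r = secrets.randbelow(n - 2) + 2
    c = pow(r, e, n)
    return c, _kdf(r, c)


def kem_decap(c, priv=(N, D)):
    n, d = priv
    return _kdf(pow(c, d, n), c)


def _keystream(k, direction, length):
    # HMAC-SHA256 in counter mode. k is one-time (one query, one reply), so the
    # direction byte is the only nonce; reusing k for more messages per direction
    # would repeat keystream: the multi-message ("nDEM") caveat from page 13.
    out, ctr = b"", 0
    while len(out) < length:
        block = b"ks" + bytes([direction]) + ctr.to_bytes(4, "big")
        out += hmac.new(k, block, hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def ae_encrypt(k, direction, msg):
    """E_k(direction; msg), encrypt-then-MAC. direction 0 = query, 1 = response,
    so a packet reflected back to its sender never authenticates."""
    ct = bytes(a ^ b for a, b in zip(msg, _keystream(k, direction, len(msg))))
    tag = hmac.new(k, b"tag" + bytes([direction]) + ct, hashlib.sha256).digest()[:TAG_LEN]
    return ct + tag


def ae_decrypt(k, direction, pkt):
    """Returns the plaintext, or None: the receiver discards and keeps waiting."""
    if len(pkt) < TAG_LEN:
        return None
    ct, tag = pkt[:-TAG_LEN], pkt[-TAG_LEN:]
    exp = hmac.new(k, b"tag" + bytes([direction]) + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, exp):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(k, direction, len(ct))))


ZONE = {b"example.test": b"192.0.2.1"}   # constructed sample data for the resolver


def client_query(q):
    """Client -> server packet: c ; E_k(0; q). The client keeps k for the reply."""
    c, k = kem_encap()
    return k, c.to_bytes(8, "big") + ae_encrypt(k, 0, q)


def server_handle(pkt):
    """Stateless server: re-derive k, authenticate, answer with E_k(1; r).
    It never signs anything; a forged packet yields None and is dropped."""
    k = kem_decap(int.from_bytes(pkt[:8], "big"))
    q = ae_decrypt(k, 0, pkt[8:])
    if q is None:
        return None
    return ae_encrypt(k, 1, ZONE.get(q, b"NXDOMAIN"))


def flip_bit(b, pos):
    return bytes([x ^ (1 if i == pos else 0) for i, x in enumerate(b)])


def run_demo():
    k, pkt = client_query(b"example.test")
    reply = server_handle(pkt)
    return {
        "honest": ae_decrypt(k, 1, reply) == b"192.0.2.1",
        # integrity: any change to the KEM ciphertext or to the AE part is caught
        "forged_c_dropped": server_handle(flip_bit(pkt, 7)) is None,
        "forged_q_dropped": server_handle(flip_bit(pkt, 12)) is None,
        "forged_r_dropped": ae_decrypt(k, 1, flip_bit(reply, 0)) is None,
        # direction separation: the query reflected to the client is not a reply
        "reflection_dropped": ae_decrypt(k, 1, pkt[8:]) is None,
        # replay is possible (page 18): the server answers the same request again
        "replay_answered": ae_decrypt(k, 1, server_handle(pkt)) == b"192.0.2.1",
    }
```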

19

Big keys

McEliece public key is 1MB for long-term confidence today. Is this size a problem? Do we need to switch to lower-confidence approaches such as NTRU or QC-MDPC? Size of average web page in Alexa Top 1000000: 1.8MB. Web page often needs public keys for several servers, but public key for a server can be reused for many pages.

20

Most important limitation on reuse of public keys: switching to new keys and promptly erasing old keys. Rationale: “forward secrecy”— subsequent theft of computer doesn’t allow decryption. e.g. Microsoft SChannel switches keys every two hours. Safer: new key every minute. Easier to implement: new key every connection.

21

What is the performance of a new key every minute? If server makes new key: key gen, ≤1 per minute; client encrypts to new key; server decrypts. If client makes new key: client has key-gen cost; server has encryption cost; client has decryption cost. Either way: one key transmission for each active client-server pair.


slide-97
SLIDE 97

22

How does a stateless server encrypt to a new client key without storing the key? Slice McEliece public key so that each slice of encryption produces separate small output. Client sends slices (in parallel), receives outputs as cookies, sends cookies (in parallel). Server combines cookies. Continue up through tree. Server generates randomness as secret function of key hash. Statelessly verifies key hash.
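The sliced, cookie-based exchange this slide sketches, as an added example that is not Bernstein's code: a constructed toy linear key (no decoder) stands in for the McEliece/Niederreiter public key, the "key hash" is assumed to be a Merkle root over the slices so the server can check each slice without keeping state, and cookies are assumed to be HMAC-tagged under a server-only secret, which is also what derives the error positions from the key hash.

```python
import hashlib, hmac
from functools import reduce

# Constructed toy sizes; a real McEliece/Niederreiter public key is megabytes and many slices.
N_COLS, T, SLICES = 64, 4, 4                  # 64 key columns, error weight 4, 4 slices of 16
PER = N_COLS // SLICES                        # columns per slice
SERVER_SECRET = b"constructed-server-secret"  # long-term, never leaves the server
def H(*parts): return hashlib.sha256(b"".join(parts)).digest()
def mac(*parts): return hmac.new(SERVER_SECRET, b"".join(parts), "sha256").digest()
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

# Client side.  The key stands in for a parity-check matrix (64 columns of 8 bytes): the syndrome
# of error vector e is the XOR of the columns where e is 1, so it can be built slice by slice.
def make_key(seed): return b"".join(H(b"col", seed, bytes([i]))[:8] for i in range(N_COLS))
def slices(key): return [key[j*PER*8:(j+1)*PER*8] for j in range(SLICES)]
def syndrome(cols, positions):                # one-shot encryption: XOR of the chosen columns
    return reduce(xor, (cols[p*8:(p+1)*8] for p in positions), bytes(8))
def merkle(leaves, j=None):                   # assumption: the "key hash" is a Merkle root
    level, path = [H(b"leaf", s) for s in leaves], []
    while len(level) > 1:
        if j is not None: path.append(level[j ^ 1]); j //= 2
        level = [H(b"node", level[i], level[i+1]) for i in range(0, len(level), 2)]
    return level[0], path                     # root, plus the auth path of slice j if asked

# Server side: no per-client state.  Error positions are a secret function of the key hash.
def error_positions(root):                    # T distinct positions, the same on every request
    draws = (mac(b"rand", root, bytes([c]))[0] % N_COLS for c in range(256))
    return list(dict.fromkeys(draws))[:T]
def server_encrypt_slice(root, j, slice_bytes, path):
    node, idx = H(b"leaf", slice_bytes), j     # statelessly verify the slice against the key hash
    for sib in path:
        node = H(b"node", node, sib) if idx % 2 == 0 else H(b"node", sib, node); idx //= 2
    if node != root: raise ValueError("slice does not match key hash")
    local = [p - j*PER for p in error_positions(root) if j*PER <= p < (j+1)*PER]
    out = syndrome(slice_bytes, local)        # this slice's separate small output
    return (root, out, mac(b"cookie", root, out))   # authenticated cookie, nothing stored
def server_combine(c1, c2):                   # one step up the tree, again without state
    for root, out, tag in (c1, c2):
        if not hmac.compare_digest(tag, mac(b"cookie", root, out)): raise ValueError("bad cookie")
    if c1[0] != c2[0]: raise ValueError("cookies belong to different keys")
    out = xor(c1[1], c2[1])
    return (c1[0], out, mac(b"cookie", c1[0], out))
def client_run(key):                          # client drives the exchange (here in-process)
    sl = slices(key); root = merkle(sl)[0]
    cookies = [server_encrypt_slice(root, j, sl[j], merkle(sl, j)[1]) for j in range(SLICES)]
    while len(cookies) > 1:                   # continue up through the tree
        cookies = [server_combine(cookies[i], cookies[i+1]) for i in range(0, len(cookies), 2)]
    return root, cookies[0][1]                # full ciphertext; server can rederive e from root
```

Because the error positions are a function of the key hash and the server secret alone, the server can recompute them from the root after the last combine step, so the shared secret never has to be stored between requests.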
