the post quantum internet risk management daniel j
play

The post-quantum Internet Risk management Daniel J. Bernstein - PowerPoint PPT Presentation

Dec 22, 2023 •621 likes •2.34k views

1 2 The post-quantum Internet Risk management Daniel J. Bernstein Combining congruences: state-of-the-art pre-quantum University of Illinois at Chicago & attack against original DH, Technische Universiteit Eindhoven RSA, and some

  1. 3 4 smaller improvements: If we put enough effort into Conservative cryptographers papers. exploring Attack Mountain, prefer mountains that will we find the highest peak? less huge, less foggy algorithms for At least within › ? more thoroughly explo RSA-1024, RSA-2048: CFRAC; Combining-Congruences Mountain LS; is a huge, foggy, high-dimensional QS; mountain with many paths up. NFS. Scary: easy to imagine that relevant to RSA.) we’re not at the top yet. is there 18-year bet announced in 2014: reakthroughs? Joux wins if RSA-2048 is broken first by pre-quantum algorithms; is there I win if RSA-2048 is broken reakthroughs? first by quantum algorithms.

  2. 3 4 rovements: If we put enough effort into Conservative cryptographers exploring Attack Mountain, prefer mountains that seem will we find the highest peak? less huge, less foggy, for At least within › ? more thoroughly explored. RSA-2048: Combining-Congruences Mountain is a huge, foggy, high-dimensional mountain with many paths up. Scary: easy to imagine that RSA.) we’re not at the top yet. 18-year bet announced in 2014: Joux wins if RSA-2048 is broken first by pre-quantum algorithms; I win if RSA-2048 is broken first by quantum algorithms.

  3. 4 5 If we put enough effort into Conservative cryptographers exploring Attack Mountain, prefer mountains that seem will we find the highest peak? less huge, less foggy, At least within › ? more thoroughly explored. Combining-Congruences Mountain is a huge, foggy, high-dimensional mountain with many paths up. Scary: easy to imagine that we’re not at the top yet. 18-year bet announced in 2014: Joux wins if RSA-2048 is broken first by pre-quantum algorithms; I win if RSA-2048 is broken first by quantum algorithms.

  4. 4 5 If we put enough effort into Conservative cryptographers exploring Attack Mountain, prefer mountains that seem will we find the highest peak? less huge, less foggy, At least within › ? more thoroughly explored. Combining-Congruences Mountain 1986 Miller “Use of is a huge, foggy, high-dimensional elliptic curves in cryptography”: mountain with many paths up. “It is extremely unlikely Scary: easy to imagine that that an ‘index calculus’ attack we’re not at the top yet. [combining-congruences attack] on the elliptic curve method 18-year bet announced in 2014: will ever be able to work.” Joux wins if RSA-2048 is broken first by pre-quantum algorithms; I win if RSA-2048 is broken first by quantum algorithms.

  5. 4 5 If we put enough effort into Conservative cryptographers exploring Attack Mountain, prefer mountains that seem will we find the highest peak? less huge, less foggy, At least within › ? more thoroughly explored. Combining-Congruences Mountain 1986 Miller “Use of is a huge, foggy, high-dimensional elliptic curves in cryptography”: mountain with many paths up. “It is extremely unlikely Scary: easy to imagine that that an ‘index calculus’ attack we’re not at the top yet. [combining-congruences attack] on the elliptic curve method 18-year bet announced in 2014: will ever be able to work.” Joux wins if RSA-2048 is broken first by pre-quantum algorithms; This is the core argument for I win if RSA-2048 is broken ECC. Exceptions: rare curves with first by quantum algorithms. special structure—e.g., pairings.

  6. 4 5 put enough effort into Conservative cryptographers 2015 Lange: ring Attack Mountain, prefer mountains that seem bet your find the highest peak? less huge, less foggy, least within › ? more thoroughly explored. Combining-Congruences Mountain 1986 Miller “Use of huge, foggy, high-dimensional elliptic curves in cryptography”: mountain with many paths up. “It is extremely unlikely easy to imagine that that an ‘index calculus’ attack not at the top yet. [combining-congruences attack] on the elliptic curve method r bet announced in 2014: will ever be able to work.” wins if RSA-2048 is broken y pre-quantum algorithms; This is the core argument for if RSA-2048 is broken ECC. Exceptions: rare curves with y quantum algorithms. special structure—e.g., pairings.

  7. 4 5 effort into Conservative cryptographers 2015 Lange: “Would Mountain, prefer mountains that seem bet your kidneys on highest peak? less huge, less foggy, ? more thoroughly explored. Combining-Congruences Mountain 1986 Miller “Use of high-dimensional elliptic curves in cryptography”: many paths up. “It is extremely unlikely imagine that that an ‘index calculus’ attack top yet. [combining-congruences attack] on the elliptic curve method announced in 2014: will ever be able to work.” RSA-2048 is broken re-quantum algorithms; This is the core argument for RSA-2048 is broken ECC. Exceptions: rare curves with algorithms. special structure—e.g., pairings.

  8. 4 5 into Conservative cryptographers 2015 Lange: “Would you Mountain, prefer mountains that seem bet your kidneys on that?” eak? less huge, less foggy, more thoroughly explored. Mountain 1986 Miller “Use of high-dimensional elliptic curves in cryptography”: paths up. “It is extremely unlikely that that an ‘index calculus’ attack [combining-congruences attack] on the elliptic curve method 2014: will ever be able to work.” broken rithms; This is the core argument for en ECC. Exceptions: rare curves with rithms. special structure—e.g., pairings.

  9. 5 6 Conservative cryptographers 2015 Lange: “Would you prefer mountains that seem bet your kidneys on that?” less huge, less foggy, more thoroughly explored. 1986 Miller “Use of elliptic curves in cryptography”: “It is extremely unlikely that an ‘index calculus’ attack [combining-congruences attack] on the elliptic curve method will ever be able to work.” This is the core argument for ECC. Exceptions: rare curves with special structure—e.g., pairings.

  10. 5 6 Conservative cryptographers 2015 Lange: “Would you Risk of future mountains that seem bet your kidneys on that?” big universal huge, less foggy, noticeable thoroughly explored. terrifying Miller “Use of curves in cryptography”: extremely unlikely an ‘index calculus’ attack [combining-congruences attack] elliptic curve method ever be able to work.” the core argument for Exceptions: rare curves with ecial structure—e.g., pairings.

  11. 5 6 cryptographers 2015 Lange: “Would you Risk of future attack ins that seem bet your kidneys on that?” big universal quantum foggy, noticeable probabilit explored. terrifying impact. “Use of cryptography”: unlikely calculus’ attack [combining-congruences attack] curve method to work.” argument for Exceptions: rare curves with structure—e.g., pairings.

  12. 5 6 cryptographers 2015 Lange: “Would you Risk of future attacker having bet your kidneys on that?” big universal quantum computer: noticeable probability; terrifying impact. cryptography”: attack attack] d for curves with pairings.

  13. 6 7 2015 Lange: “Would you Risk of future attacker having bet your kidneys on that?” big universal quantum computer: noticeable probability; terrifying impact.

  14. 6 7 2015 Lange: “Would you Risk of future attacker having bet your kidneys on that?” big universal quantum computer: noticeable probability; terrifying impact. Fortunately, we already know some confidence-inspiring post-quantum systems, including • hash-based signatures; • McEliece public-key encryption; • AES-256 etc. https://pqcrypto.eu.org/docs/ initial-recommendations.pdf

  15. 6 7 Lange: “Would you Risk of future attacker having Application: our kidneys on that?” big universal quantum computer: Your computer noticeable probability; new version terrifying impact. Your computer Fortunately, we already know signature some confidence-inspiring from the post-quantum systems, including Critical use • hash-based signatures; Otherwise • McEliece public-key encryption; insert malw • AES-256 etc. e.g. OpenBSD https://pqcrypto.eu.org/docs/ signed using initial-recommendations.pdf ECC signature

  16. 6 7 ould you Risk of future attacker having Application: softw on that?” big universal quantum computer: Your computer dow noticeable probability; new version of its terrifying impact. Your computer checks Fortunately, we already know signature on the do some confidence-inspiring from the OS manufacturer. post-quantum systems, including Critical use of crypto! • hash-based signatures; Otherwise criminals • McEliece public-key encryption; insert malware into • AES-256 etc. e.g. OpenBSD updates https://pqcrypto.eu.org/docs/ signed using state-of-the-a initial-recommendations.pdf ECC signature system:

  17. 6 7 Risk of future attacker having Application: software updates that?” big universal quantum computer: Your computer downloads noticeable probability; new version of its OS. terrifying impact. Your computer checks Fortunately, we already know signature on the download some confidence-inspiring from the OS manufacturer. post-quantum systems, including Critical use of crypto! • hash-based signatures; Otherwise criminals could • McEliece public-key encryption; insert malware into the OS. • AES-256 etc. e.g. OpenBSD updates are https://pqcrypto.eu.org/docs/ signed using state-of-the-art initial-recommendations.pdf ECC signature system: Ed25519.

  18. 7 8 Risk of future attacker having Application: software updates big universal quantum computer: Your computer downloads noticeable probability; new version of its OS. terrifying impact. Your computer checks Fortunately, we already know signature on the download some confidence-inspiring from the OS manufacturer. post-quantum systems, including Critical use of crypto! • hash-based signatures; Otherwise criminals could • McEliece public-key encryption; insert malware into the OS. • AES-256 etc. e.g. OpenBSD updates are https://pqcrypto.eu.org/docs/ signed using state-of-the-art initial-recommendations.pdf ECC signature system: Ed25519.

  19. 7 8 of future attacker having Application: software updates Pre-quantum universal quantum computer: needs to Your computer downloads noticeable probability; post-quantum new version of its OS. terrifying impact. Your computer checks nately, we already know signature on the download confidence-inspiring from the OS manufacturer. ost-quantum systems, including Critical use of crypto! hash-based signatures; Otherwise criminals could McEliece public-key encryption; insert malware into the OS. AES-256 etc. e.g. OpenBSD updates are https://pqcrypto.eu.org/docs/ signed using state-of-the-art initial-recommendations.pdf ECC signature system: Ed25519.

  20. 7 8 attacker having Application: software updates Pre-quantum signature antum computer: needs to be replaced Your computer downloads ability; post-quantum signature new version of its OS. impact. Your computer checks already know signature on the download e-inspiring from the OS manufacturer. systems, including Critical use of crypto! signatures; Otherwise criminals could ublic-key encryption; insert malware into the OS. e.g. OpenBSD updates are https://pqcrypto.eu.org/docs/ signed using state-of-the-art initial-recommendations.pdf ECC signature system: Ed25519.

  21. 7 8 having Application: software updates Pre-quantum signature system computer: needs to be replaced with Your computer downloads post-quantum signature system new version of its OS. Your computer checks know signature on the download from the OS manufacturer. including Critical use of crypto! Otherwise criminals could encryption; insert malware into the OS. e.g. OpenBSD updates are https://pqcrypto.eu.org/docs/ signed using state-of-the-art initial-recommendations.pdf ECC signature system: Ed25519.

  22. 8 9 Application: software updates Pre-quantum signature system P needs to be replaced with Your computer downloads post-quantum signature system Q . new version of its OS. Your computer checks signature on the download from the OS manufacturer. Critical use of crypto! Otherwise criminals could insert malware into the OS. e.g. OpenBSD updates are signed using state-of-the-art ECC signature system: Ed25519.

  23. 8 9 Application: software updates Pre-quantum signature system P needs to be replaced with Your computer downloads post-quantum signature system Q . new version of its OS. Make auditors happier: Your computer checks Replace P with P + Q . signature on the download from the OS manufacturer. P + Q public key concatenates P public key, Q public key. Critical use of crypto! P + Q signature concatenates Otherwise criminals could P signature, Q signature. insert malware into the OS. e.g. OpenBSD updates are signed using state-of-the-art ECC signature system: Ed25519.

  24. 8 9 Application: software updates Pre-quantum signature system P needs to be replaced with Your computer downloads post-quantum signature system Q . new version of its OS. Make auditors happier: Your computer checks Replace P with P + Q . signature on the download from the OS manufacturer. P + Q public key concatenates P public key, Q public key. Critical use of crypto! P + Q signature concatenates Otherwise criminals could P signature, Q signature. insert malware into the OS. Want a tiny public key? e.g. OpenBSD updates are Replace public key with hash. signed using state-of-the-art Include missing information ECC signature system: Ed25519. ( ≤ entire key) inside signature.

  25. 8 9 Application: software updates Pre-quantum signature system P e.g. Ed25519+SPHINCS-256. needs to be replaced with computer downloads SPHINCS-256 post-quantum signature system Q . version of its OS. ≈ 50 million Make auditors happier: ≈ 1 million computer checks Replace P with P + Q . Negligible signature on the download verify compa the OS manufacturer. P + Q public key concatenates P public key, Q public key. Critical use of crypto! P + Q signature concatenates Otherwise criminals could P signature, Q signature. malware into the OS. Want a tiny public key? OpenBSD updates are Replace public key with hash. using state-of-the-art Include missing information signature system: Ed25519. ( ≤ entire key) inside signature.

  26. 8 9 software updates Pre-quantum signature system P e.g. Ed25519+SPHINCS-256. needs to be replaced with downloads SPHINCS-256 signature post-quantum signature system Q . its OS. ≈ 50 million cycles Make auditors happier: ≈ 1 million cycles to checks Replace P with P + Q . Negligible cost to sign, download verify compared to manufacturer. P + Q public key concatenates P public key, Q public key. crypto! P + Q signature concatenates nals could P signature, Q signature. into the OS. Want a tiny public key? updates are Replace public key with hash. state-of-the-art Include missing information system: Ed25519. ( ≤ entire key) inside signature.

  27. 8 9 dates Pre-quantum signature system P e.g. Ed25519+SPHINCS-256. needs to be replaced with SPHINCS-256 signature is 41KB; post-quantum signature system Q . ≈ 50 million cycles to generate; Make auditors happier: ≈ 1 million cycles to verify. Replace P with P + Q . Negligible cost to sign, transmit, verify compared to OS update. manufacturer. P + Q public key concatenates P public key, Q public key. P + Q signature concatenates P signature, Q signature. OS. Want a tiny public key? re Replace public key with hash. rt Include missing information Ed25519. ( ≤ entire key) inside signature.

  28. 9 10 Pre-quantum signature system P e.g. Ed25519+SPHINCS-256. needs to be replaced with SPHINCS-256 signature is 41KB; post-quantum signature system Q . ≈ 50 million cycles to generate; Make auditors happier: ≈ 1 million cycles to verify. Replace P with P + Q . Negligible cost to sign, transmit, verify compared to OS update. P + Q public key concatenates P public key, Q public key. P + Q signature concatenates P signature, Q signature. Want a tiny public key? Replace public key with hash. Include missing information ( ≤ entire key) inside signature.

  29. 9 10 Pre-quantum signature system P e.g. Ed25519+SPHINCS-256. needs to be replaced with SPHINCS-256 signature is 41KB; post-quantum signature system Q . ≈ 50 million cycles to generate; Make auditors happier: ≈ 1 million cycles to verify. Replace P with P + Q . Negligible cost to sign, transmit, verify compared to OS update. P + Q public key concatenates P public key, Q public key. +Ed25519: unnoticeable cost. P + Q signature concatenates Some extra system complexity, P signature, Q signature. but the system includes Ed25519 code anyway. Want a tiny public key? Replace public key with hash. Include missing information ( ≤ entire key) inside signature.

  30. 9 10 Pre-quantum signature system P e.g. Ed25519+SPHINCS-256. needs to be replaced with SPHINCS-256 signature is 41KB; post-quantum signature system Q . ≈ 50 million cycles to generate; Make auditors happier: ≈ 1 million cycles to verify. Replace P with P + Q . Negligible cost to sign, transmit, verify compared to OS update. P + Q public key concatenates P public key, Q public key. +Ed25519: unnoticeable cost. P + Q signature concatenates Some extra system complexity, P signature, Q signature. but the system includes Ed25519 code anyway. Want a tiny public key? Replace public key with hash. Auditor sees very easily Include missing information that Ed25519+SPHINCS-256 ( ≤ entire key) inside signature. security ≥ Ed25519 security.

  31. 9 10 Pre-quantum signature system P e.g. Ed25519+SPHINCS-256. Does deplo to be replaced with mean that SPHINCS-256 signature is 41KB; ost-quantum signature system Q . On the contra ≈ 50 million cycles to generate; auditors happier: ≈ 1 million cycles to verify. Pre-quantum Replace P with P + Q . Negligible cost to sign, transmit, Hash-based verify compared to OS update. even more public key concatenates than ECC public key, Q public key. +Ed25519: unnoticeable cost. But understanding signature concatenates Some extra system complexity, takes extra signature, Q signature. but the system includes Ed25519 code anyway. a tiny public key? Replace public key with hash. Auditor sees very easily Include missing information that Ed25519+SPHINCS-256 entire key) inside signature. security ≥ Ed25519 security.

  32. 9 10 signature system P e.g. Ed25519+SPHINCS-256. Does deployment of replaced with mean that we don’t SPHINCS-256 signature is 41KB; signature system Q . On the contrary! ≈ 50 million cycles to generate; happier: ≈ 1 million cycles to verify. Pre-quantum situation: P + Q . Negligible cost to sign, transmit, Hash-based signatures verify compared to OS update. even more confidence-inspiring ey concatenates than ECC signature public key. +Ed25519: unnoticeable cost. But understanding concatenates Some extra system complexity, takes extra work fo signature. but the system includes Ed25519 code anyway. public key? ey with hash. Auditor sees very easily information that Ed25519+SPHINCS-256 inside signature. security ≥ Ed25519 security.

  33. 9 10 system P e.g. Ed25519+SPHINCS-256. Does deployment of P + Q mean that we don’t trust Q ? SPHINCS-256 signature is 41KB; system Q . On the contrary! ≈ 50 million cycles to generate; ≈ 1 million cycles to verify. Pre-quantum situation: Negligible cost to sign, transmit, Hash-based signatures are verify compared to OS update. even more confidence-inspiring concatenates than ECC signatures. . +Ed25519: unnoticeable cost. But understanding this fact concatenates Some extra system complexity, takes extra work for auditor. but the system includes Ed25519 code anyway. sh. Auditor sees very easily rmation that Ed25519+SPHINCS-256 signature. security ≥ Ed25519 security.

  34. 10 11 e.g. Ed25519+SPHINCS-256. Does deployment of P + Q mean that we don’t trust Q ? SPHINCS-256 signature is 41KB; On the contrary! ≈ 50 million cycles to generate; ≈ 1 million cycles to verify. Pre-quantum situation: Negligible cost to sign, transmit, Hash-based signatures are verify compared to OS update. even more confidence-inspiring than ECC signatures. +Ed25519: unnoticeable cost. But understanding this fact Some extra system complexity, takes extra work for auditor. but the system includes Ed25519 code anyway. Auditor sees very easily that Ed25519+SPHINCS-256 security ≥ Ed25519 security.

  35. 10 11 e.g. Ed25519+SPHINCS-256. Does deployment of P + Q mean that we don’t trust Q ? SPHINCS-256 signature is 41KB; On the contrary! ≈ 50 million cycles to generate; ≈ 1 million cycles to verify. Pre-quantum situation: Negligible cost to sign, transmit, Hash-based signatures are verify compared to OS update. even more confidence-inspiring than ECC signatures. +Ed25519: unnoticeable cost. But understanding this fact Some extra system complexity, takes extra work for auditor. but the system includes Ed25519 code anyway. Long-term situation: Users see quantum computers Auditor sees very easily easily breaking P . Simplify system that Ed25519+SPHINCS-256 by switching from P + Q to Q . security ≥ Ed25519 security.

  36. 10 11 Ed25519+SPHINCS-256. Does deployment of P + Q IP: Internet mean that we don’t trust Q ? SPHINCS-256 signature is 41KB; IP communicates On the contrary! million cycles to generate; limited-length million cycles to verify. Pre-quantum situation: Each computer Negligible cost to sign, transmit, Hash-based signatures are has a 4-b compared to OS update. even more confidence-inspiring e.g. www.pqcrypto.org than ECC signatures. +Ed25519: unnoticeable cost. address 131.155.70.11 But understanding this fact extra system complexity, Your bro takes extra work for auditor. the system includes addressed Ed25519 code anyway. Long-term situation: gives pack Users see quantum computers r sees very easily Hopefully easily breaking P . Simplify system Ed25519+SPHINCS-256 that pack by switching from P + Q to Q . y ≥ Ed25519 security.

  37. 10 11 Ed25519+SPHINCS-256. Does deployment of P + Q IP: Internet Protocol mean that we don’t trust Q ? signature is 41KB; IP communicates “pack On the contrary! cycles to generate; limited-length byte cycles to verify. Pre-quantum situation: Each computer on to sign, transmit, Hash-based signatures are has a 4-byte “IP address”. to OS update. even more confidence-inspiring e.g. www.pqcrypto.org than ECC signatures. unnoticeable cost. address 131.155.70.11 But understanding this fact system complexity, Your browser creates takes extra work for auditor. includes addressed to 131.155.70.11 anyway. Long-term situation: gives packet to the Users see quantum computers very easily Hopefully the Internet easily breaking P . Simplify system Ed25519+SPHINCS-256 that packet to 131.155.70.11 by switching from P + Q to Q . Ed25519 security.

  38. 10 11 Ed25519+SPHINCS-256. Does deployment of P + Q IP: Internet Protocol mean that we don’t trust Q ? 41KB; IP communicates “packets”: On the contrary! generate; limited-length byte strings. . Pre-quantum situation: Each computer on the Internet transmit, Hash-based signatures are has a 4-byte “IP address”. date. even more confidence-inspiring e.g. www.pqcrypto.org has than ECC signatures. cost. address 131.155.70.11 . But understanding this fact complexity, Your browser creates a packet takes extra work for auditor. addressed to 131.155.70.11 Long-term situation: gives packet to the Internet. Users see quantum computers Hopefully the Internet delivers easily breaking P . Simplify system Ed25519+SPHINCS-256 that packet to 131.155.70.11 by switching from P + Q to Q . security.

  39. 11 12 Does deployment of P + Q IP: Internet Protocol mean that we don’t trust Q ? IP communicates “packets”: On the contrary! limited-length byte strings. Pre-quantum situation: Each computer on the Internet Hash-based signatures are has a 4-byte “IP address”. even more confidence-inspiring e.g. www.pqcrypto.org has than ECC signatures. address 131.155.70.11 . But understanding this fact Your browser creates a packet takes extra work for auditor. addressed to 131.155.70.11 ; Long-term situation: gives packet to the Internet. Users see quantum computers Hopefully the Internet delivers easily breaking P . Simplify system that packet to 131.155.70.11 . by switching from P + Q to Q .

  40. 11 12 deployment of P + Q IP: Internet Protocol DNS: Domain that we don’t trust Q ? IP communicates “packets”: You actually the contrary! limited-length byte strings. connect Pre-quantum situation: Each computer on the Internet Browser Hash-based signatures are has a 4-byte “IP address”. by asking more confidence-inspiring e.g. www.pqcrypto.org has the pqcrypto.org ECC signatures. address 131.155.70.11 . Browser understanding this fact Your browser creates a packet “ Where extra work for auditor. addressed to 131.155.70.11 ; Long-term situation: gives packet to the Internet. see quantum computers Hopefully the Internet delivers breaking P . Simplify system that packet to 131.155.70.11 . switching from P + Q to Q .

  41. 11 12 t of P + Q IP: Internet Protocol DNS: Domain Name don’t trust Q ? IP communicates “packets”: You actually told y ry! limited-length byte strings. connect to www.pqcrypto.org situation: Each computer on the Internet Browser learns “ 131.155.70.11 signatures are has a 4-byte “IP address”. by asking a name server, confidence-inspiring e.g. www.pqcrypto.org has the pqcrypto.org signatures. address 131.155.70.11 . Browser → 131.155.71.143 understanding this fact Your browser creates a packet “ Where is www.pqcrypto.org? for auditor. addressed to 131.155.70.11 ; situation: gives packet to the Internet. quantum computers Hopefully the Internet delivers . Simplify system that packet to 131.155.70.11 . from P + Q to Q .

  42. 11 12 IP: Internet Protocol DNS: Domain Name System Q ? IP communicates “packets”: You actually told your browser limited-length byte strings. connect to www.pqcrypto.org Each computer on the Internet Browser learns “ 131.155.70.11 has a 4-byte “IP address”. by asking a name server, confidence-inspiring e.g. www.pqcrypto.org has the pqcrypto.org name server. address 131.155.70.11 . Browser → 131.155.71.143 fact Your browser creates a packet “ Where is www.pqcrypto.org? auditor. addressed to 131.155.70.11 ; gives packet to the Internet. computers Hopefully the Internet delivers Simplify system that packet to 131.155.70.11 . to Q .

  43. 12 13 IP: Internet Protocol DNS: Domain Name System IP communicates “packets”: You actually told your browser to limited-length byte strings. connect to www.pqcrypto.org . Each computer on the Internet Browser learns “ 131.155.70.11 ” has a 4-byte “IP address”. by asking a name server, e.g. www.pqcrypto.org has the pqcrypto.org name server. address 131.155.70.11 . Browser → 131.155.71.143 : Your browser creates a packet “ Where is www.pqcrypto.org? ” addressed to 131.155.70.11 ; gives packet to the Internet. Hopefully the Internet delivers that packet to 131.155.70.11 .

  44. 12 13 IP: Internet Protocol DNS: Domain Name System IP communicates “packets”: You actually told your browser to limited-length byte strings. connect to www.pqcrypto.org . Each computer on the Internet Browser learns “ 131.155.70.11 ” has a 4-byte “IP address”. by asking a name server, e.g. www.pqcrypto.org has the pqcrypto.org name server. address 131.155.70.11 . Browser → 131.155.71.143 : Your browser creates a packet “ Where is www.pqcrypto.org? ” addressed to 131.155.70.11 ; IP packet from browser also gives packet to the Internet. includes a return address: Hopefully the Internet delivers the address of your computer. that packet to 131.155.70.11 . 131.155.71.143 → browser: “ 131.155.70.11 ”

  45. 12 13 Internet Protocol DNS: Domain Name System Browser address, communicates “packets”: You actually told your browser to by asking limited-length byte strings. connect to www.pqcrypto.org . Browser computer on the Internet Browser learns “ 131.155.70.11 ” “ Where 4-byte “IP address”. by asking a name server, www.pqcrypto.org has the pqcrypto.org name server. 199.19.54.1 address 131.155.70.11 . “ Ask the Browser → 131.155.71.143 : name server, rowser creates a packet “ Where is www.pqcrypto.org? ” addressed to 131.155.70.11 ; IP packet from browser also packet to the Internet. includes a return address: efully the Internet delivers the address of your computer. packet to 131.155.70.11 . 131.155.71.143 → browser: “ 131.155.70.11 ”

  46. 12 13 Protocol DNS: Domain Name System Browser learns the address, “ 131.155.71.143 communicates “packets”: You actually told your browser to by asking the .org yte strings. connect to www.pqcrypto.org . Browser → 199.19.54.1 on the Internet Browser learns “ 131.155.70.11 ” “ Where is www.pqcrypto.org? address”. by asking a name server, www.pqcrypto.org has the pqcrypto.org name server. 199.19.54.1 → b 131.155.70.11 . “ Ask the pqcrypto.org Browser → 131.155.71.143 : name server, 131.155.71.143 creates a packet “ Where is www.pqcrypto.org? ” 131.155.70.11 ; IP packet from browser also the Internet. includes a return address: Internet delivers the address of your computer. 131.155.70.11 . 131.155.71.143 → browser: “ 131.155.70.11 ”

  47. 12 13 DNS: Domain Name System Browser learns the name-server address, “ 131.155.71.143 ”, ets”: You actually told your browser to by asking the .org name server. strings. connect to www.pqcrypto.org . Browser → 199.19.54.1 : Internet Browser learns “ 131.155.70.11 ” “ Where is www.pqcrypto.org? address”. by asking a name server, has the pqcrypto.org name server. 199.19.54.1 → browser: “ Ask the pqcrypto.org Browser → 131.155.71.143 : name server, 131.155.71.143 packet “ Where is www.pqcrypto.org? ” 131.155.70.11 ; IP packet from browser also Internet. includes a return address: delivers the address of your computer. 131.155.70.11 . 131.155.71.143 → browser: “ 131.155.70.11 ”

  48. 13 14 DNS: Domain Name System Browser learns the name-server address, “ 131.155.71.143 ”, You actually told your browser to by asking the .org name server. connect to www.pqcrypto.org . Browser → 199.19.54.1 : Browser learns “ 131.155.70.11 ” “ Where is www.pqcrypto.org? ” by asking a name server, the pqcrypto.org name server. 199.19.54.1 → browser: “ Ask the pqcrypto.org Browser → 131.155.71.143 : name server, 131.155.71.143 ” “ Where is www.pqcrypto.org? ” IP packet from browser also includes a return address: the address of your computer. 131.155.71.143 → browser: “ 131.155.70.11 ”

  49. 13 14 DNS: Domain Name System Browser learns the name-server address, “ 131.155.71.143 ”, You actually told your browser to by asking the .org name server. connect to www.pqcrypto.org . Browser → 199.19.54.1 : Browser learns “ 131.155.70.11 ” “ Where is www.pqcrypto.org? ” by asking a name server, the pqcrypto.org name server. 199.19.54.1 → browser: “ Ask the pqcrypto.org Browser → 131.155.71.143 : name server, 131.155.71.143 ” “ Where is www.pqcrypto.org? ” Browser learns “ 199.19.54.1 ”, IP packet from browser also the .org server address, includes a return address: by asking the root name server. the address of your computer. 131.155.71.143 → browser: “ 131.155.70.11 ”

  50. 13 14 DNS: Domain Name System Browser learns the name-server address, “ 131.155.71.143 ”, You actually told your browser to by asking the .org name server. connect to www.pqcrypto.org . Browser → 199.19.54.1 : Browser learns “ 131.155.70.11 ” “ Where is www.pqcrypto.org? ” by asking a name server, the pqcrypto.org name server. 199.19.54.1 → browser: “ Ask the pqcrypto.org Browser → 131.155.71.143 : name server, 131.155.71.143 ” “ Where is www.pqcrypto.org? ” Browser learns “ 199.19.54.1 ”, IP packet from browser also the .org server address, includes a return address: by asking the root name server. the address of your computer. Browser learned root address 131.155.71.143 → browser: by consulting the Bible. “ 131.155.70.11 ”

  51. 13 14 Domain Name System Browser learns the name-server TCP: Transmission address, “ 131.155.71.143 ”, actually told your browser to Packets by asking the .org name server. connect to www.pqcrypto.org . (Actually Browser → 199.19.54.1 : wser learns “ 131.155.70.11 ” Oldest IP “ Where is www.pqcrypto.org? ” asking a name server, ≥ 576. Usually pqcrypto.org name server. 199.19.54.1 → browser: often 1500, “ Ask the pqcrypto.org wser → 131.155.71.143 : name server, 131.155.71.143 ” is www.pqcrypto.org? ” Browser learns “ 199.19.54.1 ”, packet from browser also the .org server address, includes a return address: by asking the root name server. address of your computer. Browser learned root address 131.155.71.143 → browser: by consulting the Bible. 131.155.70.11 ”

  52. 13 14 Name System Browser learns the name-server TCP: Transmission address, “ 131.155.71.143 ”, told your browser to Packets are limited by asking the .org name server. www.pqcrypto.org . (Actually depends Browser → 199.19.54.1 : 131.155.70.11 ” Oldest IP standards “ Where is www.pqcrypto.org? ” name server, ≥ 576. Usually 1492 pqcrypto.org name server. 199.19.54.1 → browser: often 1500, sometimes “ Ask the pqcrypto.org 131.155.71.143 : name server, 131.155.71.143 ” www.pqcrypto.org? ” Browser learns “ 199.19.54.1 ”, rowser also the .org server address, address: by asking the root name server. our computer. Browser learned root address → browser: by consulting the Bible. ”

  53. 13 14 System Browser learns the name-server TCP: Transmission Control Proto address, “ 131.155.71.143 ”, wser to Packets are limited to 1280 b by asking the .org name server. www.pqcrypto.org . (Actually depends on network. Browser → 199.19.54.1 : 131.155.70.11 ” Oldest IP standards required “ Where is www.pqcrypto.org? ” ≥ 576. Usually 1492 is safe, server. 199.19.54.1 → browser: often 1500, sometimes more.) “ Ask the pqcrypto.org 131.155.71.143 : name server, 131.155.71.143 ” www.pqcrypto.org? ” Browser learns “ 199.19.54.1 ”, also the .org server address, by asking the root name server. computer. Browser learned root address wser: by consulting the Bible.

  54. 14 15 Browser learns the name-server TCP: Transmission Control Protocol address, “ 131.155.71.143 ”, Packets are limited to 1280 bytes. by asking the .org name server. (Actually depends on network. Browser → 199.19.54.1 : Oldest IP standards required “ Where is www.pqcrypto.org? ” ≥ 576. Usually 1492 is safe, 199.19.54.1 → browser: often 1500, sometimes more.) “ Ask the pqcrypto.org name server, 131.155.71.143 ” Browser learns “ 199.19.54.1 ”, the .org server address, by asking the root name server. Browser learned root address by consulting the Bible.

  55. 14 15 Browser learns the name-server TCP: Transmission Control Protocol address, “ 131.155.71.143 ”, Packets are limited to 1280 bytes. by asking the .org name server. (Actually depends on network. Browser → 199.19.54.1 : Oldest IP standards required “ Where is www.pqcrypto.org? ” ≥ 576. Usually 1492 is safe, 199.19.54.1 → browser: often 1500, sometimes more.) “ Ask the pqcrypto.org The page you’re downloading name server, 131.155.71.143 ” from pqcrypto.org doesn’t fit. Browser learns “ 199.19.54.1 ”, the .org server address, by asking the root name server. Browser learned root address by consulting the Bible.

  56. 14 15 Browser learns the name-server TCP: Transmission Control Protocol address, “ 131.155.71.143 ”, Packets are limited to 1280 bytes. by asking the .org name server. (Actually depends on network. Browser → 199.19.54.1 : Oldest IP standards required “ Where is www.pqcrypto.org? ” ≥ 576. Usually 1492 is safe, 199.19.54.1 → browser: often 1500, sometimes more.) “ Ask the pqcrypto.org The page you’re downloading name server, 131.155.71.143 ” from pqcrypto.org doesn’t fit. Browser learns “ 199.19.54.1 ”, Browser actually makes “TCP the .org server address, connection” to pqcrypto.org . by asking the root name server. Inside that connection: sends Browser learned root address HTTP request, receives response. by consulting the Bible.

  57. 14 15 wser learns the name-server TCP: Transmission Control Protocol Browser address, “ 131.155.71.143 ”, “ SYN 168bb5d9 Packets are limited to 1280 bytes. asking the .org name server. Server → (Actually depends on network. wser → 199.19.54.1 : “ ACK 168bb5da, Oldest IP standards required is www.pqcrypto.org? ” ≥ 576. Usually 1492 is safe, Browser 199.19.54.1 → browser: often 1500, sometimes more.) “ ACK 747bfa42 the pqcrypto.org The page you’re downloading Server no server, 131.155.71.143 ” from pqcrypto.org doesn’t fit. for this TCP wser learns “ 199.19.54.1 ”, Browser actually makes “TCP Browser .org server address, connection” to pqcrypto.org . counting asking the root name server. Inside that connection: sends Server splits wser learned root address HTTP request, receives response. counting consulting the Bible.

  58. 14 15 the name-server TCP: Transmission Control Protocol Browser → server: 131.155.71.143 ”, “ SYN 168bb5d9 ” Packets are limited to 1280 bytes. .org name server. Server → browser: (Actually depends on network. 199.19.54.1 : “ ACK 168bb5da, SYN Oldest IP standards required www.pqcrypto.org? ” ≥ 576. Usually 1492 is safe, Browser → server: browser: often 1500, sometimes more.) “ ACK 747bfa42 ” pqcrypto.org The page you’re downloading Server now allocates 131.155.71.143 ” from pqcrypto.org doesn’t fit. for this TCP connection. 199.19.54.1 ”, Browser actually makes “TCP Browser splits data address, connection” to pqcrypto.org . counting bytes from ot name server. Inside that connection: sends Server splits data into root address HTTP request, receives response. counting bytes from the Bible.

  59. 14 15 name-server TCP: Transmission Control Protocol Browser → server: ”, “ SYN 168bb5d9 ” Packets are limited to 1280 bytes. server. Server → browser: (Actually depends on network. : “ ACK 168bb5da, SYN 747bfa41 Oldest IP standards required www.pqcrypto.org? ” ≥ 576. Usually 1492 is safe, Browser → server: often 1500, sometimes more.) “ ACK 747bfa42 ” The page you’re downloading Server now allocates buffers 131.155.71.143 ” from pqcrypto.org doesn’t fit. for this TCP connection. 199.19.54.1 ”, Browser actually makes “TCP Browser splits data into pack connection” to pqcrypto.org . counting bytes from 168bb5da server. Inside that connection: sends Server splits data into packets, address HTTP request, receives response. counting bytes from 747bfa42

  60. 15 16 TCP: Transmission Control Protocol Browser → server: “ SYN 168bb5d9 ” Packets are limited to 1280 bytes. Server → browser: (Actually depends on network. “ ACK 168bb5da, SYN 747bfa41 ” Oldest IP standards required ≥ 576. Usually 1492 is safe, Browser → server: often 1500, sometimes more.) “ ACK 747bfa42 ” The page you’re downloading Server now allocates buffers from pqcrypto.org doesn’t fit. for this TCP connection. Browser actually makes “TCP Browser splits data into packets, connection” to pqcrypto.org . counting bytes from 168bb5da . Inside that connection: sends Server splits data into packets, HTTP request, receives response. counting bytes from 747bfa42 .

  61. 15 16 Transmission Control Protocol Browser → server: Main feature “ SYN 168bb5d9 ” “reliable ts are limited to 1280 bytes. Server → browser: Internet (Actually depends on network. “ ACK 168bb5da, SYN 747bfa41 ” or delivers IP standards required Doesn’t Usually 1492 is safe, Browser → server: computer 1500, sometimes more.) “ ACK 747bfa42 ” inside each page you’re downloading Server now allocates buffers Computer pqcrypto.org doesn’t fit. for this TCP connection. if data is wser actually makes “TCP Browser splits data into packets, Complicated connection” to pqcrypto.org . counting bytes from 168bb5da . retransmission that connection: sends avoiding Server splits data into packets, request, receives response. counting bytes from 747bfa42 .

  62. 15 16 ransmission Control Protocol Browser → server: Main feature adver “ SYN 168bb5d9 ” “reliable data streams”. limited to 1280 bytes. Server → browser: Internet sometimes ends on network. “ ACK 168bb5da, SYN 747bfa41 ” or delivers packets rds required Doesn’t confuse T 1492 is safe, Browser → server: computer checks the sometimes more.) “ ACK 747bfa42 ” inside each TCP pack downloading Server now allocates buffers Computer retransmits pqcrypto.org doesn’t fit. for this TCP connection. if data is not ackno makes “TCP Browser splits data into packets, Complicated rules pqcrypto.org . counting bytes from 168bb5da . retransmission schedule, connection: sends avoiding network congestion. Server splits data into packets, receives response. counting bytes from 747bfa42 .

  63. 15 16 Control Protocol Browser → server: Main feature advertised by TCP: “ SYN 168bb5d9 ” “reliable data streams”. 1280 bytes. Server → browser: Internet sometimes loses pack ork. “ ACK 168bb5da, SYN 747bfa41 ” or delivers packets out of order. required Doesn’t confuse TCP connections: safe, Browser → server: computer checks the counter re.) “ ACK 747bfa42 ” inside each TCP packet. wnloading Server now allocates buffers Computer retransmits data esn’t fit. for this TCP connection. if data is not acknowledged. “TCP Browser splits data into packets, Complicated rules to decide pqcrypto.org . counting bytes from 168bb5da . retransmission schedule, sends avoiding network congestion. Server splits data into packets, response. counting bytes from 747bfa42 .

  64. 16 17 Browser → server: Main feature advertised by TCP: “ SYN 168bb5d9 ” “reliable data streams”. Server → browser: Internet sometimes loses packets “ ACK 168bb5da, SYN 747bfa41 ” or delivers packets out of order. Doesn’t confuse TCP connections: Browser → server: computer checks the counter “ ACK 747bfa42 ” inside each TCP packet. Server now allocates buffers Computer retransmits data for this TCP connection. if data is not acknowledged. Browser splits data into packets, Complicated rules to decide counting bytes from 168bb5da . retransmission schedule, avoiding network congestion. Server splits data into packets, counting bytes from 747bfa42 .

  65. 16 17 wser → server: Main feature advertised by TCP: Stream-level 168bb5d9 ” “reliable data streams”. http://www.pqcrypto.org → browser: Internet sometimes loses packets uses HTTP 168bb5da, SYN 747bfa41 ” or delivers packets out of order. https://www.pqcrypto.org Doesn’t confuse TCP connections: wser → server: uses HTTP computer checks the counter 747bfa42 ” Your bro inside each TCP packet. now allocates buffers • finds address Computer retransmits data is TCP connection. • makes if data is not acknowledged. • inside wser splits data into packets, Complicated rules to decide builds counting bytes from 168bb5da . retransmission schedule, by exchangin avoiding network congestion. splits data into packets, • inside counting bytes from 747bfa42 . sends HTTP

  66. 16 17 server: Main feature advertised by TCP: Stream-level crypto ” “reliable data streams”. http://www.pqcrypto.org wser: Internet sometimes loses packets uses HTTP over TCP SYN 747bfa41 ” or delivers packets out of order. https://www.pqcrypto.org Doesn’t confuse TCP connections: server: uses HTTP over TLS computer checks the counter ” Your browser inside each TCP packet. cates buffers • finds address 131.155.70.11 Computer retransmits data connection. • makes TCP connection; if data is not acknowledged. • inside the TCP connection, data into packets, Complicated rules to decide builds a TLS connection from 168bb5da . retransmission schedule, by exchanging crypto avoiding network congestion. data into packets, • inside the TLS connection, from 747bfa42 . sends HTTP request

  67. 16 17 Main feature advertised by TCP: Stream-level crypto “reliable data streams”. http://www.pqcrypto.org Internet sometimes loses packets uses HTTP over TCP. 747bfa41 ” or delivers packets out of order. https://www.pqcrypto.org Doesn’t confuse TCP connections: uses HTTP over TLS over T computer checks the counter Your browser inside each TCP packet. buffers • finds address 131.155.70.11 Computer retransmits data • makes TCP connection; if data is not acknowledged. • inside the TCP connection, packets, Complicated rules to decide builds a TLS connection 168bb5da . retransmission schedule, by exchanging crypto keys; avoiding network congestion. packets, • inside the TLS connection, 747bfa42 . sends HTTP request etc.

  68. 17 18 Main feature advertised by TCP: Stream-level crypto “reliable data streams”. http://www.pqcrypto.org Internet sometimes loses packets uses HTTP over TCP. or delivers packets out of order. https://www.pqcrypto.org Doesn’t confuse TCP connections: uses HTTP over TLS over TCP. computer checks the counter Your browser inside each TCP packet. • finds address 131.155.70.11 ; Computer retransmits data • makes TCP connection; if data is not acknowledged. • inside the TCP connection, Complicated rules to decide builds a TLS connection retransmission schedule, by exchanging crypto keys; avoiding network congestion. • inside the TLS connection, sends HTTP request etc.

  69. 17 18 feature advertised by TCP: Stream-level crypto What happ “reliable data streams”. forges a http://www.pqcrypto.org pointing Internet sometimes loses packets uses HTTP over TCP. Or a TCP delivers packets out of order. https://www.pqcrypto.org with bogus esn’t confuse TCP connections: uses HTTP over TLS over TCP. computer checks the counter DNS soft Your browser each TCP packet. TCP soft • finds address 131.155.70.11 ; TLS soft Computer retransmits data • makes TCP connection; something is not acknowledged. • inside the TCP connection, but has no Complicated rules to decide builds a TLS connection retransmission schedule, Browser by exchanging crypto keys; avoiding network congestion. make a whole • inside the TLS connection, but this sends HTTP request etc. Huge damage

  70. 17 18 dvertised by TCP: Stream-level crypto What happens if attack treams”. forges a DNS pack http://www.pqcrypto.org pointing to fake server? es loses packets uses HTTP over TCP. Or a TCP packet ets out of order. https://www.pqcrypto.org with bogus data? TCP connections: uses HTTP over TLS over TCP. s the counter DNS software is fo Your browser packet. TCP software is fo • finds address 131.155.70.11 ; TLS software sees retransmits data • makes TCP connection; something has gone acknowledged. • inside the TCP connection, but has no way to rules to decide builds a TLS connection schedule, Browser using TLS by exchanging crypto keys; congestion. make a whole new • inside the TLS connection, but this is slow and sends HTTP request etc. Huge damage from

  71. 17 18 TCP: Stream-level crypto What happens if attacker forges a DNS packet http://www.pqcrypto.org pointing to fake server? packets uses HTTP over TCP. Or a TCP packet order. https://www.pqcrypto.org with bogus data? connections: uses HTTP over TLS over TCP. counter DNS software is fooled. Your browser TCP software is fooled. • finds address 131.155.70.11 ; TLS software sees that data • makes TCP connection; something has gone wrong, wledged. • inside the TCP connection, but has no way to recover. decide builds a TLS connection Browser using TLS can by exchanging crypto keys; congestion. make a whole new connection, • inside the TLS connection, but this is slow and fragile. sends HTTP request etc. Huge damage from forged pack

  72. 18 19 Stream-level crypto What happens if attacker forges a DNS packet http://www.pqcrypto.org pointing to fake server? uses HTTP over TCP. Or a TCP packet https://www.pqcrypto.org with bogus data? uses HTTP over TLS over TCP. DNS software is fooled. Your browser TCP software is fooled. • finds address 131.155.70.11 ; TLS software sees that • makes TCP connection; something has gone wrong, • inside the TCP connection, but has no way to recover. builds a TLS connection Browser using TLS can by exchanging crypto keys; make a whole new connection, • inside the TLS connection, but this is slow and fragile. sends HTTP request etc. Huge damage from forged packet.

  73. 18 19 Stream-level crypto What happens if attacker Modern forges a DNS packet CurveCP; http://www.pqcrypto.org pointing to fake server? Google’s HTTP over TCP. Or a TCP packet encrypt each https://www.pqcrypto.org with bogus data? Discard fo HTTP over TLS over TCP. DNS software is fooled. immediately: rowser TCP software is fooled. Retransmit address 131.155.70.11 ; TLS software sees that authenticated es TCP connection; something has gone wrong, inside the TCP connection, but has no way to recover. builds a TLS connection Browser using TLS can exchanging crypto keys; make a whole new connection, inside the TLS connection, but this is slow and fragile. sends HTTP request etc. Huge damage from forged packet.

  74. 18 19 crypto What happens if attacker Modern trend (e.g., forges a DNS packet CurveCP; see also http://www.pqcrypto.org pointing to fake server? Google’s QUIC): Authenticate TCP. Or a TCP packet encrypt each packet https://www.pqcrypto.org with bogus data? Discard forged pack TLS over TCP. DNS software is fooled. immediately: no damage. TCP software is fooled. Retransmit packet 131.155.70.11 ; TLS software sees that authenticated ackno connection; something has gone wrong, connection, but has no way to recover. connection Browser using TLS can crypto keys; make a whole new connection, connection, but this is slow and fragile. request etc. Huge damage from forged packet.

  75. 18 19 What happens if attacker Modern trend (e.g., DNSCurve, forges a DNS packet CurveCP; see also MinimaLT, http://www.pqcrypto.org pointing to fake server? Google’s QUIC): Authenticate Or a TCP packet encrypt each packet separately https://www.pqcrypto.org with bogus data? Discard forged packet TCP. DNS software is fooled. immediately: no damage. TCP software is fooled. Retransmit packet if no 131.155.70.11 ; TLS software sees that authenticated acknowledgment. something has gone wrong, connection, but has no way to recover. Browser using TLS can eys; make a whole new connection, connection, but this is slow and fragile. etc. Huge damage from forged packet.

  76. 19 20 What happens if attacker Modern trend (e.g., DNSCurve, forges a DNS packet CurveCP; see also MinimaLT, pointing to fake server? Google’s QUIC): Authenticate and Or a TCP packet encrypt each packet separately. with bogus data? Discard forged packet DNS software is fooled. immediately: no damage. TCP software is fooled. Retransmit packet if no TLS software sees that authenticated acknowledgment. something has gone wrong, but has no way to recover. Browser using TLS can make a whole new connection, but this is slow and fragile. Huge damage from forged packet.

  77. 19 20 What happens if attacker Modern trend (e.g., DNSCurve, forges a DNS packet CurveCP; see also MinimaLT, pointing to fake server? Google’s QUIC): Authenticate and Or a TCP packet encrypt each packet separately. with bogus data? Discard forged packet DNS software is fooled. immediately: no damage. TCP software is fooled. Retransmit packet if no TLS software sees that authenticated acknowledgment. something has gone wrong, Engineering advantage: but has no way to recover. Packet-level crypto Browser using TLS can works for more protocols make a whole new connection, than stream-level crypto. but this is slow and fragile. Huge damage from forged packet.

  78. 19 20 What happens if attacker Modern trend (e.g., DNSCurve, forges a DNS packet CurveCP; see also MinimaLT, pointing to fake server? Google’s QUIC): Authenticate and Or a TCP packet encrypt each packet separately. with bogus data? Discard forged packet DNS software is fooled. immediately: no damage. TCP software is fooled. Retransmit packet if no TLS software sees that authenticated acknowledgment. something has gone wrong, Engineering advantage: but has no way to recover. Packet-level crypto Browser using TLS can works for more protocols make a whole new connection, than stream-level crypto. but this is slow and fragile. Disadvantage: Huge damage from forged packet. Crypto must fit into packet.

  79. 19 20 happens if attacker Modern trend (e.g., DNSCurve, The KEM+AE a DNS packet CurveCP; see also MinimaLT, Original ointing to fake server? Google’s QUIC): Authenticate and Message TCP packet encrypt each packet separately. as m e mo ogus data? Discard forged packet software is fooled. immediately: no damage. software is fooled. Retransmit packet if no software sees that authenticated acknowledgment. something has gone wrong, Engineering advantage: has no way to recover. Packet-level crypto wser using TLS can works for more protocols a whole new connection, than stream-level crypto. this is slow and fragile. Disadvantage: damage from forged packet. Crypto must fit into packet.

  80. 19 20 if attacker Modern trend (e.g., DNSCurve, The KEM+AE philosophy packet CurveCP; see also MinimaLT, Original view of RSA: server? Google’s QUIC): Authenticate and Message m is encrypted et encrypt each packet separately. as m e mod pq . data? Discard forged packet fooled. immediately: no damage. fooled. Retransmit packet if no sees that authenticated acknowledgment. gone wrong, Engineering advantage: to recover. Packet-level crypto TLS can works for more protocols new connection, than stream-level crypto. and fragile. Disadvantage: from forged packet. Crypto must fit into packet.

  81. 19 20 Modern trend (e.g., DNSCurve, The KEM+AE philosophy CurveCP; see also MinimaLT, Original view of RSA: Google’s QUIC): Authenticate and Message m is encrypted encrypt each packet separately. as m e mod pq . Discard forged packet immediately: no damage. Retransmit packet if no authenticated acknowledgment. wrong, Engineering advantage: recover. Packet-level crypto works for more protocols connection, than stream-level crypto. fragile. Disadvantage: packet. Crypto must fit into packet.

  82. 20 21 Modern trend (e.g., DNSCurve, The KEM+AE philosophy CurveCP; see also MinimaLT, Original view of RSA: Google’s QUIC): Authenticate and Message m is encrypted encrypt each packet separately. as m e mod pq . Discard forged packet immediately: no damage. Retransmit packet if no authenticated acknowledgment. Engineering advantage: Packet-level crypto works for more protocols than stream-level crypto. Disadvantage: Crypto must fit into packet.

  83. 20 21 Modern trend (e.g., DNSCurve, The KEM+AE philosophy CurveCP; see also MinimaLT, Original view of RSA: Google’s QUIC): Authenticate and Message m is encrypted encrypt each packet separately. as m e mod pq . Discard forged packet “Hybrid” view of RSA, immediately: no damage. including random padding: Retransmit packet if no Choose random AES-GCM key k . authenticated acknowledgment. Randomly pad k as r . Encrypt r as r e mod pq . Engineering advantage: Packet-level crypto Encrypt m under k . works for more protocols than stream-level crypto. Disadvantage: Crypto must fit into packet.

  84. 20 21 Modern trend (e.g., DNSCurve, The KEM+AE philosophy CurveCP; see also MinimaLT, Original view of RSA: Google’s QUIC): Authenticate and Message m is encrypted encrypt each packet separately. as m e mod pq . Discard forged packet “Hybrid” view of RSA, immediately: no damage. including random padding: Retransmit packet if no Choose random AES-GCM key k . authenticated acknowledgment. Randomly pad k as r . Encrypt r as r e mod pq . Engineering advantage: Packet-level crypto Encrypt m under k . works for more protocols Fragile, many problems: than stream-level crypto. e.g., Coppersmith attack, Disadvantage: Bleichenbacher attack, Crypto must fit into packet. bogus OAEP security proof.

  85. 20 21 dern trend (e.g., DNSCurve, The KEM+AE philosophy Shoup’s CurveCP; see also MinimaLT, Original view of RSA: “Key enc ogle’s QUIC): Authenticate and Message m is encrypted Choose random encrypt each packet separately. as m e mod pq . Encrypt rd forged packet Define k “Hybrid” view of RSA, immediately: no damage. including random padding: “Data encapsulation Retransmit packet if no Choose random AES-GCM key k . Encrypt authenticated acknowledgment. Randomly pad k as r . m under Encrypt r as r e mod pq . Engineering advantage: Authenticato t-level crypto Encrypt m under k . any modification for more protocols Fragile, many problems: Much easier stream-level crypto. e.g., Coppersmith attack, Also generalizes Disadvantage: Bleichenbacher attack, P + Q : hash must fit into packet. bogus OAEP security proof.

  86. 20 21 (e.g., DNSCurve, The KEM+AE philosophy Shoup’s “KEM+DEM” also MinimaLT, Original view of RSA: “Key encapsulation QUIC): Authenticate and Message m is encrypted Choose random r mo packet separately. as m e mod pq . Encrypt r as r e mo Define k = H ( r; r e packet “Hybrid” view of RSA, damage. including random padding: “Data encapsulation et if no Choose random AES-GCM key k . Encrypt and authe acknowledgment. Randomly pad k as r . m under AES-GCM Encrypt r as r e mod pq . advantage: Authenticator catches crypto Encrypt m under k . any modification of rotocols Fragile, many problems: Much easier to get stream-level crypto. e.g., Coppersmith attack, Also generalizes nicely Bleichenbacher attack, P + Q : hash concatenation. into packet. bogus OAEP security proof.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The post-quantum Internet IP: Internet Protocol Daniel J. Bernstein IP communicates

The post-quantum Internet IP: Internet Protocol Daniel J. Bernstein IP communicates

1 2 The post-quantum Internet IP: Internet Protocol Daniel J. Bernstein IP communicates packets: limited-length byte strings. University of Illinois at Chicago & Technische Universiteit Eindhoven Each computer on the Internet has

1.36k views • 97 slides
The post-quantum Internet Daniel J. Bernstein University of Illinois at Chicago & Technische

The post-quantum Internet Daniel J. Bernstein University of Illinois at Chicago & Technische

1 The post-quantum Internet Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Includes joint work with: Tanja Lange Technische Universiteit Eindhoven 2 Risk management Combining

988 views • 70 slides
The Quantum Risk & Post-Quantum Crypto JP Aumasson The Quantum Risk & Post-Quantum

The Quantum Risk & Post-Quantum Crypto JP Aumasson The Quantum Risk & Post-Quantum

The Quantum Risk & Post-Quantum Crypto JP Aumasson The Quantum Risk & Post-Quantum Crypto JP Aumasson uantum /me 15 years experience in applied cryptography (PhD, industry, consulting) Designed widely used algorithms Author of the

816 views • 52 slides
The post-quantum Internet Daniel J. Bernstein University of Illinois at Chicago & Technische

The post-quantum Internet Daniel J. Bernstein University of Illinois at Chicago & Technische

1 The post-quantum Internet Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Includes joint work with: Tanja Lange Technische Universiteit Eindhoven 2 IP: Internet Protocol IP communicates

526 views • 38 slides
Standardization of post-quantum cryptography Tanja Lange 08 May 2016 A Workshop About

Standardization of post-quantum cryptography Tanja Lange 08 May 2016 A Workshop About

Standardization of post-quantum cryptography Tanja Lange 08 May 2016 A Workshop About Cryptographic Standards History of post-quantum cryptography 2003 Daniel J. Bernstein introduces term Post-quantum cryptography. PQCrypto 2006:

623 views • 23 slides
Post-quantum cryptography Tanja Lange (with Daniel J. Bernstein) Technische Universiteit

Post-quantum cryptography Tanja Lange (with Daniel J. Bernstein) Technische Universiteit

Post-quantum cryptography Tanja Lange (with Daniel J. Bernstein) Technische Universiteit Eindhoven 17 January 2016 8th Winter School on Quantum Cybersecurity Cryptography Motivation #1: Communication channels are spying on our

894 views • 68 slides
PQCHacks: a gentle introduction to post-quantum cryptography Daniel J. Bernstein 1 , 2 Tanja Lange

PQCHacks: a gentle introduction to post-quantum cryptography Daniel J. Bernstein 1 , 2 Tanja Lange

PQCHacks: a gentle introduction to post-quantum cryptography Daniel J. Bernstein 1 , 2 Tanja Lange 1 1 Technische Universiteit Eindhoven 2 University of Illinois at Chicago 27 December 2015 D-Wave quantum computer isnt universal . . .

789 views • 65 slides
The year in post-quantum crypto Daniel J. Bernstein, Tanja Lange University of Illinois at

The year in post-quantum crypto Daniel J. Bernstein, Tanja Lange University of Illinois at

The year in post-quantum crypto Daniel J. Bernstein, Tanja Lange University of Illinois at Chicago, Eindhoven University of Technology Post-quantum cryptography: Cryptography designed under the assumption that the attacker (not the user!) has

1.29k views • 94 slides
Post-quantum cryptography Daniel J. Bernstein Turing, 1950 I have set up on the Manchester

Post-quantum cryptography Daniel J. Bernstein Turing, 1950 I have set up on the Manchester

Post-quantum cryptography Daniel J. Bernstein Turing, 1950 I have set up on the Manchester computer a small programme using only 1000 units of storage, whereby the machine supplied with one sixteen figure number replies with another within

2.74k views • 95 slides
Post-quantum RSA We built a great, great 1-terabyte RSA wall, and we had the university pay for

Post-quantum RSA We built a great, great 1-terabyte RSA wall, and we had the university pay for

Post-quantum RSA We built a great, great 1-terabyte RSA wall, and we had the university pay for the electricity Daniel J. Bernstein Joint work with: Nadia Heninger Paul Lou Luke Valenta Post-quantum RSA Daniel J. Bernstein, Nadia Heninger,

788 views • 50 slides
The libpqcrypto software library for post-quantum cryptography Daniel J. Bernstein and many

The libpqcrypto software library for post-quantum cryptography Daniel J. Bernstein and many

The libpqcrypto software library for post-quantum cryptography Daniel J. Bernstein and many contributors libpqcrypto.org Daniel J. Bernstein Context libpqcrypto.org Daniel J. Bernstein Redesigning crypto for security New requirements for

541 views • 51 slides
Post-quantum cryptography Daniel J. Bernstein University of Illinois at Chicago; Ruhr University

Post-quantum cryptography Daniel J. Bernstein University of Illinois at Chicago; Ruhr University

Post-quantum cryptography Daniel J. Bernstein University of Illinois at Chicago; Ruhr University Bochum Wikipedia: Hoover became a controversial figure as evidence of his secretive abuses of power began to surface. He was found to have

1.21k views • 103 slides
Post-quantum cryptography Daniel J. Bernstein & Tanja Lange University of Illinois at

Post-quantum cryptography Daniel J. Bernstein & Tanja Lange University of Illinois at

Post-quantum cryptography Daniel J. Bernstein & Tanja Lange University of Illinois at Chicago; Ruhr University Bochum & Technische Universiteit Eindhoven 12 September 2020 Cryptography Sender Receiver Alice Bob Tsai

760 views • 48 slides
Post-quantum cryptography Daniel J. Bernstein 1 Tanja Lange 1 Peter Schwabe 2 Technische

Post-quantum cryptography Daniel J. Bernstein 1 Tanja Lange 1 Peter Schwabe 2 Technische

Post-quantum cryptography Daniel J. Bernstein 1 Tanja Lange 1 Peter Schwabe 2 Technische Universiteit Eindhoven Radboud University 08 September 2016 Cryptography Motivation #1: Communication channels are spying on our data.

1.34k views • 117 slides
Post-quantum cryptography Daniel J. Bernstein & Tanja Lange University of Illinois at Chicago

Post-quantum cryptography Daniel J. Bernstein & Tanja Lange University of Illinois at Chicago

Post-quantum cryptography Daniel J. Bernstein & Tanja Lange University of Illinois at Chicago & Ruhr University Bochum & Technische Universiteit Eindhoven 10 June 2019 Cryptography Motivation #1: Communication channels are spying

1.17k views • 91 slides
Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers

Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers

Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers can break public-key cryptography that is based on assuming hardness of factoring, discrete logs, and a few other problems I Post-quantum

2.98k views • 37 slides
Universal XSS via IE8s XSS Filters the sordid tale of a wayward hash sign slides:

Universal XSS via IE8s XSS Filters the sordid tale of a wayward hash sign slides:

Universal XSS via IE8s XSS Filters the sordid tale of a wayward hash sign slides: http://p42.us/ie8xss/ About Us Eduardo Vela Nava aka sirdarckcat http://sirdarckcat.net http://twitter.com/sirdarckcat David Lindsay aka

1.1k views • 73 slides
Stocks and Options and Bonds, Oh My! A corporation has this great idea Capital is required to

Stocks and Options and Bonds, Oh My! A corporation has this great idea Capital is required to

Stocks and Options and Bonds, Oh My! A corporation has this great idea Capital is required to see it through Ill let you guess how much he wants Option 1: Borrow the money From a bank From bonds Option 2: Issue stocks on an

952 views • 44 slides
Security Planning and Risk Analysis CS461/ECE422 Computer Security I Fall 2010 Slide #1

Security Planning and Risk Analysis CS461/ECE422 Computer Security I Fall 2010 Slide #1

Security Planning and Risk Analysis CS461/ECE422 Computer Security I Fall 2010 Slide #1 Overview Elements of Risk Analysis Quantitative vs Qualitative Analysis One Risk Analysis framework Slide #2 Reading Material Chapter

706 views • 32 slides
Intro to Life Cycle Analysis 2.83/2.813 Manufacturing End of Life Mining Use Phase Life Cycle

Intro to Life Cycle Analysis 2.83/2.813 Manufacturing End of Life Mining Use Phase Life Cycle

Intro to Life Cycle Analysis 2.83/2.813 Manufacturing End of Life Mining Use Phase Life Cycle Assessment LCA is a methodology to account for and assess the environmental impacts from all phases / stages of a product life cycle Mining

993 views • 72 slides
Chaucer and The Canterbury Tales P . S. Langeslag Chaucer Anglo-Saxon Bureaucracy Laws

Chaucer and The Canterbury Tales P . S. Langeslag Chaucer Anglo-Saxon Bureaucracy Laws

Chaucer and The Canterbury Tales P . S. Langeslag Chaucer Anglo-Saxon Bureaucracy Laws Charters Writs Annals Anglo-Norman Bureaucracy Laws Charters Writs (Chancery) Annals Balance sheets Figure 1: Domesday

601 views • 31 slides
Data Mining 2018 Mining (Social) Network Data Ad Feelders Universiteit Utrecht Ad Feelders (

Data Mining 2018 Mining (Social) Network Data Ad Feelders Universiteit Utrecht Ad Feelders (

Data Mining 2018 Mining (Social) Network Data Ad Feelders Universiteit Utrecht Ad Feelders ( Universiteit Utrecht ) Data Mining 1 / 39 Example: Predicting Romantic Relationships The latest offering from Facebooks data-science team teases

686 views • 39 slides
Business Process Education - Quantum PCard July 9, 2019 Disclaimer This is not meant to be

Business Process Education - Quantum PCard July 9, 2019 Disclaimer This is not meant to be

A leap forward. Transforming systems. Empowering People! Business Process Education - Quantum PCard July 9, 2019 Disclaimer This is not meant to be TRAINING training will be offered closer to Go-Live some will be required to get

479 views • 27 slides
Novinky ve starm dobrm SQL svt Overview PRESENTED BY: Honza Hork Co ns ek

Novinky ve starm dobrm SQL svt Overview PRESENTED BY: Honza Hork Co ns ek

Novinky ve starm dobrm SQL svt Overview PRESENTED BY: Honza Hork Co ns ek Obecn pohled na data ve svt Staronov lenov SQL klubu MySQL MariaDB Galera PostgreSQL Mal odboka... Buzzword

625 views • 29 slides

More recommend