the year in post quantum crypto
play

The year in post-quantum crypto Daniel J. Bernstein, Tanja Lange - PowerPoint PPT Presentation

Feb 14, 2024 •347 likes •1.29k views

The year in post-quantum crypto Daniel J. Bernstein, Tanja Lange University of Illinois at Chicago, Eindhoven University of Technology Post-quantum cryptography: Cryptography designed under the assumption that the attacker (not the user!) has

  1. The year in post-quantum crypto Daniel J. Bernstein, Tanja Lange University of Illinois at Chicago, Eindhoven University of Technology

  2. Post-quantum cryptography: Cryptography designed under the assumption that the attacker (not the user!) has a large quantum computer. The year in post-quantum crypto https://pqcrypto.org Daniel J. Bernstein, Tanja Lange

  3. http://joakimolofsson.deviantart.com/art/Pacific-Rim-372130691

  4. Interest builds in post-quantum cryptography ◮ 2015: Finally even NSA admits that the world needs post-quantum crypto. ◮ 2016: Every agency posts something (NCSC UK, NCSC NL, NSA). ◮ 2016: After public input, NIST calls for submissions to “Post-Quantum Cryptography Standardization Project”. Solicits submissions on signatures and encryption. The year in post-quantum crypto https://pqcrypto.org Daniel J. Bernstein, Tanja Lange

  5. Interest builds in post-quantum cryptography ◮ 2003: djb coins term “post-quantum cryptography”. ◮ 2005–2015: 10 years of motivating people to work on post-quantum crypto. ◮ 2015: Finally even NSA admits that the world needs post-quantum crypto. ◮ 2016: Every agency posts something (NCSC UK, NCSC NL, NSA). ◮ 2016: After public input, NIST calls for submissions to “Post-Quantum Cryptography Standardization Project”. Solicits submissions on signatures and encryption. The year in post-quantum crypto https://pqcrypto.org Daniel J. Bernstein, Tanja Lange

  6. A year ago in the NIST competition . . . 21 December 2017: NIST posts 69 submissions from 260 people. BIG QUAKE. BIKE. CFPKM. Classic McEliece. Compact LWE. CRYSTALS-DILITHIUM. CRYSTALS-KYBER. DAGS. Ding Key Exchange. DME. DRS. DualModeMS. Edon-K. EMBLEM and R.EMBLEM. FALCON. FrodoKEM. GeMSS. Giophantus. Gravity-SPHINCS. Guess Again. Gui. HILA5. HiMQ-3. HK17. HQC. KINDI. LAC. LAKE. LEDAkem. LEDApkc. Lepton. LIMA. Lizard. LOCKER. LOTUS. LUOV. McNie. Mersenne-756839. MQDSS. NewHope. NTRUEncrypt. pqNTRUSign. NTRU-HRSS-KEM. NTRU Prime. NTS-KEM. Odd Manhattan. OKCN/AKCN/CNKE. Ouroboros-R. Picnic. pqRSA encryption. pqRSA signature. pqsigRM. QC-MDPC KEM. qTESLA. RaCoSS. Rainbow. Ramstake. RankSign. RLCE-KEM. Round2. RQC. RVB. SABER. SIKE. SPHINCS+. SRTPI. Three Bears. Titanium. WalnutDSA. The year in post-quantum crypto https://pqcrypto.org Daniel J. Bernstein, Tanja Lange

  7. A year ago . . . there were already attacks By end of 2017: 8 out of 69 submissions attacked. BIG QUAKE. BIKE. CFPKM. Classic McEliece. Compact LWE. CRYSTALS-DILITHIUM. CRYSTALS-KYBER. DAGS. Ding Key Exchange. DME. DRS. DualModeMS. Edon-K. EMBLEM and R.EMBLEM. FALCON. FrodoKEM. GeMSS. Giophantus. Gravity-SPHINCS. Guess Again. Gui. HILA5. HiMQ-3. HK17. HQC. KINDI. LAC. LAKE. LEDAkem. LEDApkc. Lepton. LIMA. Lizard. LOCKER. LOTUS. LUOV. McNie. Mersenne-756839. MQDSS. NewHope. NTRUEncrypt. pqNTRUSign. NTRU-HRSS-KEM. NTRU Prime. NTS-KEM. Odd Manhattan. OKCN/AKCN/CNKE. Ouroboros-R. Picnic. pqRSA encryption. pqRSA signature. pqsigRM. QC-MDPC KEM. qTESLA. RaCoSS. Rainbow. Ramstake. RankSign. RLCE-KEM. Round2. RQC. RVB. SABER. SIKE. SPHINCS+. SRTPI. Three Bears. Titanium. WalnutDSA. Some less security than claimed; some really broken; some attack scripts. The year in post-quantum crypto https://pqcrypto.org Daniel J. Bernstein, Tanja Lange

  8. Do cryptographers have any idea what they’re doing? By end of 2018: 22 out of 69 submissions attacked. BIG QUAKE. BIKE. CFPKM. Classic McEliece. Compact LWE. CRYSTALS-DILITHIUM. CRYSTALS-KYBER. DAGS. Ding Key Exchange. DME. DRS. DualModeMS. Edon-K. EMBLEM and R.EMBLEM. FALCON. FrodoKEM. GeMSS. Giophantus. Gravity-SPHINCS. Guess Again. Gui. HILA5. HiMQ-3. HK17. HQC. KINDI. LAC. LAKE. LEDAkem. LEDApkc. Lepton. LIMA. Lizard. LOCKER. LOTUS. LUOV. McNie. Mersenne-756839. MQDSS. NewHope. NTRUEncrypt. pqNTRUSign. NTRU-HRSS-KEM. NTRU Prime. NTS-KEM. Odd Manhattan. OKCN/AKCN/CNKE. Ouroboros-R. Picnic. pqRSA encryption. pqRSA signature. pqsigRM. QC-MDPC KEM. qTESLA. RaCoSS. Rainbow. Ramstake. RankSign. RLCE-KEM. Round2. RQC. RVB. SABER. SIKE. SPHINCS+. SRTPI. Three Bears. Titanium. WalnutDSA. Some less security than claimed; some really broken; some attack scripts. The year in post-quantum crypto https://pqcrypto.org Daniel J. Bernstein, Tanja Lange

  9. Some attempts to explain the situation People often categorize submissions. Examples of categories: ◮ Code-based encryption and signatures. ◮ Hash-based signatures. ◮ Isogeny-based encryption. ◮ Lattice-based encryption and signatures. ◮ Multivariate-quadratic encryption and signatures. The year in post-quantum crypto https://pqcrypto.org Daniel J. Bernstein, Tanja Lange

  10. Some attempts to explain the situation “What’s safe is lattice-based cryptography.” — Are you sure about that? The year in post-quantum crypto https://pqcrypto.org Daniel J. Bernstein, Tanja Lange

  11. Some attempts to explain the situation “What’s safe is lattice-based cryptography.” — Are you sure about that? Lattice-based submissions: Compact LWE. CRYSTALS-DILITHIUM. CRYSTALS-KYBER. Ding Key Exchange. DRS. EMBLEM and R.EMBLEM. FALCON. FrodoKEM. HILA5. KINDI. LAC. LIMA. Lizard. LOTUS. NewHope. NTRUEncrypt. NTRU-HRSS-KEM. NTRU Prime. Odd Manhattan. OKCN/AKCN/CNKE. pqNTRUSign. qTESLA. Round2. SABER. Titanium. The year in post-quantum crypto https://pqcrypto.org Daniel J. Bernstein, Tanja Lange

  12. Some attempts to explain the situation “What’s safe is lattice-based cryptography.” — Are you sure about that? Lattice-based submissions: Compact LWE. CRYSTALS-DILITHIUM. CRYSTALS-KYBER. Ding Key Exchange. DRS. EMBLEM and R.EMBLEM. FALCON. FrodoKEM. HILA5. KINDI. LAC. LIMA. Lizard. LOTUS. NewHope. NTRUEncrypt. NTRU-HRSS-KEM. NTRU Prime. Odd Manhattan. OKCN/AKCN/CNKE. pqNTRUSign. qTESLA. Round2. SABER. Titanium. Important progress in lattice attacks this decade—even this year. e.g. D’Anvers–Vercauteren–Verbauwhede papers in November+December: “On the impact of decryption failures on the security of LWE/LWR based schemes”; “The impact of error dependencies on Ring/Mod-LWE/LWR based schemes”. The year in post-quantum crypto https://pqcrypto.org Daniel J. Bernstein, Tanja Lange

  13. Some attempts to explain the situation “What’s safe is using the portfolio from the European PQCRYPTO project.” — Are you sure about that? The year in post-quantum crypto https://pqcrypto.org Daniel J. Bernstein, Tanja Lange

  14. Some attempts to explain the situation “What’s safe is using the portfolio from the European PQCRYPTO project.” — Are you sure about that? The portfolio: BIG QUAKE. BIKE. Classic McEliece. CRYSTALS-DILITHIUM. CRYSTALS-KYBER. DAGS. FrodoKEM. Gui. KINDI. LUOV. MQDSS. NewHope. NTRU-HRSS-KEM. NTRU Prime. Picnic. qTESLA. Rainbow. Ramstake. SABER. SPHINCS+. The year in post-quantum crypto https://pqcrypto.org Daniel J. Bernstein, Tanja Lange

  15. Some attempts to explain the situation “What’s safe is using the portfolio from the European PQCRYPTO project.” — Are you sure about that? The portfolio: BIG QUAKE. BIKE. Classic McEliece. CRYSTALS-DILITHIUM. CRYSTALS-KYBER. DAGS. FrodoKEM. Gui. KINDI. LUOV. MQDSS. NewHope. NTRU-HRSS-KEM. NTRU Prime. Picnic. qTESLA. Rainbow. Ramstake. SABER. SPHINCS+. 69 submissions = denial-of-service attack against security evaluation . Maybe cryptanalysts have been focusing on submissions from outside the project. The year in post-quantum crypto https://pqcrypto.org Daniel J. Bernstein, Tanja Lange

  16. April 2018: PQCrypto 2018, and NIST conference

  17. New RaCoSS parameters Kirill Morozov (UNT) RaCoSS – Random-code-based Courtois-Finiasz-Sendrier signature scheme code-based signature variant is SEUF-CMA • Submitted to NIST Competition [Roy, M, Fukushima, Kiyomoto , Takagi ‘17] [M, Roy, Steinwandt , Xu ‘18] • Adaptation of “Fiat - Shamir with abort” https://www.degruyter.com/downloadpdf/j/math.2018.16. from [Lyubashevsky ‘09] issue-1/math-2018-0011/math-2018-0011.pdf • [Hülsing, Bernstein, Panny , Lange: Nov’17] • Attack on original parameters Problem: EUF-CMA security proof by [Dallot ‘07] does not apply due to Goppa-code distinguisher • Updated secure parameters coming soon, [Faugere, Gauthier, Otmani , Perret, Tillich, ‘11] but the keys and signature sizes are terabytes • • Quasi-cyclic (QC) variant: possibly megabytes Way around: Assume hardness of the underlying Niederreiter problem • # signatures (life-time of keys) may be limited • • Extra: Security against key-substitution attack Design improvements needed to shift from theoretical to practical security via hashing pk [Menezes Smart ‘04] Framework for efficient • Efficient universally composable (UC) protocol for OT secure against active adaptive adversaries from special type of OW-CPA secure PKE in ROM adaptively secure UC • Covered: Low-noise LPN, McEliece, QC-MDPC, and CDH assumptions oblivious transfer (OT) in ROM • The first UC-secure OT protocols based on coding assumptions to achieve: 1) adaptive security, 2) low round complexity, [Barreto, David, Dowsley, M, Nascimento, 3) low communication and computational complexities Crypto ePrint ‘17 ] https:// ia.cr/2017/993

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The Quantum Risk & Post-Quantum Crypto JP Aumasson The Quantum Risk & Post-Quantum

The Quantum Risk & Post-Quantum Crypto JP Aumasson The Quantum Risk & Post-Quantum

The Quantum Risk & Post-Quantum Crypto JP Aumasson The Quantum Risk & Post-Quantum Crypto JP Aumasson uantum /me 15 years experience in applied cryptography (PhD, industry, consulting) Designed widely used algorithms Author of the

816 views • 52 slides
Post Quantum Crypto B e r n d F i x < b r f @ h o i - p o l l o i . o

Post Quantum Crypto B e r n d F i x < b r f @ h o i - p o l l o i . o

1 / 2 9 Post Quantum Crypto B e r n d F i x < b r f @ h o i - p o l l o i . o r g > Post-Quantum Crypto Bernd Fix < b r f @ h o i - p o l l o i . o r g > 2 / 2 9 Intro P r

340 views • 29 slides
Getting Post-Quantum Crypto Algorithms Ready for Deployment End of ECRYPT II Event: Crypto for

Getting Post-Quantum Crypto Algorithms Ready for Deployment End of ECRYPT II Event: Crypto for

Getting Post-Quantum Crypto Algorithms Ready for Deployment End of ECRYPT II Event: Crypto for 2020 Tim Gneysu Hardware Security Group Horst Grtz Institute for IT-Security, Bochum 1/24/2013 Outline Introduction Alternative Public-Key

735 views • 55 slides
Cryptographic Engineering An example of post-quantum crypto Radboud University, Nijmegen, The

Cryptographic Engineering An example of post-quantum crypto Radboud University, Nijmegen, The

Cryptographic Engineering An example of post-quantum crypto Radboud University, Nijmegen, The Netherlands Spring 2015 Crypto today Ephemeral ECDH on 256 -bit curve to compute shared key Use EdDSA signatures for public-key

1.43k views • 109 slides
Revisiting Post-Quantum Fiat-Shamir Qipeng Liu & Mark Zhandry

Revisiting Post-Quantum Fiat-Shamir Qipeng Liu & Mark Zhandry

Revisiting Post-Quantum Fiat-Shamir Qipeng Liu & Mark Zhandry (Princeton & NTT Research) Lattice Crypto Post-Quantum Crypto Typical Lattice Crypto Thm: are

623 views • 61 slides
An Overview on Post-Quantum Cryptography with an Emphasis on Code based Systems Joachim Rosenthal

An Overview on Post-Quantum Cryptography with an Emphasis on Code based Systems Joachim Rosenthal

Basics on Public Key Crypto Systems Research Directions in Post-Quantum Cryptography Variants of McEliece System Distinguisher Attacks McEliece for Rank Metric Codes An Overview on Post-Quantum Cryptography with an Emphasis on Code based

1.05k views • 100 slides
Post-Quantum Crypto Challenges Prof. Audun Jsang Universitetet i Oslo DN.no, 1 December 2017

Post-Quantum Crypto Challenges Prof. Audun Jsang Universitetet i Oslo DN.no, 1 December 2017

Post-Quantum Crypto Challenges Prof. Audun Jsang Universitetet i Oslo DN.no, 1 December 2017 Audun Jsang - 2018 PQ Crypto Challenges 2 Aftenposten.no, 10 May 2018 Audun Jsang - 2018 PQ Crypto Challenges 3 Principle for Quantum

587 views • 42 slides
for Post-Quantum Lattice-based Protocols Utsav Banerjee * , Tenzin S. Ukyab, Anantha P.

for Post-Quantum Lattice-based Protocols Utsav Banerjee * , Tenzin S. Ukyab, Anantha P.

Sapphire: A Configurable Crypto-Processor for Post-Quantum Lattice-based Protocols Utsav Banerjee * , Tenzin S. Ukyab, Anantha P. Chandrakasan * utsav@mit.edu Massachusetts Institute of Technology Post-Quantum Cryptography Current public key

911 views • 25 slides
Dustin Moody Post Quantum Cryptography Team National Institute of Standards and Technology (NIST)

Dustin Moody Post Quantum Cryptography Team National Institute of Standards and Technology (NIST)

Dustin Moody Post Quantum Cryptography Team National Institute of Standards and Technology (NIST) When will a quantum computer be built that breaks current crypto? 15 years, $1 billion USD, nuclear power plant (to break RSA-2048)

432 views • 16 slides
Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers

Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers

Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers can break public-key cryptography that is based on assuming hardness of factoring, discrete logs, and a few other problems I Post-quantum

2.98k views • 37 slides
A key-recovery timing attack on post-quantum primitives using the Fujisaki-Okamoto transformation

A key-recovery timing attack on post-quantum primitives using the Fujisaki-Okamoto transformation

A key-recovery timing attack on post-quantum primitives using the Fujisaki-Okamoto transformation and its application on FrodoKEM Qian Guo, Thomas Johansson, Alexander Nilsson August 10, 2020 Preliminaries Implementing Crypto Is Hard

994 views • 80 slides
Introduction to post-quantum cryptography and learning with errors Douglas Stebila Funding

Introduction to post-quantum cryptography and learning with errors Douglas Stebila Funding

Introduction to post-quantum cryptography and learning with errors Douglas Stebila Funding acknowledgements: Summer School on real-world crypto and privacy ibenik, Croatia June 11, 2018

1.67k views • 106 slides
Quantum Cryptography Quantum Cryptography Quantum Quantum Crypto ?? Crypto ?? or or How

Quantum Cryptography Quantum Cryptography Quantum Quantum Crypto ?? Crypto ?? or or How

Quantum Cryptography Quantum Cryptography Quantum Quantum Crypto ?? Crypto ?? or or How Alice Outwits Eve How Alice Outwits Eve Cani Cani Samuel J. Lomonaco, Jr. Samuel J. Lomonaco, Jr. Dept. of Comp. Sci Dept. of Comp. Sci. &

445 views • 16 slides
Saturnin A suite of lightweight symmetric algorithms for post-quantum security Anne Canteaut 1

Saturnin A suite of lightweight symmetric algorithms for post-quantum security Anne Canteaut 1

Saturnin A suite of lightweight symmetric algorithms for post-quantum security Anne Canteaut 1 Sbastien Duval 2 Gatan Leurent 1 Mara Naya-Plasencia 1 Lo Perrin 1 Thomas Pornin 3 Andr Schrottenloher 1 1 Inria, France 2 UCL Crypto Group,

750 views • 26 slides
SW/HW Codesign of the Post-Quantum Cryptography Algorithm NTRUEncrypt Using HLS and RTL Design

SW/HW Codesign of the Post-Quantum Cryptography Algorithm NTRUEncrypt Using HLS and RTL Design

SW/HW Codesign of the Post-Quantum Cryptography Algorithm NTRUEncrypt Using HLS and RTL Design Methodologies Farnoud Farahmand, Duc Tri Nguyen, Viet B. Dang*, Ahmed Ferozpuri and Kris Gaj George Mason University Post st-Quantum Quantum

441 views • 14 slides
Standardization of post-quantum cryptography Tanja Lange 08 May 2016 A Workshop About

Standardization of post-quantum cryptography Tanja Lange 08 May 2016 A Workshop About

Standardization of post-quantum cryptography Tanja Lange 08 May 2016 A Workshop About Cryptographic Standards History of post-quantum cryptography 2003 Daniel J. Bernstein introduces term Post-quantum cryptography. PQCrypto 2006:

623 views • 23 slides
Meta Analysis Isabel Canette Principal Mathematician and Statistician StataCorp LLC 2020

Meta Analysis Isabel Canette Principal Mathematician and Statistician StataCorp LLC 2020

Performing Meta Analysis with Stata Meta Analysis Isabel Canette Principal Mathematician and Statistician StataCorp LLC 2020 Portugal Stata Conference Porto, January 25 2020 Isabel Canette (StataCorp) 1 / 42 Performing Meta Analysis with

528 views • 42 slides
Lecture 10: Heckscher-Ohlin Empirics (I) 14.581 14.581 Spring 2013 Spring

Lecture 10: Heckscher-Ohlin Empirics (I) 14.581 14.581 Spring 2013 Spring

14.581 International Trade Lecture 10: Heckscher-Ohlin Empirics (I) 14.581 14.581 Spring 2013 Spring 2013 14.581 RV and HO Empirics (I) Spring 2013 1 / 55 Plan of Todays Lecture Empirical work on Ricardo-Viner model: 1

888 views • 56 slides
The first 10 years of Curve25519 Daniel J. Bernstein University of Illinois at Chicago &

The first 10 years of Curve25519 Daniel J. Bernstein University of Illinois at Chicago &

1 The first 10 years of Curve25519 Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven 2005.05.19: Seminar talk; design+software close to done. 2005.09.15: Software online. 2005.09.20: Invited talk

869 views • 73 slides
Predicting NFS time D. J. Bernstein University of Illinois at Chicago Thanks to: NSF

Predicting NFS time D. J. Bernstein University of Illinois at Chicago Thanks to: NSF

Predicting NFS time D. J. Bernstein University of Illinois at Chicago Thanks to: NSF DMS9600083 NSF DMS9970409 NSF DMS0140542 Alfred P. Sloan Foundation NSF ITR0716498 T as the time Define n . used by NFS to factor T depends on

433 views • 31 slides
Does open-source cryptographic software work correctly? Daniel J. Bernstein CVE-2018-0733, an

Does open-source cryptographic software work correctly? Daniel J. Bernstein CVE-2018-0733, an

Does open-source cryptographic software work correctly? Daniel J. Bernstein CVE-2018-0733, an OpenSSL bug Because of an implementation bug the PA-RISC CRYPTO_memcmp function is effectively reduced to only comparing the least significant bit

670 views • 44 slides
Matrix Methods for the Bernstein Form and Their Application in Global Optimization June, 10

Matrix Methods for the Bernstein Form and Their Application in Global Optimization June, 10

Matrix Methods for the Bernstein Form and Their Application in Global Optimization June, 10 Jihad Titi J urgen Garloff University of Konstanz Department of Mathematics and Statistics and University of Applied Sciences / HTWG Konstanz

685 views • 30 slides
Outline Saltzer & Schroeders principles (contd) CSci 5271 More secure design

Outline Saltzer & Schroeders principles (contd) CSci 5271 More secure design

Outline Saltzer & Schroeders principles (contd) CSci 5271 More secure design principles Introduction to Computer Security Software engineering for security Defensive programming 2 (combined lecture) Announcements intermission

632 views • 9 slides
Fast method for testing the smoothness of polynomials Jean-Franc ois Biasse Mike Jacobson

Fast method for testing the smoothness of polynomials Jean-Franc ois Biasse Mike Jacobson

page.1 Fast method for testing the smoothness of polynomials Jean-Franc ois Biasse Mike Jacobson University of Calgary October 2013 Biasse-Jacobson (U of C) Fast smoothness test October 2013 1 / 24 page.2 Presentation of the problem

1.02k views • 89 slides

More recommend