Towards Post-Quantum TLS ECC 2019 Kris Kwiatkowski DECEMBER 2, - - PowerPoint PPT Presentation

towards post quantum tls
SMART_READER_LITE
LIVE PREVIEW

Towards Post-Quantum TLS ECC 2019 Kris Kwiatkowski DECEMBER 2, - - PowerPoint PPT Presentation

Aug 19, 2022 124 likes •522 views

Towards Post-Quantum TLS ECC 2019 Kris Kwiatkowski DECEMBER 2, 2019 OVERVIEW OUR APPROACH TO REAL WORLD CRYPTOGRAPHY DESIGNING THE EXPERIMENT RESULTS QUESTIONS 2 INTRODUCTION: TEAM = Kris Dave Luke Nick Alan Adam

slide-1
SLIDE 1

DECEMBER 2, 2019

Towards Post-Quantum TLS

ECC 2019 Kris Kwiatkowski

slide-2
SLIDE 2 2

OVERVIEW

  • OUR APPROACH TO REAL WORLD CRYPTOGRAPHY
  • DESIGNING THE EXPERIMENT
  • RESULTS
  • QUESTIONS
slide-3
SLIDE 3

@_henrycase

Kris Kwiatkowski

@grittygrease

Nick Sullivan

@DistributedDave

Dave Levin

@amislove

Alan Mislove

3

INTRODUCTION: TEAM

@lukevalenta

Luke Valenta

=

@agl__

Adam Langley

slide-4
SLIDE 4

Our Approach to Real World Cryptography

slide-5
SLIDE 5 5

MOTIVATION

How best to contribute to the PQC standardization process? Pick an ecosystem and explore the upgrade path.

slide-6
SLIDE 6 6

MOTIVATION

The cryptographic system should be widely deployed and relied on by millions of people for important communications.

Meaningful deployment and impact

Deployments with many different dependencies and complex moving parts are trickier to upgrade. Pick a project that helps uncover potential stumbling blocks.

Non-trivial complexity

There should be well-established requirements and norms for upgrading the ecosystem based on previous upgrades.

Methodology for migration established

slide-7
SLIDE 7 7

MOTIVATION

HTTPS in browsers

The cryptographic system should be widely deployed and relied on by millions of people for important communications.

Meaningful deployment and impact

Deployments with many different dependencies and complex moving parts are trickier to upgrade. Pick a project that helps uncover potential stumbling blocks.

Non-trivial complexity

There should be well-established requirements and norms for upgrading the ecosystem based on previous upgrades.

Methodology for migration established

slide-8
SLIDE 8

MOTIVATION

Online life is encrypted Web traffic is 75% HTTPS This includes almost all banking, eCommerce, social media, search, webmail, video streaming, news, and other

  • nline activity in a browser or mobile app

Cloudflare well positioned as a CDN

Meaningful deployment and impact

slide-9
SLIDE 9 9
  • Variety of browser implementations

○ OS, vendor, devices

  • SSL Libraries

○ BoringSSL, NSS, CommonCrypto, sChannel…

  • Compatibility
  • Embedded app browsing
  • HTTPS API clients
  • Old (archaic) browsers

Browser complexity

  • Anti-virus proxies
  • TCP proxies of other types
  • National Firewalls
  • Forward Proxies (with SNI-filtering)

Other “hidden” participants

  • Possibility of DDoS
  • Slow updates that require downtime
  • Hardware-accelerated TLS offloaders
  • Library dependencies: OpenSSL etc.
  • TLS terminator boxes/cloud services

Server complexity

Non-trivial complexity

slide-10
SLIDE 10
  • HTTPS is HTTP with TLS/SSL
  • Requirements clearly defined in a form of RFC
  • Tooling & methodology for measurements in place

Methodology for migration established

10
slide-11
SLIDE 11

STICKER

Rule of thumb

Breakage rate should be comfortably below 1%

DEPLOYABLE PROTOCOLS

Publish the specification Use test population Detect various breakages

Measure

2012-13 2008 2012

Specify Deploy

Fix bad servers and middleboxes until breakage is low enough Insecure fallback

Adjust

2012-2014

slide-12
SLIDE 12

Rule of thumb

Breakage rate should be comfortably below 1%

DEPLOYABLE PROTOCOLS

Develop draft specifications Use test population Detect various breakages

2016-2018 2014-2018 2016-2018

Change the specification to adjust for the reality of the world

2016-2018

Measure Specify Deploy Adjust

slide-13
SLIDE 13

Designing the experiment

slide-14
SLIDE 14 14

CPU Usage

DESIGNING THE EXPERIMENT

Protocol Shape Latency Key Size

slide-15
SLIDE 15 15

DESIGNING THE EXPERIMENT

1-RTT The client initiates with its key share, the server responds with its key share, signature and potentially initial data. Post-quantum KEMs fit nicely into this model. No client challenge There is no current requirement for a proof-of-work to be done on the client side. Expensive key exchange is a DoS risk.

Protocol Shape

slide-16
SLIDE 16

DESIGNING THE EXPERIMENT

Higher latency If an algorithm takes clock time on the order of network time (10ms+), it may noticeably delay the connection.

CPU Usage

Power consumption Mobile and lightweight devices optimize for battery life. Expensive computations hurt this. Asymmetry risk If an attacker can cause a lot of work using only a small amount of work, it is an amplification attack vector.

slide-17
SLIDE 17

Hard-coded sizes in legacy systems Network congestion causes latency Unknowns

Key Size

17
slide-18
SLIDE 18

DESIGNING THE EXPERIMENT

Post-quantum confidentiality for TLS

Previous work

2018 experiment by Adam Langley to measure impact of key size on latency. Implemented “dummy” extension to simulate larger key sizes. Control group: no extension sent Supersingular isogenies (SI): 400 bytes Structured lattices (SL): 1 100 bytes Unstructured lattice standing (ULS): 3 300 bytes https://www.imperialviolet.org/2018/04/11/pqconftls.html

slide-19
SLIDE 19

Our experiment

slide-20
SLIDE 20

HRSS-SXY (NTRU) SIKE (Isogeny)

20

OUR EXPERIMENT

Implement and deploy two realistic key agreement ciphers

slide-21
SLIDE 21

CECPQ2

NTRU (Round 2)

  • NIST level 1
  • 1138 byte public key/ciphertext
  • Fast Encaps, Decaps, Acceptable KeyGen
  • 76000, 22000, 4000/s on Skylake (<1ms)
  • 33287, 13605, 2057/s on ARM Cortex-A75
  • No decryption errors

CECPQ2b

SIKE/p434 (Round 2)

  • NIST level 1
  • 330 byte public key, 346 byte ciphertext
  • Slow KeyGen, Encaps, Decaps
  • 420, 265, 245/s on Skylake (~5ms)
  • 269, 165, 155/s on ARM Cortex-A75
  • SIDH as a “drop-in” replacement of DH in TLS
21

OUR EXPERIMENT

Integrate two PQ KEMs into TLS and deploy at scale

Characteristics

  • Latency
  • Key sizes
  • CPU utilization
  • Use of existing hardware capabilities for fast implementation
slide-22
SLIDE 22

No SHA-3

SHA-256 instead of SHAKE for KEM

Combined mode with X25519

Concatenate and combine with HKDF

22

OUR EXPERIMENT

Some tweaks

Code available

SIKE : https://github.com/post-quantum-cryptography/c-sike NTRU: https://github.com/google/boringssl/tree/master/crypto/hrss

slide-23
SLIDE 23
  • TLSv1.3 only: sends

algorithm ID and public keys in TLS ClientHello

  • Based on

draft-kiefer-tls-ecdhe-sidh

  • Both client and server use

ephemeral keys

  • Shared secret is a

concatenation of X25519 and KEM secrets

TLS integration

slide-24
SLIDE 24

OUR EXPERIMENT

Ensuring results quality

  • Client browsers splitted into 3 groups

○ CONTROL: using X25519 for key exchange ○ CECPQ2: using NTRU combined with X25519 ○ CECPQ2b: using SIKE combined with X25519

  • “PQ signal” - TLS extension

exchanged between client and server to indicate participation in the experiment

slide-25
SLIDE 25 25

OUR EXPERIMENT

You could be using post-quantum cryptography

A
slide-26
SLIDE 26

DEPLOYMENT

Cloudflare edge Over 20 million Internet properties Both suites supported Located “close” to users Note: SIKE not cleared for Google servers due to DoS risk

Deployment

Chrome Canary A diverse group of beta testers usually using Intel-based desktop computers and ARM-based mobile devices

slide-27
SLIDE 27

Biases of the population

  • 64-bit x86 and ARM CPUs only

○ population significantly biased towards powerful CPUs

  • “Chrome Canary and Dev Chrome users tend to have worse

networks than the Chrome user population as a whole”, A. Langley https://www.imperialviolet.org/2019/10/30/pqsivssl.html

  • Biases result in favoring isogenies over lattices in terms of

performance

slide-28
SLIDE 28

S

slide-29
SLIDE 29

Duration

  • August & September 2019
  • 53 days in total

Data

  • 10 millions of data samples collected
  • represents 5% of TLS connections

sampled

Collected data

slide-30
SLIDE 30

SERVER-SIDE RESULTS

NTRU SIKE NTRU SIKE

slide-31
SLIDE 31

SERVER-SIDE RESULTS

NTRU SIKE NTRU SIKE

slide-32
SLIDE 32

SERVER-SIDE RESULTS

slide-33
SLIDE 33 33

Configuration Additional latency over control group w/ 95% confidence intervals (ms) X25519 NTRU SIKE Latency Difference Mobile, 50th [133,135] [138, 140] [196, 198] 29.44% Mobile, 95th [774, 818] [1001, 1060] [978, 1026] 2.77% Mobile, 99th [2783, 3097] [4057, 4478] [3276, 3646] 18.90% Desktop, 50th [55, 55] [58, 58] [74, 76] 22.67% Desktop, 95th [350, 354] [417, 421] [421, 425] 0.95% Desktop, 99th [1226 1246] [1481, 1509] [1344, 1368] 9.30%

SERVER-SIDE RESULTS

Maritz-Jarrett estimators

slide-34
SLIDE 34
  • Pre-production performance testing

○ Send hardcoded ClientHello and drop connection just after ○ Distribute injectors on multiple machines

Challenges: pre-production testing

SIKE NTRU

slide-35
SLIDE 35

NTRU

slide-36
SLIDE 36
slide-37
SLIDE 37 37
  • Lattice vs Isogeny based key exchange:

○ NTRU looks like better candidate for TLS ○ High-performance isogeny-based public key crypto less developed than lattice based

  • At 50th percentile, the CPU cost dominates handshake

latency

  • However, key size plays a factor at 99th percentile

○ Root cause not found

SIKE NTRU

Conclusion

slide-38
SLIDE 38

Questions?