two completely unrelated topics 1 mcbits 2 post quantum
play

Two completely unrelated topics: (1) McBits; (2) Post-Quantum RSA - PDF document

Oct 02, 2023 •173 likes •464 views

Two completely unrelated topics: (1) McBits; (2) Post-Quantum RSA D. J. Bernstein University of Illinois at Chicago Thanks for (1) to: Cisco University Research Program Two completely unrelated topics: (1) McBits; (2) Post-Quantum RSA D.

  1. Two completely unrelated topics: (1) McBits; (2) Post-Quantum RSA D. J. Bernstein University of Illinois at Chicago Thanks for (1) to: Cisco University Research Program

  2. Two completely unrelated topics: (1) McBits; (2) Post-Quantum RSA D. J. Bernstein University of Illinois at Chicago Thanks for (1) to: Cisco University Research Program Thanks for (2) to: No sponsors yet!

  3. Two completely unrelated topics: (1) McBits; (2) Post-Quantum RSA D. J. Bernstein University of Illinois at Chicago Thanks for (1) to: Cisco University Research Program Thanks for (2) to: No sponsors yet! Insert Coin

  4. Bonus topic added today: 0. Wild McEliece (joint work with Tanja Lange, Christiane Peters) Conventional wisdom on McEliece using degree- t Goppa: t errors over F 2 , but only t❂ 2 errors over F q if q ❃ 2.

  5. Bonus topic added today: 0. Wild McEliece (joint work with Tanja Lange, Christiane Peters) Conventional wisdom on McEliece using degree- t Goppa: t errors over F 2 , but only t❂ 2 errors over F q if q ❃ 2.

  7. New: “Wild McEliece” uses qt❂ (2( q � 1)) errors over F q . More details: See talk from C. Peters from two days ago.

  8. 1. McBits: Arithmetic circuits for code-based cryptography

  9. � � � � � � � � � � � An F 2 -arithmetic circuit starts from inputs and constants and computes a chain of two-input F 2 -adds ✉❀ ✈ ✼✦ ✉ + ✈ , two-input F 2 -mults ✉❀ ✈ ✼✦ ✉✈ . Example, not the smallest 2 ✂ 2 polynomial multiplier: � ❤ 0 � ✂ ❢ 0 � � � � � � � � � � ✂ ❢ 1 + � � � � � � � � � � � � � ❤ 1 � + � � � � � � � � � � � � � � ❣ 0 + + � � � � � � � � � � � ❤ 2 ❣ 1 � ✂

  10. What I’m working on: fast arithmetic circuits for confidence-inspiring code-based public-key encryption. Circuits are good for security: no conditional jumps; no variable array indices; no input-dependent timings; no software side channels. Plan to publish software and place into public domain.

  11. Main challenge: Speed. Metric for this project: “ops” = #adds + #mults. Clear definition; simple. Not a bad predictor of bitsliced software speed. Also not a bad predictor of throughput of unrolled hardware. Warnings: metric doesn’t see code size (“ops” unrolls loops), communication costs, etc.

  12. Counting bit operations rewards fast mult algorithms, as in new ECC speed records (2009 “batch binary Edwards”). Now exploring Gao–Mateer mult. Use fast multipoint evaluation to eliminate conditional jumps from fast root-finding; ♥ 1+ ♦ (1) ops. Most annoying part to write: ♥ 1+ ♦ (1) fast continued fraction without conditional jumps. Biggest asymptotic bottleneck: matrix randomizer, ♥ 2+ ♦ (1) ops. Can reduce 2 with more batching.

  13. 2. Post-Quantum RSA: Is it possible that the community has missed another plausible candidate for post-quantum cryptography?

  14. 2. Post-Quantum RSA: Is it possible that the community has missed another plausible candidate for post-quantum cryptography? Conventional wisdom: Shor’s algorithm supersedes all previous factorization methods. In fact, it breaks RSA as quickly as RSA decrypts, so we have no hope of security from scaling RSA key sizes.

  15. 2. Post-Quantum RSA: Is it possible that the community has missed another plausible candidate for post-quantum cryptography? Conventional wisdom: Shor’s algorithm supersedes all previous factorization methods. In fact, it breaks RSA as quickly as RSA decrypts, so we have no hope of security from scaling RSA key sizes. Is this actually true?

  16. Some methods to factor ♥ (assuming standard conjectures): Trial division finds ♣ using ( ♣ + lg ♥ ) 1+ ♦ (1) bit ops.

  17. Some methods to factor ♥ (assuming standard conjectures): Trial division finds ♣ using ( ♣ + lg ♥ ) 1+ ♦ (1) bit ops. Pollard’s rho method finds ♣ using ( ♣ 1 ❂ 2 lg ♥ ) 1+ ♦ (1) bit ops.

  18. Some methods to factor ♥ (assuming standard conjectures): Trial division finds ♣ using ( ♣ + lg ♥ ) 1+ ♦ (1) bit ops. Pollard’s rho method finds ♣ using ( ♣ 1 ❂ 2 lg ♥ ) 1+ ♦ (1) bit ops. Quadratic sieve finds ♣ using (2 (lg ♥ lg lg ♥ ) 1 ❂ 2 ) 1+ ♦ (1) bit ops.

  19. Some methods to factor ♥ (assuming standard conjectures): Trial division finds ♣ using ( ♣ + lg ♥ ) 1+ ♦ (1) bit ops. Pollard’s rho method finds ♣ using ( ♣ 1 ❂ 2 lg ♥ ) 1+ ♦ (1) bit ops. Quadratic sieve finds ♣ using (2 (lg ♥ lg lg ♥ ) 1 ❂ 2 ) 1+ ♦ (1) bit ops. ECM finds ♣ using (2 (2 lg ♣ lg lg ♣ ) 1 ❂ 2 lg ♥ ) 1+ ♦ (1) bit ops.

  20. Some methods to factor ♥ (assuming standard conjectures): Trial division finds ♣ using ( ♣ + lg ♥ ) 1+ ♦ (1) bit ops. Pollard’s rho method finds ♣ using ( ♣ 1 ❂ 2 lg ♥ ) 1+ ♦ (1) bit ops. Quadratic sieve finds ♣ using (2 (lg ♥ lg lg ♥ ) 1 ❂ 2 ) 1+ ♦ (1) bit ops. ECM finds ♣ using (2 (2 lg ♣ lg lg ♣ ) 1 ❂ 2 lg ♥ ) 1+ ♦ (1) bit ops. Number-field sieve finds ♣ using (2 ❝ (lg ♥ ) 1 ❂ 3 (lg lg ♥ ) 2 ❂ 3 ) 1+ ♦ (1) bit ops.

  21. Shor’s algorithm finds ♣ using (lg ♥ ) 2+ ♦ (1) qubit ops. Let’s assume that qubit ops aren’t much harder than bit ops, and that ♦ (1) isn’t very big. Does Shor supersede NFS? Yes.

  22. Shor’s algorithm finds ♣ using (lg ♥ ) 2+ ♦ (1) qubit ops. Let’s assume that qubit ops aren’t much harder than bit ops, and that ♦ (1) isn’t very big. Does Shor supersede NFS? Yes. Does Shor supersede ECM? Not necessarily! ECM beats Shor for small ♣ : compare 2 lg ♣ lg lg ♣ to (lg lg ♥ ) 2 . Best small- ♣ algorithm I know: GEECM.

  23. Shor’s algorithm finds ♣ using (lg ♥ ) 2+ ♦ (1) qubit ops. Let’s assume that qubit ops aren’t much harder than bit ops, and that ♦ (1) isn’t very big. Does Shor supersede NFS? Yes. Does Shor supersede ECM? Not necessarily! ECM beats Shor for small ♣ : compare 2 lg ♣ lg lg ♣ to (lg lg ♥ ) 2 . Best small- ♣ algorithm I know: GEECM. Grover+Edwards+ECM.

  24. Standard RSA decryption: compute cube root mod ♥ = ♣q by computing and combining cube roots mod ♣ and q . (lg ♥ ) 2+ ♦ (1) ops. Same as Shor. Game over?

  25. Standard RSA decryption: compute cube root mod ♥ = ♣q by computing and combining cube roots mod ♣ and q . (lg ♥ ) 2+ ♦ (1) ops. Same as Shor. Game over? No! Speed up decryption.

  26. Standard RSA decryption: compute cube root mod ♥ = ♣q by computing and combining cube roots mod ♣ and q . (lg ♥ ) 2+ ♦ (1) ops. Same as Shor. Game over? No! Speed up decryption. Use “multi-prime RSA.” 1997/1998 Tandem patent

  27. Standard RSA decryption: compute cube root mod ♥ = ♣q by computing and combining cube roots mod ♣ and q . (lg ♥ ) 2+ ♦ (1) ops. Same as Shor. Game over? No! Speed up decryption. Use “multi-prime RSA.” 1997/1998 Tandem patent but already in 1983 RSA patent: “the present invention may use a modulus ♥ which is a product of three or more primes (not necessarily distinct).”

  28. Public key ♥ = ♣ 1 ♣ 2 ✁ ✁ ✁ ♣ ❦ . Secret primes ♣ 1 ❀ ♣ 2 ❀ ✿ ✿ ✿ ❀ ♣ ❦ with lg ♣ ✐ ✷ ❜ 2+ ♦ (1) , ❦ ✷ 2 (1+ ♦ (1)) ❜❂ 2 . Key: 2 (1+ ♦ (1)) ❜❂ 2 bits. Encryption: 2 (1+ ♦ (1)) ❜❂ 2 bit ops. Decryption: 2 (1+ ♦ (1)) ❜❂ 2 bit ops. Shor attack, GEECM attack: ❃ 2 ❜ qubit ops if each ♦ (1) was chosen properly.

  29. Public key ♥ = ♣ 1 ♣ 2 ✁ ✁ ✁ ♣ ❦ . Secret primes ♣ 1 ❀ ♣ 2 ❀ ✿ ✿ ✿ ❀ ♣ ❦ with lg ♣ ✐ ✷ ❜ 2+ ♦ (1) , ❦ ✷ 2 (1+ ♦ (1)) ❜❂ 2 . Key: 2 (1+ ♦ (1)) ❜❂ 2 bits. Encryption: 2 (1+ ♦ (1)) ❜❂ 2 bit ops. Decryption: 2 (1+ ♦ (1)) ❜❂ 2 bit ops. Shor attack, GEECM attack: ❃ 2 ❜ qubit ops if each ♦ (1) was chosen properly. Concrete analysis suggests that RSA with 2 31 4096-bit primes provides ❃ 2 100 security vs. all known quantum attacks. Key almost fits on a hard drive.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The Quantum Risk & Post-Quantum Crypto JP Aumasson The Quantum Risk & Post-Quantum

The Quantum Risk & Post-Quantum Crypto JP Aumasson The Quantum Risk & Post-Quantum

The Quantum Risk & Post-Quantum Crypto JP Aumasson The Quantum Risk & Post-Quantum Crypto JP Aumasson uantum /me 15 years experience in applied cryptography (PhD, industry, consulting) Designed widely used algorithms Author of the

816 views • 52 slides
Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers

Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers

Quantum Algorithms Tutorial Ronald de Wolf 1/ 37 Post-quantum cryptography I Quantum computers can break public-key cryptography that is based on assuming hardness of factoring, discrete logs, and a few other problems I Post-quantum

2.98k views • 37 slides
Preview question Which of the following would have to be completely abandoned if scalable quantum

Preview question Which of the following would have to be completely abandoned if scalable quantum

Preview question Which of the following would have to be completely abandoned if scalable quantum computers become widely available? CSci 5271 A. one-time pads Introduction to Computer Security Crypto and protocols combined slides B. RSA

674 views • 9 slides
SW/HW Codesign of the Post-Quantum Cryptography Algorithm NTRUEncrypt Using HLS and RTL Design

SW/HW Codesign of the Post-Quantum Cryptography Algorithm NTRUEncrypt Using HLS and RTL Design

SW/HW Codesign of the Post-Quantum Cryptography Algorithm NTRUEncrypt Using HLS and RTL Design Methodologies Farnoud Farahmand, Duc Tri Nguyen, Viet B. Dang*, Ahmed Ferozpuri and Kris Gaj George Mason University Post st-Quantum Quantum

441 views • 14 slides
Standardization of post-quantum cryptography Tanja Lange 08 May 2016 A Workshop About

Standardization of post-quantum cryptography Tanja Lange 08 May 2016 A Workshop About

Standardization of post-quantum cryptography Tanja Lange 08 May 2016 A Workshop About Cryptographic Standards History of post-quantum cryptography 2003 Daniel J. Bernstein introduces term Post-quantum cryptography. PQCrypto 2006:

623 views • 23 slides
And now for something completely different And now for something completely different Algorithms

And now for something completely different And now for something completely different Algorithms

And now for something completely different And now for something completely different Algorithms for NLP (11-711) Fall 2019 Formal Language Theory In one lecture Robert Frederking Now for Something Completely Different We will look at

567 views • 45 slides
Incorporating Post-Quantum Cryptography in a microservice architecture Research Project 2 Why

Incorporating Post-Quantum Cryptography in a microservice architecture Research Project 2 Why

R. van der Gaag, D. Weller Incorporating Post-Quantum Cryptography in a microservice architecture Research Project 2 Why think about post-quantum cryptography W. Buchanan et. al concluded Gate-based quantum computers pose a significant

349 views • 18 slides
Post-Quantum Cryptography Dr. Ruben Niederhagen, February 8, 2016 Introduction Quantum Computers

Post-Quantum Cryptography Dr. Ruben Niederhagen, February 8, 2016 Introduction Quantum Computers

Post-Quantum Cryptography Dr. Ruben Niederhagen, February 8, 2016 Introduction Quantum Computers Using quantum states for computation: Introduced in 1985 by David Deutsch [3]. Operate on qubits using gates that perform reversible

1.69k views • 157 slides
The Picnic Post-Quantum Signature Scheme and its Security Analysis Itai Dinur Ben-Gurion

The Picnic Post-Quantum Signature Scheme and its Security Analysis Itai Dinur Ben-Gurion

The Picnic Post-Quantum Signature Scheme and its Security Analysis Itai Dinur Ben-Gurion University Credit for some slides: Melissa Chase and Picnic team Post-Quantum Cryptography Large-scale quantum computer could efficiently factor large

533 views • 34 slides
Post-quantum cryptography Tanja Lange 07 October 2015 SPACE 2015 In the long term, all

Post-quantum cryptography Tanja Lange 07 October 2015 SPACE 2015 In the long term, all

Post-quantum cryptography Tanja Lange 07 October 2015 SPACE 2015 In the long term, all encryption needs to be post-quantum Mark Ketchen, IBM Research, 2012, on quantum computing: Were actually doing things that are making us think like,

901 views • 41 slides
An Overview on Post-Quantum Cryptography with an Emphasis on Code based Systems Joachim Rosenthal

An Overview on Post-Quantum Cryptography with an Emphasis on Code based Systems Joachim Rosenthal

Basics on Public Key Crypto Systems Research Directions in Post-Quantum Cryptography Variants of McEliece System Distinguisher Attacks McEliece for Rank Metric Codes An Overview on Post-Quantum Cryptography with an Emphasis on Code based

1.05k views • 100 slides
Twitter: @PatrickLonga Outline Motivation: the quantum menace Post-quantum key exchange

Twitter: @PatrickLonga Outline Motivation: the quantum menace Post-quantum key exchange

https://microsoft.com/en-us/research/people/plonga http://patricklonga.com Twitter: @PatrickLonga Outline Motivation: the quantum menace Post-quantum key exchange from supersingular isogenies: Preliminaries SIDH SIKE

1.82k views • 154 slides
Post-quantum cryptography Tanja Lange 02 October 2015 Academy Contact Forum Coding Theory and

Post-quantum cryptography Tanja Lange 02 October 2015 Academy Contact Forum Coding Theory and

Post-quantum cryptography Tanja Lange 02 October 2015 Academy Contact Forum Coding Theory and Cryptography VI In the long term, all encryption needs to be post-quantum Mark Ketchen, IBM Research, 2012, on quantum computing: Were

854 views • 42 slides
for Post-Quantum Lattice-based Protocols Utsav Banerjee * , Tenzin S. Ukyab, Anantha P.

for Post-Quantum Lattice-based Protocols Utsav Banerjee * , Tenzin S. Ukyab, Anantha P.

Sapphire: A Configurable Crypto-Processor for Post-Quantum Lattice-based Protocols Utsav Banerjee * , Tenzin S. Ukyab, Anantha P. Chandrakasan * utsav@mit.edu Massachusetts Institute of Technology Post-Quantum Cryptography Current public key

911 views • 25 slides
From linear algebra to post-quantum cryptography Dr. Ir. Fr e Vercauteren

From linear algebra to post-quantum cryptography Dr. Ir. Fr e Vercauteren

Quantum computers and factoring Learning with errors Cryptography from LWE From linear algebra to post-quantum cryptography Dr. Ir. Fr e Vercauteren frederik.vercauteren@gmail.com Open Security Research (China) ESAT/COSIC - KU Leuven

1.34k views • 70 slides
Implementing post-quantum cryptography Peter Schwabe Radboud University, Nijmegen, The

Implementing post-quantum cryptography Peter Schwabe Radboud University, Nijmegen, The

Implementing post-quantum cryptography Peter Schwabe Radboud University, Nijmegen, The Netherlands June 28, 2018 PQCRYPTO Mini-School 2018, Taipei, Taiwan Part I: How to make software secure Implementing post-quantum cryptography 2 Timing

1.44k views • 116 slides
How To Get Away With Murder in CMBS We will show a case study of an actual murder Persons of

How To Get Away With Murder in CMBS We will show a case study of an actual murder Persons of

How To Get Away With Murder in CMBS We will show a case study of an actual murder Persons of Interest Person of Interest Master Servicer Responsibility is to service the loans in the pool through maturity, unless the Borrower defaults

647 views • 32 slides
CS101 Final Exam: How to Prepare Aaron Stevens 29 April 2009 1 Exam Format Short Answer

CS101 Final Exam: How to Prepare Aaron Stevens 29 April 2009 1 Exam Format Short Answer

CS101 Final Exam: How to Prepare Aaron Stevens 29 April 2009 1 Exam Format Short Answer Questions Mandatory: 5 questions worth 8 points each Optional: 5 questions worth 6 points each Similar style to quiz questions Answers

239 views • 6 slides
Component-Based Software Engineering (CBSE) 0. Announcements Dr.-Ing. Sebastian Gtz Technische

Component-Based Software Engineering (CBSE) 0. Announcements Dr.-Ing. Sebastian Gtz Technische

Fakultt Informatik - Institut Software- und Multimediatechnik - Softwaretechnologie Prof. Amann - CBSE Component-Based Software Engineering (CBSE) 0. Announcements Dr.-Ing. Sebastian Gtz Technische Universitt Dresden Institut fr

310 views • 12 slides
MASSACHUSETTS OFFICE OF TRAVEL & TOURISM TONY DAGOSTINO, RESEARCH DIRECTOR NOVEMBER 5,

MASSACHUSETTS OFFICE OF TRAVEL & TOURISM TONY DAGOSTINO, RESEARCH DIRECTOR NOVEMBER 5,

MASSACHUSETTS OFFICE OF TRAVEL & TOURISM TONY DAGOSTINO, RESEARCH DIRECTOR NOVEMBER 5, 2020 1 ACT&T Research Presentation Single event: Check out and pay for overnight stay Smith Travel Research: Receive from individual

269 views • 8 slides
Programming Practice Friday, 13:0016:00 (CS 109) You implement a programming task during

Programming Practice Friday, 13:0016:00 (CS 109) You implement a programming task during

CS109 CS109 Spring Semester 2018 Labs We have a lab once a week: Programming Practice Friday, 13:0016:00 (CS 109) You implement a programming task during the lab. If you cannot finish the task during the lab, you need to program

529 views • 3 slides
Extended Binary Trees Recurrence relations After today, you should be able to explain what

Extended Binary Trees Recurrence relations After today, you should be able to explain what

Extended Binary Trees Recurrence relations After today, you should be able to explain what an extended binary tree is solve simple recurrences using patterns Today: Extended Binary Trees (on HW10) Recurrence relations, part

563 views • 20 slides
For Friday Read Becker, chapter 9, sections 4, 9-10 Recommended Practice Problems:

For Friday Read Becker, chapter 9, sections 4, 9-10 Recommended Practice Problems:

For Friday Read Becker, chapter 9, sections 4, 9-10 Recommended Practice Problems: Chapter 9, exercises 3-5 Program 6 Any questions? Questions before the quiz? Quiz File Practice Write code to read a file of integers and

243 views • 13 slides
CSC304 Lecture 15 Voting 2: Gibbard-Satterthwaite Theorem CSC304 - Nisarg Shah 1 Recap We

CSC304 Lecture 15 Voting 2: Gibbard-Satterthwaite Theorem CSC304 - Nisarg Shah 1 Recap We

CSC304 Lecture 15 Voting 2: Gibbard-Satterthwaite Theorem CSC304 - Nisarg Shah 1 Recap We introduced a plethora of voting rules Plurality Plurality with runoff Borda Kemeny Veto Copeland -Approval

577 views • 21 slides

More recommend