Quantum Resistant Public Key Cryptography: A Survey
Ray A. Perlner (ray.perlner@nist.gov)
David A. Cooper (david.cooper@nist.gov)
What is a quantum computer?
• Short answer
  • A classical computer processes classical information.
  • A quantum computer processes quantum information.
• What is the difference?
  • Classical information is measured in bits (a unit of entropy in the classical limit of physics)
  • Quantum information consists of qubits (a unit of entropy in real physics)
  • Either way, available entropy scales with the size of a system.
  • So it should be possible to build a quantum computer.
What can a quantum computer do? (faster than a classical computer)
• Simulate a quantum computer
  • The best known classical algorithm is exponentially more costly in the worst case.
  • This does NOT mean that a quantum computer can always provide exponential speedup.
• Stuff that matters for cryptography
  • Quadratic speedup over classical brute force search. (Grover)
  • Polynomial time algorithms for factoring and discrete logs, including elliptic curves. (Shor)
  • This completely breaks every public key algorithm you’ve probably ever heard of.
Why haven’t these monstrosities been built?
• Error correction/fault tolerance is much harder for quantum information.
  • Currently, we’re better off using a classical computer to run simulations.
  • Threshold theorems say that if we can build good enough components, the cost is only polynomial.
• Components are not cheap like transistors
  • Options include ultra-cold ultra-small solid state devices and charged ions or neutral atoms controlled by lasers.
  • Pure optical systems may be an important component, but are unlikely to be the whole solution.
Quantum Resistance
• Quantum resistant algorithms are algorithms we don’t know how to break with a quantum or classical computer.
  • This is the same criterion we use for security in the classical model (pending P≠NP proof)
  • As with classically secure algorithms, related “hard problems” add a measure of confidence.
• (Classical) algorithms meeting the above criteria do exist at present.
General Concerns
• Security Assumptions
• Public Key Length
• Signature Length/Ciphertext Expansion
  • E.g. RSA has ~1-2 kb (~10 - 20×)
• Public Key Lifetime
  • Mostly an issue for signatures
  • Can be dealt with using Merkle Trees and certificate chains
• Memory (may need more than just the private key)
• Computational Cost
Lamport Signatures
• One time signatures
• Basic Scheme: Sign a single bit
  • Private key consists of two secrets S0 and S1
  • Public key is H(S0) || H(S1)
  • Signature for 0 is S0, signature for 1 is S1
• To sign an n-bit digest, just use n times as many secrets to sign the bits individually.
• Many optimizations are possible that trade increased computation for reduced key and/or signature size.
Lamport Signatures
• Security Assumption: preimage and second-preimage resistance of a one-way function
  • Only the message digest needs collision resistance.
• Public Key Length: ~n² for an n-bit one-way function and a 2n-bit digest
  • ~10 kb for n = 80
  • ~20 kb for n = 128
• Signature Length: same
• Public Key Lifetime: 1 signature
• Computational Cost: ~1ms (comparable to DSA)
  • Includes key generation
Lamport Signatures (with Merkle Trees and Chaining)
• Security Assumption: preimage and second-preimage resistance of a one-way function
  • Only the message digest needs collision resistance.
• Public Key Length: n for an n-bit one-way function and a 2n-bit digest
• Private Key Length: ~250 – 500 kb
• Signature Length: ~50 – 100 kb
• Public Key Lifetime: 10¹² signatures
• Computational Cost: ~1ms (comparable to DSA)
  • key generation: ~1s
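As an added example (not from the slides), a Python sketch of the basic Lamport scheme from the previous two slides combined with a Merkle tree over several one-time public keys, so that a single tree root acts as the long-lived public key and each signature carries its leaf's authentication path. SHA-256 as the one-way function, a 256-bit digest, 32-byte secrets, the leaf encoding and a power-of-two leaf count are all assumptions of this sketch.

```python
import hashlib, os

N = 256  # digest bits: one (S0, S1) secret pair per bit of the SHA-256 digest

def H(data: bytes) -> bytes:           # the one-way function (assumed: SHA-256)
    return hashlib.sha256(data).digest()

def lamport_keygen():                  # private key: 2N secrets; public key: H of each
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(N)]
    return sk, [(H(s0), H(s1)) for s0, s1 in sk]

def _bit(msg: bytes, i: int) -> int:   # i-th bit (MSB first) of the message digest
    return (H(msg)[i // 8] >> (7 - i % 8)) & 1

def lamport_sign(sk, msg: bytes):      # reveal S0 or S1 for each digest bit
    return [sk[i][_bit(msg, i)] for i in range(N)]

def lamport_verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == N and all(H(sig[i]) == pk[i][_bit(msg, i)] for i in range(N))

def pk_leaf(pk) -> bytes:              # Merkle leaf = hash of one one-time public key
    return H(b"".join(h0 + h1 for h0, h1 in pk))

def merkle_root(leaves) -> bytes:      # the long-lived public key (leaf count = 2**k)
    level = list(leaves)
    while len(level) > 1:
        level = [H(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

def merkle_path(leaves, idx):          # sibling hashes from leaf idx up to the root
    path, level = [], list(leaves)
    while len(level) > 1:
        path.append(level[idx ^ 1])
        level = [H(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        idx //= 2
    return path

def merkle_verify(root, leaf, idx, path) -> bool:
    for sib in path:                   # odd index = right child, even = left child
        leaf = H(sib + leaf) if idx & 1 else H(leaf + sib)
        idx //= 2
    return leaf == root

def tree_sign(keys, leaves, idx, msg):  # leaf idx must be used for ONE message only
    sk, pk = keys[idx]
    return idx, pk, lamport_sign(sk, msg), merkle_path(leaves, idx)

def tree_verify(root, msg, tsig) -> bool:  # checks the Lamport sig and the path
    idx, pk, sig, path = tsig
    return lamport_verify(pk, msg, sig) and merkle_verify(root, pk_leaf(pk), idx, path)
```

The signature is the leaf index, the one-time public key, the N revealed secrets and the path, which is why the per-signature size on the slide is far larger than the root-sized public key.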
McEliece Encryption
• Start with an error correction code generator matrix, G
  • Rectangular matrix such that it’s easy to reconstruct x from Gx + e.
  • x has dimension k
  • e has Hamming weight t or less and dimension n > k
• Public key K = PGS
  • S is k×k and invertible
  • P is an n×n permutation
• To Encrypt m: compute Km + e
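The construction on this slide, as an added toy example (not from the slides): the Hamming(7,4) code stands in for the Goppa code, so k = 4, n = 7 and t = 1, and S, P and the parity-check matrix are constructed by hand. The public key is K = PGS, encryption is Km + e, and decryption undoes P, corrects the error with the syndrome decoder, and undoes S.

```python
import random

def mat_vec(M, v):                     # GF(2) matrix-vector product M v
    return [sum(a & b for a, b in zip(row, v)) & 1 for row in M]

def mat_mul(A, B):                     # GF(2) matrix product A B
    return [[sum(A[i][k] & B[k][j] for k in range(len(B))) & 1
             for j in range(len(B[0]))] for i in range(len(A))]

# Constructed toy parameters: the Hamming(7,4) code (k=4, n=7, corrects t=1 error).
# A real McEliece key uses a Goppa code with n in the thousands; the structure is the same.
G = [[1,0,0,0],[0,1,0,0],[0,0,1,0],[0,0,0,1],  # 7x4 generator: codeword = G x,
     [1,1,0,1],[1,0,1,1],[0,1,1,1]]             # systematic (x sits in positions 0..3)
Hc = [[1,1,0,1,1,0,0],[1,0,1,1,0,1,0],[0,1,1,1,0,0,1]]   # 3x7 parity-check matrix
S = [[1,1,0,0],[0,1,1,0],[0,0,1,1],[0,0,0,1]]             # invertible k x k scrambler
S_INV = [[1,1,1,1],[0,1,1,1],[0,0,1,1],[0,0,0,1]]         # S^-1 (precomputed by hand)
PERM = [3,0,6,1,5,2,4]                                     # (P v)[i] = v[PERM[i]]
P = [[1 if j == PERM[i] else 0 for j in range(7)] for i in range(7)]   # n x n permutation

def decode(y):
    """Correct at most t=1 error via the syndrome H y and return x (systematic part)."""
    s = mat_vec(Hc, y)
    if any(s):                         # syndrome equals the column of Hc at the error
        j = [[row[c] for row in Hc] for c in range(7)].index(s)
        y = y[:j] + [y[j] ^ 1] + y[j + 1:]
    return y[:4]

def keygen():
    return mat_mul(mat_mul(P, G), S)   # public key K = P G S, a masked generator

def encrypt(K, m, e):                  # ciphertext = K m + e, weight(e) <= t
    if sum(e) > 1:
        raise ValueError("error vector heavier than t")
    return [a ^ b for a, b in zip(mat_vec(K, m), e)]

def decrypt(c):
    v = [0] * 7
    for i in range(7):                 # undo P: v = P^-1 c = G S m + P^-1 e
        v[PERM[i]] = c[i]
    return mat_vec(S_INV, decode(v))   # decode gives S m; undo S

def random_error():                    # one flipped bit at a random position
    e = [0] * 7
    e[random.randrange(7)] = 1
    return e
```

Feeding a weight-2 error through this decoder yields a wrong plaintext, which is why the error weight bound t is part of the scheme rather than an implementation detail.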
McEliece Encryption
• Security Assumption: indistinguishability of masked Goppa code and general linear code
  • Decoding problem for general linear codes is NP-complete
• Public Key Length: ~500kb
• Message Size: ~1kb
• Public Key Lifetime: potentially unlimited
• Computational Cost: ~100μs
• Signatures exist, but very expensive for signer
NTRU
• Private key is a short basis for an N dimensional lattice
• Public key is a long basis for the same lattice.
• Save space by representing lattice basis as a polynomial rather than a matrix
  • This requires all lattice basis vectors to be cyclic permutations.
  • Many academic crypto schemes employ lattices but do not employ this technique, preferring security assumptions based on a less symmetric version of the lattice problems.
• Coefficients are generally reduced modulo q ≈ N ≈ 256
NTRU
• Security Assumption: unique closest vector problem
• Public Key Size: 2-4kb
• Ciphertext Size: 2-4kb
• Signature Size: 4-8kb
• Public Key Lifetime: ~1 billion signatures
  • Signature scheme has changed in response to a series of attacks.
• Computational Cost: ~100μs
Other
• Hidden Field Equations
• Braid Groups
• New schemes based on these crop up from time to time, but most have been broken.
Implications
• Crypto Agility is a Minimum Requirement
• Long Signatures or Public Keys
  • Transmitting certificates may become unwieldy (especially when revocation is considered)
  • Cache Certificates
  • Limit Cert Chain Depth
• Limited Lifetime Signing Keys
  • Mostly applicable to high load servers (e.g., OCSP responders)
  • Use a Merkle tree or subordinate public keys where applicable.
Conclusion
• All widely used public key crypto is threatened by quantum computing.
• We do have potentially viable options to consider.
• Protocol designers can think about how to deal with these algorithms now.