Getting Post-Quantum Crypto Algorithms Ready for Deployment · 2013-03-25 · Code-based...
Slide 1
Tim Güneysu Hardware Security Group Horst Görtz Institute for IT-Security, Bochum
1/24/2013
Getting Post-Quantum Crypto Algorithms Ready for Deployment
End of ECRYPT II Event: Crypto for 2020
Slide 2
Outline
• Introduction
• Alternative Public-Key Cryptosystems (APKC)
• Practical Considerations of APKCs
• Case Studies on Lattice-based Cryptography
• Conclusions
Slide 3
Public-Key Crypto – Situation Today
• The PKCs actually used in practice are RSA and ECC
• Their underlying problems (factorization/dlog) are closely related
• As learned from Tanja's talk yesterday, both are broken once quantum computing comes into play
Slide 4
Public-Key Crypto – A Wishlist
• Add some alternative PK cryptosystems to our basket
• Security reductions based on known hard problems
• No polynomial-time attack algorithms (e.g., Shor) possible with quantum computers
• Efficiency of implementations comparable to RSA and ECC
Slide 5
Outline
• Introduction
• Alternative Public-Key Cryptosystems (APKC)
• Practical Considerations of APKCs
• Case Studies on Lattice-based Cryptography
• Conclusions
Slide 6
Alternative Public-Key Cryptography
• Four main branches of post-quantum crypto:
– Code-based
– Hash-based
– Multivariate-quadratic
– Lattice-based
• Can potentially provide PK encryption and/or signature schemes
Slide 7
Alternative Public-Key Cryptography (APKC)
• But: Why haven't we seen any APKC in real-world systems yet?
– Many constructions are too novel and hardly analyzed/not mature enough
– The potential of possible attacks is not fully captured yet
– No concrete instances/parameters given
– Implementations of "secure" instances seem to be much too large and/or slow
– Skeptics still like to keep ECC/RSA or just don't believe in quantum computers
Slide 8
Alternative Public-Key Cryptography (APKC)
• How to get APKCs ready for deployment?
– Pick APKCs for which sufficient confidence of security and defined instances/parameters exist
– Make sure their description is comprehensible for implementers
– Evaluate efficiency of APKC implementations in particular on constrained embedded devices
– Disseminate APKCs to crypto libraries and (international) standards
Slide 9
Outline
• Introduction
• Alternative Public-Key Cryptosystems (APKC)
• Practical Considerations of APKCs
– Code-based Cryptography
– Hash-based Cryptography
– Multivariate-Quadratic-based Cryptography
– Lattice-based Cryptography
• Conclusions
Slide 10
Disclaimer Slide
A Word of Warning…
The following overview on PQC systems does not claim to be complete.
It rather focuses on selected systems that are suitable to provide evidence on
• Activities within each PQC branch
• Good and (some) bad constructions
• Constructions that provide concrete instances or only "some" parameters
• Constructions that provide efficient instances
Some (important) parameters are also omitted from some slides
See http://pqcrypto.org for more works and definitions
Slide 11
Code-based Cryptography – Basics
Hard problem(s): decoding a syndrome / decoding a random linear code
Principle:
• Hide the code's generator matrix G by multiplying it with a permutation matrix P and a scrambling matrix S (remark: the latter is not required in all cases). Public key: G' = SGP
• Add errors e during the cryptographic operation
• Decoding is only efficiently possible if the structured generator matrix is known. Secret key: G
The general concept of "decoding with errors" is also picked up by other constructions (e.g., in lattice-based crypto)
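The principle above, worked through as an added example that is not part of the talk: a toy McEliece round trip in Python with the [7,4] Hamming code (t = 1) playing the role of the structured code. The code, the random scrambler S, the permutation P and the seed are my own constructions, and the parameters are far too small to be secure; the block only makes concrete how G' = SGP hides the structure, how the error e is added, and why decoding needs G, S and P.

```python
# Added example (not from the slides): a toy McEliece round trip over GF(2)
# with the [7,4] Hamming code (t = 1). Parameters are far too small to be
# secure; the point is to see G' = S*G*P, the added error e and the
# structured decoding that only the holder of G, S and P can perform.
import random

# Systematic generator matrix G = [I_4 | A] of the [7,4] Hamming code ...
G = [
    [1, 0, 0, 0, 1, 1, 0],
    [0, 1, 0, 0, 1, 0, 1],
    [0, 0, 1, 0, 0, 1, 1],
    [0, 0, 0, 1, 1, 1, 1],
]
# ... and its parity-check matrix H = [A^T | I_3]; every column is distinct
# and non-zero, so the syndrome of a single error identifies its position.
H = [
    [1, 1, 0, 1, 1, 0, 0],
    [1, 0, 1, 1, 0, 1, 0],
    [0, 1, 1, 1, 0, 0, 1],
]
N, K = 7, 4

def mat_mul(A, B):
    """Matrix product over GF(2)."""
    return [[sum(A[i][k] & B[k][j] for k in range(len(B))) & 1
             for j in range(len(B[0]))] for i in range(len(A))]

def gf2_inverse(M):
    """Gauss-Jordan inverse over GF(2); None if M is singular."""
    n = len(M)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col]), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(n):
            if r != col and aug[r][col]:
                aug[r] = [x ^ y for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]

def keygen(rng):
    """Secret: invertible scrambler S and permutation P (kept as a list);
    public: G' = S*G*P, which looks like an unstructured 4x7 generator matrix."""
    while True:
        S = [[rng.randrange(2) for _ in range(K)] for _ in range(K)]
        S_inv = gf2_inverse(S)
        if S_inv is not None:
            break
    perm = list(range(N))
    rng.shuffle(perm)                      # coordinate i of S*G moves to perm[i]
    P = [[int(perm[i] == j) for j in range(N)] for i in range(N)]
    G_pub = mat_mul(mat_mul(S, G), P)
    return G_pub, (S_inv, perm)

def encrypt(G_pub, m, rng):
    """c = m*G' + e with a single random error (t = 1 for this code)."""
    c = mat_mul([m], G_pub)[0]
    c[rng.randrange(N)] ^= 1
    return c

def decrypt(sk, c):
    S_inv, perm = sk
    cw = [c[perm[i]] for i in range(N)]    # undo P: c*P^-1 = (m*S)*G + e*P^-1
    syndrome = [sum(H[r][j] & cw[j] for j in range(N)) & 1 for r in range(3)]
    if any(syndrome):                       # locate and flip the single error
        cols = [[H[r][j] for r in range(3)] for j in range(N)]
        cw[cols.index(syndrome)] ^= 1
    mS = cw[:K]                             # systematic code: info bits come first
    return mat_mul([mS], S_inv)[0]          # undo S

def roundtrip_all(seed=1):
    """Every 4-bit message survives an error in every one of the 7 positions."""
    rng = random.Random(seed)
    G_pub, sk = keygen(rng)
    for value in range(1 << K):
        m = [(value >> i) & 1 for i in range(K)]
        for pos in range(N):
            c = mat_mul([m], G_pub)[0]
            c[pos] ^= 1
            if decrypt(sk, c) != m:
                return False
    return True

if __name__ == "__main__":
    print("all 16 x 7 round trips OK:", roundtrip_all())
```

Encryption is the matrix multiplication the slides call "very fast"; decryption is where the structure (here a 7-entry syndrome table, in real schemes a Goppa decoder) does the work that an attacker holding only G' cannot repeat without solving the general decoding problem.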
Slide 14
Code-based Encryption Schemes
Taxonomy of Code-based Encryption
• Two frameworks: McEliece [M78], Niederreiter [N86]
• Code families: Generalized Reed-Solomon, Goppa, Reed-Muller, Concatenated, Srivastava, Elliptic, Turbo/LDPC/MDPC
Key sizes for ≈ 80-bit equivalent symmetric security:
• Turbo/LDPC/MDPC: PK: 0.6 kB, SK: 180 B
• PK: 63 kB, SK: 2.5 kB
• PK: 2.5 kB, SK: 1.5 kB
Slide 17
Code-based Signature Schemes
Taxonomy of Code-based Signatures
• Courtois, Finiasz, Sendrier (CFS) signatures: Original [CFS01], Parallel CFS [F10]
Key sizes for ≈ 80-bit equivalent symmetric security: PK: 5 MB, SK: few kB, Sig: < 0.5 kB
Slide 18
Key Aspects of Code-based Systems
Focus on encryption; signature schemes are less efficient
Selection of the underlying code is the most critical issue
• Structure in codes reduces key sizes, but often also enables attacks
• Encoding is a very fast operation on most platforms (matrix multiplication)
• Decoding is typically a more complex process (fast decoders are available)
Reasonably small public and private keys for encryption
Additional computational effort for the constant-weight encoding algorithm in Niederreiter's scheme
Encryption schemes are quite mature (McEliece proposed in '78, Niederreiter in '83); CCA2 conversions are available
Slide 19
Hints on Efficiency: McEliece vs. Niederreiter
McEliece (using binary Goppa codes, 80 bit equiv. security)
• Existing implementations:
– PC (HyMES '08): 140 cycles/bit enc., 2714 cycles/bit dec.
– AVR µC [EGH09]: 7200 cycles/bit enc., 11300 cycles/bit dec.
– FPGA [SWM+09]: 160 cycles/bit enc., 446 cycles/bit dec.
Niederreiter (using binary Goppa codes, 80 bit equiv. security)
• Existing implementations:
– PC (public domain): returns a segfault (?)
– AVR µC [H11]: 267 cycles/bit enc., 30000 cycles/bit dec.
– FPGA: see next slide
Slide 20
Implementation Results
(Chart: FPGA results for Niederreiter and McEliece, encryption [enc] and decryption [dec])
• Results on FPGAs for roughly 80 bit of equivalent symmetric security
• Parameter set (n=2048, k=1751, t=27) using Goppa codes
Slide 21
Outline
• Introduction
• Alternative Public-Key Cryptosystems (APKC)
• Practical Considerations of APKCs
– Code-based Cryptography
– Hash-based Cryptography
– Multivariate-Quadratic-based Cryptography
– Lattice-based Cryptography
• Conclusions
Slide 22
Hash-based Cryptography – Basics
Hard problem: find (second) preimages of cryptographic hash functions
Build an OTS scheme using a cryptographic hash function
A hash tree reduces many OTS public keys to a single root
Slide 24
Hash-based Signature Schemes
Taxonomy of Hash-based Signatures
• One-time signatures: LD-OTS [LD79], W-OTS [Mer89, DSS05, RED+08]
• Merkle tree constructions: MSS [Mer89], CMSS [BCD+06], GMSS [BDK+07], SPR-MSS [DOTV08], XMSS [BDH11]
Key sizes for ≈ 80-bit equivalent symmetric security (≈ 1M signatures):
• H=16: PK: 16 bytes, SK: 1.4 kB, Sig: 2.29 kB
• H=20: PK: 46 bytes, SK: 1.86 kB, Sig: 7 kB
• H=20: PK: 0.93 kB, SK: 152 bits, Sig: 8.31 kB
• H=20: PK: 0.91 kB, SK: 152 bits, Sig: 2.39 kB
Slide 25
Hash-based Encryption Schemes
Taxonomy of Hash-based Encryption
{ }
Slide 26
Key Aspects of Hash-based Systems
Only signature schemes available, no encryption
Moderate requirements for implementations
• Second-preimage-resistant (older schemes: collision-resistant) hash function
• Pseudorandom functions for the OTS (XMSS)
Hard limit on the number of signatures per tree
• The height of the tree determines the max. number of signatures (issue with DoS attacks for real-world systems)
• Requires a record of the signatures already used (critical in untrusted environments!)
• Increasing the tree height increases memory requirements and computational complexity
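The OTS-plus-hash-tree construction from the basics slide and the statefulness constraints listed above, as an added example that is not part of the talk: Lamport one-time signatures [LD79] under a Merkle tree of height H = 2 in Python. SHA-256, the tree height and all class and function names are my own choices; the signer keeps a counter so that no OTS key is used twice and refuses to sign once its 2^H leaves are exhausted, which is the state the slide says must be tracked.

```python
# Added example (not from the slides): Lamport one-time signatures [LD79]
# under a Merkle tree of height H = 2, i.e. four OTS key pairs and a hard
# limit of four signatures. The signer keeps a state counter so that no OTS
# key is used twice; SHA-256 and H = 2 are my own choices for the demo.
import hashlib
import os

def sha256(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

# ---- Lamport one-time signature --------------------------------------------
def lamport_keygen():
    # 256 pairs of 32-byte secrets; the public key consists of their hashes
    sk = [[os.urandom(32), os.urandom(32)] for _ in range(256)]
    pk = [[sha256(s0), sha256(s1)] for s0, s1 in sk]
    return sk, pk

def lamport_sign(sk, msg):
    d = sha256(msg)                          # sign the 256-bit digest bit by bit
    return [sk[i][(d[i // 8] >> (7 - i % 8)) & 1] for i in range(256)]

def lamport_verify(pk, msg, sig):
    d = sha256(msg)
    return all(sha256(sig[i]) == pk[i][(d[i // 8] >> (7 - i % 8)) & 1]
               for i in range(256))

def leaf_hash(pk):
    """Compress one OTS public key (16 kB) into a single tree leaf."""
    return sha256(*(h for pair in pk for h in pair))

# ---- Merkle tree ------------------------------------------------------------
def build_tree(leaves):
    levels = [leaves]
    while len(levels[-1]) > 1:
        lvl = levels[-1]
        levels.append([sha256(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return levels          # levels[0] = leaves, levels[-1] = [root]

def auth_path(levels, index):
    path = []
    for lvl in levels[:-1]:
        path.append(lvl[index ^ 1])   # sibling node at this level
        index //= 2
    return path

def root_from_path(leaf, index, path):
    node = leaf
    for sibling in path:
        node = sha256(node, sibling) if index % 2 == 0 else sha256(sibling, node)
        index //= 2
    return node

class MerkleSigner:
    """Stateful signer: at most 2**height signatures, each OTS key used once."""
    def __init__(self, height=2):
        self.keys = [lamport_keygen() for _ in range(2 ** height)]
        self.levels = build_tree([leaf_hash(pk) for _, pk in self.keys])
        self.root = self.levels[-1][0]   # the only public key to distribute
        self.next_index = 0              # state that MUST persist across signings

    def sign(self, msg):
        if self.next_index >= len(self.keys):
            raise RuntimeError("all one-time keys used; tree exhausted")
        idx = self.next_index
        self.next_index += 1             # advance before revealing the OTS key
        sk, pk = self.keys[idx]
        return idx, lamport_sign(sk, msg), pk, auth_path(self.levels, idx)

def merkle_verify(root, msg, signature):
    idx, ots_sig, pk, path = signature
    if not lamport_verify(pk, msg, ots_sig):
        return False
    return root_from_path(leaf_hash(pk), idx, path) == root

def demo():
    """Returns (all four signatures verify, tampered message rejected, fifth signature refused)."""
    signer = MerkleSigner(height=2)
    msgs = [b"msg %d" % i for i in range(4)]
    sigs = [signer.sign(m) for m in msgs]
    ok_all = all(merkle_verify(signer.root, m, s) for m, s in zip(msgs, sigs))
    tampered = merkle_verify(signer.root, b"other", sigs[0])
    try:
        signer.sign(b"one too many")
        fifth_refused = False
    except RuntimeError:
        fifth_refused = True
    return ok_all, not tampered, fifth_refused
```

The signature sizes and the 2^H cap fall straight out of the structure: every signature carries one OTS public key, one OTS signature and H sibling hashes, and the tree offers exactly 2^H leaves. Losing or rolling back `next_index` (a restored VM snapshot, two processes sharing a key) would let a Lamport key sign twice, which is why the slide flags state tracking as critical in untrusted environments.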
Slide 27
Implementation Results
Lots of hash functions available, but not many implementations of hash-based crypto
Results for XMSS with H=20 [BDH11], presented at PQCrypto 2011. Platform: Intel Core i5; figures marked with (*) use AES-NI
Slide 28
Outline
• Introduction
• Alternative Public-Key Cryptosystems (APKC)
• Practical Considerations of APKCs
– Code-based Cryptography
– Hash-based Cryptography
– Multivariate-Quadratic-based Cryptography
– Lattice-based Cryptography
• Case Studies on Lattice-based Cryptography
• Conclusions
Slide 29
Multivariate-quadratic Cryptography – Basics
Hard problem: find a solution to a system of MQ equations
Given MQ maps F and P and two linear maps S and T:
• P has no special structure and is large, therefore hard to invert
• A special (secret) structure in F is necessary to allow easy inversion
• This secret structure is hidden by the mappings S and T, which are composed with F to obtain the public map P
Slide 32
MQ-based Signature Schemes
Taxonomy of Multivariate-Quadratic Signatures
• Oil and Vinegar: Original OV [Pat97], (C)UOV [KPG99, PTBW11], Rainbow
• Stepwise Triangular Systems (STS): (enhanced) TTS, Tractable Rational Maps
• Hidden-Field Equations: HFE(F) [Pat96], HFE±, HFEv, HFEv- (Quartz)
• Matsumoto-Imai A: MIA [IM85], C* [MI88], Flash/SFlash [PGC01]
Key sizes for ≈ 80-bit equivalent symmetric security:
• PK: 27.9 kB, SK: 19.6 kB, Sig: 256 bits
• PK: 3.9 kB, SK: 71 kB, Sig: 128 bits
• PK: 8.9 kB, SK: 75.3 kB, Sig: 624 bits
• PK: 49.6 kB, SK: 4.5 kB, Sig: 256 bits
Slide 33
MQ Encryption Schemes
Taxonomy of Multivariate-Quadratic Encryption
{ }
Slide 34
Key Aspects of MQ-based Systems
Only signature schemes available, no encryption
Basic operations are efficient
• Mainly linear operations over finite field (e.g., Gaussian elimination)
• Operations are simple to implement on any platform
Large public and private key (but the latter is certainly more critical)
• Embedded microcontrollers/smart cards have <16 KB internal Flash
• High number of memory accesses required
• Extra external (permanent) memory for keys required
Slide 35
Implementation Results
Some implementations at an 80-bit level of equivalent security targeting an AVR microcontroller
(Chart: Sign / Verify; comparison with ECC/RSA on the same platform)
Slide 36
Outline
• Introduction
• Alternative Public-Key Cryptosystems (APKC)
• Practical Considerations of APKCs
– Multivariate-Quadratic-based Cryptography
– Hash-based Cryptography
– Code-based Cryptography
– Lattice-based Cryptography
• Conclusions
Slide 37
Lattice-based Cryptography – Basics
• Hard problem: Shortest/Closest Vector Problem (SVP/CVP), hard in the worst case
• Typically thought to be either impractical but provably secure, or practical but without proof (GGH/NTRU)
• Lately: ideal lattices can potentially combine both
• More constructions feasible beyond classical PKC: hash functions, PRFs, identity-based encryption, homomorphic encryption
Slide 40
Lattice-based Signature Schemes
Taxonomy of Lattice-based Signatures
• Hash-and-sign: NTRUSign/GGH [GGH97], [HPS01], [HHGP+03], [GS02], [NR09]; [GPV08]
• Fiat-Shamir [FS86]: [Lyu09]; [Lyu12], [GLP12], [MP12]
Key sizes for medium security (roughly 128-bit?):
• PK: 44.1 kB
• PK: 2 kB, SK: 2 kB, Sig: 6 kB
• PK: 1.5 kB, SK: 0.2 kB, Sig: 1 kB
• PK: 362 kB, SK: 831 kB, Sig: 2.3 kB
Note: Most proposed signatures do not come with parameters
Slide 44
Lattice-based Encryption Schemes
Taxonomy of Lattice-based Encryption
• NTRU [HPS98, HHHW09] and the NTRU variant [SS11]
• LWE [Reg05]: Micciancio-Regev [MR08], Lindner-Peikert [LP10], (R)-LWE; instantiated over standard or ideal lattices
Key sizes for medium security (roughly 128-bit?):
• Standard: PK: 48 kB, Msg: 0.5 kB; Ideal: PK: 0.4 kB, Msg: 0.81 kB
• Standard: PK: 732 kB, Msg: 0.3 kB
• PK: 1.5 kB, SK: 1.8 kB, Msg: 1.5 kB
Slide 45
Key Aspects of Lattice-based Systems
Encryption and signature systems are both feasible
• Undesired message expansion for LWE encryption
• Rare decryption error probability in LWE encryption
Random sampling not only from uniform but also from Gaussian distributions (not trivial)
Most underlying operations are efficient and parallelizable
• (Ideal lattices) Make use of the FFT for polynomial multiplication
• (Standard lattices) Matrix-vector arithmetic
Reasonably large public and private keys
• True for encryption/signature constructions
• Unclear for more complex services such as homomorphic encryption/IBE
Slide 46
Outline
• Introduction
• Alternative Public-Key Cryptosystems (APKC)
• Practical Considerations of APKCs
• Case Studies on Lattice-based Cryptography
• Conclusions
Slide 47
Case Study #1: LWE-Encryption
CPA-secure public-key encryption scheme for standard and ideal lattices, introduced by Lindner and Peikert in 2010.
GEN(a): choose r1, r2 ← χ from a small Gaussian distribution and let p = r1 − a·r2. Public key p, secret key r2.
ENC(a, p, m): choose e1, e2, e3 ← χ. Let m̄ = encode(m) in R_p. The ciphertext is c1 = a·e1 + e2, c2 = p·e1 + e3 + m̄.
DEC((c1, c2), r2): output decode(c1·r2 + c2).
Review of operations: polynomial multiplication, Gaussian sampling
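The three algorithms above, as an added example that is not part of the talk: a Ring-LWE instantiation of the Lindner-Peikert scheme in Python over R_q = Z_q[x]/(x^n + 1). The parameters n = 256 and q = 4093, the bit-per-coefficient threshold encoding (0 ⇒ 0, 1 ⇒ q/2) and the ternary sampler that stands in for the Gaussian distribution χ are my own assumptions, chosen so the block runs offline. With a ternary error the noise term e2·r2 + r1·e1 + e3 is bounded by 2n + 1 < q/4, so decryption cannot fail here; the Gaussian tails of the real scheme are what produce the rare decryption errors the talk mentions.

```python
# Added example (not from the slides): the Lindner-Peikert scheme from the
# slide over the ring R_q = Z_q[x]/(x^n + 1), with my own toy parameters
# n = 256, q = 4093 and a ternary error sampler standing in for the discrete
# Gaussian chi (an assumption to keep the block self-contained; a real
# Gaussian has tails, which is where the rare decryption errors come from).
import random

N, Q = 256, 4093

def poly_mul(a, b):
    """Schoolbook multiplication in Z_q[x]/(x^n + 1): reduce with x^n = -1."""
    res = [0] * N
    for i, ai in enumerate(a):
        if ai == 0:
            continue
        for j, bj in enumerate(b):
            k = i + j
            if k < N:
                res[k] += ai * bj
            else:
                res[k - N] -= ai * bj
    return [x % Q for x in res]

def poly_add(*polys):
    return [sum(c) % Q for c in zip(*polys)]

def sample_small(rng):
    """Stand-in for chi: independent coefficients in {-1, 0, 1}."""
    return [rng.choice((-1, 0, 1)) for _ in range(N)]

def encode(bits):
    """Threshold encoding: message bit 0 -> 0, bit 1 -> q/2, one bit per coefficient."""
    return [(Q // 2) if b else 0 for b in bits]

def decode(poly):
    """A coefficient closer to q/2 than to 0 decodes to 1."""
    return [1 if Q // 4 <= c < 3 * Q // 4 else 0 for c in poly]

def keygen(a, rng):
    """GEN(a): p = r1 - a*r2; public key p, secret key r2."""
    r1, r2 = sample_small(rng), sample_small(rng)
    p = poly_add(r1, [(-c) % Q for c in poly_mul(a, r2)])
    return p, r2

def encrypt(a, p, bits, rng):
    """ENC(a, p, m): c1 = a*e1 + e2, c2 = p*e1 + e3 + encode(m)."""
    e1, e2, e3 = (sample_small(rng) for _ in range(3))
    c1 = poly_add(poly_mul(a, e1), e2)
    c2 = poly_add(poly_mul(p, e1), e3, encode(bits))
    return c1, c2

def decrypt(ct, r2):
    """DEC((c1, c2), r2): decode(c1*r2 + c2); the a-terms cancel, leaving
    e2*r2 + r1*e1 + e3 + encode(m)."""
    c1, c2 = ct
    return decode(poly_add(poly_mul(c1, r2), c2))

def noise_bound_ok():
    """Each coefficient of e2*r2 + r1*e1 + e3 has magnitude at most 2n + 1 with
    ternary samples, so q/4 > 2n + 1 rules out decryption errors entirely."""
    return Q // 4 > 2 * N + 1

def roundtrip(seed=0, trials=5):
    """Encrypt random n-bit messages under a fresh key and check they decrypt."""
    rng = random.Random(seed)
    a = [rng.randrange(Q) for _ in range(N)]     # public uniform ring element
    p, r2 = keygen(a, rng)
    for _ in range(trials):
        bits = [rng.randrange(2) for _ in range(N)]
        if decrypt(encrypt(a, p, bits, rng), r2) != bits:
            return False
    return True

if __name__ == "__main__":
    print("noise bound holds:", noise_bound_ok(), "| round trips OK:", roundtrip())
```

The message expansion the next section complains about is visible directly: n message bits become two ring elements of n coefficients each, i.e. 2·n·log2(q) ciphertext bits. Replacing `sample_small` with a discrete Gaussian sampler and shrinking q is exactly the trade that reintroduces a small decryption failure probability.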
Slide 48
Implementation Aspects and Results
• One message bit is encoded using a threshold scheme into one coefficient (0 ⇒ 0, 1 ⇒ q/2); (rare) probability of (yet unhandled) decryption errors
Performance results for LWE-Encryption [GFSHB12]
• Intel/AMD Core 2 CPU: 195 ms keygen / 1.52 ms enc / 0.57 ms dec (reasonably fast, but uses only NTL)
• Hardware (using a very expensive FPGA), Virtex-7 2000T: 320816 LUTs / 143396 registers / ~8 µs enc; 124265 LUTs / 65174 registers / ~8 µs dec (much too costly)
Slide 49
Case Study #2: An Improved Signature Scheme on Ideal Lattices
• Signature scheme by Lyubashevsky [Lyu12], provably secure in the random oracle model (ROM)
• Efficiency improvement by a different hardness assumption: (decisional) Ring-LWE with "aggressive" parameters
• Internal values s1, s2 only have -1/0/1 coefficients instead of being drawn from a Gaussian distribution (as in [LPR10]); for the other values uniform distributions are sufficient
Slide 50
Signing and Verification [GLP12]
• GEN
1. Pick a from R = Z_p[x]/(x^n + 1) and s1, s2 from the subset R_1. Compute t = a·s1 + s2
2. Secret key sk = (s1, s2), public key pk = (a, t)
• SIGN(m, sk)
1. Pick y1, y2 uniformly from R_k (coefficients in [-k, k])
2. c = H(Transform(r = a·y1 + y2), m)
3. z1 = s1·c + y1, z2 = s2·c + y2
4. If z1, z2 not in R_(k-32) goto 1.
5. z2' = Compress(a·y1 + y2 − z2, z2, p, k−32)
6. Return σ = (z1, z2', c)
• VER(σ = (z1, z2', c), pk = (a, t), m)
1. If z1, z2' not in R_(k-32) reject
2. If c = H(Transform(a·z1 + z2' − t·c), m) then accept, else reject
Review of operations:
- Polynomial multiplication in steps 2, 3 (sign) and 2 (verify)
- Aggressive signature size reduction by hashing of the high-order bits (Transform/Compress)
- Rejection step (only for signing)
Slide 51
Implementation Results
Lattice-based Signature [GLP12]
Implementations on reconfigurable hardware
Parameters (p=8383489, n=512, k=214)
Slide 52
Lattice-based Cryptography: Research Directions and Future Work
• More cryptanalysis of lattice-based constructions
• FFT/NTT techniques to accelerate polynomial multiplication in R = Z_p[x]/(x^n + 1) (required by many lattice-based schemes)
• High-speed implementations targeting specific processor instruction sets (vector units, FFT/MAC instructions)
• Efficient Gaussian sampling on constrained devices
• Implementation and acceleration of high-level constructions like homomorphic encryption or IBE
• CCA2-secure conversions for encryption schemes
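The FFT/NTT point above, as an added example that is not part of the talk: negacyclic NTT multiplication in R = Z_p[x]/(x^n + 1) with the [GLP12] parameters p = 8383489, n = 512 from the implementation-results slide, checked against a schoolbook product. The root-of-unity search, the recursive Cooley-Tukey transform and all function names are my own; the block relies on p − 1 being divisible by 2n = 1024, which is what makes a primitive 2n-th root of unity ψ available, and the twist by powers of ψ is what turns the negacyclic product into an ordinary cyclic one of length n.

```python
# Added example (not from the slides): negacyclic NTT multiplication in
# R = Z_p[x]/(x^n + 1) with the [GLP12] parameters p = 8383489, n = 512.
# The ring admits an NTT because p - 1 = 1024 * 8187 is divisible by 2n, so
# a primitive 2n-th root of unity psi exists; twisting by powers of psi turns
# the negacyclic product into a cyclic one of length n.
# The root search and the schoolbook reference are my own helper code.
import random

P, N = 8383489, 512

def primitive_root_of_unity(order):
    """psi of exact order `order` mod P. Assumes `order` is a power of two, so
    psi^(order/2) != 1 is the only primitivity check needed."""
    assert (P - 1) % order == 0 and (order & (order - 1)) == 0
    exp = (P - 1) // order
    for g in range(2, P):
        psi = pow(g, exp, P)
        if pow(psi, order // 2, P) != 1:
            return psi
    raise ValueError("no root of unity of that order")

def ntt(a, omega):
    """Recursive Cooley-Tukey transform of length len(a) (a power of two)
    using omega as the primitive root of that length; omega^-1 inverts it
    up to the factor len(a)."""
    n = len(a)
    if n == 1:
        return a[:]
    even = ntt(a[0::2], omega * omega % P)
    odd = ntt(a[1::2], omega * omega % P)
    out = [0] * n
    w = 1
    for i in range(n // 2):
        t = w * odd[i] % P
        out[i] = (even[i] + t) % P
        out[i + n // 2] = (even[i] - t) % P     # omega^(n/2) = -1
        w = w * omega % P
    return out

PSI = primitive_root_of_unity(2 * N)             # primitive 2n-th root, psi^n = -1
OMEGA = PSI * PSI % P                              # primitive n-th root
PSI_INV, OMEGA_INV, N_INV = (pow(x, P - 2, P) for x in (PSI, OMEGA, N))

def negacyclic_mul_ntt(a, b):
    """a*b in Z_p[x]/(x^n + 1) in O(n log n): twist, NTT, pointwise, inverse, untwist."""
    ta = ntt([ai * pow(PSI, i, P) % P for i, ai in enumerate(a)], OMEGA)
    tb = ntt([bi * pow(PSI, i, P) % P for i, bi in enumerate(b)], OMEGA)
    tc = ntt([x * y % P for x, y in zip(ta, tb)], OMEGA_INV)
    return [c * N_INV % P * pow(PSI_INV, i, P) % P for i, c in enumerate(tc)]

def negacyclic_mul_schoolbook(a, b):
    """O(n^2) reference implementation: reduce with x^n = -1."""
    res = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < N:
                res[i + j] += ai * bj
            else:
                res[i + j - N] -= ai * bj
    return [x % P for x in res]

def ntt_matches_schoolbook(seed=0):
    """Multiply two random ring elements both ways and compare."""
    rng = random.Random(seed)
    a = [rng.randrange(P) for _ in range(N)]
    b = [rng.randrange(P) for _ in range(N)]
    return negacyclic_mul_ntt(a, b) == negacyclic_mul_schoolbook(a, b)

if __name__ == "__main__":
    print("psi^n == -1:", pow(PSI, N, P) == P - 1)
    print("NTT product matches schoolbook:", ntt_matches_schoolbook())
```

In a real implementation a and t would be kept in NTT form permanently and the transforms of s1, s2 and y1, y2 cached or fused with sampling, so a signing attempt costs a handful of pointwise products plus one inverse transform; the schoolbook routine is here only to show that the transformed path computes the same ring element.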
Slide 53
Outline
• Introduction
• Alternative Public-Key Cryptosystems (APKC)
• Practical Considerations of APKCs
• Case Studies on Lattice-based Cryptography
• Conclusions
Slide 54
Conclusions
• Looking back at the four branches of PQC…
– Code-based encryption schemes are the most mature and practical APKCs today
– But lattice-based cryptography looks very promising
• For deployment in real-world systems, we need to
– Produce many more (solid) implementations for efficiency evaluation
– Investigate physical security aspects of PQC
– Standardize parameters and instances
Slide 55
Questions?