Getting Ready for the Post-Quantum Transition (slide transcript, Dec 09, 2020)
-
Getting Ready for the Post-Quantum Transition
-
[Chart: Relative Algorithm Strength Over Time, 2000-2018; series: MD5, SHA1, RSA 1024->2048, RSA->ECC, PQC. Annotated events:]
• 1st better-than-brute-force attack on SHA-1
• 1st MD5 collision
• 1st SHA-1 collision
• MSR PQC project starts
• NSA revises Suite B & says PQC coming
• Crypto SDL bans RSA
-
Quantum is coming
-
Contemporary Cryptography: TLS-ECDHE-RSA-AES128-GCM-SHA256
• RSA signatures and elliptic curve Diffie–Hellman key exchange rely on the difficulty of factoring and of elliptic curve discrete logarithms. Both can be solved efficiently by a large-scale quantum computer (Shor’s Algorithm, 1994).
• AES and SHA-2 are impacted by quantum computing, but we can mitigate by increasing key sizes (Grover’s Algorithm, 1996).
Applied Crypto Symposium, 9-December-2020
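As an added illustration (not from the original slides), the Python below splits a suite name in the hyphenated style shown above into its components and applies the slide's rule: factoring and discrete-log tokens are broken by Shor, while symmetric and hash components keep roughly half their bits under Grover. The suite names, the halving heuristic and the advice strings are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Asymmetric tokens whose hardness assumption (factoring / discrete log)
# falls to Shor's algorithm on a large-scale quantum computer.
SHOR_BROKEN = {"RSA", "DSA", "ECDSA", "DH", "DHE", "ECDH", "ECDHE"}
# Output size of the PRF/MAC hash named at the end of a suite string.
HASH_BITS = {"MD5": 128, "SHA": 160, "SHA1": 160, "SHA256": 256, "SHA384": 384, "SHA512": 512}
CIPHER_RE = re.compile(r"^(AES|CAMELLIA|ARIA|CHACHA20|3DES)(\d+)?$")

@dataclass
class Assessment:
    token: str
    role: str                    # "kx", "auth", "kx+auth", "cipher" or "hash"
    classical_bits: Optional[int]
    quantum_bits: Optional[int]  # None: no useful security against a large QC
    advice: str

def _grover(token: str, role: str, bits: int) -> Assessment:
    # Grover gives roughly a square-root speedup, i.e. about half the bits;
    # the mitigation is a larger key or hash output, not a new algorithm.
    q = bits // 2
    advice = "ok" if q >= 128 else f"increase size: {bits}-bit gives ~{q}-bit post-quantum strength"
    return Assessment(token, role, bits, q, advice)

def classify_suite(name: str) -> list:
    """Split an OpenSSL/slide-style suite name (TLS-KX-AUTH-CIPHER-MODE-HASH)."""
    tokens = name.upper().split("-")
    if tokens and tokens[0] == "TLS":
        tokens = tokens[1:]
    # Asymmetric tokens precede the bulk cipher; TLS 1.3 names have none here
    # because key exchange is negotiated separately (supported_groups).
    idx = next((i for i, t in enumerate(tokens) if CIPHER_RE.match(t)), None)
    if idx is None:
        raise ValueError(f"no recognised bulk cipher in {name}")
    asym, cipher, rest = tokens[:idx], tokens[idx], tokens[idx + 1:]
    out = []
    for i, t in enumerate(asym):
        role = "kx+auth" if len(asym) == 1 else ("kx" if i == 0 else "auth")
        if t in SHOR_BROKEN:
            out.append(Assessment(t, role, None, None,
                                  "broken by Shor: add a PQ (hybrid) algorithm"))
        else:
            out.append(Assessment(t, role, None, None, "unrecognised: review manually"))
    m = CIPHER_RE.match(cipher)
    bits = int(m.group(2)) if m.group(2) else (112 if m.group(1) == "3DES" else 256)
    out.append(_grover(cipher, "cipher", bits))
    if rest and rest[-1] in HASH_BITS:
        out.append(_grover(rest[-1], "hash", HASH_BITS[rest[-1]]))
    return out

def migration_actions(name: str) -> list:
    """Components of NAME that need work before a PQ transition."""
    return [f"{a.role}:{a.token} -> {a.advice}" for a in classify_suite(name) if a.advice != "ok"]

if __name__ == "__main__":
    for action in migration_actions("TLS-ECDHE-RSA-AES128-GCM-SHA256"):
        print(action)
```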
-
Resource Estimates for Shor’s Algorithm
[Figure not reproduced in the transcript.]
Source: Quantum Resource Estimates for Computing Elliptic Curve Discrete Logarithms, Roetteler et al., Asiacrypt 2017.
-
Hypothetical 15-Year View for PQ Crypto
(Slide footer: 31-JAN-2019 DigiCert Security Summit)
[Timeline chart, JAN 2015 to Dec 2029, with phases: STANDARDS DISCUSSIONS, R&D, PILOTS, ROLLOUTS, MIGRATION, DECOMMISSION]
• NSA Suite B Update
• Dec 2017 – Dec 2023: NIST PQ Standardization Process
• WE ARE HERE
• ~2030: Quantum Computer Breaks Asymmetric Crypto (>2400 logical qubits)
-
Future Quantum Computers are a Threat Today
• Even if a cryptographically-relevant quantum computer is a decade away…
• Record now, exploit later
  • Today’s non-PQ encryption will break in the future
  • What is the security lifetime of the data you and your customers are transmitting and storing?
• Authentication, code-signing, and digital signatures
  • If I can break the algorithm and determine the private key, I can impersonate
  • For example, the Windows Update channel
  • What happens if an adversary can “update” the firmware on your processor?
• We’re creating more legacy every day
-
Post-Quantum Cryptography at Microsoft: Three Parallel Workstreams
• Algorithms: 4 submissions to the NIST PQC standardization process. Ongoing work on high-performance implementations and cryptanalysis of our submissions.
• Protocols: Make commonly-used security protocols “PQ-enabled”.
• Systems: Integrate PQC into exemplary “high-value/high-risk” engineering systems and processes.
-
Our NIST Round 3 Candidates
• “Picnic”: Post-Quantum Signatures
• “SIKE”: Supersingular Isogeny Key Encipherment
• “FrodoKEM”: Learning With Errors Key Encipherment
-
NIST PQC Round 3
• 15 algorithms selected for Round 3
  • 7 “Finalists” (4 encryption, 3 digital signature)
  • 8 “Alternates” (5 encryption, 3 digital signature)
• NIST said they expect to pick at most 2 encryption & 2 signature algorithm Finalists for standardization at the end of Round 3
• But… NIST also announced a likely Round 4 and the likely standardization of at least some of the Alternates at the end of Round 4
• ANALYSIS: We will see at least two waves of PQC algorithm standards from NIST, which makes having cryptographic agility in deployed systems even more important
-
Predictions: “Cascades” and “Long Tails”
• 2025: likely ~2-4 NIST PQ encryption algorithms and ~1-3 NIST PQ signature algorithms
• 2025-2030: standards bodies will begin updating for PQC (having waited for FIPS)
  • Expect at least a year per standard, likely longer based on past experience
  • Cascade of crypto/protocol standards dependencies will extend transition times
• Long tail of security protocols with small implementor communities
  • These protocols won’t migrate to PQC as quickly as TLS, SSH, OpenVPN, IPSec, etc., and they will likely be harder to update
• 2030: likely to still be “PQ-messy” in terms of updates to standards
-
Bringing PQ to Industry Crypto Protocols
• The Open Quantum Safe (OQS) project provides a common API for testing and prototyping with post-quantum crypto algorithms
  • Multi-org OQS dev team includes University of Waterloo, Microsoft, Amazon, SRI International
  • Includes liboqs, an open source C library for PQ Crypto algorithms (with C++/C#/Python wrappers)
• This lets us access and test any PQ algorithm in an OQS-enlightened protocol
• To date, we have integrated Frodo/FrodoKEM, SIDH/SIKE, qTESLA, and Picnic into OQS
• https://openquantumsafe.org/
-
PQC Protocol Integrations using OQS
• We integrated the OQS library into protocols to provide PQC and hybrid ciphersuites
  • Hybrid: keep your FIPS or otherwise approved crypto, add PQ protection
  • For more on hybrid PKI, see Bindel et al. 2017: https://eprint.iacr.org/2017/460.pdf
• OpenSSL, with TLS 1.2 and 1.3 support: https://github.com/open-quantum-safe/openssl
• OpenSSH: https://github.com/open-quantum-safe/openssh-portable
• OpenVPN, for securing links against “record now/exploit later” attacks: https://github.com/Microsoft/PQCrypto-VPN
-
Comprehensive Datacenter Design
Facts and Figures
• 12.2m length, 2.8m diameter
• Available IT Space: 12 42U racks
• Max Power: 454 KW (38 KW/rack)
• Est. Power Utilization Effectiveness of 1.03
• Payload: 864 Azure servers w/FPGA
• Cold Aisle Temperature: 15C
© 2018 Microsoft Corporation. All rights reserved.
-
30 Days: Factory to Powerup
Site Information
• Location: European Marine Energy Centre, Scotland
• Electricity: 100% locally sourced renewable
-
Securing the link (>6900km) with a Post-Quantum VPN
-
Systems: Key Scenarios for Microsoft
• Public Key Infrastructure (PKI)
  • Both corporate and externally-facing
• Code signing for Microsoft products and services
  • Authenticode (e.g. Windows DLLs)
  • UWP (Microsoft Store) applications
  • XBOX
• Azure Cloud Computing
  • Key Vault
-
PQC & Hybrid Certs with an HSM
• We added support for the Picnic algorithm to a Utimaco HSM
  • Where possible, we replaced functions in MS software with calls to Utimaco firmware: RNG, SHA-3, ASN.1 utilities
• Demonstrated key PKI CA operations:
  • HSM generates & stores new PQ CA key and issues self-signed cert
  • HSM generates & stores new PQ EE key, CA issues cert for EE key
  • CA issues PQ cert for externally-generated CSR for (legacy) RSA public key
  • All PQ operations use Picnic keys and signatures
• More recently: working with DigiCert and Utimaco, we demonstrated using an HSM to issue (RSA/ECDSA)-PQ hybrid certificates
  • X.509v3 certificates with a new “hybrid” signature OID
  • Signature blob is concatenation of “classic” and PQ signatures
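An added example, not code from the slides or from the Microsoft/DigiCert/Utimaco demonstration: the concatenated "classic || PQ" signature blob described above, and the verification rule that a hybrid signature is accepted only when both components verify over the same bytes. The fixed classical signature lengths (RSA-2048, ECDSA P-256) and the PQ signature sizes come from this deck's size table; the keyed-hash stand-in for real signature schemes is a constructed assumption so the framing and policy logic can run offline.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable

# Fixed signature lengths of the classical algorithms named on the slide
# (RSA-2048: 256-byte signature; ECDSA P-256: 64-byte raw r||s).
CLASSIC_SIG_LEN = {"RSA-2048": 256, "ECDSA-P256": 64}
# Signature sizes of PQ candidates from the deck's size table (L1 parameters).
PQ_SIG_LEN = {"Picnic": 13802, "Falcon": 666, "Dilithium-L2": 2420}

Verifier = Callable[[bytes, bytes], bool]  # (to-be-signed bytes, signature) -> ok

@dataclass
class HybridPolicy:
    classic_alg: str
    pq_alg: str
    verify_classic: Verifier
    verify_pq: Verifier

def encode_hybrid(classic_sig: bytes, pq_sig: bytes, policy: HybridPolicy) -> bytes:
    """Hybrid signature blob: classic || PQ, with both lengths checked up front."""
    if len(classic_sig) != CLASSIC_SIG_LEN[policy.classic_alg]:
        raise ValueError("classic signature has unexpected length")
    if len(pq_sig) != PQ_SIG_LEN[policy.pq_alg]:
        raise ValueError("PQ signature has unexpected length")
    return classic_sig + pq_sig

def verify_hybrid(tbs: bytes, blob: bytes, policy: HybridPolicy) -> bool:
    """Accept only if BOTH component signatures verify over the same bytes."""
    n = CLASSIC_SIG_LEN[policy.classic_alg]
    if len(blob) != n + PQ_SIG_LEN[policy.pq_alg]:
        return False  # truncated or padded blob: never fall back to classic-only
    ok_classic = policy.verify_classic(tbs, blob[:n])
    ok_pq = policy.verify_pq(tbs, blob[n:])
    return ok_classic and ok_pq

def _stand_in_scheme(key: bytes, length: int):
    """Keyed-hash stand-in for a signature scheme, expanded to LENGTH bytes, so
    the framing and policy logic can run offline. Not a real signature."""
    def sign(tbs: bytes) -> bytes:
        out, ctr = b"", 0
        while len(out) < length:
            out += hmac.new(key, tbs + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
            ctr += 1
        return out[:length]
    def verify(tbs: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(sign(tbs), sig)
    return sign, verify

def demo() -> dict:
    """Constructed keys and constructed TBS bytes; returns verification outcomes."""
    sign_c, verify_c = _stand_in_scheme(b"constructed-ecdsa-key", CLASSIC_SIG_LEN["ECDSA-P256"])
    sign_q, verify_q = _stand_in_scheme(b"constructed-picnic-key", PQ_SIG_LEN["Picnic"])
    policy = HybridPolicy("ECDSA-P256", "Picnic", verify_c, verify_q)
    tbs = b"constructed tbsCertificate bytes"
    blob = encode_hybrid(sign_c(tbs), sign_q(tbs), policy)
    tampered = blob[:64] + bytes(b ^ 0x01 for b in blob[64:])  # corrupt the PQ part only
    return {
        "valid": verify_hybrid(tbs, blob, policy),
        "tampered_pq": verify_hybrid(tbs, tampered, policy),
        "classic_only": verify_hybrid(tbs, blob[:64], policy),  # PQ part stripped
        "blob_bytes": len(blob),  # 64 + 13802
    }
```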
-
Upgrading to PQC Means Larger Keys, Ciphertexts, Signatures

NIST Round 3 Candidates -- Public Key & Signature Sizes for L1
Signature Algorithm      | pk (bytes) | signature (bytes)
CRYSTALS-DILITHIUM (L2)  | 1312       | 2420
Falcon                   | 897        | 666
Rainbow                  | 157800     | 66
SPHINCS+                 | 32         | 7856
Picnic                   | 34         | 13802
GeMSS                    | 352190     | 32

For comparison: RSA-2048: pk 256 bytes, signatures 256 bytes; ECC-P256: pk 32 bytes, signatures 64 bytes
Embedded spreadsheet data behind the size table (byte lengths and their base64-encoded lengths):
Signature Algorithm      | pk (bytes) | pk (base64) | signature (bytes) | signature (base64)
CRYSTALS-DILITHIUM (L2)  | 1312       | 1750        | 2420              | 3227
Falcon                   | 897        | 1196        | 666               | 888
Rainbow                  | 157800     | 210400      | 66                | 88
SPHINCS+                 | 32         | 43          | 7856              | 10475
Picnic                   | 34         | 46          | 13802             | 18403
GeMSS                    | 352190     | 469587      | 32                | 43
-
Looking Forward…
-
Past Algorithm Transitions Have Taken Years: PQC Will Be No Different
• ECC (starting in 2005) is the closest model to the PQC transition
  • Adding base level of ECC support to Windows took 4.5 years
  • Three releases (Vista, Vista SP1, Win7) from NSA’s Suite B announcement
  • 15 years later, parts of the ecosystem are still working on ECC parity
• Transitioning to a new algorithm takes more time, is more complicated, and impacts more functions and features than you expect
• Long-term support requirements slow algorithm decommissioning
• Start planning your migration now
  • Draft NCCoE white paper: Getting Ready for Post-Quantum Cryptography: https://doi.org/10.6028/NIST.CSWP.05262020-draft
  • CRA Quad Paper: Post Quantum Cryptography: Readiness Challenges and the Approaching Storm: https://cra.org/ccc/wp-content/uploads/sites/2/2020/10/Post-Quantum-Cryptography_-Readiness-Challenges-and-the-Approaching-Storm-1.pdf
-
Summary – Preparing for a PQ future
• Quantum computers are coming – maybe not for a decade or more, but within the protection lifetime of data we are generating and encrypting today
  • We need to start planning the transition to post-quantum cryptographic algorithms now.
• To prepare for the PQ transition, all our systems need cryptographic agility
  • Hybrid solutions combining classical and post-quantum primitives look promising; they provide both traditional cryptographic guarantees as well as some PQ resistance
• Practical engineering options exist today for deploying PQ
  • But it is going to take a long time to update our software stacks…
• We may already be late to transition
  • Some of our customers have data with a protection lifespan of 15-20 years or more.
  • IoT and critical infrastructure have devices that won’t be updated for 15+ years.
-
PQ Open Source Releases
Libraries:
• https://github.com/Microsoft/PQCrypto-LWEKE
• https://github.com/Microsoft/PQCrypto-SIKE
• https://github.com/microsoft/qTESLA-Library
• https://github.com/Microsoft/Picnic
Protocol Integrations:
• https://openquantumsafe.org/
• https://github.com/open-quantum-safe/openssl
• https://github.com/open-quantum-safe/openssh-portable
• https://github.com/Microsoft/PQCrypto-VPN
PQ-VPN to Project Natick:
• https://www.microsoft.com/en-us/research/project/post-quantum-crypto-tunnel-to-the-underwater-datacenter/
Overall project site:
• https://www.microsoft.com/en-us/research/project/post-quantum-cryptography/
-
Questions?