Post-Quantum Cryptography in ARM Processors · 2019-10-07 · Open Questions about Post-Quantum...
31
Reza Azarderakhsh, Ph.D. Florida Atlantic University and PQSecure Technologies ARM Research Summit Austin, TX Sept. 2019 Post-Quantum Cryptography in ARM Processors
Transcript of Post-Quantum Cryptography in ARM Processors · 2019-10-07 · Open Questions about Post-Quantum...
Reza Azarderakhsh, Ph.D.
Florida Atlantic University and PQSecure Technologies
ARM Research Summit
Austin, TX
Sept. 2019
Post-Quantum Cryptography in ARM Processors
Quantum Threat to Information Security
Large-scale quantumcomputers could break some encryption schemes
Need to migrate encryption to quantum-resistant algorithms
When we should start the process?
Questions:• When will quantum computers arrive?• When will they be a threat?• When do we switch?• How do we have live and agile transition?• What do we transition to?• …
“In 25 years we’ll be working on quantum resistant crypto standardization
based on elliptic curves in some way!”
─Dustin Moody, NIST (NSF CCC Workshop 2019)
Universalquantumcomputeravailable
2016
2017
2022? 2031
PQCproject
start
Round 1 begin Dec
Standardsready
2026
Mosca – 1/7 chance breaking
RSA-2048
Mosca – ½ chance breaking
RSA-2048
2035
All systems transitioned toquantum-safe
Round 2begin Jan
2019
2020
Round 3 begin June
(69 Candidates)
(17 KEM + 9 DSA) “more than one”
Retroactive decryption: Record encrypted communication now,
Decrypt once quantum computers are available
Open Questions about Post-Quantum Cryptography
• Design better post-quantum cryptosystems
• Improve classical and quantum attacks
• Pick parameter sizes
• Develop fast, efficient, and secure implementations
• Integrate them into the existing infrastructures
Post-Quantum Key-Exchange
Code-based
Lattice-based
Isogeny-based
Hash-based
Lattice-based
Zero-Knowledgebased
Multivariate-based
Post-Quantum Signatures
Quick Overview
• [2006]: Birth of a supersingular isogeny-based cryptosystem• Charles – Goren – Lauter
• built hash function from supersingular isogeny graph
• [2011]: Supersingular isogeny key exchange • Jao – De Feo
• [2017]: Supersingular isogeny key encapsulation• SIKE Team
SIKE Team
Isogeny-Based Cryptography
• Isogeny-based cryptography is constructed on a set of curves.
• Given two curve 𝐸 and 𝐸′ = 𝜙(𝐸) find 𝜙?
Supersingular Isomorphism Classes
• We are interested in the set of supersingularcurves (up to isomorphism) over a specific field
• Prime 𝑝 = 2𝑒𝐴 ∙ 3𝑒𝐵 ∙ 𝑓 ± 1
• Elliptic curves over 𝔽𝑝2, #𝐸 = 𝑝 ∓ 1 2
• Supersingular 𝑗-invariants: #𝑆𝑝2 ≈𝑝
12(isogenous elliptic curves)
40
17
48
0
41
24
66
Prime p = 23 ∙ 32 − 1 = 71, #𝐸 = 722, #𝑆𝑝2 = 7
Isogeny Graphs
With isogeny of degree ℓ, we get a connected (ℓ + 1)-regular graph.
Vertices: All isogenous elliptic curves over 𝔽𝑝2.
Edges: Isogenies of degree ℓ
40
17
48
0
41
24
66
40
17
48
0
41
24
66
2-isogeny graph 3-isogeny graph
Key Exchange based on Isogeny Graphs
40
17
48
0
41
24
66
40
17
48
0
41
24
66
2-isogeny graph 3-isogeny graph
Alice Bob
Public Parameters
𝐸0/𝔽𝑝2
𝑃𝐴, 𝑄𝐴 ∈ 𝐸0[2𝑒𝐴]
𝑃𝐵, 𝑄𝐵 ∈ 𝐸0[3𝑒𝐵]
𝑃𝐴 = 53, 55
𝑄𝐴 = 18, 27𝑤 + 44
𝑃𝐵 = 7𝑤 + 20, 31𝑤 + 50
𝑄𝐵 = 21𝑤 + 64, 38𝑤 + 13
40
17
48
0
41
24
66
40
17
48
0
41
24
66
Alice Bob
𝐸0: 𝑦2 = 𝑥3 + 𝑥
Secret Key
𝑠𝐴 = 6 𝑠𝐵 = 3
𝑠𝐴 ∈ 0,2𝑒𝐴
𝑠𝐵 ∈ 0,3𝑒𝐵
40
17
48
0
41
24
66
40
17
48
0
41
24
66
Alice Bob
Public Key Generation
40
17
48
0
41
24
66
40
17
48
0
41
24
66
Alice Bob
𝐸0: 𝑦2 = 𝑥3 + 𝑥 𝐸0: 𝑦
2 = 𝑥3 + 𝑥
𝐸0
Public Key Generation
40
17
48
0
41
24
66
40
17
48
0
41
24
66
Alice Bob
𝐸0: 𝑦2 = 𝑥3 + 𝑥 𝐸0: 𝑦
2 = 𝑥3 + 𝑥
𝜙𝐴: 𝐸0 → 𝐸𝐴 𝜙𝐵: 𝐸0 → 𝐸𝐵
𝐸0
p = 23 ∙ 32 − 1 = 71
Public Key Generation
40
17
48
0
41
24
66
40
17
48
0
41
24
66
Alice Bob
𝐸0: 𝑦2 = 𝑥3 + 𝑥 𝐸0: 𝑦
2 = 𝑥3 + 𝑥
𝜙𝐴: 𝐸0 → 𝐸𝐴
𝐸𝐴: 𝑦2 = 𝑥3 + 22𝑥 + 35
𝜙𝐵: 𝐸0 → 𝐸𝐵
𝐸𝐵: 𝑦2 = 𝑥3 +63𝑥 + (55𝑤 + 16)
𝐸0
𝐸𝐴 = 𝐸0/ 𝐴 𝐸𝐵 = 𝐸0/ 𝐵
𝑅𝐴, 𝑆𝐴 = 𝜙𝐴 𝑃𝐵 , 𝜙𝐴 𝑄𝐵 𝑅𝐵, 𝑆𝐵 = 𝜙𝐵 𝑃𝐴 , 𝜙𝐵 𝑄𝐴
Key Exchange
40
17
48
0
41
24
66
40
17
48
0
41
24
66
Alice Bob
𝐸0: 𝑦2 = 𝑥3 + 𝑥 𝐸0: 𝑦
2 = 𝑥3 + 𝑥
𝜙𝐴: 𝐸0 → 𝐸𝐴
𝐸𝐴: 𝑦2 = 𝑥3 + 22𝑥 + 35
𝜙𝐵: 𝐸0 → 𝐸𝐵
𝐸𝐵: 𝑦2 = 𝑥3 +63𝑥 + (55𝑤 + 16)
𝐸0
𝐸𝐴 = 𝐸0/ 𝐴 𝐸𝐵 = 𝐸0/ 𝐵
𝑅𝐴, 𝑆𝐴 = 𝜙𝐴 𝑃𝐵 , 𝜙𝐴 𝑄𝐵 𝑅𝐵, 𝑆𝐵 = 𝜙𝐵 𝑃𝐴 , 𝜙𝐵 𝑄𝐴
Shared Secret Generation 𝐸0
𝐸𝐴 = 𝐸0/ 𝐴 𝐸𝐵 = 𝐸0/ 𝐵
𝑅𝐴, 𝑆𝐴 = 𝜙𝐴 𝑃𝐵 , 𝜙𝐴 𝑄𝐵 𝑅𝐵, 𝑆𝐵 = 𝜙𝐵 𝑃𝐴 , 𝜙𝐵 𝑄𝐴
40
17
48
0
41
24
66
40
17
48
0
41
24
66
Alice Bob
𝐸𝐵: 𝑦2 = 𝑥3 +63𝑥 + (55𝑤 + 16) 𝐸𝐴: 𝑦
2 = 𝑥3 + 22𝑥 + 35
Shared Secret Generation 𝐸0
𝐸𝐴 = 𝐸0/ 𝐴 𝐸𝐵 = 𝐸0/ 𝐵
𝑅𝐴, 𝑆𝐴 = 𝜙𝐴 𝑃𝐵 , 𝜙𝐴 𝑄𝐵 𝑅𝐵, 𝑆𝐵 = 𝜙𝐵 𝑃𝐴 , 𝜙𝐵 𝑄𝐴
40
17
48
0
41
24
66
40
17
48
0
41
24
66
Alice Bob
𝐸𝐵: 𝑦2 = 𝑥3 +63𝑥 + (55𝑤 + 16) 𝐸𝐴: 𝑦
2 = 𝑥3 + 22𝑥 + 35
𝜙𝐴𝐵:𝐸𝐵 → 𝐸𝐴𝐵 𝜙𝐵𝐴: 𝐸𝐴 → 𝐸𝐵𝐴
Shared Secret Generation 𝐸0
𝐸𝐴 = 𝐸0/ 𝐴 𝐸𝐵 = 𝐸0/ 𝐵
𝑅𝐴, 𝑆𝐴 = 𝜙𝐴 𝑃𝐵 , 𝜙𝐴 𝑄𝐵 𝑅𝐵, 𝑆𝐵 = 𝜙𝐵 𝑃𝐴 , 𝜙𝐵 𝑄𝐴
𝐸𝐴𝐵 = 𝐸𝐵/⟨𝐴′⟩ ≅ 𝐸𝐴/⟨𝐵
′⟩ = 𝐸𝐵𝐴
40
17
48
0
41
24
66
40
17
48
0
41
24
66
Alice Bob
𝐸𝐵: 𝑦2 = 𝑥3 +63𝑥 + (55𝑤 + 16) 𝐸𝐴: 𝑦
2 = 𝑥3 + 22𝑥 + 35
𝜙𝐴𝐵:𝐸𝐵 → 𝐸𝐴𝐵
𝐸𝐴𝐵: 𝑦2 = 𝑥3 + 21𝑤 + 14 𝑥 + (57𝑤 + 21)
𝜙𝐵𝐴: 𝐸𝐴 → 𝐸𝐵𝐴
𝐸𝐵𝐴: 𝑦2 = 𝑥3 + 21𝑤 + 14 𝑥 + (57𝑤 + 21)
Shared Secret Generation
40
17
48
0
41
24
66
40
17
48
0
41
24
66
Alice Bob
Shared Secret
𝐸0
𝐸𝐴 = 𝐸0/ 𝐴 𝐸𝐵 = 𝐸0/ 𝐵
𝑅𝐴, 𝑆𝐴 = 𝜙𝐴 𝑃𝐵 , 𝜙𝐴 𝑄𝐵 𝑅𝐵, 𝑆𝐵 = 𝜙𝐵 𝑃𝐴 , 𝜙𝐵 𝑄𝐴
𝐸𝐴𝐵 = 𝐸𝐵/⟨𝐴′⟩ ≅ 𝐸𝐴/⟨𝐵
′⟩ = 𝐸𝐵𝐴
22
SIKE Key sizes
NIST Level Prime size (bits)
Prime Public key size (bytes)
CompressedPK size (bytes)
1 434 22163137 − 1 330 196
2 503 22503159 − 1 378 224
3 610 23053192 − 1 462 273
5 751 23723239 − 1 564 331
SIDH Computations
𝐹𝑝 Arithmetic
𝐹𝑝2 Arithmetic
Group ops
Extendedgroup ops
PQCprotocols
Addition Mult. Inversion
Addition Mult. InversionSquaring
Point Addition Point Doubling
Double Point Multiplication
Isogeny Evaluation and Computation
SIDH/ SIKE
Large Degree Isogeny Comput
Comparisons
Public Key vs Ciphertext Size Speed vs Size
Post-quantum on Small Devices
• STM32F4DISCOVERY
• Recommended by NIST for PQC evaluation
• ARM Cortex-M4
• 32-bit, ARMv7E-M
• 192 KiB RAM, 168 MHZ
SIKE: Results for NIST level 1
0
200
400
600
800
1000
1200
1400
1600
1800
2000
Software Hardware
Mili
seco
nd
s
SIKE Total Running Time
ARM Cortex-M4 Artix-7 FPGA
~3K Slices only
ARM Cortex-A53 Artix-7 FPGA
Target: Resource-constrained IoTTarget: High Performance Edge
0
10
20
30
40
50
60
70
Software Hardware
Mili
seco
nd
s
SIKE Total Running Time
~10K Slices
Hybrid Key Exchange and Signatures
•Hybrid → combine multiple cryptosystems at once
• Classical PKC still in use
• Classical is Smaller/Faster/Efficient
• PQC still being studied: i.e. may be broken
• Multiple choices for different environments
•Goal: Leverage risk among multiple schemes
•Example:
• Hash shared secret from multiple cryptosystems to get private key for AES
BROKEN if ECDH is broken
BROKEN if ECDH, SIKE, AND Frodo are broken
The case for SIKE
• The post-quantum landscape is uncharted territory:• The smallest scheme is the slowest, and the fastest scheme is the largest.
• Compare with traditional cryptography, where the fastest scheme (ECC) is also the smallest.
• This situation introduces a new set of tradeoffs.• SIKE's advantages will become more pronounced over time.
• SIKE's disadvantages will become less pronounced over time.
The future of SIKE: Computational Costs
• Hardware gets faster over time.
• Software also gets faster over time.
• The above happens naturally, without effort or expenditure.
• An across-the-board performance increase reduces the performance penalty of SIKE (in absolute terms).
• We can also spend more money for faster hardware.
• Certain expenditures (e.g. hardware acceleration) provide good value per unit cost.
The future of SIKE: Communication Costs
• As hardware and software gets faster, attacks get faster.
• Faster attacks require larger keys to counteract.
• An across-the-board key size increase enlarges the communication cost benefits of SIKE (in absolute terms).
• Variance in communication channels is much higher than variance in cycle counts. SIKE already wins today on desktop browsers when including variance.
Thank you!Questions?
