Some Notes on Post-Quantum Cryptography

Some Notes on Post-Quantum Cryptography

J. Maurice Rojas

Texas A&M University

March 27, 2014

Historical Context...

Flight

≤150≤150≤150 B.C.E.:

Reference toSyena=Garuda=a Bird-likeHindu divinityin India

J. Maurice Rojas Notes on Post-Quantum


Flight

≤150≤150≤150 B.C.E.: ...Garuda in India

≤100≤100≤100 B.C.E.: Greek legend of Icarus



Flight

≤150≤150≤150 B.C.E.:

...Garuda in India

≤100≤100≤100 B.C.E.:

Greek legend ofIcarus

559559559: Manned kiteglide off a tower inChina



Flight

≤150≤150≤150 B.C.E.:

...Garuda in India

≤100≤100≤100 B.C.E.:

Greek legend ofIcarus

559559559: Manned kiteglide off a tower inChina

March 10, 1912:

First bombingmission, duringItalo-Turkish War



Flight

≤150≤150≤150 B.C.E.:

...Garuda in India

≤100≤100≤100 B.C.E.:

Greek legend ofIcarus...

187418741874: Felix duTemple makesshort flight insteam-poweredaluminummonoplane inFrance



Flight

≤150≤150≤150 B.C.E.:

...Garuda in India

≤100≤100≤100 B.C.E.:


187418741874: Felix duTemple makesshort flight insteam-poweredaluminummonoplane inFrance

1914-1918:

WWI



Flight

≤150≤150≤150 B.C.E.:

...Garuda in India

≤100≤100≤100 B.C.E.:


187418741874: Felix duTemple makesshort flight...

1914-1918:

WWI

1920: NationalAir Mail begins



Flight

≤150≤150≤150 B.C.E.:

...Garuda in India

≤100≤100≤100 B.C.E.:



1914-1918:

WWI


Nuclear Energy

1789: Martin Klaprothdiscovers uranium



Flight

≤150≤150≤150 B.C.E.:

...Garuda in India

≤100≤100≤100 B.C.E.:



1914-1918:

WWI


Nuclear Energy


1905: Einstein’s paperputting forthmass=energy



Flight

≤150≤150≤150 B.C.E.:

...Garuda in India

≤100≤100≤100 B.C.E.:



1914-1918:

WWI


Nuclear Energy



1939: Otto Frischconfirms energy releasefrom fission



Flight

≤150≤150≤150 B.C.E.:

...Garuda in India

≤100≤100≤100 B.C.E.:



1914-1918:

WWI


Nuclear Energy




July 16, 1945: Firstfission explosion



Flight

≤150≤150≤150 B.C.E.:

...Garuda in India

≤100≤100≤100 B.C.E.:



1914-1918:

WWI


Nuclear Energy




July 16, 1945: Firstfission explosion

December 1951: Firstnuclear reactor, byArgonne National Labs,in Idaho


On to Crypto...



Flight

≤150≤150≤150 B.C.E.:

Garuda...

≤100≤100≤100 B.C.E.:

Icarus...

187418741874: duTemple’sflight...

1914-1918:

WWI

1920: AirMail begins

Nuclear Energy

1789:

uranium

1905:

Einstein’spaper...

1939: Frischconfirmsfission...

1945: Fissionexplosion

1951: Firstreactor

Cryptology

≤ 1500≤ 1500≤ 1500B.C.E.:

Encryptedrecipe on claytablets inMesopotamia



Flight

≤150≤150≤150 B.C.E.:

Garuda...

≤100≤100≤100 B.C.E.:

Icarus...


1914-1918:

WWI


Nuclear Energy

1789:

uranium

1905:




1951: Firstreactor

Cryptology

≤ 1500≤ 1500≤ 1500B.C.E.:


≤ 1865≤ 1865≤ 1865:Ciphers in USCivil War



Flight

≤150≤150≤150 B.C.E.:

Garuda...

≤100≤100≤100 B.C.E.:

Icarus...


1914-1918:

WWI


Nuclear Energy

1789:

uranium

1905:




1951: Firstreactor

Cryptology

≤ 1500≤ 1500≤ 1500B.C.E.:



1920− 19451920− 19451920− 1945:Enigmainvented byGermans thenused in WWII



Flight

≤150≤150≤150 B.C.E.:

Garuda...

≤100≤100≤100 B.C.E.:

Icarus...


1914-1918:

WWI


Nuclear Energy

1789:

uranium

1905:




1951: Firstreactor

Cryptology

≤ 1500≤ 1500≤ 1500B.C.E.:

Mesopotamia...


1920− 19451920− 19451920− 1945:Enigmainvented byGermans thenused in WWII

197619761976 & 197819781978:DH and RSAinvented



Flight

≤150≤150≤150 B.C.E.:

Garuda...

≤100≤100≤100 B.C.E.:

Icarus...


1914–1918:

WWI


Nuclear Energy

1789:

uranium

1905:




1951: Firstreactor

Cryptology

...≤ 1945≤ 1945≤ 1945...

≤ 1973≤ 1973≤ 1973–’747474: RSAand DH actually

invented at GCHQ!



Flight

≤150≤150≤150 B.C.E.:

Garuda...

≤100≤100≤100 B.C.E.:

Icarus...


1914–1918:

WWI


Nuclear Energy

1789:

uranium

1905:




1951: Firstreactor

Cryptology

...≤ 1945≤ 1945≤ 1945...


invented at GCHQ!

199419941994: Peter Shorfinds quantumalgorithm that, intheory, easilybreaks DH andRSA.



Flight

≤150≤150≤150 B.C.E.:

Garuda...

≤100≤100≤100 B.C.E.:

Icarus...


1914–1918:

WWI


Nuclear Energy

1789:

uranium

1905:




1951: Firstreactor

Cryptology

...≤ 1945≤ 1945≤ 1945...


invented at GCHQ!

199419941994: Peter Shorfinds quantumalgorithm that, intheory, easilybreaks DH andRSA.

199819981998: GCHQ:“Yeah, we didinvent RSA andDH...”


What are DH and RSA? Who Cares?

1 DH and RSA are methods for sharing encryption keys, nowused in routers and internet servers everywhere...




2 DH is based on the Discrete Log Problem: Given a, g, p∈N,find x∈{0, . . . , p− 1} with gx=a mod p.





3 RSA is based on the “hardness” of Integer Factoring:





3 RSA is based on the “hardness” of Integer Factoring: Giventhat n is a product of two distinct primes, find the primes!






4 As far as we know (on the outside), there are no practicalquantum computers... Unless you count D-Wave’s128-“qubit” computer which costs $10M...






4 As far as we know (on the outside), there are no practicalquantum computers... Unless you count D-Wave’s128-“qubit” computer which costs $10M...

5 So what?


Why Cares if Quantum Computing Comes?

As we’ve already seen from the 25 year lag of “inside” discoverydisclosure (and the some recent controversial leaks), “inside”completion of a quantum computer is likely to remain hidden,be it by NSA



As we’ve already seen from the 25 year lag of “inside” discoverydisclosure (and the some recent controversial leaks), “inside”completion of a quantum computer is likely to remain hidden,be it by NSA or Google



As we’ve already seen from the 25 year lag of “inside” discoverydisclosure (and the some recent controversial leaks), “inside”completion of a quantum computer is likely to remain hidden,be it by NSA or Google or IBM



As we’ve already seen from the 25 year lag of “inside” discoverydisclosure (and the some recent controversial leaks), “inside”completion of a quantum computer is likely to remain hidden,be it by NSA or Google or IBM or Siemens



As we’ve already seen from the 25 year lag of “inside” discoverydisclosure (and the some recent controversial leaks), “inside”completion of a quantum computer is likely to remain hidden,be it by NSA or Google or IBM or Siemens or Sony



As we’ve already seen from the 25 year lag of “inside” discoverydisclosure (and the some recent controversial leaks), “inside”completion of a quantum computer is likely to remain hidden,be it by NSA or Google or IBM or Siemens or Sony or Dubai...




“OK, so I’ll stop using public-key crypto now...”





Not so fast...





Not so fast... What about archival data?





Not so fast... What about archival data? e.g., medical records





Not so fast... What about archival data? e.g., medical records,contracts, etc...





Not so fast... What about archival data? e.g., medical records,contracts, etc...

Experts say we could have an honest, working quantumcomputer within 15 years...


Complexity Theory vs. Practical Complexity

Definition

We say two functions f, g : N −→ R satisfy f=O(g) ⇐⇒ thereare constants C,M>0 with |f(x)|≤Mg(x) for all x≥C. ⋄



Definition


Examples



Definition


Examples

• Inverting an n× n matrix takes O(n3) arithmetic operations(or O(n2.3727) if you’re really clever).



Definition


Examples


• Factoring an N -digit integer takes 2O(N1/3(lgN)2/3) seconds onour best (classical) computers.



Definition


Examples



But what about N=200, say?



Definition


Examples



But what about N=200, say? Or N=500?



Definition

We say two functions f, g : N −→ R satisfy f=o(g) ⇐⇒limx→+∞

f(x)g(x) =0. ⋄



Definition


f(x)g(x) =0. ⋄

Examples



Definition


f(x)g(x) =0. ⋄

Examples

• Shor’s Algorithm can factor N -digit RSA integers withinN2+o(1) seconds, on a quantum computer with N1+o(1)

qubits.



Definition


f(x)g(x) =0. ⋄

Examples


qubits.

• A 1978 cryptosystem of McEliece



Definition


f(x)g(x) =0. ⋄

Examples


qubits.

• A 1978 cryptosystem of McEliece (quantum-resistant so far!)



Definition


f(x)g(x) =0. ⋄

Examples


qubits.

• A 1978 cryptosystem of McEliece (quantum-resistant so far!)needs a key-size of b2+o(1) to force breakage to take ≥2b

seconds.



Definition


f(x)g(x) =0. ⋄

Examples


qubits.


seconds.

• RSA needs a key-size of 0.016...b3/(lg b)2 to force breakage totake ≥2b seconds (on a classical computer).



Definition


f(x)g(x) =0. ⋄

Examples


qubits.


seconds.

• RSA needs a key-size of 0.016...b3/(lg b)2 to force breakage totake ≥2b seconds (on a classical computer).

But the devil is in the constants!: real-world security needsaround b=128 =⇒ thousands of bits for RSA but millions ofbits for McEliece [Bernstein, 2009]!


Moral: Deep Understanding Needed!

• If we are to maintain our comfortable lives (with reasonableprivacy), we need to get work now on improving alternativecryptosystems!



• If we are to maintain our comfortable lives (with reasonableprivacy), we need to get work now on improving alternativecryptosystems!• A particularly promising vein of quantum-resistantcryptosystems come from lattice vector problems: thesecryptosystems are closely related to NP-hard problems thathave good average-case behavior: average instances are provablyalmost as hard as worst-case instances.



• If we are to maintain our comfortable lives (with reasonableprivacy), we need to get work now on improving alternativecryptosystems!• A particularly promising vein of quantum-resistantcryptosystems come from lattice vector problems: thesecryptosystems are closely related to NP-hard problems thathave good average-case behavior: average instances are provablyalmost as hard as worst-case instances.Example: The Closest Vector Problem (CVP) is: Given

vectors v1, . . . , vN ∈Zn and a target vector t∈Qn, find theclosest integer linear combination α1v1 + · · ·+ αnvn to t.



• If we are to maintain our comfortable lives (with reasonableprivacy), we need to get work now on improving alternativecryptosystems!• A particularly promising vein of quantum-resistantcryptosystems come from lattice vector problems: thesecryptosystems are closely related to NP-hard problems thathave good average-case behavior: average instances are provablyalmost as hard as worst-case instances.Example: The Closest Vector Problem (CVP) is: Given

vectors v1, . . . , vN ∈Zn and a target vector t∈Qn, find theclosest integer linear combination α1v1 + · · ·+ αnvn to t.

• Solving CVP, even within a factor of√n, in time polynomial

in n would imply P=NP, i.e., you would simultaneously solvenumerous other important problems in polynomial-time (andwin $1M)!


♥♥♥ Thank you for your attention.

See:• Bernstein, Buchmann, Dahmen’s 2009 Springer book onPost-Quantum Cryptography

• Web-sites of Dan Bernstein and Tanja Lange• Blog of Scott Aaronson• Math 470• Math 415• Math 427...

...and www.math.tamu.edu/~rojas for further info onalgorithmic algebraic geometry.


Some Notes on Post-Quantum Cryptography

Documents

Transcript of Some Notes on Post-Quantum Cryptography