slide-1
SLIDE 1

Getting Post-Quantum Crypto Algorithms Ready for Deployment

End of ECRYPT II Event: Crypto for 2020

Tim Güneysu, Hardware Security Group, Horst Görtz Institute for IT-Security, Bochum

1/24/2013

slide-2
SLIDE 2

Outline

  • Introduction
  • Alternative Public-Key Cryptosystems (APKC)
  • Practical Considerations of APKCs
  • Case Studies on Lattice-based Cryptography
  • Conclusions
slide-3
SLIDE 3

Public-Key Crypto – Situation Today

  • PKCs used in practice are in fact RSA and ECC
  • The underlying problems (factorization/dlog) are closely related
  • As learned from Tanja's talk yesterday, both are dead once quantum computing comes into play

slide-4
SLIDE 4

Public-Key Crypto – A Wishlist

  • Add some alternative PK cryptosystems to our basket
  • Security reductions based on known hard problems
  • No known polynomial-time attack algorithms (e.g., Shor) on quantum computers
  • Efficiency in implementations comparable to RSA and ECC

slide-5
SLIDE 5

Outline

  • Introduction
  • Alternative Public-Key Cryptosystems (APKC)
  • Practical Considerations of APKCs
  • Case Studies on Lattice-based Cryptography
  • Conclusions
slide-6
SLIDE 6

Alternative Public-Key Cryptography

  • Four main branches of post-quantum crypto:
    – Code-based
    – Hash-based
    – Multivariate-quadratic
    – Lattice-based
  • Can potentially provide PK encryption and/or signature schemes

slide-7
SLIDE 7

Alternative Public-Key Cryptography (APKC)

  • But: why haven't we seen any APKC in real-world systems yet?
    – Many constructions are too novel and hardly analyzed / not mature enough
    – The potential of possible attacks is not fully captured yet
    – No concrete instances/parameters given
    – Implementations of "secure" instances seem to be much too huge and/or slow
    – Skeptics still like to keep ECC/RSA or just don't believe in quantum computers

slide-8
SLIDE 8

Alternative Public-Key Cryptography (APKC)

  • How to get APKCs ready for deployment?
    – Pick APKCs for which sufficient confidence in their security and defined instances/parameters exist
    – Make sure their description is comprehensible for implementers
    – Evaluate the efficiency of APKC implementations, in particular on constrained embedded devices
    – Disseminate APKCs to crypto libraries and (international) standards

slide-9
SLIDE 9

Outline

  • Introduction
  • Alternative Public-Key Cryptosystems (APKC)
  • Practical Considerations of APKCs
    – Code-based Cryptography
    – Hash-based Cryptography
    – Multivariate-Quadratic-based Cryptography
    – Lattice-based Cryptography

  • Conclusions
slide-10
SLIDE 10

Disclaimer Slide

A Word of Warning…

  • The following overview of PQC systems does not claim to be complete.
  • It rather focuses on selected systems that are suitable to provide evidence on
    – activities within each PQC branch
    – good and (some) bad constructions
    – constructions that provide concrete instances or only "some" parameters
    – constructions that provide efficient instances
  • Some (important) parameters are also omitted from some slides
  • See http://pqcrypto.org for more works and definitions
slide-11
SLIDE 11

Code-based Cryptography – Basics

  • Hard problem(s): decoding a syndrome / a random linear code
  • Principle:
    – Hide the code's generator matrix G by multiplying it with a permutation matrix P and a scrambling matrix S (remark: the latter is not required in all cases) → public key G' = SGP
    – Add errors e during the cryptographic operation
    – Decoding is only efficiently possible if the structured generator matrix is known → secret key G (together with S and P, which the decrypter strips off before decoding)
  • The general concept of "decoding with errors" is also picked up by other constructions (e.g., in lattice-based crypto)
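To make the principle on this slide concrete, here is an added toy implementation (not code from the talk or from any McEliece library) of the McEliece construction over GF(2) using the [7,4,3] Hamming code, which corrects t = 1 error. The Hamming code, the RNG seed and the 4-bit messages are assumptions for illustration only: every [7,4,3] code is equivalent to it, so an attacker recovers an equivalent decoder from G' immediately, which is exactly the "structure enables attacks" caveat of the following slides. Real instances use binary Goppa codes, e.g. (n=2048, k=1751, t=27) as on slide 20.

```python
# Toy McEliece over GF(2) with the [7,4,3] Hamming code (t = 1 correctable error).
# Illustrates the slide: hide G as G' = S*G*P, add an error on encryption,
# strip P and S and decode on decryption. Insecure parameters, for reading only.
import random

def mat_mul(A, B):
    """Product of GF(2) matrices given as lists of 0/1 rows."""
    cols = list(zip(*B))
    return [[sum(x & y for x, y in zip(row, col)) & 1 for col in cols] for row in A]

def mat_inv(M):
    """Gauss-Jordan inverse over GF(2); raises ValueError if M is singular."""
    n = len(M)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for c in range(n):
        pivot = next((r for r in range(c, n) if aug[r][c]), None)
        if pivot is None:
            raise ValueError("singular matrix")
        aug[c], aug[pivot] = aug[pivot], aug[c]
        for r in range(n):
            if r != c and aug[r][c]:
                aug[r] = [x ^ y for x, y in zip(aug[r], aug[c])]
    return [row[n:] for row in aug]

def transpose(M):
    return [list(col) for col in zip(*M)]

# Systematic generator and parity-check matrix of the [7,4,3] Hamming code.
G_HAMMING = [[1, 0, 0, 0, 1, 1, 0],
             [0, 1, 0, 0, 1, 0, 1],
             [0, 0, 1, 0, 0, 1, 1],
             [0, 0, 0, 1, 1, 1, 1]]
H_HAMMING = [[1, 1, 0, 1, 1, 0, 0],
             [1, 0, 1, 1, 0, 1, 0],
             [0, 1, 1, 1, 0, 0, 1]]

def hamming_decode(word):
    """Syndrome decoding: corrects up to one flipped bit and returns the codeword."""
    syndrome = [row[0] for row in mat_mul(H_HAMMING, transpose([word]))]
    word = word[:]
    if any(syndrome):
        # a nonzero syndrome equals the column of H at the error position
        word[transpose(H_HAMMING).index(syndrome)] ^= 1
    return word

def mceliece_keygen(rng):
    k, n = len(G_HAMMING), len(G_HAMMING[0])
    while True:                                   # random invertible scrambler S
        S = [[rng.randrange(2) for _ in range(k)] for _ in range(k)]
        try:
            S_inv = mat_inv(S)
            break
        except ValueError:
            continue
    perm = list(range(n))
    rng.shuffle(perm)
    P = [[int(perm[i] == j) for j in range(n)] for i in range(n)]   # permutation matrix
    G_pub = mat_mul(mat_mul(S, G_HAMMING), P)     # public key G' = S*G*P
    return G_pub, (S_inv, transpose(P))           # secret: S^-1, P^-1 (= P^T) and the decoder

def mceliece_encrypt(rng, G_pub, msg_bits):
    c = mat_mul([msg_bits], G_pub)[0]
    c[rng.randrange(len(c))] ^= 1                 # add t = 1 random error
    return c

def mceliece_decrypt(sk, c):
    S_inv, P_inv = sk
    unpermuted = mat_mul([c], P_inv)[0]           # c*P^-1 = m*S*G + e*P^-1, still one error
    codeword = hamming_decode(unpermuted)         # decodable only with the secret code
    m_scrambled = codeword[:len(S_inv)]           # systematic G: first k bits equal m*S
    return mat_mul([m_scrambled], S_inv)[0]

def roundtrip_all_messages(seed):
    """True if every 4-bit message survives encrypt/decrypt under a fresh key."""
    rng = random.Random(seed)
    pk, sk = mceliece_keygen(rng)
    for m in range(16):
        bits = [(m >> (3 - i)) & 1 for i in range(4)]
        if mceliece_decrypt(sk, mceliece_encrypt(rng, pk, bits)) != bits:
            return False
    return True

if __name__ == "__main__":
    print("all 16 messages decrypt correctly:", roundtrip_all_messages(2013))
```

Encoding is one GF(2) matrix-vector product, as the later "Key Aspects" slide states; all the work sits in the decoder, which here is a trivial syndrome lookup but for Goppa codes becomes the Patterson or Berlekamp-Massey style algorithms that dominate decryption cost.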

slide-14
SLIDE 14

Code-based Encryption Schemes

Taxonomy of Code-based Encryption (figure):
  • McEliece [M78]
  • Niederreiter [N86]
  • Underlying code families: Generalized Reed-Solomon, Goppa, Reed-Muller, Concatenated, Srivastava, Elliptic, Turbo/LDPC/MDPC

Key sizes for ≈ 80-bit equivalent symmetric security, as attached to individual code families in the figure:
  • PK: 0.6 kB, SK: 180 B
  • PK: 63 kB, SK: 2.5 kB
  • PK: 2.5 kB, SK: 1.5 kB
slide-17
SLIDE 17

Code-based Signature Schemes

Taxonomy of Code-based Signatures (figure): Courtois, Finiasz, Sendrier (CFS) signatures
  • Original [CFS01]
  • Parallel CFS [F10]

Key sizes for ≈ 80-bit equivalent symmetric security: PK: 5 MB, SK: few kB, Sig: < 0.5 kB
slide-18
SLIDE 18

Key Aspects of Code-based Systems

  • Focus on encryption; signature schemes are less efficient
  • Selection of the underlying code is the most critical issue
    – Structure in codes reduces key sizes, but often also enables attacks
  • Encoding is a very fast operation on most platforms (matrix multiplication)
  • Decoding is typically a more complex process (fast decoders are available)
  • Reasonably small public and private keys for encryption
  • Additional computational effort for the constant-weight encoding algorithm in Niederreiter's scheme
  • Encryption schemes are quite mature (McEliece proposed in '78, Niederreiter in '86) → CCA2 conversions available

slide-19
SLIDE 19

Hints on Efficiency: McEliece vs. Niederreiter

  • McEliece (using binary Goppa codes, 80-bit equiv. security), existing implementations:
    – PC (HyMES '08): 140 cycles/bit enc., 2714 cycles/bit dec.
    – AVR µC [EGH09]: 7200 cycles/bit enc., 11300 cycles/bit dec.
    – FPGA [SWM+09]: 160 cycles/bit enc., 446 cycles/bit dec.
  • Niederreiter (using binary Goppa codes, 80-bit equiv. security), existing implementations:
    – PC (public domain): returns a segfault (?)
    – AVR µC [H11]: 267 cycles/bit enc., 30000 cycles/bit dec.
    – FPGA: see next slide

slide-20
SLIDE 20

Implementation Results

[Figure: FPGA results table with [enc]/[dec] columns for Niederreiter and McEliece; values not recoverable from the text]

  • Results on FPGAs for roughly 80 bit of equivalent symmetric security
  • Parameter set (n=2048, k=1751, t=27) using Goppa codes
slide-21
SLIDE 21

Outline

  • Introduction
  • Alternative Public-Key Cryptosystems (APKC)
  • Practical Considerations of APKCs

    – Code-based Cryptography
    – Hash-based Cryptography
    – Multivariate-Quadratic-based Cryptography
    – Lattice-based Cryptography

  • Conclusions
slide-22
SLIDE 22

Hash-based Cryptography – Basics

  • Hard problem: find (second) preimages of cryptographic hash functions
  • Build a one-time signature (OTS) scheme using a cryptographic hash function
  • A hash tree (Merkle tree) reduces many OTS public keys to a single root
slide-24
SLIDE 24

Hash-based Signature Schemes

Taxonomy of Hash-based Signatures (figure):
  • One-time signatures: LD-OTS [LD79], W-OTS [Mer89, DSS05, RED+08]
  • Merkle Signature Scheme MSS [Mer89]
  • CMSS [BCD+06], GMSS [BDK+07]
  • SPR-MSS [DOTV08]
  • XMSS [BDH11]

Key sizes for ≈ 80-bit equivalent symmetric security (≈ 1M signatures), as attached to individual schemes in the figure:
  • H=16: PK: 16 Byte, SK: 1.4 kB, Sig: 2.29 kB
  • H=20: PK: 46 Byte, SK: 1.86 kB, Sig: 7 kB
  • H=20: PK: 0.93 kB, SK: 152 Bit, Sig: 8.31 kB
  • H=20: PK: 0.91 kB, SK: 152 Bit, Sig: 2.39 kB
slide-25
SLIDE 25

Hash-based Encryption Schemes

Taxonomy of Hash-based Encryption: ∅ (no hash-based encryption schemes)

slide-26
SLIDE 26

Key Aspects of Hash-based Systems

  • Only signature schemes available, no encryption
  • Moderate requirements for implementations
    – Second-preimage-resistant hash function (older schemes: collision-resistant)
    – Pseudorandom functions for the OTS (XMSS)
  • Hard limit on the number of signatures per tree
    – Height of the tree determines the max. number of signatures (issue with DoS attacks for real-world systems)
    – Requires a track record of signatures already used (critical in untrusted environments!)
    – Increasing the tree height increases memory requirements and computational complexity
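The two mechanisms of slide 22 (an OTS built from a hash function, and a hash tree over many OTS public keys) together with the state-keeping caveat above, as an added illustration that is not code from the talk or from the cited MSS/XMSS papers: Lamport one-time signatures (LD-OTS) under a Merkle tree. SHA-256 as the hash, seed-derived one-time keys and the tree height are assumptions made here. Deriving all one-time keys from one seed is what makes the secret key tiny (cf. the 152-bit secret keys on slide 24); the price is that the signer must persist `next_idx`, because signing twice with the same leaf reveals both preimages for every bit position in which the two message digests differ.

```python
# Toy stateful hash-based signature: Lamport OTS leaves under a Merkle tree.
# Illustration only; real schemes (MSS/XMSS) use W-OTS to shrink signatures.
import hashlib

N_BITS = 256   # digest length of the assumed hash (SHA-256)

def h(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def lamport_keygen(seed, leaf):
    """Derive the 2*256 secret preimages of leaf `leaf` from the seed; pk = their hashes."""
    sk = [[h(seed, leaf.to_bytes(4, "big"), i.to_bytes(2, "big"), bytes([b]))
           for b in (0, 1)] for i in range(N_BITS)]
    pk = [[h(s) for s in pair] for pair in sk]
    return sk, pk

def _digest_bits(msg):
    d = int.from_bytes(h(msg), "big")
    return [(d >> (N_BITS - 1 - i)) & 1 for i in range(N_BITS)]

def lamport_sign(sk, msg):
    # reveal exactly one preimage per digest bit; a second message with the same
    # key reveals the other preimage wherever the digests differ
    return [sk[i][bit] for i, bit in enumerate(_digest_bits(msg))]

def lamport_verify(pk, msg, sig):
    return all(h(sig[i]) == pk[i][bit] for i, bit in enumerate(_digest_bits(msg)))

def leaf_hash(pk):
    return h(*[x for pair in pk for x in pair])

def build_tree(leaves):
    """levels[0] are the leaves, levels[-1] == [root]."""
    levels = [leaves]
    while len(levels[-1]) > 1:
        lvl = levels[-1]
        levels.append([h(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return levels

def auth_path(levels, idx):
    path = []
    for lvl in levels[:-1]:
        path.append(lvl[idx ^ 1])        # sibling on this level
        idx >>= 1
    return path

def root_from_path(leaf, idx, path):
    node = leaf
    for sibling in path:
        node = h(node, sibling) if idx % 2 == 0 else h(sibling, node)
        idx >>= 1
    return node

class MerkleSigner:
    """Signer state is the index of the next unused one-time key; it must be persisted."""
    def __init__(self, seed, height):
        self.seed, self.height, self.next_idx = seed, height, 0
        pks = [lamport_keygen(seed, i)[1] for i in range(2 ** height)]
        self.levels = build_tree([leaf_hash(pk) for pk in pks])
        self.public_key = self.levels[-1][0]   # a single root hash

    def remaining(self):
        return 2 ** self.height - self.next_idx

    def sign(self, msg):
        if self.remaining() == 0:
            raise RuntimeError("tree exhausted: every one-time key has been used")
        idx, self.next_idx = self.next_idx, self.next_idx + 1   # never reuse a leaf
        sk, pk = lamport_keygen(self.seed, idx)
        return idx, lamport_sign(sk, msg), pk, auth_path(self.levels, idx)

def merkle_verify(root, msg, sig):
    idx, ots_sig, ots_pk, path = sig
    if not lamport_verify(ots_pk, msg, ots_sig):
        return False
    return root_from_path(leaf_hash(ots_pk), idx, path) == root

def signature_size_bytes(sig):
    """4-byte index + 256 preimages + full OTS public key + authentication path."""
    idx, ots_sig, ots_pk, path = sig
    return 4 + sum(map(len, ots_sig)) + sum(len(x) for p in ots_pk for x in p) + sum(map(len, path))
```

Even with a 32-byte root as public key, a Lamport-based signature here is about 24 kB for a tree of height 3, which is why the taxonomy on slide 24 is built on W-OTS rather than LD-OTS.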

slide-27
SLIDE 27

Implementation Results

  • Lots of hash functions available, but not many implementations of hash-based crypto

Results for XMSS with H=20 [BDH11], presented at PQCrypto 2011. Platform: Intel Core i5 M540@2.53GHz; the figure marked with (*) uses AES-NI. [Results table not recoverable from the text]

slide-28
SLIDE 28

Outline

  • Introduction
  • Alternative Public-Key Cryptosystems (APKC)
  • Practical Considerations of APKCs

    – Code-based Cryptography
    – Hash-based Cryptography
    – Multivariate-Quadratic-based Cryptography
    – Lattice-based Cryptography

  • Case Studies on Lattice-based Cryptography
  • Conclusions
slide-29
SLIDE 29

Multivariate-quadratic Cryptography – Basics

  • Hard problem: find a solution to a system of multivariate quadratic (MQ) equations
  • Given MQ maps F and P and two linear maps S and T with P = T ∘ F ∘ S
  • P has no special structure and is large, therefore hard to invert
  • A special (secret) structure in F is necessary to allow easy inversion
  • This secret structure is hidden by the mappings S and T
slide-32
SLIDE 32

MQ-based Signature Schemes

Taxonomy of Multivariate-Quadratic Signatures (figure):
  • Oil and Vinegar: Original OV [Pat97], (C)UOV [KPG99, PTBW11], Rainbow
  • Hidden-Field Equations: HFE(F) [Pat96], HFE±, HFEv, HFEv- (Quartz)
  • Matsumoto-Imai A: MIA [IM85], C* [MI88], Flash/SFlash [PGC01]
  • Stepwise Triangular Systems (STS): (enhanced) TTS, Tractable Rational Maps

Key sizes for ≈ 80-bit equivalent symmetric security, as attached to individual schemes in the figure:
  • PK: 27.9 kB, SK: 19.6 kB, Sig: 256 Bit
  • PK: 3.9 kB, SK: 71 kB, Sig: 128 Bit
  • PK: 8.9 kB, SK: 75.3 kB, Sig: 624 Bit
  • PK: 49.6 kB, SK: 4.5 kB, Sig: 256 Bit
slide-33
SLIDE 33

MQ Encryption Schemes

Taxonomy of Multivariate-Quadratic Encryption: ∅ (no encryption schemes)

slide-34
SLIDE 34

Key Aspects of MQ-based Systems

  • Only signature schemes available, no encryption
  • Basic operations are efficient
    – Mainly linear operations over a finite field (e.g., Gaussian elimination)
    – Operations are simple to implement on any platform
  • Large public and private keys (the latter is certainly more critical)
    – Embedded microcontrollers/smart cards have < 16 KB internal Flash
    – High number of memory accesses required
    – Extra external (permanent) memory for keys required
slide-35
SLIDE 35

Implementation Results

  • Some implementations at an 80-bit level of equivalent security targeting an AVR microcontroller
  • Comparison with ECC/RSA on the same platform

[Figure: Sign/Verify results table; values not recoverable from the text]

slide-36
SLIDE 36

Outline

  • Introduction
  • Alternative Public-Key Cryptosystems (APKC)
  • Practical Considerations of APKCs

    – Code-based Cryptography
    – Hash-based Cryptography
    – Multivariate-Quadratic-based Cryptography
    – Lattice-based Cryptography

  • Conclusions
slide-37
SLIDE 37

Lattice-based Cryptography – Basics

  • Hard problem: Shortest/Closest Vector Problem (SVP/CVP), in the worst case
  • Lattice schemes were typically thought to be either
    – impractical but provably secure, or
    – practical but without proof (GGH/NTRU)
    – lately: ideal lattices can potentially combine both
  • More constructions feasible beyond classical PKC: hash functions, PRFs, identity-based encryption, homomorphic encryption

slide-40
SLIDE 40

Lattice-based Signature Schemes

Taxonomy of Lattice-based Signatures (figure):
  • NTRUSign/GGH: [GGH97], [HPS01], [HHGP+03]; cryptanalysis [GS02], [NR09]
  • Hash-and-sign: [GPV08], [MP12]
  • Fiat-Shamir [FS86]: [Lyu09], [Lyu12], [GLP12]

Note: most proposed signatures do not come with parameters. Key sizes for medium security (roughly 128-bit?), as attached to individual schemes in the figure:
  • PK: 44.1 kB
  • PK: 2 kB, SK: 2 kB, Sig: 6 kB
  • PK: 1.5 kB, SK: 0.2 kB, Sig: 1 kB
  • PK: 362 kB, SK: 831 kB, Sig: 2.3 kB
slide-44
SLIDE 44

Lattice-based Encryption Schemes

Taxonomy of Lattice-based Encryption (figure):
  • Standard lattices: LWE [Reg05], Micciancio-Regev [MR08], Lindner-Peikert [LP10]
  • Ideal lattices: NTRU [HPS98, HHHW09], (R)-LWE, NTRU variant [SS11]

Key sizes for medium security (roughly 128-bit?), as attached to individual schemes in the figure:
  • Standard: PK: 48 kB, Msg: 0.5 kB; Ideal: PK: 0.4 kB, Msg: 0.81 kB
  • Standard: PK: 732 kB, Msg: 0.3 kB
  • PK: 1.5 kB, SK: 1.8 kB, Msg: 1.5 kB
slide-45
SLIDE 45

Key Aspects of Lattice-based Systems

  • Encryption and signature systems are both feasible
  • Undesired message expansion for LWE encryption
  • Rare decryption error probability in LWE encryption
  • Random sampling not only from uniform but also from Gaussian distributions (not trivial)
  • Most underlying operations are efficient and parallelizable
    – (Ideal lattices) Make use of the FFT for polynomial multiplication
    – (Standard lattices) Matrix-vector arithmetic
  • Reasonably large public and private keys
    – True for encryption/signature constructions
    – Unclear for more complex services such as homomorphic encryption/IBE
slide-46
SLIDE 46

Outline

  • Introduction
  • Alternative Public-Key Cryptosystems (APKC)
  • Practical Considerations of APKCs
  • Case Studies on Lattice-based Cryptography
  • Conclusions
slide-47
SLIDE 47

Case Study #1: LWE-Encryption

  • CPA-secure public-key encryption scheme for standard and ideal lattices, introduced by Lindner and Peikert in 2010
  • GEN(a): choose r1, r2 ← ψ from a small Gaussian distribution and let p = r1 − a · r2. Public key p, secret key r2.
  • ENC(a, p, m): choose e1, e2, e3 ← ψ. Let m̄ = encode(m) in R_q. The ciphertext is c1 = a · e1 + e2, c2 = p · e1 + e3 + m̄.
  • DEC((c1, c2), r2): output decode(c1 · r2 + c2), since c1 · r2 + c2 = m̄ + (r1 · e1 + r2 · e2 + e3) and the error term is small.

Review of Operations:

  • Polynomial multiplication
  • Gaussian sampling
slide-48
SLIDE 48

Implementation Aspects and Results

  • One message bit is encoded using a threshold scheme into one coefficient (0 ⇒ 0, 1 ⇒ q/2) → (rare) probability of (yet unhandled) decryption errors
  • Performance results for LWE encryption [GFSHB12]
    – Intel/AMD Core 2 Duo@3.00 GHz: 195 ms keygen / 1.52 ms enc / 0.57 ms dec → reasonably fast (but uses only NTL)
    – Hardware (using very expensive FPGAs):
      Virtex-7 2000T: 320816 LUTs / 143396 registers / ~8 µs enc
      Virtex-7 2000T: 124265 LUTs / 65174 registers / ~8 µs dec → much too costly
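An added toy implementation (not the [GFSHB12] code) of the Lindner-Peikert scheme from slide 47 in the ring Z_q[x]/(x^n + 1), with the threshold encoding described on this slide. n = 256 and q = 4093 are taken from the Lindner-Peikert medium parameter set; the Gaussian width sigma, the rounded-continuous Gaussian sampler (a real implementation needs a proper discrete Gaussian sampler, cf. slide 45) and the schoolbook multiplication are simplifying assumptions made here. `bit_errors` exhibits the decryption-error behaviour: with a small sigma every bit decrypts, with a sigma so large that the accumulated noise exceeds q/4 the threshold decoder fails.

```python
# Toy Ring-LWE encryption after Lindner-Peikert, with threshold encoding of bits.
import random

N = 256      # degree of the ring Z_q[x]/(x^N + 1)
Q = 4093     # modulus (Lindner-Peikert medium parameter set)

def poly_mul(a, b, q=Q):
    """Schoolbook multiplication in Z_q[x]/(x^n + 1); x^n wraps around to -1."""
    n = len(a)
    res = [0] * n
    for i, ai in enumerate(a):
        if ai == 0:
            continue
        for j, bj in enumerate(b):
            if i + j < n:
                res[i + j] += ai * bj
            else:
                res[i + j - n] -= ai * bj
    return [c % q for c in res]

def poly_add(a, b, q=Q):
    return [(x + y) % q for x, y in zip(a, b)]

def poly_sub(a, b, q=Q):
    return [(x - y) % q for x, y in zip(a, b)]

def sample_gauss(rng, sigma, n=N, q=Q):
    """Rounded continuous Gaussian: a toy stand-in for a discrete Gaussian sampler."""
    return [round(rng.gauss(0, sigma)) % q for _ in range(n)]

def keygen(rng, a, sigma):
    r1, r2 = sample_gauss(rng, sigma), sample_gauss(rng, sigma)
    p = poly_sub(r1, poly_mul(a, r2))           # p = r1 - a*r2
    return p, r2                                # public key p, secret key r2

def encode(bits, q=Q):
    return [q // 2 if b else 0 for b in bits]   # 0 -> 0, 1 -> q/2

def decode(poly, q=Q):
    """Threshold decoder: coefficients nearer to q/2 than to 0 (mod q) become 1."""
    return [1 if q // 4 < c <= (3 * q) // 4 else 0 for c in poly]

def encrypt(rng, a, p, bits, sigma):
    e1, e2, e3 = (sample_gauss(rng, sigma) for _ in range(3))
    c1 = poly_add(poly_mul(a, e1), e2)                          # c1 = a*e1 + e2
    c2 = poly_add(poly_add(poly_mul(p, e1), e3), encode(bits))  # c2 = p*e1 + e3 + m
    return c1, c2

def decrypt(c1, c2, r2):
    # c1*r2 + c2 = m + (r1*e1 + r2*e2 + e3); decoding is correct as long as
    # every noise coefficient stays below q/4 in absolute value
    return decode(poly_add(poly_mul(c1, r2), c2))

def bit_errors(seed, sigma, n=N, q=Q):
    """Encrypt a random n-bit message and return the number of wrongly decrypted bits."""
    rng = random.Random(seed)
    a = [rng.randrange(q) for _ in range(n)]    # public uniform ring element a
    p, r2 = keygen(rng, a, sigma)
    bits = [rng.randrange(2) for _ in range(n)]
    c1, c2 = encrypt(rng, a, p, bits, sigma)
    return sum(x != y for x, y in zip(decrypt(c1, c2, r2), bits))

if __name__ == "__main__":
    print("bit errors with sigma=2.0:", bit_errors(2013, 2.0))
    print("bit errors with sigma=40.0 (noise swamps q/4):", bit_errors(2013, 40.0))
```

Each ciphertext carries two ring elements of n coefficients for n message bits, which is the message expansion noted on slide 45; the four schoolbook multiplications per round trip are what the FFT/NTT work on slide 52 is meant to replace.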

slide-49
SLIDE 49

Case Study #2: An Improved Signature Scheme on Ideal Lattices

  • Signature scheme by Lyubashevsky [Lyu12], provably secure in the random oracle model (ROM)
  • Efficiency improvement by a different hardness assumption: (decisional) Ring-LWE with "aggressive" parameters
  • Internal values s1, s2 only have −1/0/1 coefficients instead of using a Gaussian distribution (like in [LPR10]); for the other values uniform distributions are sufficient

slide-50
SLIDE 50

Signing and Verification [GLP12]

  • GEN
    1. Pick a from R = Z_p[x]/(x^n + 1) and s1, s2 from the subset R_1 (coefficients in {−1, 0, 1}). Compute t = a·s1 + s2
    2. Secret key sk = (s1, s2), public key pk = (a, t)
  • SIGN(m, sk)
    1. Pick y1, y2 uniformly from R_k (coefficients in [−k, k])
    2. c = H(Transform(r = a·y1 + y2), m)
    3. z1 = s1·c + y1, z2 = s2·c + y2
    4. If z1, z2 not in R_{k−32} goto 1
    5. z2' = Compress(a·y1 + y2 − z2, z2, p, k−32)
    6. Return σ = (z1, z2', c)
  • VER(σ = (z1, z2', c), pk = (a, t), m)
    1. If z1, z2' not in R_{k−32} reject
    2. If c = H(Transform(a·z1 + z2' − t·c), m) then accept, else reject

Review of Operations:

  • Polynomial multiplication in steps 2, 3 (sign) and 2 (verify)
  • Aggressive signature size reduction by
    – hashing of high-order bits (Transform/Compress)
    – the rejection step (only for signing)

slide-51
SLIDE 51

Implementation Results

Lattice-based Signature [GLP12]

  • Implementations on reconfigurable hardware
  • Parameters (p=8383489, n=512, k=214)
slide-52
SLIDE 52

Lattice-based Cryptography: Research Directions and Future Work

  • More cryptanalysis of lattice-based constructions
  • FFT/NTT techniques to accelerate polynomial multiplication in R = Z_q[x]/(x^n + 1) (required by many lattice-based schemes)
  • High-speed implementations targeting specific processor instruction sets (vector units, FFT/MAC instructions)
  • Efficient Gaussian sampling on constrained devices
  • Implementation and acceleration of high-level constructions like homomorphic encryption or IBE
  • CCA2-secure conversions for encryption schemes
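An added example (not code from the talk) for the FFT/NTT item above: multiplying in Z_q[x]/(x^n + 1) with a negacyclic number-theoretic transform in O(n log n) instead of schoolbook O(n²). It assumes n is a power of two and q a prime with 2n | q − 1, so that a primitive 2n-th root of unity ψ exists; q = 7681 for n = 256 and q = 17 for n = 4 are such choices made here for illustration. Twisting the inputs by ψ^i is what turns the cyclic convolution an NTT computes into the negacyclic one that x^n = −1 requires.

```python
# Negacyclic NTT multiplication in Z_q[x]/(x^n + 1).
# Requires n a power of two and q prime with 2n | (q - 1).

def find_psi(n, q):
    """Smallest x with x^n = -1 (mod q); for n a power of two x then has order exactly 2n."""
    for x in range(2, q):
        if pow(x, n, q) == q - 1:
            return x
    raise ValueError("no primitive 2n-th root of unity: need 2n | q - 1")

def ntt(a, omega, q):
    """Recursive radix-2 Cooley-Tukey transform: A[k] = sum_i a[i] * omega^(i*k) mod q."""
    n = len(a)
    if n == 1:
        return a[:]
    omega_sq = omega * omega % q
    even, odd = ntt(a[0::2], omega_sq, q), ntt(a[1::2], omega_sq, q)
    out, w = [0] * n, 1
    for k in range(n // 2):
        t = w * odd[k] % q
        out[k] = (even[k] + t) % q
        out[k + n // 2] = (even[k] - t) % q    # omega^(n/2) == -1
        w = w * omega % q
    return out

def inv_mod(x, q):
    """Modular inverse by Fermat's little theorem (q prime)."""
    return pow(x, q - 2, q)

def negacyclic_mul(a, b, q):
    """a * b mod (x^n + 1, q) via the psi-twisted NTT."""
    n = len(a)
    psi = find_psi(n, q)
    omega = psi * psi % q                         # primitive n-th root of unity
    # a_i -> a_i * psi^i: the cyclic convolution of the twisted inputs equals
    # psi^k times the k-th coefficient of the negacyclic product
    twist = [pow(psi, i, q) for i in range(n)]
    A = ntt([x * t % q for x, t in zip(a, twist)], omega, q)
    B = ntt([x * t % q for x, t in zip(b, twist)], omega, q)
    C = ntt([x * y % q for x, y in zip(A, B)], inv_mod(omega, q), q)   # inverse NTT (unscaled)
    n_inv = inv_mod(n, q)
    return [c * n_inv % q * inv_mod(t, q) % q for c, t in zip(C, twist)]

if __name__ == "__main__":
    # (1 + x^3) * x = x + x^4 = x - 1 in Z_17[x]/(x^4 + 1)  ->  [16, 1, 0, 0]
    print(negacyclic_mul([1, 0, 0, 1], [0, 1, 0, 0], 17))
```

In a real implementation the roots ψ^i and the bit-reversal order are precomputed, the transform is written iteratively, and public elements such as `a` on slide 50 are kept permanently in the NTT domain so that each signature costs only pointwise products and a single inverse transform.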
slide-53
SLIDE 53

Outline

  • Introduction
  • Alternative Public-Key Cryptosystems (APKC)
  • Practical Considerations of APKCs
  • Case Studies on Lattice-based Cryptography
  • Conclusions
slide-54
SLIDE 54

Conclusions

  • Looking back at the four branches of PQC…
    – Code-based encryption schemes are the most mature and practical APKCs today
    – But lattice-based cryptography looks very promising
  • For deployment in real-world systems, we
    – need many more (solid) implementations for efficiency evaluation
    – need to investigate physical security aspects of PQC
    – need to standardize parameters and instances

slide-55
SLIDE 55

Questions?