Post Quantum Cryptography - Emerging Frontiers (SlideShare deck by Gokul Alex)

QUANTUM CRYPTOGRAPHY
Lattices, error correcting codes, hash functions, etc.

PROBLEM STATEMENT
Most popular public key algorithms can be efficiently broken by sufficiently strong hypothetical quantum computers.

REASONS
Most of them relied on three hard mathematical problems. They are:
• Integer factorisation problem
• Discrete logarithm problem
• Elliptic curve discrete logarithm problem
IMPACT
NIST has recently summarised the impact of quantum computing on common cryptographic algorithms.

BROKEN AND IMPACTED ALGORITHMS
• AES-256
  – Encryption
  – Large key sizes needed
• SHA-256, SHA-3
  – Large output needed
• RSA
  – No longer secure
• ECDSA, ECDH
  – No longer secure
• DSA
  – No longer secure
BROKEN AND IMPACTED ALGORITHMS
The emergence of quantum computers would break all asymmetric public-key cryptography and signature algorithms used today, the type of cryptography that protects communications over the internet.

The effective size of symmetric keys is also halved, meaning the strength of 256-bit keys would be equivalent to 128-bit keys. This is the type of cryptography used for full disk encryption, where data is encrypted with a passphrase.

All current generation symmetric cryptographic authenticated modes such as CBC-MAC, PMAC, GMAC, GCM, and OCB are completely broken.
AT THIS JUNCTURE
Post quantum cryptography becomes a significant security priority!

NIST COMPETITION
82 submissions: 23 signature and 59 encryption schemes.

EMERGING TECHNIQUES
• Lattices with LWE
• Error correcting codes
• Hash functions
• Multivariate equations
• Supersingular elliptic curve isogenies

LATTICE CRYPTOGRAPHY - NTRU, BLISS
Related to the closest vector problem in a lattice.

LATTICE CRYPTOGRAPHY - RING LWE SIGNATURE
The shortest vector problem in a lattice serves as a lower bound on the security.
MULTIVARIATE CRYPTOGRAPHY - RAINBOW
The Rainbow Multivariate Equation Signature Scheme is a member of a class of multivariate quadratic equation cryptosystems called "Unbalanced Oil and Vinegar Cryptosystems".

HASH CRYPTOGRAPHY - MERKLE SIGNATURE SCHEMES
In 2005, Luis Garcia proved that there was a security reduction of Merkle Hash Tree signatures to the security of the underlying hash function. Garcia showed in his paper that if computationally one-way hash functions exist, then the Merkle Hash Tree signature is provably secure.

CODE BASED CRYPTOGRAPHY - RLCE
In 2016, Wang proposed a random linear code encryption scheme, RLCE [32], which is based on McEliece schemes. The RLCE scheme can be constructed using any linear code, such as a Reed-Solomon code, by inserting random columns into the generator matrix of the underlying linear code.

SUPERSINGULAR ELLIPTIC CURVE ISOGENY CRYPTOGRAPHY
Security is related to the problem of constructing an isogeny between two supersingular curves with the same number of points. The most recent investigation of the difficulty of this problem, by Delfs and Galbraith, indicates that this problem is as hard as the inventors of the key exchange suggest.

EUROPEAN COMMISSION RECOMMENDATIONS
Reference: Whonix
SYMMETRIC ENCRYPTION
• Symmetric systems are usually not affected by Shor's algorithm, but they are affected by Grover's algorithm
• Under Grover's attack, the best security a key of length n can offer is 2^(n/2)
• Hence, AES-128 offers only 2^64 post-quantum security
• Recommended:
  – AES-256
  – Salsa20
  – Serpent-256
SYMMETRIC AUTHENTICATION
Some message-authentication codes provide "information-theoretic security", guaranteeing that they are as secure as the underlying cipher (within a negligible, mathematically guaranteed forgery probability), even against an adversary with unlimited computing power. These authentication mechanisms are not affected by quantum computing.
• Poly1305
• GCM using a 96-bit nonce and a 128-bit authenticator
PUBLIC KEY ENCRYPTION
For public-key encryption, the currently used algorithms based on RSA and ECC are easily broken by quantum computers. Code-based cryptography has been studied since 1978 and has withstood attacks very well, including attacks using quantum computers.
• McEliece with binary Goppa codes using length n = 6960, dimension k = 5413 and adding t = 119 errors.
• The Stehlé–Steinfeld version of the NTRU lattice-based cryptosystem.
PUBLIC KEY SIGNATURES
Similar to encryption, currently used signatures are based on problems that become easy to solve with a quantum computer. Signatures use cryptographic hash functions in order to hash the message and then sign the hash. The following schemes can achieve 2^128 post-quantum security:
• XMSS, which is stateful
• SPHINCS, which is stateless
• HFEv multivariate quadratic signature
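As an added example, not from the slides, here is a toy Merkle hash-tree signature scheme in Python with Lamport one-time keys at the leaves. It illustrates the Merkle signature slide (security rests only on a one-way hash, here SHA-256) and why tree schemes in the XMSS family are stateful: every leaf key must be used exactly once. All names, the tree height and the message bits are constructed for this demonstration; it is not the XMSS or SPHINCS specification.

```python
import hashlib
import os

# Toy Merkle signature scheme (Lamport one-time signatures at the leaves).
# Constructed example for this page; not the XMSS or SPHINCS specification.

N = 256  # bits per Lamport key: we sign the SHA-256 digest of the message


def H(*parts: bytes) -> bytes:
    """SHA-256 over the concatenation of its arguments."""
    return hashlib.sha256(b"".join(parts)).digest()


def lamport_keygen(rng=os.urandom):
    """One-time key: 256 pairs of secret preimages; public key = their hashes."""
    sk = [(rng(32), rng(32)) for _ in range(N)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def lamport_pk_bytes(pk) -> bytes:
    return b"".join(a + b for a, b in pk)


def _bits(msg: bytes):
    d = int.from_bytes(H(msg), "big")
    return [(d >> (N - 1 - i)) & 1 for i in range(N)]


def lamport_sign(sk, msg: bytes):
    """Reveal, for each digest bit, the preimage selected by that bit."""
    return [sk[i][b] for i, b in enumerate(_bits(msg))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    return all(H(sig[i]) == pk[i][b] for i, b in enumerate(_bits(msg)))


class MerkleSigner:
    """2**height one-time keys, authenticated by a single Merkle root."""

    def __init__(self, height: int):
        self.keys = [lamport_keygen() for _ in range(2 ** height)]
        leaves = [H(lamport_pk_bytes(pk)) for _, pk in self.keys]
        self.levels = [leaves]
        while len(self.levels[-1]) > 1:
            lvl = self.levels[-1]
            self.levels.append([H(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
        self.root = self.levels[-1][0]          # the long-term public key
        self.next_leaf = 0                      # state: next unused OTS key

    def sign(self, msg: bytes):
        # Stateful by necessity: a Lamport key that signs two different
        # digests reveals extra preimages, so each leaf is used exactly once.
        if self.next_leaf >= len(self.keys):
            raise RuntimeError("all one-time keys used; key pair is exhausted")
        idx = self.next_leaf
        self.next_leaf += 1
        sk, pk = self.keys[idx]
        auth, node = [], idx
        for lvl in self.levels[:-1]:            # sibling hash on each level
            auth.append(lvl[node ^ 1])
            node //= 2
        return idx, lamport_sign(sk, msg), pk, auth


def merkle_verify(root: bytes, msg: bytes, signature) -> bool:
    """Check the OTS, then recompute the root from the leaf and its auth path."""
    idx, ots_sig, pk, auth = signature
    if not lamport_verify(pk, msg, ots_sig):
        return False
    node = H(lamport_pk_bytes(pk))
    for sibling in auth:
        node = H(node, sibling) if idx % 2 == 0 else H(sibling, node)
        idx //= 2
    return node == root


if __name__ == "__main__":
    signer = MerkleSigner(height=2)             # four one-time keys
    msg = b"quantum-safe message"              # constructed sample input
    sig = signer.sign(msg)
    print("valid:", merkle_verify(signer.root, msg, sig))
    print("tampered:", merkle_verify(signer.root, msg + b"!", sig))
```

The verifier needs only the 32-byte root; the signature carries the one-time public key and its authentication path, which is why hash-based signatures are large but rest on no assumption beyond the hash being one-way.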
FREE SOFTWARE IMPLEMENTATIONS
Post quantum cryptography toolkits

LIBRARIES AND TOOLS
• CodeCrypt
• Cyph
• OneTime
• TinySSH

IMPLEMENTATION INITIATIVES
PQCrypto VPN project

PICNIC
A signature scheme using symmetric key primitives and non-interactive zero knowledge proofs. Microsoft Research is implementing Picnic in a PKI using hardware security modules.
OPEN QUANTUM SAFE PROJECT
The Open Quantum Safe[53][54] (OQS) project was started in late 2016 and has the goal of developing and prototyping quantum-resistant cryptography. It aims to integrate current post-quantum schemes in one library: liboqs.[55]

liboqs is an open source C library for quantum-resistant cryptographic algorithms. liboqs initially focuses on key exchange algorithms. It provides a common API suitable for post-quantum key exchange algorithms and will collect together various implementations. liboqs will also include a test harness and benchmarking routines to compare the performance of post-quantum implementations. Furthermore, OQS also provides integration of liboqs into OpenSSL.
ZERO KNOWLEDGE PROOFS
An introduction

HISTORY
• Goldwasser, Micali, and Rackoff, 1985.
• A ZKP is an instance of an Interactive Proof System
• Interactive Proof Systems
  – Challenge-response authentication
  – Prover and verifier
  – Verifier accepts or rejects the prover

RELEVANCE
• Zero knowledge transfer between the prover and the verifier
• The verifier accepts or rejects the proof after multiple challenges and responses
• Probabilistic proof protocol
• Overcomes problems with password based authentication

TYPES
• ZK proof of a statement
  – convincing the verifier that a statement is true without yielding any other information
  – example of a statement: a propositional formula is satisfiable
• ZK proof of knowledge
  – convincing the verifier that one knows a secret, e.g., one knows the discrete logarithm log_g(y)

PROPERTIES
• Completeness
  – Given an honest prover and an honest verifier, the protocol succeeds with overwhelming probability
• Soundness
  – No one who doesn't know the secret can convince the verifier with non-negligible probability
• Zero knowledge
  – The proof does not leak any additional information
  – Impossibility of transferring proofs

FORMALISING THE PROPERTY
• A protocol is ZK if a simulator exists
  – Taking only what the verifier knows before the proof, it can generate a communication transcript that is indistinguishable from one generated during a real ZK proof
• Intuition: one observes the communication transcript. If what one sees could have been generated by oneself, one has not learned any new knowledge in the process.
• Three kinds of indistinguishability
  – Perfect (information theoretic)
  – Statistical
  – Computational
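An added example, not from the slides: Schnorr's interactive proof of knowledge of a discrete logarithm log_g(y), the very statement named on the TYPES slide. It exercises each property above: an honest prover for completeness, a challenge-guessing cheater for soundness, the simulator that formalises zero knowledge (it produces accepting transcripts from y alone), and the two-transcript extractor behind special soundness. The group parameters P, Q, G are a constructed toy group, far too small for real use.

```python
import secrets

# Schnorr's interactive zero-knowledge proof of knowledge of a discrete log.
# Constructed example for this page. Toy group: G has prime order Q in Z_P^*
# with P = 2Q + 1; real deployments use a 256-bit (or larger) Q.
P, Q, G = 23, 11, 4


class Prover:
    """Knows x with y = G^x mod P and proves it without revealing x."""

    def __init__(self, x: int):
        self.x = x % Q
        self.y = pow(G, self.x, P)

    def commit(self) -> int:
        self.r = secrets.randbelow(Q)              # fresh per run; reuse leaks x
        return pow(G, self.r, P)

    def respond(self, c: int) -> int:
        return (self.r + c * self.x) % Q


class CheatingProver:
    """Has only y. Guesses the challenge and builds a commitment that only
    verifies if the guess was right: success probability 1/Q per round."""

    def __init__(self, y: int):
        self.y = y

    def commit(self) -> int:
        self.guess, self.s = secrets.randbelow(Q), secrets.randbelow(Q)
        return (pow(G, self.s, P) * pow(self.y, -self.guess, P)) % P

    def respond(self, c: int) -> int:
        return self.s


def verify(y: int, t: int, c: int, s: int) -> bool:
    """Verifier's check: accept iff G^s == t * y^c (mod P)."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def run_protocol(prover, rounds: int = 40) -> bool:
    """Completeness: an honest prover passes every round. Soundness: a cheater
    passes a round with probability 1/Q, so the verifier repeats."""
    for _ in range(rounds):
        t = prover.commit()
        c = secrets.randbelow(Q)                   # verifier's random challenge
        s = prover.respond(c)
        if not verify(prover.y, t, c, s):
            return False
    return True


def simulate_transcript(y: int):
    """Zero knowledge: the simulator has only y, yet outputs an accepting
    (t, c, s) with the same distribution as a real run, by fixing c and s
    first and solving for t. Watching real transcripts teaches nothing more."""
    c, s = secrets.randbelow(Q), secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, -c, P)) % P         # negative exponent: Python 3.8+
    return t, c, s


def extract_witness(c1: int, s1: int, c2: int, s2: int) -> int:
    """Special soundness: two accepting transcripts with the same commitment
    and c1 != c2 give x = (s1 - s2) / (c1 - c2) mod Q, which is also why the
    prover must never reuse r."""
    return ((s1 - s2) * pow(c1 - c2, -1, Q)) % Q


if __name__ == "__main__":
    alice = Prover(7)
    print("honest prover accepted:", run_protocol(alice))
    print("cheater accepted:", run_protocol(CheatingProver(alice.y)))
    t, c, s = simulate_transcript(alice.y)
    print("simulated transcript verifies:", verify(alice.y, t, c, s))
```

With Q = 11 the cheater's odds of surviving one round are 1 in 11, which is exactly why the slides describe the verifier deciding "after multiple challenges and responses".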
NEXT STEPS
Quantum interactive proofs
