Post-Quantum Secure Cryptographic Algorithms
Dipl. Math. Xenia Bogomolec, X4pi GmbH; Dr. Jochen Gerhard, BearingPoint Software Solutions GmbH
Introduction
The expected dawn of a new technological era certainly began when IBM offered their first commercially available 20-qubit quantum computers in November 2017. While it was still debated during the last year whether the IT industry needed to take quantum technology into account at all, the estimates of how their capabilities will evolve have become much more specific now. Fortunately, researchers have specialized in examining the various resulting challenges and questions since the beginning of this century. A series of conferences on post-quantum cryptography, PQCrypto, started in 2006; since 2010 it has taken place in a different city every year. The following article gives an overview of current developments in algorithmic solutions to the upcoming threats posed by quantum computers, as well as of unsolved problems in the classical IT landscape.
Quantum Technologies
Quantum-mechanical phenomena such as superposition and entanglement are used for communication, computing, sensing and simulation. While communication, sensing and simulation have been realized in publicly announced projects or products, quantum computing was only a matter of research until last November. With the advent of 49-qubit processors, quantum supremacy lies within reach, i.e. the potential ability of quantum computing devices to solve problems that classical computers practically cannot solve [2, 3]. IBM has announced a 50-qubit prototype, and Google participates in the race with its new record-breaking 72-qubit quantum processor Bristlecone.
Benefits
Quantum technologies offer and promise major benefits. So-called adiabatic quantum computers, e.g. the D-Wave 2000Q with 2048 qubits from D-Wave Systems in Canada, are able to solve optimization problems that would overburden a classical computer. Photon-based quantum key distribution devices from ID Quantique in Switzerland are used by the government in Geneva and other institutions. China has built the 2000 km quantum communication channel QUESS between Beijing and Shanghai for banks, the Xinhua News Agency and the government; its nodes receive keys from the Chinese quantum communication satellite. Last year they reported feasible distances of up to 1200 km. In the future, quantum computers with enough stable qubits are expected to help in building complex materials and in solving medical and environmental problems, among other things.
Threats
It has long been known that the security of currently used cryptographic algorithms relying on the hardness of integer factorization and of finding discrete logarithms (DLOG systems) [1] will expire once sufficiently powerful quantum computers exist. All public parameters, such as the public keys of asymmetric key pairs, can then be used to compute the corresponding private keys. With knowledge of those private keys, encrypted data that was collected and assigned to the relevant key exchanges will no longer remain secret. For technologies like public distributed ledgers, where encrypted data is publicly available, this threat is even more serious.
Solutions
Quantum Key Distribution
QKD is an implemented cryptographic protocol for key distribution that involves components of quantum mechanics. The security of encryption that uses quantum key distribution relies on the foundations of quantum mechanics: measuring a quantum system in general disturbs the system itself, so any third party trying to gain knowledge of the key would be detected by the original communicating parties. Quantum key distribution networks have already been established in China (QUESS), Austria (SECOQC), Japan (Tokyo QKD Network), Switzerland (SwissQuantum) and the USA (DARPA). Disadvantages for widespread practical use are the limited distances between communication partners and the need for expensive hardware. Rarely mentioned is the fact that QKD does not genuinely provide message source authentication: man-in-the-middle attacks are possible if the communicating parties do not agree on an authentication protocol beforehand.
Post-Quantum Cryptography
The alternative to QKD are algorithms whose security relies on mathematical properties, such as the hardness of inverting a one-way function even with a quantum computer. There are four mathematical areas which offer solutions for encryption, key exchange and signatures. Some of them are still in the middle of the research process; others have been examined and challenged for years. The advantage of post-quantum cryptography is that it runs efficiently on currently used devices such as smartphones, desktops and IoT devices, and it can be enabled by simple software updates.
Code-Based
Syndrome decoding of linear error-correcting codes is NP-complete when considered as a decision problem with an unbounded number of errors. On the other hand, some classes of linear codes have very fast decoding algorithms. The basic idea of a code-based cryptosystem is to choose a linear code with a fast decoding algorithm and disguise it as a general linear code. An attacker then has to use syndrome decoding to decrypt the message, while the message receiver, who also set up the system, can remove the disguise and use the fast decoding algorithm. The McEliece and the Niederreiter cryptosystems are two basic encryption schemes built on this setup. McEliece was the first scheme using randomization in the encryption process. Both systems consist of three algorithms:
1) a probabilistic key generation algorithm producing an asymmetric key pair,
2) a probabilistic encryption algorithm,
3) a deterministic decryption algorithm.
The private key is an (n, k)-linear error-correcting code represented by a generator matrix G, together with a known efficient decoding algorithm. Originally, binary Goppa codes with the Patterson decoding algorithm were used. The public key is the generator matrix G perturbed by two randomly chosen invertible matrices S and P:
G' = S G P,
where S, a (k × k) matrix, functions as a scrambler and P is an (n × n) permutation matrix. Parameters proposed by McEliece [4] result in a public key of ... bytes. The most effective attacks on McEliece use information-set decoding. To resist those in a quantum computing context, key sizes have to be increased by a factor of 4.
The Niederreiter scheme [5] applies the same idea to a parity-check matrix H of a linear code. Its encryption is about ten times faster than McEliece's. McEliece was originally believed not to be usable for authentication or signature schemes because the encryption algorithm is not one-to-one and the total algorithm is truly asymmetric, meaning that encryption and decryption do not commute. However, a one-time signature scheme based on McEliece and Niederreiter was proposed at Asiacrypt in [6]:
1) Choose a hash function h and compute the hash value h(d) of the document d which is to be signed.
2) Decrypt the hash value h(d) as if it were an instance of the ciphertext.
3) Append the decrypted hash value to the document as a signature.
As the second step almost always fails, the scheme additionally specifies a deterministic way of tweaking d until a hash value h(d) is found which can be decrypted. Verification then applies the public encryption function to the signature and compares the result to the hash value of the document.
The most recently published code-based key exchange protocol is Ouroboros [7]. It uses quasi-cyclic codes in Hamming metric in the encryption algorithm; efficient decoding is achieved through bit flipping in the Random Oracle Model. Encryption and decryption are faster than RSA in comparative benchmarks (https://bench.cr.yp.to). Ouroboros' integration into the OpenSSL/TLS library is planned, and it has been proposed to NIST as a post-quantum secure algorithm.
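The three McEliece algorithms described above (key generation with G' = S G P, encryption by adding random errors, decryption by undoing P, running the fast decoder and undoing S), as an added toy example that is not part of the original article: it stands in the binary Hamming(7,4) code with its syndrome decoder for the Goppa code with Patterson decoding, so only t = 1 error is added and the parameters are far too small for any security; it only illustrates the mechanics.

```python
"""Toy McEliece over GF(2): Hamming(7,4) (corrects t = 1 error) disguised as a general linear code via G' = S*G*P."""
import random
# Systematic Hamming(7,4) generator G = [I_4 | A] and parity-check matrix H = [A^T | I_3] (distinct columns: 1 error fixable).
G = [[1, 0, 0, 0, 1, 1, 0],
     [0, 1, 0, 0, 1, 0, 1],
     [0, 0, 1, 0, 0, 1, 1],
     [0, 0, 0, 1, 1, 1, 1]]
H = [[1, 1, 0, 1, 1, 0, 0],
     [1, 0, 1, 1, 0, 1, 0],
     [0, 1, 1, 1, 0, 0, 1]]

def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) % 2 for col in zip(*B)]
            for row in A]

def vecmat(v, M):
    return matmul([v], M)[0]

def inverse(M):
    """Gauss-Jordan inverse over GF(2); returns None if M is singular."""
    n = len(M)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for col in range(n):
        piv = next((r for r in range(col, n) if aug[r][col]), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        for r in range(n):
            if r != col and aug[r][col]:
                aug[r] = [x ^ y for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]

def keygen(seed):
    """Public key G' = S*G*P; private key (S^-1, P^-1) plus the fast decoder."""
    rng = random.Random(seed)
    S = [[rng.randint(0, 1) for _ in range(4)] for _ in range(4)]
    while inverse(S) is None:                       # scrambler S must be invertible
        S = [[rng.randint(0, 1) for _ in range(4)] for _ in range(4)]
    perm = list(range(7))
    rng.shuffle(perm)
    P = [[int(perm[i] == j) for j in range(7)] for i in range(7)]
    P_inv = [list(c) for c in zip(*P)]              # for permutation matrices P^-1 = P^T
    return matmul(matmul(S, G), P), (inverse(S), P_inv)

def encrypt(G_pub, m, seed):
    c = vecmat(m, G_pub)                            # c = m * G'
    c[random.Random(seed).randrange(7)] ^= 1        # add exactly t = 1 random error
    return c

def hamming_decode(c):
    """Fast decoder: the syndrome H*c^T equals the H column at the error position."""
    s = [sum(a * b for a, b in zip(row, c)) % 2 for row in H]
    err = [list(col) for col in zip(*H)].index(s) if any(s) else -1
    return [bit ^ (i == err) for i, bit in enumerate(c[:4])]   # systematic: message bits first

def decrypt(priv, c):
    S_inv, P_inv = priv                             # c*P^-1 = m*S*G + e*P^-1, still weight 1
    return vecmat(hamming_decode(vecmat(c, P_inv)), S_inv)   # decode to m*S, then undo S
```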
Hash-Based
So far this domain is limited to digital signature schemes which rely exclusively on the security of the underlying hash functions. The signatures themselves reveal a part of the signing key and can only be used for one message, as is known from one-time pads such as visual cryptography shares. Merkle tree signature schemes, introduced in 1979, combine a one-time signature scheme with a Merkle tree structure. The building blocks of the Merkle tree are one-time signature key pairs, with the node at the top being the global public key. This typically 256-bit key can be verified against another given one-time public key in the tree using a sequence of tree nodes, called the authentication path. The global private key is usually derived from a seed generated by a pseudo-random number generator and has a size of 256 bits as well. Hereby, the number of possible signatures is the number of combinations of the simple one-time signatures within the tree structure. This procedure considerably enhances the security of the scheme against brute-force attacks. The latest performance-improved hash-based signature scheme is SPHINCS+ [8], an advance on the SPHINCS [9] scheme presented at EUROCRYPT 2015. Unlike its predecessors XMSS and LMS, it is stateless, meaning that signing does not require updating the secret key. It is a so-called few-times scheme, where "few-times" means that after ... signatures the complete scheme has to be reinitiated. Its signature sizes range from 8 kB for NIST security level 1 to 30 kB for NIST security level 5.
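The Merkle tree construction just described, as an added example that is not code from the article: one-time public keys are the leaves, the root is the global public key, and a verifier recomputes the root from one leaf plus its authentication path. The one-time keys are constructed from a seed here (toy stand-in for a real one-time signature scheme); the tree assumes a power-of-two number of leaves.

```python
"""Merkle tree over one-time public keys with authentication-path verification (SHA-256, toy sizes)."""
import hashlib

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def build_tree(leaves):
    """Return all levels: level 0 = leaves, last level = [root]. Needs 2^k leaves."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        lvl = levels[-1]
        levels.append([h(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return levels

def auth_path(levels, index):
    """Sibling hashes from the leaf up to (not including) the root."""
    path = []
    for lvl in levels[:-1]:
        path.append(lvl[index ^ 1])   # sibling sits at the index with lowest bit flipped
        index >>= 1
    return path

def root_from_path(leaf, index, path):
    """What a verifier computes: it only needs the leaf, its index and the path."""
    node = leaf
    for sibling in path:
        node = h(node, sibling) if index % 2 == 0 else h(sibling, node)
        index >>= 1
    return node

def demo(n_leaves=8, seed=b"constructed-seed", idx=5):
    # Constructed one-time public keys derived from a seed (toy stand-in for
    # real one-time signature key pairs); leaves are their hashes.
    ots_pubkeys = [h(seed, i.to_bytes(4, "big")) for i in range(n_leaves)]
    leaves = [h(pk) for pk in ots_pubkeys]
    levels = build_tree(leaves)
    root = levels[-1][0]                          # the global public key
    path = auth_path(levels, idx)
    ok = root_from_path(leaves[idx], idx, path) == root
    # A substituted one-time key at the same position does not reproduce the root.
    forged = root_from_path(h(b"not-in-the-tree"), idx, path) == root
    return root, path, ok, forged
```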
Lattice-Based
Lattice-based schemes come with the challenge of finding the nearest lattice point or a shortest basis for a given lattice. Both problems and their approximate variants have only been solved with algorithms for NP-hard problems. Given that they are one of the longest-known public key cryptosystems, they can fairly be seen as the most promising post-quantum crypto approaches. Low memory requirements and high-speed computations let them run efficiently on all currently and widely used devices. However, due to their significantly bigger key sizes, they have not been as thoroughly researched and applied as RSA, ElGamal [10] or DLOG systems. NTRU was the first successful lattice-based asymmetric cryptosystem. It was proposed and patented in 1996 [11]. With the expiration of the patent in 2016, NTRU Prime [12], an improvement that eliminates worrisome algebraic structure, could be published. Their security relies on the interaction of a polynomial mixing system with the independence of reduction modulo two relatively prime integers p and q. Another popular ingredient of lattice-based algorithms is the Learning with Errors (LWE) problem. It was used in BCNS [13], which phrased Peikert's key encapsulation algorithm as a key exchange protocol. BCNS was the first lattice-based algorithm integrated into the OpenSSL library. With NewHope [14] an improvement was achieved by choosing more efficient parameters and shifting from LWE to Ring Learning with Errors (RLWE). The NewHope protocol allows man-in-the-middle attacks; message authentication has to be implemented additionally. Google ran an experiment in 2016 using NewHope embedded in an ECC procedure for a certain number of connections between the Chrome browser and their own servers. Since 2017, Infineon has been working on the first generation of contactless post-quantum chips with Pöppelmann, one of the authors of the NewHope paper.
Dilithium [15], a module-lattice-based signature scheme, was designed with the intention of being easy to implement securely against side-channel attacks, while offering efficiency comparable to previously developed lattice-based signature schemes. The key innovation is the replacement of Gaussian sampling by uniformly random sampling over a bounded domain. Furthermore, the public key sizes are reduced by more than a factor of 2. All these algorithms except BCNS have been submitted to the NIST post-quantum cryptography standardization process.
Multivariate
The proven NP-hardness and NP-completeness of solving multivariate polynomial equations over a finite field $F$ are the reason why schemes built on these asymmetric cryptographic primitives are considered good candidates for post-quantum security. Most of the published schemes use multivariate quadratics, i.e. polynomials of degree two. The basic scheme consists of two affine transformations $S: F^n \to F^n$ and $T: F^m \to F^m$ and an easy-to-invert quadratic map $P': F^m \to F^n$. The trapdoor $(S^{-1}, P'^{-1}, T^{-1})$ represents the private key, without which the public key $P = S \circ P' \circ T$ is assumed to be hard to invert. A first multivariate quadratic scheme, $C^*$ [16], was presented at the EUROCRYPT conference ... Hidden Field Equations [18] and QUAD [19].
Multivariate signature schemes provide the shortest signatures amongst post-quantum algorithms (Gui [20]: 129 bit over $GF(2)$ for a quantum security level of 80 bit). The signature $x$ of a message $m$ is created by hashing $m$ into a vector $y \in F^n$ and computing $x = P^{-1}(y) = T^{-1}(P'^{-1}(S^{-1}(y)))$. The receiver can simply compute the hash $y$ and check whether $P(x) = y$. Medium Field Signature Schemes [21] with fewer equations and variables in the public key offer a further reduction in key sizes, greater efficiency and scalable levels of security. A proposal has been submitted to the NIST standardization process for post-quantum signature schemes.
Isogeny-Based
One of the latest and most challenging post-quantum crypto ideas is the application of isogeny-based encryption schemes such as Supersingular Isogeny Diffie-Hellman (SIDH). With 2688-bit public keys at a 128-bit quantum security level, this scheme uses the smallest keys amongst post-quantum key exchanges. Additionally, it supports perfect forward secrecy, a property which preserves the confidentiality of old communication sessions even if long-term keys have been compromised. Although they are not as thoroughly researched as the previously mentioned schemes, Microsoft has published an experimental VPN library with a Supersingular Isogeny Key Encapsulation algorithm (SIKE) based on SIDH, alongside an LWE key exchange and a signature algorithm using symmetric-key primitives and non-interactive zero-knowledge proofs [22]. SIKE has also been submitted to the NIST standardization process for post-quantum cryptography schemes. In a YouTube video of a Microsoft research session where SIKE is presented to other researchers by Christophe Petit, he states at the end: "I wouldn't bet national security on it". On the other hand, SIDH was also called "the hottest thing we have" in the keynote of the PQCrypto conference 2017.
Amendment
Parameter choices are much more delicate for post-quantum crypto schemes than for classical ones. Furthermore, classical asymmetric schemes mostly rely on number theory, a topic studied in early university courses, whereas post-quantum algorithms involve more mathematics from courses usually taught at later stages of study. It will not only be a challenge to distinguish and weigh the complex influences on the security of post-quantum encryption schemes; there will also be an increased need for cooperation between mathematicians, computer scientists and programmers to mitigate flaws in implementations, configurations and applications. For someone who is not familiar with the concept of a mathematical conjecture, it is hard to understand on what ground the security of cryptography is built and what time can do to it, with or without regard to emerging technologies. Who can say for sure that there is no one who has been generating one RSA key pair after another for decades and storing them in a huge database, where he can simply look up the private key belonging to a public key if it is present in his own collection? How many distinct usable key pairs can even be expected within the range of a 4096-bit integer?
References
[1] P. W. Shor. Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer, https://arxiv.org/abs/quant-ph/9508027, 1995.
[2] J. Hsu. IEEE Spectrum Tech Talk, January 9, 2018, https://spectrum.ieee.org/tech-talk/computing/hardware/intels-49qubit-chip-aims-for-quantum-supremacy
[3] J. Kelly. Google AI Blog, March 5, 2018, https://ai.googleblog.com/2018/03/a-preview-of-bristlecone-googles-new.html
[4] R. McEliece. A Public-Key Cryptosystem Based On Algebraic Coding Theory, DSN Progress Report 42-44, 1978.
[5] H. Niederreiter. Knapsack-type cryptosystems and algebraic coding theory, Problems of Control and Information Theory, 1886.
[6] N. T. Courtois, M. Finiasz and N. Sendrier. How to Achieve a McEliece-Based Digital Signature Scheme, Asiacrypt, 2001.
[7] J. C. Deneuville, P. Gaborit and G. Zémor. A Simple, Secure and Efficient Key Exchange Protocol Based on Coding Theory, Springer, Post-Quantum Cryptography - PQCrypto 2017.
[8] J. Rijneveld and S. Kölbl. The SPHINCS+ reference code, https://github.com/sphincs/sphincsplus.
[9] D. J. Bernstein, D. Hopwood, A. Hülsing, T. Lange, R. Niederhagen, L. Papachristodoulou, M. Schneider, P. Schwabe and Z. Wilcox-O'Hearn. SPHINCS: practical stateless hash-based signatures, Springer, Advances in Cryptology - EUROCRYPT 2015.
[10] J. Hoffstein, J. Pipher and J. H. Silverman. An Introduction to Mathematical Cryptography, Springer Science+Business Media, 2008.
[11] J. Hoffstein, J. Pipher and J. H. Silverman. NTRU: A Ring-Based Public Key Cryptosystem, SpringerLink International Number Theory Symposium, 1998.
[12] D. Bernstein, C. Chuengsatiansup, T. Lange and C. van Vredendaal. NTRU Prime: reducing attack surface at low cost, Cryptology ePrint Archive, 2017.
[13] J. W. Bos, C. Costello, M. Naehrig and D. Stebila. Post-quantum key exchange for the TLS protocol from the ring learning with errors problem, Proceedings of the forty-fifth annual ACM symposium on Theory of computing, 2013.
[14] E. Alkim, L. Ducas, T. Pöppelmann and P. Schwabe. Post-quantum key exchange – a new hope, IEEE Security & Privacy, 2015.
[15] L. Ducas, T. Lepoint, V. Lyubashevsky, P. Schwabe, G. Seiler and D. Stehlé. CRYSTALS - Dilithium: Digital Signatures from Module Lattices, Cryptology ePrint Archive, 2017.
[16] T. Matsumoto and H. Imai. Public Quadratic Polynomial-Tuples for Efficient Signature-Verification and Message-Encryption, Springer, EUROCRYPT '88.
[17] J. Patarin. Cryptanalysis of the Matsumoto and Imai Public Key Scheme of Eurocrypt '88, Springer, CRYPTO '95.
[18] J. Patarin. Hidden Field Equations and Isomorphisms of Polynomials: Two New Families of Asymmetric Algorithms, EUROCRYPT 1996.
[19] C. Berbain, H. Gilbert and J. Patarin. A Practical Stream Cipher with Provable Security, Springer, Advances in Cryptology - EUROCRYPT 2006.
[20] M. S. E. Mohamed and A. Petzoldt. The Shortest Signatures Ever, TU Darmstadt, Germany and Kyushu University, Fukuoka, Japan, 2015.
[21] A. Petzoldt, M.-S. Chen, J. Ding and B.-Y. Yang. HMFEv - An Efficient Multivariate Signature Scheme, Springer, Post-Quantum Cryptography - PQCrypto 2017.
[22] Microsoft Research Security and Cryptography Group. Microsoft PQCrypto VPN, https://github.com/Microsoft/PQCrypto-VPN