Cryptography in a Post Quantum Computing World, Máire O’Neill
Transcript
Page 1: Cryptography in a Post Quantum Computing World Máire O’Neill.

Cryptography in a Post Quantum Computing World

Máire O’Neill

Page 2

Quantum Computing

Traditional computing:
- Involves bits that exist in 2 states, binary 1 and 0
- Performs one calculation at a time, in sequence

Quantum computing:
- Involves qubits, which exist in a superposition state: a register of n qubits carries amplitudes for all 2^n bit patterns at once
- This is popularly described as "performing millions of calculations simultaneously", but a measurement returns only one outcome, so the speed-up is only realised by algorithms that arrange interference so that the wanted answer dominates (Shor and Grover, next slide)

A 30-qubit quantum computer is sometimes said to match a conventional computer running at 10 teraflops; the comparison is loose (2^30 amplitudes versus floating-point operations per second) and should not be read as a general speed-up.

Page 3

Quantum Computing

Needs to use algorithms that exploit its power of quantum parallelism:

Shor’s algorithm (1994)
- Factorises large integers (and solves discrete logarithms) in polynomial time, a superpolynomial (commonly called exponential) speed-up over the best known classical algorithms
- Significant implications for current public-key cryptography

Grover’s algorithm (1996)
- Searches an unsorted database of N items faster than a conventional computer: O(√N) queries rather than O(N) (quadratic speed-up)
- Against a symmetric cipher this means an exhaustive search over 2^k keys costs about 2^(k/2) quantum operations

Peter Shor

Page 4

Quantum Computing

Problems with quantum computing
- Difficult to realise on a large scale due to decoherence, i.e. unwanted interaction between the system and its environment, which introduces errors
- Also difficult to maintain the lifetime of stored quantum information
- Observing (measuring) quantum particles changes the outcome, so intermediate results are difficult to verify
- In quantum communications the transmission distance is limited (e.g. photons sent through fibre-optic cables fade over long distances, and the signal cannot be amplified without destroying the quantum state)

Page 5

Quantum Computing – recent breakthroughs

- Largest number yet to be factored into its primes by a quantum algorithm (figure)
- RSA Laboratories’ largest published semiprime, RSA-2048, has 617 decimal digits (2048 bits)
  > Infeasible to factorise with any known classical algorithm
  > Feasible for a sufficiently large, fault-tolerant quantum computer running Shor’s algorithm; the gain comes from quantum period finding, not from trying all the classical calculations in parallel

Page 6

Quantum Computing – recent breakthroughs

- Quantum teleportation uses both classical communication and quantum entanglement, i.e. multiple particles linked together such that measuring one particle’s quantum state determines the states of the other particles
- Achieved across free space between La Palma and Tenerife (making a path between satellites and a ground station more feasible)
- Quantum communication (key distribution) has been demonstrated over 250 km of optical fibre

Page 7

Quantum Computing – recent breakthroughs

- A quantum memory state held stable at room temperature for 39 minutes, almost 100 times longer than the previous record (and 3 hours at cryogenic temperatures)
- Not long, but in this amount of time a machine could run more than 20 million operations

Page 8

Quantum Computing – recent breakthroughs

The World’s First Quantum Computer ???

D-Wave’s current model billed as a 512-qubit machine (2012)
- Bought by Lockheed Martin and Google/NASA
- Difficult to verify whether it is performing quantum operations or not!
- Has shown significant speed-ups, but only for certain calculations
- Caveat for cryptographers: it is a quantum annealer, not a gate-model machine, so it cannot run Shor’s algorithm; its qubit count says nothing about the threat to RSA or ECC
- Has helped to advance research in quantum computing

Page 9

Quantum Computing – NSA’s Efforts

NSA funding a $79.7 million research programme to build a ‘cryptologically useful quantum computer’

S. Rich, B. Gellman, The Washington Post

Page 10

Post-Quantum Cryptography

Page 11

What happens when quantum computers become a reality 10 to 15 years from now?

Commonly used public-key cryptographic algorithms (based on integer factorisation and the discrete logarithm problem) such as:

RSA, DSA, Diffie-Hellman key exchange, ECC, ECDSA

will be vulnerable to Shor’s algorithm and will no longer be secure. Larger RSA or EC key sizes do not help: Shor’s algorithm runs in time polynomial in the key length.

Symmetric algorithms appear to remain secure against quantum computers (Grover’s algorithm only halves the effective key length, e.g. AES-128 drops to roughly 64-bit security) by simply increasing the associated key sizes, e.g. moving from AES-128 to AES-256.

Need for Post-Quantum Cryptography

But what about key exchange?

Page 12

What is Post-Quantum Cryptography?

Post-quantum cryptography is not the same thing as quantum cryptography (quantum key distribution, e.g. BB84, shown in the figure).

Disadvantages of quantum crypto: expensive, assumes an already-authenticated classical channel (so it still needs a signature or MAC), limited distance, etc.

Ref: http://swissquantum.idquantique.com/IMG/jpg/bb84.jpg

Page 13

What is Post-Quantum Cryptography?

Post-quantum cryptography algorithms are conventional, non-quantum cryptographic algorithms that remain secure even after practical quantum computing is a reality.

Main types of post-quantum cryptography (public-key encryption and signature schemes):
- Code-based
- Hash-based
- Multivariate-quadratic
- Lattice-based

Page 14

Post-Quantum Cryptography

Code-based cryptography
- Based on the difficulty of decoding a random linear code
- Both encryption and signature schemes. Encryption schemes include: McEliece (1978); Niederreiter (1986); and variants
- Niederreiter is the most efficient
- Relatively large public key sizes (65/192 kBytes for 80/128-bit security)

Advantages/Disadvantages
- Most mature PQ crypto (McEliece with binary Goppa codes has resisted cryptanalysis since 1978)
- Rarely used in practice due to large public key sizes
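The construction behind those key sizes is easier to see on a code small enough to print. The following Python is an added example written for this page (not code from the slides or from the author’s group): McEliece over the binary Hamming [7,4] code, which corrects one error. The public key is G' = S·G·P, a random invertible scrambler S and a random permutation P hiding the structured generator matrix G; anyone can encode and add t random errors, but only the holder of S and P can strip the permutation, decode with the fast private decoder, and unscramble. The matrices, t = 1, and the seeded RNG are assumptions for illustration; real McEliece uses a binary Goppa code with n = 1024, k = 524, t = 50 in its original parameters.

```python
"""Toy McEliece public-key encryption over the Hamming [7,4] code.

Added example, not from the slides. Hamming [7,4] corrects T = 1 error;
the structure (public G' = S*G*P, private S^-1, P^-1 and a fast decoder)
is the real one, the parameters are not.
"""
import random

K, NC = 4, 7            # message bits, codeword bits
T = 1                   # errors the private decoder can correct
G = [[1, 0, 0, 0, 1, 1, 0],      # systematic generator matrix [I_4 | A]
     [0, 1, 0, 0, 1, 0, 1],
     [0, 0, 1, 0, 0, 1, 1],
     [0, 0, 0, 1, 1, 1, 1]]
H = [[1, 1, 0, 1, 1, 0, 0],      # parity-check matrix [A^T | I_3]
     [1, 0, 1, 1, 0, 1, 0],
     [0, 1, 1, 1, 0, 0, 1]]


def make_rng(seed=None):
    """Seedable RNG for reproducible runs (assumption: use SystemRandom in practice)."""
    return random.Random(seed)


def matmul(A, B):
    """Matrix product over GF(2)."""
    return [[sum(a * b for a, b in zip(row, col)) % 2 for col in zip(*B)] for row in A]


def vecmat(v, B):
    return matmul([v], B)[0]


def transpose(A):
    return [list(col) for col in zip(*A)]


def inverse_gf2(A):
    """Gauss-Jordan inverse over GF(2); None if A is singular."""
    n = len(A)
    M = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(A)]
    for col in range(n):
        piv = next((r for r in range(col, n) if M[r][col]), None)
        if piv is None:
            return None
        M[col], M[piv] = M[piv], M[col]
        for r in range(n):
            if r != col and M[r][col]:
                M[r] = [x ^ y for x, y in zip(M[r], M[col])]
    return [row[n:] for row in M]


def hamming_decode(word):
    """Private decoder: fix up to one flipped bit, return the K message bits."""
    syndrome = vecmat(word, transpose(H))
    if any(syndrome):
        j = transpose(H).index(syndrome)   # column j of H is the syndrome of an error at j
        word = word[:]
        word[j] ^= 1
    return word[:K]                        # systematic code: message sits in the first K bits


def keygen(rng):
    while True:                                     # random invertible scrambler S
        S = [[rng.randrange(2) for _ in range(K)] for _ in range(K)]
        S_inv = inverse_gf2(S)
        if S_inv is not None:
            break
    perm = list(range(NC))
    rng.shuffle(perm)
    P = [[int(perm[i] == j) for j in range(NC)] for i in range(NC)]
    G_pub = matmul(matmul(S, G), P)                 # published; looks like a random code
    return (S_inv, transpose(P)), G_pub             # P^-1 = P^T for a permutation matrix


def encrypt(G_pub, msg_bits, rng):
    """c = m*G' + e, with exactly T random error positions."""
    err_positions = rng.sample(range(NC), T)
    codeword = vecmat(msg_bits, G_pub)
    return [bit ^ (i in err_positions) for i, bit in enumerate(codeword)]


def decrypt(sk, ct):
    S_inv, P_inv = sk
    scrambled = hamming_decode(vecmat(ct, P_inv))   # undo P (error weight unchanged), decode
    return vecmat(scrambled, S_inv)                 # undo S to recover m


def public_key_bits(G_pub):
    """k x n bits: 28 here; 524 x 1024 = about 67 kBytes for classic McEliece."""
    return len(G_pub) * len(G_pub[0])
```

The key-size problem on the slide falls straight out of `public_key_bits`: the public key is the whole k × n generator matrix, and for the code to hide its structure and correct t = 50 errors, n must be around a thousand, so the matrix runs to tens of kilobytes where an RSA or ECC key is a few hundred bytes.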

Page 15

Post-Quantum Cryptography

Hash-based cryptography
- Security relies only on properties of a cryptographic hash function (collision resistance in Merkle’s original construction; second-preimage resistance suffices for later variants such as XMSS)
- Only signature schemes exist, such as: Merkle signature schemes (1989); CMSS (2006); XMSS (2011)
- Based on one-time signature (OTS) schemes, in which each key may be used only once
- Combined with hash trees, one public key authenticates many one-time keys and so can sign multiple messages
- Relatively small public/private key sizes (e.g. 46 Bytes to 7568 Bytes)

Advantages/Disadvantages
- Most promising PQ signature schemes
- Limited use of each key: the signer must keep state (which one-time keys have been consumed) and never reuse one, since a second signature under the same OTS key leaks enough of the private key to forge
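The one-time restriction is the whole design constraint of this family, so it is worth seeing it fail. The following Python is an added example written for this page (not code from the slides or from the author’s group): a Lamport one-time signature, the forgery that becomes possible once the same OTS key has signed two messages, and a Merkle tree that binds 2^h one-time keys to a single root public key with an explicit "next unused leaf" counter, i.e. the stateful structure of Merkle’s scheme. The 16-bit digest width, SHA-256 as the hash, and the message strings are assumptions chosen so the reuse attack finishes in seconds; none of this reflects the parameters of CMSS or XMSS.

```python
"""Lamport one-time signatures plus a Merkle tree (Merkle signature scheme).

Added example, not from the slides. N_BITS is a toy 16 so that the key-reuse
forgery can be found by brute force; real schemes use a 256-bit digest and
a Winternitz OTS to shrink signatures.
"""
import hashlib
import os

N_BITS = 16


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def digest_bits(msg: bytes):
    """Message digest truncated to N_BITS, as a list of bits (MSB first)."""
    d = int.from_bytes(H(msg)[: N_BITS // 8], "big")
    return [(d >> (N_BITS - 1 - i)) & 1 for i in range(N_BITS)]


def lamport_keygen(rng=os.urandom):
    """Private key: two random secrets per digest bit; public key: their hashes."""
    sk = [[rng(32), rng(32)] for _ in range(N_BITS)]
    pk = [[H(x) for x in pair] for pair in sk]
    return sk, pk


def lamport_sign(sk, msg):
    """Reveal, for each digest bit, the secret that bit selects."""
    return [sk[i][b] for i, b in enumerate(digest_bits(msg))]


def lamport_verify(pk, msg, sig):
    return all(H(sig[i]) == pk[i][b] for i, b in enumerate(digest_bits(msg)))


def revealed_after(signed):
    """Private values exposed by several (msg, sig) pairs made with ONE key."""
    revealed = {}
    for msg, sig in signed:
        for i, b in enumerate(digest_bits(msg)):
            revealed[(i, b)] = sig[i]
    return revealed


def forge(revealed, target):
    """Sign target without the key if every digest bit's secret is already exposed."""
    bits = digest_bits(target)
    if all((i, b) in revealed for i, b in enumerate(bits)):
        return [revealed[(i, b)] for i, b in enumerate(bits)]
    return None


def find_forgery(revealed, attempts=300000):
    """Search for a forgeable message: cheap at 16 bits, hopeless at 256."""
    for k in range(attempts):
        target = b"pay Mallory " + str(k).encode()   # constructed attacker messages
        sig = forge(revealed, target)
        if sig is not None:
            return target, sig
    return None


def leaf(pk):
    return H(b"".join(h for pair in pk for h in pair))


def merkle_keygen(height):
    """2**height one-time keys; the single public key is the tree root."""
    pairs = [lamport_keygen() for _ in range(2 ** height)]
    levels = [[leaf(pk) for _, pk in pairs]]
    while len(levels[-1]) > 1:
        lvl = levels[-1]
        levels.append([H(lvl[i] + lvl[i + 1]) for i in range(0, len(lvl), 2)])
    state = {"keys": pairs, "levels": levels, "next": 0}
    return state, levels[-1][0]


def merkle_sign(state, msg):
    """Stateful: consume the next unused leaf; returns (index, OTS pk, OTS sig, auth path)."""
    idx = state["next"]
    if idx >= len(state["keys"]):
        raise RuntimeError("all one-time keys used; generate a new tree")
    state["next"] += 1            # advance (and persist) the state BEFORE releasing the signature
    sk, pk = state["keys"][idx]
    auth, i = [], idx
    for lvl in state["levels"][:-1]:
        auth.append(lvl[i ^ 1])   # sibling node at each level
        i //= 2
    return idx, pk, lamport_sign(sk, msg), auth


def merkle_verify(root, msg, signature):
    idx, pk, ots_sig, auth = signature
    if not lamport_verify(pk, msg, ots_sig):
        return False
    node = leaf(pk)
    for sib in auth:
        node = H(sib + node) if idx & 1 else H(node + sib)
        idx //= 2
    return node == root
```

After two signatures under one Lamport key roughly three quarters of the private values are public, and `find_forgery` turns that into a valid signature on a message the key holder never saw. With a 256-bit digest the same search is infeasible, so the practical lesson is not that Lamport is weak but that `state["next"]` is part of the security boundary: losing or rolling back that counter (a restored VM snapshot, a replicated signer) is a key-reuse vulnerability, which is why these schemes are called stateful.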

Page 16

Post-Quantum Cryptography

Multivariate-quadratic cryptography
- Based on the difficulty of solving a system of multivariate quadratic (MQ) equations over a finite field
- In practice only signature schemes, such as: Oil and Vinegar (1997); Rainbow (2005); Quartz/HFE (1996); Matsumoto-Imai (1988)
- Large public and private key sizes (up to 75 kBytes)

Advantages/Disadvantages
- Underlying operations (arithmetic on small field elements) can be implemented efficiently (more efficient than ECC/RSA)
- Not suitable for embedded devices due to large key sizes
- Uneven security record: several schemes in this family have been broken, including the original balanced Oil and Vinegar and, in 2022, Rainbow

Page 17

Post-Quantum Cryptography

Lattice-based cryptography
- Based on the shortest vector problem (SVP) / closest vector problem (CVP) and, for LWE-type schemes, the learning with errors problem (recover s from noisy samples A·s + e mod q)
- Both encryption and signature schemes. Encryption schemes include: NTRU (1996); LWE (2005); Ring-LWE (2010)
- Recent advances with ideal lattices (ring structure) have made them more practical
- Large public/private key sizes (up to 732 kBytes)

Advantages/Disadvantages
- Underlying operations (matrix or polynomial arithmetic modulo q) can be implemented efficiently
- Most promising PQ crypto, attracting the most interest in the research community
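To make the "noisy linear equations" idea concrete, here is an added Python example written for this page (not code from the slides or from the author’s group): a toy Regev-style LWE encryption of single bits, plus a homomorphic XOR that shows why noise growth is the central obstacle the later FHE slides deal with. The parameters N = 16, q = 4093, M = 64 and the {-1, 0, 1} error distribution are assumptions far below any secure setting; they are chosen so that the accumulated error always stays under q/4 and decryption never fails.

```python
"""Toy Regev-style LWE public-key encryption (lattice-based).

Added example, not from the slides. Toy parameters; real schemes use n in
the hundreds, a discrete Gaussian error, and (Ring-LWE) polynomial rings
instead of the matrix A.
"""
import random

N = 16      # secret dimension n
Q = 4093    # modulus q (odd; only "large enough" matters here)
M = 64      # LWE samples in the public key; also bounds the accumulated error


def make_rng(seed=None):
    """Seedable RNG for reproducible runs (assumption: use SystemRandom in practice)."""
    return random.Random(seed)


def small_error(rng):
    """Narrow error distribution, a toy stand-in for a discrete Gaussian."""
    return rng.choice((-1, 0, 0, 1))


def keygen(rng):
    """Secret s in Z_q^n; public key (A, b = A*s + e mod q). Without s, b looks uniform."""
    s = [rng.randrange(Q) for _ in range(N)]
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]
    b = [(sum(a * x for a, x in zip(row, s)) + small_error(rng)) % Q for row in A]
    return s, (A, b)


def encrypt(pk, bit, rng):
    """Sum a random subset of the public samples; add bit*floor(q/2) to the scalar part."""
    A, b = pk
    subset = [i for i in range(M) if rng.random() < 0.5]
    u = [sum(A[i][j] for i in subset) % Q for j in range(N)]
    v = (sum(b[i] for i in subset) + bit * (Q // 2)) % Q
    return u, v


def raw_decrypt(s, ct):
    """v - <s,u> mod q = (sum of the subset's errors) + bit*floor(q/2)."""
    u, v = ct
    return (v - sum(x * y for x, y in zip(s, u))) % Q


def decrypt(s, ct):
    """Decode: values near 0 mean 0, values near q/2 mean 1; error must stay below q/4."""
    d = raw_decrypt(s, ct)
    return 1 if Q // 4 <= d < 3 * Q // 4 else 0


def noise(s, ct):
    """Exact accumulated error of a ciphertext, centred in (-q/2, q/2]."""
    d = (raw_decrypt(s, ct) - decrypt(s, ct) * (Q // 2)) % Q
    return d - Q if d > Q // 2 else d


def add(ct1, ct2):
    """Homomorphic XOR: component-wise sum; the errors add, so noise grows."""
    (u1, v1), (u2, v2) = ct1, ct2
    return [(x + y) % Q for x, y in zip(u1, u2)], (v1 + v2) % Q


def encrypt_bytes(pk, data, rng):
    return [encrypt(pk, (byte >> k) & 1, rng) for byte in data for k in range(8)]


def decrypt_bytes(s, cts):
    bits = [decrypt(s, c) for c in cts]
    return bytes(sum(bits[8 * i + k] << k for k in range(8)) for i in range(len(bits) // 8))


def expansion_bits():
    """Ciphertext bits per plaintext bit: (n+1) elements of Z_q."""
    return (N + 1) * Q.bit_length()
```

Two things the slide’s bullet points imply are visible here. `expansion_bits` returns 204 ciphertext bits per plaintext bit and the public key is M·(N+1) elements of Z_q, which is where the large sizes come from. And `noise` shows that every homomorphic `add` roughly doubles the error budget used; once it passes q/4, `decrypt` silently returns the wrong bit, which is exactly the problem bootstrapping and the parameter blow-up in the FHE slides exist to manage.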

Page 18

Post-Quantum Cryptography

Summary
- Code-based: most mature PQ crypto
- Lattice-based: most promising:
  > standardised in 2008 (IEEE Std 1363.1, NTRU); NIST has since standardised lattice schemes as ML-KEM and ML-DSA (FIPS 203 and 204, 2024)
  > allows other constructions/applications beyond public-key encryption, e.g. identity-based encryption, homomorphic encryption

Challenges in post-quantum cryptography
- Further security analysis of PQ crypto algorithms needed
- Suitable parameter choices still an open research problem; current choices use relatively large key sizes
- Optimal and practical PQ algorithm implementations are needed
- Resistance of PQ crypto architectures to physical/side-channel leakage (constant-time sampling and arithmetic matter here as much as for RSA/ECC)

Page 19

Post-Quantum Cryptography

Page 20

Fully Homomorphic Encryption

Page 21

Accelerating Fully Homomorphic Encryption (FHE)

What is Fully Homomorphic Encryption?

- In 2009, Craig Gentry showed the first fully homomorphic encryption scheme, built from lattice-based cryptography (ideal lattices)
- Fully homomorphic encryption allows arbitrary computation on encrypted data, so data stored and processed in the cloud can stay encrypted throughout
- Significant potential, but: key generation can take over 2 hours; very large public-key sizes (10 MB to 2 GB); long encryption time (up to 7 minutes); memory to store parameters is an issue
- Need for optimised and practical implementations

Page 22

Accelerating Fully Homomorphic Encryption (FHE)

Current research at CSIT: accelerating the main underlying primitives in integer-based FHE, i.e. large-integer multiplication and modular reduction

Public key sizes > 19 Gbit

Page 23

Current research at CSIT

Proposed an improved low Hamming weight (LHW) multiplier architecture (figure)

b_i can be taken to be a LHW integer with a maximum Hamming weight of 15

Page 24

Accelerating Fully Homomorphic Encryption (FHE)

Proposed design: FPGA results (Xilinx Virtex-7 XC7VX1140T)

Parameter set / FFT size   Time (s)   Slice registers   Slice LUTs   DSP48E1s   RAM access bit width
Toy, 256-pt FFT            0.0014     58572             136779       544        8479
Small, 256-pt FFT          0.0255     58572             136779       544        8479
Medium, 512-pt FFT         0.47       63528             144379       608        8479
Large, 1024-pt FFT         7.88       68467             153771       672        8479

All designs fit easily on a Xilinx Virtex-7 XC7VX1140T device.

Comparison with reference implementations (time per parameter group)

Platform                      Toy        Small      Medium   Large
This work: Xilinx Virtex-7    0.0014 s   0.0255 s   0.47 s   7.88 s
Ref: Intel Core 2 Duo (s/w)   0.05 s     1.0 s      21 s     7 min 15 s
GPU platform                  -          1.69 s     -        -

x55 improvement in speed over the reference software design for Large parameters (435 s / 7.88 s); x66 improvement over the GPU-based design (1.69 s / 0.0255 s for Small parameters)

Page 25

Accelerating Fully Homomorphic Encryption (FHE)

http://acmtecs.acm.org/special-issues/14/embcrypt2014.html