Post Quantum Cryptography Team Presenter: Lily Chen National Institute of Standards and Technology (NIST)
• Quantum computing will break many public-key cryptographic algorithms/schemes
  ◦ Key agreement (e.g. DH and MQV)
  ◦ Digital signatures (e.g. RSA and DSA)
  ◦ Encryption (e.g. RSA)
• These algorithms have been used to protect Internet protocols (e.g. IPsec) and applications (e.g. TLS)
• NIST is studying “quantum-safe” replacements
• This talk will focus on practical aspects
  ◦ For security, see Yi-Kai Liu’s talk later today
◦ Key establishment: ephemeral Diffie-Hellman
◦ Authentication: signature or pre-shared key
• Key establishment through RSA, DHE, or DH
  ◦ RSA – Client encrypts pre-master secret using server’s RSA public key
  ◦ DHE – Ephemeral Diffie-Hellman
  ◦ DH – Client generates an ephemeral DH public value. Pre-master secret is generated using server static public key
• Server authentication
  ◦ RSA – implicit (by key confirmation)
  ◦ DHE – signature
  ◦ DH – implicit (by key confirmation)

[Figure: TLS handshake message flow]

Client                                Server

Client Hello            -------->
                                      Server Hello
                                      Certificate*
                                      ServerKeyExchange*
                                      CertificateRequest*
                        <--------     ServerHelloDone
Certificate*
ClientKeyExchange*
CertificateVerify*
{ChangeCipherSpec}
Finished                -------->
                                      {ChangeCipherSpec}
                        <--------     Finished
Application data        <------->     Application Data
• IKE
  ◦ A replacement of ephemeral Diffie-Hellman key agreement should have a fast key pair generation scheme
  ◦ If signatures are used for authentication, both signing and verifying need to be equally efficient
• TLS
  ◦ RSA – encryption replacement needs to have fast encryption
  ◦ DHE – fast key pair generation and efficient signature verification
  ◦ DH – fast key pair generation
• Which are most important in practice?
  ◦ Public and private key sizes
  ◦ Key pair generation time
  ◦ Ciphertext size
  ◦ Encryption/Decryption speed
  ◦ Signature size
  ◦ Signature generation/verification time
• Not a lot of benchmarks in this area
• Lattice-based
  ◦ NTRU Encryption and NTRU Signature
  ◦ (Ring-based) Learning with Errors
• Code-based
  ◦ McEliece encryption and CFS signatures
• Multivariate
  ◦ HFE, psFlash, Quartz (a variant of HFE)
• Many more…
  ◦ hash-based signatures
  ◦ isogeny-based schemes
  ◦ etc.
• All have their pros and cons
| Algorithm | KeyGen Time (RSA sign=1) | Decrypt Time (RSA sign=1) | Encrypt Time (RSA sign=1) | Public Key Size (bits) | Private Key Size (bits) | Ciphertext Size (bits) | Time* Scaling | Key* Scaling |
|---|---|---|---|---|---|---|---|---|
| NTRUEncrypt | 10 | 0.1 | 0.1 | ~3000 | ~4000 | ~3000 | k^2 | k |
| McEliece | 5 | 1 | 0.02 | 651264 | 1098256 | 1660 | k^2 | k^2 |
| Quasi-Cyclic McEliece | 5 | 1 | 0.02 | 4801 | 9602 | 9602 | k^2 | k |
| RSA | 50 | 1 | 0.02 | 1024 | 1024 | 1024 | k^6 | k^3 |
| DH | 0.5 | 0.5 | 0.5 | 1024 | 160 | 1024 | k^4 | k^3 |
| ECC | 0.1 | 0.1 | 0.1 | 320 | 160 | 320 | k^2 | k |

• Disclaimer – these are rough estimates for comparison purposes only, not benchmarks. Numbers are for 80 bits of security.
* Time and key scaling ignore log k factors
| Algorithm | KeyGen Time (RSA sign=1) | Sign Time (RSA sign=1) | Verify Time (RSA sign=1) | Limited Lifetime? | Public Key Size | Private Key Size | Signature Size (bits) | Time* Scaling | Key* Scaling |
|---|---|---|---|---|---|---|---|---|---|
| Winternitz-Merkle signatures | 200 | 1 | 0.2 | 2^20 | 368 | 15200 | 17024 | k^2 | k^2 |
| Winternitz-Merkle signatures | 10000 | 1 | 0.2 | 2^30 | 368 | 22304 | 18624 | k^2 | k^2 |
| Winternitz-Merkle signatures | 500000 | 2 | 0.2 | 2^40 | 368 | 29344 | 20224 | k^2 | k^2 |
| GLP signature (lattice-based) | 0.01 | 0.5 | 0.02 | | 11800 | 1620 | 8950 | k^2 | k |
| CFS signature (code based) | 5 | 2000 | 0.02 | | 9437184 | ~15000000 | 144 | exp(o(k)) | exp(o(k)) |
| Psflash signature (multivariate) | 50 | 1 | 0.1 | | 576992 | 44400 | 296 | k^3 | k^3 |
| Quartz signature (multivariate) | 100 | 2 | 0.05 | | 126000 | 11500 | 80 | k^3 | k^3 |
| RSA | 50 | 1 | 0.02 | | 1024 | 1024 | 1024 | k^6 | k^3 |
| DSA | 0.5 | 0.5 | 0.5 | | 1024 | 160 | 320 | k^4 | k^3 |
| ECDSA | 0.1 | 0.1 | 0.1 | | 320 | 160 | 320 | k^2 | k |

• Disclaimer – these are rough estimates for comparison purposes only, not benchmarks. Numbers are for 80 bits of security.
* Time and key scaling ignore log k factors
• For most of the potential PQC replacements, the times needed for encryption, decryption, signing, and verification are acceptable
• Some key sizes are significantly larger than those of the RSA and DL families at the currently required security strength
  ◦ If the public keys do not need to be exchanged, it may not be a problem
  ◦ But long certificates have been considered an implementation pitfall for the TLS handshake
• Some ciphertext sizes and signature sizes are not quite plausible
  ◦ They may become a show stopper in bandwidth/space-limited environments
• Key pair generation time for the encryption schemes is not bad at all
  ◦ One-time encryption can be used to replace ephemeral DH for “perfect forward secrecy”
• No easy “drop-in” replacements
  ◦ Many factors need to be considered
• We need more time to study
• Would be nice to have more benchmarks
• We would like more input
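To put numbers on the point about replacing ephemeral DH with one-time encryption, the following added example (not part of the original slides) computes the bytes on the wire when one peer sends a fresh public key and the other returns a ciphertext, using the rough 80-bit estimates from the encryption table above. The function names and the 1400-byte packet payload are assumptions made for illustration.

```python
import math

# (public key bits, ciphertext bits, KeyGen time with RSA sign = 1),
# copied from the encryption table above; "~" estimates taken at face value.
ENC_SCHEMES = {
    "NTRUEncrypt": (3000, 3000, 10),
    "McEliece": (651264, 1660, 5),
    "Quasi-Cyclic McEliece": (4801, 9602, 5),
    "RSA": (1024, 1024, 50),
}
DH_PUBLIC_BITS = 1024   # DH row: each peer sends one public value
MTU_PAYLOAD = 1400      # assumption: usable bytes per packet


def to_bytes(bits):
    """Round a bit length up to whole bytes."""
    return math.ceil(bits / 8)


def packets(nbytes, mtu=MTU_PAYLOAD):
    """Packets needed to carry one message of nbytes."""
    return math.ceil(nbytes / mtu)


def dh_exchange_bytes():
    """Baseline: two DH public values, one in each direction."""
    return 2 * to_bytes(DH_PUBLIC_BITS)


def ephemeral_exchange(name, mtu=MTU_PAYLOAD):
    """Fresh public key one way, ciphertext carrying the secret back."""
    pk_bits, ct_bits, keygen = ENC_SCHEMES[name]
    pk, ct = to_bytes(pk_bits), to_bytes(ct_bits)
    return {
        "scheme": name,
        "total_bytes": pk + ct,
        "packets": packets(pk, mtu) + packets(ct, mtu),
        "x_dh": round((pk + ct) / dh_exchange_bytes(), 1),
        "keygen_rel": keygen,  # paid on every handshake when keys are one-time
    }


def compare(mtu=MTU_PAYLOAD):
    """All schemes, cheapest exchange first."""
    rows = [ephemeral_exchange(n, mtu) for n in ENC_SCHEMES]
    return sorted(rows, key=lambda r: r["total_bytes"])


if __name__ == "__main__":
    for r in compare():
        print(f"{r['scheme']:<22} {r['total_bytes']:>6} B {r['packets']:>3} pkt "
              f"{r['x_dh']:>6}x DH  keygen {r['keygen_rel']}")
```

The original McEliece public key alone accounts for almost all of its exchange, which is why the quasi-cyclic variant is the one that stays within a couple of packets.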
Questions? Comments? [email protected]
NIST PQC Team: Lily Chen, Stephen Jordan, Yi-Kai Liu, Dustin Moody, Rene Peralta, Ray Perlner, Daniel Smith