Cryptology, cryptography, cryptanalysis. Definitions, meanings, requirements, and current challenges
Tanja Lange
Technische Universiteit Eindhoven
26 September 2018
ENISA summer school
Cryptographic applications in daily life

- Mobile phones connecting to cell towers.
- Credit cards, EC-cards, access codes for banks.
- Electronic passports; soon ID cards.
- Internet commerce, online tax declarations, webmail.
- Facebook, Gmail, WhatsApp, iMessage on iPhone.
- Any webpage with https.
- Encrypted file system on iPhone: see Apple vs. FBI.
- PGP encrypted email, Signal, Tor, Tails, Qubes OS.

Snowden in Reddit AmA: "Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say."

Tanja Lange https://pqcrypto.eu.org Introduction 2
Cryptography

- Motivation #1: Communication channels are spying on our data.
- Motivation #2: Communication channels are modifying our data.

Sender "Alice" -> Untrustworthy network "Eve" -> Receiver "Bob"

- Literal meaning of cryptography: "secret writing".
- Achieves various security goals by secretly transforming messages.
Secret-key authenticated encryption

Alice -> Eve -> Bob, with Alice and Bob holding the same key.

- Prerequisite: Alice and Bob share a secret key.
- Prerequisite: Eve doesn't know the key.
- Alice and Bob exchange any number of messages.
- Security goal #1 (encryption): Confidentiality despite Eve's espionage.
- Security goal #2 (authenticated encryption): Integrity, i.e., recognizing Eve's sabotage.
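The two goals on this slide, as an added example that is not part of the talk: Go's standard-library AES-256-GCM provides confidentiality (goal #1) and integrity (goal #2) in one primitive. The key, the sample message and the associated data are constructed for the demonstration, and Eve is modelled as a relay that first forwards the message untouched and then flips a single ciphertext bit.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newGCM builds an AES-GCM AEAD from a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is what Alice runs. Output layout: nonce || ciphertext || 16-byte tag.
// The nonce is fresh and random per message; reusing a (key, nonce) pair
// destroys both confidentiality and integrity of GCM.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// Open is what Bob runs. The tag is verified before any plaintext is
// released, so any change Eve makes to nonce, ciphertext, tag or aad
// yields an error and no plaintext at all.
func Open(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns+aead.Overhead() {
		return nil, errors.New("sealed message too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// Demo runs the Alice -> Eve -> Bob flow of the slide. Eve first relays the
// message unchanged, then flips one bit of the ciphertext body. It reports
// whether Bob read the honest message and whether the tampered copy was rejected.
func Demo() (bool, bool, error) {
	key := make([]byte, 32) // the shared secret key; only Alice and Bob have it
	if _, err := rand.Read(key); err != nil {
		return false, false, err
	}
	msg := []byte("transfer 100 EUR to account 42") // constructed sample message
	aad := []byte("msg-id:1")                       // authenticated but not encrypted header

	sealed, err := Seal(key, msg, aad)
	if err != nil {
		return false, false, err
	}
	got, err := Open(key, sealed, aad)
	if err != nil {
		return false, false, err
	}
	honestOK := bytes.Equal(got, msg)

	// Eve's sabotage: flip one bit of the first ciphertext byte (index 12,
	// right after the 12-byte GCM nonce). Without a tag this would silently
	// flip the first plaintext bit; with GCM the tag check fails.
	tampered := append([]byte(nil), sealed...)
	tampered[12] ^= 0x01
	_, openErr := Open(key, tampered, aad)
	return honestOK, openErr != nil, nil
}

func main() {
	ok, detected, err := Demo()
	fmt.Printf("honest message read: %v, tampering detected: %v, err: %v\n", ok, detected, err)
}
```

Plain AES-CTR would have given goal #1 only: the flipped bit would simply flip the first bit of Bob's plaintext and nobody would notice. The other thing to get right in practice is the nonce: GCM's guarantees hold only while no (key, nonce) pair is ever reused, so a long-lived key carrying many messages needs a counter or periodic rekeying rather than random 96-bit nonces.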
Public-key signatures

Alice: m -> (m, s) -> Eve -> (m, s) -> Bob: m
Secret key k (held by Alice only), public key K (known to everyone).

- Prerequisite: Alice has a secret key k and public key K.
- Prerequisite: Eve doesn't know k. Everyone knows K.
- Alice publishes any number of messages.
- Security goal: Integrity.
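The signature flow above with Ed25519 (the scheme the summary slide names), as an added example that is not part of the talk. Alice signs with k, anyone holding K verifies; Eve is given three tries at sabotage. The message is constructed for the demonstration; this is also the mechanism behind the signed software updates the later slides call a critical example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Signer is Alice: k never leaves her machine, K is published.
type Signer struct {
	K ed25519.PublicKey
	k ed25519.PrivateKey
}

func NewSigner() (*Signer, error) {
	K, k, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{K: K, k: k}, nil
}

// Sign computes s for message m using the secret key k.
func (a *Signer) Sign(m []byte) []byte {
	return ed25519.Sign(a.k, m)
}

// Verify is what Bob (or anyone holding K) runs on the pair (m, s).
// It needs no secret, which is what lets one signer serve many verifiers:
// one vendor key checked by every device installing an update.
func Verify(K ed25519.PublicKey, m, s []byte) bool {
	return len(s) == ed25519.SignatureSize && ed25519.Verify(K, m, s)
}

// Demo runs the slide's flow plus Eve's three attempts: altering m,
// altering s, and substituting a signature made with her own key.
// Only the honest pair verifies.
func Demo() (honest, alteredMsg, alteredSig, eveSigned bool, err error) {
	alice, err := NewSigner()
	if err != nil {
		return
	}
	eve, err := NewSigner()
	if err != nil {
		return
	}
	m := []byte("release v1.2.3: install this package") // constructed sample message
	s := alice.Sign(m)
	honest = Verify(alice.K, m, s)

	m2 := append([]byte(nil), m...)
	m2[len(m2)-1] ^= 0x01 // Eve changes one bit of the message
	alteredMsg = Verify(alice.K, m2, s)

	s2 := append([]byte(nil), s...)
	s2[0] ^= 0x01 // Eve changes one bit of the signature
	alteredSig = Verify(alice.K, m, s2)

	// Eve signs m with her own k; Bob checks against Alice's K and rejects.
	eveSigned = Verify(alice.K, m, eve.Sign(m))
	return
}

func main() {
	honest, am, as, es, err := Demo()
	fmt.Printf("honest=%v alteredMsg=%v alteredSig=%v eveSigned=%v err=%v\n", honest, am, as, es, err)
}
```

The check that matters for the "everyone knows K" prerequisite is how Bob obtained K in the first place: the scheme proves that whoever holds k produced (m, s), and binding that k to "Alice" is the job of certificates, key pinning or an out-of-band fingerprint check, not of the signature itself.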
Public-key encryption

Alice: m -> c -> Eve -> c -> Bob: m

- Alice uses Bob's public key K to encrypt.
- Bob uses his secret key k to decrypt.
Public-key authenticated encryption ("DH" data flow)

- Prerequisite: Alice has a secret key and public key.
- Prerequisite: Bob has a secret key and public key.
- Alice and Bob exchange any number of messages.
- Security goal #1: Confidentiality.
- Security goal #2: Integrity.
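The "DH data flow" of this slide, as an added example that is not part of the talk: each side combines its own secret key with the other's public key over X25519 (Curve25519, named on the summary slide), both arrive at the same symmetric key, and that key drives AES-GCM for the actual messages. SHA-256 over the raw shared secret stands in for a proper KDF (TLS and Signal use HKDF) so the example stays in Go's standard library (crypto/ecdh, Go 1.20 or newer); the message is constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Party holds one long-term key pair: k is secret, K is public.
type Party struct {
	k *ecdh.PrivateKey
	K *ecdh.PublicKey
}

func NewParty() (*Party, error) {
	k, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{k: k, K: k.PublicKey()}, nil
}

// SessionKey is the DH step: own secret key combined with the peer's public
// key. Alice and Bob obtain the same 32 bytes; Eve, holding only public keys,
// cannot. SHA-256 here is a stand-in for a real KDF such as HKDF.
func (p *Party) SessionKey(peer *ecdh.PublicKey) ([]byte, error) {
	shared, err := p.k.ECDH(peer)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(shared)
	return sum[:], nil
}

// gcm is the symmetric AEAD layer built on the agreed key.
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Demo: Alice seals under the key from (her k, Bob's K); Bob opens under the
// key from (his k, Alice's K); Eve derives a key from (her own k, Alice's K)
// and fails to open.
func Demo() (sameKey, bobReads, eveFails bool, err error) {
	alice, err := NewParty()
	if err != nil {
		return
	}
	bob, err := NewParty()
	if err != nil {
		return
	}
	eve, err := NewParty()
	if err != nil {
		return
	}

	kAB, err := alice.SessionKey(bob.K)
	if err != nil {
		return
	}
	kBA, err := bob.SessionKey(alice.K)
	if err != nil {
		return
	}
	sameKey = bytes.Equal(kAB, kBA)

	msg := []byte("meet at 10:00") // constructed sample message
	nonce := make([]byte, 12)       // GCM nonce, sent alongside the ciphertext
	if _, err = rand.Read(nonce); err != nil {
		return
	}
	aeadA, err := gcm(kAB)
	if err != nil {
		return
	}
	ct := aeadA.Seal(nil, nonce, msg, nil)

	aeadB, err := gcm(kBA)
	if err != nil {
		return
	}
	pt, openErr := aeadB.Open(nil, nonce, ct, nil)
	bobReads = openErr == nil && bytes.Equal(pt, msg)

	kEA, err := eve.SessionKey(alice.K)
	if err != nil {
		return
	}
	aeadE, err := gcm(kEA)
	if err != nil {
		return
	}
	_, openErr = aeadE.Open(nil, nonce, ct, nil)
	eveFails = openErr != nil
	return
}

func main() {
	same, bob, eve, err := Demo()
	fmt.Printf("same key: %v, Bob reads: %v, Eve fails: %v, err: %v\n", same, bob, eve, err)
}
```

Integrity (goal #2) comes from the key derivation: only a holder of Alice's or Bob's secret key can produce a ciphertext that opens under this key, so Bob knows the message came from Alice (or from himself). The caveat is forward secrecy: with long-term keys only, a later compromise of either k decrypts every recorded session, which is why TLS 1.3 and Signal use fresh ephemeral DH keys per session and authenticate them with signatures or long-term DH keys.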
Cryptographic tools

Many factors influence the security and privacy of data:
- Secure storage, physical security; access control.
- Protection against alteration of data ⇒ public-key signatures, message-authentication codes.
- Protection of sensitive content against reading ⇒ encryption.

Many more security goals studied in cryptography:
- Protecting against denial of service.
- Stopping traffic analysis.
- Securely tallying votes.
- Searching in and computing on encrypted data.
- . . .
Cryptanalysis

- Cryptanalysis is the study of security of cryptosystems.
- Breaking a system can mean that the hardness assumption was not hard or that it just was not as hard as previously assumed.
- Cryptanalysis is ultimately constructive: ensure that secure systems get used.
- Weakened crypto ultimately backfires: attacks in 2018 because of crypto wars in the 90s.
- Good arsenal of general approaches to cryptanalysis. There are some automated tools.
- This area is constantly under development; researchers revisit all systems continuously.
Security assumptions

- Hardness assumptions at the basis of all public-key and essentially all symmetric-key systems result from (failed) attempts at breaking systems. Security proofs are built only on top of those assumptions.
- A solid symmetric system is required to be as strong as exhaustive key search, i.e., the best known attack must be no faster than trying every key.
- For public-key systems the best attacks are faster than exhaustive key search. Parameters are chosen to ensure that the best attack is infeasible.
Key size recommendations (sizes in bits; "Near term" and "Long term" are the columns for future system use)

| Parameter | Legacy | Near term | Long term |
|---|---|---|---|
| Symmetric key size k | 80 | 128 | 256 |
| Hash function output size m | 160 | 256 | 512 |
| MAC output size m | 80 | 128 | 256 |
| RSA problem ℓ(n) ≥ | 1024 | 3072 | 15360 |
| Finite field DLP ℓ(p^n) ≥ | 1024 | 3072 | 15360 |
| Finite field DLP ℓ(p), ℓ(q) ≥ | 160 | 256 | 512 |
| ECDLP ℓ(q) ≥ | 160 | 256 | 512 |
| Pairing ℓ(p^(k·n)) ≥ | 1024 | 6144 | 15360 |
| Pairing ℓ(p), ℓ(q) ≥ | 160 | 256 | 512 |

- Source: ECRYPT-CSA "Algorithms, Key Size and Protocols Report" (2018).
- These recommendations take into account attacks known today.
- Use extrapolations to larger problem sizes.
- Attacker power typically limited to 2^128 operations (less for legacy).
- More to come on long-term security . . .
Attackers exploit physical reality

- 1996 Kocher: Typical crypto is broken by side channels.
- Side channels can be any information obtainable on the computation:
  - Time taken.
  - Power consumption (total or over time).
  - Electro-magnetic radiation.
  - Noise, heat, light emission.
- If this information is related to secret information, an attacker might be able to learn the secret (many measurements, statistics, machine learning).
- Response: Hundreds of papers on side-channel defenses and on attacks and on more defenses.
- It is important to study what information is leaked for any given hardware; build a good model.
- Modify the implementation so that no/less information is leaked.
- CHES (Cryptographic Hardware and Embedded Systems) conference is the main publication venue.

Tanja Lange https://pqcrypto.eu.org Introduction 19
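The "time taken" channel from this slide, as an added example that is not part of the talk: a MAC-tag comparison that returns at the first mismatching byte runs longer the more leading bytes of the guess are right, so an attacker who can submit guesses and time the check recovers the tag one byte at a time. The simulation below counts loop iterations in place of measured time; the tag is a constructed 8-byte value. The hardened variant uses crypto/subtle, whose comparison does the same amount of work for every input.

```go
package main

import (
	"bytes"
	"crypto/subtle"
	"fmt"
)

// LeakyEqual is the textbook-wrong tag check: it returns at the first
// mismatching byte, so the work done (steps, standing in for measured time)
// is 1 + the length of the correct prefix of the guess.
func LeakyEqual(secret, guess []byte) (equal bool, steps int) {
	if len(secret) != len(guess) {
		return false, 0
	}
	for i := range secret {
		steps++
		if secret[i] != guess[i] {
			return false, steps
		}
	}
	return true, steps
}

// ConstantTimeEqual does the same job with crypto/subtle: every byte is
// examined regardless of where the first difference is, so the time carries
// no information about the secret. steps is always len(secret).
func ConstantTimeEqual(secret, guess []byte) (equal bool, steps int) {
	return subtle.ConstantTimeCompare(secret, guess) == 1, len(secret)
}

// RecoverTag is Eve. She can only submit guesses and observe accept/reject
// plus the timing. Position by position she tries all 256 byte values and
// keeps the one that makes the comparison run one step further.
func RecoverTag(oracle func(guess []byte) (bool, int), n int) (tag []byte, queries int) {
	tag = make([]byte, n)
	for pos := 0; pos < n; pos++ {
		for b := 0; b < 256; b++ {
			tag[pos] = byte(b)
			accepted, steps := oracle(tag)
			queries++
			// steps > pos+1 means the comparison moved past position pos,
			// i.e. byte pos is correct; accepted covers the final byte.
			if accepted || steps > pos+1 {
				break
			}
		}
	}
	return tag, queries
}

// Demo runs the attack against both comparison routines on a constructed
// 8-byte tag. Against the leaky check at most 8*256 = 2048 queries are
// needed instead of 2^64; against the constant-time check the timing says
// nothing and the attack fails.
func Demo() (leakyRecovered bool, leakyQueries int, constantTimeRecovered bool) {
	secret := []byte{0x8f, 0x13, 0xa0, 0x42, 0x77, 0x05, 0xee, 0x31} // constructed MAC tag

	got, q := RecoverTag(func(g []byte) (bool, int) { return LeakyEqual(secret, g) }, len(secret))
	leakyRecovered = bytes.Equal(got, secret)
	leakyQueries = q

	got2, _ := RecoverTag(func(g []byte) (bool, int) { return ConstantTimeEqual(secret, g) }, len(secret))
	constantTimeRecovered = bytes.Equal(got2, secret)
	return
}

func main() {
	r, q, ct := Demo()
	fmt.Printf("leaky check: recovered=%v after %d queries; constant-time check: recovered=%v\n", r, q, ct)
}
```

On real hardware the step count becomes nanoseconds buried in noise, which is where the slide's "many measurements, statistics" come in: the attacker repeats each guess and compares averages. That is also why the fix is not "add jitter" but removing the dependence between secret data and execution time, as crypto/subtle does; the same rule applies to branches and memory accesses indexed by secrets.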
Summary: current state of the art

- Currently used crypto (check the lock icon in your browser) starts with RSA, Diffie-Hellman (DH) in finite fields, or elliptic-curve ECDH.
- Older standards are RSA or elliptic curves from NIST (or Brainpool), e.g. NIST P-256 or ECDSA.
- Internet currently moving over to Curve25519 (Bernstein) and Ed25519 (Bernstein, Duif, Lange, Schwabe, and Yang).
- For symmetric crypto TLS (the protocol behind https) uses AES or ChaCha20 and some MAC, e.g. AES-GCM or ChaCha20-Poly1305. High-end devices have hardware support for AES-GCM; smaller ones do better with ChaCha20-Poly1305.
- Security is getting better. Some obstacles: bugs; untrustworthy hardware; let alone anti-security measures such as backdoors.
D-Wave quantum computer isn't universal . . .

- Can't store stable qubits.
- Can't perform basic qubit operations.
- Can't run Shor's algorithm.
- Can't run other quantum algorithms we care about.
- Hasn't managed to find any computation justifying its price.
- Hasn't managed to find any computation justifying 1% of its price.
. . . but universal quantum computers are coming . . .

- Massive research effort. Tons of progress summarized in, e.g., https://en.wikipedia.org/wiki/Timeline_of_quantum_computing.
- Mark Ketchen, IBM Research, 2012, on quantum computing: "We're actually doing things that are making us think like, 'hey this isn't 50 years off, this is maybe just 10 years off, or 15 years off.' It's within reach."
- Fast-forward to 2022, or 2027. Universal quantum computers exist.
- Shor's algorithm solves in polynomial time:
  - Integer factorization. RSA is dead.
  - The discrete-logarithm problem in finite fields. DSA is dead.
  - The discrete-logarithm problem on elliptic curves. ECDSA is dead.
- This breaks all current public-key cryptography on the Internet!
- Also, Grover's algorithm speeds up brute-force searches.
- Example: Only 2^64 quantum operations to break AES-128; 2^128 quantum operations to break AES-256.
Physical cryptography: a return to the dark ages

- Imagine a lockable-briefcase salesman proposing a "locked-briefcase Internet" using "provably secure locked-briefcase cryptography":
  - Alice puts secret information into a lockable briefcase.
  - Alice locks the briefcase.
  - A courier transports the briefcase from Alice to Bob.
  - Bob unlocks the briefcase and retrieves the information.
  - There is a mathematical proof that the information is hidden!
  - Throw away algorithmic cryptography!
- Most common reactions from security experts:
  - This would make security much worse.
  - You can't do signatures.
  - This would be insanely expensive.
  - We should not dignify this proposal with a response.
Security advantages of algorithmic cryptography
- Keep secrets heavily shielded inside authorized computers.
- Reduce trust in third parties:
  - Reduce reliance on closed-source software and hardware.
  - Increase comprehensiveness of audits.
  - Increase comprehensiveness of formal verification.
  - Design systems to be secure even if algorithm and public keys are public. Critical example: signed software updates.
- Understand security as thoroughly as possible:
  - Publish comprehensive specifications.
  - Build large research community with clear security goals.
  - Publicly document attack efforts.
  - Require systems to convincingly survive many years of analysis.
History of post-quantum cryptography
- 2003 Daniel J. Bernstein introduces term Post-quantum cryptography.
- PQCrypto 2006: International Workshop on Post-Quantum Cryptography.
- PQCrypto 2008, PQCrypto 2010, PQCrypto 2011, PQCrypto 2013.
- 2014 EU publishes H2020 call including post-quantum crypto as topic.
- ETSI working group on “Quantum-safe” crypto.
- PQCrypto 2014.
- April 2015 NIST hosts first workshop on post-quantum cryptography.
- August 2015 NSA wakes up.
NSA announcements
August 11, 2015:
IAD recognizes that there will be a move, in the not distant future, to a quantum resistant algorithm suite.
August 19, 2015:
IAD will initiate a transition to quantum resistant algorithms in the not too distant future.
NSA comes late to the party and botches its grand entrance.
Worse, now we get people saying “Don’t use post-quantum crypto, the NSA wants you to use it!”. Or “NSA says NIST P-384 is post-quantum secure”. Or “NSA has abandoned ECC.”
Post-quantum becoming mainstream
- PQCrypto 2016: 22–26 Feb in Fukuoka, Japan, > 200 people.
- NIST called for post-quantum proposals (deadline Nov 2017).
- 82 submissions; big effort to analyze, implement, prove, . . .
Confidence-inspiring crypto takes time to build
- Many stages of research from cryptographic design to deployment:
  - Explore space of cryptosystems.
  - Study algorithms for the attackers.
  - Focus on secure cryptosystems.
  - Study algorithms for the users.
  - Study implementations on real hardware.
  - Study side-channel attacks, fault attacks, etc.
  - Focus on secure, reliable implementations.
  - Focus on implementations meeting performance requirements.
  - Integrate securely into real-world applications.
- Example: ECC introduced 1985; big advantages over RSA. Robust ECC started to take over the Internet in 2015.
- Can’t wait for quantum computers before finding a solution!
Even higher urgency for long-term confidentiality
- Today’s encrypted communication is being stored by attackers and will be decrypted years later with quantum computers. Danger for human-rights workers, medical records, journalists, security research, legal proceedings, state secrets, . . .
- Signature schemes can be replaced once a quantum computer is built – but there will not be a public announcement . . . and an important function of signatures is to protect operating system upgrades.
- Protect your upgrades now with post-quantum signatures.
Standardize now? Standardize later?
- Standardize now!
  - Rolling out crypto takes long time.
  - Standards are important for adoption (?)
  - Need to be up & running when quantum computers come.
- Standardize later!
  - Current options are not satisfactory.
  - Once rolled out, it’s hard to change systems.
  - Please wait for the research results, will be much better!
- But what about users who rely on long-term secrecy of today’s communication?
- Recommend now, standardize later.
  - Recommend very conservative systems now; users who care will accept performance issues and gladly update to faster/smaller options later.
  - But: standardization takes lots of time, so start standardization processes now.
Urgency of post-quantum recommendations
- All currently used public-key systems on the Internet are broken by quantum computers.
- Today’s encrypted communication can be (and is being!) stored by attackers and can be decrypted later with a quantum computer – think of medical records, legal proceedings, and state secrets.
- Post-quantum secure cryptosystems exist (to the best of our knowledge) but are under-researched – we can recommend secure systems now, but they are big and slow, hence the logo of the PQCRYPTO project.
- PQCRYPTO is an EU project in H2020, running 2015 – 2018.
- PQCRYPTO is designing a portfolio of high-security post-quantum public-key systems, and will improve the speed of these systems, adapting to the different performance challenges of mobile devices, the cloud, and the Internet.
Initial recommendations of long-term secure post-quantum systems
Daniel Augot, Lejla Batina, Daniel J. Bernstein, Joppe Bos, Johannes Buchmann, Wouter Castryck, Orr Dunkelman, Tim Güneysu, Shay Gueron, Andreas Hülsing, Tanja Lange, Mohamed Saied Emam Mohamed, Christian Rechberger, Peter Schwabe, Nicolas Sendrier, Frederik Vercauteren, Bo-Yin Yang
Initial recommendations
- Symmetric encryption (thoroughly analyzed, 256-bit keys):
  - AES-256
  - Salsa20 with a 256-bit key
  Evaluating: Serpent-256, . . .
- Symmetric authentication (information-theoretic MACs):
  - GCM using a 96-bit nonce and a 128-bit authenticator
  - Poly1305
- Public-key encryption (McEliece with binary Goppa codes):
  - length n = 6960, dimension k = 5413, t = 119 errors
  Evaluating: QC-MDPC, Stehlé-Steinfeld NTRU, . . .
- Public-key signatures (hash-based, minimal assumptions):
  - XMSS with any of the parameters specified in CFRG draft
  - SPHINCS-256
  Evaluating: HFEv-, . . .
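The recommendations above pick hash-based signatures (XMSS, SPHINCS-256) for signing, and the earlier slides name signed software updates as the critical case to protect now. The following Python is an added illustration, not code from the slides, from XMSS or SPHINCS, or from the PQCRYPTO project: Lamport one-time signatures hung under a Merkle tree, which is the skeleton XMSS is built on (XMSS replaces Lamport with WOTS+ and adds bitmasks and tweakable hashing). Assumed here: SHA-256 as the only primitive, tree height 3 (eight signatures per public key), a constructed firmware image as the message, and the names MerkleSigner and merkle_verify, which are this example's own.

```python
"""Toy hash-based signature: Lamport one-time keys under a Merkle tree.

Added illustration of the XMSS/SPHINCS skeleton, not code from the slides,
from those schemes, or from the PQCRYPTO project.  Assumed: SHA-256 is the
only primitive; tree height 3 (8 signatures per root); the message is a
constructed firmware image.  Real XMSS swaps Lamport for WOTS+ and adds
bitmasks and tweakable hashing; the state handling below is the same.
"""
import hashlib
import secrets

N = 32            # SHA-256 output bytes
BITS = 8 * N      # digest bits = number of (x0, x1) preimage pairs per key


def h(*parts):
    return hashlib.sha256(b"".join(parts)).digest()


def lamport_keygen(rng=secrets.token_bytes):
    """Secret key: 256 pairs of random preimages; public key: their hashes."""
    sk = [(rng(N), rng(N)) for _ in range(BITS)]
    pk = [(h(a), h(b)) for a, b in sk]
    return sk, pk


def pk_digest(pk):
    """Compress a 16 KB Lamport public key into one Merkle leaf."""
    return h(*[a + b for a, b in pk])


def digest_bits(msg):
    d = hashlib.sha256(msg).digest()
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(BITS)]


def lamport_sign(sk, msg):
    """Reveal, per digest bit, exactly one preimage of the pair.  Signing a
    second message with the same sk leaks more preimages: strictly one-time."""
    return [sk[i][bit] for i, bit in enumerate(digest_bits(msg))]


def lamport_verify(pk, msg, sig):
    if len(sig) != BITS:
        return False
    return all(h(sig[i]) == pk[i][bit] for i, bit in enumerate(digest_bits(msg)))


class MerkleSigner:
    """Many-time signer: 2^height Lamport keys hashed into a Merkle tree.
    self.root is the long-term public key.  self.next_leaf is security-
    critical state: it must be persisted before a signature is released."""

    def __init__(self, height=3):
        self.height = height
        self.keys = [lamport_keygen() for _ in range(1 << height)]
        level = [pk_digest(pk) for _, pk in self.keys]
        self.levels = [level]
        while len(level) > 1:
            level = [h(level[i], level[i + 1]) for i in range(0, len(level), 2)]
            self.levels.append(level)
        self.root = level[0]
        self.next_leaf = 0

    def sign(self, msg):
        if self.next_leaf >= 1 << self.height:
            raise RuntimeError("all one-time keys consumed; generate a new tree")
        leaf = self.next_leaf
        self.next_leaf += 1                     # advance state first
        sk, pk = self.keys[leaf]
        auth, i = [], leaf
        for level in self.levels[:-1]:          # siblings along the path to root
            auth.append(level[i ^ 1])
            i >>= 1
        return {"leaf": leaf, "ots": lamport_sign(sk, msg), "pk": pk, "auth": auth}


def merkle_verify(root, msg, sig):
    """Check the one-time signature, then recompute the root from the leaf."""
    if not lamport_verify(sig["pk"], msg, sig["ots"]):
        return False
    node, i = pk_digest(sig["pk"]), sig["leaf"]
    for sibling in sig["auth"]:
        node = h(node, sibling) if i % 2 == 0 else h(sibling, node)
        i >>= 1
    return node == root


if __name__ == "__main__":
    signer = MerkleSigner(height=3)
    image = b"constructed sample: firmware image v1.2"   # constructed input
    sig = signer.sign(image)
    print("valid update:", merkle_verify(signer.root, image, sig))
    print("tampered update:", merkle_verify(signer.root, image + b"\x00", sig))
```

The only assumption is that SHA-256 is one-way and collision-resistant, which is what "minimal assumptions" on the slide means; Grover-type search still costs about 2^128 to invert a 256-bit hash. The price is state: next_leaf has to be written to durable storage before the signature leaves the machine, because two messages signed under one Lamport key reveal preimages from both halves of the pairs. The toy sizes (8 KB signature, 16 KB one-time public key) are what WOTS+ in XMSS and the few-time layer in SPHINCS are designed to shrink.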
Systems expected to survive
- Code-based crypto, see talks by Daniel Loebenberger.
- Hash-based signatures, see talks by Stefan-Lukas Gazdag.
- Isogeny-based crypto: new kid on the block, promising short keys and key exchange without communication (static-static) as possibility; needs more research on security; not covered here.
- Lattice-based crypto, see talk by Vadim Lyubashevsky.
- Multivariate crypto, not covered here.
- Symmetric crypto.
Maybe some more, maybe some less.
Post-quantum secret-key authenticated encryption
[Diagram: encryption takes (m, k) to c; decryption takes (c, k) back to m]
- Very easy solutions if secret key k is long uniform random string:
  - “One-time pad” for encryption.
  - “Wegman–Carter MAC” for authentication.
- AES-256: Standardized method to expand 256-bit k into string indistinguishable from long k.
- AES introduced in 1998 by Daemen and Rijmen. Security analyzed in papers by dozens of cryptanalysts.
- No credible threat from quantum algorithms. Grover costs 2^128.
- Some recent results assume attacker has quantum access to computation, then some systems are weaker . . . but I’d know if my laptop had turned into a quantum computer.
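The two "very easy solutions" above, assembled into a small authenticated-encryption scheme, as an added Python example that is not code from the slides or the PQCRYPTO project. It assumes the prime P = 2^127 - 1 rather than Poly1305's 2^130 - 5, 15-byte chunks, a 16-byte tag, and HMAC-SHA256 in counter mode as a stand-in for the AES-256 expansion the slide describes (chosen only to stay inside the Python standard library; it is not the recommended construction). The long key is laid out as pad || r || s, and the main loop also shows the failure mode: reusing the pad for a second message hands the attacker m XOR m2.

```python
"""Toy one-time pad + Wegman-Carter authenticated encryption.

Added example, not code from the slides or the PQCRYPTO project.  Assumed:
prime P = 2^127 - 1 (Poly1305 uses 2^130 - 5), 15-byte chunks, 16-byte tag,
and HMAC-SHA256 in counter mode as a stand-in for the AES-256 expansion of
a 256-bit key into the long key the scheme needs.
"""
import hashlib
import hmac

P = (1 << 127) - 1     # Mersenne prime; hash key r and tag pad s live in GF(P)
CHUNK = 15             # 0x01 || 15 data bytes < 2^121 < P, so chunks map injectively
TAG = 16


def xor_bytes(a, b):
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def poly_hash(r, data):
    """Universal hash: the message as a polynomial evaluated at r in GF(P).
    Two distinct messages of at most L chunks collide for at most L values
    of r, so the forgery probability per attempt is about L / P."""
    acc = 0
    for i in range(0, len(data), CHUNK):
        c = int.from_bytes(b"\x01" + data[i:i + CHUNK], "big")  # 0x01 encodes length
        acc = (acc + c) * r % P
    return acc


def wc_tag(r, s, data):
    """Wegman-Carter: tag = hash_r(data) + s in GF(P); s is used exactly once."""
    return ((poly_hash(r, data) + s) % P).to_bytes(TAG, "big")


def expand_key(k, nbytes):
    """Stand-in for the slide's AES-256 step: stretch a short key into a long
    pseudorandom string.  HMAC-SHA256/counter keeps this in the stdlib; it
    is not the recommended AES-256 construction."""
    out, ctr = b"", 0
    while len(out) < nbytes:
        out += hmac.new(k, ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:nbytes]


def split_key(longkey, mlen):
    """Lay the long key out as: pad (mlen bytes) || r (16 bytes) || s (16 bytes)."""
    if len(longkey) < mlen + 2 * TAG:
        raise ValueError("long key too short for this message")
    pad = longkey[:mlen]
    r = int.from_bytes(longkey[mlen:mlen + TAG], "big") % P   # bias 2^-127, negligible
    s = int.from_bytes(longkey[mlen + TAG:mlen + 2 * TAG], "big") % P
    return pad, r, s


def encrypt(longkey, m):
    pad, r, s = split_key(longkey, len(m))
    c = xor_bytes(m, pad)              # one-time pad
    return c + wc_tag(r, s, c)         # MAC the ciphertext, not the plaintext


def decrypt(longkey, ct):
    if len(ct) < TAG:
        raise ValueError("ciphertext shorter than a tag")
    c, tag = ct[:-TAG], ct[-TAG:]
    pad, r, s = split_key(longkey, len(c))
    if not hmac.compare_digest(tag, wc_tag(r, s, c)):
        raise ValueError("authentication failed")   # never decrypt unverified data
    return xor_bytes(c, pad)


if __name__ == "__main__":
    k = bytes(range(32))                                # constructed 256-bit key
    m = b"constructed sample: patient 42, diagnosis pending"
    longkey = expand_key(k, len(m) + 2 * TAG)
    ct = encrypt(longkey, m)
    print("round trip:", decrypt(longkey, ct) == m)
    m2 = b"x" * len(m)                                  # second message, same pad
    c1, c2 = encrypt(longkey, m)[:len(m)], encrypt(longkey, m2)[:len(m)]
    print("pad reuse leaks m XOR m2:", xor_bytes(c1, c2) == xor_bytes(m, m2))
```

Each message needs its own pad and its own s from a fresh part of the long key (r may be shared across messages, which is how Poly1305 is used inside a session); with a truly uniform key the secrecy of the pad and the unforgeability of the tag are information-theoretic, and once the long key comes from AES-256 the security reduces to AES-256 being a good PRF, which is the 2^128 Grover bound the slide quotes.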
Further resources
- https://pqcrypto.org: Our survey site.
  - Many pointers: e.g., PQCrypto conference series.
  - Bibliography for 4 major PQC systems.
  - PQCrypto 2016 with slides and videos from lectures (incl. winter school).
  - PQCrypto 2017.
- https://pqcrypto.eu.org: PQCRYPTO EU project.
  - Expert recommendations.
  - Free software libraries.
  - More benchmarking to compare cryptosystems.
- https://twitter.com/pqc_eu: PQCRYPTO Twitter feed.
- https://2017.pqcrypto.org/school: PQCRYPTO summer school with 21 lectures on video + slides + exercises.
- https://2017.pqcrypto.org/exec: Executive school (12 lectures), less math, more overview. So far slides, soon videos.
- https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions: NIST PQC competition.