SAFEcrypto: Secure Architectures of Future Emerging cryptography · 2016. 9. 30.
SAFEcrypto: Secure Architectures of Future Emerging cryptography
Ciara Rafferty
Queen’s University Belfast
20 September 2016
This project has received funding from the European Union H2020 research and innovation programme under grant agreement No 644729 www.SAFEcrypto.eu @SAFEcrypto
www.safecrypto.eu | @safecrypto
Outline of Talk
• Project goal and main objectives
• SAFEcrypto Case Studies
- Satellite Communications
- Public Safety Communication
- Municipal Data Analytics
• Research output: LWE vs ring-LWE
• Challenges for LBC Hardware/Software Implementations
• Summary of outcomes to date
• Conclusion & Future Work Plans
SAFEcrypto Project
• 4-year project - commenced in January 2015
• Academic partners
– Institut National de Recherche en Informatique et en Automatique (France)
– Queen’s University Belfast (UK)
– Ruhr-Universitaet Bochum (Germany)
– Universita Della Svizzera Italiana (Switzerland)
• Industry partners
– EMC/RSA
– HWCommunications Ltd
– Thales
Overall Goal
SAFEcrypto will provide a new generation of practical, robust and physically secure post-quantum cryptographic solutions that ensure long-term security for future ICT systems, services and applications.
Quantum-Safe Cryptography
Lattice-based Cryptography (LBC) emerging as a very promising PQ candidate
• LBC encryption and digital signatures already practical & efficient
- NTRUEncrypt has existed since 1996 with no significant attacks to date
- Recent LBC signature schemes shown to outperform RSA signature schemes
• Underlying operations can be implemented efficiently
• Allows for other constructions/applications beyond encryption/signatures
- Identity-based encryption (IBE)
- Attribute-based encryption (ABE)
- Fully homomorphic encryption (FHE)
Summary of Objectives
1. Investigate practicality of LBC primitives (digital signatures, authentication, IBE and ABE) to determine their fit-for-purpose in real-world applications
2. Design and implement hardware & software architectures of LBC primitives that will fulfill the needs of a wide range of applications
3. Investigate the physical security of the LBC implementations to protect against leakage of sensitive information via side channel and fault attacks
4. Evaluate LBC in current secure comms. protocols, such as TLS, IPSec
5. Deliver proof-of-concept demonstrators of LBC primitives applied to 3 case-studies:
• Satellite Communications
• Public Safety Communication
• Municipal Data Analytics
Case Studies
1. Satellite Communications
• Security and key management vital within satellite systems
• Currently:
- Systems owned and operated by one organisation
- Symmetric key crypto exclusively used
• In future:
- Repurposing of satellites and sharing of infrastructure
- Number of space-based entities, missions & number/variety of end users will increase
- Public key cryptography will be used
• Given the longevity of satellite systems, public key solutions need to withstand attacks for 10-40 years
=> ideal case study for post-quantum cryptography
2. Public Safety Communications
• Traditionally public safety comms relied on the security of bespoke systems and closed networks.
• Future systems seeking to use COTS technology.
- LTE identified as a potential network layer solution
- The browser application WebRTC may be used (uses the DTLS protocol)
• Public safety comms technology may not be refreshed for up to 30 years…
=> need to provide long-term security assurances, e.g. via post-quantum cryptography
3. Municipal Data Analytics
• Significant benefits possible through collaborative analytics of large government-owned data sets
• Needs appropriate management of accessibility & privacy of the info
• Group key management a key requirement
• Need for long-term protection of personal & sensitive info within data sets
SAFEcrypto will provide:
- LBC key management approaches to manage access to data through group keys, broadcast keys, etc.
- A practical lattice-based ABE scheme
Lattice-Based Cryptography Building Blocks
• Matrix-vector multiplication for standard lattices
• Polynomial multiplication for ideal lattices
• Discrete Gaussian sampling
- Bernoulli sampling
- Cumulative Distribution Table (CDT) sampling
- Knuth-Yao sampling
- Ziggurat sampling
Recent work in SAFEcrypto:
- Proposes that the precision of Gaussian samplers (2^-λ for λ-bit security) can be reduced from λ = 128 to λ = 64 with negligible effect on security (Saarinen, Cryptology ePrint Archive, Report 2015/953, 2015)
LWE vs Ring-LWE
• Currently two popular lattice-based problems for cryptography are the Learning With Errors (LWE) problem and the Ring-LWE problem
Standard-LWE:
- Large key sizes required (size N^2)
- Matrix-vector multiplications required
- Security is based on the LWE problem
Ring-LWE:
- Reduced key sizes can be used due to the ideal lattice assumption (size N)
- Reduces computations to polynomial multiplication, allowing use of fast NTT multiplication
- Security is based on the LWE problem with an additional security assumption to use an ideal lattice structure
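The key-size and multiplication difference between the two problems can be seen by running both variants side by side. The following is an added example, not SAFEcrypto code: a Lindner-Peikert style encryption scheme written once over a standard lattice (an n x n public matrix A, matrix-vector products, one message bit per ciphertext) and once over an ideal lattice (a single public polynomial a, products in Z_q[x]/(x^n + 1), n message bits per ciphertext), using the page's parameters n = 256, q = 4096, sigma = 3.39 by default. Two simplifications are this example's own assumptions: noise is a rounded continuous Gaussian rather than the output of a discrete Gaussian sampler, and schoolbook polynomial multiplication stands in for the NTT. With public keys counted as (A, P) versus (a, p) at 12 bits per entry, the size ratio comes out at about x128 for n = 256, which is the figure the hardware table on this page quotes.

```python
"""Standard-LWE and ring-LWE encryption side by side (added example, not project code)."""
import random

# Parameters from the page's results table; smaller values may be passed to demo().
N, Q, SIGMA = 256, 4096, 3.39


def gauss_vec(n, sigma, rng):
    """Small-noise vector: rounded continuous Gaussian (a simplification of a discrete sampler)."""
    return [round(rng.gauss(0.0, sigma)) for _ in range(n)]


def decode(v, q):
    """A coordinate nearer q/2 than 0 carries bit 1; noise of magnitude below q/4 is tolerated."""
    return 1 if q // 4 < v % q <= 3 * q // 4 else 0


# ---- standard LWE: matrix-vector products, one bit per ciphertext -------------------------
def lwe_keygen(n, q, sigma, rng):
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(n)]     # n*n public entries
    r1, r2 = gauss_vec(n, sigma, rng), gauss_vec(n, sigma, rng)     # r2 is the secret key
    P = [(r1[i] - sum(A[i][j] * r2[j] for j in range(n))) % q for i in range(n)]
    return (A, P), r2


def lwe_encrypt(pk, bit, n, q, sigma, rng):
    A, P = pk
    e1, e2 = gauss_vec(n, sigma, rng), gauss_vec(n, sigma, rng)
    e3 = round(rng.gauss(0.0, sigma))
    c1 = [(sum(e1[i] * A[i][j] for i in range(n)) + e2[j]) % q for j in range(n)]  # e1^T A + e2
    c2 = (sum(e1[i] * P[i] for i in range(n)) + e3 + bit * (q // 2)) % q         # e1^T P + e3 + enc
    return c1, c2


def lwe_decrypt(sk, ct, n, q):
    c1, c2 = ct
    # c1.r2 + c2 = e1.r1 + e2.r2 + e3 + bit*q/2: the A terms cancel, only small noise remains
    return decode(sum(c1[j] * sk[j] for j in range(n)) + c2, q)


# ---- ring-LWE: polynomial products, n bits per ciphertext -------------------------------
def poly_mul(a, b, n, q):
    """Schoolbook product in Z_q[x]/(x^n + 1); x^n wraps around as -1 (negacyclic)."""
    out = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k = i + j
            if k < n:
                out[k] += ai * bj
            else:
                out[k - n] -= ai * bj
    return [c % q for c in out]


def poly_add(a, b, q):
    return [(x + y) % q for x, y in zip(a, b)]


def rlwe_keygen(n, q, sigma, rng):
    a = [rng.randrange(q) for _ in range(n)]                         # n public entries
    r1, r2 = gauss_vec(n, sigma, rng), gauss_vec(n, sigma, rng)     # r2 is the secret key
    p = [(x - y) % q for x, y in zip(r1, poly_mul(a, r2, n, q))]     # p = r1 - a*r2
    return (a, p), r2


def rlwe_encrypt(pk, bits, n, q, sigma, rng):
    a, p = pk
    e1, e2, e3 = (gauss_vec(n, sigma, rng) for _ in range(3))
    c1 = poly_add(poly_mul(e1, a, n, q), e2, q)
    c2 = poly_add(poly_mul(e1, p, n, q), poly_add(e3, [b * (q // 2) for b in bits], q), q)
    return c1, c2


def rlwe_decrypt(sk, ct, n, q):
    c1, c2 = ct
    return [decode(v, q) for v in poly_add(poly_mul(c1, sk, n, q), c2, q)]


def public_key_bits(n, q, ring):
    """Public key size at ceil(log2 q) bits per entry: (A, P) for LWE, (a, p) for ring-LWE."""
    entries = 2 * n if ring else n * n + n
    return entries * (q - 1).bit_length()


def demo(n=N, q=Q, sigma=SIGMA, seed=0):
    rng = random.Random(seed)   # seeded for reproducibility; a real system uses a CSPRNG
    pk, sk = lwe_keygen(n, q, sigma, rng)
    bits = [rng.randrange(2) for _ in range(8)]
    lwe_ok = all(lwe_decrypt(sk, lwe_encrypt(pk, b, n, q, sigma, rng), n, q) == b for b in bits)
    pk_r, sk_r = rlwe_keygen(n, q, sigma, rng)
    msg = [rng.randrange(2) for _ in range(n)]
    rlwe_ok = rlwe_decrypt(sk_r, rlwe_encrypt(pk_r, msg, n, q, sigma, rng), n, q) == msg
    return {"lwe_ok": lwe_ok, "rlwe_ok": rlwe_ok,
            "lwe_pk_bits": public_key_bits(n, q, ring=False),
            "rlwe_pk_bits": public_key_bits(n, q, ring=True)}


if __name__ == "__main__":
    r = demo()
    print(f"LWE decrypts correctly: {r['lwe_ok']}, ring-LWE: {r['rlwe_ok']}")
    print(f"public key: LWE {r['lwe_pk_bits']} bits vs ring-LWE {r['rlwe_pk_bits']} bits "
          f"(x{r['lwe_pk_bits'] / r['rlwe_pk_bits']:.1f})")
```

The decryption step shows why the page stresses parameter choice: what survives after the A (or a) terms cancel is the noise e1.r1 + e2.r2 + e3, and decoding is only correct while it stays below q/4, so sigma, n and q together fix both the security level and the decryption failure probability. Replacing the rounded-Gaussian helper with a CDT sampler and poly_mul with an NTT changes nothing in the arithmetic above, only its cost.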
Hardware LBC Implementations: LWE vs Ring-LWE Encryption

Operation and Algorithm           Device    LUT/FF/SLICE     BRAM/DSP  MHz  Cycles   Ops/s
LWE Encrypt (λ = 128)             S6LX45    6152/4804/1866   73/1      125  98304    1272
LWE Encrypt (λ = 64)              S6LX45    6078/4676/1811   73/1      125  98304    1272
LWE Decrypt                       S6LX45    63/58/32         13/1      144  32768    4395
RLWE Encrypt (PG 2014)*           S6LX16    4121/3513/-      14/1      160  6861     23321
RLWE Decrypt (PG 2014)*           S6LX16    4121/3513/-      14/1      160  4404     36331
RLWE Encrypt (PG 2014)*           V6LX75T   4549/3624/1506   12/1      262  6861     38187
RLWE Decrypt (PG 2014)*           V6LX75T   4549/3624/1506   12/1      262  4404     59492
RLWE Encrypt (PG 2014)            S6LX9     282/238/95       2/1       144  136212   1057
RLWE Decrypt (PG 2014)            S6LX9     94/87/32         1/1       189  66338    2849
RLWE Encrypt (Roy et al, 2014)*   V6LX75T   1349/860/-       2/1       313  6300     49751
RLWE Decrypt (Roy et al, 2014)*   V6LX75T   1349/860/-       2/1       313  2800     109890

Post place & route results of standard and ring LWE encryption and decryption, with parameter set (dim = 256, q = 4096, σ = 3.39), except *, where q = 4093. PG = Pöppelmann & Güneysu. (Howe et al., DAC 2016)
Note: LWE has a higher number of multiplications and a x128 increase in key size
Challenges for Practical LBC Implementations
• Need to be as efficient and versatile as classical Public Key systems, such as RSA and ECC
• Embedded devices are constrained
- No large memories
- Limited computational power
• Choice of parameters is crucial - long-term/QC-security
- Parameters tend to be larger than classic PK schemes
- Directly affects performance
- Scalability
• Choice of Gaussian Sampler
- Different choice for signatures Vs encryption
- Different choice for high speed Vs compact design
• Resistance to physical attacks, such as side channel and fault attacks
- Timing analysis (exploits the dependency between the execution time of the algorithm and its secret internal state)
- Power/EM analysis (exploits the dependency between the power/EM consumed by the device and the data processed)
- Profiling (involves constructing an offline model by characterising a device similar to the target)
- Fault attacks (deliberate injection of a fault into a device to exploit the difference between correct and faulty output)
• Physical attacks demonstrated on AES, ECC, RSA
• Little research into vulnerabilities of LBC implementations to physical attacks
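Two points on this page meet in the Gaussian sampler: the building-blocks slide, where CDT sampling and the reduction of the precision λ from 128 to 64 bits appear, and the timing-analysis bullet above, since a table lookup whose step count depends on the sample drawn leaks exactly the kind of secret internal state that bullet describes. The following is an added example, not SAFEcrypto code. build_cdt() tabulates the centred discrete Gaussian D_{Z,σ} at precision 2^-λ for λ = 64 and 128 with σ = 3.39 from the page's parameter set; everything else is this example's own construction. The two lookup routines draw from the same table and return the same index: index_bisect() is a binary search whose probes depend on the secret sample, index_scan() visits every entry with no data-dependent branch, which is the access pattern a timing-resistant implementation follows (Python gives no constant-time guarantee; the pattern is what the code illustrates). Running it shows that the λ = 64 table is both narrower per entry and shorter, because the tail can be cut where its mass drops below 2^-λ.

```python
"""CDT sampling of a discrete Gaussian with a variable-time and a fixed-pattern lookup.
Added example, not SAFEcrypto project code."""
import bisect
import secrets
from decimal import Decimal, getcontext

getcontext().prec = 80          # enough digits to build a 128-bit-precision table
SIGMA = "3.39"                  # sigma from the page's parameter set (string, for Decimal)


def build_cdt(sigma=SIGMA, lam=128):
    """Return the CDT as a list of integers in [0, 2^lam).

    Entry x holds floor(2^lam * P(|X| <= x)) for the one-sided distribution
    P(0) = rho(0)/S, P(x) = 2 rho(x)/S for x >= 1, rho(x) = exp(-x^2 / (2 sigma^2)),
    S = sum of rho over all integers. The table ends at the first x whose remaining
    tail mass is below 2^-lam, so a lower lam also means a shorter table.
    """
    s = Decimal(sigma)
    bound = int(20 * s) + 1                                  # far beyond any tail cut used here
    rho = [(-(Decimal(x) ** 2) / (2 * s * s)).exp() for x in range(bound + 1)]
    total = rho[0] + 2 * sum(rho[1:])                       # S; mass beyond bound is negligible
    eps, scale = Decimal(2) ** (-lam), 2 ** lam
    table, acc = [], Decimal(0)
    for x in range(bound + 1):
        acc += (rho[x] if x == 0 else 2 * rho[x]) / total
        table.append(int(acc * scale))
        if 1 - acc < eps:                                    # tail now below the precision target
            break
    return table


def index_bisect(table, u):
    """Binary search: the number of probes and their addresses depend on u (the secret)."""
    return min(bisect.bisect_right(table, u), len(table) - 1)


def index_scan(table, u):
    """Count entries <= u over the whole table: same result, fixed trip count, no branch."""
    x = 0
    for entry in table:
        x += int(entry <= u)            # a C version uses a masked subtraction here
    return x - x // len(table)          # clamps x == len(table) without a branch


def sample(table, lam, index=index_scan, randbits=secrets.randbits):
    """One sample from D_{Z,sigma}: lam uniform bits select |x|, one more bit its sign."""
    x = index(table, randbits(lam))
    s = randbits(1)
    return (x ^ -s) + s                 # negate when s == 1; zero stays zero


def table_bytes(table, lam):
    """Storage for the table at lam bits per entry."""
    return len(table) * lam // 8


def sample_stats(table, lam, count=20000):
    """Empirical mean and variance of count samples (expect about 0 and sigma^2)."""
    xs = [sample(table, lam) for _ in range(count)]
    mean = sum(xs) / count
    return mean, sum((v - mean) ** 2 for v in xs) / count


if __name__ == "__main__":
    for lam in (64, 128):
        t = build_cdt(lam=lam)
        mean, var = sample_stats(t, lam)
        print(f"lam={lam:3d}: {len(t):2d} entries, {table_bytes(t, lam):3d} bytes, "
              f"sample mean {mean:+.3f}, variance {var:.2f} (sigma^2 = {float(SIGMA) ** 2:.2f})")
```

The scan costs a full pass over the table on every sample, which is the price of a fixed access pattern; the binary search is cheaper and is what a speed-optimised design reaches for, and the page's "high speed vs compact" and side-channel bullets are the two sides of that choice. The same sign trick, (x ^ -s) + s, avoids the branch that a naive "if s: x = -x" would introduce.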
Outcomes 2015-2016
• Deliverable 2.4: Overview of Related research projects
• Deliverable 3.1: Risk and Vulnerability assessment of LBC architectures
• Deliverable 4.1: Evaluation report of lattice-based digital signatures
• Deliverable 5.1: Evaluation report of efficiency of lattice-based constructions
• Deliverable 6.1: Software requirements specification
• Deliverable 7.1: State-of-the-Art in Physical side-channel attacks and resistant technologies
• Deliverable 8.1: Post-Quantum Cryptographic Key Management Assessment
• Deliverable 9.1: Case Study Specifications and Requirements
For more information and further documentation, see the website: www.safecrypto.eu/more-information/outcomes/
Conclusion
• Lattice-based cryptosystems are a promising Post-Quantum cryptography solution for long-term security applications
• LBC offers versatility in the range of cryptosystems it can support
• LBC Encryption & signatures now more practical than RSA-based schemes
• However, to be considered as a replacement for traditional PK cryptography, LBC must be verified to demonstrate it can meet the requirements of real world scenarios.
Future Plans
Summary of SAFEcrypto future work
• Investigate parameter trade-offs to illustrate integration of lattice-based encryption/signature primitives into actual systems
• Develop practical IBE/ABE constructions
• Design and implementation of physically secure HW/SW LBC schemes
• Develop proof of concept demonstrators for 3 case studies in Satellite Communications, Public Safety Communication & Municipal Data Analytics
• Assist with current global initiatives:
– ETSI QSC Industry Specification Group
– US NIST competition for Quantum-safe public-key candidates
Publications
2015:
• J. Howe, T. Pöppelmann, M. O'Neill, E. O'Sullivan, T. Güneysu, "Practical Lattice-Based Digital Signature Schemes", ACM Transactions on Embedded Computing Systems, 2015
• T. Güneysu, V. Lyubashevsky, T. Pöppelmann, "Lattice-Based Signatures: Optimization and Implementation on Reconfigurable Hardware", IEEE Transactions on Computers, 2015
• V. Lyubashevsky, T. Prest, "Quadratic Time, Linear Space Algorithms for Gram-Schmidt Orthogonalization and Gaussian Sampling in Structured Lattices", EUROCRYPT 2015
• V. Lyubashevsky, D. Wichs, "Simple Lattice Trapdoor Sampling from a Broad Class of Distributions", Public Key Cryptography (PKC) 2015
• T. Pöppelmann, T. Oder, T. Güneysu, "High-Performance Ideal Lattice-Based Cryptography on 8-Bit ATxmega Microcontrollers", LATINCRYPT 2015
• M.-J. O. Saarinen, "Gaussian Sampling Precision in Lattice Cryptography", IACR ePrint 2015/953
2016:
• J. Buchmann, F. Göpfert, T. Güneysu, T. Oder, T. Pöppelmann, "High-Performance and Lightweight Lattice-Based Public-Key Encryption", 2nd ACM International Workshop on IoT Privacy, Trust, and Security (IoTPTS '16)
• R. Del Pino, V. Lyubashevsky, D. Pointcheval, "The Whole is Less Than the Sum of its Parts: Constructing More Efficient Lattice-based AKEs", Security and Cryptography for Networks (SCN) 2016
• J. Howe, C. Moore, M. O'Neill, F. Regazzoni, T. Güneysu, K. Beeden, "Standard Lattices in Hardware", 53rd Annual Design Automation Conference (DAC '16)
• M. O'Neill, F. Regazzoni, F. Valencia, T. Güneysu, T. Oder, A. Waller, G. Jones, A. Barnett, R. Griffin, A. Byrne, B. Ammar, E. O'Sullivan, D. Lund, G. McWilliams, M.-J. Saarinen, C. Moore, A. Khalid, J. Howe, R. del Pino, M. Abdalla, "Secure Architectures of Future Emerging Cryptography", Computing Frontiers (CF '16), invited paper