Living with postquantum cryptography
David McGrew, PhD Cisco Fellow
April 2, 2015
NIST Workshop on Cybersecurity in a Post-Quantum World
Research into PQC sponsored (in part) by Cisco
- Biasi, Barreto, Misoczki, Ruggiero, Scaling efficient code-based cryptosystems for embedded platforms, 2012
- Bernstein, Lange, Peters, Smaller decoding exponents: ball-collision decoding, CRYPTO 2011
- Bernstein, Lange, Peters, Wild McEliece Incognito, PQC 2011
- Bernstein, Grover vs. McEliece, PQC 2010
- Burleson, Paar, Heyse, Alternative Public-Key Algorithms for High-Performance Network Security, 2011
Approach
1. Prepare for threat of practical quantum computer
2. Embrace well-known postquantum-secure algorithms
   - Well established security is paramount
   - No Quantum Cryptography
3. Use systems engineering to mitigate performance issues
Identify opportunities and challenges, not detailed proposals
Cryptography
- Hash Based Signatures (HBS)
  - SHA-256
- Code Based Encryption (CBE)
  - McEliece/Niederreiter encryption
  - 800KB public keys, but fast encryption/decryption
- Symmetric cryptography
  - AES, SHA-2, SHA-3
Applications of ‘systems’ approach
- HBS for authentication
- Minimize use of public key cryptography
- Optimize transmission and storage of large public keys
- Symmetric TTP key establishment
Quantum Key Distribution Is Not Needed
- Minimal computational assumptions: Yes
- Side channel resistance: No
- Keys can be public: No
- Minimal entropy requirements: No
- Any device: No
- High data rates: No
- No range limitations: No
- Point to multipoint: No
- Any network, including wireless: No
- Can be implemented in software: No
- Simple: No
Hash Based Signatures
Hash Based Signatures
- 128-bit security level
  - 16*(265 + 20) = 1392 bytes, Key Gen time = 0.4ms * 2^20 = 7m
  - 16*(34+20) = 864 bytes, Key Gen time = 2.5ms * 2^20 = 45 m
  - Multilevel schemes improve these numbers
- Stateful signing
- Good security
- Feasible and useful
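The stateful signing noted above can be seen in a Winternitz one-time signature built only from SHA-256. This is an added example, not code from the talk or from any HBS specification; it assumes w = 8 and untruncated 32-byte hash values (giving 34 chains), and all names in it are illustrative. A full HBS scheme places many such one-time keys under a Merkle tree.

```python
import hashlib

P = 34  # chains for w = 8: 32 digest bytes + 2 checksum bytes


def H(x, n=1):
    """Apply SHA-256 n times, i.e. move n steps along a hash chain."""
    for _ in range(n):
        x = hashlib.sha256(x).digest()
    return x


def steps(msg):
    """Digest bytes plus a checksum that falls when any digest byte rises,
    so a signature that was seen cannot simply be hashed further forward."""
    d = list(hashlib.sha256(msg).digest())
    return d + list(sum(255 - b for b in d).to_bytes(2, "big"))


class OneTimeSigner:
    def __init__(self, seed):
        self._sk = [H(seed + bytes([i])) for i in range(P)]
        self.public_key = [H(s, 255) for s in self._sk]  # chain ends
        self._used = False  # signing state: must persist, never roll back

    def sign(self, msg):
        if self._used:
            raise RuntimeError("one-time key already used")
        self._used = True  # record the use before releasing any signature
        return [H(s, d) for s, d in zip(self._sk, steps(msg))]


def verify(public_key, msg, sig):
    if len(sig) != P:
        return False
    # Finish each chain; a valid signature lands exactly on the public key.
    return [H(s, 255 - d) for s, d in zip(sig, steps(msg))] == public_key


if __name__ == "__main__":
    signer = OneTimeSigner(b"constructed demo seed")  # constructed sample input
    sig = signer.sign(b"firmware v1")
    print(len(sig) * 32, "byte signature;", verify(signer.public_key, b"firmware v1", sig))
```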
Minimize use of public key cryptography
Cryptographic services used in SSL/TLS
Service | Algorithm
End-entity authentication | Digital signatures, PKC decryption, MAC
Session secret establishment | DH, PKC encryption, Symmetric TTP
Session authenticated encryption | AEAD, MAC encryption
SSL/TLS session establishment
Authenticated key transport
Revocation/ authorization check
Session key establishment
Encrypted, authenticated session
Asymmetric
Symmetric
SSL/TLS session establishment – session resumption
Authenticated key transport
Revocation/ authorization check
Session key re-establishment
Encrypted, authenticated session
Asymmetric
Symmetric
SSL/TLS long-lived sessions & session resumption
Authenticated key transport
Revocation/ authorization check
Session key (re)establishment
Encrypted, authenticated session
Asymmetric
Symmetric
Once per peer
Once per session
TLS
[Figure labels: M, T, W, R, F; Asymmetric and symmetric]
TLS with Session Resumption
[Figure labels: M, T, W, R, F; Symmetric; Asymmetric and symmetric]
Issue: per-peer state
- State must be stored for each peer
  - Problematic for small devices
  - Problematic in web model
- Solution: state avoidance through encryption with local key
  - Enables server to maintain shared secret with N devices with O(1) state
- RFC 5077, TLS Session Resumption w/o Server-Side State
  - ~ 64 bytes of state
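State avoidance through encryption with a local key can be sketched as follows. This is an added example, not code from the talk or from RFC 5077: the server seals each peer's 32-byte shared secret into a 64-byte ticket that the peer stores, and keeps only its own local keys. The HMAC-SHA-256 masking plus encrypt-then-MAC construction is a standard-library stand-in for a standard AEAD, and the class, method and peer names are assumptions.

```python
import hashlib
import hmac
import os


class TicketServer:
    """Keeps O(1) state: two local keys, however many peers hold tickets."""

    def __init__(self):
        self._k_enc = os.urandom(32)  # local keys never leave the server
        self._k_mac = os.urandom(32)

    def _pad(self, nonce):
        # One 32-byte pad per fresh nonce, enough to mask a 32-byte secret.
        return hmac.new(self._k_enc, nonce, hashlib.sha256).digest()

    def _tag(self, peer_id, body):
        # Length-prefix peer_id so (peer_id, body) can be parsed one way only.
        data = len(peer_id).to_bytes(2, "big") + peer_id + body
        return hmac.new(self._k_mac, data, hashlib.sha256).digest()[:16]

    def issue(self, peer_id, secret):
        """Seal the per-peer secret; the peer stores the returned ticket."""
        if len(secret) != 32:
            raise ValueError("this sketch seals exactly 32 bytes")
        nonce = os.urandom(16)
        body = nonce + bytes(a ^ b for a, b in zip(secret, self._pad(nonce)))
        return body + self._tag(peer_id, body)  # 16 + 32 + 16 = 64 bytes

    def resume(self, peer_id, ticket):
        """Recover the secret from a presented ticket, or reject it."""
        if len(ticket) != 64:
            raise ValueError("malformed ticket")
        body, tag = ticket[:48], ticket[48:]
        if not hmac.compare_digest(tag, self._tag(peer_id, body)):
            raise ValueError("ticket rejected")
        return bytes(a ^ b for a, b in zip(body[16:], self._pad(body[:16])))


if __name__ == "__main__":
    server = TicketServer()
    secret = os.urandom(32)  # constructed sample session secret
    ticket = server.issue(b"device-17", secret)
    print(len(ticket), server.resume(b"device-17", ticket) == secret)
```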
Issues with long-lived sessions and session resumption
- Revocation check needed
  - Should use symmetric cryptography
  - Could be external to TLS
- Forward security is desirable
  - Could be achieved through use of PRF key updating function
Optimize transmission and storage
Optimize transmission and storage
[Figure labels: H-devices, high bandwidth (Gb/s); L-devices, low bandwidth (Mb/s)]
Time to send 800KB key
- H-devices, 40 Gb/s: 0.00015s
- L-devices, 1 Mb/s: 6.25s
Using large public keys in TLS
Simplified TLS – Protocol 4.24, Boyd and Mathuria, PFAKM
Keys: K_S, K_C
1. C → S: N_C
2. S → C: N_S, K_S
3. C → S: E_{K_S}(PMK), Sig_{K_C}(M1), {M2}_K
4. S → C: {M3}_K
Figure annotations: Revocation Check; Large key, slow link!
Using large public keys in ‘reversed’ TLS
Keys: K_S, K_C
1. S → C: N_S
2. C → S: N_C, K_C
3. S → C: E_{K_C}(PMK), Sig_{K_S}(M1), {M2}_K
4. C → S: {M3}_K
Figure label: R
Using large public keys in ‘reversed’ TLS
Keys: K_S, K_C
1. S → C: N_S
2. C → S: N_C, ID_C
3. S → C: E_{K_C}(PMK), Sig_{K_S}(M1), {M2}_K
4. C → S: {M3}_K
Figure labels: R; ID_C; K_C; Lots of keys
What did we achieve?
- Avoid transmitting large public keys across slow links
- Avoid storing large public keys on endpoints
- Leverage public cloud
  - Storing public keys
  - Revocation service
Symmetric TTP for encryption
Trusted Third Party Key Establishment
[Figure labels: ACME; Internet]
Trusted Third Party key management
- Easily postquantum secure
- Can use standards like krb5
- Can use server state avoidance to minimize storage cost
Threshold Trusted Third Party Key Establishment
[Figure labels: ACME; ACE; Internet]
Group Keys for Encryption with Hash-based signatures
[Figure labels: ACME; Internet]
Trusted Third Party key management - issues
- TTP is high-risk target
  - Could use key sharing / threshold to mitigate risk
- Scalability
  - State avoidance
  - Hierarchical TTP
Hierarchical TTP
[Figure, built up over five slides. Nodes: C, B, A. Key labels added in order: "KA, KB, KC"; then KC; then KB; then KA.]
Conclusions
- Engineering for large keys is feasible and useful
  - We can solve many of today’s Communications Security problems this way
- Best promise
  - HBS
  - Minimizing and optimizing public key use
  - Revocation using HBS or symmetric cryptography
  - TTP for encryption keys
  - Multiple TTPs
  - HBS authentication
Thank you.