Quantum Resistant Public Key Cryptography: A Survey


1
Quantum Resistant Public Key Cryptography: A Survey
  • Ray A. Perlner
  • (ray.perlner_at_nist.gov)
  • David A. Cooper
  • (david.cooper_at_nist.gov)

2
What is a quantum computer?
  • Short answer
  • A classical computer processes classical
    information.
  • A quantum computer processes quantum information.
  • What is the difference?
  • Classical information is measured in bits (a unit
    of entropy in the classical limit of physics)
  • Quantum information consists of qubits (a unit of
    entropy in real physics)
  • Either way, available entropy scales with the
    size of a system.
  • So it should be possible to build a quantum
    computer.

3
What can a quantum computer do? (faster than a
classical computer)
  • Simulate a quantum computer
  • The best known classical algorithm is
    exponentially more costly in the worst case.
  • This does NOT mean that a quantum computer can
    always provide exponential speedup.
  • Stuff that matters for cryptography
  • Quadratic speedup over classical brute force
    search. (Grover)
  • Polynomial time algorithms for factoring and
    discrete logs, including elliptic curves. (Shor)
  • This completely breaks every public key algorithm
    you've probably ever heard of.

4
Why haven't these monstrosities been built?
  • Error correction/fault tolerance is much harder
    for quantum information.
  • Currently, we're better off using a classical
    computer to run simulations.
  • Threshold theorems say that if we can build good
    enough components, the cost is only polynomial.
  • Components are not cheap like transistors
  • Options include ultra-cold ultra-small solid
    state devices and charged ions or neutral atoms
    controlled by lasers.
  • Pure optical systems may be an important
    component, but are unlikely to be the whole
    solution.

5
Quantum Resistance
  • Quantum resistant algorithms are algorithms we
    don't know how to break with a quantum or
    classical computer.
  • This is the same criterion we use for security in
    the classical model (pending P≠NP proof)
  • As with classically secure algorithms, related
    hard problems add a measure of confidence.
  • (Classical) algorithms meeting the above criteria
    do exist at present.

6
The Algorithms
7
General Concerns
  • Security Assumptions
  • Public Key Length
  • Signature Length/Ciphertext Expansion
  • E.g. RSA has 1-2 kb (10 - 20)
  • Public Key Lifetime
  • Mostly an issue for signatures
  • Can be dealt with using Merkle Trees and
    certificate chains
  • Memory (may need more than just the private key)
  • Computational Cost

8
Lamport Signatures
  • One time signatures
  • Basic Scheme: Sign a single bit
  • Private key consists of two secrets S0 and S1
  • Public key is H(S0) || H(S1)
  • Signature for 0 is S0, signature for 1 is S1
  • To sign an n-bit digest, just use n times as many
    secrets to sign the bits individually.
  • Many optimizations are possible that trade
    increased computation for reduced key and/or
    signature size.
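
The basic scheme above extended to a full digest, as an added example (not code from the presentation). It assumes SHA-256 as the message digest and SHA-256 truncated to n = 128 bits as the one-way function, shows only the unoptimized scheme, and counts how many secrets become public when one key signs more than one message.

```python
import hashlib
import secrets

N_BYTES = 16        # n = 128-bit one-way function (assumption: truncated SHA-256)
DIGEST_BITS = 256   # 2n-bit message digest (assumption: SHA-256)

def F(x):
    """One-way function applied to each secret."""
    return hashlib.sha256(x).digest()[:N_BYTES]

def digest_bits(message):
    """Bits of the message digest, most significant bit first."""
    d = hashlib.sha256(message).digest()
    return [(byte >> (7 - i)) & 1 for byte in d for i in range(8)]

def keygen():
    """One (S0, S1) pair per digest bit; the public key is (F(S0), F(S1))."""
    sk = [(secrets.token_bytes(N_BYTES), secrets.token_bytes(N_BYTES))
          for _ in range(DIGEST_BITS)]
    pk = [(F(s0), F(s1)) for s0, s1 in sk]
    return sk, pk

def sign(sk, message):
    """Reveal S0 or S1 for each bit of the digest."""
    return [sk[i][b] for i, b in enumerate(digest_bits(message))]

def verify(pk, message, sig):
    bits = digest_bits(message)
    if len(sig) != len(bits):
        return False
    ok = True
    for i, b in enumerate(bits):      # check every position, no early exit
        ok &= secrets.compare_digest(F(sig[i]), pk[i][b])
    return ok

def secrets_revealed(messages):
    """Number of the 2 * DIGEST_BITS secrets made public by signing all of
    these messages with the SAME key (why the key lifetime is 1 signature)."""
    seen = set()
    for m in messages:
        seen.update((i, b) for i, b in enumerate(digest_bits(m)))
    return len(seen)

def sizes_bytes():
    """(public key, signature) sizes in bytes for the parameters above."""
    return 2 * DIGEST_BITS * N_BYTES, DIGEST_BITS * N_BYTES
```

Every position where two signed digests differ exposes both S0 and S1, so a forger can choose either bit there; that is the reuse problem Merkle trees and chaining address.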

9
Merkle Trees
10
Lamport Signatures
  • Security Assumption: preimage and second-preimage
    resistance of a one-way function
  • Only the message digest needs collision
    resistance.
  • Public Key Length: n^2 for an n-bit one-way
    function and a 2n-bit digest
  • 10 kb for n = 80
  • 20 kb for n = 128
  • Signature Length: same
  • Public Key Lifetime: 1 signature
  • Computational Cost: 1ms (comparable to DSA)
  • Includes key generation

11
Lamport Signatures (with Merkle Trees and
Chaining)
  • Security Assumption: preimage and second-preimage
    resistance of a one-way function
  • Only the message digest needs collision
    resistance.
  • Public Key Length: n for an n-bit one-way
    function and a 2n-bit digest
  • Private Key Length: 250-500 kb
  • Signature Length: 50-100 kb
  • Public Key Lifetime: 10^12 signatures
  • Computational Cost: 1ms (comparable to DSA)
  • Key generation: 1s

12
McEliece Encryption
  • Start with an error correction code generator
    matrix, G
  • Rectangular matrix such that it's easy to
    reconstruct x from Gx + e.
  • x has dimension k
  • e has Hamming weight t or less and dimension n >
    k
  • Public key K = PGS
  • S is k×k and invertible
  • P is an n×n permutation
  • To encrypt m, compute Km + e
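
A toy instance of the construction above, added here as an illustration and not taken from the presentation. It substitutes a Hamming(7,4) code (t = 1) for the Goppa code so the matrices fit on screen; S, S_INV and PERM are constructed sample values, and at this size the scheme has no security.

```python
import secrets

# Toy code: Hamming(7,4), corrects t = 1 error. All arithmetic is over GF(2).
A = [[1, 1, 0, 1], [1, 0, 1, 1], [0, 1, 1, 1]]
I4 = [[int(i == j) for j in range(4)] for i in range(4)]
G = I4 + A                                     # n x k = 7 x 4 generator (systematic)
H = [A[r] + [int(r == j) for j in range(3)] for r in range(3)]  # parity check [A | I3]
S = [[1, 1, 0, 0], [0, 1, 1, 0], [0, 0, 1, 1], [0, 0, 0, 1]]     # k x k, invertible
S_INV = [[1, 1, 1, 1], [0, 1, 1, 1], [0, 0, 1, 1], [0, 0, 0, 1]]
PERM = [3, 6, 0, 5, 1, 4, 2]                   # P: row i of PX is row PERM[i] of X

def matvec(M, v):
    return [sum(a & b for a, b in zip(row, v)) % 2 for row in M]

def matmul(M, N):
    return [[sum(a & b for a, b in zip(row, col)) % 2 for col in zip(*N)]
            for row in M]

def public_key():
    """K = PGS: scramble the message space with S, permute positions with P."""
    GS = matmul(G, S)
    return [GS[p] for p in PERM]

def encrypt(K, m, err_pos=None):
    """c = Km + e, with e of Hamming weight 1 (random position by default)."""
    pos = secrets.randbelow(len(K)) if err_pos is None else err_pos
    c = matvec(K, m)
    c[pos] ^= 1
    return c

def decrypt(c):
    """Undo P, correct the error with the secret code structure, undo S."""
    y = [0] * len(c)
    for i, p in enumerate(PERM):
        y[p] = c[i]                            # y = GSm + P^-1 e
    syndrome = matvec(H, y)
    if any(syndrome):                          # syndrome equals the column of H
        cols = list(zip(*H))                   # at the flipped position
        y[cols.index(tuple(syndrome))] ^= 1
    return matvec(S_INV, y[:4])                # systematic G: first k bits are Sm
```

Only the holder of G, S and P can decode efficiently; an attacker sees K, which the security assumption on the next slide says should look like a generator for a general linear code.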

13
McEliece Encryption
  • Security Assumption: indistinguishability of
    masked Goppa code and general linear code
  • Decoding problem for general linear codes is
    NP-complete
  • Public Key Length: 500kb
  • Message Size: 1kb
  • Public Key Lifetime: potentially unlimited
  • Computational Cost: 100µs
  • Signatures exist, but very expensive for signer

14
NTRU
  • Private key is a short basis for an N dimensional
    lattice
  • Public key is a long basis for the same lattice.
  • Save space by representing lattice basis as a
    polynomial rather than a matrix
  • This requires all lattice basis vectors to be
    cyclic permutations.
  • Many academic crypto schemes employ lattices but
    do not employ this technique, preferring security
    assumptions based on a less symmetric version of
    the lattice problems.
  • Coefficients are generally reduced modulo q ≈ N ≈
    256

15
NTRU
  • Security Assumption: unique closest vector
    problem
  • Public Key Size: 2-4kb
  • Ciphertext Size: 2-4kb
  • Signature Size: 4-8kb
  • Public Key Lifetime: 1 billion signatures
  • Signature scheme has changed in response to a
    series of attacks.
  • Computational Cost: 100µs

16
Other
  • Hidden Field Equations
  • Braid Groups
  • New schemes based on these crop up from time to
    time, but most have been broken.

17
Implications
  • Crypto Agility is a Minimum Requirement
  • Long Signatures or Public Keys
  • Transmitting certificates may become unwieldy
    (especially when revocation is considered)
  • Cache Certificates
  • Limit Cert Chain Depth
  • Limited Lifetime Signing Keys
  • Mostly applicable to high load servers (e.g.,
    OCSP responders)
  • Use a Merkle tree or subordinate public keys
    where applicable.

18
Conclusion
  • All widely used public key crypto is threatened
    by quantum computing.
  • We do have potentially viable options to
    consider.
  • Protocol designers can think about how to deal
    with these algorithms now.