Quantum Resistant Public Key Cryptography: A Survey
           Ray A. Perlner
          David A. Cooper
  What is a quantum computer
• Short answer
  – A classical computer processes classical information.
  – A quantum computer processes quantum information.
• What is the difference?
  – Classical information is measured in bits (a unit of
    entropy in the classical limit of physics)
  – Quantum information consists of qubits (a unit of
    entropy in real physics)
  – Either way, available entropy scales with the size of a
  – So it should be possible to build a quantum computer.
What can a quantum computer do? (faster than a classical computer)
• Simulate a quantum computer
  – The best known classical algorithm is exponentially
    more costly in the worst case.
  – This does NOT mean that a quantum computer can
    always provide exponential speedup.
• Stuff that matters for cryptography
  – Quadratic speedup over classical brute force search.
  – Polynomial time algorithms for factoring and discrete
    logs, including elliptic curves. (Shor)
     • This completely breaks every public key algorithm you’ve
       probably ever heard of.
  Why haven’t these monstrosities been built?
• Error correction/fault tolerance is much harder
  for quantum information.
  – Currently, we’re better off using a classical computer
    to run simulations.
  – Threshold theorems say that if we can build good
    enough components, the cost is only polynomial.
• Components are not cheap like transistors
  – Options include ultra-cold ultra-small solid state
    devices and charged ions or neutral atoms controlled
    by lasers.
  – Pure optical systems may be an important
    component, but are unlikely to be the whole solution.
        Quantum Resistance
• Quantum resistant algorithms are
  algorithms we don’t know how to break
  with a quantum or classical computer.
  – This is the same criterion we use for security
    in the classical model (pending P≠NP proof)
  – As with classically secure algorithms, related
    “hard problems” add a measure of
  – (Classical) algorithms meeting the above
    criteria do exist at present.
           General Concerns
• Security Assumptions
• Public Key Length
• Signature Length/Ciphertext Expansion
  – E.g. RSA has ~1-2 kb (~10 - 20×)
• Public Key Lifetime
  – Mostly an issue for signatures
  – Can be dealt with using Merkle Trees and certificate
  – Memory (may need more than just the private key)
• Computational Cost
          Lamport Signatures
• One time signatures
• Basic Scheme: Sign a single bit
   – Private key consists of two secrets S0 and S1
   – Public key is H(S0) || H(S1)
   – Signature for 0 is S0, signature for 1 is S1
• To sign an n-bit digest, just use n times as many
  secrets to sign the bits individually.
• Many optimizations are possible that trade
  increased computation for reduced key and/or
  signature size.
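The basic scheme above, extended bit by bit to a full digest, as an added example (not code from the original slides). It assumes SHA-256 serves as both the one-way function H and the message digest, and the `LamportKey` class name and its one-use guard are illustrative choices.

```python
import hashlib
import secrets

N = 256  # number of digest bits signed (assumption: SHA-256 digest)

def H(data):
    """One-way function H from the slide (assumption: SHA-256)."""
    return hashlib.sha256(data).digest()

def digest_bits(message):
    """Message digest as a list of N bits, most significant bit first."""
    d = H(message)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N)]

class LamportKey:
    """One key pair: two secrets (S0, S1) per digest bit."""
    def __init__(self):
        self._sk = [(secrets.token_bytes(32), secrets.token_bytes(32))
                    for _ in range(N)]
        # Public key is H(S0) || H(S1) for every bit position.
        self.public = [(H(s0), H(s1)) for s0, s1 in self._sk]
        self._used = False

    def sign(self, message):
        """Reveal S0 or S1 for each digest bit; refuse a second use."""
        if self._used:
            raise RuntimeError("one-time key already used")
        self._used = True
        return [self._sk[i][b] for i, b in enumerate(digest_bits(message))]

def verify(public, message, signature):
    """Hash each revealed secret and compare with the matching public half."""
    if len(signature) != N:
        return False
    bits = digest_bits(message)
    return all(H(s) == public[i][b]
               for i, (s, b) in enumerate(zip(signature, bits)))

def sizes_bytes(key, signature):
    """(public key bytes, signature bytes) for this parameter choice."""
    pk = sum(len(a) + len(b) for a, b in key.public)
    return pk, sum(len(s) for s in signature)
```

The guard in `sign` matters because every signature reveals one secret per bit position, so a second signature under the same key would expose both secrets wherever the two digests differ.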
Merkle Trees
          Lamport Signatures
• Security Assumption: preimage and second-
  preimage resistance of a one-way function
  – Only the message digest needs collision resistance.
• Public Key Length: ~n^2 for an n-bit one-way
  function and a 2n-bit digest
  – ~10 kb for n = 80
  – ~20 kb for n =128
• Signature Length: same
• Public Key Lifetime: 1 signature
• Computational Cost: ~1ms (comparable to DSA)
  – Includes key generation
  Lamport Signatures (with Merkle Trees and Chaining)
• Security Assumption: preimage and second-
  preimage resistance of a one-way function
  – Only the message digest needs collision resistance.
• Public Key Length: n for an n-bit one-way
  function and a 2n-bit digest
• Private Key Length: ~250 – 500 kb
• Signature Length: ~50 – 100 kb
• Public Key Lifetime: 10^12 signatures
• Computational Cost: ~1ms (comparable to DSA)
  – key generation: ~1s
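How a Merkle tree lets a single hash-sized root stand in for many one-time public keys, as an added example (not code from the original slides). The leaf values are constructed placeholders for one-time public keys, and SHA-256 with the 0x00/0x01 domain-separation prefixes is an assumption of this sketch.

```python
import hashlib

def H(data):
    return hashlib.sha256(data).digest()

def build_tree(leaves):
    """Return all levels: level 0 holds hashed leaves, the last holds the root."""
    if not leaves or len(leaves) & (len(leaves) - 1):
        raise ValueError("leaf count must be a power of two")
    level = [H(b"\x00" + leaf) for leaf in leaves]
    levels = [level]
    while len(level) > 1:
        level = [H(b"\x01" + level[i] + level[i + 1])
                 for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def auth_path(levels, index):
    """Sibling hashes from leaf to root; shipped alongside each signature."""
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])   # sibling of the current node
        index >>= 1
    return path

def verify_leaf(root, leaf, index, path):
    """Recompute the root from one leaf and its path; the root is the public key."""
    node = H(b"\x00" + leaf)
    for sibling in path:
        pair = sibling + node if index & 1 else node + sibling
        node = H(b"\x01" + pair)
        index >>= 1
    return node == root

# Constructed stand-ins for eight one-time public keys.
LEAVES = [b"one-time-public-key-%d" % i for i in range(8)]
LEVELS = build_tree(LEAVES)
ROOT = LEVELS[-1][0]
```

A verifier holding only `ROOT` accepts one-time key number `i` once `verify_leaf` succeeds, which is why the long-lived public key shrinks to one hash output while signatures grow by the path length.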
         McEliece Encryption
• Start with an error correction code generator
  matrix, G
  – Rectangular matrix such that it’s easy to reconstruct x
    from Gx + e.
     • x has dimension k
     • e has hamming weight t or less and dimension n > k
• Public key K = PGS
  – S is k×k and invertible
  – P is an n×n permutation
• To Encrypt m: compute Km + e
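The K = PGS construction above worked through end to end on a toy code, as an added example (not code from the original slides). It swaps the large Goppa code of real McEliece for the Hamming(7,4) code with t = 1, and every matrix is a constructed value chosen for illustration, so it offers no security.

```python
# Toy McEliece over GF(2) on the Hamming(7,4) code (n = 7, k = 4, t = 1).
def matvec(M, v):
    """Matrix-vector product over GF(2)."""
    return [sum(a & b for a, b in zip(row, v)) % 2 for row in M]

def matmul(A, B):
    """Matrix-matrix product over GF(2)."""
    cols = list(zip(*B))
    return [[sum(a & b for a, b in zip(row, c)) % 2 for c in cols] for row in A]

# Generator G (n x k), systematic: the first k rows are the identity.
G = [[1,0,0,0],[0,1,0,0],[0,0,1,0],[0,0,0,1],[1,1,0,1],[1,0,1,1],[0,1,1,1]]
# Parity-check matrix H (3 x n); its columns are the seven nonzero syndromes.
H = [[1,1,0,1,1,0,0],[1,0,1,1,0,1,0],[0,1,1,1,0,0,1]]
# Private scrambler S (k x k, invertible) and its inverse.
S = [[1,1,0,0],[0,1,1,0],[0,0,1,1],[0,0,0,1]]
S_INV = [[1,1,1,1],[0,1,1,1],[0,0,1,1],[0,0,0,1]]
# Private permutation P as an index list: (P v)[i] = v[PERM[i]].
PERM = [3, 6, 0, 5, 1, 4, 2]

def public_key():
    """K = P G S: scramble the message basis, then permute the rows."""
    GS = matmul(G, S)
    return [GS[p] for p in PERM]

def encrypt(K, m, e):
    """c = K m + e, where e has Hamming weight <= t (here t = 1)."""
    if sum(e) > 1:
        raise ValueError("error vector too heavy for this code")
    return [a ^ b for a, b in zip(matvec(K, m), e)]

def decrypt(c):
    """Undo P, correct the error with the code's decoder, then undo S."""
    y = [0] * len(c)
    for i, p in enumerate(PERM):
        y[p] = c[i]                      # y = P^-1 c = G (S m) + P^-1 e
    syndrome = matvec(H, y)
    if any(syndrome):                    # one flipped bit: find its column in H
        y[[list(col) for col in zip(*H)].index(syndrome)] ^= 1
    return matvec(S_INV, y[:4])          # systematic code: first k bits are S m
```

Decryption works because P only moves the error bit, so P^-1 e still has weight at most t and the private decoder for G can remove it.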
          McEliece Encryption
• Security Assumption: indistinguishability of
  masked Goppa code and general linear
    – Decoding problem for general linear codes is
•   Public Key Length: ~500kb
•   Message Size: ~1kb
•   Public Key Lifetime: potentially unlimited
•   Computational Cost: ~100μs
    – Signatures exist, but very expensive for signer
• Private key is a short basis for an N dimensional lattice
• Public key is a long basis for the same lattice.
• Save space by representing lattice basis as a polynomial
  rather than a matrix
   – This requires all lattice basis vectors to be cyclic permutations.
   – Many academic crypto schemes employ lattices but do not
     employ this technique, preferring security assumptions based on
     a less symmetric version of the lattice problems.
• Coefficients are generally reduced modulo q  N  256
• Security Assumption: unique closest
  vector problem
• Public Key Size: 2-4kb
• Ciphertext Size: 2-4kb
• Signature Size: 4-8kb
• Public Key Lifetime: ~1 billion signatures
  – Signature scheme has changed in response
    to a series of attacks.
• Computational Cost: ~100μs
• Hidden Field Equations
• Braid Groups
• New schemes based on these crop up
  from time to time, but most have been
• Crypto Agility is a Minimum Requirement
• Long Signatures or Public Keys
  – Transmitting certificates may become unwieldy
    (especially when revocation is considered)
     • Cache Certificates
     • Limit Cert Chain Depth
• Limited Lifetime Signing Keys
  – Mostly applicable to high load servers (e.g., OCSP
     • Use a Merkle tree or subordinate public keys where
• All widely used public key crypto is
  threatened by quantum computing.
• We do have potentially viable options to
• Protocol designers can think about how to
  deal with these algorithms now.
