Quantum Resistant Public Key Cryptography: A Survey
Ray A. Perlner (firstname.lastname@example.org)
David A. Cooper (email@example.com)

What is a quantum computer?
• Short answer
  – A classical computer processes classical information.
  – A quantum computer processes quantum information.
• What is the difference?
  – Classical information is measured in bits (a unit of entropy in the classical limit of physics).
  – Quantum information consists of qubits (a unit of entropy in real physics).
  – Either way, available entropy scales with the size of a system.
  – So it should be possible to build a quantum computer.

What can a quantum computer do? (faster than a classical computer)
• Simulate a quantum computer
  – The best known classical algorithm is exponentially more costly in the worst case.
  – This does NOT mean that a quantum computer can always provide exponential speedup.
• Stuff that matters for cryptography
  – Quadratic speedup over classical brute force search (Grover).
  – Polynomial time algorithms for factoring and discrete logs, including elliptic curves (Shor).
• This completely breaks every public key algorithm you’ve probably ever heard of.

Why haven’t these monstrosities been built?
• Error correction/fault tolerance is much harder for quantum information.
  – Currently, we’re better off using a classical computer to run simulations.
  – Threshold theorems say that if we can build good enough components, the cost is only polynomial.
• Components are not cheap like transistors
  – Options include ultra-cold, ultra-small solid state devices and charged ions or neutral atoms controlled by lasers.
  – Pure optical systems may be an important component, but are unlikely to be the whole solution.

Quantum Resistance
• Quantum resistant algorithms are algorithms we don’t know how to break with a quantum or classical computer.
  – This is the same criterion we use for security in the classical model (pending a P≠NP proof).
  – As with classically secure algorithms, related “hard problems” add a measure of confidence.
  – (Classical) algorithms meeting the above criteria do exist at present.

The Algorithms

General Concerns
• Security Assumptions
• Public Key Length
• Signature Length/Ciphertext Expansion
  – E.g. RSA has ~1–2 kb (~10–20×)
• Public Key Lifetime
  – Mostly an issue for signatures
  – Can be dealt with using Merkle Trees and certificate chains
  – Memory (may need more than just the private key)
• Computational Cost

Lamport Signatures
• One time signatures
• Basic Scheme: Sign a single bit
  – Private key consists of two secrets S0 and S1
  – Public key is H(S0) || H(S1)
  – Signature for 0 is S0, signature for 1 is S1
• To sign an n-bit digest, just use n times as many secrets to sign the bits individually.
• Many optimizations are possible that trade increased computation for reduced key and/or signature size.

Merkle Trees

Lamport Signatures
• Security Assumption: preimage and second-preimage resistance of a one-way function
  – Only the message digest needs collision resistance.
• Public Key Length: ~n² for an n-bit one-way function and a 2n-bit digest
  – ~10 kb for n = 80
  – ~20 kb for n = 128
• Signature Length: same
• Public Key Lifetime: 1 signature
• Computational Cost: ~1 ms (comparable to DSA)
  – Includes key generation

Lamport Signatures (with Merkle Trees and Chaining)
• Security Assumption: preimage and second-preimage resistance of a one-way function
  – Only the message digest needs collision resistance.
• Public Key Length: n for an n-bit one-way function and a 2n-bit digest
• Private Key Length: ~250–500 kb
• Signature Length: ~50–100 kb
• Public Key Lifetime: 10^12 signatures
• Computational Cost: ~1 ms (comparable to DSA)
  – Key generation: ~1 s

McEliece Encryption
• Start with an error correction code generator matrix, G
  – Rectangular matrix such that it’s easy to reconstruct x from Gx + e.
    • x has dimension k
    • e has Hamming weight t or less and dimension n > k
• Public key K = PGS
  – S is k×k and invertible
  – P is an n×n permutation
• To encrypt m: compute Km + e

McEliece Encryption
• Security Assumption: indistinguishability of a masked Goppa code and a general linear code
  – The decoding problem for general linear codes is NP-complete
• Public Key Length: ~500 kb
• Message Size: ~1 kb
• Public Key Lifetime: potentially unlimited
• Computational Cost: ~100 μs
  – Signatures exist, but very expensive for the signer

NTRU
• Private key is a short basis for an N-dimensional lattice
• Public key is a long basis for the same lattice.
• Save space by representing the lattice basis as a polynomial rather than a matrix
  – This requires all lattice basis vectors to be cyclic permutations.
  – Many academic crypto schemes employ lattices but do not employ this technique, preferring security assumptions based on a less symmetric version of the lattice problems.
• Coefficients are generally reduced modulo q N 256

NTRU
• Security Assumption: unique closest vector problem
• Public Key Size: 2–4 kb
• Ciphertext Size: 2–4 kb
• Signature Size: 4–8 kb
• Public Key Lifetime: ~1 billion signatures
  – The signature scheme has changed in response to a series of attacks.
• Computational Cost: ~100 μs

Other
• Hidden Field Equations
• Braid Groups
• New schemes based on these crop up from time to time, but most have been broken.
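The basic Lamport scheme from the slides above, as an added example (not code from the presentation): two secrets per digest bit, the public key is the hash of every secret, and signing reveals one secret per bit of H(message). The helper secrets_exposed shows why the key pair is one-time: signing two different digests under the same key reveals both secrets at every differing bit position.

```python
# Added example: unoptimized Lamport one-time signature over a SHA-256 digest.
# n = 256-bit one-way function, 256-bit digest (the slides' "n times as many secrets").
import hashlib
import secrets

SECRET_BYTES = 32      # size of each secret S0/S1 (256 bits)
DIGEST_BITS = 256      # number of message-digest bits to sign


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    """Private key: (S0, S1) per digest bit. Public key: (H(S0), H(S1)) per bit."""
    sk = [(secrets.token_bytes(SECRET_BYTES), secrets.token_bytes(SECRET_BYTES))
          for _ in range(DIGEST_BITS)]
    pk = [(H(s0), H(s1)) for s0, s1 in sk]
    return sk, pk


def digest_bits(message: bytes):
    """Bits of H(message), most significant bit of each byte first."""
    d = H(message)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(DIGEST_BITS)]


def sign(sk, message: bytes):
    """Reveal S0 or S1 for each digest bit. A key pair must sign only ONE message."""
    return [sk[i][b] for i, b in enumerate(digest_bits(message))]


def verify(pk, message: bytes, sig) -> bool:
    """Each revealed secret must hash to the public-key entry for that bit value."""
    if len(sig) != DIGEST_BITS:
        return False
    return all(H(sig[i]) == pk[i][b] for i, b in enumerate(digest_bits(message)))


def public_key_bytes(pk) -> int:
    """Size of the unoptimized public key: 2 hashes per digest bit."""
    return sum(len(h0) + len(h1) for h0, h1 in pk)


def secrets_exposed(sig_a, sig_b) -> int:
    """Bit positions where two signatures under ONE key reveal both S0 and S1."""
    return sum(1 for a, b in zip(sig_a, sig_b) if a != b)
```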
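The Merkle tree construction behind the "with Merkle Trees and Chaining" figures above, as an added example (not code from the presentation): many one-time public keys are hashed into leaves, a single root becomes the long-lived public key (length n), and each signature carries the authentication path that lets a verifier recompute the root. The 8 constructed leaves stand in for hashes of one-time public keys; the slides' 10^12-signature lifetime corresponds to a much deeper tree built the same way.

```python
# Added example: binary Merkle tree over one-time public-key hashes,
# with authentication-path generation and verification.
import hashlib


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def merkle_root(leaves):
    """Root hash over a power-of-two number of leaf hashes."""
    level = list(leaves)
    assert level and len(level) & (len(level) - 1) == 0, "leaf count must be 2^k"
    while len(level) > 1:
        level = [H(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def auth_path(leaves, index):
    """Sibling hashes from leaf `index` up to the root; sent along with the signature."""
    path, level = [], list(leaves)
    while len(level) > 1:
        path.append(level[index ^ 1])          # sibling at the current level
        level = [H(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return path


def root_from_path(leaf, index, path):
    """Verifier side: recompute the root from one leaf and its authentication path."""
    node = leaf
    for sibling in path:
        # the leaf index's bits say whether we are the left or right child at each level
        node = H(sibling + node) if index & 1 else H(node + sibling)
        index //= 2
    return node


# Constructed sample: 8 leaves standing in for hashes of 8 one-time public keys.
LEAVES = [H(b"constructed-ots-public-key-%d" % i) for i in range(8)]
ROOT = merkle_root(LEAVES)   # the long-lived public key: one n-bit hash
```

A signature under leaf i is then (i, the one-time signature, its one-time public key, auth_path(LEAVES, i)); the verifier accepts only if the one-time signature checks out and root_from_path(H(one-time public key), i, path) equals the published root.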
Implications
• Crypto Agility is a Minimum Requirement
• Long Signatures or Public Keys
  – Transmitting certificates may become unwieldy (especially when revocation is considered)
    • Cache Certificates
    • Limit Cert Chain Depth
• Limited Lifetime Signing Keys
  – Mostly applicable to high load servers (e.g., OCSP responders)
    • Use a Merkle tree or subordinate public keys where applicable.

Conclusion
• All widely used public key crypto is threatened by quantum computing.
• We do have potentially viable options to consider.
• Protocol designers can think about how to deal with these algorithms now.