Quantum Resistant Public Key Cryptography: A Survey
Ray A. Perlner (ray.perlner@nist.gov) David A. Cooper (david.cooper@nist.gov)

What is a quantum computer
• Short answer
– A classical computer processes classical information.
– A quantum computer processes quantum information.

• What is the difference?
– Classical information is measured in bits (a unit of entropy in the classical limit of physics)
– Quantum information consists of qubits (a unit of entropy in real physics)
– Either way, available entropy scales with the size of a system.
– So it should be possible to build a quantum computer.

What can a quantum computer do?
(faster than a classical computer)
• Simulate a quantum computer
– The best known classical algorithm is exponentially more costly in the worst case.
– This does NOT mean that a quantum computer can always provide exponential speedup.

• Stuff that matters for cryptography
– Quadratic speedup over classical brute force search. (Grover)
– Polynomial time algorithms for factoring and discrete logs, including elliptic curves. (Shor)
• This completely breaks every public key algorithm you’ve probably ever heard of.

Why haven’t these monstrosities been built?
• Error correction/fault tolerance is much harder for quantum information.
– Currently, we’re better off using a classical computer to run simulations.
– Threshold theorems say that if we can build good enough components, the cost is only polynomial.

• Components are not cheap like transistors
– Options include ultra-cold ultra-small solid state devices and charged ions or neutral atoms controlled by lasers.
– Pure optical systems may be an important component, but are unlikely to be the whole solution.

Quantum Resistance
• Quantum resistant algorithms are algorithms we don’t know how to break with a quantum or classical computer.
– This is the same criterion we use for security in the classical model (pending P≠NP proof)
– As with classically secure algorithms, related “hard problems” add a measure of confidence.
– (Classical) algorithms meeting the above criteria do exist at present.

The Algorithms

General Concerns
• Security Assumptions
• Public Key Length
• Signature Length/Ciphertext Expansion
– E.g. RSA has ~1-2 kb (~10 - 20×)

• Public Key Lifetime
– Mostly an issue for signatures
– Can be dealt with using Merkle Trees and certificate chains
– Memory (may need more than just the private key)

• Computational Cost

Lamport Signatures
• One-time signatures
• Basic Scheme: Sign a single bit
– Private key consists of two secrets S0 and S1
– Public key is H(S0) || H(S1)
– Signature for 0 is S0, signature for 1 is S1
• To sign an n-bit digest, just use n times as many secrets to sign the bits individually.
• Many optimizations are possible that trade increased computation for reduced key and/or signature size.

Merkle Trees

Lamport Signatures
• Security Assumption: preimage and second-preimage resistance of a one-way function
– Only the message digest needs collision resistance.

• Public Key Length: ~n² for an n-bit one-way function and a 2n-bit digest
– ~10 kb for n = 80
– ~20 kb for n = 128

• Signature Length: same
• Public Key Lifetime: 1 signature
• Computational Cost: ~1ms (comparable to DSA)
– Includes key generation

Lamport Signatures (with Merkle Trees and Chaining)
• Security Assumption: preimage and second-preimage resistance of a one-way function
– Only the message digest needs collision resistance.

• Public Key Length: n for an n-bit one-way function and a 2n-bit digest
• Private Key Length: ~250 – 500 kb
• Signature Length: ~50 – 100 kb
• Public Key Lifetime: 10¹² signatures
• Computational Cost: ~1ms (comparable to DSA)
– key generation: ~1s
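A runnable sketch of the two Lamport slides above, added here as an example and not the authors' code: a Lamport one-time signature over SHA-256 digests, and a Merkle tree that turns 2^h such one-time keys into a single public key (the root), with each signature carrying its authentication path. It shows only the tree, not the chaining or the size optimizations the slides mention; the leaf construction, tree height and use of SHA-256 are this example's own assumptions.

```python
import hashlib, secrets

N = 256  # bits in a SHA-256 digest: one (S0, S1) secret pair per digest bit

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def bits(msg: bytes):  # digest bits of the message, most significant first
    d = int.from_bytes(H(msg), "big")
    return [(d >> (N - 1 - i)) & 1 for i in range(N)]

def lamport_keygen():  # private key: (S0, S1) per bit; public key: their hashes
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    return sk, [(H(s0), H(s1)) for s0, s1 in sk]

def lamport_sign(sk, msg):  # reveal S0 or S1 for each bit; the key is then spent
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def lamport_verify(pk, msg, sig):
    return all(H(sig[i]) == pk[i][b] for i, b in enumerate(bits(msg)))

def leaf(pk):  # hash of a whole one-time public key: one Merkle leaf
    return H(b"".join(h0 + h1 for h0, h1 in pk))

def merkle_keygen(height):  # 2**height one-time keys; the root is the public key
    keys = [lamport_keygen() for _ in range(1 << height)]
    tree = [[leaf(pk) for _, pk in keys]]
    while len(tree[-1]) > 1:
        lvl = tree[-1]
        tree.append([H(lvl[i] + lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return {"keys": keys, "tree": tree, "used": 0}, tree[-1][0]

def merkle_sign(state, msg):
    idx = state["used"]
    if idx >= len(state["keys"]):
        raise RuntimeError("all one-time keys consumed: key lifetime exhausted")
    state["used"] = idx + 1  # never reuse a one-time key
    sk, pk = state["keys"][idx]
    path = [lvl[(idx >> h) ^ 1] for h, lvl in enumerate(state["tree"][:-1])]  # sibling per level
    return idx, pk, lamport_sign(sk, msg), path

def merkle_verify(root, msg, sig):
    idx, pk, ots, path = sig
    if not lamport_verify(pk, msg, ots):
        return False
    node = leaf(pk)  # climb from the leaf to the root along the path
    for sib in path:
        node = H(sib + node) if idx & 1 else H(node + sib)
        idx >>= 1
    return node == root
```

With height 2 the state holds four one-time keys, so the fifth call to merkle_sign raises; this is the public key lifetime limit the slides quantify.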

McEliece Encryption
• Start with an error correction code generator matrix, G
– Rectangular matrix such that it’s easy to reconstruct x from Gx + e.
• x has dimension k
• e has Hamming weight t or less and dimension n > k

• Public key K = PGS
– S is k×k and invertible
– P is an n×n permutation

• To Encrypt m: compute Km + e
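An added toy implementation of the K = PGS construction above (not the authors' code): it uses the [7,4] Hamming code with t = 1 in place of a Goppa code, so it illustrates the scrambling of G and the decryption steps (undo P, decode, undo S) but offers no security. Matrix conventions follow the slide (G is n×k, ciphertext is Km + e); the GF(2) helper functions are this example's own.

```python
import random
# Toy [7,4] Hamming code (n=7, k=4, t=1). G is n x k, systematic: Gx starts with x.
G = [[1,0,0,0],[0,1,0,0],[0,0,1,0],[0,0,0,1],[1,1,0,1],[1,0,1,1],[0,1,1,1]]
H = [[1,1,0,1,1,0,0],[1,0,1,1,0,1,0],[0,1,1,1,0,0,1]]  # parity-check matrix

def matvec(M, v):  # M v over GF(2)
    return [sum(a & b for a, b in zip(row, v)) % 2 for row in M]

def matmul(A, B):  # A B over GF(2), built column by column
    return [list(r) for r in zip(*[matvec(A, col) for col in zip(*B)])]

def gf2_inverse(M):  # Gauss-Jordan over GF(2); None if M is singular
    n = len(M)
    aug = [row + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for c in range(n):
        p = next((r for r in range(c, n) if aug[r][c]), None)
        if p is None:
            return None
        aug[c], aug[p] = aug[p], aug[c]
        for r in range(n):
            if r != c and aug[r][c]:
                aug[r] = [a ^ b for a, b in zip(aug[r], aug[c])]
    return [row[n:] for row in aug]

def decode(y):  # recover x from Gx + e (weight(e) <= 1) using the syndrome
    s = matvec(H, y)
    if any(s):  # nonzero syndrome equals the column of H where the error sits
        y = y[:]
        y[list(zip(*H)).index(tuple(s))] ^= 1
    return y[:4]

def keygen():
    S = [[random.randint(0, 1) for _ in range(4)] for _ in range(4)]
    while gf2_inverse(S) is None:  # S must be an invertible k x k matrix
        S = [[random.randint(0, 1) for _ in range(4)] for _ in range(4)]
    perm = random.sample(range(7), 7)  # P: n x n permutation, (Pv)[i] = v[perm[i]]
    GS = matmul(G, S)
    K = [GS[perm[i]] for i in range(7)]  # public key K = P G S hides the code
    return K, (S, perm)

def encrypt(K, m, t=1):  # c = K m + e for a random error vector e of weight t
    err = set(random.sample(range(7), t))
    return [a ^ int(j in err) for j, a in enumerate(matvec(K, m))]

def decrypt(sk, c):
    S, perm = sk
    y = [0] * 7  # undo P: y = P^-1 c = G S m + P^-1 e, still weight t
    for i in range(7):
        y[perm[i]] = c[i]
    return matvec(gf2_inverse(S), decode(y))  # decode gives S m; apply S^-1
```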

McEliece Encryption
• Security Assumption: indistinguishability of masked Goppa code and general linear code
– Decoding problem for general linear codes is NP-complete

• Public Key Length: ~500kb
• Message Size: ~1kb
• Public Key Lifetime: potentially unlimited
• Computational Cost: ~100μs
– Signatures exist, but very expensive for signer

• Private key is a short basis for an N dimensional lattice
• Public key is a long basis for the same lattice.
• Save space by representing lattice basis as a polynomial rather than a matrix
– This requires all lattice basis vectors to be cyclic permutations.
– Many academic crypto schemes employ lattices but do not employ this technique, preferring security assumptions based on a less symmetric version of the lattice problems.

• Coefficients are generally reduced modulo q  N  256

• Security Assumption: unique closest vector problem
• Public Key Size: 2-4kb
• Ciphertext Size: 2-4kb
• Signature Size: 4-8kb
• Public Key Lifetime: ~1 billion signatures
– Signature scheme has changed in response to a series of attacks.

• Computational Cost: ~100μs

• Hidden Field Equations
• Braid Groups
• New schemes based on these crop up from time to time, but most have been broken.

• Crypto Agility is a Minimum Requirement
• Long Signatures or Public Keys
– Transmitting certificates may become unwieldy (especially when revocation is considered)
• Cache Certificates
• Limit Cert Chain Depth

• Limited Lifetime Signing Keys
– Mostly applicable to high load servers (e.g., OCSP responders)
• Use a Merkle tree or subordinate public keys where applicable.

• All widely used public key crypto is threatened by quantum computing.
• We do have potentially viable options to consider.
• Protocol designers can think about how to deal with these algorithms now.
