
Quantum Resistant Public Key Cryptography: A Survey

Ray A. Perlner (ray.perlner@nist.gov)
David A. Cooper (david.cooper@nist.gov)

What is a quantum computer
• Short answer
  – A classical computer processes classical information.
  – A quantum computer processes quantum information.
• What is the difference?
  – Classical information is measured in bits (a unit of entropy in the classical limit of physics)
  – Quantum information consists of qbits (a unit of entropy in real physics)
  – Either way, available entropy scales with the size of a system.
  – So it should be possible to build a quantum computer.

What can a quantum computer do? (faster than a classical computer)
• Simulate a quantum computer
  – The best known classical algorithm is exponentially more costly in the worst case.
  – This does NOT mean that a quantum computer can always provide exponential speedup.
• Stuff that matters for cryptography
  – Quadratic speedup over classical brute force search. (Grover)
  – Polynomial time algorithms for factoring and discrete logs, including elliptic curves. (Shor)
    • This completely breaks every public key algorithm you’ve probably ever heard of.

Why haven’t these monstrosities been built?
• Error correction/fault tolerance is much harder for quantum information.
  – Currently, we’re better off using a classical computer to run simulations.
  – Threshold theorems say that if we can build good enough components, the cost is only polynomial.
• Components are not cheap like transistors
  – Options include ultra-cold ultra-small solid state devices and charged ions or neutral atoms controlled by lasers.
  – Pure optical systems may be an important component, but are unlikely to be the whole solution.

Quantum Resistance
• Quantum resistant algorithms are algorithms we don’t know how to break with a quantum or classical computer.
  – This is the same criterion we use for security in the classical model (pending P≠NP proof)
  – As with classically secure algorithms, related “hard problems” add a measure of confidence.
  – (Classical) algorithms meeting the above criteria do exist at present.

The Algorithms

General Concerns
• Security Assumptions
• Public Key Length
• Signature Length/Ciphertext Expansion
  – E.g. RSA has ~1-2 kb (~10 - 20×)
• Public Key Lifetime
  – Mostly an issue for signatures
  – Can be dealt with using Merkle Trees and certificate chains
  – Memory (may need more than just the private key)
• Computational Cost

Lamport Signatures
• One time signatures
• Basic Scheme: Sign a single bit
  – Private key consists of two secrets S0 and S1
  – Public key is H(S0) || H(S1)
  – Signature for 0 is S0, signature for 1 is S1
• To sign an n-bit digest, just use n times as many secrets to sign the bits individually.
• Many optimizations are possible that trade increased computation for reduced key and/or signature size.

Merkle Trees

Lamport Signatures
• Security Assumption: preimage and second-preimage resistance of a one-way function
  – Only the message digest needs collision resistance.
• Public Key Length: ~n² for an n-bit one-way function and a 2n-bit digest
  – ~10 kb for n = 80
  – ~20 kb for n = 128
• Signature Length: same
• Public Key Lifetime: 1 signature
• Computational Cost: ~1ms (comparable to DSA)
  – Includes key generation

Lamport Signatures (with Merkle Trees and Chaining)
• Security Assumption: preimage and second-preimage resistance of a one-way function
  – Only the message digest needs collision resistance.
• Public Key Length: n for an n-bit one-way function and a 2n-bit digest
• Private Key Length: ~250 – 500 kb
• Signature Length: ~50 – 100 kb
• Public Key Lifetime: 10¹² signatures
• Computational Cost: ~1ms (comparable to DSA)
  – key generation: ~1s

McEliece Encryption
• Start with an error correction code generator matrix, G
  – Rectangular matrix such that it’s easy to reconstruct x from Gx + e.
    • x has dimension k
    • e has Hamming weight t or less and dimension n > k
• Public key K = PGS
  – S is k×k and invertible
  – P is an n×n permutation
• To Encrypt m: compute Km + e

McEliece Encryption
• Security Assumption: indistinguishability of masked Goppa code and general linear code
  – Decoding problem for general linear codes is NP-complete
• Public Key Length: ~500kb
• Message Size: ~1kb
• Public Key Lifetime: potentially unlimited
• Computational Cost: ~100μs
  – Signatures exist, but very expensive for signer

NTRU
• Private key is a short basis for an N dimensional lattice
• Public key is a long basis for the same lattice.
• Save space by representing lattice basis as a polynomial rather than a matrix
  – This requires all lattice basis vectors to be cyclic permutations.
  – Many academic crypto schemes employ lattices but do not employ this technique, preferring security assumptions based on a less symmetric version of the lattice problems.
• Coefficients are generally reduced modulo q N 256

NTRU
• Security Assumption: unique closest vector problem
• Public Key Size: 2-4kb
• Ciphertext Size: 2-4kb
• Signature Size: 4-8kb
• Public Key Lifetime: ~1 billion signatures
  – Signature scheme has changed in response to a series of attacks.
• Computational Cost: ~100μs

Other
• Hidden Field Equations
• Braid Groups
• New schemes based on these crop up from time to time, but most have been broken.
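
The McEliece construction from the slides above (public key K = PGS, ciphertext Km + e), worked through end to end as an added example that is not part of the original presentation. It assumes a Hamming(7,4) code with t = 1 in place of a Goppa code, which shows the mechanics only and gives no security; all function and variable names are this example's own.

```python
import secrets

A = [[1, 1, 0, 1], [1, 0, 1, 1], [0, 1, 1, 1]]  # parity part of the toy code (assumption)
K, N = 4, 7  # x has dimension k, e has dimension n
G = [[int(i == j) for j in range(K)] for i in range(K)] + A  # n x k generator, systematic
HC = [row + [int(i == j) for j in range(3)] for i, row in enumerate(A)]  # parity check: HC*G = 0

def matvec(M, v):
    return [sum(a & b for a, b in zip(row, v)) & 1 for row in M]

def matmul(X, Y):
    return [[sum(a & b for a, b in zip(row, col)) & 1 for col in zip(*Y)] for row in X]

def inverse(M):  # Gauss-Jordan over GF(2); None if M is singular
    W = [row[:] + [int(i == j) for j in range(len(M))] for i, row in enumerate(M)]
    for c in range(len(M)):
        p = next((r for r in range(c, len(M)) if W[r][c]), None)
        if p is None:
            return None
        W[c], W[p] = W[p], W[c]
        for r in range(len(M)):
            if r != c and W[r][c]:
                W[r] = [x ^ y for x, y in zip(W[r], W[c])]
    return [row[len(M):] for row in W]

def keygen(rng=secrets.SystemRandom()):
    S_inv = None
    while S_inv is None:  # retry until the random k x k matrix S is invertible
        S = [[rng.randrange(2) for _ in range(K)] for _ in range(K)]
        S_inv = inverse(S)
    perm = list(range(N))
    rng.shuffle(perm)
    P = [[int(j == perm[i]) for j in range(N)] for i in range(N)]  # (Pv)[i] = v[perm[i]]
    return matmul(P, matmul(G, S)), (S_inv, perm)  # public K = PGS, private (S^-1, P)

def encrypt(pub, m, e):  # Km + e, with e of Hamming weight at most t = 1
    assert sum(e) <= 1
    return [a ^ b for a, b in zip(matvec(pub, m), e)]

def decrypt(priv, c):
    S_inv, perm = priv
    y = [0] * N
    for i, j in enumerate(perm):  # undo P, leaving GSm plus a permuted error
        y[j] = c[i]
    syn = matvec(HC, y)
    if any(syn):  # the syndrome is the column of HC at the error position
        y[list(zip(*HC)).index(tuple(syn))] ^= 1
    return matvec(S_inv, y[:K])  # systematic code: the first k bits are Sm
```
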
Implications
• Crypto Agility is a Minimum Requirement
• Long Signatures or Public Keys
  – Transmitting certificates may become unwieldy (especially when revocation is considered)
    • Cache Certificates
    • Limit Cert Chain Depth
• Limited Lifetime Signing Keys
  – Mostly applicable to high load servers (e.g., OCSP responders)
    • Use a Merkle tree or subordinate public keys where applicable.

Conclusion
• All widely used public key crypto is threatened by quantum computing.
• We do have potentially viable options to consider.
• Protocol designers can think about how to deal with these algorithms now.
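
The basic Lamport scheme from the "Lamport Signatures" slides, combined with a Merkle tree so that one short root authenticates many one-time keys (the remedy the "Implications" slide gives for limited lifetime signing keys). This is an added example, not code from the original presentation: it assumes SHA-256 as both the one-way function H and the message digest, omits the chaining and size optimizations the slides mention, and uses names of its own.

```python
import hashlib, secrets

N = 32  # bytes per secret and per hash; SHA-256 stands in for the slides' H (assumption)

def H(data):
    return hashlib.sha256(data).digest()

def bits(msg):  # digest bits, most significant first
    return [(byte >> (7 - j)) & 1 for byte in H(msg) for j in range(8)]

def keygen():  # secrets (S0, S1) per digest bit; public key is every H(S0) || H(S1)
    sk = [(secrets.token_bytes(N), secrets.token_bytes(N)) for _ in range(8 * N)]
    return sk, b"".join(H(s0) + H(s1) for s0, s1 in sk)

def sign(sk, msg):  # reveal S0 or S1 for each digest bit
    return [pair[b] for pair, b in zip(sk, bits(msg))]

def verify(pk, msg, sig):
    b = bits(msg)
    return len(sig) == len(b) and all(
        H(s) == pk[(2 * i + v) * N:(2 * i + v + 1) * N]
        for i, (s, v) in enumerate(zip(sig, b)))

def levels(leaves):  # Merkle tree bottom-up; len(leaves) must be a power of two
    out = [leaves]
    while len(out[-1]) > 1:
        row = out[-1]
        out.append([H(row[i] + row[i + 1]) for i in range(0, len(row), 2)])
    return out

class MerkleSigner:
    def __init__(self, height):
        self.keys = [keygen() for _ in range(2 ** height)]
        self.tree = levels([H(pk) for _, pk in self.keys])
        self.root, self.used = self.tree[-1][0], 0  # root is the long-lived public key

    def sign(self, msg):
        if self.used == len(self.keys):  # lifetime is 2**height signatures
            raise RuntimeError("one-time keys exhausted")
        i, self.used = self.used, self.used + 1  # never reuse a one-time key
        sk, pk = self.keys[i]
        path = [row[(i >> d) ^ 1] for d, row in enumerate(self.tree[:-1])]
        return i, sign(sk, msg), pk, path

def tree_verify(root, msg, signature):
    i, sig, pk, path = signature
    node = H(pk)
    for sib in path:  # rebuild the root from the leaf and its siblings
        node = H(sib + node) if i & 1 else H(node + sib)
        i >>= 1
    return verify(pk, msg, sig) and node == root
```

Each signature carries the one-time public key and the sibling hashes on its path to the root, which is where the larger signature size on the Merkle slide comes from.
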
