post-quantum key exchange for optical networks · 2018-04-09 · we have implemented a post-quantum...
TRANSCRIPT
Post-Quantum Key Exchange for Optical Networks
Joo Yeon Cho
5-6 April 2018
PQCrypto Code-Based Workshop 2018
© 2018 ADVA Optical Networking. All rights reserved. Confidential.
Security in Optical Transmission
OTN (Layer 1) Security
Optical Transmission
• No IP address
• Wavelength Division Multiplexing (CWDM, DWDM,…)
• High speed transmission: 10G/40G/100G/200G/..
• Usually Point-to-Point transmission over long distance
Encryption Performance: Comparison of Maximum Throughput
[Figure: throughput versus frame size (bytes)]
And why on Layer 1?
• Protocol and data rate agnostic
• Lowest Latency
• 100% Throughput
• Operational Simplicity
Tapping of Optical Fiber is Reality
“The Guardian” Report:
… GCHQ was … tapping in to 200 fiber-optic cables to give it the ability to monitor up to 600 million communications every day …
… the GCHQ operation codenamed “Tempora” has been running for 18 months …
… information from Internet and phone use was stored for up to 30 days to be shifted and analyzed …
UK Government Communications Headquarters – GCHQ –
Tapping of Optical Fiber is Reality
Fiber optical networks are susceptible to tapping, bending and splicing attacks.
Encryption / Decryption Model
[Figure: block diagram of the encryption / decryption model]
• Alice (sender): client data input, symmetric key encryption, public key crypto (key), FEC encoder, electro-optic conversion
• Optical channel
• Bob (receiver): opto-electronic conversion, FEC decoder, symmetric key decryption, public key crypto (key), client data output
• Eve (wiretap): opto-electronic conversion, FEC decoder, symmetric key decryption, cryptanalysis (key), data output
FEC: Forward Error Correction
Encryption using G.709* / OTH Link Protocol
Optical channel frame structure (rows 1 to 4, columns 1 to 4080):
Columns      Content
1–14         OTU/ODU overhead
15–16        OPU overhead
17–3824      Encrypted payload
3825–4080    FEC area
OCH overhead | OCh payload | FEC data
Encryption: AES-256 encrypted payload
Key exchange: Authenticated Diffie-Hellman Key Exchange
* S. Gorshe, A tutorial on ITU-T G.709 optical transport networks (OTN), 2010
ODU overhead fields are used for the key exchange protocol.
Key Exchange Data Transmission
Governmental Approval
BSI Approval
• ADVA has obtained the BSI approval for VS-NfD
• 100G Muxponder module: 10TCE-PCN-16GU+AES100G-BSI
• First Layer 1 device listed
https://www.bsi.bund.de/DE/Themen/Sicherheitsberatung/ZugelasseneProdukte/Liste_Produkte/Liste_Produkte_html.html
First and only Layer 1 device approved and listed at German BSI
ADVA's Approach
Post-quantum Encryption for Optical Network
Layer-1 Encryption: AES-256 => quantum-safe
Password based authentication (PACE protocol) => quantum-safe
Message Authentication Code: AES-GCM => quantum-safe
x Key Exchange: Diffie-Hellman => not quantum-safe
We chose McEliece / Niederreiter because …
• Based on the (proven) hardness of the syndrome decoding problem.
• The theory of error-correcting codes is well developed.
• The McEliece cryptosystem was first proposed in 1978 and has not been broken yet.
• Other post-quantum key exchange schemes are relatively new, except for NTRU.
• Large key size is not very critical for optical networks.
NIST Post-quantum Cryptography
• NIST received a total of 82 submissions, two of which have been withdrawn. (05.12.2017)
• There are 65 schemes that have not been officially withdrawn yet. (06.03.2018)
• www.nist.gov/pqcrypto
• https://www.safecrypto.eu/pqclounge/
Niederreiter-Goppa Key Exchange (or KEM)
• Security level: NIST Category 5 (256-bit key)
• IND-CCA security in the ROM: Fujisaki-Okamoto / Dent transform
• There are two submissions:
  • Classic McEliece (https://classic.mceliece.org/)
  • NTS-KEM (https://nts-kem.io/)

KEM               [n, t]        Public Key   Secret Key
Classic McEliece  [8192, 128]   ~1.3 MB      ~14 KB
NTS-KEM           [8192, 136]   ~1.4 MB      ~19 KB
* Performance: NTS-KEM > Classic McEliece
McEliece vs Niederreiter
McEliece
• A generator matrix $G \in \mathbb{F}_2^{k \times n}$
  $c = mG + e \in \mathbb{F}_2^{n}$
• $G = [I_k; Q]$ and $Q$ is used as PK.
• If $n$ is doubled then $c$ is also doubled.
Niederreiter
• A parity check matrix $H \in \mathbb{F}_2^{(n-k) \times n}$
  $c = H \cdot u^T \in \mathbb{F}_2^{n-k}$
• $H = [I_{n-k}; T]$ and $T$ is used as PK.
• If $n$ is doubled, $c$ only increases by the factor $(\log_2(n)+1) / \log_2(n)$.
Comparison
• The security of the Niederreiter and the McEliece schemes is equivalent.
• Niederreiter has (usually) smaller public key / ciphertext length.
$G \cdot H^T = 0$
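A toy run of both schemes on the same code, added here as an illustration and not taken from the talk or from either NIST submission. It assumes a public [7,4] Hamming code (t = 1) in place of the secret Goppa code and writes G as [T^T | I_k] so that it pairs with H = [I_{n-k} | T]; all function names are hypothetical.

```python
# Added toy example: a [7,4] Hamming code (corrects t = 1 error) stands in
# for the secret Goppa code. The code is public, so this offers no security.
from itertools import product

N, K, T_ERR = 7, 4, 1
# T is the (n-k) x k block of H = [I_{n-k} | T] (the Niederreiter public key).
T = [[1, 1, 0, 1],
     [1, 0, 1, 1],
     [0, 1, 1, 1]]
H = [[int(i == j) for j in range(N - K)] + T[i] for i in range(N - K)]
# G = [T^T | I_k] generates the same code, hence G * H^T = 0 over F_2.
G = [[T[i][r] for i in range(N - K)] + [int(r == j) for j in range(K)]
     for r in range(K)]

def syndrome(v):
    """H * v^T over F_2, an (n-k)-bit vector."""
    return [sum(a & b for a, b in zip(row, v)) % 2 for row in H]

def encode(m):
    """m * G over F_2, an n-bit codeword."""
    return [sum(m[r] & G[r][j] for r in range(K)) % 2 for j in range(N)]

def g_times_ht():
    """Rows of G * H^T; every entry must be 0."""
    return [syndrome(row) for row in G]

def mceliece_encrypt(m, e):
    """McEliece: c = mG + e, n bits."""
    return [a ^ b for a, b in zip(encode(m), e)]

def niederreiter_encrypt(e):
    """Niederreiter: c = H * e^T, n-k bits; the plaintext is e itself."""
    return syndrome(e)

# Decoder of the key holder: syndrome -> error vector of weight <= t.
DECODE = {tuple(syndrome(e)): list(e)
          for e in product([0, 1], repeat=N) if sum(e) <= T_ERR}

def niederreiter_decrypt(s):
    return DECODE[tuple(s)]

def mceliece_decrypt(c):
    e = DECODE[tuple(syndrome(c))]  # H*c^T = H*e^T because G*H^T = 0
    return [a ^ b for a, b in zip(c, e)][N - K:]  # message = last k bits

if __name__ == "__main__":
    m, e = [1, 0, 1, 1], [0, 0, 0, 0, 0, 1, 0]  # constructed sample input
    c = mceliece_encrypt(m, e)
    print("McEliece c:", c, "Niederreiter c:", niederreiter_encrypt(e))
    print("same syndrome:", syndrome(c) == niederreiter_encrypt(e))
```

The syndrome of the McEliece ciphertext equals the Niederreiter ciphertext for the same error vector, which is the link between the two schemes; the ciphertext is n = 7 bits in one case and n - k = 3 bits in the other.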
Classic McEliece vs NTS-KEM
• Both are Niederreiter-Goppa KEM.
• Security: Classic McEliece ≈ NTS-KEM
• Performance: NTS-KEM > Classic McEliece
• Mainly due to Albrecht et al. “Efficient Dense Gaussian Elimination over the Finite Field with Two Elements” (https://arxiv.org/abs/1111.6549, 2011)

KEM               Key Pair Avg   Enc Avg    Dec Avg     sk      pk        ct
Classic McEliece  6806781057     12653666   686157417   14080   1357824   240
NTS-KEM           335604669      1081765    2923896     19890   1419704   253
* Extracted from “Performance_Testing_TestPlatform.xlsx” by NIST (16.01.2018)
Best Known Attacks
• Information Set Decoding (ISD)
  • Most efficient attack on code-based crypto
  • D. Bernstein, et al. “Smaller decoding exponents: Ball-collision decoding” in CRYPTO 2011
  • Script by Peters (https://bitbucket.org/cbcrypto/isdfq): time-complexity estimation
• Reaction attack / timing attack
  • Q. Guo, et al. “A key recovery attack on MDPC with CCA security using decoding errors”, in ASIACRYPT 2016
  • Deterministic decoding algorithm or refreshing key every session could prevent this type of attack.
• Quantum Attacks
  • No known quantum algorithms for attacking McEliece
Implementation & Demo Plan
Implementation
• Hardware platform
  • Embedded system with PowerPC processor
  • Limited resources such as cache and memory
• The following versions are implemented (Category 5).
  • Classic McEliece: (8192, 128)
  • NTS-KEM: (8192, 136)
• Key generation
  • A key pair (pk, sk) is generated every session.
Brief Description of Protocol
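[Figure: message sequence between Alice and Bob]
Alice holds: P: password, r: random number, X: public key, x: private key, H: MAC func., K: MAC key
Bob holds: P: password, Y: public key, y: private key, H: MAC func., K: MAC key
• Alice sends AES(r); Bob recovers $r = \mathrm{AES}^{-1}(\mathrm{AES}(r))$
• Alice and Bob exchange X, Y
• Encapsulation: Alice computes (K1, c1) = Encap(Y); Bob computes (K2, c2) = Encap(X)
• Alice and Bob exchange c1, c2
• Decapsulation: Alice computes K2 = Decap(x, c2); Bob computes K1 = Decap(y, c1)
• Both compute K = H(K1, K2, r)
• Alice and Bob exchange tag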
Hybrid Mode: DH + PQC
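[Figure: flow chart]
• Start KEX
• DH KEX produces $K_{DH}$
• PQC? Yes: PQC produces $K_{PQC}$. No: $K_{PQC} = 0$
• KDF takes $K_{DH}$ and $K_{PQC}$ and outputs $K_{AES}$ + IV
DH KEX + KDF: [NIST 800-56A]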
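One way to realise the KDF box of this flow chart, added here as an example and not taken from ADVA's implementation. It assumes Z = K_DH || K_PQC as the KDF input, 32-byte shared secrets, a 12-byte IV and a hypothetical FixedInfo label that also carries the mode; the one-step construction is the SHA-256 concatenation KDF of NIST SP 800-56A.

```python
import hashlib
from typing import Optional, Tuple

# AES-256 key length is from the slides; IV and secret lengths are assumptions.
KEY_LEN, IV_LEN, SECRET_LEN = 32, 12, 32

def concat_kdf(z: bytes, fixed_info: bytes, out_len: int) -> bytes:
    """One-step KDF of NIST SP 800-56A: SHA-256(counter || Z || FixedInfo),
    with a 32-bit big-endian counter starting at 1."""
    out, counter = b"", 1
    while len(out) < out_len:
        out += hashlib.sha256(counter.to_bytes(4, "big") + z + fixed_info).digest()
        counter += 1
    return out[:out_len]

def derive_session_keys(k_dh: bytes, k_pqc: Optional[bytes]) -> Tuple[bytes, bytes]:
    """Return (K_AES, IV). k_pqc=None models the 'PQC? No' branch: K_PQC = 0."""
    pqc_used = k_pqc is not None
    if not pqc_used:
        k_pqc = bytes(SECRET_LEN)
    if len(k_dh) != SECRET_LEN or len(k_pqc) != SECRET_LEN:
        # Fixed lengths keep the split between K_DH and K_PQC unambiguous.
        raise ValueError("both shared secrets must be 32 bytes")
    # Assumption: Z = K_DH || K_PQC, and the mode is bound into FixedInfo so
    # the DH-only and hybrid derivations are domain-separated.
    fixed_info = b"L1-KEX-demo|" + (b"DH+PQC" if pqc_used else b"DH-only")
    okm = concat_kdf(k_dh + k_pqc, fixed_info, KEY_LEN + IV_LEN)
    return okm[:KEY_LEN], okm[KEY_LEN:]

if __name__ == "__main__":
    k_dh = bytes(range(32))        # constructed sample secrets, not real KEX output
    k_pqc = bytes(range(32, 64))
    for label, pq in (("hybrid ", k_pqc), ("DH only", None)):
        key, iv = derive_session_keys(k_dh, pq)
        print(label, key.hex(), iv.hex())
```

Because both secrets enter one hash input, the session key stays unpredictable as long as either the DH secret or the KEM secret remains unknown to the attacker.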
Brief Description of Protocol - Hybrid
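[Figure: message sequence between Alice and Bob, hybrid mode]
Alice holds: P: password, r: random number, DH: (xDH, XDH), PQ: (xPQ, XPQ), H: MAC func., K: MAC key
Bob holds: P: password, DH: (yDH, YDH), PQ: (yPQ, YPQ), H: MAC func., K: MAC key
• Alice sends AES(r); Bob recovers $r = \mathrm{AES}^{-1}(\mathrm{AES}(r))$
• Alice: $X_{DH} = g^{x_{DH}}$, $X = X_{DH} \| X_{PQ}$
• Bob: $Y_{DH} = g^{y_{DH}}$, $Y = Y_{DH} \| Y_{PQ}$
• Alice and Bob exchange X, Y
• Encapsulation: Alice computes (K1, c1) = Encap(YPQ); Bob computes (K2, c2) = Encap(XPQ)
• Alice and Bob exchange c1, c2
• Decapsulation: Alice computes K2 = Decap(xPQ, c2); Bob computes K1 = Decap(yPQ, c1)
• MAC key, one expression per side: K=H( K0, K1, gxDHyDH+r ) and K=H( K1, K2, gxDHyDH+r )
• Alice and Bob exchange tag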
Comparison of Data Transmission Time
[Figure: data transmission time for Goppa (n, t) = (8192, 128) and QC-MDPC (n, t) = (65542, 264)]
$T_k = f_k \times N / b$
N: amount of data for key exchange
$f_k$: ODUk frame period
b: the number of overhead bytes used
The 100G Encryption Demo
[Figure: demo setup with three stations: local “Sender”, remote “Receiver” and intermediate “Hacker” attached through an optic coupler. Components shown: XG-210, WCC-AES100G, 4CSM Filter, 4CSM Filter & EDFA VGC; each station has video and CLI.]
Summary
We have implemented a post-quantum key exchange protocol on an optical network.
• Classic McEliece and NTS-KEM
We claim at least 2^128 post-quantum security, which is well matched with AES-256.
We support a hybrid mode (DH + PQ) for the safe transition from classical to quantum crypto.
Acknowledgements
This work has been performed in the framework of the CELTIC EUREKA project
SENDATE-Secure-DCI (Project ID C2015/3-4), and it is partly funded by the
German BMBF (Project ID 16KIS0477K).
Thank you
IMPORTANT NOTICE
The content of this presentation is strictly confidential. ADVA Optical Networking is the exclusive owner or licensee of the content, material, and information in this presentation. Any reproduction, publication or reprint, in whole or in part, is strictly prohibited.
The information in this presentation may not be accurate, complete or up to date, and is provided without warranties or representations of any kind, either express or implied. ADVA Optical Networking shall not be responsible for and disclaims any liability for any loss or damages, including without limitation, direct, indirect, incidental, consequential and special damages, alleged to have been caused by or in connection with using and/or relying on the information contained in this presentation.
Copyright © for the entire content of this presentation: ADVA Optical Networking.