Security Evaluation of Post‐Quantum Cryptography
Recent Developments of Post‐Quantum Cryptography
Tsuyoshi Takagi
Kyushu University, Institute of Mathematics for Industry
http://imi.kyushu-u.ac.jp/~takagi/en/
Workshop on Cyber Security between RHUL and Kyushu Univ.
February 29, 2016.
Cryptography in Modern Society
Old Cryptography: special technology used for limited purposes
Contemporary Cryptography: technology in daily use
Cryptography is a fundamental technology.
http://www.e-gov.go.jp/
History of Public‐Key Cryptography
[Timeline figure, 1980 to 2030. Quantum milestones marked: Rabi Model (1944), Shor Algorithm, IBM's NMR Quantum Computer, Haroche-Wineland's Quantum Experiments. Each cryptosystem is shown moving from a research phase to being widely used.]
• RSA (widely used, e.g. in SSL; integer factorization problem)
• Elliptic Curve Cryptography (short keys, used in embedded devices)
These cryptosystems are no longer secure in the era of quantum computers.
• Post-quantum cryptography (PQC) (code-based, lattice-based, multivariate polynomial based, etc.)
long-term security, efficient implementation, fully homomorphic encryption, multi-linear maps
Trend in Post‐Quantum Cryptography
• National Security Agency (NSA) announced preliminary plans for transitioning to quantum resistant algorithms in August 2015. https://www.nsa.gov/ia/programs/suiteb_cryptography/
• Recent Workshops
  January 2015, DIMACS Workshop on The Mathematics of Post‐Quantum Cryptography: http://dimacs.rutgers.edu/Workshops/Post-Quantum
  April 2015, NIST Workshop on Cybersecurity in a Post‐Quantum World: http://www.nist.gov/itl/csd/ct/post-quantum-crypto-workshop-2015.cfm
  September 2015, Dagstuhl Seminar ‐ Quantum Cryptanalysis: https://www.dagstuhl.de/en/program/calendar/semhp/?semnr=15371
  November 2015, ETSI Workshop on Quantum‐safe Cryptography
  February 2016, PQCrypto 2016: https://pqcrypto2016.jp/
• Big Research Projects
  Post‐quantum cryptography for long‐term security: http://pqcrypto.eu.org/
  CROSSING: https://www.crossing.tu-darmstadt.de/
  JST CREST CryptoMath: https://cryptomath-crest.jp/
PQCrypto 2016
• Winter School February 22‐23, 2016, Fukuoka, Japan.
• NIST announced a preliminary plan of quantum‐resistant algorithms for potential standardization.
Interaction: Crypto and Math
[Diagram. Labels: Historical Success; Conventional Cryptography; Theory of Computation; Number Theory; Algebraic Geometry; Advances of Mathematical Theory required for Cryptography; Mathematical Modeling of Multi‐Functional Next‐Generation Cryptography using wide‐range Mathematical Theories; Mathematics; Modeling of the Strongest Possible Attacks; Quantum Computation; Representation Theory; Quantum Field Theory; Mathematical Physics; Lattice Theory; Multivariate Polynomial Theory]
Security Evaluation Cycle
[Cycle diagram. Labels: New Scheme; Security Evaluation; Practical Use; Expiring key size; Stress Test; New attack algorithm; "How many bits are secure?"; "How about this attack?"; discussion in public conferences; Computer speed-up; New cryptanalyses]
Cycle of about 10 years
Cryptography Research and Evaluation Committees in Japan
http://www.cryptrec.go.jp/
Example of RSA public key
Current record for factoring integers
• January 2010, 768 bits, 1500 CPU years, Aoki et al.
• 1230186684530117755130494958384962720772853569595334792197322452151726400507263657518745202199786469389956474942774063845925192557326303453731548268507917026122142913461670429214311602221240479274737794080665351419597459856902143413= 33478071698956898786044169848212690817704794983713768568912431388982883793878002287614711652531743087737814467999489×36746043666799590428244633799627952632279158164343087642676032283815739666511279233373417143396810270092798736308917
Estimation for Key Length of RSA
Computational cost for finishing the sieving step within one year (updated July 2015)
[Figure: cost levels for RSA 768 bits, RSA 1024 bits, RSA 1536 bits and RSA 2048 bits, plotted against the supercomputers Tianhe‐2, Titan, K and Sequoia]
Candidates of Post‐Quantum Cryptography
• Hash‐based signature schemes
• Code‐based cryptosystems
• Multivariate cryptosystems
• Lattice‐based cryptosystems
• etc.
Lattice‐based Cryptography
A lattice is the set of all integer combinations of linearly independent vectors . As , , .
Shortest vector problem (SVP): find the shortest vectors in the lattice of given basis , , .
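The definition above, worked in dimension 2 as an added example (not part of the original slides): Lagrange-Gauss reduction finds a shortest vector exactly in that dimension, and a brute-force enumeration over integer coefficients cross-checks it. The basis B1, B2 and all function names are constructed for illustration.

```python
from itertools import product

def dot(u, v):
    return u[0] * v[0] + u[1] * v[1]

def round_div(a, b):
    """Nearest integer to a / b for b > 0, in exact integer arithmetic."""
    return (2 * a + b) // (2 * b)

def lagrange_reduce(u, v):
    """Lagrange-Gauss reduction of a 2-dimensional basis; returns (shortest, second)."""
    if dot(u, u) > dot(v, v):
        u, v = v, u
    while True:
        m = round_div(dot(u, v), dot(u, u))   # size-reduce v against u
        v = (v[0] - m * u[0], v[1] - m * u[1])
        if dot(v, v) >= dot(u, u):
            return u, v                       # u is a shortest nonzero lattice vector
        u, v = v, u

def enumerate_shortest(b1, b2, bound):
    """Brute-force SVP: test every x1*b1 + x2*b2 with |x1|, |x2| <= bound."""
    best = None
    for x1, x2 in product(range(-bound, bound + 1), repeat=2):
        if (x1, x2) == (0, 0):
            continue                          # the zero vector does not count
        w = (x1 * b1[0] + x2 * b2[0], x1 * b1[1] + x2 * b2[1])
        if best is None or dot(w, w) < dot(best[0], best[0]):
            best = (w, (x1, x2))
    return best

# Constructed input: a long, nearly parallel basis of the lattice that is
# also generated by the short vectors (3, 1) and (-1, 4).
B1, B2 = (16, 27), (9, 16)

if __name__ == "__main__":
    short, second = lagrange_reduce(B1, B2)
    print("reduced basis:", short, second, "squared norm:", dot(short, short))
    w, coeffs = enumerate_shortest(B1, B2, bound=10)
    print("enumeration:  ", w, "=", coeffs, "in terms of B1, B2")
```

The enumeration tests (2·bound + 1)^2 coefficient pairs here and (2·bound + 1)^n in dimension n, and the exact two-dimensional reduction has no equally cheap counterpart in high dimension.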
Darmstadt Lattice Challenge
https://www.latticechallenge.org/
• SVP Challenge / Lattice Challenge (since 2008)
• Ideal Lattice Challenge (since 2013)
Darmstadt Ideal Lattice Challenge
Instance: HNF of Random Lattice
Target vector s.t. n det^{1/n}.
Cost Estimation by Simulator
224.0 sec
220.7 sec
Our simulator gives a sharp estimation.
Multivariate Public‐Key Cryptography (MPKC)
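MQ problem
MPKC are public key cryptosystems whose security depends on the difficulty in solving a system of multivariate quadratic polynomials with coefficients in a finite field .
MQ problem: find a solution of the system of multivariate equations:
$$
\begin{aligned}
f_1(x_1,\ldots,x_n) &= \sum_{1 \le i \le j \le n} a_{ij}^{(1)} x_i x_j + \sum_{1 \le i \le n} b_i^{(1)} x_i + c^{(1)} = d_1 \\
f_2(x_1,\ldots,x_n) &= \sum_{1 \le i \le j \le n} a_{ij}^{(2)} x_i x_j + \sum_{1 \le i \le n} b_i^{(2)} x_i + c^{(2)} = d_2 \\
&\;\;\vdots \\
f_m(x_1,\ldots,x_n) &= \sum_{1 \le i \le j \le n} a_{ij}^{(m)} x_i x_j + \sum_{1 \le i \le n} b_i^{(m)} x_i + c^{(m)} = d_m
\end{aligned}
$$
It is believed that it is difficult to solve the (general) MQ problem.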
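An added example, not from the original slides, of the baseline attack on the MQ problem: exhaustive search over all 2^n assignments for a planted instance. It assumes the field GF(2) and m = 2n (the ratio seen in the record table on this page); the instance generator, seed and function names are constructed for illustration.

```python
import itertools
import random

def random_poly(n, rng):
    """One random quadratic polynomial over GF(2), stored as (a, b, c)."""
    a = [(i, j) for i in range(n) for j in range(i + 1, n) if rng.getrandbits(1)]
    b = [i for i in range(n) if rng.getrandbits(1)]  # x_i^2 = x_i over GF(2), so i == j folds into b
    c = rng.getrandbits(1)
    return a, b, c

def evaluate(poly, x):
    """Evaluate sum a_ij x_i x_j + sum b_i x_i + c modulo 2."""
    a, b, c = poly
    value = c
    for i, j in a:
        value ^= x[i] & x[j]
    for i in b:
        value ^= x[i]
    return value

def planted_instance(n, m, seed):
    """Constructed MQ instance: m equations f_k(x) = d_k with a known solution."""
    rng = random.Random(seed)
    secret = tuple(rng.getrandbits(1) for _ in range(n))
    polys = [random_poly(n, rng) for _ in range(m)]
    d = [evaluate(p, secret) for p in polys]
    return polys, d, secret

def exhaustive_search(polys, d, n):
    """Try all 2^n assignments; return (solutions, number of assignments tested)."""
    solutions, tested = [], 0
    for x in itertools.product((0, 1), repeat=n):
        tested += 1
        # all() stops at the first violated equation, so most candidates are rejected early
        if all(evaluate(p, x) == dk for p, dk in zip(polys, d)):
            solutions.append(x)
    return solutions, tested

if __name__ == "__main__":
    for n in (8, 12, 16):
        polys, d, secret = planted_instance(n, 2 * n, seed=2016)
        solutions, tested = exhaustive_search(polys, d, n)
        print(f"n={n:2d} m={2 * n:2d} tested={tested:6d} "
              f"solutions={len(solutions)} planted found={secret in solutions}")
```

Each extra variable doubles the number of assignments tested, which is why challenge records are reported as wall-clock time for a given (m, n).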
MQ Challenge
Starting from April 2015
https://www.mqchallenge.org/
Current records
• Type I ( )
m    n   time (seconds)
110  55  963.53
112  56  2254.21
114  57  5096.94
116  58  10391.10
118  59  18357.53
120  60  23536.88
122  61  80244.52
Conclusion
• The attack technology is developing further.
• We need to keep investigating the security of (post‐quantum) cryptosystems.
• Challenge problems are used for estimating the computational upper limit of expected attackers.
Thank you!
Q&A