
OPEN QUANTUM SAFE - LIBOQS

VLAD GHEORGHIU (1,2,3)

[email protected] [email protected]

ETSI-IQC 6th Quantum Safe Workshop, Nov. 8, Beijing, China

1 Institute for Quantum Computing, 2 evolutionQ Inc., 3 softwareQ Inc.

© COPYRIGHT 2018 VLAD GHEORGHIU, ALL RIGHTS RESERVED

QUANTUM COMPUTING - BOTH A BLESSING AND A CURSE

Powerful new quantum technologies are emerging, which promise tremendous benefits… but also pose serious threats to our communications, control and information security.


TODAY - PUBLIC KEY CRYPTOGRAPHY IS SAFE

▸ Cyber criminals look for poor design, configuration errors, user mistakes or poor practices. It’s practically impossible to attack the underlying mathematics.

Encrypting is EASY: 3967241 x 5289737 = 20985661505617

Codebreaking is HARD! 506680360140974948323 = ???????????? x ????????????


TOMORROW - PUBLIC KEY CRYPTOGRAPHY IS BROKEN

▸ Quantum computers will easily solve the mathematical problems at the core of today’s public-key cryptography

Encrypting is EASY: 3967241 x 5289737 = 20985661505617

Codebreaking is EASY! 506680360140974948323 = 13561998077 x 37360303199


WHAT WILL BE AFFECTED?

▸ Products, services, business functions that rely on security products will either stop functioning or not provide the expected levels of security

▸ Not everything is broken: symmetric cryptography (e.g. AES, hash functions etc.) is only weakened. Double key sizes!

Affected areas: cloud computing, payment systems, Internet, IoT, eHealth

Algorithms: RSA, DSA, DH, ECDH, ECDSA, AES, 3-DES, SHA, …

Affected uses: Secure web browsing - TLS/SSL; Auto-updates - Digital signatures; VPN - IPSec; Secure email - S/MIME; PKI


WHAT CAN WE DO NOW TO PROTECT?

▸ Be proactive and don’t wait!

▸ Use a hybrid approach, post-quantum cryptography + currently deployed cryptography

▸ Experiment with various solutions
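As an added illustration of the hybrid bullet above (this is not code from the talk or from the liboqs project): a classical shared secret and a post-quantum KEM shared secret are fed together through HKDF, so the resulting session key stays secret as long as at least one of the two primitives is unbroken. It uses only the Python standard library; the two secrets, the salt label and the context string are constructed placeholders, and in a real handshake they would come from e.g. ECDH and a liboqs KEM decapsulation plus the handshake transcript.

```python
"""Hybrid key derivation: combine a classical shared secret with a post-quantum
KEM shared secret so the session key is safe as long as either primitive holds."""
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = 32


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) || info || i)."""
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hybrid_key(classical_ss: bytes, pq_ss: bytes, context: bytes, length: int = 32) -> bytes:
    """Derive one session key from both shared secrets.

    Each input is length-prefixed before concatenation so that two different
    (classical, pq) pairs can never produce the same IKM byte string.
    ``context`` binds the key to the transcript (algorithm names, public keys,
    ciphertexts) so the same secrets yield different keys in different runs.
    """
    ikm = (len(classical_ss).to_bytes(2, "big") + classical_ss
           + len(pq_ss).to_bytes(2, "big") + pq_ss)
    prk = hkdf_extract(b"hybrid-kdf-salt-v1", ikm)   # fixed salt label: an assumption
    return hkdf_expand(prk, b"hybrid session key" + context, length)


# Constructed stand-ins for the two shared secrets; in a real handshake the first
# would come from e.g. ECDH and the second from a liboqs KEM decapsulation.
CLASSICAL_SS = bytes.fromhex("00112233445566778899aabbccddeeff"
                             "ffeeddccbbaa99887766554433221100")
PQ_SS = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0"
                      "f0e1d2c3b4a5968778695a4b3c2d1e0f")
CONTEXT = b"ecdh-p256+frodokem-640 | constructed transcript hash"


def attacker_view_demo() -> dict:
    """Show that knowing only one of the two secrets does not give the session key.

    An adversary who has broken one primitive is modelled as knowing that secret
    and having to guess the other (here: guessing all zeros).
    """
    unknown = bytes(HASH_LEN)
    return {
        "honest": hybrid_key(CLASSICAL_SS, PQ_SS, CONTEXT),
        # classical primitive broken (e.g. by a quantum computer), PQ secret unknown
        "knows_classical_only": hybrid_key(CLASSICAL_SS, unknown, CONTEXT),
        # PQ scheme broken by a new classical attack, classical secret unknown
        "knows_pq_only": hybrid_key(unknown, PQ_SS, CONTEXT),
    }


if __name__ == "__main__":
    for name, key in attacker_view_demo().items():
        print(f"{name:22s} {key.hex()}")
```

The design point is that the combiner is a PRF over both secrets: the key is only as weak as the stronger of the two inputs, which is what makes the hybrid deployment a safe transition step while post-quantum schemes are still being evaluated.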


openquantumsafe.org


LIBOQS – HTTPS://GITHUB.COM/OPEN-QUANTUM-SAFE/LIBOQS


LIBOQS

▸ Open source, runs on UNIX/Linux/Windows/ARM etc.

▸ Collaborative effort. Project leaders: Michele Mosca and Douglas Stebila (University of Waterloo).

▸ Prototype post-quantum cryptography in protocols and applications

▸ Incorporates and adapts a variety of open source cryptographic software

▸ Testing new algorithms (allows algorithm switching both at compile-time and run-time)

▸ Benchmarking suite, continuous integration

▸ Long term goal: support the development and prototyping of quantum-resistant cryptography (NIST submissions etc.)


DETAILS

▸ 2 main branches (2 "philosophies"): master and nist-branch

▸ master: more selective, algorithms need to be unbroken and meet certain security criteria; we will possibly make changes to implementations' source code, including improvements from static analysis and other quality improvements. We aim to make releases of liboqs master branch every 2 to 3 months. Plans for each individual release can be found on our Github projects board.

▸ nist-branch: incorporate submissions to the NIST Post-Quantum Cryptography project for purposes of benchmarking and integration into a common API. Use for experimentation, not for production-ready code. Aims to incorporate as many NIST submissions as possible; we will not be selective, will aim to make no changes to implementations' code, and will make no promises about quality of algorithms or implementations.

▸ "light touch" approach to incorporation

▸ source code from a NIST submission will be included ideally with no changes, in an "upstream" subdirectory

▸ a thin wrapper will be written to provide the implementation using the liboqs API

▸ if an algorithm in nist-branch is found to be insecure in month $X$, a compile-time warning will be added in the tagged snapshot for month $X+1$, and it may be removed in month $X+2$


SELECTION CRITERIA

▸ Algorithmic requirements:

▸ The algorithm must be submitted to the NIST Post-Quantum Cryptography project, or posted as update to an existing algorithm, and must be present in the current round

▸ Algorithms whose security is considered effectively broken are not eligible for addition; see the Lifecycle section below for conditions on their removal

▸ KEMs can be IND-CPA or IND-CCA-secure, at any NIST security level

▸ Signature schemes can be EUF-CMA-secure, at any NIST security level

▸ Targets:

▸ Operating systems: The code must build on Linux and macOS, add Windows in the future

▸ Architecture: The code must build at least on x64. Targets are currently provided for x86. We plan to add an AVX2 target, and possibly others.

▸ Quality control: Continuous integration (Travis-CI), AppVeyor


SELECTION CRITERIA

▸ Source code requirements:

▸ The source code can be from the original submission, or can be an updated version

▸ License: Source code licensed under the MIT License, the BSD license, or in the public domain can be directly incorporated into the repository. GPL code will not be included in the repository, but a wrapper to the OQS API may be included, as well as a script that downloads and compiles in GPL code if the algorithm is requested at compile-time.

▸ Code quality: Given the "light touch" philosophy of nist-branch, we have no requirements on source code quality, other than that it compile on the targets


CURRENTLY SUPPORTED KEY EXCHANGE ALGORITHMS AND SIGNATURES - MASTER BRANCH

▸ Learning with errors (LWE)

▸ FrodoKEM

▸ Ring learning with errors (RLWE)

▸ NewHopeNIST

▸ Supersingular isogeny Diffie-Hellman (SIDH)

▸ SIKE, SIDH

▸ Code-based

▸ BIKE

▸ Signatures

▸ Picnic (hash-based), qTesla (decisional RLWE)


CURRENTLY SUPPORTED KEY EXCHANGE ALGORITHMS AND SIGNATURES - NIST BRANCH

▸ Learning with errors (LWE)

▸ FrodoKEM

▸ Ring learning with errors (RLWE)

▸ NewHopeNIST, LIMA

▸ Module learning with errors (MLWE)

▸ BIG QUAKE, CRYSTALS-KYBER, SABER, Dilithium (also based on Module-Short Integer Solution (M-SIS))

▸ Middle-product learning with errors (MP-LWE)

▸ Titanium CCA

▸ Supersingular isogeny Diffie-Hellman (SIDH)

▸ SIKE, SIDH

▸ Code-based

▸ BIKE (Quasi-Cyclic Syndrome Decoding), LedaKEM (Niederreiter)

▸ Signatures

▸ Picnic (hash-based), qTesla (decisional RLWE)

THANK YOU

Vlad Gheorghiu

Post-doctoral fellow Institute for Quantum Computing, University of Waterloo

Co-Founder and CEO softwareQ Inc. www.softwareq.ca

Quantum Risk Researcher at evolutionQ Inc. www.evolutionq.com

[email protected] [email protected]