Yi-Kai Liu
US National Institute of Standards and Technology
(NIST)
NIST PQC team: Lily Chen, Stephen Jordan, Dustin Moody, Rene Peralta, Ray Perlner, Daniel Smith
Email: [email protected]
Security is hard to measure!
Want to have a transparent justification: why is this secure?
Continuing to use RSA is risky; is there a benefit to using PQC?
◦ Diversity/redundancy in security
What does security mean?
◦ Breaking the cryptosystem is computationally hard, e.g., requires 2^256 operations
Show security against known attacks
◦ Try all known attacks, show that they are infeasible
How to protect against unknown attacks?
◦ New attacks, new discoveries in mathematics?
◦ Try to argue that these are “unlikely”
Security proofs (based on mathematical conjectures)
Design cryptosystems to defeat common classes of attacks
Lattice basis reduction
◦ LLL, BKZ, enumeration + extreme pruning
◦ Practical performance beats theoretical guarantees
What problem instances?
How to measure solution quality?
Tradeoffs between different algorithms
Gröbner basis reduction
◦ General algorithm for solving multivariate systems of equations
◦ Running time may depend on special structure present in the equations
“Learning a parallelepiped”
◦ Breaks old versions of NTRUSign
◦ NTRUSign can be repaired using perturbations; is this secure?
◦ Other lattice-based signatures are provably secure; recent work has improved their efficiency
Differential attacks
◦ Break certain multivariate cryptosystems (e.g., SFLASH)
◦ HFE, unbalanced oil/vinegar are still ok
Lattice reduction attacks
◦ Break some versions of McEliece using LDPC codes
◦ Standard McEliece is still ok
Estimate the complexity of the known attacks
◦ Run experiments on small instances of the problem
◦ Then extrapolate to larger problem sizes
Adjust the cryptosystem to defeat these attacks

Type of attack | Complexity of attack | Countermeasure
General-purpose algorithm | Exponential time | Increase the key size
Exploit some special structure in the problem | Varies, can be polynomial time | Design the cryptosystem to avoid that structure (reduced efficiency)
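As an added example (not from the slides), the "run small instances, then extrapolate" step in code: it fits an exponential cost model to constructed small-instance measurements of a hypothetical attack, reports how well the model fits, and solves for the parameter size that pushes the extrapolated cost past a target such as 2^128 operations (the "increase the key size" countermeasure from the table). The attack, the parameter n and the measured counts are all invented for illustration.

```python
"""Extrapolating attack cost from small-instance experiments.

Added example, not from the slides. Models the cost of a hypothetical attack
as T(n) = 2^(a*n + b) in the security parameter n, fits a and b by least
squares on log2(T), and solves for the smallest n whose extrapolated cost
reaches a target such as 2^128 operations.
"""
import math

# Constructed sample data: (parameter n, operations counted by a hypothetical
# attack implementation). Invented for illustration; not from any real
# lattice-reduction or Groebner-basis experiment.
SAMPLE_RUNS = [
    (40, 2 ** 14.2),
    (50, 2 ** 16.9),
    (60, 2 ** 20.1),
    (70, 2 ** 22.8),
    (80, 2 ** 26.3),
]


def fit_exponential(runs):
    """Least-squares fit of log2(T) = a*n + b over (n, T) pairs; returns (a, b)."""
    xs = [n for n, _ in runs]
    ys = [math.log2(t) for _, t in runs]
    mean_x = sum(xs) / len(xs)
    mean_y = sum(ys) / len(ys)
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    a = sxy / sxx
    return a, mean_y - a * mean_x


def max_residual_bits(runs, a, b):
    """Largest gap (in bits) between model and measurements; a large value
    means the exponential model fits poorly and extrapolation is untrustworthy."""
    return max(abs(math.log2(t) - (a * n + b)) for n, t in runs)


def minimum_parameter(a, b, target_bits):
    """Smallest n whose extrapolated cost is at least 2^target_bits."""
    return math.ceil((target_bits - b) / a)


if __name__ == "__main__":
    a, b = fit_exponential(SAMPLE_RUNS)
    print(f"model: log2 T(n) = {a:.3f} n + {b:.3f}, "
          f"max residual {max_residual_bits(SAMPLE_RUNS, a, b):.2f} bits")
    print("n for 2^128 operations:", minimum_parameter(a, b, 128))
```

The residual check matters because the slides note that practical lattice-reduction performance beats the theoretical guarantees: a model chosen from theory may not match what the experiments actually show.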
Could there be other attacks that we haven’t discovered yet?
Faster general-purpose algorithms?
◦ Probably not…
More specialized attacks?
◦ Attacks on ideal lattices, compact McEliece cryptosystems?
◦ (These cryptosystems have special structure, to improve efficiency)
Theoretical tools for thinking about security
◦ Security proofs
◦ Impossibility of special classes of attacks
Why is a particular cryptosystem secure?
Can we reason about the possible existence of attacks that haven’t been discovered?
◦ Designing a public-key cryptosystem is “harder” than designing a block cipher or a hash function
◦ Want to avoid unpleasant surprises! (e.g., new discoveries that lead to poly-time attacks)
Goal: rule out the existence of attacks
Method: relate the security of a cryptosystem to another problem that we understand better
◦ Factoring, discrete logs
◦ Finding short lattice vectors
◦ Solving multivariate systems of equations
Perspective from complexity theory:
◦ Public-key cryptography requires very hard problems
Average-case instances must be hard
Need to generate hard instances efficiently
Need trapdoor one-way functions
Conjecture: “Problem Π is hard”
◦ Do we believe this conjecture?
E.g., lattice-based crypto: general lattices seem hard, because of the connection with integer programming; the situation for ideal lattices is less clear
Theorem: “If you can break cryptosystem C, you can solve problem Π”
◦ How strong is the connection between C and Π?
E.g., lattice-based crypto: very strong connection (“worst-case to average-case reduction”)
Have to define “security”
◦ Different notions: CPA < CCA < UC
◦ May not fully describe the real world (e.g., side channels)
Additional assumptions are often needed to prove security for practical cryptosystems
◦ Assume ideal lattices are hard
◦ Work in the random oracle model
Use the security proof to choose key sizes?
◦ Security proof gives a lower bound on security
◦ Bound can be very loose => not useful in practice
On the positive side…
Security proofs help to constrain the space of possible attacks
◦ Argue that polynomial-time attacks are unlikely… (would require surprising discoveries)
Some specific attacks one might worry about
◦ Differential attacks in multivariate crypto
◦ Shor’s algorithm, hidden subgroup problems
◦ Grover’s search algorithm
Can prove limits on the power of these attacks!
Differential attacks in multivariate crypto
◦ Find and classify all “differential invariants”
◦ Can rule out all possible differential attacks! (Perlner & Smith, 2013)
Quantum algorithms for hidden subgroup problems
◦ Generalizations of Shor’s algorithm to other groups
◦ Unlikely to get a poly-time quantum algorithm for the symmetric group (Moore & Russell)
Lower bounds on quantum query complexity
◦ For black-box problems, e.g., search and collision finding
◦ Known quantum algorithms are nearly optimal
◦ Rules out the possibility of a super-polynomial quantum speedup
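As an added illustration, not from the slides, of how a query lower bound turns into a parameter choice: for exhaustive search over a $k$-bit key, the black-box problem has $N = 2^k$ candidates, and

$$
\text{Grover: } O(\sqrt{N}) = O(2^{k/2}) \text{ queries}, \qquad
\text{BBBV lower bound: } \Omega(\sqrt{N}) \text{ queries},
$$

so every quantum black-box search costs $\Theta(2^{k/2})$ queries and no such attack can do better than a square-root speedup; keeping $k$ bits of security against it means a $2k$-bit key. Collision finding behaves the same way with $\Theta(N^{1/3})$ (the Brassard, Høyer and Tapp algorithm matched by the Aaronson and Shi lower bound), so $k$-bit quantum collision resistance needs a $3k$-bit hash output instead of the classical $2k$.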
Different approaches to evaluating security
◦ Estimating the performance of known attacks
◦ Using security proofs and formal analysis to rule out the existence of unknown attacks
Open questions
◦ Many cryptosystems use lattices/codes/equations with special structure; how does this affect security?
◦ How to measure the complexity of a quantum attack?
◦ How well do these cryptosystems perform with other protocols in the real world?