1/20  Post-Quantum TLS
Presenter: Jong-Shian Wu, Department of Electrical Engineering, National Taiwan University, Taiwan
December 12, 2014

2/20  Thanks to my coauthors
- Yun-An Chang, National Taiwan University
- Ming-Shing Chen, National Taiwan University
- Bo-Yin Yang, Academia Sinica

3/20  Outline
- Issues on TLS
  - Attacks from quantum computers
  - TLS handshake and our changes
  - Our contributions
- Selected post-quantum primitives
  - MPKC signature
  - RLWE authenticated key exchange
- Benchmarks
- Conclusion


5/20  Various issues and attacks on TLS
- A badly designed protocol
- Too complicated
- Issues from the protocol itself and from implementations:
  - Renegotiation attack
  - Version rollback attacks
  - BEAST attack
  - CRIME and BREACH attacks
  - Padding attacks
  - POODLE attack
  - RC4 attacks
  - Truncation attack
  - Heartbleed bug
  - ...


6/20  Attacks from quantum computers
- Emerging threats for popular PKCs; in particular, TLS is not quantum-safe!
- Shor's algorithm solves the following problems on a quantum computer in polynomial time:
  - Integer factorization (the basis of RSA encryption and signatures)
  - Discrete logarithm problem in elliptic curve groups (the basis of ECDH)
- We need post-quantum cryptography to counteract attacks from quantum computers.


7/20  What we change in the TLS handshake

Client                               Server
ClientHello                  -->
                             <--     ServerHello
                                     Certificate*
                                     ServerKeyExchange*
                                     CertificateRequest*
                                     ServerHelloDone
Certificate*
ClientKeyExchange
CertificateVerify*
(plaintext above this line; ciphertext below)
ClientFinished               -->
                             <--     ServerFinished

Messages coloured orange/red on the original slide need post-quantum PKC.
Messages marked * are not always sent, depending on the situation.

8/20  Our contributions
- Reinventing the wheel is not an option: building a new TLS library from scratch would be too complicated.
- We chose to modify PolarSSL, a lightweight library with a well-documented codebase: binary code size < 1 MB, run-time memory requirement < 128 KB.
- We present a fully post-quantum TLS implementation:
  - Multivariate digital signature
  - Lattice-based key exchange



10/20  MQ hard problem and multivariate PKC (MPKC)

MQ: given coefficients P_ik, Q_ik, R_ijk and z = (z_1, ..., z_m), it is hard to find w = (w_1, ..., w_n) such that

$$
P:\ \begin{cases}
\sum_i P_{i1} w_i + \sum_i Q_{i1} w_i^2 + \sum_{i>j} R_{ij1} w_i w_j = z_1 \\
\quad\vdots \\
\sum_i P_{im} w_i + \sum_i Q_{im} w_i^2 + \sum_{i>j} R_{ijm} w_i w_j = z_m
\end{cases}
$$

In MPKC, P is a composition of secret maps S, Q and T:

$$ P := T \circ Q \circ S $$

where S and T are randomly chosen invertible linear maps and Q is an invertible quadratic form.
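A toy instance of this structure, as an added example (not the TTS/Rainbow code of PQ-polarssl), over F31 with n = m = 2: S and T are random invertible 2x2 matrices, Q is a small triangular quadratic map assumed here so that it is trivially invertible, and the public key is recovered as the coefficients P_ik, Q_ik, R_ijk by evaluating P on unit vectors. The signer inverts the three layers in turn; the verifier only evaluates the public quadratic system.

```python
# Toy MPKC signature in the slide's P := T o Q o S form (added example, not the TTS/Rainbow
# code of PQ-polarssl); the central map Q is a small triangular quadratic map assumed here.
import random
q, n = 31, 2                    # F31 as in the TTS/Rainbow table; toy size n = m = 2

def mat_vec(M, v):
    return [sum(a * b for a, b in zip(row, v)) % q for row in M]

def mat_inv(M):                 # 2x2 inverse over F_q; None if singular
    (a, b), (c, d) = M
    det = (a * d - b * c) % q
    if det == 0:
        return None
    di = pow(det, -1, q)
    return [[d * di % q, -b * di % q], [-c * di % q, a * di % q]]

def central(x):                 # Q: (x0, x1) -> (x0, x1 + x0^2)
    return [x[0], (x[1] + x[0] * x[0]) % q]

def central_inv(y):
    return [y[0], (y[1] - y[0] * y[0]) % q]

def keygen(seed=7):
    rnd, mats = random.Random(seed), []
    while len(mats) < 2:        # S, T: random invertible linear maps
        M = [[rnd.randrange(q) for _ in range(n)] for _ in range(n)]
        if mat_inv(M) is not None:
            mats.append(M)
    S, T = mats
    P = lambda w: mat_vec(T, central(mat_vec(S, w)))   # P := T o Q o S
    e = lambda i, s=1: [s if j == i else 0 for j in range(n)]
    Pc, Qc, Rc = [], [], {}     # public key: coefficients P_ik, Q_ik, R_ijk
    for i in range(n):
        a, b = P(e(i)), P(e(i, 2))    # a = P_i + Q_i, b = 2P_i + 4Q_i (per output k)
        Qc.append([(y - 2 * x) * 16 % q for x, y in zip(a, b)])   # 16 = 1/2 mod 31
        Pc.append([(x - y) % q for x, y in zip(a, Qc[i])])
        for j in range(i):            # R_ij = P(e_i + e_j) - P(e_i) - P(e_j)
            c = P([x + y for x, y in zip(e(i), e(j))])
            Rc[i, j] = [(u - v - t) % q for u, v, t in zip(c, a, P(e(j)))]
    return (Pc, Qc, Rc), (S, T)

def verify(pub, z, w):          # verifier only evaluates the public quadratic system
    Pc, Qc, Rc = pub
    lin = [sum(Pc[i][k] * w[i] + Qc[i][k] * w[i] ** 2 for i in range(n)) for k in range(n)]
    cross = [sum(Rc[i, j][k] * w[i] * w[j] for i in range(n) for j in range(i)) for k in range(n)]
    return [(l + c) % q for l, c in zip(lin, cross)] == list(z)

def sign(sec, z):               # signer inverts T, then Q, then S
    S, T = sec
    return mat_vec(mat_inv(S), central_inv(mat_vec(mat_inv(T), z)))
```

With real parameters such as (24,20,20) the secret key is the same three layers, while the public key is the full coefficient list, which is why it is so much larger than the signature.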

11/20  Selected TTS/Rainbow signature parameters

Scheme (over F31)             Security (bits)  Signature (Byte)  Digest (Byte)  Pubkey (Byte)  Seckey (Byte)
TTS [1] (24,20,20)            80               40                24             53,600         8,608
TTS [1] (26,24,(2,4),24)      128              50                32             107,900        13,704
Rainbow [2] (24,20,20)        80               40                24             53,600         60,960
Rainbow [2] (26,24,(2,4),24)  128              50                32             107,900        112,884

Small signature and huge public key: good for a CA (public key preinstalled on devices).

[1] DBLP:conf/ches/ChenCCCDKLY09
[2] Ding:2005:RNM:2134532.2134544

12/20  The Ring Learning with Errors (RLWE) hard problem

Consider elements of the ring R_q := Z_q[x]/⟨x^n + 1⟩.
a ←r R_q denotes sampling a uniformly from R_q; e ←r χ_α denotes sampling e from the Gaussian distribution χ_α.

Assumption (RLWE): it is hard for a PPT adversary to distinguish the pair (a, as + e) from the pair (a, c), where a, c ←r R_q and s, e ←r χ_α.

13/20  An RLWE authenticated key exchange (AKE) protocol

Long-term keys:
- Party i (server): public key p_i = a s_i + 2 e_i ∈ R_q, secret key s_i ∈ R_q, where s_i, e_i ←r χ_α
- Party j (client): public key p_j = a s_j + 2 e_j ∈ R_q, secret key s_j ∈ R_q, where s_j, e_j ←r χ_α

Ephemeral values:
- Server i: x_i = a r_i + 2 f_i ∈ R_q, where r_i, f_i ←r χ_β
- Client j: y_j = a r_j + 2 f_j ∈ R_q, where r_j, f_j ←r χ_β

Server i  ---- (x_i, p_i) ---->  Client j

Client j computes, with g_j ←r χ_β:
  k_j = (p_i c + x_i)(s_j d + r_j) + 2 g_j
  w_j = Cha(k_j) ∈ {0,1}^n

Server i  <---- (y_j, w_j, p_j) ----  Client j

Server i computes, with g_i ←r χ_β:
  k_i = (p_j d + y_j)(s_i c + r_i) + 2 g_i

Both sides derive the session key:
  σ_i = Mod2(k_i, w_j) ∈ {0,1}^n          σ_j = Mod2(k_j, w_j) ∈ {0,1}^n
  sk_i = H_2(i, j, x_i, y_j, w_j, σ_i)    sk_j = H_2(i, j, x_i, y_j, w_j, σ_j)

where c = H_1(i, j, x_i) ∈ R_q and d = H_1(j, i, y_j, x_i) ∈ R_q.
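The exchange above, together with the RLWE samples p = a s + 2e of the previous slide, as an added example (not the PQ-polarssl implementation): it uses the slide's q = 2^40 − 87 with n shrunk to 16, a rounded Gaussian as a stand-in for χ, and Ding's signal function Cha and robust extractor Mod2, which the slide uses but does not define. H1 and H2 are assumed to be SHA-256-based; the two session keys sk_i and sk_j are returned so they can be checked to agree.

```python
# Toy run of the slide's RLWE AKE (added example, not the PQ-polarssl implementation).
import hashlib, random
n, q = 16, 2**40 - 87   # q of Scheme I; n shrunk from 1024 to 16 so schoolbook multiplication is fast
SIGMA = 3.0             # assumed stand-in for the slide's Gaussian parameters alpha and beta

def sample_small(rnd):  # rounded Gaussian as a stand-in for discrete Gaussian sampling from chi
    return [round(rnd.gauss(0, SIGMA)) % q for _ in range(n)]

def add(a, b): return [(x + y) % q for x, y in zip(a, b)]
def scale(k, a): return [k * x % q for x in a]
def mul(a, b):          # schoolbook product in R_q = Z_q[x]/(x^n + 1)
    r = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < n: r[i + j] += ai * bj
            else: r[i + j - n] -= ai * bj     # x^n = -1
    return [x % q for x in r]

def center(v):          # representative of v in (-q/2, q/2]
    v %= q
    return v - q if v > q // 2 else v
def cha(v):             # Ding's signal function (assumed; the slide does not define Cha)
    return 0 if -(q // 4) <= center(v) <= q // 4 else 1
def mod2(v, w):         # Ding's robust extractor (assumed; parity after recentring)
    return center(v + w * (q - 1) // 2) % 2

def h1(*parts):         # H1: transcript -> ring element with ternary coefficients (assumed)
    return [(b % 3) - 1 for b in hashlib.sha256(repr(parts).encode()).digest()[:n]]
def h2(*parts):         # H2: session-key derivation
    return hashlib.sha256(repr(parts).encode()).hexdigest()
def keygen(a, rnd):     # long-term pair: p = a*s + 2e
    s, e = sample_small(rnd), sample_small(rnd)
    return s, add(mul(a, s), scale(2, e))

def ake(seed=1):
    rnd = random.Random(seed)
    a = [rnd.randrange(q) for _ in range(n)]
    (si, pi), (sj, pj) = keygen(a, rnd), keygen(a, rnd)
    ri, fi = sample_small(rnd), sample_small(rnd)          # server i sends (x_i, p_i)
    xi = add(mul(a, ri), scale(2, fi))
    rj, fj, gj = (sample_small(rnd) for _ in range(3))      # client j
    yj = add(mul(a, rj), scale(2, fj))
    c, d = h1('i', 'j', xi), h1('j', 'i', yj, xi)
    kj = add(mul(add(mul(pi, c), xi), add(mul(sj, d), rj)), scale(2, gj))
    wj = [cha(v) for v in kj]                                # signal sent with (y_j, w_j, p_j)
    skj = h2('i', 'j', xi, yj, wj, [mod2(v, w) for v, w in zip(kj, wj)])
    gi = sample_small(rnd)                                  # server i finishes
    ki = add(mul(add(mul(pj, d), yj), add(mul(si, c), ri)), scale(2, gi))
    ski = h2('i', 'j', xi, yj, wj, [mod2(v, w) for v, w in zip(ki, wj)])
    return ski, skj
```

The keys agree because k_i − k_j is twice a small ring element, so Mod2 with the shared signal w_j extracts the same parity on both sides; with these parameters the difference is many orders of magnitude below q/8.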

14/20  Selected RLWE AKE parameters

The amount of data that needs to be sent in the selected AKE schemes:

Scheme                                Security (bits)  Pubkey p_i, p_j (Byte)  Ephemeral pubkey x_i / (y_j, w_j) (Byte)
Scheme I   (n = 1024, q = 2^40 − 87)  80               5K                      5K (server), 5K + 128 (client)
Scheme III (n = 2048, q ≈ 63-bit)     128              16K                     16K (server), 16K + 256 (client)

Computation involved:
- Polynomial additions and multiplications (FFT)
- Discrete Gaussian sampling
- Big-number operations (40- or 63-bit in our choice of parameters)


16/20  Performance of our new crypto primitives

Computation                          Throughput
RSA (2048-bit) sign                  487 sign/s
ECDSA (secp256r1) sign               2111 sign/s
RSA (2048-bit) verify                16405 verify/s
ECDSA (secp256r1) verify             572 verify/s
ECDHE (secp521r1) exchange           248 exchange/s
ECDHE (secp256r1) exchange           568 exchange/s
TTS (80b) sign                       19780 sign/s
TTS (128b) sign                      12555 sign/s
Rainbow (80b) sign                   3218 sign/s
Rainbow (128b) sign                  1743 sign/s
TTS/Rainbow (80b) verify             12094 verify/s
TTS/Rainbow (128b) verify            6126 verify/s
RLWE exchange (I)                    38.4 exchange/s
RLWE exchange (I, using GMP)         62.5 exchange/s
RLWE exchange (III)                  18.4 exchange/s
RLWE exchange (III, using GMP)       28.5 exchange/s

17/20  Performance of a full handshake in PolarSSL

Cipher suite                          Throughput (handshakes/s)
ECDHE(secp256r1)-RSA(2048-bit)        20.58
ECDHE(secp256r1)-ECDSA(secp256r1)     19.46
ECDHE(secp256r1)-TTS(128b)            22.88
LATTICEE(III)-TTS(128b)               10.95


19/20  Conclusion
- We incorporated PQ crypto primitives, including digital signatures and AKE, into the lightweight TLS library PolarSSL.
- Our software is available online: https://github.com/fast-crypto-lab/PQ-polarssl
- Future work: shorter data transmission for the handshake.
  - Newer primitives with shorter messages.
  - Design a cache mechanism for certificate chains.

20/20  Conclusion
Thanks!