
Post-Quantum TLS

js
December 12, 2014


This is a presentation I made in the "State of the Art of Cryptography" workshop of AsiaCrypt 2014


Transcript

  1. 1/20 Post-Quantum TLS. Presenter: Jong-Shian Wu ([email protected]), Department of Electrical Engineering, National Taiwan University, Taiwan. December 12, 2014.
  2. 2/20 Thanks to my coauthors: Yun-An Chang, National Taiwan University; Ming-Shing Chen, National Taiwan University; Bo-Yin Yang, Academia Sinica.
  3. 3/20 Outline: Issues on TLS (attacks from quantum computers; TLS handshake and our changes; our contributions); Selected post-quantum primitives (MPKC signature; RLWE authenticated key exchange); Benchmarks; Conclusion.
  4. 4/20 Outline (section: Issues on TLS): Issues on TLS (attacks from quantum computers; TLS handshake and our changes; our contributions); Selected post-quantum primitives (MPKC signature; RLWE authenticated key exchange); Benchmarks; Conclusion.
  5. 5/20 Various issues and attacks on TLS. A badly designed protocol; too complicated. Issues from the protocol itself and from implementations: renegotiation attack, version rollback attacks, BEAST attack, CRIME and BREACH attacks, padding attacks, POODLE attack, RC4 attacks, truncation attack, Heartbleed bug, ...
  7. 6/20 Attacks from quantum computers: emerging threats for popular PKCs. In particular, TLS is not quantum-safe, because Shor's algorithm can solve the following problems on quantum computers in polynomial time: integer factorization (for RSA encryption or signature); the discrete logarithm problem in elliptic curve groups (for ECDH). We need post-quantum cryptography to counteract the attacks from quantum computers.
  10. 7/20 What we change in the TLS handshake (Client <-> Server):
      Client -> Server: ClientHello
      Server -> Client: ServerHello, Certificate*, ServerKeyExchange*, CertificateRequest*, ServerHelloDone
      Client -> Server: Certificate*, ClientKeyExchange, CertificateVerify* (all of the above in plaintext), then ClientFinished (ciphertext)
      Server -> Client: ServerFinished (ciphertext)
      Messages colored orange/red on the slide need post-quantum PKC. Messages marked * are not always sent, depending on the situation.
  11. 8/20 Our contributions. Reinventing a new wheel is not an option, as it would be too complicated to build a new TLS library. We chose to modify PolarSSL, which is a lightweight library with a well-documented codebase (binary code size < 1 MB; run-time memory requirement < 128 KB). We present a fully post-quantum TLS implementation: multivariate digital signature and lattice-based key exchange.
  14. 9/20 Outline (section: Selected post-quantum primitives): Issues on TLS (attacks from quantum computers; TLS handshake and our changes; our contributions); Selected post-quantum primitives (MPKC signature; RLWE authenticated key exchange); Benchmarks; Conclusion.
  15. 10/20 MQ hard problem and Multivariate PKC (MPKC). MQ: given coefficients $P_{ik}$, $Q_{ik}$, $R_{ijk}$ and $z = (z_1, \ldots, z_m)$, it is hard to find $w = (w_1, \ldots, w_n)$ such that
      $P:\quad \sum_i P_{i1} w_i + \sum_i Q_{i1} w_i^2 + \sum_{i>j} R_{ij1} w_i w_j = z_1,\ \ldots,\ \sum_i P_{im} w_i + \sum_i Q_{im} w_i^2 + \sum_{i>j} R_{ijm} w_i w_j = z_m.$
      In MPKC, $P$ is a composition of secret maps $S$, $Q$ and $T$: $P := T \circ Q \circ S$, where $S$ and $T$ are randomly chosen invertible linear maps and $Q$ is an invertible quadratic map.
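The following toy signature scheme, added here as an illustration and not taken from the PQ-polarssl code, shows the $P = T \circ Q \circ S$ structure over $\mathbb{F}_{31}$ end to end: the central map $Q$ is assumed to be a tame (triangular) quadratic map, which is invertible by back-substitution; $S$ and $T$ are random invertible linear maps; and the public key is the explicit coefficient list $(P_{ik}, Q_{ik}, R_{ijk})$ of the composed system, recovered by evaluating the composition on unit vectors. The variable count, the hash-to-digest step and all helper names are choices made for this example, not the TTS/Rainbow parameters of the talk.

```python
"""Toy multivariate signature over F_31 with P = T o Q o S (added example)."""
import hashlib
import random

P_MOD = 31   # the field F_31 used by the TTS/Rainbow parameters on the slides
N = 5        # toy number of variables and equations; real schemes use dozens


def inv_mod(a):
    return pow(a % P_MOD, P_MOD - 2, P_MOD)


def mat_vec(M, v):
    return [sum(M[r][c] * v[c] for c in range(N)) % P_MOD for r in range(N)]


def mat_inverse(M):
    """Gauss-Jordan inverse over F_31; returns None if M is singular."""
    A = [row[:] + [int(r == c) for c in range(N)] for r, row in enumerate(M)]
    for col in range(N):
        pivot = next((r for r in range(col, N) if A[r][col]), None)
        if pivot is None:
            return None
        A[col], A[pivot] = A[pivot], A[col]
        inv = inv_mod(A[col][col])
        A[col] = [x * inv % P_MOD for x in A[col]]
        for r in range(N):
            if r != col and A[r][col]:
                f = A[r][col]
                A[r] = [(x - f * y) % P_MOD for x, y in zip(A[r], A[col])]
    return [row[N:] for row in A]


def random_invertible(rng):
    while True:
        M = [[rng.randrange(P_MOD) for _ in range(N)] for _ in range(N)]
        if mat_inverse(M) is not None:
            return M


def random_tame(rng):
    """Q_k(x) = x_k + sum_{a<=b<k} coef x_a x_b: quadratic only in earlier variables (assumed central map)."""
    return [{(a, b): rng.randrange(P_MOD) for a in range(k) for b in range(a, k)} for k in range(N)]


def tame_forward(coef, x):
    return [(x[k] + sum(c * x[a] * x[b] for (a, b), c in coef[k].items())) % P_MOD for k in range(N)]


def tame_inverse(coef, y):
    x = []  # back-substitution: x_k only depends on y_k and the already known x_0..x_{k-1}
    for k in range(N):
        x.append((y[k] - sum(c * x[a] * x[b] for (a, b), c in coef[k].items())) % P_MOD)
    return x


def keygen(seed):
    rng = random.Random(seed)
    S, T, Qc = random_invertible(rng), random_invertible(rng), random_tame(rng)
    composed = lambda w: mat_vec(T, tame_forward(Qc, mat_vec(S, w)))
    unit = lambda i, s: [s if c == i else 0 for c in range(N)]
    # Recover the public coefficients from evaluations (no constant term is present):
    #   P(e_i) = l_i + q_i,   P(2 e_i) = 2 l_i + 4 q_i,   P(e_i + e_j) = l_i + l_j + q_i + q_j + r_ij
    P1 = [composed(unit(i, 1)) for i in range(N)]
    P2 = [composed(unit(i, 2)) for i in range(N)]
    half = inv_mod(2)
    quad = [[(P2[i][k] - 2 * P1[i][k]) * half % P_MOD for k in range(N)] for i in range(N)]
    lin = [[(P1[i][k] - quad[i][k]) % P_MOD for k in range(N)] for i in range(N)]
    cross = {}
    for i in range(N):
        for j in range(i):
            pij = composed([1 if c in (i, j) else 0 for c in range(N)])
            cross[(i, j)] = [(pij[k] - P1[i][k] - P1[j][k]) % P_MOD for k in range(N)]
    return (lin, quad, cross), (mat_inverse(S), Qc, mat_inverse(T))


def evaluate(public, w):
    """Public map: sum_i P_ik w_i + sum_i Q_ik w_i^2 + sum_{i>j} R_ijk w_i w_j for each k."""
    lin, quad, cross = public
    z = []
    for k in range(N):
        acc = sum(lin[i][k] * w[i] + quad[i][k] * w[i] * w[i] for i in range(N))
        acc += sum(r[k] * w[i] * w[j] for (i, j), r in cross.items())
        z.append(acc % P_MOD)
    return z


def digest(message):
    # Toy digest: N SHA-256 bytes reduced mod 31 (biased; fine for the illustration).
    return [b % P_MOD for b in hashlib.sha256(message).digest()[:N]]


def sign(secret, message):
    S_inv, Qc, T_inv = secret  # w = S^-1(Q^-1(T^-1(z)))
    return mat_vec(S_inv, tame_inverse(Qc, mat_vec(T_inv, digest(message))))


def verify(public, message, sig):
    return evaluate(public, sig) == digest(message)
```

Verification touches only the coefficient list, which is why the MQ problem is the right hardness assumption for the verifier's view; the signer never publishes $S$, $Q$ or $T$. The interpolation trick in keygen is also a handy sanity check on any MPKC implementation: if the expanded public key disagrees with the composed secret maps on a random point, the key serialisation is wrong.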
  16. 11/20 Selected TTS/Rainbow signature parameters (all over F_31):
      Scheme      Parameters          Security (bits)  Signature (Byte)  Digest (Byte)  Pubkey (Byte)  Seckey (Byte)
      TTS[1]      (24,20,20)          80               40                24             53,600         8,608
      TTS[1]      (26,24,(2,4),24)    128              50                32             107,900        13,704
      Rainbow[2]  (24,20,20)          80               40                24             53,600         60,960
      Rainbow[2]  (26,24,(2,4),24)    128              50                32             107,900        112,884
      Small signature and huge public key: good for a CA (public key preinstalled on devices).
      [1] DBLP:conf/ches/ChenCCCDKLY09. [2] Ding:2005:RNM:2134532.2134544.
  17. 12/20 The Ring Learning with Errors (RLWE) hard problem. Consider elements of the ring $R_q := \mathbb{Z}_q[x]/\langle x^n + 1 \rangle$. $a \leftarrow_r R_q$ denotes sampling $a$ uniformly from $R_q$; $e \leftarrow_r \chi_\alpha$ denotes sampling $e$ from the Gaussian distribution $\chi_\alpha$. Assumption (RLWE): it is hard for a PPT adversary to distinguish the pair $(a, as + e)$ from the pair $(a, c)$, where $a, c \leftarrow_r R_q$ and $s, e \leftarrow_r \chi_\alpha$.
  18. 13/20 A RLWE authenticated key exchange (AKE) protocol between Party i (server) and Party j (client).
      Long-term keys: public key $p_i = a s_i + 2 e_i \in R_q$, secret key $s_i \in R_q$, where $s_i, e_i \leftarrow_r \chi_\alpha$; likewise $p_j = a s_j + 2 e_j \in R_q$, $s_j \in R_q$, where $s_j, e_j \leftarrow_r \chi_\alpha$.
      Server: $x_i = a r_i + 2 f_i \in R_q$, where $r_i, f_i \leftarrow_r \chi_\beta$; sends $(x_i, p_i)$ to the client.
      Client: $y_j = a r_j + 2 f_j \in R_q$, where $r_j, f_j \leftarrow_r \chi_\beta$; $k_j = (p_i c + x_i)(s_j d + r_j) + 2 g_j$, where $g_j \leftarrow_r \chi_\beta$; $w_j = \mathrm{Cha}(k_j) \in \{0,1\}^n$; sends $(y_j, w_j, p_j)$ to the server.
      Server: $k_i = (p_j d + y_j)(s_i c + r_i) + 2 g_i$, where $g_i \leftarrow_r \chi_\beta$.
      Both sides: $\sigma_i = \mathrm{Mod}_2(k_i, w_j) \in \{0,1\}^n$, $\sigma_j = \mathrm{Mod}_2(k_j, w_j) \in \{0,1\}^n$; $sk_i = H_2(i, j, x_i, y_j, w_j, \sigma_i)$, $sk_j = H_2(i, j, x_i, y_j, w_j, \sigma_j)$.
      Here $c = H_1(i, j, x_i) \in R_q$ and $d = H_1(j, i, y_j, x_i) \in R_q$.
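The exchange above, run end to end with toy parameters as an added example (this is illustration code, not the PQ-polarssl implementation). It assumes the reconciliation helpers from the Zhang et al. construction the slide follows: $\mathrm{Cha}(v)$ is 0 when the centered representative of $v$ lies in $[-\lfloor q/4 \rfloor, \lfloor q/4 \rfloor]$ and 1 otherwise, and $\mathrm{Mod}_2(v, w) = ((v + w \cdot \frac{q-1}{2}) \bmod q) \bmod 2$ with the centered representative taken before the parity. It also assumes $H_1$ hashes to a small ternary polynomial (the slide only writes $c, d \in R_q$) and $H_2$ is SHA-256. The ring dimension, modulus, Gaussian widths and the name `run_ake` are all choices made here; the parameters are far too small to be secure.

```python
"""Toy run of the RLWE AKE from slide 18 (added example, insecure parameters)."""
import hashlib
import random

N = 16              # ring dimension (slide: 1024 or 2048)
Q = 33554393        # odd toy modulus (slide: q = 2^40 - 87 or about 63 bits)
SIGMA_ALPHA = 2.0   # width of chi_alpha (long-term keys)
SIGMA_BETA = 2.0    # width of chi_beta (ephemeral values)


def add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]


def scale(a, s):
    return [(s * x) % Q for x in a]


def mul(a, b):
    """Schoolbook product in Z_q[x]/(x^N + 1): x^N wraps around as -1."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k = i + j
            if k < N:
                out[k] = (out[k] + ai * bj) % Q
            else:
                out[k - N] = (out[k - N] - ai * bj) % Q
    return out


def gauss(rng, sigma):
    """Rounded Gaussian coefficients; illustrative only, not a constant-time sampler."""
    return [round(rng.gauss(0, sigma)) % Q for _ in range(N)]


def uniform(rng):
    return [rng.randrange(Q) for _ in range(N)]


def centered(v):
    """Representative of v mod q in (-q/2, q/2]."""
    v %= Q
    return v - Q if v > Q // 2 else v


def cha(k):
    """Hint bit per coefficient: 0 inside [-floor(q/4), floor(q/4)], else 1."""
    return [0 if abs(centered(v)) <= Q // 4 else 1 for v in k]


def mod2(k, w):
    """Reconciled bit: parity of the centered value of v + w*(q-1)/2."""
    return [centered(v + wi * ((Q - 1) // 2)) % 2 for v, wi in zip(k, w)]


def h1(*parts):
    """Assumed H1: hash to a small ternary polynomial in {-1, 0, 1}^N."""
    digest = hashlib.shake_256(repr(parts).encode()).digest(N)
    return [(b % 3 - 1) % Q for b in digest]


def h2(*parts):
    return hashlib.sha256(repr(parts).encode()).hexdigest()


def keygen(a, rng):
    """Long-term key: p = a*s + 2*e with s, e from chi_alpha."""
    s, e = gauss(rng, SIGMA_ALPHA), gauss(rng, SIGMA_ALPHA)
    return s, add(mul(a, s), scale(e, 2))


def run_ake(seed=0):
    """Return (sk_i, sk_j) as derived by server i and client j; equal on success."""
    rng = random.Random(seed)
    a = uniform(rng)                      # public ring element shared by everyone
    i, j = "server", "client"
    si, pi = keygen(a, rng)
    sj, pj = keygen(a, rng)
    # Server: ephemeral x_i = a r_i + 2 f_i, sends (x_i, p_i).
    ri, fi = gauss(rng, SIGMA_BETA), gauss(rng, SIGMA_BETA)
    xi = add(mul(a, ri), scale(fi, 2))
    # Client: y_j = a r_j + 2 f_j, k_j = (p_i c + x_i)(s_j d + r_j) + 2 g_j, w_j = Cha(k_j).
    rj, fj = gauss(rng, SIGMA_BETA), gauss(rng, SIGMA_BETA)
    yj = add(mul(a, rj), scale(fj, 2))
    c = h1(i, j, xi)
    d = h1(j, i, yj, xi)
    gj = gauss(rng, SIGMA_BETA)
    kj = add(mul(add(mul(pi, c), xi), add(mul(sj, d), rj)), scale(gj, 2))
    wj = cha(kj)
    skj = h2(i, j, xi, yj, wj, mod2(kj, wj))   # client sends (y_j, w_j, p_j)
    # Server: k_i = (p_j d + y_j)(s_i c + r_i) + 2 g_i, then reconcile with w_j.
    gi = gauss(rng, SIGMA_BETA)
    ki = add(mul(add(mul(pj, d), yj), add(mul(si, c), ri)), scale(gi, 2))
    ski = h2(i, j, xi, yj, wj, mod2(ki, wj))
    return ski, skj


if __name__ == "__main__":
    ski, skj = run_ake()
    print("agree:", ski == skj, ski[:16])
```

Expanding the two products shows why this works: $k_i - k_j = 2\big[(e_j d + f_j)(s_i c + r_i) + g_i - (e_i c + f_i)(s_j d + r_j) - g_j\big]$, an even and small element, and $\mathrm{Mod}_2(v + 2\epsilon, \mathrm{Cha}(v)) = \mathrm{Mod}_2(v, \mathrm{Cha}(v))$ whenever $|\epsilon| < q/8$. With the toy widths above the worst-case difference stays well below that bound, so the two derived keys always match; a real implementation must pick $q$, $n$ and the Gaussian widths so the failure probability is negligible, which is what the slide's Scheme I and III parameters do.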
  19. 14/20 Selected RLWE AKE parameters. Amount of data that needs to be sent in the selected AKE schemes:
      Scheme      Parameters                Security (bits)  Pubkey (p_i, p_j) (Byte)  Ephemeral pubkey (x_i; y_j + w_j) (Byte)
      Scheme I    n = 1024, q = 2^40 - 87   80               5K                        5K + 128 (client), 5K (server)
      Scheme III  n = 2048, q ~ 63 bit      128              16K                       16K + 256 (client), 16K (server)
      Computation: polynomial additions and multiplications (FFT); discrete Gaussian sampling; big-number operations (40- or 63-bit in our choice).
  20. 15/20 Outline (section: Benchmarks): Issues on TLS (attacks from quantum computers; TLS handshake and our changes; our contributions); Selected post-quantum primitives (MPKC signature; RLWE authenticated key exchange); Benchmarks; Conclusion.
  21. 16/20 Performance of our new crypto primitives:
      Computation                        Throughput
      RSA (2048-bit) sign                487 sign/s
      ECDSA (secp256r1) sign             2111 sign/s
      RSA (2048-bit) verify              16405 verify/s
      ECDSA (secp256r1) verify           572 verify/s
      ECDHE (secp521r1) exchange         248 exchange/s
      ECDHE (secp256r1) exchange         568 exchange/s
      TTS (80b) sign                     19780 sign/s
      TTS (128b) sign                    12555 sign/s
      Rainbow (80b) sign                 3218 sign/s
      Rainbow (128b) sign                1743 sign/s
      TTS/Rainbow (80b) verify           12094 verify/s
      TTS/Rainbow (128b) verify          6126 verify/s
      RLWE exchange (I)                  38.4 exchange/s
      RLWE exchange (I, using GMP)       62.5 exchange/s
      RLWE exchange (III)                18.4 exchange/s
      RLWE exchange (III, using GMP)     28.5 exchange/s
  22. 17/20 Performance of a full handshake in PolarSSL:
      Cipher suite                          Throughput (handshakes/sec)
      ECDHE(secp256r1)-RSA(2048-bit)        20.58
      ECDHE(secp256r1)-ECDSA(secp256r1)     19.46
      ECDHE(secp256r1)-TTS(128b)            22.88
      LATTICEE(III)-TTS(128b)               10.95
  23. 18/20 Outline (section: Conclusion): Issues on TLS (attacks from quantum computers; TLS handshake and our changes; our contributions); Selected post-quantum primitives (MPKC signature; RLWE authenticated key exchange); Benchmarks; Conclusion.
  24. 19/20 Conclusion. We incorporated PQ crypto primitives into the lightweight TLS library PolarSSL, including digital signatures and AKE. You can access our software online: https://github.com/fast-crypto-lab/PQ-polarssl. Future work: shorter data transmission for the handshake; new primitives with shorter messages; a cache mechanism for certificate chains.