Cryptography in a Post Quantum Computing World Máire O’Neill
Quantum Computing Traditional Computing -Involves bits that exist in 2 states: binary 1 and 0 -Performs one calculation at a time, in sequence Quantum Computing -Involves qubits, that exist in a superposition state: can be both 1 and 0 at the same time -Can perform millions of calculations simultaneously A 30-qubit quantum computer would have the same processing power as a conventional computer processing commands at 10 teraflops per second.
Quantum Computing Needs to use algorithms that exploit its power of quantum parallelism: Shor’s Algorithm (1994) -Can be used to quickly factorise large numbers (exponential speedup) -Significant implications for current cryptographic techniques Grover’s Algorithm(1996) -Can be used to search an unsorted database faster than a conventional computer (quadratic speedup - O(N 1/2 ) time rather than O(N) ) Peter Shor
Quantum Computing Problems with Quantum Computing -Difficult to realise on a large scale due to decoherence, i.e. unwanted interaction between the system and the environment, which introduces errors -Also difficult to maintain the lifetime of information -Observing quantum particles changes the outcome => difficult to verify -In quantum communications the transmission distance is limited (eg, photons are transmitted through fibre-optic cables and over long distances the signal fades)
Quantum Computing – recent breakthroughs -Largest number yet to be factored into its primes by a quantum algorithm -RSA Lab’s largest published semi-prime contains 617 decimal digits (2058 bits) > Impossible to factorise using classical computing > Would be possible using quantum computing as it could run all the necessary calculations in parallel.
Quantum Computing – recent breakthroughs -Uses both classical communication and quantum entanglement, i.e. multiple particles that are linked together such that the measurement of one particle’s quantum state determines the states of the other particles. -Achieved across free-space between La Palma & Tenerife (making path between satellites and a ground station more feasible) -Quantum communications has been demonstrated over 250km via fibre optics
Quantum Computing – recent breakthroughs -A quantum memory state held stable at room temp for 39 minutes, almost 100 times longer than previous record (and 3 hours at cryogenic temperatures) -Not long, but in this amount of time, could run >20M calculations
The World’s First Quantum Computer ??? Quantum Computing – recent breakthroughs D-Wave’s current model billed as a 512-qubit machine (2012). Bought by Lockheed Martin & Google/NASA Difficult to verify if performing quantum operations or not! Has shown significant speed-ups but only for certain calculations Has helped to advance the research in Quantum Computing
NSA funding a $79.7 million research program to build a ‘crytologically useful quantum computer’ S. Rich, B.Gellman, The Washington Post Quantum Computing – NSA’s Efforts
Post-Quantum Cryptography
What happens when quantum computers become a reality 10/15 years from now? Commonly used public-key cryptographic algorithms (based on integer factorisation and discrete log problem) such as: RSA, DSA, Diffie-Hellman Key Exchange, ECC, ECDSA will be vulnerable to Shor’s algorithm and will no longer be secure. Symmetric algorithms appear to be secure against quantum computers (and Grover’s algorithm) by simply increasing the associated key sizes. Need for Post-Quantum Cryptography But what about key exchange?
What is Post-Quantum Cryptography? Disadvantages of Quantum Crypto: Expensive, assumes authentication, limited distance, etc.. Ref: Post Quantum Cryptography Quantum Cryptography
What is Post-Quantum Cryptography? Post Quantum Cryptography algorithms refer to conventional non-quantum cryptographic algorithms that remain secure even after practical quantum computing is a reality. Main types of post quantum cryptography (public-key algorithm and signature schemes): Code-based Hash-based Multivariate-quadratic Lattice-based
Post-Quantum Cryptography Code-Based Cryptography -Based on difficulty in decoding a random linear code -Both encryption and signature schemes. Encryption schemes include: McEliece (1978); Niederreiter (1986); and variants -Niederreiter most efficient -Relatively large public key sizes (65/192kBytes for 80/128-bit security) Advantages/Disadvantages -Most mature PQ Crypto -Rarely used in practice due to large public key sizes
Post-Quantum Cryptography Hash-Based Cryptography -Security relies on collision resistance of cryptographic hash function -Only signature schemes exist, such as: Merkle signature schemes (1989); CMSS (2006); XMSS(2011) -Based on one-time signature (OTS) schemes; however, in these each key can only be used once -Combined with hash trees, key can be used to sign multiple messages -Relatively small public/private key sizes (eg 46 Bytes – 7568 Bytes) Advantages/Disadvantages -Most promising PQ signature schemes -Limited use of each public key
Post-Quantum Cryptography Multivariate-Quadratic Cryptography -Based on difficulty in solving a set of nonlinear MQ equations -Only signature schemes exist, such as: Oil and Vinegar (1997); Rainbow (2005); Quartz/HFE (1996); Matsumoto-Imai (1998) -Large public and private key sizes (up to 75kBytes) Advantages/Disadvantages -Underlying operations can be implemented efficiently (more efficient than ECC/RSA) -Not suitable for embedded devices due to large key sizes
Post-Quantum Cryptography Lattice-based Cryptography -Based on shortest vector problem/closest vector problem -Both encryption and signature schemes. Encryption schemes include: NTRU (1996); LWE (2005); R-LWE (2010); -Recent advances with ideal lattices have made them more practical -Large public /private key sizes (up to 732kBytes) Advantages/Disadvantages -Underlying operations can be implemented efficiently -Most promising PQ crypto, attracting most interest in research community
Post-Quantum Cryptography Summary -Code-based most mature PQ crypto -Lattice-based most promising: > standardised in 2008 (IEEE Std ) > it allows for other constructions/applications beyond public-key encryption, eg. identity-based encryption, homomorphic encryption. Challenges in Post-Quantum Cryptography -Further security analysis of PQ crypto algorithms needed -Suitable parameter choices still an open research problem – currently use relatively large key sizes -Optimal and practical PQ algorithm implementations are needed -Resistance of PQ crypto architectures to physical/side-channel leakages
Post-Quantum Cryptography
Fully Homomorphic Encryption
Accelerating Fully Homomorphic Encryption (FHE) What is Fully Homomorphic Encryption? -In 2009, Craig Gentry using lattice-based cryptography showed the first fully homomorphic encryption scheme -Fully homomorphic encryption allows computations on encrypted data, allowing privacy of encrypted data stored on the cloud. -Significant potential, but: Key generation can take over 2 hours Very large public-key sizes (10MB to 2GB) Long encryption time (up to 7 mins) Memory to store parameters an issue -Need for optimised and practical implementations
Accelerating Fully Homomorphic Encryption (FHE) Current research at CSIT Accelerating main underlying primitives in integer-based FHE i.e. large-integer multiplication and modular reduction ParameterToySmallMediumLarge Accelerating Fully Homomorphic Encryption Public key sizes >19GBits
ParameterToySmallMediumLarge Current research at CSIT Proposed an improved Low Hamming Weight Multiplier Architecture Accelerating Fully Homomorphic Encryption (FHE) b i can be taken to be a LHW integer with max HW of 15 Accelerating Fully Homomorphic Encryption
Accelerating Fully Homomorphic Encryption (FHE) Proposed Design Time (s) No. of Slice Registers No. of Slice LUTs No. of DSP48E1s RAM access bit width Toy with 256-pt FFT Small with 256-pt FFT Medium with 512-pt FFT Large with 1024-pt FFT All designs fit easily on a Xilinx Virtex-7 XC7VX1140T device GroupToySmallMediumLarge This work: Xilinx Virtex s0.0255s0.47 s7.88 s Ref: Intel Core 2 Duo0.05 s1.0 s21 s7 min 15 s GPU Platform 1.69 s x55 improvement in speed over reference s/w design for Large parameters x66 improvement in speed over GPU-based design Accelerating Fully Homomorphic Encryption
Accelerating Fully Homomorphic Encryption (FHE) issues/14/embcrypt2014.html