Embed Size (px)
Citation preview
Towards quantum-
safe cryptography:Workshop on Quantum-Safe
Cryptography
26 September 2013
Michele Mosca
ETSI, Sophia Antipolis, France
The problem
1
Cryptography is a foundational pillar of the global information
security infrastructure
Cryptography allows us to achieve
information security in the “cloud”.
physicalsecurity
cryptography
trust
2
Information is handled by untrusted parties
through untrusted media.
e.g. Do you update your software and anti-
virus daily? Why do you trust the source?
One serious problem for public-key cryptography
Algorithms for Quantum Computation:
In: Proceedings, 35th Annual Symposium on Foundations of Computer Science,
Santa Fe, NM, November 20–22, 1994, IEEE Computer Society Press, pp. 124–134.
Discrete Logarithms and Factoring
3
Discrete Logarithms and Factoring
Peter W. Shor
AT&T Bell Labs
Room 2D-149
600 Mountain Ave.
Murray Hill, NJ 07974, USA
…on top of ever-present risk of unexpected advances in
classical algorithms
e.g.
4
Cryptology ePrint Archive: Report 2013/400Date: received 18 Jun 2013
How much of
a problem is
quantum
5
quantum
computing,
really??
How soon do we need to worry?
Depends on:
� How long do you need encryption to be secure? (x years)
� How much time will it take to re-tool the existing infrastructure with large-scale quantum-safe solution? (y years)
� How long will it take for a large-scale quantum computer to be built (or for any other relevant
6
� How long will it take for a large-scale quantum computer to be built (or for any other relevant advance? (z years)
Theorem 1: If x + y > z, then worry.
y
What do we do here??
time
x
z
“Threshold theorem”
Architecture description
7
Architecture description
Error model
Threshold “ɛ”
If the error rates of the
basic operations of the
device are below ɛ,
then we can efficiently
scale quantum
computations.
8
9
Recent progress in superconducting qubits
10
11
12
How long to re-tool the cryptographic infrastructure?
Cryptographers are studying possible quantum-safe codes.
Quantum information experts are researching the power of quantum algorithms, and their impact on computationally secure cryptography.
How easy is it to change from one cryptographic algorithm to a quantum-secure one? Are the standards
13
algorithm to a quantum-secure one? Are the standards and practices ready?
Sponsored by the Joint Quantum
Institute (JQI), NIST,
and the University of Maryland.
October 27-29, 2010
Past examples…quiz
How many years for
� RSA to go from discovery to ubiquitous deployment?
� ECC from discovery to ubiquitous
14
� ECC from discovery to ubiquitous deployment?
� BEAST attack to roll out of TLS 1.1?
Bottom line
“Wait and see” approach is too risky.
The next generation cryptographic infrastructure:
� Must have quantum-safe alternatives
15
� Must have quantum-safe alternatives
� Should have algorithmic agility built-in
The solutions
16
Quantum-safe cryptographic infrastructure
“post-quantum” cryptography
� classical codes deployable
without quantum technologies
� believed/hoped to be secure
against quantum computer
quantum cryptography
� quantum codes requiring
some quantum technologies
(typically less than a large-
scale quantum computer)
+
17
against quantum computer
attacks of the future
scale quantum computer)
� typically no computational
assumptions and thus known
to be secure against quantum
attacks
Both sets of cryptographic tools can work very well together in quantum-safe
cryptographic ecosystem
Overview of options
Quantum-safe authentication
� Trap-door predicate based public-key signatures
� Hash-function based public-key signatures
Quantum-safe key establishment
� “Alternative” public-key-encryption based key establishment
• Lattices
18
signatures
� Symmetric-key authentication• Codes
• Multi-variate functions
• Other
� Quantum key establishment
Important questions
How ready are
19
What gaps What are the How ready are these systems for wide-scale deployment?
What are the next steps with respect to standardization and certification?
What gaps remain for the various approaches?
What are the pitfalls to avoid?
Thank you
20
