Graham Bartlett, Snr Technical Leader

Secure South West, 22nd March

A laypersons guide to the impact of quantum computers on secure communication today

A laypersons guide to the impact of quantum computers on … · 2019-05-01 · defeat RSA-2048, a common encryption standard, by 2026” Michele Mosca, Institute for Quantum Computing


© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Agenda

• Quantum Computer (QC)
• Quantum Resistant (QR) / Post Quantum Cryptography (PQC)
• All the hype & where we are
• Challenges of moving to a QR world

“Anyone that wants to make sure that their data is protected for longer than 10 years should move to alternate forms of encryption now,” Arvind Krishna, director of IBM Research

“1-in-7 chance that quantum breakthroughs will defeat RSA-2048, a common encryption standard, by 2026” Michele Mosca, Institute for Quantum Computing in Waterloo

“RSA-2048 broken between 2030 and 2040 by a cryptographically relevant quantum computer” Dr Brian LaMacchia, Microsoft Research


NIST 2015


When do we need postquantum security?

• People are storing transcripts of encrypted traffic
• At some point, they may develop a Quantum Computer

[Timeline figure: markers "Now" and "QC Exists"; span "Time Data Needs to be Secure"; callout "We need QR Protocols Here"]


Data security timeline & Verticals

• IoT / Automotive
  • Equipment lifetime
• Financial
  • Regulations
• HealthCare
  • Lifetime of patient records
• Government
  • Sensitive data & aggregation


Commonly used crypto primitives

• AES-128-CBC
• DH-1024
• SHA-1
• RSA-1024
• DH-2048
• RSA-2048
• SHA2-256


NGE/Suite-B (higher security levels)

• AES-256-GCM
• ECDH-P521
• SHA-512
• ECDSA-P521


Quantum Bit Strength

Algorithm       Key Length   Classical Bit Strength   Quantum Bit Strength   Quantum Algorithm
RSA/DH 1024     1024 bits    80 bits                  0 bits                 Shor
RSA/DH 2048     2048 bits    112 bits                 0 bits                 Shor
ECC/ECDH 256    256 bits     128 bits                 0 bits                 Shor
ECC/ECDH 521    521 bits     256 bits                 0 bits                 Shor
AES 128         128 bits     128 bits                 64 bits                Grover
AES 256         256 bits     256 bits                 128 bits               Grover


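g=2, prime=13

Initiator → Responder: SA_INIT SA(AES-128, SHA-256, DH19) KEi (5) Ni

Responder → Initiator: SA_INIT SA(AES-128, SHA-256, DH19) KEr (7) Nr

Initiator (secret 9): $g^y \bmod p = 2^{9} \bmod 13 = 5$, then $7^{9} \bmod p = 8$

Responder (secret 11): $g^x \bmod p = 2^{11} \bmod 13 = 7$, then $5^{11} \bmod p = 8$

Initiator → Responder: IKE_AUTH {IDi=R1.cisco.com Cert Auth TSi TSr}

Responder → Initiator: IKE_AUTH {IDr=GW.cisco.com Cert Auth TSi TSr}

IPsec KEYMAT = prf+(SK_d …)

11, 9 Secret Keys extracted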
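The toy exchange above, as an added Python example (not from the original slides): it recomputes the slide's values, then rebuilds the session secret from the recorded KEi/KEr alone by exhaustive search, a stand-in for what Shor's algorithm would do at real key sizes. The function names and the shape of the recorded transcript are assumptions made for illustration.

```python
G, P = 2, 13   # generator and prime from the slide


def public_value(secret: int) -> int:
    """Value carried in the KE payload: g^secret mod p."""
    return pow(G, secret, P)


def shared_secret(peer_public: int, secret: int) -> int:
    """Each peer raises the other side's KE value to its own secret."""
    return pow(peer_public, secret, P)


def recover_secret(public: int) -> int:
    """Exhaustive discrete log over the toy group (stand-in for Shor)."""
    for candidate in range(1, P):
        if pow(G, candidate, P) == public:
            return candidate
    raise ValueError("value is not a power of g")


def run_exchange(secret_i: int, secret_r: int) -> dict:
    """Run DH on both sides; KEi/KEr are what a passive recorder sees."""
    ke_i, ke_r = public_value(secret_i), public_value(secret_r)
    return {
        "KEi": ke_i,
        "KEr": ke_r,
        "initiator_ss": shared_secret(ke_r, secret_i),
        "responder_ss": shared_secret(ke_i, secret_r),
    }


def decrypt_later(recorded: dict) -> tuple:
    """Rebuild the session secret from the recorded public values only."""
    y = recover_secret(recorded["KEi"])   # initiator's secret
    x = recover_secret(recorded["KEr"])   # responder's secret
    return x, y, shared_secret(recorded["KEr"], y)


if __name__ == "__main__":
    session = run_exchange(secret_i=9, secret_r=11)
    print(session)
    print(decrypt_later({"KEi": session["KEi"], "KEr": session["KEr"]}))
```

The stored transcript is enough: no live access to either peer is needed once the private exponents can be recovered, which is why recorded traffic matters for the timeline discussed earlier.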


NIST PQ Public Key Algorithm “competition” / call for submissions


Feb 24-26, 2016

• NIST Presentation at PQCrypto 2016: Announcement and outline of NIST's Call for Submissions (Fall 2016), Dustin Moody

Professor of Physics, University of Waterloo, Institute for Quantum Computing (IQC)


NIST PQ Public Key Algorithm “competition”

• Security Analysis & Cost (mem/CPU)
• Algorithm Implementation Characteristics (Ease of use/implementation)

Timeline:

• Dec 2016: Request crypto algorithms
• Dec 2017: Round 1 algorithms (69)
• Jan 2019: Round 2 algorithms (26)
• 2020/2021: Round 3 begins or select algorithms
• 2022/2024: Draft Standards Available


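What do we need to deploy postquantum security?

[Timeline figure: markers "Now" and "QC Exists"; span "Time Data Needs to be Secure"; axis years 2019 and 2030]

Steps shown on the timeline:

• NIST Algorithms (2022/2024)
• Vendor interop
• Audit current crypto
• PQC Open Standard Exchanges
• New HW/SW
• Deploy QCR solution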


IKE / IPsec history

• Industry / Academia / NIST

Timeline:

• 1998: IPsec roadmap
• 1998: ISAKMP, OAKLEY, SKEME, IPsec..
• 2004: NAT, DPD, ESN
• 2005: IKEv2 v1
• 2010: IKEv2 v2
• 2011: Cisco, Microsoft
• 2014: IKEv2 v3
• 2015: Apple Client
• 2019: AWS S2S


Moving to using QR algorithms can’t be *that* hard?


Initiator → Responder: SA_INIT SA KEi (DH) (QRKE1) (QRKE2) Ni

Responder → Initiator: SA_INIT SA KEr (DH) (QRKE1) (QRKE2) Nr

Initiator: $7^{9} \bmod p = 8$, SS = QRSS1 | QRSS2 | 8

Responder: $5^{11} \bmod p = 8$, SS = QRSS1 | QRSS2 | 8

Initiator → Responder: IKE_AUTH {IDi=R1.cisco.com Cert Auth TSi TSr}

Responder → Initiator: IKE_AUTH {IDr=GW.cisco.com Cert Auth TSi TSr}

IPsec KEYMAT = prf+(SK_d …)


SA_INIT SA KEi (DH) (QRKE1) (QRKE2) Ni


Backwards Compatibility


SA_INIT SA KEi (DH) (Q Frag…


Network Fragmentation

Frag1 RKE1) (QR

Frag2 KE2) Ni


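Initiator → Responder: SA_INIT SA KEi (DH) (SUPPORT_QSKE (Frodo, SIDH, New Hope)) Ni

Responder → Initiator: SA_INIT SA KEr (DH) (SUPPORT_QSKE (Frodo, New Hope)) Nr

Initiator → Responder: IKE_INTER {QSKE1 (Frodo)}

Responder → Initiator: IKE_INTER {QSKE1 (Frodo)}

Initiator → Responder: IKE_INTER {QSKE2 (New Hope)}

Responder → Initiator: IKE_INTER {QSKE2 (New Hope)}

Initiator: $7^{9} \bmod p = 8$, SS = Frodo | New Hope | 8

Responder: $5^{11} \bmod p = 8$, SS = Frodo | New Hope | 8

Initiator → Responder: IKE_AUTH {IDi=R1.cisco.com Cert Auth TSi TSr}

Responder → Initiator: IKE_AUTH {IDr=GW.cisco.com Cert Auth TSi TSr}

IPsec KEYMAT = prf+(SK_d …)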
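How the combined secret on this slide, and on the earlier QRKE1/QRKE2 slide, feeds key derivation, as an added Python example (not from the original slides). SKEYSEED, SK_d and prf+ follow RFC 7296 with HMAC-SHA-256 and the concatenation order is the slide's; QRSS1, QRSS2, the nonces and the SPIs are constructed placeholders, not real Frodo or New Hope outputs, and the function names are assumptions.

```python
import hashlib
import hmac


def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA-256 used as the IKEv2 PRF."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ from RFC 7296: T1 = prf(K, S | 0x01), Tn = prf(K, Tn-1 | S | n)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = prf(key, block + seed + bytes([counter]))
        out += block
        counter += 1
    return out[:length]


def ipsec_keymat(ss: bytes, ni: bytes, nr: bytes, spi_i: bytes, spi_r: bytes) -> bytes:
    """SS -> SKEYSEED -> SK_d -> KEYMAT = prf+(SK_d, Ni | Nr)."""
    skeyseed = prf(ni + nr, ss)
    sk_d = prf_plus(skeyseed, ni + nr + spi_i + spi_r, 32)  # SK_d is the first key
    return prf_plus(sk_d, ni + nr, 64)


# Constructed sample values (placeholders, not real protocol output).
NI, NR = b"\x01" * 16, b"\x02" * 16
SPI_I, SPI_R = b"\xaa" * 8, b"\xbb" * 8
QRSS1 = hashlib.sha256(b"placeholder QRSS1").digest()
QRSS2 = hashlib.sha256(b"placeholder QRSS2").digest()
DH = bytes([pow(7, 9, 13)])   # the slide's toy DH result, 8


def peer_keymat(hybrid: bool) -> bytes:
    """Key material both peers derive, with or without the QR secrets."""
    ss = QRSS1 + QRSS2 + DH if hybrid else DH   # SS = QRSS1 | QRSS2 | 8
    return ipsec_keymat(ss, NI, NR, SPI_I, SPI_R)


def observer_keymat(hybrid: bool) -> bytes:
    """What an observer derives after recovering only the DH value."""
    unknown = bytes(32)   # the QR secrets do not follow from the DH value
    ss = unknown + unknown + DH if hybrid else DH
    return ipsec_keymat(ss, NI, NR, SPI_I, SPI_R)


if __name__ == "__main__":
    print("classical session exposed:", observer_keymat(False) == peer_keymat(False))
    print("hybrid session exposed:   ", observer_keymat(True) == peer_keymat(True))
```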


Summary

Networks are being compromised today & data exfiltrated

A QC could be built in the future

Commodity QC will be a game changer


Summary

The NIST call for submissions needs to complete before we implement PQC algorithms

Moving to a QCR solution depends on vendors

It’s not going to be a quick or easy process…