Page 1

Security Evaluation of Post‐Quantum Cryptography

Recent Developments of Post‐Quantum Cryptography

Tsuyoshi Takagi

Kyushu University, Institute of Mathematics for Industry

http://imi.kyushu-u.ac.jp/~takagi/en/

Workshop on Cyber Security between RHUL and Kyushu Univ., February 29, 2016.

Page 2


Cryptography in Modern Society

Old cryptography: a special technology used for limited purposes.

Contemporary cryptography: a technology used daily.

Cryptography is a fundamental technology.

http://www.e-gov.go.jp/

Page 3


History of Public-Key Cryptography

(Timeline figure, 1980 | 1990 | 2000 | 2010 | 2020 | 2030.) Quantum computing milestones marked on the timeline: Rabi Model (1944), Shor's Algorithm, IBM's NMR Quantum Computer, Haroche-Wineland's Quantum Experiments.

RSA (widely used, e.g. in SSL; based on the integer factorization problem): widely used

Elliptic Curve Cryptography (short keys, used in embedded devices): widely used

Post-quantum cryptography (PQC) (code-based, lattice-based, multivariate polynomial based, etc.): research phase

Related goals: long-term security, efficient implementation, fully homomorphic encryption, multi-linear maps

RSA and elliptic curve cryptography are no longer secure in the era of quantum computers.

Page 4


Trend in Post-Quantum Cryptography

• The National Security Agency (NSA) announced preliminary plans for transitioning to quantum-resistant algorithms in August 2015. https://www.nsa.gov/ia/programs/suiteb_cryptography/

• Recent Workshops
  January 2015, DIMACS Workshop on The Mathematics of Post-Quantum Cryptography: http://dimacs.rutgers.edu/Workshops/Post-Quantum
  April 2015, NIST Workshop on Cybersecurity in a Post-Quantum World: http://www.nist.gov/itl/csd/ct/post-quantum-crypto-workshop-2015.cfm
  September 2015, Dagstuhl Seminar on Quantum Cryptanalysis: https://www.dagstuhl.de/en/program/calendar/semhp/?semnr=15371
  November 2015, ETSI Workshop on Quantum-safe Cryptography
  February 2016, PQCrypto 2016: https://pqcrypto2016.jp/

• Big Research Projects
  Post-quantum cryptography for long-term security: http://pqcrypto.eu.org/
  CROSSING: https://www.crossing.tu-darmstadt.de/
  JST CREST CryptoMath: https://cryptomath-crest.jp/

Page 5


PQCrypto 2016

• Winter School February 22‐23, 2016, Fukuoka, Japan.

• NIST announced a preliminary plan of quantum‐resistant algorithms for potential standardization.

Page 6


Interaction: Crypto and Math

(Diagram.) Historical success: conventional cryptography was built on the theory of computation, number theory and algebraic geometry.

Advances of mathematical theory required for cryptography:

• Mathematical modeling of multi-functional next-generation cryptography using wide-range mathematical theories (lattice theory, multivariate polynomial theory).

• Mathematical modeling of the strongest possible attacks (quantum computation).

Other fields named on the diagram: representation theory, quantum field theory, mathematical physics.

Page 7


Security Evaluation Cycle

(Diagram.) New scheme → security evaluation ("How many bits are secure?", "How about this attack?", discussion in public conferences) → practical use → stress test (new attack algorithms, computer speed-up, new cryptanalyses) → expiring key size → new scheme.

Cycle of about 10 years.

Page 8


Cryptography Research and Evaluation Committees in Japan

http://www.cryptrec.go.jp/

Page 9


Example of RSA public key

Page 10


Current record for factoring integers

• January 2010, 768 bits, 1500 CPU years, Aoki et al.

• 1230186684530117755130494958384962720772853569595334792197322452151726400507263657518745202199786469389956474942774063845925192557326303453731548268507917026122142913461670429214311602221240479274737794080665351419597459856902143413
  = 33478071698956898786044169848212690817704794983713768568912431388982883793878002287614711652531743087737814467999489
  × 36746043666799590428244633799627952632279158164343087642676032283815739666511279233373417143396810270092798736308917
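The factorization on this slide can be checked directly, and the check shows what a factoring record means for an RSA key of that size (the "Example of RSA public key" slide above is the object being attacked). The following is an added example, not part of the original slides: it verifies that the two factors multiply to the slide's N and are both prime (Miller-Rabin), then recovers the RSA private exponent from p and q for an assumed public exponent e = 65537 and decrypts a sample message. The exponent, the sample message and the random seed are assumptions; the three integers are the ones printed on the slide.

```python
# Added example (not from the original slides): check the RSA-768 record factorization
# and show what it yields. N_768, P_768, Q_768 are the slide's numbers; e = 65537 and the
# sample message are assumptions.
import math
import random
from typing import Optional

N_768 = int("1230186684530117755130494958384962720772853569595334792197322452151726400507263657518745202199786469389956474942774063845925192557326303453731548268507917026122142913461670429214311602221240479274737794080665351419597459856902143413")
P_768 = int("33478071698956898786044169848212690817704794983713768568912431388982883793878002287614711652531743087737814467999489")
Q_768 = int("36746043666799590428244633799627952632279158164343087642676032283815739666511279233373417143396810270092798736308917")


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin: False is a proof of compositeness, True means 'probably prime'."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:          # write n - 1 = 2^r * d with d odd
        d //= 2
        r += 1
    rng = random.Random(768)   # fixed seed (assumption) so the run is reproducible
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False       # a is a witness: n is composite
    return True


def factorization_is_valid(n: int, p: int, q: int) -> bool:
    """The record claim holds only if p * q == n and both factors are prime."""
    return p * q == n and is_probable_prime(p) and is_probable_prime(q)


def recover_private_exponent(p: int, q: int, e: int = 65537) -> Optional[int]:
    """With p and q known, d = e^-1 mod lcm(p-1, q-1); None if e is not invertible."""
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    if math.gcd(e, lam) != 1:
        return None
    return pow(e, -1, lam)


def rsa_roundtrip_ok(n: int, e: int, d: int, m: int) -> bool:
    """Encrypt m under the public key (n, e), decrypt with the recovered d."""
    return pow(pow(m, e, n), d, n) == m


if __name__ == "__main__":
    print("N has", N_768.bit_length(), "bits")
    print("factorization valid:", factorization_is_valid(N_768, P_768, Q_768))
    d = recover_private_exponent(P_768, Q_768)
    print("private exponent recovered, round trip ok:",
          d is not None and rsa_roundtrip_ok(N_768, 65537, d, 123456789))
```

The point of the last two functions is that "factored" and "broken" are the same thing for RSA: once p and q are public, anyone can compute d for whatever e the key used, which is why the sieving-cost estimates on the next slide translate directly into key-length recommendations.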

Page 11


Estimation for Key Length of RSA

(Chart.) Computational cost for finishing the sieving step within one year (updated July 2015), plotted for RSA 768, 1024, 1536 and 2048 bits against the supercomputers K, Tianhe-2, Titan and Sequoia.

Page 12


Candidates of Post-Quantum Cryptography

• Hash-based signature schemes
• Code-based cryptosystems
• Multivariate cryptosystems
• Lattice-based cryptosystems
• etc.

Page 13


Lattice‐based Cryptography

Page 14


A lattice  is the set of all integer combinations of  linearly independent vectors  . As   , , .


Shortest vector problem (SVP): find the shortest vectors in the lattice of given basis  , , . 
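As an added example (not from the original slides), the following toy shows the two ingredients behind the SVP challenges: lattice reduction (textbook LLL, the building block of the BKZ-style solvers used on the Darmstadt instances) and an exhaustive search that confirms the shortest vector in a dimension small enough to enumerate. The 3-dimensional basis is constructed for the example; the volume check confirms that the reduced basis spans the same lattice as the input.

```python
# Added example (not from the original slides): toy lattice reduction and SVP check.
# BASIS is a constructed 3-dimensional input (rows are basis vectors); the lattice it
# spans contains the vector (0, 1, 0), which brute force and LLL should both find.
from fractions import Fraction
from itertools import product

BASIS = [[1, 1, 1], [-1, 0, 2], [3, 5, 6]]


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def gram_schmidt(basis):
    """Exact Gram-Schmidt over the rationals: returns (b*_i vectors, mu_ij coefficients)."""
    ortho, mu = [], []
    for i, b in enumerate(basis):
        v = [Fraction(x) for x in b]
        row = []
        for j in range(i):
            m = Fraction(dot(b, ortho[j])) / dot(ortho[j], ortho[j])
            row.append(m)
            v = [vi - m * oj for vi, oj in zip(v, ortho[j])]
        ortho.append(v)
        mu.append(row)
    return ortho, mu


def lll_reduce(basis, delta=Fraction(3, 4)):
    """Textbook LLL with Lovasz parameter delta. Gram-Schmidt is recomputed after every
    change, which is fine for a toy and hopeless at challenge dimensions."""
    b = [list(row) for row in basis]
    n = len(b)
    ortho, mu = gram_schmidt(b)
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):            # size reduction of b_k
            q = round(mu[k][j])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                ortho, mu = gram_schmidt(b)
        lhs = dot(ortho[k], ortho[k])
        rhs = (delta - mu[k][k - 1] ** 2) * dot(ortho[k - 1], ortho[k - 1])
        if lhs >= rhs:                              # Lovasz condition holds
            k += 1
        else:                                       # swap and step back
            b[k], b[k - 1] = b[k - 1], b[k]
            ortho, mu = gram_schmidt(b)
            k = max(k - 1, 1)
    return b


def volume_squared(basis):
    """det(L)^2 = product of ||b*_i||^2; identical for any two bases of the same lattice."""
    ortho, _ = gram_schmidt(basis)
    vol = Fraction(1)
    for v in ortho:
        vol *= dot(v, v)
    return vol


def shortest_vector_bruteforce(basis, bound):
    """Exhaustive SVP over coefficient vectors in [-bound, bound]^n: exponential in n,
    so only usable in tiny dimension, which is exactly why reduction algorithms exist."""
    best, best_norm2 = None, None
    dim = len(basis[0])
    for coeffs in product(range(-bound, bound + 1), repeat=len(basis)):
        if not any(coeffs):
            continue
        v = [sum(c * row[i] for c, row in zip(coeffs, basis)) for i in range(dim)]
        n2 = dot(v, v)
        if best_norm2 is None or n2 < best_norm2:
            best, best_norm2 = v, n2
    return best, best_norm2


if __name__ == "__main__":
    reduced = lll_reduce(BASIS)
    print("LLL-reduced basis:", reduced)
    print("volume^2 before/after:", volume_squared(BASIS), volume_squared(reduced))
    print("shortest vector by brute force:", shortest_vector_bruteforce(BASIS, 5))
```

LLL only guarantees an approximation to the shortest vector in general; in this small instance its first output vector is exactly the brute-force optimum. The challenge instances use dimensions where neither enumeration nor plain LLL suffices, which is what the simulator on the following slides is estimating.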

Page 15


Darmstadt Lattice Challenge
https://www.latticechallenge.org/

• SVP Challenge / Lattice Challenge (since 2008)
• Ideal Lattice Challenge (since 2013)

Page 16


Darmstadt Ideal Lattice Challenge

Instance: HNF of a random lattice. Target: a vector of norm at most n · det^{1/n}.

(Chart.) Cost estimation by simulator; the two data points on the chart read 2^24.0 sec and 2^20.7 sec.

Our simulator gives a sharp estimation.

Page 17


Multivariate Public-Key Cryptography (MPKC)

Page 18


MQ problem

MPKC are public-key cryptosystems whose security depends on the difficulty of solving a system of multivariate quadratic polynomials with coefficients in a finite field.

MQ problem: find a solution $(x_1,\dots,x_n)$ of the system of multivariate quadratic equations

$$f_1(x_1,\dots,x_n) = \sum_{1 \le i \le j \le n} a^{(1)}_{ij} x_i x_j + \sum_{1 \le i \le n} b^{(1)}_i x_i + c^{(1)} = d_1,$$

$$f_2(x_1,\dots,x_n) = \sum_{1 \le i \le j \le n} a^{(2)}_{ij} x_i x_j + \sum_{1 \le i \le n} b^{(2)}_i x_i + c^{(2)} = d_2,$$

$$\vdots$$

$$f_m(x_1,\dots,x_n) = \sum_{1 \le i \le j \le n} a^{(m)}_{ij} x_i x_j + \sum_{1 \le i \le n} b^{(m)}_i x_i + c^{(m)} = d_m.$$

It is believed that the (general) MQ problem is hard to solve.
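An added example (not from the original slides) that makes the MQ problem concrete over F_2, the field of the MQ Challenge "Type I" records on a later slide, where the instances have m = 2n: it generates a random quadratic system with a planted solution, right-hand sides set to zero, and solves it by exhaustive search over all 2^n assignments. The instance generator, the seed and the parameters n = 10, m = 20 are assumptions chosen so the search finishes instantly; challenge instances have n in the fifties, where 2^n search is out of reach and the records in the table come from algebraic solvers.

```python
# Added example (not from the original slides): a small MQ instance over F_2 with a
# planted solution, solved by exhaustive search. Generator, seed and sizes are assumptions.
import random
from itertools import product


def eval_poly(poly, x):
    """f(x) = sum a_ij x_i x_j + sum b_i x_i + c over F_2 (xor is +, and is *)."""
    quad, lin, c = poly
    v = c
    for (i, j), a in quad.items():
        if a:
            v ^= x[i] & x[j]
    for i, b in enumerate(lin):
        if b:
            v ^= x[i]
    return v


def gen_mq_instance(n, m, seed=0):
    """Random system of m quadratic polynomials in n variables with a planted root x*."""
    rng = random.Random(seed)
    x_star = [rng.randrange(2) for _ in range(n)]
    system = []
    for _ in range(m):
        quad = {(i, j): rng.randrange(2) for i in range(n) for j in range(i, n)}
        lin = [rng.randrange(2) for _ in range(n)]
        # choose the constant so that f(x*) = 0, i.e. the right-hand side is zero
        c = eval_poly((quad, lin, 0), x_star)
        system.append((quad, lin, c))
    return system, x_star


def is_solution(system, x):
    return all(eval_poly(p, x) == 0 for p in system)


def solve_bruteforce(system, n):
    """Exhaustive search over 2^n assignments; returns the first root found, or None."""
    for bits in product((0, 1), repeat=n):
        if is_solution(system, list(bits)):
            return list(bits)
    return None


def count_solutions(system, n):
    """Number of roots; for random systems with m = 2n it is almost always 1."""
    return sum(is_solution(system, list(bits)) for bits in product((0, 1), repeat=n))


if __name__ == "__main__":
    system, planted = gen_mq_instance(n=10, m=20, seed=1)
    print("planted solution:", planted)
    print("found by brute force:", solve_bruteforce(system, 10))
    print("number of solutions:", count_solutions(system, 10))
```

Over F_2 the squares x_i x_i collapse to x_i, so the quadratic part is effectively the pairs i < j plus a linear term; the code keeps the i ≤ j form of the slide for clarity. Doubling n multiplies the search cost by 2^n, which is the gap the challenge records quantify.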

Page 19


MQ Challenge (starting from April 2015)
https://www.mqchallenge.org/

Page 20


Current records

• Type I ( )

  m     n     time (seconds)
  110   55    963.53
  112   56    2254.21
  114   57    5096.94
  116   58    10391.10
  118   59    18357.53
  120   60    23536.88
  122   61    80244.52

Page 21


Conclusion

• Attack technology keeps developing.

• We need to keep investigating the security of (post-quantum) cryptosystems.

• Challenge problems are used to estimate the upper limit of the computational power of expected attackers.

Page 22


Thank you! Q&A