Dustin Moody Post Quantum Cryptography Team National Institute of Standards and Technology (NIST)

Similar documents
FORWARD: Standards-and-Guidelines-Process.pdf. 1

Computer Security: Principles and Practice

Safeguarding Data Using Encryption. Matthew Scholl & Andrew Regenscheid Computer Security Division, ITL, NIST

Table of Contents. Bibliografische Informationen digitalisiert durch

Cryptographic Algorithms and Key Size Issues. Çetin Kaya Koç Oregon State University, Professor

National Security Agency Perspective on Key Management

Forward Secrecy: How to Secure SSL from Attacks by Government Agencies

SHA3 WHERE WE VE BEEN WHERE WE RE GOING

Cryptographic Hash Functions Message Authentication Digital Signatures

A PPENDIX H RITERIA FOR AES E VALUATION C RITERIA FOR

Certicom Security for Government Suppliers developing client-side products to meet the US Government FIPS security requirement

Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths

Public Key Cryptography. Performance Comparison and Benchmarking

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES

SMPTE Standards Transition Issues for NIST/FIPS Requirements v1.1

Authentication requirement Authentication function MAC Hash function Security of

IT Networks & Security CERT Luncheon Series: Cryptography

An Introduction to Cryptography as Applied to the Smart Grid

Introduction to Security and PIX Firewall

Quantum Safe Security Workgroup Presentation. Battelle / ID Quantique / QuantumCTek CSA EMEA Congress, Rome 19 November 2014

2014 IBM Corporation

Cryptography and Key Management Basics

Chapter 8. Network Security

Accellion Secure File Transfer Cryptographic Module Security Policy Document Version 1.0. Accellion, Inc.

Cryptography & Network Security. Introduction. Chester Rebeiro IIT Madras

Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography

FIPS Non- Proprietary Security Policy. McAfee SIEM Cryptographic Module, Version 1.0

Elliptic Curve Cryptography Methods Debbie Roser Math\CS 4890

Pulse Secure, LLC. January 9, 2015

Announcing Approval of Federal Information Processing Standard (FIPS) 197, Advanced. National Institute of Standards and Technology (NIST), Commerce.

Network Security. Security Attacks. Normal flow: Interruption: 孫 宏 民 Phone: 國 立 清 華 大 學 資 訊 工 程 系 資 訊 安 全 實 驗 室

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Symantec Mobility: Suite Server Cryptographic Module

SE 4472a / ECE 9064a: Information Security

I N F O R M A T I O N S E C U R I T Y

Symantec Corporation Symantec Enterprise Vault Cryptographic Module Software Version:

Cryptography and Network Security

Lecture 9: Application of Cryptography

CSCE 465 Computer & Network Security

Cryptography and Network Security Chapter 11

CRYPTOGRAPHY IN NETWORK SECURITY

RSA BSAFE. Crypto-C Micro Edition for MFP SW Platform (psos) Security Policy. Version , October 22, 2012

Secure Network Communications FIPS Non Proprietary Security Policy

Quantum Computers vs. Computers

Randomized Hashing for Digital Signatures

Real-World Post-Quantum Digital Signatures

Archived NIST Technical Series Publication

Overview of Public-Key Cryptography

Recommendation for Cryptographic Key Generation

Evaluating Security of Cryptographic Algorithm

Connected from everywhere. Cryptelo completely protects your data. Data transmitted to the server. Data sharing (both files and directory structure)

Evaluation of Digital Signature Process

How encryption works to provide confidentiality. How hashing works to provide integrity. How digital signatures work to provide authenticity and

CRYPTOGRAPHY AND NETWORK SECURITY

Security needs in embedded systems

I N F O R M A T I O N S E C U R I T Y

Elliptic Curve Hash (and Sign)

SPC5-CRYP-LIB. SPC5 Software Cryptography Library. Description. Features. SHA-512 Random engine based on DRBG-AES-128

Assurance or Insurance?

Ky Vu DeVry University, Atlanta Georgia College of Arts & Science

Cybersecurity in a Quantum World: will we be ready?

Crittografia e sicurezza delle reti. Digital signatures- DSA

CrypTool Claudia Eckert / Thorsten Clausius Bernd Esslinger / Jörg Schneider / Henrik Koy

Cryptography and Network Security: Summary

How To Encrypt With A 64 Bit Block Cipher

Final Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket

A Question of Key Length

Message Authentication

Next Frontier H O W QU A N TUM T E C H N O LOGIES H AV E A L R E A DY B E GU N I M PAC TING T HE C Y B E R S E C U RI TY L A N D S CAPE.

Performance Investigations. Hannes Tschofenig, Manuel Pégourié-Gonnard 25 th March 2015

Encryption, Data Integrity, Digital Certificates, and SSL. Developed by. Jerry Scott. SSL Primer-1-1

Guideline for Implementing Cryptography In the Federal Government

U.S. Federal Information Processing Standard (FIPS) and Secure File Transfer

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

NIST Cryptographic Standards and Guidelines Development Process

Public-Key Infrastructure

efolder White Paper: The Truth about Data Integrity: 5 Questions to ask your Online Backup Provider

Public Key (asymmetric) Cryptography

ETSI TS V1.2.1 ( )

CSCI-E46: Applied Network Security. Class 1: Introduction Cryptography Primer 1/26/16 CSCI-E46: APPLIED NETWORK SECURITY, SPRING

Symmetric Mechanisms for Authentication in IDRP

SECURITY IN NETWORKS

Strengths and Weaknesses of Cybersecurity Standards

Lecture 6 - Cryptography

Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213

Public Key Cryptography in Practice. c Eli Biham - May 3, Public Key Cryptography in Practice (13)

CIS433/533 - Computer and Network Security Cryptography

VoIP Security. Seminar: Cryptography and Security Michael Muncan

Public Key Cryptography Overview

C O M P U T E R S E C U R I T Y

GoldKey Product Info. Do not leave your Information Assets at risk Read On... Detailed Product Catalogue for GoldKey

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Length extension attack on narrow-pipe SHA-3 candidates

SeChat: An AES Encrypted Chat

2. Cryptography 2.4 Digital Signatures

Briefing note: GCHQ Internships

Outline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg

AN IMPLEMENTATION OF HYBRID ENCRYPTION-DECRYPTION (RSA WITH AES AND SHA256) FOR USE IN DATA EXCHANGE BETWEEN CLIENT APPLICATIONS AND WEB SERVICES

Transcription:

Dustin Moody Post Quantum Cryptography Team National Institute of Standards and Technology (NIST)

When will a quantum computer be built that breaks current crypto? 15 years, $1 billion USD, nuclear power plant (to break RSA-2048) (PQCrypto 2014, Matteo Mariantoni) Impact: Public key crypto: FIPS 186-4, SP 800-56A/56B RSA Elliptic Curve Cryptography (ECDSA) Finite Field Cryptography (DSA) Diffie-Hellman key exchange Symmetric key crypto: FIPS 197, SP 800-57 AES Triple DES Hash functions: FIPS 180-4, FIPS 202 SHA-1, SHA-2 and SHA-3

When will a quantum computer be built? 15 years, $1 billion USD, nuclear power plant (PQCrypto 2014, Matteo Mariantoni) Impact: Public key crypto: RSA Elliptic Curve Cryptography (ECDSA) Finite Field Cryptography (DSA) Diffie-Hellman key exchange Symmetric key crypto: AES Need larger keys Triple DES Need larger keys Hash functions: SHA-1, SHA-2 and SHA-3 Use longer output

How long does encryption need to be secure (x years) How long to re-tool existing infrastructure with quantum safe solution (y years) How long until large-scale quantum computer is built (z years) Theorem (Mosca): If x + y > z, then worry What do we do here?? y z x secret keys revealed time NSA is transitioning in the not too distant future <https://www.iad.gov/iad/programs/iad-initiatives/cnsa-suite.cfm> European PQCrypto project ETSI work IETF hash-based signature RFC s NIST report - <http://csrc.nist.gov/publications/drafts/nistir-8105/nistir_8105_draft.pdf>

NIST is calling for quantum-resistant cryptographic algorithms for new public-key crypto standards Digital signatures Encryption/key-establishment We see our role as managing a process of achieving community consensus in a transparent and timely manner We do not expect to pick a winner Ideally, several algorithms will emerge as good choices We may pick one (or more) for standardization Only algorithms publicly submitted considered

Fall 2016 formal Call For Proposals Nov 2017 Deadline for submissions 3-5 years Analysis phase NIST will report its findings 2 years later - Draft standards ready Workshops Early 2018 submitter s presentations One or two during the analysis phase

Post-quantum cryptography is more complicated than AES or SHA-3 No silver bullet - each candidate has some disadvantage Not enough research on quantum algorithms to ensure confidence for some schemes We do not expect to pick a winner Ideally, several algorithms will emerge as good choices We may narrow our focus at some point This does not mean algorithms are out Requirements/timeline could potentially change based on developments in the field

The formal Call will have detailed submission requirements A complete written specification of the algorithms shall be included, consisting of all necessary mathematical operations, equations, tables, diagrams, and parameters that are needed to implement the algorithms. The document shall include design rationale and an explanation for all the important design decisions that are made. Minimal acceptability requirements Publicly disclosed and available with no IPR Implementable in wide range of platforms Provides at least one of: signature, encryption, or key exchange Theoretical and empirical evidence providing justification for security claims

Implementation Reference version Optimized version Cryptographic API will be provided Can call approved hash functions, block ciphers, modes, etc Known Answer and Monte Carlo tests Optional constant time implementation

Signed statements Submitted algorithm Implementations Disclose known patent information Available worldwide without royalties or any intellectual property restrictions during the analysis phase Submitters can reclaim rights by withdrawing submission from consideration

To be detailed in the formal Call Security Cost (computational and memory) Algorithm and implementation characteristics Draft criteria will be open for public comment We strongly encourage public evaluation and publication of results concerning submissions NIST will summarize the evaluation results and report publicly

Target security levels 128 bits classical security 64/80/96/128 bits quantum security? Correct security definitions? IND-CCA2 for encryption EUF-CMA for signatures CK best for key exchange? Quantum/classical algorithm complexity Stability of best known attack complexity Precise security claim against quantum computation Parallelism? Attacks on multiple keys? How many chosen ciphertext queries allowed? Security proofs Quality and quantity of prior cryptanalysis

Computational efficiency Hardware and software Key generation Encryption/Decryption Signing/Verification Key exchange Memory requirements Concrete parameter sets and key sizes for target security levels Ciphertext/signature size

Ease of implementation Tunable parameters Implementable on wide variety of platforms and applications Parallelizable Resistance to side-channel attacks Ease of use How does it fit in existing protocols (such as TLS or IKE) Misuse resistance Simplicity

How is the timeline? Too fast? Too slow? Do we need an ongoing process, or is one time enough? How to determine if a candidate is mature enough for standardization? hash-based signatures for code signing Should we just focus on encryption and signatures, or should we also consider other functionalities? How many "bits of security" do we need against quantum attacks? How can we encourage more work on quantum cryptanalysis? Maybe we need "challenge problems"? How can we encourage people to study practical impacts on the existing protocols? For example, key sizes may be too big

NIST is calling for quantum-resistant algorithms We see our role as managing a process of achieving community consensus in a transparent and timely manner Different from (but similar to) AES/SHA-3 competitions We don t have all the answers Wanted: Postdocs, guest researchers at NIST We would like public feedback Email: pqc-comments@nist.gov PQC forum: pqc-forum@nist.gov

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information