Post on 27-Mar-2022
Towards quantum-safe cryptography
Workshop on Quantum-Safe Cryptography
26 September 2013
Michele Mosca
ETSI, Sophia Antipolis, France
Cryptography is a foundational pillar of the global information
security infrastructure
Cryptography allows us to achieve
information security in the “cloud”.
physical security
cryptography
trust
Information is handled by untrusted parties
through untrusted media.
e.g. Do you update your software and anti-virus daily? Why do you trust the source?
One serious problem for public-key cryptography
Algorithms for Quantum Computation: Discrete Logarithms and Factoring
In: Proceedings, 35th Annual Symposium on Foundations of Computer Science,
Santa Fe, NM, November 20–22, 1994, IEEE Computer Society Press, pp. 124–134.
Peter W. Shor
AT&T Bell Labs
Room 2D-149
600 Mountain Ave.
Murray Hill, NJ 07974, USA
…on top of the ever-present risk of unexpected advances in classical algorithms
e.g. Cryptology ePrint Archive: Report 2013/400 (Date: received 18 Jun 2013)
How soon do we need to worry?
Depends on:
• How long do you need encryption to be secure? (x years)
• How much time will it take to re-tool the existing infrastructure with a large-scale quantum-safe solution? (y years)
• How long will it take for a large-scale quantum computer to be built (or for any other relevant advance)? (z years)
Theorem 1: If x + y > z, then worry.
[Figure: timeline along a "time" axis showing the intervals y, x and z, annotated "What do we do here??"]
“Threshold theorem”
Architecture description
Error model
Threshold “ɛ”
If the error rates of the basic operations of the device are below ɛ, then we can efficiently scale quantum computations.
How long to re-tool the cryptographic infrastructure?
Cryptographers are studying possible quantum-safe codes.
Quantum information experts are researching the power of quantum algorithms, and their impact on computationally secure cryptography.
How easy is it to change from one cryptographic algorithm to a quantum-secure one? Are the standards and practices ready?
Sponsored by the Joint Quantum Institute (JQI), NIST, and the University of Maryland.
October 27-29, 2010
Past examples…quiz
How many years for
• RSA to go from discovery to ubiquitous deployment?
• ECC from discovery to ubiquitous deployment?
• BEAST attack to roll out of TLS 1.1?
Bottom line
“Wait and see” approach is too risky.
The next generation cryptographic infrastructure:
• Must have quantum-safe alternatives
• Should have algorithmic agility built-in
Quantum-safe cryptographic infrastructure
“post-quantum” cryptography
• classical codes deployable without quantum technologies
• believed/hoped to be secure against quantum computer attacks of the future
+
quantum cryptography
• quantum codes requiring some quantum technologies (typically less than a large-scale quantum computer)
• typically no computational assumptions and thus known to be secure against quantum attacks
Both sets of cryptographic tools can work very well together in a quantum-safe cryptographic ecosystem
Overview of options
Quantum-safe authentication
• Trap-door predicate based public-key signatures
• Hash-function based public-key signatures
• Symmetric-key authentication
Quantum-safe key establishment
• “Alternative” public-key-encryption based key establishment
  • Lattices
  • Codes
  • Multi-variate functions
  • Other
• Quantum key establishment
Important questions
How ready are these systems for wide-scale deployment?
What are the next steps with respect to standardization and certification?
What gaps remain for the various approaches?
What are the pitfalls to avoid?