Post-Quantum Key Exchange for Optical Networks · 2018-04-09 · We have implemented a post-quantum...

Post-Quantum Key Exchange for Optical Networks

Joo Yeon Cho

5-6 April 2018

PQCrypto Code-Based Workshop 2018

© 2018 ADVA Optical Networking. All rights reserved. Confidential.22

Security in Optical Transmission


OTN (Layer 1) Security


Optical Transmission

• No IP address

• Wavelength Division Multiplexing (CWDM, DWDM,…)

• High speed transmission: 10G/40G/100G/200G/..

• Usually Point-to-Point transmission over long distance


Encryption PerformanceComparison of Maximum Throughput

Framesize / Bytes

Thro

ugh

pu

t

And why on Layer 1?

• Protocol and data rate agnostic

• Lowest Latency

• 100% Throughput

• Operational Simplicity


Tapping of Optical Fiber is Reality

“The Guardian” Report:

… GCHQ was … tapping in to 200

fiber-optic cables to give it the ability

to monitor up to 600 million

communications every day …

… the GCHQ operation codenamed

“Tempora” has been running for 18

months …

… information from Internet and

phone use was stored for up to 30

days to be shifted and

analyzed …UK Government Communications Headquarter

– GCHQ –


Tapping of Optical Fiber is Reality

Fiber optical networks are susceptible to tapping, bending and splicing attacks.


Encryption / Decryption Model

Symmetric key

encryption

Public key

crypto

Key En

cod

er

Client

Data

Input

Deco

der

Client

Data

Output

Symmetric key

decryption

Public key

crypto

Alice

Bob

Optical

Channel

Key

Ele

ctro-O

ptic

con

versio

n

Op

to-E

lectro

nic

con

versio

n

FEC

FEC

Deco

der

Data

OutputSymmetric key

decryption

cryptanalysis

Eve

KeyO

pto

-Ele

ctron

ic

con

versio

n

FEC

Wiretap

FEC: Forward Error Correction


1 …….…. 14 15 ….… 16 17 ………………………………. 3824 3825 .… 4080

1

2

3

4

Column number

OTU/ODU

overheadRO

W OPU

overheadEncryption

FEC

area

Encrypted Payload

OCH Overhead Och payload FEC data

Optical channel frame structure

AES-256

encrypted payload

Authenticated Diffie-

Hellman Key Exchange

Key Exchange

Encryption using G.709* / OTH Link Protocol * S. Gorshe, A tutorial on ITU-T G.709 optical transport networks (OTN), 2010


ODU overhead fields are used for the key exchange protocol.

Key Exchange Data Transmission


• ADVA has obtained the BSIapproval for VS-NfD

• 100G Muxponder module:10TCE-PCN-16GU+AES100G-BSI

• First Layer 1 device listed

Governmental Approval

BSI Approval

https://www.bsi.bund.de/DE/Themen/Sicherheitsberatung/ZugelasseneProdukte/Liste_Produkte/Liste_Produkte_html.html

First and only Layer 1 device approved and listed at German BSI

https://www.bsi.bund.de/DE/Themen/Sicherheitsberatung/ZugelasseneProdukte/Liste_Produkte/Liste_Produkte_html.html


ADVA‘s Approach


Post-quantum Encryption for Optical Network

Layer-1 Encryption: AES-256 => quantum-safe

Password based authentication (PACE protocol) => quantum-safe

Message Authentication Code: AES-GCM => quantum-safe

x Key Exchange: Diffie-Hellman => not quantum-safe


We chose McEliece / Niederreiter because …

• Based on the (proven) hardness of syndrome decoding problem.

• Theory on error correction code is well-developed.

• The McEliece cryptosystem was first proposed in 1978, and not broken yet.

• Other Post-quantum key exchange schemes are relatively new, except for NTRU.

• Large key size is not very critical for optical network.


NIST Post-quantum Cryptography

• NIST received a total of 82 submissions, two of which have been withdrawn. (05.12.2017)

• There are 65 schemes that have not officially withdrawn yet. (06.03.2018)

• www.nist.gov/pqcrypto

• https://www.safecrypto.eu/pqclounge/

http://www.nist.gov/pqcrypto

https://www.safecrypto.eu/pqclounge/


Niederreiter-Goppa Key Exchange (or KEM)

• Security level: NIST Category 5 (256-bit key)

• IND-CCA security in the ROM: Fujisaki-Okamoto / Dent transform

• There are two submissions:

• Classic McEliece (https://classic.mceliece.org/)

• NTS-KEM (https://nts-kem.io/)

KEM [n, t] Public Key Secret Key

Classic McEliece [8192, 128] ~1.3 MB ~14 KB

NTS-KEM [8192, 136] ~1.4 MB ~19 KB

* Performance: NTS-KEM > Classic McEliece

https://classic.mceliece.org/

https://nts-kem.io/


McEliece

• A generator matrix G ⋲ F2(k x n)

c = mG + e ⋲ F2n

• G=[Ik;Q] and Q is used as PK.

• if n is doubled then c is also doubled.

Niederreiter

• A parity check matrix H ⋲ F2(n-k) x n

c = H · uT ⋲ F2(n-k)

• H=[In-k;T] and T is used as PK.

• if n is doubled, c only increases by the

factor log2(n)+1 / log2(n).

McEliece vs Niederreiter

• The security of the Niederreiter and the McEliece

scheme are equivalent.

• Niederreiter has (usually) smaller public key /

ciphertext length.

G · HT = 0


Classic McEliece vs NTS-KEM

• Both are Niederreiter-Goppa KEM.

• Security: Classic McEliece ≈ NTS-KEM

• Performance: NTS-KEM > Classic McEliece

• Mainly due to Albrecht et al. “Efficient Dense Gaussian Elimination over the Finite Field with Two

Elements” (https://arxiv.org/abs/1111.6549, 2011)

KEM Key Pair Avg Enc Avg Dec Avg sk pk ct

Classic McEliece 6806781057 12653666 686157417 14080 1357824 240

NTS-KEM 335604669 1081765 2923896 19890 1419704 253

* Extracted from “Performance_Testing_TestPlatform.xlsx” by NIST (16.01.2018)

https://arxiv.org/abs/1111.6549


Best Known Attacks

• Information Set Decoding (ISD)

• Most efficient attack on code-based crypto

• D. Bernstein, et al. “Smaller decoding exponents: Ball-collision decoding” in CRYPTO 2011

• Script by Peters (https://bitbucket.org/cbcrypto/isdfq): time-complexity estimation

• Reaction attack / timing attack

• Q. Guo, et al. “A key recovery attack on MDPC with CCA security using decoding errors”, in ASIACRYPT

2016

• Deterministic decoding algorithm or refreshing key every session could prevent this type of attack.

• Quantum Attacks

• No known quantum algorithms for attacking McEliece

https://bitbucket.org/cbcrypto/isdfq


Implementation & Demo Plan


Implementation

• Hardware platform

• Embedded system with PowerPC processor

• Limited resources such as cache and memory

• Following versions are implemented (Category 5).

• Classic McEliece: (8192, 128)

• NTS-KEM: (8192, 136)

• Key generation

• A key pair (pk, sk) is generated every session.


Brief Description of Protocol

r

Alice

X

r=AES-1(AES(r))

Bob

Y

AES (r)P: password

r: Random number

X: public-key

x: private-key

Encapsulation

Decapsulation

H: MAC func.

K: MAC Key

(K1, c1) = Encap(Y) (K2, c2) = Encap(X) c1, c2

X, Y

P: password

Y: public-key

y: private-key

H: MAC func.

K: MAC Key

K2=Decap(x, c2)

K=H(K1, K2, r)K=H(K1, K2, r)

K1=Decap(y, c1)

tag tag tag


Hybrid Mode: DH + PQC

PQC?

KD

F

KAES + IV

KDH

KPQCPQC

DH KEX

Start KEX

Yes

KPQC = 0No

DH KEX + KDF: [NIST 800-56A]


Brief Description of Protocol - Hybrid

r

Alice

XDH = gxDH

X=XDH || XPQ

r=AES-1(AES(r))

Bob

YDH = gyDH

Y=YDH || YPQ

AES (r)P: password

r: Random number

DH: (xDH, XDH)

PQ: (xPQ, XPQ)

Encapsulation

Decapsulation

H: MAC func.

K: MAC Key

(K1, c1) = Encap(YPQ) (K2, c2) = Encap(XPQ) c1, c2

X, Y

P: password

DH: (yDH, YDH)

PQ: (yPQ, YPQ)

H: MAC func.

K: MAC Key

K2=Decap(xPQ, c2)

K=H( K0, K1, gxDHyDH+r ) K=H( K1, K2, gxDHyDH+r )

K1=Decap(yPQ, c1)

tagtag

tag


Comparison of Data Transmission Time

N: amount of data for key exchange

fk : ODUk frame period

b: the number of overhead bytes used

Goppa (n, t) = (8192, 128)

QC-MDPC (n, t) = (65542, 264)

Tk = fk x N / b


The 100G Encryption Demo

XG-210

VideoLocal

“Sender”

Remote

“Receiver”

Intermediate

“Hacker”

Optic Coupler

WCC-AES100G

4CSM Filter

XG-210

WCC-AES100G

4CSM Filter

XG-210

WCC-AES100G

4CSM Filter &

EDFA VGC

Video

CLI CLIVideo

?

CLI


Summary

We have implemented a post-quantum key exchange protocol on optical network.

• Classic McEliece and NTS-KEM

We claim at least 2^128 post-quantum security, which is well matched with AES-256.

We support a hybrid mode (DH + PQ) for the safe transition from classical to quantum crypto.


Acknowledgements

This work has been performed in the framework of the CELTIC EUREKA project

SENDATE-Secure-DCI (Project ID C2015/3-4), and it is partly funded by the

German BMBF (Project ID 16KIS0477K).

Thank you

IMPORTANT NOTICE

The content of this presentation is strictly confidential. ADVA Optical Networking is the exclusive owner or licensee of the content, material, and information in this presentation. Any reproduction, publication or reprint, in whole or in part, is strictly prohibited.

The information in this presentation may not be accurate, complete or up to date, and is provided without warranties or representations of any kind, either express or implied. ADVA Optical Networking shall not be responsible for and disclaims any liability for any loss or damages, including without limitation, direct, indirect, incidental, consequential and special damages, alleged to have been caused by or in connection with using and/or relying on the information contained in this presentation.

Copyright © for the entire content of this presentation: ADVA Optical Networking.

[email protected]

http://www.facebook.com/pages/ADVA-Optical-Networking/37630238931?ref=ts#!/pages/ADVA-Optical-Networking/37630238931?v=wall

http://www.linkedin.com/company/adva-optical-networking

http://www.youtube.com/user/ADVAOptical

http://advaopticalnews.tumblr.com/

http://twitter.com/ADVAOpticalNews

https://www.advaoptical.com/en/press-feed

Post-Quantum Key Exchange for Optical Networks · 2018-04-09 · We have implemented a post-quantum...

Documents

Transcript of Post-Quantum Key Exchange for Optical Networks · 2018-04-09 · We have implemented a post-quantum...