Quantum Safe One Pass Key Establishment - ETSI

Quantum Safe One Pass Key Establishment Atsushi Yamada VP, Research & Development ISARA Corporation September 15, 2017

Page 1:

Quantum Safe One Pass Key Establishment

Atsushi Yamada VP, Research & Development

ISARA Corporation

September 15, 2017

Page 2:

One Pass Protocol

§ One way single pass handshake
  § Datagram/Connectionless ↔ Connection Oriented
  § One-way communication → No response is expected
  § Existence of the receiver at the time of transmission is not expected
§ Useful for…
  § E-mail
  § Messaging

[Figure labels: Connection Oriented; One-way communication]

Page 3:

Secure One Pass Protocols

§ TLS and IKE are connection oriented → Not One Pass
§ Secure One Pass Protocols include
  § E-mail: S/MIME (CMS)
  § Messaging: iMessage, Signal
§ Authentication
  § RSA Signature or ECDSA is used → Need a quantum safe digital signature
§ Secrecy
  § Signal uses ephemeral ECDH → Need quantum safe key exchange
  § S/MIME and iMessage use RSA Encryption algorithm (key transport) → Need a quantum key transport…
§ Further looking into quantum safe secrecy for One Pass Protocols…

Page 4:

Quantum Safe One Pass

§ No Key Exchange → Need quantum safe Public Key Encryption (Key Transport) or Key Encapsulation Mechanism (KEM)
  § KEM avoids full CCA2 conversion, thus becoming more popular
  § KEM can be constructed from Key Exchange
§ Use of static key pair is necessary…
  § Lack of forward secrecy
  § Randomness contribution may come from only one side
  § Reasonably frequent key pair update is necessary
§ Protocols?
  § Signal avoids static key pair by using pre-computed ephemeral key pairs on a server → Not exactly One Pass
  § iMessage: not good – key pair is not updated
  § S/MIME: OK
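
The "KEM can be constructed from Key Exchange" and static key pair points on this slide, as an added example that is not part of the original deck: a one-pass KEM-DEM in which the sender's ephemeral key-exchange share is the KEM ciphertext and the recipient decapsulates offline with a static key. Assumptions: toy finite-field Diffie-Hellman stands in for a quantum safe key exchange, and `P`, `G` and all function names are hypothetical.

```python
# Added illustration with toy parameters: classical, NOT quantum safe, NOT secure.
import hashlib, hmac, secrets

P = 2**127 - 1  # toy Mersenne prime (assumption; far too small for real use)
G = 3           # toy base (assumption)

def keygen():
    """Recipient's static key pair; the public half is published in advance."""
    sk = secrets.randbelow(P - 3) + 2
    return sk, pow(G, sk, P)

def _kdf(shared, ct):
    return hashlib.sha256(ct.to_bytes(16, "big") + shared.to_bytes(16, "big")).digest()

def encapsulate(pk):
    """Sender: a fresh key-exchange share doubles as the KEM ciphertext."""
    eph = secrets.randbelow(P - 3) + 2  # the only fresh randomness in the protocol
    ct = pow(G, eph, P)
    return ct, _kdf(pow(pk, eph, P), ct)

def decapsulate(sk, ct):
    """Recipient: runs offline, whenever the stored message is read."""
    return _kdf(pow(ct, sk, P), ct)

def _stream(key, n):
    """SHA-256 in counter mode as a stand-in DEM keystream."""
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def seal(pk, msg):
    """One pass: (ct, body, tag) is the entire transmission; no reply is needed."""
    ct, k = encapsulate(pk)
    body = _xor(msg, _stream(k + b"enc", len(msg)))
    tag = hmac.new(k + b"mac", body, hashlib.sha256).digest()
    return ct, body, tag

def open_(sk, packet):
    """Check the tag before decrypting; reject anything that fails."""
    ct, body, tag = packet
    k = decapsulate(sk, ct)
    expected = hmac.new(k + b"mac", body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return _xor(body, _stream(k + b"enc", len(body)))
```

Every packet sealed to one public key stays readable to whoever later holds the matching `sk`, which is the lack of forward secrecy the slide notes; rotating the key pair limits how many messages one key protects.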

Page 5:

QSC Candidates for Secrecy

§ Known QSC Tools for secrecy
  § Lattice:
    § LWE Encrypt/KEM
    § LWE Key Exchange
    § NTRU Encrypt/KEM
  § Supersingular Isogeny: Key Exchange
  § Code Based (McEliece): Encrypt/KEM
  § No Hash Based Cryptosystem yet
  § No Multivariate Public Key Cryptosystem yet

Page 6:

Static Key Pair - Lattice

§ KEM algorithms are safe with static key pair
  § LWE KEM: Kyber
  § NTRU KEM: NTRU Prime
§ LWE key exchange is not safe with static key pair
  § NewHope, Frodo are not a good fit
  § Note: Key reuse can be made possible (Ding)
§ Lattice algorithms are very fast and reasonably sized → very good fit
  § In case something happens to Lattice crypto → nice to have a backup

Page 7:

Static Key Pair – Supersingular Isogeny, Code Based Encryption

§ Supersingular Isogeny Key Exchange is not safe with static key pair
  § Due to the attack by Galbraith, Petit, Shani, and Bo Ti
  § Mitigation is costly
§ Goppa McEliece/Niederreiter Encryption is safe with static key pair: McBits
  § Secure and reasonably fast
  § Still large public key
§ QC-MDPC McEliece Encryption
  § Much smaller public key
  § Public key is in systematic form → Most plaintext is exposed
  § Use probabilistic decoding
  § Need CCA2 conversion, s.a., Kobara-Imai (also hides plaintext)
  § Guo, Johansson, and Stankovski (GJS) attack → Attack on static key pair!

Page 8:

Code-based Algorithm for Key Encapsulation (CASE)

§ QC-MDPC based general purpose KEM
  § IND-CCA secure
  § Strictly designed with ephemeral key pair in order to mitigate GJS attack
  § For this purpose, faster key pair generation than original QC-MDPC is introduced
§ At the cost of public key size (twice as big)
  § Public key is no longer in a systematic form → Hides plaintext
§ No static key pair → require two passes → not suitable for One Pass Protocols

Page 9:

GJS Attack on QC-MDPC

§ Goal: reveal static private key
§ Observe decoding failures
  § Statistically analyze correlation between bit patterns of error vectors and private key (decoding matrix) upon decoding failures
  § Guess the bit distances in the decoding matrix to recover private key
  § Much more efficient if attacker can choose error vectors, which increases decoding failures considerably
§ So what does this mean?
  § Requires at least 3.5×10) decoding failures to be observed
  § With decoding failure rate of 10*+, it requires 3.5×10,- samples to encounter sufficient failures
§ Strategies, for example, include
  § Key pair must be updated every 10. messages
  § Key pair must be updated if 3 decoding failures are observed

Page 10:

QC-MDPC KEM

§ If key pair update is sufficiently frequent in S/MIME
  § GJS attack may not be applicable
  § Especially if error vectors are randomly generated
  § Systematic form → most plaintext to the encryption function is exposed
  § Kobara-Imai CCA2 conversion is good for IND-CCA, random error vectors, and plaintext hiding, but slow
§ Build a One Pass IND-CCA KEM!
  § Much faster than Kobara-Imai CCA2 conversion by avoiding costly integer-error vector bijection
  § IND-CCA secure
  § Verifies that error vectors are pseudo randomly generated
  § Plaintext (seed) is hidden

Page 11:

QC-MDPC KEM-DEM

Page 12:

Concluding Summary

§ Although much less frequently used than TLS or IPsec/IKE, One Pass Protocols such as S/MIME and iMessage are important
§ For One Pass Protocols, static key pair is needed → Frequent key pair update is necessary
§ Lattice KEMs, s.a. Kyber and NTRU Prime, are good and efficient
§ Currently, Supersingular Isogeny Key Exchange is not looking practical
§ McBits is good, but large
§ QC-MDPC KEM can be used
§ Further investigations are necessary
  § Protocols, s.a., S/MIME and iMessage to accommodate KEM
  § More security assessments

Page 13:

Thank You!