Yi-Kai Liu

US National Institute of Standards and Technology

(NIST)

NIST PQC team: Lily Chen Stephen Jordan Dustin Moody Rene Peralta Ray Perlner Daniel Smith

Email: pqc@nist.gov

Security is hard to measure!

Want to have a transparent justification: why is this secure?

Continuing to use RSA is risky; is there a benefit to using PQC? ◦ Diversity/redundancy in security

What does security mean? ◦ Breaking the cryptosystem is computationally hard,

e.g., requires 2256 operations

Show security against known attacks ◦ Try all known attacks, show that they are infeasible

How to protect against unknown attacks? ◦ New attacks, new discoveries in mathematics?

◦ Try to argue that these are “unlikely”

Security proofs (based on mathematical conjectures)

Design cryptosystems to defeat common classes of attacks

Lattice basis reduction ◦ LLL, BKZ, enumeration + extreme pruning ◦ Practical performance beats theoretical guarantees

What problem instances?

How to measure solution quality?

Tradeoffs between different algorithms

Grobner basis reduction ◦ General algorithm for solving multivariate systems

of equations Running time may depend on special structure present

in the equations

“Learning a parallelepiped” ◦ Breaks old versions of NTRUSign ◦ NTRUSign can be repaired using perturbations;

is this secure? ◦ Other lattice-based signatures are provably secure;

recent work has improved their efficiency

Differential attacks ◦ Break certain multivariate cryptosystems (e.g., SFLASH) ◦ HFE, unbalanced oil/vinegar are still ok

Lattice reduction attacks ◦ Break some versions of McEliece using LDPC codes ◦ Standard McEliece is still ok

Estimate the complexity of the known attacks ◦ Run experiments on small instances of the problem

◦ Then extrapolate to larger problem sizes

Adjust the cryptosystem to defeat these attacks

Type of attack Complexity of attack Countermeasure

General purpose algorithm

Exponential time Increase the key size

Exploit some special structure in the problem

Varies, can be polynomial time

Design the cryptosystem to avoid that structure

Reduced efficiency

Could there be other attacks that we haven’t discovered yet?

Faster general-purpose algorithms? ◦ Probably not…

More specialized attacks? ◦ Attacks on ideal lattices, compact McEliece

cryptosystems?

◦ (These cryptosystems have special structure, to improve efficiency)

Theoretical tools for thinking about security ◦ Security proofs ◦ Impossibility of special classes of attacks

Why is a particular cryptosystem secure?

Can we reason about the possible existence of attacks that haven’t been discovered? ◦ Designing a public-key cryptosystem is “harder”

than designing a block cipher or a hash function

◦ Want to avoid unpleasant surprises!

(e.g., new discoveries that lead to poly-time attacks)

Goal: rule out the existence of attacks

Method: relate the security of a cryptosystem to another problem that we understand better ◦ Factoring, discrete logs ◦ Finding short lattice vectors ◦ Solving multivariate systems of equations

Perspective from complexity theory: ◦ Public-key cryptography requires very hard problems

Average-case instances must be hard

Need to generate hard instances efficiently

Need trapdoor one-way functions

Conjecture: “Problem Π is hard” ◦ Do we believe this conjecture?

E.g, lattice-based crypto: general lattices seem hard, b/c of connection with integer programming; situation for ideal lattices is less clear

Theorem: “If you can break cryptosystem C, you can solve problem Π” ◦ How strong is the connection between C and Π?

E.g., lattice-based crypto: very strong connection (“worst-case to average-case reduction”)

Have to define “security” ◦ Different notions: CPA < CCA < UC ◦ May not fully describe the real world (e.g., side channels)

Additional assumptions are often needed, to prove security for practical cryptosystems ◦ Assume ideal lattices are hard ◦ Work in random oracle model

Use the security proof to choose key sizes? ◦ Security proof gives a lower bound on security ◦ Bound can be very loose => not useful in practice

On the positive side…

Security proofs help to constrain the space of possible attacks ◦ Argue that polynomial-time attacks are unlikely…

(would require surprising discoveries)

Some specific attacks one might worry about ◦ Differential attacks in multivariate crypto

◦ Shor’s algorithm, hidden subgroup problems

◦ Grover’s search algorithm

Can prove limits on the power of these attacks!

Differential attacks in multivariate crypto ◦ Find and classify all “differential invariants” ◦ Can rule out all possible differential attacks!

(Perlner & Smith, 2013)

Quantum algorithms for hidden subgroup problems ◦ Generalizations of Shor’s algorithm to other groups ◦ Unlikely to get a poly-time quantum algorithm for the

symmetric group (Moore & Russell)

Lower bounds on quantum query complexity ◦ For black-box problems, e.g., search and collision finding ◦ Known quantum algorithms are nearly optimal ◦ Rules out the possibility of a super-polynomial quantum

speedup

Different approaches to evaluating security ◦ Estimating the performance of known attacks

◦ Using security proofs and formal analysis to rule out the existence of unknown attacks

Open questions ◦ Many cryptosystems use lattices/codes/equations

with special structure; how does this affect security?

◦ How to measure the complexity of a quantum attack?

◦ How well do these cryptosystems perform with other protocols in the real world?