Scribd Logo
Upload

Welcome to Scribd!

  • 57 views

    Dustin Moody Post Quantum Cryptography Team National Institute of Standards and Technology (NIST)

    Uploaded by

    lalou4
    The document discusses NIST's efforts to develop post-quantum cryptography standards before quantum computers are powerful enough to break current cryptography. NIST is calling for algorithm submissions and plans to analyze candidates over 3-5 years before standardizing one or more in 5-7 years. The timeline seeks to transition cryptography before quantum computers can crack current standards, but more research is still needed to determine ideal security levels and evaluate candidates. NIST welcomes public input to help guide the process.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd

    Dustin Moody Post Quantum Cryptography Team National Institute of Standards and Technology (NIST)

    Uploaded by

    lalou4
    57 views16 pages
    The document discusses NIST's efforts to develop post-quantum cryptography standards before quantum computers are powerful enough to break current cryptography. NIST is calling for algorithm submissions and plans to analyze candidates over 3-5 years before standardizing one or more in 5-7 years. The timeline seeks to transition cryptography before quantum computers can crack current standards, but more research is still needed to determine ideal security levels and evaluate candidates. NIST welcomes public input to help guide the process.

    Original Description:

    Post Quantum Cryptography - NIST's Plan for the Future

    Original Title

    pqcrypto-2016-presentation

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    The document discusses NIST's efforts to develop post-quantum cryptography standards before quantum computers are powerful enough to break current cryptography. NIST is calling for algorithm submissions and plans to analyze candidates over 3-5 years before standardizing one or more in 5-7 years. The timeline seeks to transition cryptography before quantum computers can crack current standards, but more research is still needed to determine ideal security levels and evaluate candidates. NIST welcomes public input to help guide the process.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    57 views16 pages

    Dustin Moody Post Quantum Cryptography Team National Institute of Standards and Technology (NIST)

    Uploaded by

    lalou4
    The document discusses NIST's efforts to develop post-quantum cryptography standards before quantum computers are powerful enough to break current cryptography. NIST is calling for algorithm submissions and plans to analyze candidates over 3-5 years before standardizing one or more in 5-7 years. The timeline seeks to transition cryptography before quantum computers can crack current standards, but more research is still needed to determine ideal security levels and evaluate candidates. NIST welcomes public input to help guide the process.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    of 16

    Dustin Moody

    Post Quantum Cryptography Team


    National Institute of Standards and Technology (NIST)
     When will a quantum computer be built that breaks current crypto?
    ◦ 15 years, $1 billion USD, nuclear power plant (to break RSA-2048)
    (PQCrypto 2014, Matteo Mariantoni)

     Impact:
    ◦ Public key crypto: FIPS 186-4, SP 800-56A/56B

     RSA
     Elliptic Curve Cryptography (ECDSA)
     Finite Field Cryptography (DSA)
     Diffie-Hellman key exchange

    ◦ Symmetric key crypto: FIPS 197, SP 800-57

     AES
     Triple DES

    ◦ Hash functions: FIPS 180-4, FIPS 202

     SHA-1, SHA-2 and SHA-3


     When will a quantum computer be built?
    ◦ 15 years, $1 billion USD, nuclear power plant
    (PQCrypto 2014, Matteo Mariantoni)

     Impact:
    ◦ Public key crypto:
     RSA
     Elliptic Curve Cryptography (ECDSA)
     Finite Field Cryptography (DSA)
     Diffie-Hellman key exchange

    ◦ Symmetric key crypto:


     AES Need larger keys
     Triple DES Need larger keys

    ◦ Hash functions:
     SHA-1, SHA-2 and SHA-3 Use longer output
     How long does encryption need to be secure (x years)
     How long to re-tool existing infrastructure with quantum safe
    solution (y years)
     How long until large-scale quantum computer is built (z years)

    Theorem (Mosca): If x + y > z, then worry


    What do we do here??

    y x
    z
    secret keys revealed

    time

     NSA is transitioning in the “not too distant” future <https://www.iad.gov/iad/programs/iad-initiatives/cnsa-suite.cfm>


     European PQCrypto project
     ETSI work
     IETF – hash-based signature RFC’s
     NIST report - <http://csrc.nist.gov/publications/drafts/nistir-8105/nistir_8105_draft.pdf>
     NIST is calling for quantum-resistant cryptographic
    algorithms for new public-key crypto standards
    ◦ Digital signatures
    ◦ Encryption/key-establishment

     We see our role as managing a process of achieving


    community consensus in a transparent and timely manner

     We do not expect to “pick a winner”


    ◦ Ideally, several algorithms will emerge as ‘good choices’

     We may pick one (or more) for standardization


    ◦ Only algorithms publicly submitted considered
     Fall 2016 – formal Call For Proposals
     Nov 2017 – Deadline for submissions
     3-5 years – Analysis phase
    ◦ NIST will report its findings
     2 years later - Draft standards ready

     Workshops
    ◦ Early 2018 – submitter’s presentations
    ◦ One or two during the analysis phase
     Post-quantum cryptography is more complicated
    than AES or SHA-3
    ◦ No silver bullet - each candidate has some disadvantage
    ◦ Not enough research on quantum algorithms to ensure
    confidence for some schemes

     We do not expect to “pick a winner”


    ◦ Ideally, several algorithms will emerge as ‘good choices’

     We may narrow our focus at some point


    ◦ This does not mean algorithms are “out”

     Requirements/timeline could potentially change


    based on developments in the field
     The formal Call will have detailed submission
    requirements
    ◦ A complete written specification of the algorithms shall be included, consisting of all necessary mathematical
    operations, equations, tables, diagrams, and parameters that are needed to implement the algorithms. The
    document shall include design rationale and an explanation for all the important design decisions that are made.

     Minimal acceptability requirements


    ◦ Publicly disclosed and available with no IPR
    ◦ Implementable in wide range of platforms
    ◦ Provides at least one of: signature, encryption, or key
    exchange
    ◦ Theoretical and empirical evidence providing justification
    for security claims
     Implementation
    ◦ Reference version
    ◦ Optimized version

     Cryptographic API will be provided


    ◦ Can call approved hash functions, block ciphers,
    modes, etc…

     Known Answer and Monte Carlo tests

     Optional – constant time implementation


     Signed statements
    ◦ Submitted algorithm
    ◦ Implementations

     Disclose known patent information

     Available worldwide without royalties or any


    intellectual property restrictions during the
    analysis phase
    ◦ Submitters can reclaim rights by withdrawing
    submission from consideration
     To be detailed in the formal Call
    ◦ Security
    ◦ Cost (computational and memory)
    ◦ Algorithm and implementation characteristics

     Draft criteria will be open for public comment

     We strongly encourage public evaluation and


    publication of results concerning submissions

     NIST will summarize the evaluation results and


    report publicly
     Target security levels
    ◦ 128 bits classical security
    ◦ 64/80/96/128 bits quantum security?

     Correct security definitions?


    ◦ IND-CCA2 for encryption
    ◦ EUF-CMA for signatures
    ◦ CK best for key exchange?

     Quantum/classical algorithm complexity


    ◦ Stability of best known attack complexity
    ◦ Precise security claim against quantum computation
    ◦ Parallelism?
    ◦ Attacks on multiple keys?
    ◦ How many chosen ciphertext queries allowed?

     Security proofs

     Quality and quantity of prior cryptanalysis


     Computational efficiency
    ◦ Hardware and software
     Key generation
     Encryption/Decryption
     Signing/Verification
     Key exchange

     Memory requirements
    ◦ Concrete parameter sets and key sizes for target
    security levels
    ◦ Ciphertext/signature size
     Ease of implementation
    ◦ Tunable parameters
    ◦ Implementable on wide variety of platforms and
    applications
    ◦ Parallelizable
    ◦ Resistance to side-channel attacks

     Ease of use
    ◦ How does it fit in existing protocols (such as TLS or IKE)
    ◦ Misuse resistance

     Simplicity
     How is the timeline? Too fast? Too slow?
    ◦ Do we need an ongoing process, or is one time enough?

     How to determine if a candidate is mature enough for standardization?


    ◦ hash-based signatures for code signing

     Should we just focus on encryption and signatures, or should we also


    consider other functionalities?

     How many "bits of security" do we need against quantum attacks?

     How can we encourage more work on quantum cryptanalysis? Maybe we


    need "challenge problems"?

     How can we encourage people to study practical impacts on the existing


    protocols?
    ◦ For example, key sizes may be too big
     NIST is calling for quantum-resistant algorithms
    ◦ We see our role as managing a process of achieving
    community consensus in a transparent and timely
    manner
    ◦ Different from (but similar to) AES/SHA-3 competitions

     We don’t have all the answers

     Wanted: Postdocs, guest researchers at NIST

     We would like public feedback


    ◦ Email: pqc-comments@nist.gov
    ◦ PQC forum: pqc-forum@nist.gov

    You might also like

    pFad - Phonifier reborn

    Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

    Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


    Alternative Proxies:

    Alternative Proxy

    pFad Proxy

    pFad v3 Proxy

    pFad v4 Proxy