getting ready for the post-quantum transition...dec 09, 2020 · predictions: “cascades” and...

Getting Ready for the Post-Quantum Transition

2000 2002 2004 2006 2008 2010 2012 2014 2016 2018

Relative Algorithm Strength Over TimeMD5 SHA1 RSA 1024->2048 RSA->ECC PQC

1st better-than-brute-force attack on SHA-1

1st MD5 collision

1st SHA-1 collision

MSR PQC project starts

NSA revises Suite B & says PQC coming

Crypto SDL bans RSA

Quantum is coming

Contemporary CryptographyTLS-ECDHE-RSA-AES128-GCM-SHA256

Applied Crypto Symposium 4

Difficulty of factoringDifficulty of elliptic

curve discrete logarithms

Can be solved efficiently by a large-scale quantum computer

(Shor’s Algorithm 1994)

RSA signaturesElliptic curve

Diffie–Hellmankey exchange

AES SHA-2

Impacted by quantum computing but we can mitigate by increasing key sizes

(Grover’s Algorithm 1996)

9-December-2020

Resource Estimates for Shor’s Algorithm

Applied Crypto Symposium 5

Source: Quantum Resource Estimates for Computing Elliptic Curve Discrete Logarithms, Roeteller et al., Asiacrypt 2017.

9-December-2020

31-JAN-2019 DigiCert Security Summit 6

Hypothetical 15-Year View for PQ Crypto~ 2030

Quantum Computer Breaks Asymmetric Crypto

(>2400 logical qubits)

Dec 2017 – Dec 2023NIST PQ Standardization Process

WE ARE HERE

JAN 2015 JAN 2016 JAN 2017 JAN 2018 JAN 2019 JAN 2020 JAN 2021 JAN 2022 JAN 2023 JAN 2024 JAN 2025 JAN 2026 JAN 2027 JAN 2028 JAN 2029 Dec 2029

R&D

ROLLOUTS DECOMMISSION

PILOTS

MIGRATION

STANDARDS DISCUSSIONS

NSA Suite B Update

Future Quantum Computers are a Threat Today• Even if a cryptographically-relevant quantum computer is a decade

away…• Record now, exploit later

• Today’s non-PQ encryption will break in the future• What is the security lifetime of the data you and your customers are

transmitting and storing?• Authentication, code-signing, and digital signatures

• If I can break the algorithm and determine the private key, I can impersonate• For example, the Windows Update channel• What happens if an adversary can “update” the firmware on your processor?

• We’re creating more legacy every day

9-December-2020 Applied Crypto Symposium 7

Post-Quantum Cryptography at MicrosoftThree Parallel Workstreams• Algorithms: 4 submissions to the NIST PQC standardization process.

Ongoing work on high-performance implementations and cryptanalysis of our submissions.

• Protocols: Make commonly-used security protocols “PQ-enabled”.• Systems: Integrate PQC into exemplary “high-value/high-risk”

engineering systems and processes.


“Picnic”Post-Quantum

Signatures

“SIKE”Supersingular Isogeny

Key Encipherment

“FrodoKEM”Learning With Errors Key Encipherment

Our NIST Round 3 Candidates

Applied Crypto Symposium 99-December-2020

NIST PQC Round 3• 15 algorithms selected for Round 3

• 7 “Finalists” (4 encryption, 3 digital signature)• 8 “Alternates” (5 encryption, 3 digital signature)

• NIST said they expect to pick at most 2 encryption & 2 signature algorithm Finalists for standardization at the end of Round 3

• But…NIST also announced a likely Round 4 and the likely standardization of at least some of the Alternates at the end of Round 4

• ANALYSIS: We will see at least two waves of PQC algorithm standards from NIST, which makes having cryptographic agility in deployed systems even more important


Predictions: “Cascades” and “Long Tails”• 2025: likely ~2-4 NIST PQ encryption algorithms and ~1-3 NIST PQ signature

algorithms• 2025-2030: standards bodies will begin updating for PQC (having waited for FIPS)

• Expect at least a year per standard, likely longer based on past experience

• Cascade of crypto/protocol standards dependencies will extend transition times• Long tail of security protocols with small implementor communities

• These protocols won’t migrate to PQC as quickly as TLS, SSH, OpenVPN, IPSec, etc., and they will likely be harder to update

• 2030: likely to still be “PQ-messy” in terms of updates to standards


Bringing PQ to Industry Crypto Protocols• The Open Quantum Safe (OQS) project provides a common API for

testing and prototyping with post-quantum crypto algorithms• Multi-org OQS dev team includes University of Waterloo, Microsoft, Amazon,

SRI International• Includes LIBOQS, an open source C library for PQ Crypto algorithms

(with C++/C#/Python wrappers)• This lets us access and test any PQ algorithm in an OQS-enlightened

protocol• To date, we have integrated Frodo/FrodoKEM, SIDH/SIKE, qTESLA, and Picnic

into OQS• https://openquantumsafe.org/


https://openquantumsafe.org/

PQC Protocol Integrations using OQS• We integrated the OQS library into protocols to provide PQC and hybrid

ciphersuites• Hybrid: keep your FIPS or otherwise approved crypto, add PQ protection• For more on hybrid PKI, see Bindel et al. 2017: https://eprint.iacr.org/2017/460.pdf

• OpenSSL, with TLS 1.2 and 1.3 support• https://github.com/open-quantum-safe/openssl

• OpenSSH• https://github.com/open-quantum-safe/openssh-portable

• OpenVPN: For securing links against “record now/exploit later” attacks.• https://github.com/Microsoft/PQCrypto-VPN


https://eprint.iacr.org/2017/460.pdfhttps://github.com/open-quantum-safe/opensslhttps://github.com/open-quantum-safe/openssh-portablehttps://github.com/Microsoft/PQCrypto-VPN


Comprehensive Datacenter DesignFacts and Figures• 12.2m length, 2.8m diameter• Available IT Space: 12 42U racks• Max Power: 454 KW (38 KW/rack)• Est. Power Utilization Effectiveness of 1.03• Payload: 864 Azure servers w/FPGA• Cold Aisle Temperature: 15C

© 2018 Microsoft Corporation. All rights reserved.

30 Days: Factory to Powerup

Site Information• Location: European Marine Energy Centre,

Scotland• Electricity: 100% locally sourced renewable © 2018 Microsoft Corporation. All rights reserved.

Securing the link (>6900km) with a Post-Quantum VPN

Systems: Key Scenarios for Microsoft• Public Key Infrastructure (PKI)

• Both corporate and externally-facing• Code signing for Microsoft products and services

• Authenticode (e.g. Windows DLLs)• UWP (Microsoft Store) applications• XBOX

• Azure Cloud Computing• Key Vault


PQC & Hybrid Certs with an HSM• We added support for the Picnic algorithm to an Utimaco HSM

• Where possible, we replaced functions in MS software with calls to Utimaco firmware: RNG, SHA-3, ASN.1 utilities

• Demonstrated key PKI CA operations:• HSM generates & stores new PQ CA key and issues self-signed cert• HSM generates & stores new PQ EE key, CA issues cert for EE key• CA issues PQ cert for externally-generated CSR for (legacy) RSA public key.• All PQ operations use Picnic keys and signatures

• More recently: working with DigiCert and Utimaco, we demonstrated using an HSM to issue (RSA/ECDSA)-PQ hybrid certificates

• X.509v3 certificates with a new “hybrid” signature OID• Signature blob is concatenation of “classic” and PQ signatures


Upgrading to PQC Means Larger Keys, Ciphertexts, Signatures

NIST Round 3 Candidates -- Public Key & Signature Sizes for L1Signature Algorithm pk (bytes) signature (bytes)CRYSTALS-DILITHIUM (L2) 1312 2420Falcon 897 666Rainbow 157800 66SPHINCS+ 32 7856Picnic 34 13802GeMSS 352190 32

RSA-2048: pk 256 bytes, signatures 256 bytesECC-P256: pk 32 bytes, signatures 64 bytes


Sheet1

SubmissionRound 2Specific ImplementationCategoryKeyPair Median x10^3Keypair Average x10^3Sign Median x10^3Sign Average x10^3Open MedianOpen AverageskpkbytesNIST Category ClaimTrialsFilter

CRYSTALS-DilithiumYESDilithium_mediumLattices227.254244.278910.9111,185.462291,116307,1112,8001,1842,04411001

CRYSTALS-DilithiumYESDilithium_recommendedLattices398.131606.3381,911.4582,753.772465,591558,2813,5041,4722,7012100

CRYSTALS-DilithiumYESDilithium_very_highLattices498.068651.61,587.0412,293.141567,109611,3253,8561,7603,3663100

DualModeMSNODualModeMS128Multivariate2,388,709,250.0412,435,532,588.73312,307,304.22312,468,307.43511,593,12910,893,36918,038,18452832,64013

DRSNODRS128Lattices962,089.3511,001,828.78658,737.20562,867.536477,191,758505,869,98951,2745,094,4338,5501100

DRSNODRS192Lattices1,896,716.7151,910,198.59586,794.47495,622.249796,874,795814,640,08384,0608,410,00111,0203100

DRSNODRS256Lattices3,172,545.1733,208,544.675140,374.162148,424.9471,413,362,3721,419,704,155144,52714,402,02614,4215100

FalconYESfalcon1024Lattices249,896.264300,030.87216,237.74119,884.3641,215,9311,384,5748,1931,7931,3305100

FalconYESfalcon512Lattices82,196.67591,009.2097,359.1908,359.971639,568666,1084,09789769011001

FalconYESfalcon768Lattices151,553.770157,623.02812,729.70313,058.6411,037,6961,117,6246,1451,4411,0773100

GeMSSYESGeMSS128Multivariate111,011.159114,893.9991,580,939.7071,660,770.7521,186,8891,254,87714,208417,408481501

GeMSSYESGeMSS192Multivariate563,794.772567,250.4724,390,176.3084,620,657.460856,573950,11139,4401,304,19288350

GeMSSYESGeMSS256Multivariate1,216,128.6331,245,472.2625,124,161.8205,522,622.7281,932,0812,202,92582,0563,603,792104550

Gravity-SPHINCSNOGravity-SPHINCSHash73,803,301.14473,862,973.254436,308.098446,574.9682,563,7632,710,40665,5683215,728210

GuiNOGui-184Multivariate4,046,082.1374,242,998.5552,535,987.4523,936,040.765234,163252,51714,985422,12245150

GuiNOGui-312Multivariate46,031,660.52846,031,660.528143,796,442.308143,796,442.308724,044724,04441,7551,990,0456331

GuiNOGui-448Multivariate270,756,279.964270,756,279.9642,540,747,361.2312,540,747,361.2312,004,1552,004,15594,7575,903,4058351

HiMQ-3NOHiMQ-3Multivariate155,935.988157,899.562113.12321.443268,050614,73511,489125,400751100

HiMQ-3NOHiMQ-3FMultivariate227,835.453232,452.977140.062162.823225,759527,33016,46497,954671100

LUOVYESluov-48-49-242Multivariate26,815.58127,419.22386,903.96188,046.94849,200,63850,301,626327,5361,74621001



LUOVYESluov-8-117-404Multivariate276,255.962276,912.036140,030.441144,203.73683,789,98484,564,46532100,9895215100



MQDSSYESmqdss-48Multivariate2,579.2342,957.276252,403.091266,840.340185,066,255191,666,288326232,88221001

MQDSSYESmqdss-64Multivariate5,806.4626,680.606742,204.726776,183.461554,688,427571,665,382488867,8004100

pqNTRUsignNOGaussian-1024Lattices240,784.241259,672.814278,349.344349,028.1182,511,6872,955,4942,6042,0652,0655100

pqNTRUsignNOUniform-1024Lattices259,565.725268,329.761156,401.058202,185.3032,533,0222,726,2302,6042,0652,0655100

PicnicYESpicnicl1fsHash78.649700.82514,475.69922,147.1169,130,95316,780,554493334,00411001

PicnicYESpicnicl1urHash65.577162.78413,884.70015,668.4699,914,22811,541,517493353,9331100





pqsigRMNOpqsigrm412Codes18,062,152.61017,797,110.77333,057,982.12830,196,550.274301,873,276298,776,8371,382,118336,80452815

pqsigRMNOpqsigrm612Codes3,607,821.5223,506,673.3624,119,764.0008,275,550.862181,584,216191,346,710334,006501,17652835

pqsigRMNOpqsigrm613Codes42,567,420.69642,549,338.2142,568,032.3922,755,185.1941,157,067,3711,165,262,4022,144,1662,105,3441,04055

qTESLAYESqTesla_128Lattices2,582.8883,223.8651,384.8282,020.404427,116459,6332,1124,1283,10411001

qTESLAYESqTesla_192Lattices5,395.9786,571.7557,449.9729,899.854873,498955,5768,2568,2246,1763100

qTESLAYESqTesla_256Lattices9,302.62612,746.6355,275.8958,143.8691,131,1371,436,9498,2568,2246,1765100

RainbowYESIaMultivariate1,283,151.9401,386,524.568567.948645.747389,154396,633100,209152,09764151

RainbowYESIbMultivariate7,307,095.0447,482,815.8373,109.4244,646.5252,763,1382,733,884114,308163,1857815

RainbowYESIcMultivariate4,838,950.1604,834,305.7701,575.2461,710.9261,369,5341,449,947143,385192,24110415

RainbowYESIIIbMultivariate63,704,193.01364,320,942.5158,867.48211,834.9709,425,16111,860,706409,463564,53511235

RainbowYESIIIcMultivariate46,931,611.44547,631,497.9836,021.5766,129.3985,350,1345,474,488537,781720,79315635

RainbowYESIVaMultivariate10,569,365.73210,424,599.9071,519.8861,634.3441,072,6641,155,030376,141565,4899245

RainbowYESVcMultivariate176,779,219.216176,779,219.21630,892.26330,892.26320,436,46020,436,4601,274,3171,723,68120451

RainbowYESVIaMultivariate41,744,033.52141,744,033.5213,133.7323,133.7322,771,7602,771,760892,0791,351,36111851

RainbowYESVIbMultivariate329,804,733.184329,804,733.18424,203.31424,203.31423,546,25823,546,2581,016,8681,456,22514751

RankSignNORankSign-ICodes232,753.953245,504.16822,401.92123,937.3588,720,3269,113,23123,86410,0801,3771100

RankSignNORankSign-IICodes508,307.602512,379.68638,628.17239,928.81115,445,70315,909,12128,09212,0961,5011100

RankSignNORankSign-IIICodes641,480.391683,557.28551,151.22455,852.46320,701,40622,153,82344,31619,4402,1613100

RankSignNORankSign-IVCodes1,207,547.4991,216,000.23478,615.19779,093.34032,134,18732,380,35664,34028,5602,9295100

Sphincs+YESsphincs-haraka-128fHash20,986.25623,220.290847,479.191872,790.52732,631,66533,947,415643216,976120

Sphincs+YESsphincs-haraka-128sHash680,796.717703,041.42812,661,962.08012,935,242.75813,953,02414,371,63164328,080120

Sphincs+YESsphincs-haraka-192fHash28,644.01332,728.072975,669.218969,961.77048,758,55956,769,096964835,664320

Sphincs+YESsphincs-haraka-192sHash927,856.173966,686.52128,943,879.35330,131,223.65820,364,36422,147,154964817,064320

Sphincs+YESsphincs-haraka-256fHash76,939.55989,035.0342,262,289.3222,268,610.72950,800,20453,017,7471286449,216520

Sphincs+YESsphincs-haraka-256sHash1,243,668.2581,270,883.41119,361,324.96619,434,047.16128,862,52329,485,2051286429,792520

Sphincs+YESsphincs-sha256-128fHash7,170.3458,061.416238,582.187260,218.6189,951,24110,923,659643216,976120

Sphincs+YESsphincs-sha256-128sHash488,585.878438,280.8977,438,906.4166,427,781.9314,223,2937,134,38064328,0801201

Sphincs+YESsphincs-sha256-192fHash13,816.54814,164.328392,744.928428,532.20120,734,02122,351,224964835,664320


Sphincs+YESsphincs-sha256-256fHash56,223.74558,751.1561,393,641.1641,389,343.73331,570,38334,900,6061286449,216520


Sphincs+YESsphincs-shake256-128fHash15,317.08317,198.282492,096.807519,930.42722,618,27125,122,811643216,976120

Sphincs+YESsphincs-shake256-128sHash505,434.390513,876.9966,977,287.9737,023,176.1999,466,8349,742,29764328,080120

Sphincs+YESsphincs-shake256-192fHash20,775.91124,905.011604,780.961633,229.99130,560,93132,551,936964835,664320


Sphincs+YESsphincs-shake256-256fHash62,744.55363,680.2001,450,205.9581,451,433.53333,607,61234,389,2631286449,216520


WalnutDSANOwalnut128-bklBraids1,782.8142,086.564126,822.981137,691.86392,69996,962136831,1001100

WalnutDSANOwalnut256-bklBraids4,149.4454,456.087454,977.624472,468.875179,665197,2432911281,8005100

WalnutDSANOwalnut128-stochasticrewriteBraids1,905.9022,271.19945,760.33751,244.84295,682101,529136831,2001100

WalnutDSANOwalnut256-stochasticrewriteBraids4,164.2574,519.863127,413.278134,509.781181,122194,9162911282,1005100

WalnutDSANOwalnut128-stochasticrewritenodehornoyBraids1,935.0442,574.82443,111.04348,246.052133,359147,948136832,0001100

WalnutDSANOwalnut256-stochasticrewritenodehornoyBraids4,532.9414,836.298125,289.337130,993.063287,763311,1162911283,4005100

WalnutDSANOwalnut128-refBraids1,135.3801,225.0462,039,841.3502,071,390.234166,520175,770136831,1001100

WalnutDSANOwalnut256-refBraids1,162.8701,255.0202,026,491.1432,084,771.866168,897193,6372911281,8005100

Sheet2

Signature Algorithmpk (bytes)pk (base64)signature (bytes)signature (base64)

CRYSTALS-DILITHIUM (L2)1312175024203227

Falcon8971196666888

Rainbow1578002104006688

SPHINCS+3243785610475

Picnic34461380218403

GeMSS3521904695873243

Looking Forward…


Past Algorithm Transitions Have Taken YearsPQC Will Be No Different• ECC (starting in 2005) is the closest model to the PQC transition• Adding base level of ECC support to Windows took 4.5 years

• Three releases (Vista, Vista SP1, Win7) from NSA’s Suite B announcement• 15 years later, parts of the ecosystem still working on ECC parity• Transitioning to a new algorithm takes more time, is more complicated, and

impacts more functions and features than you expect• Long-term support requirements slow algorithm decommissioning• Start planning your migration now

• Draft NCCoE white paper: Getting Ready for Post-Quantum Cryptography• CRA Quad Paper: Post Quantum Cryptography: Readiness Challenges and the

Approaching Storm


https://doi.org/10.6028/NIST.CSWP.05262020-drafthttps://cra.org/ccc/wp-content/uploads/sites/2/2020/10/Post-Quantum-Cryptography_-Readiness-Challenges-and-the-Approaching-Storm-1.pdf

Summary – Preparing for a PQ future• Quantum computers are coming – maybe not for a decade or more, but within the

protection lifetime of data we are generating and encrypting today• We need to start planning the transition to post-quantum cryptographic algorithms now.

• To prepare for the PQ transition, all our systems need cryptographic agility• Hybrid solutions combining classical and post-quantum primitives look promising; they provide both

traditional cryptographic guarantees as well as some PQ resistance

• Practical engineering options exist today for deploying PQ• But it is going to take a long time to update our software stacks…

• We may already be late to transition• Some of our customers have data with a protection lifespan of 15-20 years or more.• IoT and critical infrastructure have devices that won’t be updated for 15+ years.


PQ Open Source ReleasesLibraries:• https://github.com/Microsoft/PQCrypto-LWEKE• https://github.com/Microsoft/PQCrypto-SIKE

• https://github.com/microsoft/qTESLA-Library• https://github.com/Microsoft/Picnic

Protocol Integrations:• https://openquantumsafe.org/• https://github.com/open-quantum-safe/openssl

• https://github.com/open-quantum-safe/openssh-portable• https://github.com/Microsoft/PQCrypto-VPN

PQ-VPN to Project Natick:• https://www.microsoft.com/en-us/research/project/post-quantum-crypto-tunnel-to-the-underwater-datacenter/

Overall project site:• https://www.microsoft.com/en-us/research/project/post-quantum-cryptography/


https://github.com/Microsoft/PQCrypto-LWEKEhttps://github.com/Microsoft/PQCrypto-SIKEhttps://github.com/microsoft/qTESLA-Libraryhttps://github.com/Microsoft/Picnichttps://openquantumsafe.org/https://github.com/open-quantum-safe/opensslhttps://github.com/open-quantum-safe/openssh-portablehttps://github.com/Microsoft/PQCrypto-VPNhttps://www.microsoft.com/en-us/research/project/post-quantum-crypto-tunnel-to-the-underwater-datacenter/https://www.microsoft.com/en-us/research/project/post-quantum-cryptography/

Questions?


Getting Ready for the �Post-Quantum TransitionSlide Number 2Slide Number 3Contemporary Cryptography�TLS-ECDHE-RSA-AES128-GCM-SHA256Resource Estimates for Shor’s AlgorithmHypothetical 15-Year View for PQ CryptoFuture Quantum Computers are a Threat TodayPost-Quantum Cryptography at Microsoft�Three Parallel WorkstreamsOur NIST Round 3 CandidatesNIST PQC Round 3Predictions: “Cascades” and “Long Tails”Bringing PQ to Industry Crypto ProtocolsPQC Protocol Integrations using OQSComprehensive Datacenter Design 30 Days: Factory to PowerupSlide Number 16Slide Number 17Slide Number 18Slide Number 19Systems: Key Scenarios for MicrosoftPQC & Hybrid Certs with an HSMUpgrading to PQC Means Larger �Keys, Ciphertexts, SignaturesLooking Forward…Past Algorithm Transitions Have Taken Years�PQC Will Be No DifferentSummary – Preparing for a PQ futurePQ Open Source ReleasesQuestions?

getting ready for the post-quantum transition...dec 09, 2020 · predictions: “cascades” and...

Documents