CORDIS - EU research results

Engineering post-quantum cryptography

Periodic Reporting for period 4 - EPOQUE (Engineering post-quantum cryptography)

Reporting period: 2023-04-01 to 2023-12-31

Our increasingly digital modern society is critically dependent on the protection of digital assets. Such assets include not only private information stored on and transmitted between computers, smartphones, and wearables, but also the control over critical infrastructure, cars, airplanes, and a variety of small devices forming the Internet of Things (IoT). Essentially all mechanisms to protect these digital assets rely on cryptography. Most of the cryptographic protocols that we use every day, for example for secure Internet communication, secure payment, or secure software updates, rely on only five cryptographic building blocks: symmetric encryption, message-authentication codes, hash functions, key-agreement mechanisms, and digital signatures.

For each of those building blocks there exist algorithms that are trusted to withstand attacks even by well-funded attackers with serious computation power. However, this statement is only true if the attacker is restricted to using classical computers. Already in 1994, Shor showed that a hypothetical large universal quantum computer can efficiently solve two problems that are considered hard for classical computers: factoring large integers and computing so-called discrete logarithms. As it turns out, all key-agreement algorithms and signature algorithms in use today are based on one of those two problems. This means that if and when a large quantum computer is built, all currently deployed key-agreement and signature algorithms will no longer offer any protection.

Luckily, the dawn of large quantum computers does not mean the end of cryptography. There exist proposals for key agreement and signatures that, as far as we know, resist attacks also by large quantum computers: so-called "post-quantum" schemes.
In order to focus efforts and eventually standardize post-quantum key-agreement and signature schemes, the US National Institute of Standards and Technology (NIST) issued a public call for proposals for such schemes in 2016. As a first major result, in 2022 this NIST effort selected four schemes for standardization. Three of these schemes are co-designed by the PI of this project, including the only selected key-agreement algorithm, for which he is the primary submitter to the NIST standardization project.

Research within EPOQUE tackled engineering challenges of post-quantum cryptography following two main themes.
The first theme is research into efficient and secure implementations of post-quantum schemes. This includes optimization for speed on various platforms, for code size, and for RAM usage. Furthermore, we studied various aspects relating to so-called side-channel attacks and countermeasures. Side-channel attacks use information such as the timing or power consumption of cryptographic devices to obtain secret information.
The second theme is protocol integration. We examined how different real-world cryptographic protocols can accommodate the drastically different performance characteristics of post-quantum cryptography, explored which algorithms best suit the requirements of common usage scenarios of these protocols, and investigated whether changes to the high-level protocol layer are advisable to improve overall system performance.
Within the first research theme -- secure implementations of post-quantum schemes -- one large focus of our work has been on implementation techniques for embedded microcontrollers, in particular the ARM Cortex-M4, which NIST declared a reference platform. We have published multiple papers presenting new speed records, but also techniques to reduce memory usage, which on embedded platforms is often more critical than speed.
As part of the project we maintained a framework called pqm4, which collects, tests, and benchmarks post-quantum crypto software targeting the ARM Cortex-M4. Another large focus was on side-channel attacks, and this work was heavily influenced by independent research published during the course of the project. Specifically, the presentation of the "Spectre" class of attacks in 2018 challenged very common assumptions about timing-attack countermeasures.
A major result of EPOQUE is a principled approach to protecting cryptographic software, including implementations of the new post-quantum schemes, against Spectre attacks without incurring a massive overhead.

Within the second research theme -- post-quantum protocol integration -- one large focus so far has been on research into an alternative handshake for TLS, the protocol that underlies all secured web communication. We call this proposal KEMTLS, and it is an example of what it means to re-think protocols with the performance characteristics of post-quantum schemes in mind. Following the initial proposal of KEMTLS, we continued to investigate how to improve performance further in many common scenarios. The other large focus topic of our work has been the Noise framework for authenticated key exchange. We proposed a post-quantum version of the WireGuard VPN; the original version of WireGuard uses a handshake derived from Noise, and we used this concrete example as a first step towards a more general investigation into post-quantum Noise.
While the project has formally ended, there are some more results that will appear in the near future, which are based on research carried out during the course of EPOQUE. This includes work on post-quantum cryptography for the OpenTitan hardware root of trust and additional results on formally verified post-quantum crypto software.
Figure: Proof structure of the high-assurance Kyber implementation