The history of cryptography standards is reviewed, with a view to planning for the challenges, uncertainties,
and strategies that the standardization of postquantum cryptography will entail.
1540-7993/17/$33.00 © 2017 IEEE Copublished by the IEEE Computer and Reliability Societies July/August 2017 51
POSTQUANTUM CRYPTOGRAPHY, PART 1
Will plugging postquantum cryptography (PQC) into existing applications be as easy as replacing a light bulb?

It also enables digital signatures for public authentication and authorization.

As the 1990s began, revolutionary advances in computing technology and digital communications provided commercial opportunities for public-key cryptography deployment. RSA Laboratories developed and published the first de facto standards: the Public-Key Cryptography Standards (PKCS) series [5]. In particular, PKCS#1 provides the basic definitions of and recommendations for implementing RSA public-key cryptosystems. In 1994, IEEE approved the P1363 project to develop a public-key cryptography standard. Around the same time, X9, a standards organization for financial services, established working group X9F1 to develop public-key cryptography standards. The standards developed by IEEE P1363 and X9F1 focus on general-use algorithm specifications. The Internet Engineering Task Force (IETF) was probably the first organization to standardize public-key cryptography for real applications, that is, Internet protocols. Internet Key Exchange (IKE) [6] and TLS [7] are two protocols in which public-key cryptography is used for mutual authentication and key establishment.

In standardization’s early days, the goal was to make use of public-key cryptography in the emerging network for communication and commerce. Security notions and proofs weren’t as well developed as they are today. The ideas underlying the RSA and Diffie-Hellman schemes can be explained to people with a high school mathematics background. The relationship between the hardness of integer factorization and RSA, and between the hardness of the discrete logarithm problem (DLP) and Diffie-Hellman, are intuitive enough to be widely understood.

Early research focused on the computing complexity of factorization and discrete logarithm computation. Theory focused on reduction proofs and the existence of (trapdoor) one-way functions, pseudorandom functions, and so on.

At that time, many details about securely implementing public-key cryptography weren’t understood. For example, PKCS#1’s padding scheme has several versions, with some of the padding methods having security flaws. That is, the hardness of factorization can’t guarantee the security of the RSA scheme in practice unless every detail is handled properly. RSA Optimal Asymmetric Encryption Padding (RSA-OAEP) was proposed as a provably secure method for RSA encryption at the 1994 Workshop on the Theory and Application of Cryptographic Techniques [8]. RSA-OAEP introduced not only a new way to randomize plaintext messages to hide every bit of the plaintext but also the concept of nonmalleable security against adaptively chosen ciphertext attacks (NM-CCA2, also known as IND-CCA2) under the random oracle model.

In the past two decades, more security notions have been established and used to prove security for a given cryptosystem. The rich theory of provable security provides confidence in new cryptography systems. However, determining how much to weigh provable security when selecting algorithms for standardization remains a challenge. For a given cryptographic scheme, should we adopt a provably secure but less efficient version—or the version that seems secure but doesn’t have a security proof? As security theories advance, this decision might become harder.

We must also remember that efficiency in any particular computing environment has historically been a critical factor for adoption. In other words, a small advantage in performance might differentiate one algorithm from another. For example, being able to select small public-key sizes to speed up encryption and signature verification for RSA algorithms was considered a remarkable advantage. In the 1990s, great effort was made to improve performance. Open source implementations weren’t available.

On the other hand, attackers were also limited by computing capacity. For IKE, Oakley Group 1 used a prime modulus of less than 800 bits in the Diffie-Hellman key agreement, which is very weak considering today’s discrete logarithm algorithms and computing power. Equally small integers were also used for RSA as moduli.

Today, computing power has increased tremendously. Although efficiency remains important, for many of today’s implementation platforms, resource demands for implementing cryptography aren’t major showstoppers. Furthermore, recently proposed PQC algorithms—such as lattice-based, coding-based, and multivariate cryptosystems—appear efficient enough to be plugged in to environments in which public-key cryptography is now implemented. Therefore, processing efficiency might not be the major competing factor differentiating algorithms. But for very constrained devices and bandwidth-limited networks, key size, signature size, and ciphertext expansion might become barriers for applications.
www.computer.org/security 53
As we move toward PQC standardization, the first step will be to understand and work with the uncertainties.

Nevertheless, all of these uncertainties urge us to start, because they’ll take time to understand and resolve. It’s going to be a long journey.

Postquantum Cryptography Drop-In Replacements

Today, public-key cryptography is used everywhere. Introducing quantum-resistant counterparts involves a transition stage. Finding PQC algorithms that can be used as drop-in replacements will make the transition less disruptive. The question is, can we find them?

As I discussed, processing complexity might not be a barrier anymore, because most emerging PQC algorithms are pretty efficient in terms of processing time. However, we must prepare to deal with new challenges. One example is stateful hash-based signatures [13]. Hash-based signatures were first introduced in the 1970s in the Lamport one-time signature scheme. A major disadvantage of Lamport one-time signatures is their large public and private keys. To sign a message M with h(M) ∈ {0, 1}^k, 2k hash values have to be saved. In 1979, Ralph Merkle proposed using a hash tree to reduce the public-key size [14]. Stateful hash-based signatures are essentially Merkle signatures. Compared to other PQC categories, the security of hash-based signatures is better understood. However, each private key can be used only once. Thus, the task of managing private keys, also called state management, becomes a major challenge for large-scale applications of hash-based signatures.

To overcome this state management challenge, stateless hash-based signatures were introduced [15]. However, these have a much larger signature size. For bandwidth-limited applications, signature transmission might require segmenting the data into multiple messages in the existing protocols. Some postquantum signature schemes, such as the family of schemes based on multivariate cryptography (for example, Quartz [16], Rainbow [17], and their variants), offer signature sizes compatible with standardized signature schemes such as the Elliptic Curve Digital Signature Algorithm (ECDSA). But the public- and private-key sizes can be hundreds of times larger. As a result, a given quantum-resistant signature scheme could work as a replacement in one application but not in another—there’s no one-for-all drop-in replacement.

The Diffie-Hellman key agreement is a beautiful public-key cryptography scheme for many reasons. When ephemeral keys are used, it provides perfect forward secrecy—meaning the compromise of long-term keys doesn’t compromise past session keys. This has become a very desirable property. As specified by IETF, in TLS version 1.2 and earlier versions, three key establishment schemes have been supported: RSA key transport, Static and Ephemeral Diffie-Hellman, and Ephemeral-Ephemeral Diffie-Hellman. In the newest version, TLS 1.3, Ephemeral-Ephemeral Diffie-Hellman is the only supported key establishment scheme.

A Diffie-Hellman quantum-resistant counterpart tops the wish list, and researchers are pursuing this direction. Oded Regev’s learning with errors (LWE) problem has turned out to be a promising basis for constructing Diffie-Hellman-like key agreement schemes [18]. Jintai Ding and his colleagues built the first such scheme in 2012 [19]. Currently, more than one Diffie-Hellman-like quantum-resistant key establishment scheme has been proposed and even prototyped. Although their properties differ, they’re generally very close to the Diffie-Hellman key agreement.

One of these schemes is named New Hope [20]. And the proposed scheme is indeed as the name claims: a new hope for a drop-in Diffie-Hellman replacement. Performance is quite reasonable. The difference is that the operations aren’t symmetric for the two parties. Not only do the operations differ, but the responder needs to generate a message based on the initiator’s public value. The scheme could possibly fail even if both parties correctly select random values and conduct operations. This might not be a major concern for key establishment, but it can hardly be considered a drop-in replacement for Diffie-Hellman.

Another “new hope” for key agreement is a family of recently proposed schemes based on isogenies between elliptic curves. The hardness of finding isogenies between supersingular elliptic curves was first introduced as the basis for cryptosystems more than 10 years ago by Denis Charles and his colleagues [21]. One version is called Supersingular Isogeny Diffie-Hellman (SIDH) to emphasize the resemblance to Diffie-Hellman key agreement. Operationally, it’s more symmetric for the two parties. For those looking for drop-in replacements, SIDH looks much closer to Diffie-Hellman key agreement than other postquantum key agreement schemes. Performance-wise, it’s significantly slower and more costly than Elliptic Curve Diffie-Hellman (ECDH) [22]. However, if performance cost is an issue for some
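An added toy of the Diffie-Hellman-like lattice key agreement discussed above (not New Hope's or the article's code): an LWE-style exchange with Peikert-style one-bit reconciliation, showing that the responder must receive the initiator's public value before it can produce its hint and key, and that with oversized noise the two parties can end up with different keys even though both followed the protocol. The modulus, dimension and noise bounds are toy values chosen for illustration, not secure parameters.

```python
"""Toy LWE-style key agreement with one-bit reconciliation (added example)."""
import secrets

Q = 4096   # even modulus so the reconciliation below is exact (toy size)
N = 64     # dimension (toy; deployed schemes use hundreds to thousands)


def small_vec(bound):
    """Uniform 'small' secret/error vector with entries in [-bound, bound]."""
    return [secrets.randbelow(2 * bound + 1) - bound for _ in range(N)]


def mat_vec(A, s, transpose=False):
    """A*s or A^T*s mod Q."""
    if transpose:
        return [sum(A[j][i] * s[j] for j in range(N)) % Q for i in range(N)]
    return [sum(A[i][j] * s[j] for j in range(N)) % Q for i in range(N)]


def dot(u, v):
    return sum(a * b for a, b in zip(u, v)) % Q


def cross_round(v):
    """Reconciliation hint <v>_2 = floor(4v/Q) mod 2."""
    return (4 * v // Q) % 2


def mod_round(v):
    """Key bit [v]_2 = floor(2v/Q + 1/2) mod 2."""
    return ((4 * v + Q) // (2 * Q)) % 2


def rec(w, b):
    """Recover [v]_2 from w and hint b; correct whenever |w - v| < Q/8."""
    lo = -Q // 8 if b == 0 else 5 * Q // 8   # start of the interval I_b + E
    return 0 if (w - lo) % Q < Q // 2 else 1


def agree(bound):
    """One protocol run: returns (initiator key bit, responder key bit)."""
    A = [[secrets.randbelow(Q) for _ in range(N)] for _ in range(N)]  # public
    s_a, e_a = small_vec(bound), small_vec(bound)                     # initiator
    p_a = [(x + e) % Q for x, e in zip(mat_vec(A, s_a), e_a)]         # sent to B
    s_b, e_b = small_vec(bound), small_vec(bound)                     # responder
    p_b = [(x + e) % Q for x, e in zip(mat_vec(A, s_b, True), e_b)]   # sent to A
    v_b = dot(p_a, s_b)                 # responder needs p_a before it can ...
    hint, key_b = cross_round(v_b), mod_round(v_b)   # ... derive hint and key
    v_a = dot(p_b, s_a)                 # both hold s_b^T A s_a plus small noise
    return rec(v_a, hint), key_b


def failure_rate(bound, trials):
    """Fraction of honest runs in which the two parties disagree on the key."""
    return sum(a != b for a, b in (agree(bound) for _ in range(trials))) / trials
```

With bound 1 the noise difference is at most 2N = 128 < Q/8, so agreement is guaranteed; with bound 16 the noise regularly exceeds Q/8 and the two honest parties disagree in a sizable fraction of runs.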