The year in post-quantum crypto

djb and Tanja Lange

70 min

70 min 2018-12-28

2018-12-28 2018-12-29

2018-12-29 4943

4943 Fahrplan

Playlists: '35c3' videos starting here

The world is finally catching on to the urgency

of deploying post-quantum cryptography:

cryptography designed to survive attacks by quantum computers.

NIST's post-quantum competition is in full swing,

and network protocols are exploring post-quantum extensions.

This talk will take the audience on a journey

through selected recent highlights

from the post-quantum world.

Post-quantum cryptography has become one of the most active

areas in cryptography,

trying to address important questions from potential users.

Is post-quantum cryptography secure?

In the first ten months of this year

we have seen several serious breaks

of submissions to the NIST competition.

At this point, out of the original 69 submissions,

13 are broken and 8 are partially broken.

Are the remaining 48 submissions all secure?

Or is this competition a denial-of-service attack

against the cryptanalysis community?

NIST will select fewer candidates for the 2nd round,

but it is not clear whether there is an adequate basis

for judging security.

Does post-quantum cryptography provide

the functionality we expect from cryptography?

For example,

the original Diffie-Hellman system

provides not just encryption

but also more advanced features

such as non-interactive key exchange

(not provided by any NIST submissions)

and blinding.

The era of post-NIST post-quantum cryptography has begun

with the exciting new CSIDH proposal,

which has non-interactive key exchange

and is smaller than any NIST submission,

but uses more CPU time and needs much more study.

Is post-quantum cryptography small enough?

Even for network protocols that rely purely on encryption,

integration remains a major problem

because of the bandwidth requirements of most post-quantum systems,

especially the post-quantum systems

with the strongest security track records.

Experiments with integration of post-quantum cryptography into TLS

have focused on encryption without post-quantum authentication.

A new generation of network protocols

has been designed from the ground up for full post-quantum security.

Is post-quantum cryptographic software fast enough,

and is it safe to use?

Adding post-quantum cryptography

to the cryptographic software ecosystem

has produced a giant step backwards in software quality.

Major areas of current activity include

software speedups,

benchmarking,

bug fixes,

formal verification,

patent avoidance, and

development of post-quantum software libraries

such as Open Quantum Safe and libpqcrypto.

The talk will be given as a joint presentation

by Daniel J. Bernstein and Tanja Lange.

Download

Related

Embed Share:







Tags