CTF Player, NSUCrypto winner
Hardware Engineer
Code Reverser, Crypto Engineer
Highly proficient Hardware Architecture: ARM, Intel
Enjoy writing high performance SIMD code
Enjoy watching people trial by combat
- As you may know, a qubit's two states |1> and |0> exist at the same time (superposition).
- For short, 10 classical bits are approximately equivalent to 5 qubits.
- On a larger scale: 64 qubits are equivalent to 128 classical bits.
An effect on a single qubit can propagate through the entire array (entanglement).
A quantum computer can solve in polynomial time:
=> RSA is dead
=> DSA, Elgamal are dead
=> ECC is dead
Both can be solved in polynomial time on a quantum computer.
AES-128 provides only 64 bits of security against a quantum computer; likewise, AES-192 provides only 96 bits of quantum security.
SHA-0 and SHA-1 are dead; SHA-2 suffers from length-extension attacks due to its Merkle–Damgård structure; SHA3-224 is insecure in the quantum era.
SHA3-256, SHA3-384 and SHA3-512 (published in 2015) are not widely deployed yet.
AES-128 and AES-192 need to be invalidated in the government sector. Move to AES-256 and deploy SHA-3 as soon as possible.
IBM quantum scientists are building a quantum computer with a 1,121-qubit processor, called Condor, inside a large dilution "super-fridge".
Condor lays the groundwork for scaling to fully error-corrected, interconnected, 1-million-plus-qubit quantum computers.
In 2021, IBM will debut the 127-qubit "Eagle" chip.
Eagle will be followed by the 433-qubit "Osprey" processor in 2022.
These advances are necessary to establish a quantum industry: fabrication, cryogenics, electronics, software capabilities, and error-correction coding.
NOTE: KEM is Key Encapsulation Mechanism.
Security relies on the Shortest/Closest Vector Problem.
Security relies on syndrome decoding.
Only suitable for KEM.
Security relies on solving systems of multivariate equations.
No multivariate submission in the KEM category.
Rainbow
Only suitable for signatures.
Security relies on pseudo-random walks in supersingular isogeny graphs.
Its only advantage is the small public key size.
Horribly slow.
Unacceptable speed on IoT devices, e.g. Cortex-M4.
Security relies on hash security.
SPHINCS+
Its only advantage is reusing the native hash instruction set of modern CPUs.
Horribly slow.
Vulnerable to side-channel attacks; signatures can be forged at very small computational cost.
Public key + ciphertext size:
Lattice: 1138 bytes
Isogeny: 676 bytes
The overall Internet speed is getting faster.
Key size versus computing speed is like Internet speed versus Moore's Law.
You know which one is growing faster... :)
Constraints on embedded devices:
- Stack size: the key may not fit in RAM.
- Speed: too slow due to complicated algorithms.
- Energy: power consumption is a big concern.
- Key size: bandwidth is limited.
Level 1

Scheme | Sign | Verify
---|---|---
dilithium2 | 1184 | 2044
falcon512 | 897 | 617
SIKEp434 | 330 | 346

Level 3

Scheme | Sign | Verify
---|---|---
dilithium4 | 1760 | 3366
falcon1024 | 1793 | 1233
SIKEp751 | 564 | 596
Level 1

Scheme | Public key | Ciphertext
---|---|---
LightSaber | 672 | 736
Kyber512 | 800 | 736

Level 3

Scheme | Public key | Ciphertext
---|---|---
Saber | 992 | 1088
Kyber768 | 1184 | 1088

Level 5

Scheme | Public key | Ciphertext
---|---|---
FireSaber | 1312 | 1472
Kyber1024 | 1568 | 1568
WireGuard is the simplest and fastest VPN at the moment, with a simple design.
The key thing to observe here:

VPN Software | Packet Number | Traffic (bytes) | Client time (ms) | Server time (ms)
---|---|---|---|---
WireGuard | 2 | 324 | 0.572 | 0.005
PQ-WireGuard | 2 | 2492 | 0.573 | 0.027
OpenVPN (NIST P-256) | 19 | 5408 | 242.014 | 253.582
OpenVPN (RSA-2048) | 21 | 7535 | 244.288 | 251.304

It is simple to draw a conclusion, isn't it?
At some point in the near future, a given crypto algorithm will:
- get a hardware accelerator, or
- be implemented in a Hardware Security Module, or
- become a critical component of a crypto networking card, etc.
The result shows that an FPGA can outperform a Cortex-A53 at 1200 MHz; although the FPGA runs at a slower clock rate of 322 MHz, it is still faster.
Still, there are open problems in the research community.
RSA-512 publicly broken: "Let's use RSA-768"
RSA-768 publicly broken: "Let's use RSA-1024"
RSA-2048 publicly broken by quantum computers: "Okay, let's use RSA-3072"
Future: "Still use RSA"
Key size must be increased:

Item | Size
---|---
Key | 1 Gb
Signature | ~1 Gb
KEM Ciphertext | 1 Gb
Encrypt Ciphertext | 1 Gb

Scheme | Keygen | Decrypt | Encrypt
---|---|---|---
pqrsa15 | 10.5h | 22m | 3m
pqrsa20 | 11h | 35m | 6m
pqrsa25 | 2.2d | 1.5h | 8m
pqrsa30 | 2.3d | 2.1h | 10m

Computation time must be increased too.
Public exponent e = 3.
Shor's algorithm doesn't apply here, but Grover's quantum search is too strong...