Selection of Cryptographic Algorithms, Post-Quantum Cryptography: ANSSI Views

Transcription

1 Selection of Cryptographic Algorithms, Post-Quantum Cryptography: ANSSI Views Henri Gilbert Head of Crypto Laboratory ANSSI, France

2 Issue > medium/long term security of cryptographic algorithms in security products security standards how to promote the adoption of strong crypto and deprecation of obsolete crypto? how to render crypto resilient against partly unknown threats? > national cybersecurity authority role of ANSSI advisory: recommend the use of strong/state of the art crypto mechanisms regulatory: condition the delivery of some security labels to the outcome of their cryptographic evaluation

3 Outline I. ANSSI recommendations on cryptographic mechanisms National guidelines: Référentiel Général de Sécurité RGS version 2.0, Annex B1, v2.03, Feb II. ANSSI views regarding post-quantum cryptography III. SOG-IS guidelines (ongoing work) Agreed Cryptographic Mechanisms version 1.0, May 2016

4 [I] RGS Annex B1 in a nutshell [1/4] > reference document for cryptographic evaluations an optional extra assessement related to crypto in the French CC scheme associated label: statement on the adequacy of crypto mechanisms in CC certificate > topic: selection of cryptographic mechanisms symmetric and asymmetric primitives: block ciphers, stream ciphers, hash functions, RSA, (EC)-DLOG symmetric and asymmetric schemes or modes of operation encryption, message/entity authentication, signature, key establishment random number generators

5 RGS Annex B1 in a nutshell [2/4] > requirements are expressed as principles, namely: rules if mandatory recommendations otherwise not as white or black lists of algorithms > security level of cryptographic primitives i.e., overall time complexity* of the best known attack in the classical (non-quantum) computation model an implicit policy underlying rules and recommendations is the following: a security level of at least 100 bits is required a security level of at least 128 bits is recommended * typically expressed as an equivalent number of invocations of the primitive / arithmetical operations

6 RGS Annex B1 in a nutshell [3/4] > some resulting requirements on parameter sizes symmetric primitives hash functions EC-DLOG on a subgroup of order q RSA PB on Z/NZ DLOG on GF(p) recommended parameter lengths in bits key 128 hash 256 largest prime factor(q) 256 N 3072 p 3072 tolerated i.e., compliant with rules if not used beyond key hash largest prime factor(q) N p

7 RGS Annex B1 in a nutshell [4/4] > examples of other rules or recommendations recommended block size for block ciphers: n 128 bits for blockciphers used beyond 2020, n 128 bits is required for encryption modes of operations no IND-CPA attack of complexity less than 2 n/2 must exist modes supported by a proof of security are recommended a combined use whith a message authentication mode is recommended > examples of recent evolutions RSA PB + DLOG: 3072 bits beyond 2030 instead of 4096 bits beyond 2020 DLOG on prime fields only (this was only recommended in former versions) random number generators

8 [II] Post-Quantum Cryptography (PQC) > quantum computation threat (reminder) if large-scale quantum computers ever become a reality then: currently deployed asymmetric cryptography will collapse [Shor95] symmetric cryptography will also be to some extent affected [Grover96, Simon95] it is notoriously difficult to predict whether this will happen and when «only a rash person would declare that there will be no useful quantum computers by the year 2050, but only a rash person would predict that there will be» [Mermin07] one could replace 2050 by 2040 in the former statement anyway, this potential threat should obviously not be ignored while the issue has been debated for years, it was brought under the spotlights by the US CNSS advisory memorandum of July 2015 «[ ] as we anticipate a need to shift to quantum-resistant cryptography in the near future»

9 Post-Quantum Cryptography: ANSSI views [1/2] > the most promising medium/long term avenue to thwart the quantum threat > however post-quantum asymmetric mechanisms proposed so far [based on (ideal) lattices, codes, multivariate cryptography, isogenies, etc.] are not yet sufficiently mature, well studied, standardized to be immediately deployed as a drop-in replacement for pre-quantum mechanisms based on the RSA, DLOG, and EC-DLOG problems => no short-term endorsement of such mechanisms in RGS Annex B1 is foreseen [single potential exception: hash-based signatures] recognised > symmetric mechanisms and hash functions of key / hash length 256 bits can be reasonably conjectured quantum-safe [outside from the very strong security model of «quantum chosen message» attacks]

10 Post-Quantum Cryptography: ANSSI views [2/2] > recognised symmetric mechanisms and hash functions can be reasonably conjectured quantum-safe if their key / hash length is sufficiently large [outside from the very strong security model of «quantum chosen message» attacks] > hybrid mechanisms constructed over a recognised pre-quantum key exchange mechanism while not harming the pre-quantum security of the original scheme such hybrid mechanisms can potentially add some protection against the quantum threat one can distinguish two main types of hybrid key exchange mechanisms

11 Post-Quantum Cryptography: ANSSI views [2/2] > recognised symmetric mechanisms and hash functions can be reasonably conjectured quantum-safe if their key / hash length is sufficiently large [outside from the very strong security model of «quantum chosen message» attacks] > hybrid mechanisms constructed over a recognised pre-quantum key exchange mechanism type1 combines a pre-shared secret key with the key derived from the pre-quantum key exchange ( this induces a strong key management constraint ) Pre-Q of A + Secret K = Key key exchange Pre-Q of B + Secret K = Key

12 Post-Quantum Cryptography: ANSSI views [2/2] > recognised symmetric mechanisms and hash functions can be reasonably conjectured quantum-safe if their key / hash length is sufficiently large [outside from the very strong security model of «quantum chosen message» attacks] > hybrid mechanisms constructed over a recognised pre-quantum key exchange mechanism type2: combines the key derived from the pre-quantum key exchange with the key derived from a post-quantum key exchange Pre-Q of A + Post-Q of A = Key key exchange key exchange Pre-Q of B + Post-Q of B = Key 12

13 Post-Quantum Cryptography: ANSSI views [2/2] > recognised symmetric mechanisms and hash functions can be reasonably conjectured quantum-safe if their key / hash length is sufficiently large [outside from the very strong security model of «quantum chosen message» attacks] > hybrid mechanisms constructed over a recognised pre-quantum key exchange mechanism [type 1 or type 2] while not harming the pre-quantum security of the original scheme such hybrid mechanisms can potentially add some protection against the quantum threat RGS Annex B1 in its present form could allow to endorse the pre-quantum part of such hybrid public key mechanisms and to view their post-quantum part as an extra «in-depth» protection. the above approach can be transposed to other pre-quantum PK mechanisms

14 Post-Quantum Cryptography: ANSSI views [3/3] > the main focus in the next [five] years should be put on an international effort for developing, evaluating and standardizing sufficiently mature and well studied asymmetric PQC primitives a strong involvement of the academic community is needed the NIST call for proposals for quantum-safe primitives is a significant step in the right direction in France the RISQ project will contribute to this effort > or other use cases (the majority of commercial crypto) this is a medium term issue: while an immediate transitioning to quantum-safe mechanisms is not requested, provisions for facilitating future evolutions of crypto mechanisms (by enhancing crypto agility, etc.) are recommended

15 Post-Quantum Cryptography: ANSSI views [3/3] > the main focus in the next [five] years should be put on an international effort for developing, evaluating and standardizing sufficiently mature and well studied asymmetric PQC primitives a strong involvement of the academic community is needed the NIST call for proposals for quantum-safe primitives is a significant step in the right direction > for use cases requiring a long-lived protection of the information, e.g. 20 years it is advised to start taking the quantum threat into account the use of hybrid key exchange and/or of hash based signature mechanisms can be considered on a per case basis however any «direct jump» to a stand-alone post-quantum asymmetric key exchange or encryption mechanism is considered premature > for other use cases (the majority of commercial crypto) this is a medium term issue: while an immediate transitioning to quantum-safe mechanisms is not requested, provisions for facilitating future evolutions of crypto mechanisms (by enhancing crypto agility, etc.) are recommended

16 [III] SOG-IS guidelines regarding crypto (ongoing work) > SOGIS-MC [Senior Officials Group Information Systems Security Management Committee] oversees the mutual recognition of Common Criteria certificates among European certification bodies (SOG-IS MRA) > SOG-IS Crypto WG created in 2014, reporting to the MC areas of expertise: crypto (CR) and Common Criteria (CC) mandate establish a pan-european SOG-IS crypto evaluation scheme (SCES) i.e. a set of requirements and evaluation procedures related to crypto mechanisms that will condition the delivery of an optional SCES logo in CC certificates [a kind of counterpart of FIPS certificates]

17 Documents in preparation - overview topic Guidelines on Agreed Cryptographic Mechanisms progress v1.0 published for comments on SOG-IS page Informal Requirements on Harmonised Cryptographic Evaluation Procedures Formal Requirements on Evaluation of ToE with Cryptographic Mechanisms: minimum security assurance package + CC evaluation methodology Guide on reflecting crypto-related functional and assurance requirements in STs and PPs [guidance doc.] Proof of concept of a PP covering a superset of FIPS crypto and non-crypto assurance preliminary discussions ext. editorial support expected 2 draft documents under discussion relatively stable draft not started yet

18 SOG-IS requirements on agreed crypto mechanisms [1/3] > objectives specify which cryptographic mechanisms are considered agreed, i.e. eligible for mutual recognition > 3 embedded types of crypto mechanisms primitives, e.g. AES, SHA-2, RSA PB, DLOG, ECDLOG schemes or modes of operation, e.g. CBC, HMAC, GCM, ECKCDSA protocols, e.g. secure channel protocols: not covered for the time being > 2 categories of agreed mechanisms recommended (R): compliant with the state of the art security level 125 bits legacy (L): adequate short/medium term security, but should be gradually phased out because of some security assurance limitations; default acceptability deadline: 2020; security level 100 bits

19 SOG-IS requirements on agreed crypto mechanisms [2/3] > approach: extensible list of agreed mechanisms advantage over criteria/principles-based approach: no mutual «blank check», should render most situations easy to handle potential risk: impede innovative solutions and up to date crypto if lists are too restrictive and unfrequently updated trade-off: regular update of the document, silence procedure allowing a CB to vouch for the inclusion of an extra agreed mechanism > for the main types of mechanisms the following information is provided an informal description a table of the agreed mechanisms [Recommended: R and Legacy: L] caveat notes: major items to be checked during evaluation, e.g. implem. precautions

20 SOG-IS requirements on agreed crypto mechanisms [3/3] > disclaimer on Post-Quantum Cryptography "While quantum computers do not represent an immediate threat to cryptography, this might happen in the future. The current document does not provide agreed quantum resistant mechanisms. Such mechanisms might be introduced in future versions since standardization of quantum resistant mechanisms is likely to take place within a few years. For all the above reasons, developers of cryptographic systems with expected lifetimes longer than a few years should always take into account the possible need to migrate to newer algorithms, possibly including quantum-resistant algorithms. " Crypto agility 20

21 Conclusion > cryptographic mechanisms should represent a long-lasting part of information systems security selecting state of the art mechanisms with a sufficient security level is one of the conditions for keeping a sufficient security margin against practical attacks cannot represent an ever-lasting part of information systems security issues like PQC require some controlled / gradual evolution of the toolkit of trusted cryptographic mechanisms