Transitioning to a Quantum-Resistant Public Key Infrastructure
To ensure uninterrupted cryptographic security, it is important to begin planning the transition to post-quantum cryptography. In addition to creating post-quantum primitives, we must also plan how to adapt the cryptographic infrastructure for the transition, especially in scenarios such as public key infrastructures (PKIs) with many participants. The use of hybrids—multiple algorithms in parallel—will likely play a role during the transition for two reasons: “hedging our bets” when the security of newer primitives is not yet certain but the security of older primitives is already in question; and to achieve security and functionality both in post-quantum-aware and in a backwards-compatible way with not-yet-upgraded software.
In this paper, we investigate the use of hybrid digital signature schemes. We consider several methods for combining signature schemes, and give conditions on when the resulting hybrid signature scheme is unforgeable. Additionally we address a new notion about the inability of an adversary to separate a hybrid signature into its components. For both unforgeability and non-separability, we give a novel security hierarchy based on how quantum the attack is. We then turn to three real-world standards involving digital signatures and PKI: certificates (X.509), secure channels (TLS), and email (S/MIME). We identify possible approaches to supporting hybrid signatures in these standards while retaining backwards compatibility, which we test in popular cryptographic libraries and implementations, noting especially the inability of some software to handle larger certificates.
KeywordsHybrid Signature Signature Scheme Random Oracle Server Authentication Valid Signature
NB acknowledges support by the German Research Foundation (DFG) as part of project P1 within the CRC 1119 CROSSING. DS acknowledges support from Natural Sciences and Engineering Research Council of Canada (NSERC) Discovery grant RGPIN-2016-05146.
- 1.Akleylek, S., Bindel, N., Buchmann, J., Krämer, J., Marson, G.A.: An efficient lattice-based signature scheme with provably secure instantiation. In: Pointcheval, D., Nitaj, A., Rachidi, T. (eds.) AFRICACRYPT 2016. LNCS, vol. 9646, pp. 44–60. Springer, Cham (2016). doi: 10.1007/978-3-319-31517-1_3 CrossRefGoogle Scholar
- 2.Alkim, E., Bindel, N., Buchmann, J., Dagdelen, Ö.: TESLA: tightly-secure efficient signatures from standard lattices. Cryptology ePrint Archive, Report 2015/755 (2015)Google Scholar
- 3.Barreto, P., Longa, P., Naehrig, M., Ricardini, J.E., Zanon, G.: Sharper ring-LWE signatures. Cryptology ePrint Archive, Report 2016/1026 (2016)Google Scholar
- 7.Bindel, N., Herath, U., McKague, M., Stebila, D.: Transitioning to a quantum-resistant public key infrastructure (full version). Cryptology ePrint Archive, April 2017Google Scholar
- 9.Bos, J.W., Costello, C., Naehrig, M., Stebila, D.: Post-quantum key exchange for the TLS protocol from the ring learning with errors problem. In: 2015 IEEE Symposium on Security and Privacy, pp. 553–570. IEEE Computer Society Press, May 2015Google Scholar
- 10.Braithwaite, M.: Google Security Blog: Experimenting with post-quantum cryptography, July 2016. https://security.googleblog.com/2016/07/experimenting-with-post-quantum.html
- 12.Campagna, M., et al.: Quantum safe cryptography and security: an introduction, benefits, enablers and challengers. Technical report, ETSI (European Telecommunications Standards Institute) June 2015. http://www.etsi.org/images/files/ETSIWhitePapers/QuantumSafeWhitepaper.pdf
- 13.Chen, A.I.-T., Chen, M.-S., Chen, T.-R., Cheng, C.-M., Ding, J., Kuo, E.L.-H., Lee, F.Y.-S., Yang, B.-Y.: SSE implementation of multivariate PKCs on modern x86 CPUs. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 33–48. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-04138-9_3 CrossRefGoogle Scholar
- 14.Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., Polk, W.: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. RFC 5280, May 2008Google Scholar
- 15.Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246, August 2008Google Scholar
- 20.Housley, R.: Cryptographic Message Syntax (CMS). RFC 5652, September 2009Google Scholar
- 22.Ramsdell, B., Turner, S.: Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.2 Message Specification. RFC 5751, January 2010Google Scholar
- 23.Rescorla, E.: The Transport Layer Security (TLS) protocol version 1.3, draft 19, March 2017. https://tools.ietf.org/html/draft-ietf-tls-tls13-19
- 24.Sullivan, N.: Exported authenticators in TLS, draft 01, March 2017. https://tools.ietf.org/html/draft-sullivan-tls-exported-authenticator-01