ETSI GR QSC 001 V1.1.1 (2016-07)

GROUP REPORT

Quantum-Safe Cryptography (QSC); Quantum-safe algorithmic framework

Reference: DGR/QSC-001
Keywords: algorithm, authentication, confidentiality, security

ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00   Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - NAF 742 C
Non-profit association registered at the Sous-Préfecture de Grasse (06) N° 7803/88

Important notice

The present document can be downloaded from: http://www.etsi.org/standards-search

The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.

Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx

If you find errors in the present document, please send your comment to one of the following services: https://portal.etsi.org/People/CommiteeSupportStaff.aspx

Copyright Notification

No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2016. All rights reserved.

DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPP™ and LTE are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association.

Contents

Intellectual Property Rights ... 6
Foreword ... 6
Modal verbs terminology ... 6
1 Scope ... 7
2 References ... 7
2.1 Normative references ... 7
2.2 Informative references ... 7
3 Abbreviations ... 16
4 Primitives under consideration ... 17
4.1 Introduction ... 17
4.2 Primitive families ... 17
4.3 Primitive types ... 17
4.4 Application-specific or restricted-use cases ... 18
4.5 Other mechanisms ... 18
5 Assessment framework ... 18
5.1 Introduction ... 18
5.2 Assessment criteria ... 18
5.2.1 Security ... 18
5.2.2 Efficiency ... 19
5.2.3 Implementation and deployment issues ... 19
5.3 Security considerations ... 19
5.3.1 Classical security ... 19
5.3.2 Quantum security ... 19
5.3.3 Provable security ... 20
5.3.4 Forward security ... 20
5.3.5 Active security ... 20
6 Lattice-based primitives ... 21
6.1 Introduction ... 21
6.2 Provable security ... 21
6.3 Key establishment ... 22
6.3.1 Key agreement primitives ... 22
6.3.1.1 Peikert ... 22
6.3.1.2 Zhang et al ... 22
6.3.1.3 Ghosh-Kate ... 22
6.3.2 Key transport primitives ... 22
6.3.2.1 NTRUEncrypt ... 22
6.3.3 Other key establishment primitives ... 23
6.3.3.1 HIMMO ... 23
6.3.4 Forward security ... 23
6.3.5 Active security ... 23
6.4 Authentication ... 23
6.4.1 Fiat-Shamir signatures ... 23
6.4.1.1 Lyubashevsky ... 23
6.4.1.2 Güneysu-Lyubashevsky-Pöppelmann ... 23
6.4.1.3 BLISS ... 24
6.4.2 Hash-and-sign signatures ... 24
6.4.2.1 NTRU-MLS ... 24
6.4.2.2 Aguilar et al ... 24
6.4.2.3 Ducas-Lyubashevsky-Prest ... 24
6.4.3 Other authentication primitives ... 24
6.4.3.1 HIMMO ... 24
6.5 Quantum security ... 24
7 Multivariate schemes ... 25
7.1 Introduction ... 25
7.2 Provable security ... 25
7.3 Key establishment ... 26
7.3.1 Key transport primitives ... 26
7.3.1.1 Simple Matrix ... 26
7.3.1.2 HFE ... 26
7.3.1.3 ZHFE ... 26
7.3.1.4 Polly Cracker Revisited ... 26
7.3.2 Forward security ... 26
7.3.3 Active security ... 27
7.4 Authentication ... 27
7.4.1 Fiat-Shamir signatures ... 27
7.4.1.1 Sakumoto-Shirai-Hiwatari ... 27
7.4.2 Hash-and-sign signatures ... 27
7.4.2.1 Quartz ... 27
7.4.2.2 Gui ... 27
7.4.2.3 UOV ... 27
7.4.2.4 Rainbow ... 28
7.5 Quantum security ... 28
8 Code-based primitives ... 28
8.1 Introduction ... 28
8.2 Provable security ... 28
8.3 Key establishment ... 29
8.3.1 Key transport primitives ... 29
8.3.1.1 McEliece and Niederreiter ... 29
8.3.1.2 Wild McEliece ... 29
8.3.1.3 MDPC McEliece ... 29
8.3.1.4 LRPC McEliece ... 29
8.3.2 Forward security ... 29
8.3.3 Active security ... 29
8.4 Authentication ... 30
8.4.1 Fiat-Shamir signatures ... 30
8.4.1.1 Cayrel et al ... 30
8.4.2 Hash-and-sign signatures ... 30
8.4.2.1 CFS ... 30
8.4.2.2 RankSign ... 30
8.5 Quantum security ... 30
9 Hash-based primitives ... 30
9.1 Introduction ... 30
9.2 Provable security ... 31
9.3 Authentication ... 31
9.3.1 Stateful signatures ... 31
9.3.1.1 Merkle ... 31
9.3.1.2 XMSS ... 31
9.3.2 Stateless signatures ... 31
9.3.2.1 SPHINCS ... 31
9.4 Quantum security ... 32
10 Isogeny-based primitives ... 32
10.1 Introduction ... 32
10.2 Provable security ... 32
10.3 Key establishment ... 32
10.3.1 Key agreement primitives ... 32
10.3.1.1 Jao-De Feo ... 32
10.3.2 Forward security ... 33
10.3.3 Active security ... 33
10.4 Authentication ... 33
10.4.1 Other authentication primitives ... 33
10.4.1.1 Jao-Soukharev ... 33
10.4.1.2 Sun-Tian-Wang ... 33
10.5 Quantum security ... 33
11 Key length summary ... 33
11.1 Introduction ... 33
11.2 Key establishment ... 34
11.3 Authentication ... 35
12 Conclusions ... 36
Annex A: Classical key size comparison ... 38
A.1 Key establishment ... 38
A.2 Authentication ... 39
Annex B: Quantum key size comparison ... 40
B.1 Key establishment ... 40
B.2 Authentication ... 41
History ... 42

Intellectual Property Rights

IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards”, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (https://ipr.etsi.org/).

Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document.

Foreword

This Group Report (GR) has been produced by ETSI Industry Specification Group (ISG) Quantum-Safe Cryptography (QSC).

Modal verbs terminology

In the present document “should”, “should not”, “may”, “need not”, “will”, “will not”, “can” and “cannot” are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions).

“must” and “must not” are NOT allowed in ETSI deliverables except when used in direct citation.

1 Scope

The present document gives an overview of the current understanding and best practice in academia and industry about quantum-safe cryptography (QSC). It focuses on identifying and assessing cryptographic primitives that have been proposed for efficient key establishment and authentication applications, and which may be suitable for standardization by ETSI and subsequent use by industry to develop quantum-safe solutions for real-world applications.

QSC is a rapidly growing area of research. There are already academic conference series such as PQC, and workshops have been established by ETSI/IQC [i.1] and NIST. The European Commission has recently granted funding to two QSC projects under the Horizon 2020 framework: SAFEcrypto [i.2] and PQCrypto [i.3] and [i.4]. The present document draws on all these research efforts.

The present document covers three main areas. Clauses 4 and 5 discuss the types of primitives being considered and describe an assessment framework; clauses 6 to 10 discuss some representative cryptographic primitives; and clause 11 gives a preliminary discussion of key sizes.

2 References

2.1 Normative references

Normative references are not applicable in the present document.

2.2 Informative references

References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies.

NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity.

The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area.

[i.1] ETSI White Paper No. 8 (2015): “Quantum safe cryptography and security”.
[i.2] NIST PQC workshop (2015): “SAFEcrypto Project”, M. O'Neill.
[i.3] NIST Workshop on Cybersecurity in a Post-Quantum World (2015): “PQCrypto project”, T. Lange.
[i.4] PQCrypto (2015): “Initial recommendations of long-term secure post-quantum systems”.
NOTE: Available at http://www.pqcrypto.eu.org/.
[i.5] John Wiley and Sons (1996): “Applied cryptography”, B. Schneier.
[i.6] ACM Symposium on Theory of Computing (1977): “Universal classes of hash functions”, J. Carter and M. Wegman.
[i.7] IETF RFC 4120 (2005): “The Kerberos network authentication service (V5)”, C. Neuman, T. Yu, S. Hartman and K. Raeburn.
[i.8] EUROCRYPT (2006): “QUAD: A practical stream cipher with provable security”, C. Berbain, H. Gilbert and J. Patarin.
[i.9] Information Security Technical Report, vol. 5, no. 3, pp. 55-65 (2000): “Security for the third generation (3G) mobile system”, C. Blanchard.
[i.10] IETF RFC 4279 (2005): “Pre-Shared Key Ciphersuites for TLS”, P. Eronen and H. Tschofenig.
[i.11] ZigBee (2015): “Zigbee alliance website”.
NOTE 1: Available at http://www.zigbee.org/.
NOTE 2: ZigBee is an example of a suitable product available commercially. This information is given for the convenience of users of the present document and does not constitute an endorsement by ETSI of this product.
[i.12] TU Darmstadt (2015): “Lattice challenge”.
NOTE: Available at www.latticechallenge.org.
[i.13] Philips (2015): “HIMMO challenge”.
NOTE: Available at www.himmo-.
[i.14] ACM Communications in Computer Algebra, vol. 49, no. 3, pp. 105-107 (2015): “A multivariate quadratic challenge toward post-quantum generation cryptography”, T. Yasuda, X. Dahan, Y.-J. Huang, T. Takagi and K. Sakurai.
[i.15] IACR ePrint Archive 2015/374 (2015): “On the impossibility of tight cryptographic reductions”, C. Bader, T. Jager, Y. Li and S. Schäge.
[i.16] PQC (2014): “A note on quantum security for post-quantum cryptography”, F. Song.
[i.17] CT-RSA (2003): “Forward-security in private-key cryptography”, M. Bellare and B. Yee.
[i.18] draft-ietf-tls-tls13-012 (21 March 2016): “The Transport Layer Security (TLS) protocol version 1.3”, E. Rescorla.
[i.19] NIST Workshop on Cybersecurity in a Post-Quantum World (2015): “Failure is not an option: standardization issues for post-quantum key agreement”, M. Motley.
[i.20] CRYPTO (1998): “Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS#1”, D. Bleichenbacher.
[i.21] CRYPTO (2000): “Differential fault attacks on elliptic curve cryptosystems”, I. Biehl, B. Meyer and V. Müller.
[i.22] IACR ePrint Archive 2015/939 (2015): “A decade of lattice cryptography”, C. Peikert.
[i.23] CRYPTO (1998): “Public-key cryptosystems from lattice reduction problems”, O. Goldreich, S. Goldwasser and S. Halevi.
[i.24] CT-RSA (2003): “NTRUSign: Digital signatures using the NTRU lattice”, J. Hoffstein, N. Howgrave-Graham, J. Pipher, J. Silverman and W. Whyte.
[i.25] EUROCRYPT (2006): “Learning a parallelepiped: Cryptanalysis of GGH and NTRU signatures”, P. Q. Nguyen and O. Regev.
[i.26] ASIACRYPT (2012): “Learning a zonotope and more: Cryptanalysis of NTRUSign countermeasures”, L. Ducas and P. Q. Nguyen.
[i.27] Designs, Codes and Cryptography (2014): “Finding shortest lattice vectors faster using quantum search”, T. Laarhoven, M. Mosca and J. van de Pol.
[i.28] PQC Summer School (2014): “Lattice cryptography”, D. Micciancio.
[i.29] FOCS (2002): “Generalized compact knapsacks, cyclic lattices, and efficient one-way functions from worst-case complexity assumptions”, D. Micciancio.
[i.30] Journal of the ACM (JACM), vol. 60, no. 6, p. 43 (2013): “On ideal lattices and learning with errors over rings”, V. Lyubashevsky, C. Peikert and O. Regev.
[i.31] Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing (1996): “Generating hard instances of lattice problems”, M. Ajtai.
[i.32] 2nd ETSI Quantum Safe Workshop (2014): “Soliloquy: A cautionary tale”, P. Campbell, M. Groves and D. Shepherd.
[i.33] CRYPTO (2015): “Provably weak instances of Ring-LWE”, Y. Elias, K. E. Lauter, E. Ozman and K. E. Stange.
[i.34] IACR ePrint Archive 2016/351 (2016): “How (not) to instantiate Ring-LWE”, C. Peikert.
[i.35] PQC (2014): “Lattice cryptography for the internet”, C. Peikert.
[i.36] Security and Privacy (2015): “Post-quantum key exchange for the TLS protocol from the ring learning with errors problem”, J. W. Bos, C. Costello, M. Naehrig and D. Stebila.
[i.37] IACR ePrint Archive 2015/138 (2015): “A practical key exchange for the internet using lattice cryptography”, V. Singh.
[i.38] IACR ePrint Archive 2015/1120 (2015): “Even more practical key exchanges for the internet using lattice cryptography”, V. Singh and A. Chopra.
[i.39] IACR ePrint Archive 2015/1092 (2015): “Post-quantum key exchange - A new hope”, E. Alkim, L. Ducas, T. Pöppelmann and P. Schwabe.
[i.40] EUROCRYPT (2015): “Authenticated key exchange from ideal lattices”, J. Zhang, Z. Zhang, J. Ding, M. Snook and O. Dagdelen.
[i.41] Applied Cryptography and Network Security (2015): “Post-quantum forward secure onion routing (future anonymity in today's budget)”, S. Ghosh and A. Kate.
[i.42] ANTS III (1998): “NTRU: A ring-based public key cryptosystem”, J. Hoffstein, J. Pipher and J. H. Silverman.
[i.43] EUROCRYPT (2011): “Making NTRU as secure as worst-case problems over ideal lattices”, D. Stehlé and R. Steinfeld.
[i.44] IEEE 1363.1 (2008): “Public-key cryptographic techniques based on hard problems over lattices”.
[i.45] ANSI X9.98 (2010): “Lattice-based polynomial public key establishment algorithm for the financial services industry”.
[i.46] IACR ePrint Archive 2015/708 (2015): “Choosing parameters for NTRUEncrypt”, J. Hoffstein, J. Pipher, J. M. Schanck, J. H. Silverman, W. Whyte and Z. Zhang.
[i.47] CRYPTO (2015): “An im