ETSI GR QSC 003 V1.1.1 (2017-02)
Quantum Safe Cryptography; Case Studies and Deployment Scenarios
GROUP REPORT

Disclaimer
The present document has been produced and approved by the Quantum-Safe Cryptography (QSC) ETSI Industry Specification Group (ISG) and represents the views of those members who participated in this ISG. It does not necessarily represent the views of the entire ETSI membership.

Reference: DGR/QSC-003
Keywords: algorithm, authentication, confidentiality, security

ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - NAF 742 C
Non-profit association registered at the Sous-Préfecture de Grasse (06) N° 7803/88

Important notice
The present document can be downloaded from: http://www.etsi.org/standards-search
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx
If you find errors in the present document, please send your comment to one of the following services: https://portal.etsi.org/People/CommiteeSupportStaff.aspx

Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media.
© European Telecommunications Standards Institute 2017. All rights reserved.
DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPP™ and LTE are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association.

Contents
Intellectual Property Rights
Foreword
Modal verbs terminology
1 Scope
2 References
2.1 Normative references
2.2 Informative references
3 Abbreviations
4 QSC deployment scenarios
5 Network security protocols
5.1 Introduction
5.2 TLS
5.2.1 TLS cryptography
5.2.2 Drop-in replacement
5.2.3 Hybrid scheme
5.2.4 Re-engineering
5.3 Discussion
5.3.1 Integration into the protocol stack
5.3.2 Handling large key sizes
5.3.3 Is quantum-safe authentication required today?
6 Offline services
6.1 Secure e-mail
6.2 Credentials for offline services
6.3 Discussion
7 Internet of Things
7.1 Introduction
7.2 IoT cryptography
7.3 Discussion
8 Satellite communications
8.1 Requirements
8.2 Constraints
8.3 Discussion
9 Key Distribution Centres
9.1 Introduction
9.2 Examples
9.2.1 Kerberos
9.2.2 ZigBee Trust Centre
9.2.3 Datagram Transport Layer Security (DTLS)
9.3 Discussion
10 Authentication
10.1 Introduction
10.2 Requirements and use cases
10.2.1 Authenticating Internet-based applications
10.2.2 Offline file Authentication
10.2.3 Authenticating broadcast communications
10.3 Symmetric solutions
10.4 Discussion
11 Exotic functionality
11.1 Identity-based encryption (IBE)
11.2 Attribute-based encryption (ABE) and fully homomorphic encryption (FHE)
11.3 Discussion
12 Conclusions
Annex A: Summary table
History

Intellectual Property Rights
IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards”, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (https://ipr.etsi.org/).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document.

Foreword
This Group Report (GR) has been produced by ETSI Industry Specification Group (ISG) Quantum-Safe Cryptography (QSC).

Modal verbs terminology
In the present document “should”, “should not”, “may”, “need not”, “will”, “will not”, “can” and “cannot” are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions).
“must” and “must not” are NOT allowed in ETSI deliverables except when used in direct citation.

1 Scope
The present document examines a number of real-world use cases for the deployment of quantum-safe cryptography (QSC). Specifically, it examines some typical applications where cryptographic primitives are deployed today and discusses some points for consideration by developers, highlighting features that may need to change to accommodate quantum-safe cryptography. The main focus of the document is on options for upgrading public-key primitives for key establishment and authentication, although several alternative, non-public-key options are also discussed.
The present document gives an overview of different technology areas, identifies where the security and cryptography currently reside, and indicates how things may have to evolve to support quantum-safe cryptographic primitives. Clauses five and six discuss network security protocols, using TLS and S/MIME as typical examples. These are contrasted in clauses seven and eight by an examination of security options for IoT and satellite use cases, which have very different requirements and constraints from traditional Internet-type services. Some alternatives to public-key protocols are reviewed in clause nine. Authentication requirements are discussed in clause ten and some forward-looking examples providing advanced functionality are examined in clause eleven.

2 References
2.1 Normative references
Normative references are not applicable in the present document.
2.2 Informative references
References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific
references, the latest version of the referenced document (including any amendments) applies.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity.
The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area.

3 Abbreviations
For the purposes of the present document, the following abbreviations apply:
6LoWPAN IPv6 over Low power Wireless Personal Area Networks
ABE Attribute-based Encryption
AES Advanced Encryption Standard
CoAP Constrained Application Protocol
COTS Commercial Off The Shelf
DH Diffie-Hellman
DSA Digital Signature Algorithm
DTLS Datagram Transport Layer Security
ECDH Elliptic Curve Diffie-Hellman
ECDSA Elliptic Curve Digital Signature Algorithm
FHE Fully Homomorphic Encryption
HEAT Homomorphic Encryption Applications and Technology
HFE Hidden Field Equations
HIBE Hierarchical Identity-Based Encryption
HIMMO Hiding Information Mixing Modular Operations
HTTP Hypertext Transfer Protocol
IEEE Institute of Electrical and Electronics Engineers
IETF Internet Engineering Task Force
IKE Internet Key Exchange
IoT Internet of Things
IPsec Internet Protocol Security
KDC Key Distribution Centre
KMS Key Management Server
KTC Key Translation Centre
LoRA Low Power Wide Area Network for IoT
LTE Long Term Evolution
MAC Message Authentication Codes
MIT Massachusetts Institute of Technology
oneM2M Standards for machine to machine
PKC Public Key Cryptography
PKI Public Key Infrastructure
PSK Pre-shared key
QSC Quantum-Safe Cryptography
QSH Quantum Safe Hybrid
RFC Request For Comments
RSA Rivest Shamir Adleman
S/MIME Secure/Multipurpose Internet Mail Extensions
SHA Secure Hash Algorithm
SMTP Simple Mail Transfer Protocol
TCP Transmission Control Protocol
TLS Transport Layer Security
UDP User Datagram Protocol
V2X Vehicle to everything
VoIP Voice over Internet Protocol
VPN Virtual Private Network
W3C Worldwide Web Consortium

4 QSC deployment scenarios
Cryptogr