Quantum Encryption: Quantum-Hardened Encryption Protocols

Quantum Encryption

I recently did some work as a side project for a company called Patero that involved creating a quantum-hardened prototype of one of their products. This post discusses how to secure state-of-the-art cryptographic protocols against attacks from (future) quantum computers. It starts off with an introduction to how crypto protocols in general are constructed, to serve as an introduction for those of us who haven’t done much crypto work in the past. Either watch the video (EN/DE) or read the post below for a text version.


In addition to my role at Adobe, I also do occasional freelance work as a software engineer focusing on Rust/C++/embedded and cryptographic work. One of the clients I usually do work for is Patero, who are working on integrating quantum-hardened secure communication modules into mobile devices, IoT, and critical infrastructure. One of their projects is an end-to-end encrypted, hardware-based cryptography module for securing mobile calls and communications in general, even in the face of a compromised operating system. To further this project I was asked to create a quantum-hardened version of this chip for evaluation purposes: first identifying those parts of their cryptographic protocol¹ that would break once quantum-computer-based attacks become feasible, then finding solutions to harden the protocol against such attacks. This blog post discusses the general approach usually taken when hardening modern crypto protocols.


To be clear, this post is about Quantum Hardening, also known as Post-Quantum Cryptography: the study of how to secure the sort of crypto protocols used on normal machines against cryptanalysis (attacks) performed with quantum computers. This post is not about Quantum Computing (the study of how to use quantum computers to solve problems), and it is not about Quantum Cryptography (the study of using quantum effects to do cryptography).


The first part of this post is dedicated to revisiting some cryptography fundamentals, the basic makeup of modern-day crypto protocols, so that even readers less familiar with the subject can take something away from this post. Jump down to “Quantum Attacks: Grover’s algorithm” if you are already familiar with the inner workings of modern cryptographic transport protocols.


Summary: How to quantum harden in a hurry


The availability of practical quantum computers would render all commonly used asymmetric cryptography insecure. Since pretty much all modern-day cryptographic protocols (like HTTPS, TLS⁵, or SSH⁶) rely on asymmetric crypto as a vital component, these protocols will also become insecure. Symmetric cryptography is also affected, but doubling key sizes provides an easy fix. Making asymmetric crypto secure again will require the introduction of entirely new cryptographic primitives.


This is not a large problem now, because quantum computers are currently impractical, but their technology may advance enough in the coming years or decades to make quantum-computer-based attacks feasible. We should prepare for this point in time soon: some data needs to remain securely encrypted over the next decades, which is why quantum-hardened cryptography is starting to become an important subject.


The process of developing post-quantum cryptography is currently ongoing. For key exchanges, Classic McEliece is a robust choice, but its memory requirements are prohibitive for many platforms. Failing that, FrodoKEM is not a terrible choice. Post-quantum signature schemes are less urgent because signatures only need to thwart online attacks (and to mount those, an attacker needs a quantum computer now, not in the future). Still, SPHINCS+ is probably not a particularly bad choice, but again its memory requirements are pretty tough to meet.


Any post-quantum crypto primitive is currently suspect and should not be used on its own; there is significant risk that the key exchange or signature scheme could turn out to be insecure even against classical computers, meaning that a protocol relying on such a primitive alone would be worse off than a state-of-the-art classical protocol. Quantum-hardened algorithms should only be used together with classical, well-analyzed primitives. Employ robust combiners for this purpose. Open Quantum Safe is probably not a bad source of implementations of post-quantum primitives.
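The following is an added example of the robust-combiner idea from the paragraph above; it is not Patero's code or any library's API. It derives one session key from a classical shared secret and a post-quantum KEM shared secret with HKDF (RFC 5869, HMAC-SHA256), so the key stays secret as long as either component holds. The secrets and transcript are constructed stand-ins for real X25519/FrodoKEM outputs.

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with HMAC-SHA256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(n) = HMAC(PRK, T(n-1) | info | n)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def combine_shared_secrets(classical_ss: bytes, pq_ss: bytes, transcript: bytes,
                           label: bytes = b"hybrid-kex-v1") -> bytes:
    """Concatenation combiner: both secrets enter one HKDF-Extract as IKM.
    The output stays pseudorandom while at least one input is secret, so a
    break of the classical exchange alone (or of the PQ KEM alone) does not
    reveal the session key.  Each part is length-prefixed so that shifting
    bytes across the boundary between the two secrets cannot yield the same IKM."""
    ikm = (len(classical_ss).to_bytes(2, "big") + classical_ss
           + len(pq_ss).to_bytes(2, "big") + pq_ss)
    # Bind the key to the handshake transcript (public keys, ciphertexts, ...).
    salt = hashlib.sha256(transcript).digest()
    return hkdf_expand(hkdf_extract(salt, ikm), label, 32)


# Constructed sample values standing in for real DH/KEM outputs (assumption).
CLASSICAL_SS = bytes.fromhex("11" * 32)   # e.g. an X25519 shared secret
PQ_SS = bytes.fromhex("22" * 32)          # e.g. a FrodoKEM shared secret
TRANSCRIPT = b"constructed handshake transcript"


def session_key() -> bytes:
    return combine_shared_secrets(CLASSICAL_SS, PQ_SS, TRANSCRIPT)


def key_if_classical_broken(guessed_pq_ss: bytes) -> bytes:
    """Key an attacker derives after recovering the classical secret (say, by
    breaking the DH exchange) while still having to guess the PQ secret."""
    return combine_shared_secrets(CLASSICAL_SS, guessed_pq_ss, TRANSCRIPT)


if __name__ == "__main__":
    k, wrong = session_key(), key_if_classical_broken(bytes(32))
    print("session key   :", k.hex())
    print("attacker guess:", wrong.hex(), "match:", k == wrong)
```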


Post-quantum crypto should be limited to research and evaluation use cases at the moment, except in very special circumstances. Even though redundant constructions using robust combiners are probably safe, the act of updating protocols and changing implementations may introduce implementation errors, side channels, or operational problems, any of which can easily render your crypto system as a whole insecure. Even if extremely stringent measures are taken to publicly vet the resulting protocol and implementation, this risk persists.


What is crypto

[Slide: Alice sends a confidential message to Berta]

On a basic level, the goal of cryptography is the protection of private messages sent over public channels from interception by a third party. In the slide shown above, Alice would like to send a message (“I like your cat ears!”) to Berta; since this message is confidential, she would like to cryptographically protect the message.


Other use cases have even more stringent requirements: imagine sending a message requesting a wire transfer via online banking; you would not want an adversary to be able to send a transfer in your name or to modify the message in some way. This is why all crypto protocols should fulfill all three properties: Confidentiality (only the recipient can read it), Authentication (only you can send it), and Data Integrity (the message cannot be changed).


Archaic Ciphers: Rotation Cipher
