CryptoDB
Jihoon Cho
Publications
Year
Venue
Title
2024
RWC
Entering to a New Era of Crypto Engineering: Cryptographic Visibility and Agility
Abstract
Mosca introduced three crucial aspects for real-world cryptography in the quantum computing era: security shelf-life, migration time, and collapse time. While collapse time has been extensively studied, migration time has not received as much attention. Acknowledging the complexity of post-quantum cryptography (PQC) migration, NIST launched the `Migration to Post-Quantum Cryptography' project in June 2022. Migration to PQC involves three primary tasks: inventorying the use of cryptography, analyzing risks and determining migration priorities, and executing migration to PQC. The two tasks of inventorying and migration, in particular, demand capabilities of cryptographic visibility and cryptographic agility, respectively. This is especially important for enterprises that own and maintain numerous IT systems for migration at scale.
While participating in NIST's `Migration to PQC' project, we investigated the possibility of using existing open sources to obtain cryptographic visibility and agility. More specifically, we modified or extended the features of existing open-source tools in the DevOps pipeline for automated inventorying of cryptographic usage, and also demonstrated changing cryptographic providers without altering applications making use of the well-designed Java Cryptography Architecture. We have gained a clearer understanding and several findings regarding migration to PQC, and this talk will provide insights for IT service providers as well as the open-source community regarding PQC migration. Next, we briefly describe how we can make use of existing tools to gain cryptographic visibility and agility.
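The provider-swap the abstract refers to rests on one property of the Java Cryptography Architecture: application code names an algorithm, and the JCA resolves it against the installed provider list at run time. The following is an added example written for this page (it is not code from the talk, from NIST's project, or from the authors). It assumes nothing beyond the standard `java.security` API; the `crypto.keyAlg` / `crypto.sigAlg` system properties and the class name `AgileSigner` are names chosen for the demo, and the default `EC` / `SHA256withECDSA` pair is only there so the program runs on any JDK.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;

/**
 * Added example: a provider-agnostic signing helper plus a small inventory
 * probe. Business code never names a provider; it asks the JCA for an
 * algorithm and lets the provider list (java.security, or
 * Security.insertProviderAt at startup) decide who serves it.
 */
public final class AgileSigner {

    // Algorithm names come from configuration, not from string literals in
    // the code paths that sign. The property names are assumptions for the demo.
    static final String KEY_ALG = System.getProperty("crypto.keyAlg", "EC");
    static final String SIG_ALG = System.getProperty("crypto.sigAlg", "SHA256withECDSA");

    /**
     * Inventory probe: which installed provider would serve (service, algorithm)?
     * Security.getProviders() is in preference order, so the first hit is the one
     * getInstance() would pick. Returns null when no provider can serve it, which
     * is exactly the finding a migration inventory needs to surface.
     */
    static String providerFor(String service, String algorithm) {
        for (Provider p : Security.getProviders()) {
            if (p.getService(service, algorithm) != null) {
                return p.getName() + " " + p.getVersionStr();
            }
        }
        return null;
    }

    /** Generate a key pair, sign, and verify; provider selection is left to the JCA. */
    static boolean roundTrip(String keyAlg, String sigAlg, byte[] message)
            throws GeneralSecurityException {
        KeyPair kp = KeyPairGenerator.getInstance(keyAlg).generateKeyPair();

        Signature signer = Signature.getInstance(sigAlg);
        signer.initSign(kp.getPrivate());
        signer.update(message);
        byte[] sig = signer.sign();

        Signature verifier = Signature.getInstance(sigAlg);
        verifier.initVerify(kp.getPublic());
        verifier.update(message);
        return verifier.verify(sig);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed sample input for the demo.
        byte[] msg = "constructed sample message".getBytes(StandardCharsets.UTF_8);

        System.out.println("KeyPairGenerator " + KEY_ALG + " -> "
                + providerFor("KeyPairGenerator", KEY_ALG));
        System.out.println("Signature " + SIG_ALG + " -> "
                + providerFor("Signature", SIG_ALG));
        System.out.println("signature verifies: " + roundTrip(KEY_ALG, SIG_ALG, msg));
    }
}
```

Run it as `java AgileSigner` and the two probe lines show which provider the JDK resolved the classical pair to. Switching the algorithm pair (for example to the ML-DSA names a JDK that ships FIPS 204 registers, or to whatever names a third-party PQC provider installed through a `security.provider.N=` line in `java.security` registers; both are assumptions about the target environment, not something this page states) changes `KEY_ALG`/`SIG_ALG` and nothing in `roundTrip`. The check a practitioner wants before trusting that claim: the agility only holds for code that stays on the `Key`/`Signature` interfaces. Code that casts to provider-specific key classes, hardcodes key sizes, or pins a serialized key format will still break, and a `null` from `providerFor` for an algorithm the configuration names is the inventory finding to act on before cut-over.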
2021
ASIACRYPT
Transciphering Framework for Approximate Homomorphic Encryption
Abstract
Homomorphic encryption (HE) is a promising cryptographic primitive that enables computation over encrypted data, with a variety of applications including medical, genomic, and financial tasks. In Asiacrypt 2017, Cheon et al. proposed the CKKS scheme to efficiently support approximate computation over encrypted data of real numbers. HE schemes including CKKS, nevertheless, still suffer from slow encryption speed and large ciphertext expansion compared to symmetric cryptography.
In this paper, we propose a novel hybrid framework, dubbed RtF (Real-to-Finite-field) framework, that supports CKKS. The main idea behind this construction is to combine the CKKS and the FV homomorphic encryption schemes, and use a stream cipher using modular arithmetic in between. As a result, real numbers can be encrypted without significant ciphertext expansion or computational overload on the client side.
As an instantiation of the stream cipher in our framework, we propose a new HE-friendly cipher, dubbed HERA, and extensively analyze its security and efficiency. The main feature of HERA is that it uses a simple randomized key schedule.
Compared to recent HE-friendly ciphers such as FLIP and Rasta using randomized linear layers, HERA requires a smaller number of random bits. For this reason, HERA significantly outperforms existing HE-friendly ciphers on both the client and the server sides.
With the RtF transciphering framework combined with HERA at the 128-bit security level, we achieve small ciphertext expansion ratio with a range of 1.23 to 1.54, which is at least 23 times smaller than using (symmetric) CKKS-only, assuming the same precision bits and the same level of ciphertexts at the end of the framework. We also achieve 1.6 $\mu$s and 21.7 MB/s for latency and throughput on the client side, which are 9085 times and 17.8 times faster than the CKKS-only environment, respectively.
2019
TCHES
Novel Side-Channel Attacks on Quasi-Cyclic Code-Based Cryptography
Abstract
Chou suggested a constant-time implementation for quasi-cyclic moderate-density parity-check (QC-MDPC) code-based cryptography to mitigate timing attacks at CHES 2016. This countermeasure was later found to become vulnerable to a differential power analysis (DPA) in private syndrome computation, as described by Rossi et al. at CHES 2017. The proposed DPA, however, still could not completely recover accurate secret indices, requiring further solving of linear equations to obtain the entire secret information. In this paper, we propose a multiple-trace attack which enables complete recovery of accurate secret indices. We further propose a single-trace attack which can even work when using ephemeral keys or applying Rossi et al.'s DPA countermeasures. Our experiments show that BIKE and LEDAcrypt may become vulnerable to our proposed attacks. The experiments are conducted using power consumption traces measured from ChipWhisperer-Lite XMEGA (8-bit processor) and ChipWhisperer UFO STM32F3 (32-bit processor) target boards.
Coauthors
- Janghyuk Ahn (1)
- Jihoon Cho (3)
- Kyu Young Choi (1)
- Jincheol Ha (1)
- Dong-Guk Han (1)
- Seongkwang Kim (1)
- Eunkyung Kim (1)
- Jihoon Kwon (1)
- Changhoon Lee (1)
- Joohee Lee (1)
- ByeongHak Lee (1)
- Jooyoung Lee (1)
- Dukjae Moon (1)
- Aesun Park (1)
- Bo-Yeon Sim (1)
- HyoJin Yoon (2)
- Hunhee Yu (1)