# PQC TSS and PQC TPM



a prototype

Andreas Fuchs, 19th October 2018



## Introduction

- Due to the threat of quantum computers, we expect that asymmetric cryptography will transition to Post-Quantum Cryptography in the next ten years.
- PQC-schemes tend to have larger resource requirements than RSA, DH and ECC.
- In particular for resource restricted embedded systems, PQC might be hard to implement efficiently.
- TPMs have highly restricted resources.
- $\Rightarrow$  Investigate the usability of PQC for TPMs.



## Introduction

### Communication between Application and TPM




## Hash-based Signature Schemes

### Introduction

#### Properties:

- Hash functions as only building block.
- Well understood, high security guarantees.
- Limited number of signatures per public key!
- Some schemes need to maintain a state!

#### Examples:

- Stateful:
  - LMS, XMSS
- State-less:
  - SPHINCS, SPHINCS<sup>+</sup>



## Code-based Encryption Schemes

### Introduction

#### Properties:

- Use *error correcting codes* for cryptography.
- Studied since 1978, security depends on code family.
- Conservative schemes require large keys!
- Decoding errors may enable attacks (for some code choices)!

#### Codes for the McEliece/Niederreiter system:

- binary Goppa
- GRS, Reed-Muller, BCH
- LDPC, QC-MDPC



## Lattice-based Encryption Schemes

### Introduction

#### Properties:

- Use hard *lattice problems* for cryptography.
- Plenty of security proofs.
- Choice of parameters not yet well understood!
- Very promising, efficient schemes.

#### Examples:

- KEX: New Hope
- KEM: NTRU, qTESLA, Kyber



## Post-Quantum TPM

### Approach

#### Simulation:

- Extend an existing TPM simulator by adding PQC schemes.
- Test functionality.

#### Prototype:

- Transfer the TPM simulator to an embedded RISC-V processor.
- Measure performance and memory demand.

#### Optimization (ongoing work):

- Optimize TPM "simulator" software.
- Provide hardware accelerators for PQC primitives.



## Post-Quantum TPM

### Demonstration





## Post-Quantum TPM

### Performance

| Scheme | Key generation (cycles) | Key generation (time) | Encryption (cycles) | Encryption (time) | Decryption (cycles) | Decryption (time) |
|--------|------------------------|-----------------------|---------------------|-------------------|---------------------|-------------------|
| Kyber  | $35.7 \times 10^{6}$   | 0.715 s               | $44.5 \times 10^{6}$ | 0.891 s          | $9.36 \times 10^{6}$ | 0.187 s          |
| QcBits | $231 \times 10^{6}$    | 4.63 s                | $8.34 \times 10^{6}$ | 0.167 s          | $167 \times 10^{6}$ | 3.34 s            |

| Scheme (h = 10) | Key generation (cycles) | Key generation (time) | Verification (cycles) | Verification (time) | Signing (cycles) | Signing (time) |
|-----------------|------------------------|-----------------------|-----------------------|---------------------|------------------|----------------|
| XMSS            | $209 \times 10^{9}$    | 4190 s                | $130 \times 10^{6}$   | 2.60 s              | $209 \times 10^{9}$ | 4190 s      |
| XMSS HW\*       | $311 \times 10^{6}$    | 6.22 s                | $589 \times 10^{3}$   | 0.0118 s            | $1.77 \times 10^{6}$ | 0.0354 s   |

\*Estimate based on experiments. All times are at 50 MHz.



## Limitations of the TPM 2.0 Specification

### Standard TPM Parameters

#### IO Buffer Size:

The default maximum size of the IO buffer is 4096 bytes. (This limit is vendor-specific and not fixed in the specification.)

The default buffer size allows the following parameters:

- XMSS (SHA256):
  - Tree height: $24 \Rightarrow 2^{24} = 16,777,216$ signatures.
  - Limitation: computing time (key generation and signing).
  - The NVRAM of the TPM is perfect for storing the state!
  - NVRAM size limits the number of keys.
    - $\Rightarrow$ Increase NVRAM size if more keys are required.
- QC-MDPC:
  - Buffer size is fine for 80-bit and 128-bit security parameters.
  - Data structures for 256-bit security parameters are too large.
    - $\Rightarrow$ Double the IO buffer size.



## Limitations of the TPM 2.0 Specification

### Limitations of the Specification

#### Additional Commands for XMSS:

Optimized tree traversal algorithms (for signing) require caching inner tree nodes in order to avoid recomputing the entire tree for each signature.

Solutions:

- Store caching data in NVRAM. Limited resource!
- Use pseudo-persistent storage outside the TPM.
  - $\Rightarrow$ Requires additional commands to send and retrieve cache data.
  - The XMSS state (next leaf index) remains in NVRAM.
  - Data on inner tree nodes is pseudo-persistently cached.
  - Drop outdated caching data!
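The following is an added toy illustration (not code from the slides or from the Fraunhofer prototype) of the split described in the two XMSS slides above: the next-leaf index is the only state kept in a simulated NVRAM, inner tree nodes live in a cache outside the "TPM" that may be lost or pruned, and the number of signatures is bounded by $2^h$. The seed, the tree height and the leaf construction H(seed || i) are constructed placeholders, and the WOTS+ one-time signature of XMSS is omitted, so only the Merkle-tree and state handling is shown.

```python
import hashlib

def H(*parts: bytes) -> bytes:
    """SHA-256 over the concatenation of its arguments (toy XMSS-style node hash)."""
    return hashlib.sha256(b"".join(parts)).digest()

class ToyXmssTpm:
    """Toy version of the split the slides propose: the next-leaf index lives in
    'NVRAM', inner tree nodes in a droppable cache outside the TPM. Leaves are
    H(seed || i) and the WOTS+ signature over the message is omitted, so this
    shows only the Merkle and state handling of XMSS, not a usable signature scheme."""
    def __init__(self, seed: bytes, height: int):
        self.seed, self.h = seed, height
        self.nvram = {"next_leaf": 0}     # security-critical state: must never roll back
        self.cache = {}                   # (level, index) -> node hash, pseudo-persistent
        self.root = self.node(height, 0)  # key generation builds (and caches) the tree

    def node(self, level: int, idx: int) -> bytes:
        """Return a tree node from the cache, recomputing it from the seed if missing."""
        key = (level, idx)
        if key not in self.cache:
            if level == 0:
                self.cache[key] = H(self.seed, idx.to_bytes(4, "big"))
            else:
                self.cache[key] = H(self.node(level - 1, 2 * idx),
                                    self.node(level - 1, 2 * idx + 1))
        return self.cache[key]

    def merkle_sign(self):
        i = self.nvram["next_leaf"]
        if i >= 2 ** self.h:              # limited number of signatures per public key
            raise RuntimeError("key exhausted: all 2^h one-time leaves used")
        self.nvram["next_leaf"] = i + 1   # commit the new state before releasing anything
        auth = [self.node(lvl, (i >> lvl) ^ 1) for lvl in range(self.h)]
        self.drop_outdated_cache()
        return i, self.node(0, i), auth   # (index, leaf, authentication path)

    def drop_outdated_cache(self):
        # Node (lvl, k) is on the path of leaf j iff k == (j >> lvl) ^ 1, so it is still
        # needed only if a leaf under its sibling (they end at ((k^1)+1) << lvl) is unused.
        nxt = self.nvram["next_leaf"]
        self.cache = {(lvl, k): v for (lvl, k), v in self.cache.items()
                      if ((k ^ 1) + 1) << lvl > nxt}

def merkle_verify(root: bytes, idx: int, leaf: bytes, auth: list) -> bool:
    """Recompute the root from a leaf and its authentication path."""
    node = leaf
    for lvl, sibling in enumerate(auth):
        node = H(sibling, node) if (idx >> lvl) & 1 else H(node, sibling)
    return node == root
```

Clearing `cache` between signatures still yields valid authentication paths, which is why the cache can live outside the TPM, while rolling back `nvram` would reuse a leaf.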



## Conclusion

#### Take away:

- The TPM 2.0 specification is sufficiently agile for PQ crypto.
- Some limits on computation and communication need to be lifted.
- Some additional commands are required for efficiency.
- Hash-based signature schemes may be enabled by firmware updates. ⇒ No need for new hardware.
- Fast and efficient lattice-, code-, or *MQ*-based implementations require new crypto accelerators. $\Rightarrow$ New hardware required.



Thank you!





## Contact Information

Andreas Fuchs, Ruben Niederhagen

Cyber-Physical Systems Security

Fraunhofer Institute for Secure Information Technology

Address: Rheinstraße 75, 64295 Darmstadt, Germany

Internet: www.sit.fraunhofer.de/en/pqc-tpm/

Phone: +49 6151 869-228

Fax: +49 6151 869-224

E-Mail: andreas.fuchs@sit.fraunhofer.de



### **Image Sources**

Title Page: ©IBM Research, CC BY-ND 2.0 https://creativecommons.org/licenses/by-nd/2.0/

Clip Art (slide 7): Public Domain https://creativecommons.org/publicdomain/zero/1.0/

