|随着量子破译算法的不断优化和量子计算机硬件技术的快速发展，目前传统密码算法面临越来越大的安全风险，这使得抗量子计算成为研究热点，目前用传统密码体制构建的VPN，越来越受到量子计算攻击的威胁。为了解决传统VPN中在身份验证和密钥协商环节不能抵抗量子计算攻击的问题，本文基于Microsoft PQCrypto-VPN项目的框架，依赖于OpenSSL的OpenQuantum Safe项目分支，设计了一套抗量子计算攻击的软件VPN系统。对比进入NIST第三轮筛选的后量子数字签名和密钥协商算法，通过综合考量运算性能和安全性能，系统采用后量子签名算法Picnic和密钥协商算法CRYSTALS-KYBER，以实现VPN通信中数据的抗量子计算攻击安全保护。同时，本文对所使用的上述两种后量子算法进行了安全性分析，以阐述本系统的抗量子安全性能，并对系统进行了性能测试。在测试的带宽条件下，VPN连接后最高上传速度可达206 Kb/s，下载速度可达2495 Kb/s，与通过公网直接传输和通过传统OpenVPN传输两种情形下的传输速度相近；在通信延迟方面，相比目前提出的三种后量子VPN系统均有明显降低，在牺牲少量带宽的情况下实现了对数据通信的更高安全保障。
|关键词: 抗量子计算攻击 Picnic CRYSTALS-KYBER SSL VPN OpenSSL OpenVPN
|PQVPN: Design of Software VPN against Quantum Computing Attack
|YANG Yatao,ZHAO Ruoyan,CHANG Xin,GUO Chao,XIAO Song
|Department of Electronic and Communication Engineering, Beijing Electronics Science and Technology Institute, Beijing 100070, China;School of Telecommunication Engineering, Xidian University, Xi'an 710071, China
|With the continuous optimization of quantum decoding algorithm and the rapid development of quantum computer hardware technology, traditional cryptography algorithms are confronting more and more security risks, which makes post quantum computing becoming one of research hotspots. At present, Virtual Private Network (VPN) with traditional cryptographic mechanism is facing a growing security threat by quantum computing attacks in authentication and key exchange. In order to solve the issue of quantum computing attack in authentication and key exchange in traditional VPN, A software VPN system against quantum computing attacks (PQVPN) is designed in this paper based on the framework of Microsoft PQcrypto-VPN project and relied on the open quantum safe project branch of OpenSSL. The post quantum digital signature and key exchange algorithms that have been selected as the third-round candidates by National Institute of Standards and Technology (NIST) are compared in this paper with comprehensive consideration on the working performance and security of these algorithms. Picnic, a post quantum signature algorithm, and CRYSTALS-KYBER, a key agreement algorithm, are used in this system to achieve the post quantum security protection for communication data in VPN tunnel. Moreover, the security of these two post quantum algorithms is analyzed in this paper, the post quantum security in this PQVPN system is also illustrated. In addition, the working performance of this PQVPN system in the public network environment is tested. The test shows that the maximum of upload speed and download speed after VPN connection can reach 206 Kb/s and 2495 Kb/s under the experimental bandwidth environment, which is similar to the transmission speed under the direct transmission through public network and transmission through traditional OpenVPN. Compared with three proposed post quantum VPN systems, the communication delay is significantly reduced, higher security in data communication can be realized with a small amount of bandwidth expense in this PQVPN system.
|Key words: resist quantum computing attacks picnic CRYSTALS-KYBER SSL VPN OpenSSL OpenVPN