Post-Quantum Cryptography: State of the Art

  • Johannes A. Buchmann
  • Denis Butin
  • Florian Göpfert
  • Albrecht Petzoldt
Chapter
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9100)

Abstract

Public-key cryptography is indispensable for cyber security. However, as a result of Peter Shor shows, the public-key schemes that are being used today will become insecure once quantum computers reach maturity. This paper gives an overview of the alternative public-key schemes that have the capability to resist quantum computer attacks and compares them.

Keywords

Public-key cryptography Quantum computing   Post-quantum cryptography 

References

  1. 1.
    Ajtai, M.: Generating hard instances of lattice problems (extended abstract). In: Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing, STOC 1996, pp. 99–108. ACM, New York (1996)Google Scholar
  2. 2.
    El Yousfi Alaoui, S.M., Cayrel, P.-L., Mohammed, M.: Improved identity-based identification and signature schemes using Quasi-dyadic Goppa codes. In: Kim, T., Adeli, H., Robles, R.J., Balitanas, M. (eds.) ISA 2011. CCIS, vol. 200, pp. 146–155. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  3. 3.
    Bai, S., Galbraith, S.D.: An improved compression technique for signatures based on learning with errors. In: Benaloh, J. (ed.) CT-RSA 2014. LNCS, vol. 8366, pp. 28–47. Springer, Heidelberg (2014)CrossRefGoogle Scholar
  4. 4.
    Bai, S., Galbraith, S.D.: Lattice decoding attacks on binary LWE. In: Susilo, W., Mu, Y. (eds.) ACISP 2014. LNCS, vol. 8544, pp. 322–337. Springer, Heidelberg (2014)Google Scholar
  5. 5.
    Bennett, C.H., Bernstein, E., Brassard, G., Vazirani, U.: Strengths and weaknesses of quantum computing. SIAM J. Comput. 26(5), 1510–1523 (1997)MathSciNetCrossRefMATHGoogle Scholar
  6. 6.
    Bernstein, D.J., Buchmann, J., Dahmen, E. (eds.): Post-Quantum Cryptography. Springer, Heidelberg (2008)Google Scholar
  7. 7.
    Bernstein, D.J., Lange, T., Peters, C., Schwabe, P.: Faster 2-regular information-set decoding. In: Chee, Y.M., Guo, Z., Ling, S., Shao, F., Tang, Y., Wang, H., Xing, C. (eds.) IWCC 2011. LNCS, vol. 6639, pp. 81–98. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  8. 8.
    Bertoni, G., Daemen, J., Peeters, M., Assche, G.V.: The Keccak reference, January 2011. http://keccak.noekeon.org/
  9. 9.
    Biswas, B., Sendrier, N.: McEliece cryptosystem implementation: theory and practice. In: Buchmann, J., Ding, J. (eds.) PQCrypto 2008. LNCS, vol. 5299, pp. 47–62. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  10. 10.
    Bogdanov, A., Eisenbarth, T., Rupp, A., Wolf, C.: Time-area optimized public-key engines: MQ-cryptosystems as replacement for elliptic curves? In: Oswald, E., Rohatgi, P. (eds.) CHES 2008. LNCS, vol. 5154, pp. 45–61. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  11. 11.
    Brassard, G., Hoyer, P., Tapp, A.: Quantum algorithm for the collision problem. arXiv preprint quant-ph/9705002 (1997)Google Scholar
  12. 12.
    Buchmann, J.: Introduction to Cryptography. Springer, Heidelberg (2004)CrossRefMATHGoogle Scholar
  13. 13.
    Buchmann, J., Dahmen, E., Ereth, S., Hülsing, A., Rückert, M.: On the security of the Winternitz one-time signature scheme. In: Nitaj, A., Pointcheval, D. (eds.) AFRICACRYPT 2011. LNCS, vol. 6737, pp. 363–378. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  14. 14.
    Buchmann, J., Dahmen, E., Hülsing, A.: XMSS - a practical forward secure signature scheme based on minimal security assumptions. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 117–129. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  15. 15.
    Buhler, J.P., Lenstra Jr., H.W., Pomerance, C.: Factoring integers with the number field sieve. In: The Development of the Number Field Sieve, pp. 50–94. Springer, Heidelberg (1993)Google Scholar
  16. 16.
    Chen, A.I.-T., Chen, M.-S., Chen, T.-R., Cheng, C.-M., Ding, J., Kuo, E.L.-H., Lee, F.Y.-S., Yang, B.-Y.: SSE implementation of multivariate PKCs on modern x86 CPUs. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 33–48. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  17. 17.
    Chen, Y., Nguyen, P.Q.: BKZ 2.0: better lattice security estimates. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 1–20. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  18. 18.
    Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)MathSciNetCrossRefMATHGoogle Scholar
  19. 19.
    Ding, J., Schmidt, D.: Rainbow, a new multivariable polynomial signature scheme. In: Ioannidis, J., Keromytis, A.D., Yung, M. (eds.) ACNS 2005. LNCS, vol. 3531, pp. 164–175. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  20. 20.
    Ding, J., Yang, B.-Y., Dubois, V., Cheng, C.-M., Chen, O.: Breaking the symmetry: a way to resist the new differential attack (2007). http://eprint.iacr.org/2007/366
  21. 21.
    Dobbertin, H., Bosselaers, A., Preneel, B.: RIPEMD-160: a strengthened version of RIPEMD. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 71–82. Springer, Heidelberg (1996)CrossRefGoogle Scholar
  22. 22.
    Ducas, L., Durmus, A., Lepoint, T., Lyubashevsky, V.: Lattice signatures and bimodal gaussians. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 40–56. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  23. 23.
    Feynman, R.: Simulating physics with computers. Int. J. Theor. Phys. 21(6–7), 467–488 (1982)MathSciNetCrossRefGoogle Scholar
  24. 24.
    Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987)CrossRefGoogle Scholar
  25. 25.
    El Gamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 10–18. Springer, Heidelberg (1985)CrossRefGoogle Scholar
  26. 26.
    Garey, M.R., Johnson, D.S.: Computers and Intractability: A Guide to the Theory of NP-Completeness. W.H. Freeman, New York (1979)MATHGoogle Scholar
  27. 27.
    Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Proceedings of the Forty-First Annual ACM Symposium on Theory of Computing, STOC 2009, pp. 169–178. ACM, New York (2009)Google Scholar
  28. 28.
    Grover, L.K.: A fast quantum mechanical algorithm for database search. In: Miller, G.L. (ed.) Proceedings of the Twenty-Eighth Annual ACM Symposium on the Theory of Computing, pp. 212–219. ACM (1996)Google Scholar
  29. 29.
    Heyse, S., von Maurich, I., Güneysu, T.: Smaller keys for code-based cryptography: QC-MDPC McEliece implementations on embedded devices. In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 273–292. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  30. 30.
    Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a ring-based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  31. 31.
    Hülsing, A., Rausch, L., Buchmann, J.: Optimal parameters for XMSS\(^{MT}\). In: Cuzzocrea, A., Kittl, C., Simos, D.E., Weippl, E., Xu, L. (eds.) CD-ARES Workshops 2013. LNCS, vol. 8128, pp. 194–208. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  32. 32.
    Joux, A.: A new index calculus algorithm with complexity l (1/4+ o (1)) in very small characteristic. IACR Cryptology ePrint Archive 2013:95 (2013)Google Scholar
  33. 33.
    Kipnis, A., Patarin, J., Goubin, L.: Unbalanced oil and vinegar signature schemes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 206–222. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  34. 34.
    Koblitz, N.: Elliptic curve cryptosystems. Math. Comput. 48(177), 203–209 (1987)MathSciNetCrossRefMATHGoogle Scholar
  35. 35.
    Lamport, L.: Constructing Digital Signatures from a One Way Function. Technical report, SRI International Computer Science Laboratory (1979). http://research.microsoft.com/en-us/um/people/lamport/pubs/dig-sig.pdf
  36. 36.
    Landais, G., Sendrier, N.: Implementing CFS. In: Galbraith, S., Nandi, M. (eds.) INDOCRYPT 2012. LNCS, vol. 7668, pp. 474–488. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  37. 37.
    Lenstra, A., Lenstra Jr., H.W., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. 261(4), 515–534 (1982)MathSciNetCrossRefMATHGoogle Scholar
  38. 38.
    Lenstra, A.K.: Key lengths. Technical report. Wiley (2006)Google Scholar
  39. 39.
    Lenstra, A.K., Lenstra Jr., H.W., Manasse, M.S., Pollard, J.M.: The number field sieve. In: Ortiz, H. (ed.) Proceedings of the 22nd Annual ACM Symposium on Theory of Computing, Baltimore, Maryland, USA, 13–17 May, pp. 564–572. ACM (1990)Google Scholar
  40. 40.
    Lindner, R., Peikert, C.: Better key sizes (and attacks) for LWE-based encryption. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 319–339. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  41. 41.
    Liu, M., Nguyen, P.Q.: Solving BDD by enumeration: an update. In: Dawson, E. (ed.) CT-RSA 2013. LNCS, vol. 7779, pp. 293–309. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  42. 42.
    Lyubashevsky, V., Micciancio, D.: Generalized compact knapsacks are collision resistant. In: Bugliesi, M., Preneel, B., Sassone, V., Wegener, I. (eds.) ICALP 2006. LNCS, vol. 4052, pp. 144–155. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  43. 43.
    Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  44. 44.
    Matsumoto, T., Imai, H.: Public quadratic polynomial-tuples for efficient signature-verification and message-encryption. In: Günther, C.G. (ed.) EUROCRYPT 1988. LNCS, vol. 330, pp. 419–453. Springer, Heidelberg (1988)CrossRefGoogle Scholar
  45. 45.
    McEliece, R.J.: A public-key cryptosystem based on algebraic coding theory. Deep Space Network Progress Report 44, 114–116 (1978)Google Scholar
  46. 46.
    McGrew, D., Curcio, M.: Hash-Based Signatures. Internet Engineering Task Force (2014) (Internet-Draft)Google Scholar
  47. 47.
    Melchor, C.A., Cayrel, P., Gaborit, P., Laguillaumie, F.: A new efficient threshold ring signature scheme based on coding theory. IEEE Trans. Inf. Theory 57(7), 4833–4842 (2011)MathSciNetCrossRefGoogle Scholar
  48. 48.
    Menezes, A.J., Van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. CRC Press, Boca Raton (2010)MATHGoogle Scholar
  49. 49.
    Merkle, R.C.: Secrecy, authentication and public key systems. Ph.D. thesis, Stanford University (1979)Google Scholar
  50. 50.
    Merkle, R.C.: A certified digital signature. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 218–238. Springer, Heidelberg (1990)Google Scholar
  51. 51.
    Micciancio, D.: The hardness of the closest vector problem with preprocessing. IEEE Trans. Inf. Theory 47(3), 1212–1215 (2001)MathSciNetCrossRefMATHGoogle Scholar
  52. 52.
    Miller, V.S.: Use of elliptic curves in cryptography. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 417–426. Springer, Heidelberg (1986)Google Scholar
  53. 53.
    Misoczki, R., Tillich, J., Sendrier, N., Barreto, P.S.L.M.: MDPC-McEliece: new McEliece variants from moderate density parity-check codes. In: Proceedings of ISIT, pp. 2069–2073. IEEE (2013)Google Scholar
  54. 54.
    Morrison, M.A., Brillhart, J.: A method of factoring and the factorization of F7. Math. Comput. 29(129), 183–205 (1975)MathSciNetMATHGoogle Scholar
  55. 55.
    Patarin, J.: The oil and vinegar signature scheme. Dagstuhl Workshop on Cryptography, September 1997Google Scholar
  56. 56.
    Persichetti, E.: Secure and anonymous hybrid encryption from coding theory. In: Gaborit, P. (ed.) PQCrypto 2013. LNCS, vol. 7932, pp. 174–187. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  57. 57.
    Peters, C.: Information-set decoding for linear codes over F \(_{\mathit{q}}\). In: Sendrier, N. (ed.) PQCrypto 2010. LNCS, vol. 6061, pp. 81–94. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  58. 58.
    Petzoldt, A., Bulygin, S., Buchmann, J.: CyclicRainbow – a multivariate signature scheme with a partially cyclic public key. In: Gong, G., Gupta, K.C. (eds.) INDOCRYPT 2010. LNCS, vol. 6498, pp. 33–48. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  59. 59.
    Petzoldt, A., Bulygin, S., Buchmann, J.: Linear recurring sequences for the UOV key generation. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 335–350. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  60. 60.
    Petzoldt, A., Bulygin, S., Buchmann, J.: A multivariate threshold ring signature scheme. In: AAECC (2012)Google Scholar
  61. 61.
    Petzoldt, A., Chen, M.-S., Yang, B.-Y., Tao, C., Ding, J.: Design principles for HFEv- based multivariate signature schemes. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015, Part I. LNCS, vol. 9452, pp. 311–334. Springer, Heidelberg (2015). doi:10.1007/978-3-662-48797-6_14 CrossRefGoogle Scholar
  62. 62.
    Pomerance, C.: The quadratic sieve factoring algorithm. In: Beth, T., Cot, N., Ingemarsson, I. (eds.) EUROCRYPT 1984. LNCS, vol. 209, pp. 169–182. Springer, Heidelberg (1985)CrossRefGoogle Scholar
  63. 63.
    Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Proceedings of the Thirty-Seventh Annual ACM Symposium on Theory of Computing, STOC 2005, pp. 84–93. ACM, New York (2005)Google Scholar
  64. 64.
    Rivest, R.L., Shamir, A., Adleman, L.M.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)MathSciNetCrossRefMATHGoogle Scholar
  65. 65.
    Rogaway, P., Shrimpton, T.: Cryptographic hash-function basics: definitions, implications, and separations for preimage resistance, second-preimage resistance, and collision resistance. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 371–388. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  66. 66.
    Saeedi, K., Simmons, S., Salvail, J.Z., Dluhy, P., Riemann, H., Abrosimov, N.V., Becker, P., Pohl, H.-J., Morton, J.J.L., Thewalt, M.L.W.: Room-temperature quantum bit storage exceeding 39 minutes using ionized donors in silicon-28. Science 342(6160), 830–833 (2013)CrossRefGoogle Scholar
  67. 67.
    Sakumoto, K., Shirai, T., Hiwatari, H.: Public-key identification schemes based on multivariate quadratic polynomials. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 706–723. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  68. 68.
    Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997)MathSciNetCrossRefMATHGoogle Scholar
  69. 69.
    Stehlé, D., Steinfeld, R.: Making NTRU as secure as worst-case problems over ideal lattices. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 27–47. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  70. 70.
    Stern, J.: A new identification scheme based on syndrome decoding. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 13–21. Springer, Heidelberg (1994)CrossRefGoogle Scholar
  71. 71.
    Tao, C., Diene, A., Tang, S., Ding, J.: Simple matrix scheme for encryption. In: Gaborit, P. (ed.) PQCrypto 2013. LNCS, vol. 7932, pp. 231–242. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  72. 72.
    Wang, X., Yu, H.: How to break MD5 and other hash functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  73. 73.
    Wikipedia: Timeline of quantum computing – wikipedia, the free encyclopedia (2014). http://en.wikipedia.org/w/index.php?title=Timeline_of_quantum_computing&oldid=613219069. (Accessed 25 September 2014)

Copyright information

© Springer-Verlag Berlin Heidelberg 2016

Authors and Affiliations

  • Johannes A. Buchmann
    • 1
  • Denis Butin
    • 1
  • Florian Göpfert
    • 1
  • Albrecht Petzoldt
    • 1
  1. 1.Fachbereich InformatikTechnische Universität DarmstadtDarmstadtGermany

Personalised recommendations