Post-Quantum Cryptography Standardization
Post-Quantum Cryptography Standardization is a project by NIST to standardize post-quantum cryptography.[1] 23 signature schemes were submitted, 59 encryption/KEM schemes were submitted[2] by the initial submission deadline at the end of 2017, of which 69 total were deemed complete and proper and participated in the first round. 26 of these have advanced to the second round (17 encryption/key-establishment and 9 signature schemes).
Background
A NIST published report from April 2016 cites experts that acknowledge the possibility of quantum technology to render the commonly used RSA algorithm insecure by 2030.[3] As a result, a need to standardize quantum-secure cryptographic primitives arose. Since most symmetric primitives are relatively easy to modify in a way that makes them quantum resistant, efforts have focused on public-key cryptography, namely digital signatures and key encapsulation mechanisms. In December 2016 NIST initiated a standardization process by announcing a call for proposals.[4]
The competition is now in its second round out of expected three, where in each round some algorithms are discarded and others are studied more carefully. NIST hopes to publish the standardization documents by 2024, but may speed up the process if major breakthroughs in quantum computing are made.
It is currently undecided whether the future standards be published as FIPS or as NIST Special Publication (SP).
Round One
Under consideration were:[5]
(strikethrough means it had been withdrawn)
Type | PKE/KEM | Signature | Signature & PKE/KEM |
---|---|---|---|
Lattice |
|
|
|
Code-based |
|
|
|
Hash-based |
|
||
Multivariate |
|
|
|
Braid group |
|
||
Supersingular Elliptic Curve Isogeny |
|
||
Satirical submission | |||
Other |
|
|
Round One submissions published attacks
- Guess Again by Lorenz Panny [11]
- RVB by Lorenz Panny[12]
- RaCoSS by Daniel J. Bernstein, Andreas Hülsing, Tanja Lange and Lorenz Panny[13]
- HK17 by Daniel J. Bernstein and Tanja Lange[14]
- SRTPI by Bo-Yin Yang[15]
- WalnutDSA
- DRS by Yang Yu and Léo Ducas [18]
- DAGS by Elise Barelli and Alain Couvreur[19]
- Edon-K by Matthieu Lequesne and Jean-Pierre Tillich[20]
- RLCE by Alain Couvreur, Matthieu Lequesne, and Jean-Pierre Tillich[21]
- Hila5 by Daniel J. Bernstein, Leon Groot Bruinderink, Tanja Lange and Lorenz Panny[22]
- Giophantus by Ward Beullens, Wouter Castryck and Frederik Vercauteren[23]
- RankSign by Thomas Debris-Alazard and Jean-Pierre Tillich [24]
- McNie by Philippe Gaborit [25]; Terry Shue Chien Lau and Chik How Tan [26]
Round Two
Candidates moving on to the second round were announced on January 30, 2019. They are:[27]
Type | PKE/KEM | Signature |
---|---|---|
Lattice | ||
Code-based | ||
Hash-based |
| |
Multivariate | ||
Supersingular Elliptic Curve Isogeny |
|
|
Zero-knowledge proofs |
|
Round Three
Albeit unplanned at first, it is likely that NIST will hold a third round in June 2020. By that point NIST will have selected fewer schemes and focus on standardization efforts[48]. The work is expected to end and draft standards made publicly available between 2022 and 2024.[49]
See also
References
- ↑ "Post-Quantum Cryptography Standardization - Post-Quantum Cryptography". 3 January 2017. https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization. Retrieved 31 January 2019.
- ↑ "Archived copy". https://post-quantum.ch/#.
- ↑ "NIST Released NISTIR 8105, Report on Post-Quantum Cryptography". https://csrc.nist.gov/News/2016/NIST-Released-NISTIR-8105,-Report-on-Post-Quantum. Retrieved 5 November 2019.
- ↑ "NIST Asks Public to Help Future-Proof Electronic Information". https://www.nist.gov/news-events/news/2016/12/nist-asks-public-help-future-proof-electronic-information. Retrieved 5 November 2019.
- ↑ Computer Security Division, Information Technology Laboratory (3 January 2017). "Round 1 Submissions - Post-Quantum Cryptography - CSRC". https://csrc.nist.gov/Projects/Post-Quantum-Cryptography/Round-1-Submissions. Retrieved 31 January 2019.
- ↑ 6.0 6.1 6.2 "Archived copy". https://www.onboardsecurity.com/nist-post-quantum-crypto-submission.
- ↑ 7.0 7.1 "Google Groups". https://groups.google.com/a/list.nist.gov/forum/#!topic/pqc-forum/YsGkKEJTt5c. Retrieved 31 January 2019.
- ↑ 8.0 8.1 "ROLLO". http://www.pqc-rollo.org/. Retrieved 31 January 2019.
- ↑ RSA using 231 4096-bit primes for a total key size of 1 TiB. "Key almost fits on a hard drive" Bernstein, Daniel (2010-05-28). "McBits and Post-Quantum RSA". http://cr.yp.to/talks/2010.05.28/slides.pdf#page=29.
- ↑ Bernstein, Daniel; Heninger, Nadia (2017-04-19). "Post-quantum RSA". https://cr.yp.to/papers/pqrsa-20170419.pdf.
- ↑ "Dear all, the following Python script quickly recovers the message from a given "Guess Again" ciphertext without knowledge of the private key". https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/round-1/official-comments/guess-again-official-comment.pdf. Retrieved 30 January 2019.
- ↑ Panny, Lorenz (25 December 2017). "Fast key recovery attack against the "RVB" submission to #NISTPQC: t …. Computes private from public key.". Twitter. https://twitter.com/yx7__/status/945283780851400704. Retrieved 31 January 2019.
- ↑ "Archived copy". https://helaas.org/racoss/.
- ↑ "Archived copy". https://helaas.org/hk17/.
- ↑ "Dear all, We have broken SRTPI under CPA and TPSig under KMA.". https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/round-1/official-comments/SRTPI-official-comment.pdf. Retrieved 30 January 2019.
- ↑ Beullens, Ward; Blackburn, Simon R. (2018). Practical attacks against the Walnut digital signature scheme. https://eprint.iacr.org/2018/318.
- ↑ Kotov, Matvei; Menshov, Anton; Ushakov, Alexander (2018). AN ATTACK ON THE WALNUT DIGITAL SIGNATURE ALGORITHM. https://eprint.iacr.org/2018/393.
- ↑ Yu, Yang; Ducas, Léo (2018). Learning strikes again: the case of the DRS signature scheme. https://eprint.iacr.org/2018/294.
- ↑ Barelli, Elise; Couvreur, Alain (2018). "An efficient structural attack on NIST submission DAGS". arXiv:1805.05429 [cs.CR].
- ↑ Lequesne, Matthieu; Tillich, Jean-Pierre (2018). "Attack on the Edon-K Key Encapsulation Mechanism". arXiv:1802.06157 [cs.CR].
- ↑ Couvreur, Alain; Lequesne, Matthieu; Tillich, Jean-Pierre (2018). "Recovering short secret keys of RLCE in polynomial time". arXiv:1805.11489 [cs.CR].
- ↑ Bernstein, Daniel J.; Groot Bruinderink, Leon; Lange, Tanja; Lange, Lorenz (2017). Hila5 Pindakaas: On the CCA security of lattice-based encryption with error correction. https://eprint.iacr.org/2017/1214.
- ↑ "Official Comments". 13 September 2018. https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/round-1/official-comments/Giophantus-official-comment.pdf.
- ↑ Debris-Alazard, Thomas; Tillich, Jean-Pierre (2018). "Two attacks on rank metric code-based schemes: RankSign and an Identity-Based-Encryption scheme". arXiv:1804.02556 [cs.CR].
- ↑ "I am afraid the parameters in this proposal have at most 4 to 6‐bits security under the Information Set Decoding (ISD) attack.". https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/round-1/official-comments/McNie-official-comment.pdf. Retrieved 30 January 2019.
- ↑ Lau, Terry Shue Chien; Tan, Chik How (31 January 2019). "Key Recovery Attack on McNie Based on Low Rank Parity Check Codes and Its Reparation". Advances in Information and Computer Security. Lecture Notes in Computer Science. 11049. Springer International Publishing. pp. 19–34. doi:10.1007/978-3-319-97916-8_2. ISBN 978-3-319-97915-1.
- ↑ Computer Security Division, Information Technology Laboratory (3 January 2017). "Round 2 Submissions - Post-Quantum Cryptography - CSRC". https://csrc.nist.gov/projects/post-quantum-cryptography/round-2-submissions. Retrieved 31 January 2019.
- ↑ 28.0 28.1 Schwabe, Peter. "CRYSTALS". https://pq-crystals.org/. Retrieved 31 January 2019.
- ↑ "FrodoKEM". https://frodokem.org/. Retrieved 31 January 2019.
- ↑ Schwabe, Peter. "NewHope". https://newhopecrypto.org/. Retrieved 31 January 2019.
- ↑ "Archived copy". https://ntruprime.cr.yp.to/.
- ↑ "SABER". https://www.esat.kuleuven.be/cosic/pqcrypto/saber/index.html. Retrieved 17 June 2019.
- ↑ "ThreeBears". https://sourceforge.net/projects/threebears/. Retrieved 31 January 2019.
- ↑ "Falcon". https://falcon-sign.info/. Retrieved 26 June 2019.
- ↑ "qTESLA – Efficient and post-quantum secure lattice-based signature scheme". https://qtesla.org/. Retrieved 31 January 2019.
- ↑ "BIKE - Bit Flipping Key Encapsulation". https://bikesuite.org/. Retrieved 31 January 2019.
- ↑ "HQC". http://pqc-hqc.org/. Retrieved 31 January 2019.
- ↑ "LEDAkem Key Encapsulation Module". https://www.ledacrypt.org/LEDAkem/. Retrieved 31 January 2019.
- ↑ "LEDApkc Public Key Cryptosystem". https://www.ledacrypt.org/LEDApkc/. Retrieved 31 January 2019.
- ↑ "Archived copy". https://nts-kem.io/.
- ↑ "RQC". http://pqc-rqc.org/. Retrieved 31 January 2019.
- ↑ [1]
- ↑ "Archived copy". https://www-polsys.lip6.fr/Links/NIST/GeMSS.html.
- ↑ "LUOV -- An MQ signature scheme". https://www.esat.kuleuven.be/cosic/pqcrypto/luov/. Retrieved 22 January 2020.
- ↑ "MQDSS post-quantum signature". http://mqdss.org/. Retrieved 31 January 2019.
- ↑ "SIKE – Supersingular Isogeny Key Encapsulation". http://sike.org/. Retrieved 31 January 2019.
- ↑ "Picnic. A Family of Post-Quantum Secure Digital Signature Algorithms". https://microsoft.github.io/Picnic/. Retrieved 26 February 2019.
- ↑ "Some announcements". https://groups.google.com/a/list.nist.gov/forum/#!topic/pqc-forum/-rKSOqFAQeI. Retrieved 6 October 2019.
- ↑ "NIST Workshops and Timeline". https://csrc.nist.gov/Projects/post-quantum-cryptography/workshops-and-timeline. Retrieved 6 October 2019.
External links
- Post-quantum cryptography website by djb
- First round candidates by field by Ryo Fujita
- First round candidates by field (revised)
- First round candidates by field (revised again)