PPT – xds PowerPoint presentation | free to download

About This Presentation

Title:

xds

Description:

asdsa – PowerPoint PPT presentation

Number of Views:2

Slides: 89

Provided by: ram05

Category:

Tags:

more less

Transcript and Presenter's Notes

Title: xds

1

Post-quantum cryptography

Mike Hamburg
Cryptographer

13 June 2019

2
Workshop outline

Quantum computation
Comparison to randomized computation
Shors algorithm
Other quantum algorithms
Overview of post-quantum algorithms
Learning with errors
Supersingular isogenies
Code-based encryption
Hash-based signatures
Multivariate quadratic signatures

3
Quantum computation
4
Quantum computation progress

Significant progress in past 5-10 years
Risk large quantum computer in next 20-30 years
Not a crisis yet, but need to make sure were
ready
New crypto takes years to deploy
Can store encrypted messages, break later

Image Google
5
Classical vs quantum computation

Classical computer is in one state at a time
?? 1 ? ?? 2 ?? 1 ?? 1 ? ??
3 ?? 2 ?? 2 ?
An ??-core machine is in ?? states at a time
(roughly)
Quantum computer can be in many states at a time
Up to 2 ?? states for an ??-qubit machine
so it can solve exponentially hard problems
easily?
eg, break all crypto except one-time pad, solve
NP-complete problems...
No! More complicated than that.

6
Randomized algorithms Markov model

State machine makes transitions with a certain
probability
(?? 1 )?0.3 ?? 2?? 0.7 ?? 2?? ?
Instead states being in a set ??, theyre vectors
in R ??
Stochastic vectors entries are non-negative and
sum to 1
State transitions are ???? matrices
?? 2 ?? 1 ?? 1 ?? 3 ?? 2 ?? 2 ?? 2
?? 1 ?? 1
Add the probabilities from different ways to get
to a state
?? ?? are stochastic matrices entries are
non-negative, each column sums to 1
Required so that new state will be a stochastic
vector

7
Randomized algorithms Markov model

At the end, state is ????? ?? ?? ( ?? ?? )
Final output is ?? ?? with probability ?? ??
Thought experiment want to decrypt some
ciphertext ??
Choose ?? uniformly at random, calculate ?? ??
?Decrypt(??,??), check result
Final state is 1 2 256 ?? ,??
,??????h?? ?????,??? ?? ??, ?? ??
,??????????
Machine was in exponentially many states!
... in the model, but not in real life
Cant extract the low-probability right answer

8
Quantum algorithms

State machine makes transitions with a certain
(complex) amplitude
Randomized ?? 1 ? 0.3 ?? 2?? 0.7 ??
2?? ?
Quantum ?? 1 ?? 0.3 ?? 2?? - 0.7
?? 2?? ??
Superposition instead of being in a set ??,
theyre vectors in C ??
Unit vectors squared norms of coefficients sum
to 1
Transitions are ???? matrices
Add the amplitudes from different ways to get to
a state
Unitary matrices columns are mutually
orthogonal unit vectors
At the end, state is ????? ?? ?? ?? ?? ?
Final output is ?? ?? with probability ?? ??
? 2

9
Why quantum gt randomized

Probabilities only add amplitudes can also
cancel 1 2 2 - 1 2 2 ? 0 2
Also reinforce more strongly than probabilities
1 2 2 1 2 2 ? 1 2
Small amplitudes contribute more
Markov prob ?? contributes distance ??
Quantum prob ?? contributes distance ??
Grovers algorithm takes advantage of this for
square-root speedup
Most importantly specialized algorithms
Fourier transform is unitary

10
Quantum Fourier Transform

Fourier transform reveals the periods in a data
set
Written as ?? ?? ? 1 ?? ??0 ??-1 ?? ??
?? 2???????? ??
Fast Fourier Transform CT65, GS66 can compute
in ??(?? log ?? ) steps
Quantum Fourier Transform can compute in ??(
log 2 ?? ) steps
Take Fourier transform of exponentially large
objects ( 2 thousands )!
Fourier sampling sample ?? with probability ??
?? 2
Shor Sho94 Given a function ??N??? with
unknown period ????, find ??

11
Breaking RSA with Shors algorithm

RSA ??????, ??65537, ?? ?? -1 mod ?? ??
where ?? ?? ??-1 ??-1
Encrypt ??? ?? ?? mod ?? decrypt ??? ?? ??
mod ??
Result is ?? ???? ?? ???? ?? 1 ?? 1
This is because the function ?? ?? ?? ? ?? ??
is periodic with period dividing ?? ??
Broken using Shors algorithm on a quantum
computer
Find period of ?? ?? ?? ? ?? ?? mod ??
which divides ?? ??
Can also use this info to factor ??

12
Breaking ECDH/ECDSA with Shors algorithm

ECDH/ECDSA/X25519/ public key is HaG in some
elliptic curve group
Shor find some period of ?? ??,?? ????????
which is in lattice ??,0 , 0,?? ,(??,-1)
Slightly easier than breaking RSA, but only
because EC keys are much smaller

13
Other quantum algorithms

Grovers algorithm Gro96 for satisfiability
find ?? such that ?? ?? 1
Still takes exponential time for SAT
Uses ?? sequential calls, ?? ?? ?? total
calls to ??
vs. ?? ?? classically at most ?? speedup
Practically, ??lt 2 60 5 GHz7 years
Even smaller at first 30-60 bit speedup, less
cost of quantum computer
Kuperbergs algorithm Kup03 for hidden shift
if ??(??)?? ???? , find ??
in subexponential time
Many others, but these are the most relevant

14
Quantum algorithms conclusion

If quantum computer can be built, most public key
crypto is broken
RSA broken
Finite field DSA, DH broken
Elliptic curve DSA, DH (incl. NIST, Brainpool,
25519) broken
Symmetric key crypto is probably less affected
Ciphers lose 30-60 bits of strength (not
actually half)
Hash collisions might lose 20 (SHA256 128?102)
Just use a bigger key
Need new public key encryption and signatures

15
Post-quantum cryptography
16
What are we trying to build?

Quantum-resistant replacements for existing
algorithms
Defender has a classical computer
Attacker has a quantum computer (or gets one
later)
Start with the basics
Public-key encryption
Public-key encapsulation / key agreement
Public-key signatures

17
What are we trying to build?

Public-key encryption

pk,sk ?KeyGen()
pk
ct?Encrypt(pk,??)
ct
??Decrypt(sk,ct)
18
What are we trying to build?

Public-key exchange / encapsulation

pk,sk ?KeyGen()
pk
(ct,??)?Encaps(pk)
ct
??Decaps(sk,ct)
19
What are we trying to build?

Public-key signatures

pk,sk ?KeyGen()
pk
sig?Sign(sk,??)
(??,sig)
Verify(pk,??,sig)
20
Post-quantum crypto overview

Main criterion not based on factoring or
discrete log
Lots of problems to choose from
Hashes
Codes Goppa, QC-MDPC
Multivariate quadratics HFE, UOV, Rainbow
Lattices Ring/Module Learning with
Errors/Rounding
Short independent set NTRU ...
Supersingular isogenies
Braid group conjugacy (broken?)
NIST standardization process ongoing (round 2)

21
NIST submission categories (round 2)
Category Encryption / Key Exch Signatures
Lattices / LWE 9 3
Error-correcting codes 7
Isogenies 1
Hash-based signatures 2
Multivariate quadratics 4
Total 17 9
22
Post-quantum encryption andkey exchange
23
Post-quantum RSA

Proposal multi-prime RSA with terabyte keys!

24
LWE and NTRU
25
Learning with Errors

ECDH structure
Let ?? be a generator on an elliptic curve of
order ??
Private keys are random integers ??,?? mod ??
Public keys ????,????? shared secret ??????
Broken by quantum computers!
Try again with matrices
Let ?? be a random matrix with entries mod ??
Private keys are random matrices ??,?? with
entries mod ??
Public keys ????,????? shared secret ??????
Broken by classical computers! Whoops!

26
Learning with Errors key exchange Frodo BCD16

Let ?? be a random (640640) matrix with entries
mod ?? ( 2 15 )
Private keys are random matrices ??,?? with small
entries
E.g., Gaussian with stdev 2.8
Matrices are 6408 or v/v
Public keys ??????,??????? nearly-shared secret
??????
Parties actually get ?? ?? ???????????, ?? ??
???????????
Requires reconciliation e.g. send lower bits of
?? ?? , secret is higher bits
Simple but large public keys and ciphertexts are
10kB

27
Improving performance Ring-LWE motivation

Standard LWE
?? is a random matrix (generated from seed)
not transmitted
??????,?????? are somewhat large 6408
Need to do full matrix multiply

a
k
b
G
( errors)
28
Improving performance Ring-LWE

Ring-LWE
?? is a random structured (e.g. cyclic) matrix
not transmitted
??,??,??????,?????? are also structured only
send top row
More efficient matrix multiply available
Structure might help attacker??

k
b
a
G
( errors)
29
Polynomial rings generalization of cyclic
matrices

Pick some modulus ?? and degree-?? polynomial ??
Usually ?? ?? ?? ?? 1
The polynomial ring Z ?? ?? /??(??) is
lt??th-degree polynomials with coeffs mod ??
Addition is just polynomial addition (same as
vector addition) coeffs mod ??
Multiplication produces a degree 2??-2
polynomial
Divide by ??(??) and take the remainder
If ?? ?? ?? ?? -1, same as cyclic matrices
If ??, ??-1 both highly divisible by 2, can use
fast Fourier multiply

30
Improving performance Ring-LWE

NewHope ADPS15
Very fast Ring-LWE implementation
512-element or 1024-element keys with
Fourier-based multiplication
Public keys 928 bytes, ciphertexts 1120 bytes
(at 512512)

k
b
a
G
( errors)
31
Improving performance Module-LWE

Module-LWE use a block matrix
Pioneered by Kyber BDK17
Main purpose allow tunability if using a
specific ring (e.g. for Fourier)
Less structure might might also thwart attacks?
Kyber pubkey 800 bytes, ciphertext 736 bytes

a
k
b
G
( errors)
32
Integer Module-LWE ThreeBears Ham17

Instead of blocks being a matrix (or poly ring
element), its a number mod sparse ??
??,?? and errors have small digits (in base 2
10 ) instead of small entries
Fast and simple, but problem is new
More conservative parameters just in case
Public keys 804 bytes, ciphertexts 917 bytes

a
k
b
G
( errors)
33
Learning with Rounding Saber AKRV17 and Round5
BBF19

Recall LWE
Public keys are ??????,??????
LWR
Public keys are ????? , ????
The error ??,?? is replaced by rounding error
Pro simpler, less randomness, transmit fewer
bits
Con security is less studied

34
NTRU encryption HPS98

Key generation
Choose random polynomials ??,?? in ??Z ?? ??
/( ?? ?? -1) with small coeffs
Public key is h??/?? in ??
Private key is ?? and ?? 3 ? ?? -1 in Z 3 ??
/( ?? ?? -1)
Encrypt ?? as ??3??h?? where ????? is random
with small coefficients
Decrypt ????3????????
Take coeffs mod 3 if they didnt wrap, get
???? mod 3
Multiply by ?? 3 to recover ??

35
NTRU encryption, continued

NTRU pros
NTRU encryption/decryption are very fast
Small keys/ciphertexts (1kB)
Around for 20 years, not broken ? fairly
conservative
NTRU cons Keygen can be slowish
More complex than RLWE
Security vs RLWE active debate

36
LWE/lattice key exchange, conclusion

Pros simple and fast
Cons somewhat large keys and ciphertexts
Applications TLS-like key exchange encryption
Systems many options, mostly similar, mostly
good
NTRU is time-tested, Saber is simple, Round5 is
small
Kyber and ThreeBears have good all-around
balance
LAC is hard to implement in constant time
Frodo is big but the most conservative option

37
Code-based encryption
38
Error-correcting codes
Encode
Decode
??
?? ????
Noisy channel
?? ' ??????
??

Linear codes may be described by a generator
matrix ??
Alternatively, by a parity-check matrix ?? such
that ????0
Typically given in systematic form ?? ?? ??'
, ?? ?? ??'
Each code has a design capacity of at most ??
errors
Error correction usually starts with syndrome
?? ?? ' ????

39
Code-based public key encryption McEliece McE78

Private key is an error-correcting code (eg, a
binary Goppa code)
Can be written as ???? matrix ??
Also random invertible ???? matrix ?? and ????
permutation ??
Public key is ????????
Very large 1 megabyte
Obfuscates the structure of the code
Decoding with a random code is hard
Encode a message as ??????
Decode by correcting errors using hidden
structure

40
Code-based encryption, continued

Encoding and decoding are fast ciphertexts are
small public key is huge
Niederreiters improvement Nie86
Encode the message in the errors
Send only the syndrome
Improves speed and size, but public keys are
still hundreds of kB
Security same as McEliece
Performance (128-bit security) 300kB public
key, 128 byte ciphertext
More than 40 years old still secure ? most
conservative choice

41
McEliece proposed codes
Family Proposed by Broken by
Binary Goppa Codes McEliece (78) ?
Reed Solomon Niederreiter (86) Sidelnikov Shestakov (92)
Concatenated Niederreiter (86) Sendrier (98)
Rank-metric Gabidulin (91) Overbeck (2005)
Reed Muller Sidelnikov (94) Minder Shokrollahi (07)
Algrebraic Geometric Janwa Moreno (96) Faure Minder (08) Couvreur, Marquez-Corbella Pellikaan (14)
LDPC Monico, Rosenthal Shokrollahi (00) Monico, Rosenthal Shokrollahi (00)
Convolutional codes Londahl Johansson (12) Landais Tillich (13)
QC MDPC Misoczki Tillich Sendrier Barreto (12) ?
Wild Goppa Codes Bernstein Lange Peters (10) ? Couvreur Otmani Tillich (14)
QC Rank-metric Gaborit (2013) ?
42
Structured code-based key exchange

What if we use a structured code? Eg
quasicyclic QcBits Cho16
Worse codes, more structure ? helps the attacker
Public keys are much smaller
Ciphertexts larger because of worse parameters
Roughly a code-based NTRU
Rank-metric codes ROLLO ( Oroborous-R, LAKE,
Locker) AAB19
Quasicyclic codes with rank instead of Hamming
metric
Earlier rank codes broken in 1985 and 2005
No attacks on this family yet
Smaller public keys and ciphertexts 465 bytes

43
Code-based encryption, conclusion McEliece

Pros small messages, fast decryption, very
conservative
Cons large public keys
Applications
High-value encryption that must remain secure
for a very long time
Cases where public keys are distributed very
rarely
Systems Probably Classic McEliece.
NTS-KEM is very similar

44
Code-based encryption, conclusion Structured

Pros smaller messages and public keys than
McEliece
Cons Relatively new
Structured Hamming codes usually edged out by
RLWE (in my opinion)
Failure probability issues
Rank-metric codes better performance, but even
newer
Applications
Cases where speed and bandwidth (incl public
key) are both important

45
Supersingular isogenies
46
Supersingular isogeny key exchange

Recall again ECDH structure
Let ?? be a generator on an elliptic curve of
order ??
Private keys are random integers ??,?? mod ??
Public keys ????,????? shared secret ??????
Broken by quantum computers Shor on ?? ??,??
?????????
SIKE dFJP11 / CSIDH CLM18
Let ?? be an elliptic curve
Let ??,?? be isogenies from ?? to other curves
Public keys ?? ?? ,?? ?? ? shared secret
????(??)
Cant use Shor cant implement ?? ??,??
?????????

47
Supersingular isogeny key exchange SIKE

Build ?? from a chain of degree-2 steps, ?? from
degree-3
Each degree-2 or degree-3 step has multiple
options
Chain construction is similar to EC scalar
multiply
Degree-2 and degree-3 guaranteed to commute
Pros Small keys, as small as 200 bytes
Cons Very slow and very complicated

48
Supersingular isogeny key exchange CSIDH

Use a restricted family of isogenies that always
commute
Only one option for each degree!
Chain of isogenies of degree 2 ?? , 3 ?? , 5 ??
,
Pros
Smaller keys, as small as 64 bytes
Honest-to-goodness replacement for ECDH
Cons
Even slower and even more complicated than SIKE
Hard to implement in constant time
Possibly weak to Kuperbergs quantum
hidden-shift algorithm

49
Supersingular isogenies, conclusion

Pros small public keys and ciphertexts
(especially for CSIDH)
Cons very slow and very complicated
Applications
Useful when bandwidth is of utmost importance
Systems
SIKE is the only NIST candidate
Dont use CSIDH yet its too new and already
showing risks

50
Chosen-ciphertext attacks
51
Chosen-ciphertext attacks

Most of these schemes are malleable
LWE add a little bit more error
Some code-based flip a few more bits
SIKE change which points used to represent
curve
Malleability leads to chosen-ciphertext attacks!
Usually not relevant if key is only used once
Solution Fujisaki-Okamoto transform FO99 for
KEMs
Must use PRNG to generate encryption randomness
Seed PRNG from message
When receiving, check that encryption was
honest else reject

52
Post-quantum signatures
53
Signature paradigms

Hash-and-sign
Eg RSA sig satisfies ?? pk,sig ??(??)
Fiat-Shamir transform FS86, eg EdDSA
Turn an interactive zero-knowledge proof into a
signature
Unruh transform Unr10 variant for small
domains with post-quantum proof
One-time to many-time

commit
Prover
Verifier
challenge H(commit, message)
decommit
54
Hash-based signatures
55
Hash-based one-time signatures Lam79

One-time signature
Private key is random 256-bit values ?? ?? ???
0..255
Let ?? be some one-way function (eg, SHA)
Public key is F ?? ?? ??? 0..255
To sign ?? ???hash(??) sig ?? ?? bit ?? of
?? is 1
Winternitz improvement Mer79 shorten signature
by factor of log 2 ??
Public key is hash ?? ??-1 ?? ?? ??? 0..
256 log 2 ?? checksum digits-1
To sign ?????(hash ?? ,??h????????????)sig
?? ?? ?? ?? ??
The checksum prevents forgery by finding
messages where ?? ?? ?? ??
To check signature check that pkhash ?? ??-1-
?? ?? si g i
Practical versions add salt in various places

56
Practical hash-based signatures

Problem need to sign more than one message
Partial solution make ?? keys, keep a counter
Arrange public keys in a Merkle tree
Adds only ??( log ??) hashes to signature

57
Practical hash-based signatures (XMSS, LMS)

Problem dont want to generate/store a million
keys
Solution use a tree of trees!
Generate ?? L0 keys
Generate ?? L1 keys
Use first L0 key to sign tree of L1 keys
After using all ?? L1 keys, repeat using next L0
key
?? levels ? can sign ?? ?? times

58
Stateless hash-based signatures, eg SPHINCS
BHH15

Key generation create, ?? one-time pubkeys using
a PRNG
Private key PRNG seed
Public key root hash using a Merkle tree
Signature choose one of the one-time keypairs
?? ?? ?? , ?? ?? ?? based on ??(??,????????)
Create recursive public key, again using ??
one-time pubkeys, using (seed, ??)
Sign recursive pubkey using ?? ?? ?? reveal ??
?? ?? and Merkle path
Recurse for several levels (SPHINCS ?? 2 8 ,
8 levels)
Ultimately sign message using a few-time
signature (similar construction)
Pro Entirely symmetric crypto ? almost
definitely quantum-resistant
Con Very slow to sign, sigs are 8kB-50kB

59
Hash-based zero-knowledge proof signatures
PICNIC CDH17

Set pk??(sk) for some one-way function ??
?? LowMC designed for multiparty computation
Signature emulate multiparty computation to
compute ??(sk) in 3 shares
Commit to all shares, reveal only one
Repeat in parallel many times
Uses Fiat-Shamir or Unruh transform
Security depends on LowMC as well as hash
function
Performance probably not enough better than
SPHINCS to be worth it

60
Hash-based signatures conclusion

Pros very conservative design, almost definitely
secure
Cons signatures are large signing is very slow
Applications
High-value signatures that must remain valid for
a long time
Cases where bandwidth or storage is cheap
System
Probably best to use SPHINCS rather than PICNIC
for now
XMSS / LMS give smaller signatures if you can
reliably keep state

61
Multivariate quadratic signatures
62
Multivariate quadratics

Functions ?? ?? 1 , ?? 2 ,, ?? ?? ? ?? ????
?? ?? ?? ?? ? ?? ?? ?? ??
Equation systems ?? 1 , ?? ?? ?? 1 ,, ??
?? ?? 1 ,, ?? ?? are hard
NP-hard in the worst case
No known poly-time solution in random case
Goal build encryption or signatures out of this
Signatures seem to work better than encryption

63
Multivariate Quadratic Signatures, hash-and-sign

Private key
Quadratic function ?? 0,1 ?? ? 0,1 ??
Random invertible matrices ?????? and ??????
Public key is ?????????, represented as
?????? tensor
?? must be a special easy to invert quadratic
function
Matsumoto-Imai MI98
Hidden field equations Pat96
Oil and vinegar KPG99 ?? is linear (or
piecewise) with respect to ?? variables
... etc
Public key hides that structure

64
Multivariate quadratic signatures, hash-and-sign,
continued

Sign a message ?? sig ?? -1 ?? -1 ?? -1
hash ??
Signing is quick-ish millions of cycles
Signature is small 100-450 bytes
Verify sig check that ?? sig hash ??
Verification is quick hundreds of kcycles
Public keys are huge 10s-100s of kilobytes

65
Multivariate quadratic signatures, Fiat-Shamir

Used by MQDSS CHR16
Public key
Seed for random quadratic function ??
Value of ?? ?? for some random ??
Signature
Zero-knowledge proof that signer knows ?? ??
Tiny public keys, but large signatures (16kB)

66
Multivariate quadratics, conclusion

Pros small signatures with fast verification
Cons large public keys
Applications
Use cases where sig size and verification speed
are critical
Use cases where public keys are distributed
rarely
Exception MQDSS performance is more like
hash-based (but faster)

67
Lattice signatures
68
Lattices (also underlies LWE, NTRU)

Let ?? be a collection of linearly independent
vectors ?? ?? ? R ??
Set of integer linear combinations of ?? is a
lattice
?? is called the basis of the lattice
Basis isnt unique
Hard lattice problems (when ?? is huge)
Find a basis of short vectors, given a basis of
long ones
Find a short nonzero vector in lattice
Find a lattice vector close to some point

69
Lattice signatures

Hash-and-sign GPV08
Hidden structure is a small basis for a
lattice
Know small basis ? can solve approx. closest
vector problem
Fiat-Shamir sigs BLISS DDLL13, Dilithium
DLL17
Public key is random matrix ??, ?????? where
?? is short.
Signature is zero-knowledge proof of knowledge
for ??
Short Integer Solution (SIS) lattice problem
Can get small signatures and public keys (lt2kB)
Downside usually requires a tricky Gaussian
sampling algorithm

70
Lattice signatures, conclusion

Pros good balance of sig size, public key size,
speed
Cons newer than multivariate signatures
Brittle can leak signing key by mistake
Ring lattices
Falcon (Hash-and-Sign) 900-byte public key,
690-byte signatures
Dilithium (Fiat-Shamir) 1184-byte public key,
2044-byte signatures
Random lattices
QTESLA (Fiat-Shamir) 4128-byte public key,
3104-byte signatures

71
Summary
72
Summary

Quantum computation is a distant but important
threat to public-key crypto
Dont need to deploy countermeasures just yet
Many public-key algorithms which may resist
quantum attack
Usually somewhat less efficient than classical
algorithms
Standardization process ongoing
Field will change stay tuned!

73
Summary of PQ encryption (128-bit PQ security)
Type PK B CT B Notes
Code-based (McEliece) 300k 120 40 years old, high confidence in security
Code-based (Rank) 465 465 Somewhat new
Code-based (Hamming) 1k-3k 1k-3k Issues with high failure rate
Lattices (Unstructured) 10k 10k Conservative assumptions
Lattices (NTRU) 1k 1k 20 years old, good confidence in security
Lattices (RLWE/RLWR) 445-1.2k 549-1.2k Simple somewhat new
Isogenies (SIDH) 330 346 Very slow somewhat new
Isogenies (CSIDH) 64 64 Slow, new possible quantum attacks
74
Summary of PQ signatures (128-bit PQ security)
Type PK B Sig B Notes
Hash-based (SPHINCS) 32 8k-17k Slow signing Very high confidence in security
Hash-based (Picnic2) 32 13k Less conservative than SPHINCS,
Multivariate (MQDSS) 46 16k Bigger but faster than hash-based
Multivariate (GeMSS) 350k 33 Slow signing
Multivariate (Rainbow) 58k-150k 64 Relatively fast
Multivariate (LUOV) 12k 311
Lattice (Falcon) 897 690
Lattice (Dilithium) 1.2k 2k Faster and simpler than Falcon
Lattice (qTESLA) 4k 4k Unstructured lattice more conservative
75
Thanks!

for your patience
to Antriksh for inviting me
to Melissa Rossi for slide material
to Lydia Hamburg and Mark Marson for feedback

76
Questions?
77
References Quantum algorithms

CT65 James Cooley and John Tukey. An algorithm
for the machine calculation of complex Fourier
series. Mathematics of Computation 1965.
GS66 WM Gentleman and G Sande. Fast Fourier
Transforms for fun and profit. AFIPS 1966.
Sho94 Peter Shor. Polynomial-Time Algorithms
for Prime Factorization and Discrete Logarithms
on a Quantum Computer. FOCS 1994.
Gro96 LK Grover. A fast quantum mechanical
algorithm for database search. ACM STC 1996.
Kup03 Greg Kuperberg. A subexponential-time
quantum algorithm for the dihedral hidden
subgroup problem. Arxiv 2003.

78
References Theory and frameworks

FO99 Eiichiro Fujisaki and Tatsuaki Okamoto.
Secure integration of asymmetric and symmetric
encryption schemes. CRYPTO 1999.
DXL12 Jintai Ding, Xiang Xie, and Xiaodong Lin.
A simple provably secure key exchange scheme
based on the learning with errors problem. ePrint
2012/688.
LPR10 Vadim Lyubashevsky, Chris Peikert, and
Oded Regev. On ideal lattices and learning with
errors over rings. EUROCRYPT 2010.

79
References Encryption / KEM

McE78 Robert McEliece. A Public-Key
Cryptosystem Based On Algebraic Coding Theory.
DSN 1978.
Nie86 Harald Niederreiter. Knapsack-type
cryptosystems and algebraic coding theory.
Problems of Control and Information Theory, 1986.
HPS98 Jeffrey Hoffstein, Jill Pipher, and
Joseph H. Silverman. NTRU A ring-based public
key cryptosystem. ANTS 1998.
dfJP11 Luca de Feo, David Jao, and Jérôme Plût.
Towards quantum-resistant cryptosystems from
supersingular elliptic curve isogenies. PQCrypto
2011.
Cho16 Tung Chou. QcBits Constant-time
small-key code-based cryptography. PQCrypto
2016.
CLM18 Wouter Castryck, Tanja Lange, Chloe
Martindale, Lorenz Panny, and Joost Renes. CSIDH
An Efficient Post-Quantum Commutative Group
Action. ASIACRYPT 2018.
AAB19 Carlos Aguilar Melchor, Nicolas Aragon,
Magali Bardet, Slim Bettaieb, Loic Bidoux,
Olivier Blazy, Jean-Christophe Deneuville,
Philippe Gaborit, Adrien Hauteville, Ayoub
Otmani, Olivier Ruatta, Jean-Pierre Tillich,
Gilles Zemor. ROLLO - Rank-Ouroboros, LAKE
LOCKER. NIST submission, 2019.

80
References Signatures

Lam79 Leslie Lamport. Constructing digital
signatures from a one-way function. SRI tech
report, 1979.
Mer79 Ralph Merkle. A certified digital
signature. CACM 1979.
FS86 Amos Fiat and Adi Shamir. How to prove
yourself Practical solutions to identification
and signature problems. CRYPTO 1986.
Unr10 Dominique Unruh. Quantum proofs of
knowledge. ePrint 2010, Eurocrypt 2012.
BHH15 Daniel J. Bernstein, Daira Hopwood,
Andreas Hülsing, Tanja Lange, Ruben Niederhagen,
Louiza Papachristodoulou, Michael Schneider,
Peter Schwabe, Zooko Wilcox-O'Hearn. SPHINCS
practical stateless hash-based signatures.
Eurocrypt 2015.
CDH17 Melissa Chase, David Derler, Steven
Goldfeder, Claudio Orlandi, Sebastian Ramacher,
Christian Rechberger, Daniel Slamanig, Greg
Zaverucha. Post-Quantum Zero-Knowledge and
Signatures from Symmetric-Key Primitives. ACM
CCS 2017.

81
References MQ signatures

MI88 Tsutomu Matsumoto and Hideki Imai. Public
Quadratic Polynomial-Tuples for Efficient
Signature-Verification and Message-Encryption.
Eurocrypt 1988.
Pat96 Jacques Patarin. Hidden Field Equations
(HFE) and Isomorphisms of Polynomials (IP) two
new families of asymmetric algorithms. Eurocrypt
1996.
KPG99 Aviad Kipnis, Jacques Patarin, and Louis
Goubin. Unbalanced oil and vinegar signature
schemes. Eurocrypt 1999.
CHR16 Ming-Shing Chen, Andreas Hülsing, Joost
Rijneveld, Simona Samardjiska, and Peter Schwabe.
From 5-pass MQ-based identification to MQ-based
signatures. Advances in Cryptology - ASIACRYPT
2016.

82
References Lattice signatures

GPV08 Craig Gentry, Chris Peikert, and Vinod
Vaikuntanathan. Trapdoors for hard lattices and
new cryptographic constructions. ACM STC 2008.
DDLL13 Léo Ducas, Alain Durmus, Tancrède
Lepoint, and Vadim Lyubashevsky. Lattice
Signatures and Bimodal Gaussians. CRYPTO 2013.
DLL17 CRYSTALS Dilithium Digital Signatures
from Module Lattices. ePrint 2017/633.

83
References Learning with Errors systems

ADPS15 Erdem Alkim, Léo Ducas, Thomas
Pöppelmann, and Peter Schwabe. Post-quantum key
exchange A New Hope. ePrint 2015/1092
BCD16 Joppe Bos, Craig Costello, Léo Ducas,
Ilya Mironov, Michael Naehrig, Valeria
Nikolaenko, Ananth Raghunathan, Douglas Stebila.
Frodo Take off the ring! Practical,
Quantum-Secure Key Exchange from LWE. ACM CCS
2016.
AKRV17 Jan-Pieter DAnvers, Angshuman Karmakar
Sujoy Sinha Roy, and Frederik Vercauteren.
Saber Module-LWR based key exchange, CPA-secure
encryption and CCA-secure KEM. NIST post-quantum
submission, 2018.
BDK17 Joppe Bos, Léo Ducas, Eike Kiltz,
Tancrède Lepoint, Vadim Lyubashevsky, John M.
Schanck, Peter Schwabe, and Damien Stehlé.
CRYSTALS Kyber a CCA-secure module-latticebased
KEM. Cryptology ePrint Archive, Report 2017/634.
Ham17 Hamburg, Mike. Post-quantum cryptography
proposal ThreeBears. NIST post-quantum
submission, 2017.
BBF19 Hayo Baan, Sauvik Bhattacharya, Scott
Fluhrer, Oscar Garcia-Morchon, Thijs Laarhoven,
Ronald Rietman, Markku-Juhani O. Saarinen, Ludo
Tolhuizen, and Zhenfei Zhang. Round5 Compact and
Fast Post-Quantum Public-Key Encryption. NIST
post-quantum submission, 2019.

84
References Security analysis

HGNP03 Nick Howgrave-Graham, Phong Q. Nguyen,
David Pointcheval, John Proos, Joseph H.
Silverman, Ari Singer, and William Whyte. The
impact of decryption failures on the security of
NTRU encryption. CRYPTO 2003.
BGPW16 Johannes A. Buchmann, Florian Göpfert,
Rachel Player, and Thomas Wunderer. On the
hardness of LWE with binary error Revisiting the
hybrid lattice-reduction and meet-in-themiddle
attack. AFRICACRYPT 2016.
LMP13 Thijs Laarhoven, Michele Mosca, and Joop
van de Pol. Finding shortest lattice vectors
faster using quantum search. PQCrypto 2013.
BDLG16 Anja Becker, Léo Ducas, Nicolas Gama,
and Thijs Laarhoven. New directions in nearest
neighbor searching with applications to lattice
sieving. SODA 2016.

85
Backup slides
86
Fourier Transform

Fourier transform reveals the periods in a data
set
Written as ?? ?? ? 1 ?? ??0 ??-1 ?? ??
?? 2???????? ??
Fast Fourier Transform CT65, GS66 can compute
in ??(?? log ?? ) steps
Uses butterfly transform

87
Quantum Fourier transform in time ??( log 2 ??)

Convert quantum state ? ??0 ??-1 ?? ?? ?? ?
??0 ??-1 ?? ?? ??
Large period ?? gets large amplitude ? large
probability of measurement!
Extract useful structure from an exponentially
large superposition
Each layer of butterflies can be computed in ??(
log ??) time, total ??( log 2 ??)
Butterfly is unitary, up to scaling factor 1
2

Hadamard
Cond. phase
88
Shors algorithm for period finding Sho94