Questions tagged [post-quantum-cryptography]

This tag refers to public-key algorithms based on problems that quantum computers are not known to solve efficiently. Existing algorithms such as RSA, Diffie-Hellman, and ECDSA are breakable with Shor's algorithm on a sufficiently large quantum computer, because Shor solves integer factoring and discrete logarithms (finite-field and elliptic-curve) in polynomial time.

Standardized post-quantum schemes include NTRU (IEEE Std 1363.1), the stateful hash-based signature schemes XMSS and LMS (specified in IETF RFC 8391 and RFC 8554, and approved by NIST in SP 800-208, which restricts key generation and signing to hardware cryptographic modules), and, since August 2024, NIST's FIPS 203 (ML-KEM, derived from CRYSTALS-Kyber), FIPS 204 (ML-DSA, derived from CRYSTALS-Dilithium) and FIPS 205 (SLH-DSA, derived from SPHINCS+).

Symmetric-key algorithms generally don't fall under this category: the best known quantum attack on them is Grover's search, which gives only a quadratic speedup, so doubling the key length restores the intended security margin.
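The classical half of Shor's algorithm, as an added example that is not part of the tag wiki: factoring N is reduced to finding the multiplicative order r of a random base a modulo N. The brute-force `multiplicative_order` below is the only step a quantum computer replaces (with period finding via the quantum Fourier transform), and it is exactly the exponential-time step; the rest of the reduction runs unchanged on a classical machine. The moduli and function names are constructed for illustration.

```python
"""Classical post-processing of Shor's algorithm: factoring via order finding.

Added example, not from the tag wiki. The moduli and function names are constructed."""
from math import gcd
import random
from typing import Optional, Tuple


def multiplicative_order(a: int, N: int) -> int:
    """Smallest r > 0 with a^r = 1 mod N (requires gcd(a, N) == 1).
    This brute-force loop is the exponential step; Shor's algorithm replaces it with
    quantum period finding, which is why RSA, DH and ECDSA fall to a quantum computer."""
    r, x = 1, a % N
    while x != 1:
        x = x * a % N
        r += 1
    return r


def factor_from_order(N: int, a: int, r: int) -> Optional[Tuple[int, int]]:
    """If r is even and y = a^(r/2) is a nontrivial square root of 1 mod N, then
    (y - 1)(y + 1) = 0 mod N splits N. Returns None when r is odd or y = -1 mod N;
    with a random base that happens with probability at most 1/2."""
    if r % 2:
        return None
    y = pow(a, r // 2, N)
    if y == N - 1:
        return None
    p = gcd(y - 1, N)
    if 1 < p < N:
        return (p, N // p)
    return None


def shor_classical(N: int, seed: int = 1, attempts: int = 100) -> Optional[Tuple[int, int]]:
    """Try random bases until order finding yields a factorization of N."""
    rng = random.Random(seed)
    for _ in range(attempts):
        a = rng.randrange(2, N)
        g = gcd(a, N)
        if g > 1:                      # a shares a factor with N: done without order finding
            return tuple(sorted((g, N // g)))
        f = factor_from_order(N, a, multiplicative_order(a, N))
        if f:
            return tuple(sorted(f))
    return None
```

For a 2048-bit RSA modulus the `while` loop in `multiplicative_order` would run for roughly 2^1024 iterations; the quantum version finds r with polynomially many gates, which is the whole reason this tag exists.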

718 questions
19
votes
3 answers

Is braid-based cryptography proven insecure when looking towards post-quantum cryptography?

Braid groups have drawn the attention of cryptographers for a few years, as a promising platform for post-quantum cryptographic protocols. The security of the proposed schemes mostly relied on conjugacy problems, and attacks against this problem were…
Calodeon
  • 382
  • 1
  • 7
10
votes
1 answer

Looking for the current status of the Chinese national cryptographic algorithm design competition

I'm trying to find the results of the Chinese national cryptographic algorithm design competition (which I believe is targeted towards postquantum algorithms); however I cannot find it. I did find this page which (from the title) appears to list the…
poncho
  • 147,019
  • 11
  • 229
  • 360
9
votes
3 answers

Could tropical cryptography become another candidate for post-quantum cryptography?

According to Wikipedia, tropical cryptographic protocols are built upon tropical algebras, i.e., a semiring $(\mathbb{R} \cup \{\infty\}, \oplus, \otimes)$ where $x \oplus y = \min \{x,y\}$ and $x \otimes y = x+y$. Recently, several tropical…
Iqazra
  • 193
  • 1
  • 5
6
votes
2 answers

Can quantum hardness be demonstrated?

I am disturbed by assertions that this or that classical cryptographic primitive is "quantum resistant", but my understanding is that no one knows yet how to demonstrate quantum hardness, or even if such demonstrations are possible. At best, there…
6
votes
1 answer

Long-term data protection, storage of old encrypted traffic and quantum cryptocalipse

Tony Arcieri makes an interesting point in his Imperfect Forward Secrecy article which basically boils down to: large entities such as NSA are storing encrypted internet traffic, also what's to stop smaller entities such as proxy owners from doing…
bbozo
  • 277
  • 1
  • 7
6
votes
2 answers

Kyber 512 Security Level Issue

So I read parts of the following article: https://blog.cr.yp.to/20231003-countcorrectly.html But I quite don't understand it. NIST assumes Kyber 512 is just as hard as AES128 nowadays, in presence of quantum computers. The error they mention is that…
user112982
  • 61
  • 1
6
votes
1 answer

Is Argon2 Quantum safe?

I am developing a post-quantum safe GPG-like program; is Argon2 quantum safe cryptographically for a GPG-like application?
5
votes
1 answer

Question about degree of regularity

I have been reading some papers on cryptography based on multivariate systems and I have a question. How does one relate the difficulty of calculating Gröbner basis (GB) of a multivariate system with its degree of regularity? From what I understand,…
Partha
  • 63
  • 4
4
votes
1 answer

How is a "quantum safe" algorithm fundamentally different from the current "secure" crypto algorithms (pre-quantum)?

I recently read that work is being done to develop "quantum safe" algorithms for encryption / hashing. Presumably, these will have fundamental differences from the current "non-quantum safe" algorithms in use today (RSA, DH, AES, ChaCha20, Poly1305,…
jester
  • 53
  • 3
4
votes
2 answers

Can post-quantum algorithms be run on commercial devices?

Noob alert! Can we run quantum safe algorithms on commercial devices (like phones, laptops, etc)? I've seen some messaging apps and vpn providers marketing themselves as quantum-proof. How likely is that all these claims are bogus for marketing…
Ana-Maria
  • 43
  • 3
4
votes
3 answers

Why is the exponent a power of 2 in Ring-LWE?

I was reading some papers on Ring-LWE. I found almost all of them talk about choosing the polynomial modulus $x^n+1$ where $n$ is a power of $2$. I did not understand why this condition is necessary.
Rick
  • 1,265
  • 8
  • 17
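The halving structure the question asks about, as an added example that is not part of the question or any library: multiplication in $\mathbb{Z}_q[x]/(x^n+1)$ via a negacyclic number-theoretic transform. The Cooley-Tukey recursion splits $x^m - \psi^e$ into $(x^{m/2} - \psi^{e/2})(x^{m/2} + \psi^{e/2})$ at every level and only bottoms out at degree 1 when $n$ is a power of two; it also needs $q \equiv 1 \pmod{2n}$ so that a primitive $2n$-th root of unity $\psi$ with $\psi^n = -1$ exists. The parameters $n = 8$, $q = 17$ and the function names are constructed for illustration.

```python
"""Polynomial multiplication in Z_q[x]/(x^n + 1) via a negacyclic NTT.

Added example, not from the question or any library. Constructed parameters:
n = 8, q = 17 (q = 1 mod 2n, so a primitive 2n-th root of unity psi exists).
"""
from typing import List, Optional


def is_power_of_two(n: int) -> bool:
    return n > 0 and n & (n - 1) == 0


def ntt_supported(n: int, q: int) -> bool:
    """The recursion below halves the degree at every level, so it only bottoms out
    at degree 1 when n is a power of two; it also needs q = 1 mod 2n."""
    return is_power_of_two(n) and (q - 1) % (2 * n) == 0


def find_psi(n: int, q: int) -> int:
    """Smallest primitive 2n-th root of unity mod q, i.e. psi^n = -1 mod q."""
    if not ntt_supported(n, q):
        raise ValueError("need n a power of two and q = 1 mod 2n")
    for psi in range(2, q):
        if pow(psi, n, q) == q - 1 and pow(psi, 2 * n, q) == 1:
            return psi
    raise ValueError("no primitive 2n-th root of unity")  # unreachable for prime q


def ntt(a: List[int], n: int, q: int, psi: int, e: Optional[int] = None) -> List[int]:
    """Reduce a(x) (m = len(a) coefficients) modulo x^m - psi^e via the CRT split
    x^m - psi^e = (x^{m/2} - psi^{e/2}) (x^{m/2} + psi^{e/2}), where
    -psi^{e/2} = psi^{e/2 + n} because psi^n = -1. Top level: x^n + 1 = x^n - psi^n.
    The leaves are the evaluations a(psi^e) at the odd powers of psi."""
    m = len(a)
    if e is None:
        e = n
    if m == 1:
        return [a[0] % q]
    if m % 2:
        raise ValueError("cannot halve an odd-degree modulus: n is not a power of two")
    h = m // 2
    z = pow(psi, e // 2, q)
    lo, hi = a[:h], a[h:]                                   # a = lo + x^h * hi
    left = [(lo[i] + z * hi[i]) % q for i in range(h)]      # a mod (x^h - z)
    right = [(lo[i] - z * hi[i]) % q for i in range(h)]     # a mod (x^h + z)
    return ntt(left, n, q, psi, e // 2) + ntt(right, n, q, psi, e // 2 + n)


def intt(ahat: List[int], n: int, q: int, psi: int, e: Optional[int] = None) -> List[int]:
    """Inverse of ntt: undo each CRT split with lo = (b + c)/2, hi = (b - c)/(2 z)."""
    m = len(ahat)
    if e is None:
        e = n
    if m == 1:
        return [ahat[0] % q]
    h = m // 2
    z = pow(psi, e // 2, q)
    b = intt(ahat[:h], n, q, psi, e // 2)       # a mod (x^h - z)
    c = intt(ahat[h:], n, q, psi, e // 2 + n)   # a mod (x^h + z)
    inv2 = pow(2, -1, q)
    inv2z = inv2 * pow(z, -1, q) % q
    lo = [(b[i] + c[i]) * inv2 % q for i in range(h)]
    hi = [(b[i] - c[i]) * inv2z % q for i in range(h)]
    return lo + hi


def poly_mul_ntt(a: List[int], b: List[int], n: int, q: int) -> List[int]:
    """a * b mod (x^n + 1, q): pointwise products of the evaluations, then interpolate."""
    psi = find_psi(n, q)
    ah, bh = ntt(a, n, q, psi), ntt(b, n, q, psi)
    return intt([x * y % q for x, y in zip(ah, bh)], n, q, psi)


def poly_mul_schoolbook(a: List[int], b: List[int], n: int, q: int) -> List[int]:
    """Reference O(n^2) negacyclic convolution: x^n wraps around to -1."""
    res = [0] * n
    for i in range(n):
        for j in range(n):
            k = i + j
            if k < n:
                res[k] = (res[k] + a[i] * b[j]) % q
            else:
                res[k - n] = (res[k - n] - a[i] * b[j]) % q
    return res
```

With $n = 6$, $q = 13$ the root $\psi$ still exists ($13 \equiv 1 \pmod{12}$), but the recursion is stuck at an odd degree after one split, which is the concrete reason the papers insist on a power of two; the other reason is that $x^n + 1$ is the irreducible cyclotomic polynomial $\Phi_{2n}$ exactly when $n$ is a power of two.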
4
votes
1 answer

Deterministic Rand function for Winternitz One Time Signatures

Suppose you are implementing a Generalized Merkle Signature Scheme, using the Winternitz One-Time Signature Scheme for the node signatures. Furthermore, suppose the implementation is to be stateless (i.e. you don't keep track of which signatures…
Henrick Hellström
  • 10,406
  • 1
  • 30
  • 58
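A simplified Winternitz one-time signature with chains derived deterministically from a seed and a leaf index, as an added example that is not part of the question, of the tag wiki's XMSS/LMS description, or of any library: it shows why a stateless scheme can regenerate its one-time keys from a seed, and what goes wrong if the same leaf index ever signs two different messages (every signature reveals chain values, so enough reuse lets an attacker sign messages the key holder never saw). The chain function is unkeyed and unmasked, so this is not XMSS- or LMS-conformant; the seed, messages and function names are constructed.

```python
"""Simplified Winternitz OTS (w = 16, SHA-256, no bitmasks, so not XMSS/LMS-conformant)
with chains derived deterministically from (seed, leaf index).

Added example, not from the question or any library. Seeds and messages are constructed."""
import hashlib
import hmac
from typing import List, Optional, Tuple

N = 32              # hash output / chain element size in bytes
W = 16              # Winternitz parameter: 4 bits per chain
LEN1 = 2 * N        # 64 message digits
LEN2 = 3            # checksum digits: max checksum 64 * 15 = 960 < 16**3
LEN = LEN1 + LEN2


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def F(x: bytes) -> bytes:
    """Chain step; a real scheme keys and masks this per position (WOTS+)."""
    return H(b"F" + x)


def chain(x: bytes, steps: int) -> bytes:
    for _ in range(steps):
        x = F(x)
    return x


def base_w(digest: bytes) -> List[int]:
    """Split a 32-byte digest into 64 hex digits and append a 3-digit checksum.
    The checksum sum(W-1-d) means a forger cannot raise a message digit without
    having to lower a checksum digit, which chains cannot be walked backwards for."""
    digits = []
    for byte in digest:
        digits += [byte >> 4, byte & 0xF]
    csum = sum(W - 1 - d for d in digits)
    digits += [(csum >> 8) & 0xF, (csum >> 4) & 0xF, csum & 0xF]
    return digits


def wots_sk(seed: bytes, leaf: int) -> List[bytes]:
    """Deterministic secrets: PRF(seed, leaf, chain). Storing only the seed keeps key
    material stateless; the leaf index is still state that must never repeat."""
    return [hmac.new(seed, b"wots" + leaf.to_bytes(4, "big") + i.to_bytes(2, "big"),
                     "sha256").digest() for i in range(LEN)]


def wots_pk(sk: List[bytes]) -> bytes:
    return H(b"".join(chain(s, W - 1) for s in sk))


def wots_sign(seed: bytes, leaf: int, msg: bytes) -> List[bytes]:
    digits = base_w(H(msg))
    return [chain(s, d) for s, d in zip(wots_sk(seed, leaf), digits)]


def wots_verify(pk: bytes, msg: bytes, sig: List[bytes]) -> bool:
    digits = base_w(H(msg))
    pk2 = H(b"".join(chain(s, W - 1 - d) for s, d in zip(sig, digits)))
    return hmac.compare_digest(pk, pk2)


def wots_forge(signed: List[Tuple[bytes, List[bytes]]], target: bytes) -> Optional[List[bytes]]:
    """Reuse attack: each signature reveals the chain value at digit d_i. A target whose
    digit t_i >= the smallest revealed d_i at every position is signed by chaining
    forward t_i - d_i steps. Returns None if some position is not covered."""
    known = [(base_w(H(m)), s) for m, s in signed]
    t = base_w(H(target))
    forged = []
    for i in range(LEN):
        d, s = min(known, key=lambda ds: ds[0][i])
        if d[i] > t[i]:
            return None
        forged.append(chain(s[i], t[i] - d[i]))
    return forged


def demo_reuse(seed: bytes, leaf: int, n_signed: int = 32, tries: int = 64):
    """Sign n_signed distinct messages with the same leaf, then look for a message none
    of them signed that wots_forge can sign anyway. Returns (msg, sig) or None."""
    signed = [(b"msg-%d" % i, wots_sign(seed, leaf, b"msg-%d" % i)) for i in range(n_signed)]
    for c in range(tries):
        target = b"forged-%d" % c
        sig = wots_forge(signed, target)
        if sig is not None:
            return target, sig
    return None
```

Two signatures under one leaf already leak enough to forge about two thirds of the chain positions; after a few dozen the odds of an arbitrary message being forgeable are close to even, which is why XMSS/LMS track the index as hard state and why stateless designs derive the index from the message (or, as in SPHINCS+, use few-time signatures at the leaves instead).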
3
votes
1 answer

Quantum Resistance Characteristics - why symmetric?

I have heard that public key cryptography may be "totally broken" by Quantum computers running Shor's algorithm, whilst symmetric-key ciphers are safe, but Grover's algorithm may require twice as many bits in the keys. Can someone please elaborate on…
3
votes
1 answer

Is a layer of classical encryption plus a layer of post quantum encryption equivalent to a classical/post quantum hybrid?

My company builds an encrypted data transfer app that has two layers of encryption. There is an outer layer of TLS encryption using ECDHE with Curve 25519 that runs between app clients and servers. There is also an inner layer of encryption that…
Andrea Russo
  • 139
  • 5
3
votes
0 answers

Best Attack Against HFE cryptosystem

I am looking for the best known attack against the HFE cryptosystem. Reading this paper DEGREE OF REGULARITY FOR HFE I found the following claim: However, Faugere and Joux demonstrated that we can solve and break these systems easily in the case when $q = 2$…
juaninf
  • 2,701
  • 2
  • 18
  • 28