arXiv:1912.12257v1 [cs.CR] 20 Sep 2019 otiue oteae ypoiigbnhak ftefront the dev of low-power single-board benchmarks popular providing a on by a algorithms area devices, these running the constrained well outlines within to how paper PQC contributes investigate This for devices. to framework powered to need evaluation limited able we on be run methods, methods may new devices to these computing susceptible run Cryptograph high-powered not Quantum Post While based are create (PQC). methods which which build problem, and algorithm to mathematical Shor’s need Diffie-Hellman hard secur we a remain the adversary, to on quantum with system b a cryptographic as methods a against For threatens such method. also relies logarithms, exchange It often discrete which factorisation. on system of cryptographic difficulty any the of thr This security tractable. more the ever numbers factorising for rithm iis[] hr r eea ehd endfrquantum for defined methods several time including: reasonable are a robust There within cracked [2]. existing be the limits will of most methods computers, quantum key quantum public of a advent Diffie the polynomia defined On in Curve runs [1]. though, Elliptic that factorization with Shor, integer for the as algorithm Peter such perform (ECDH). key, to shared Hellman techniques we a function Curve methods, of exchange curve Elliptic creation key elliptic use With an now field. within typically finite a points over rever of of bounded a difficulty addition the of the have reversing we ing finite Curve the a Elliptic involves the For within difficulty on logarithm. numbers ElGamal’s based prime methods while is large RSA field, used factorizing ElGamal. widely of and most Curve difficulty signing three Elliptic digital RSA, provide The are often negotiation. which key methods key and symmetric confidentiality, public provide While is ChaCha20, systems. it and digital AES many as such of methods, security the to tal o,R-PI IoT, Abstract • • fundamen- are methods (asymmetric) key Public Terms Index ehdue iercdsta r sdi ro correct- error in used are but that McEliece [3] codes The linear applications. real uses McEliece in method using the been with barely has 1978 in ated Ring- cryptography is methods Code-based (R-LWE). popular Errors most With the Learning code and of encryption, One homomorphic meth- obfuscation. fully cryptography for new as to such leading ods, is and potential great cryptography Lattice-based outCytgah naCntandDevice Constrained a on Cryptography Robust Avne nqatmcmuigmk hrsalgo- Shor’s make computing quantum in —Advances efrac nlsso L o Quantum for TLS of Analysis Performance Ps unu rporpy cryptography, Cryptography, Quantum —Post lcps DLb colo optn,EibrhNpe Uni Napier Edinburgh Computing, of School Lab, ID Blockpass .I I. o atn ila uhnn ilArmo,Nklo Pit Nikolaos Abramson, Will Buchanan, J William Barton, Jon NTRODUCTION hscasfiainwscre- was classification This . hscasfiainshows classification This . eatens time l ased ice. nd on an s- y e - alaiiy(M.Ti od hr navray ie a given adversary, an where holds This (NM). Malleability a sdt rvd ttsial ennfl( meaningful C-library statistically source provide open to used the was the Pi and Raspberry openSUSE, a running specifically ARMv8 meth- (aarch64), the signature within architecture performed nine 64-bit measure- are and evaluation tests includes methods benchmarking their The exchange It ods. in key process. 17 and of handshaking PQC, ments TLS within used the be around could that ods eue h etfntosbitinto built functions Sinc test schemes. the signature used five we and encapsulation key seven for ntigaotteascae plaintext associated the about anything htteplaintext the that h rtpoet sIdsigihblt ID.Ti hold ciphertext This given (IND). adversary, Indistinguishability an is where property The relation first attack. their of examine The and scenarios notions pre-existing separate these three take with possess, might Security Measuring for Notions Foundation A. repeatability. to themselves ihret ste ih putlte r etteoefrth for one the sent are they until up to wish, Attack ability they as the as Ciphertext has plaintexts Chosen also from adversary Non-Adaptive the ciphertexts the function, (CCA1), many For encrypt as wish. the generate to they can access to they so has (CPA), which adversary Attack and ciphertext Plaintext the Chosen challenge them, a a help Under given decipher. be to to need going is case ain of variant • hspprfcsso h oeaeo h motn meth- important the of coverage the on focuses paper This • 4 emtstosprt rpriswihacrypto-system a which properties separate two permutes [4] h he tak r sflos h desr neach in adversary The follows. as are attacks three The xml falna oei amn code. Hamming is code linear An a multiplication. of matrix-vector example involves and codes, ing losfrtesge ouetesm est inmultiple sign to keys same the of use entities. produced. to all be signer which the a of can Trees, for Merkle allows is that track into there integrate signatures a though, that of methods, keep New number and the signed, to to been needs have limit signer that messages a the that draw- is The methods. back have hashing using proposed signatures digital ating been have that [2]. broken methods of been already the systems of solving Unfortunately many of fields. finite difficulty over polynomials multivariate the involves cryptography fication polynomial Multivariate ahbsdsignatures Hash-based c p sntal opoueasprt ciphertext separate a produce to able not is , . p est,Eibrh UK. Edinburgh, versity, ′ —that c hscasfiainivle cre- involves classification This . ′ ropakis nihr—ssm legitimate some enciphers—is liboqs p c h eodi Non- is second The . sual olearn to unable is , hs eut lend results these , > n decrypt hsclassi- This . 30 samples ) smany as c liboqs ′ ships. such 3B+ y e e s , challenge. Finally, for the Adaptive Chosen Ciphertext Attack quantum security is lower than the classical one ([7]). There (CCA2), the adversary has all the previous capabilities, and is a well-known birthday paradox which means the security can also keep querying the decrypt function after the challenge level for n-bit hash-functions is typically n/2 ([8]). In the has been received, except for the very challenge ciphertext context of a hash function the is the number of itself. Figure 1 shows the implications that [4] proves to hold operations, on average, that one needs to perform to generate between the six permutations of property and type of attack. a collision. [9] uses this with Grover’s algorithm to make hash This figure highlights two things. First, that IND-CCA2 and functions even more vulnerable against a quantum adversary; the security level is a third of the length of the output of the NM-CPA o NM-CCA1 o NM-CCA2 function. O In order to illustrate this, table I (adapted from [10], with additions) combines these results to show some cryptographic schemes and their classical and post-quantum security levels.    IND-CPAo IND-CCA1 o IND-CCA2 C. The Hardness of Mathematical Problems Fig. 1. Implications of IND, NM and CPA, CCA1, CCA2 Here we give an informal introduction to the notion of NP- hardness from complexity theory. First we need to introduce NM-CCA2 are equivalent, which is to say that in the context of asymptotic notation. We occasionally use some asymptotic the Adaptive Chosen Ciphertext Attack, Non-Malleability and notation, which denotes the order of growth of functions ([11, Indistinguishability amount to the same. Second, that IND- 16]). For any two positive functions, f(x) nd g(x): CPA is the weakest of the notions that might apply to a f = O(g) means there are two constants, m and n such cryptosystem. Informally, this is the idea that the content of an • encrypted message stays hidden from a passive eavesdropper, that f(x) ≤ m · g(x) for all x ≥ n. Intuitively: f grows who has access to the public key and the encrypted message. no faster than g. f = Ω(g) means g = O(f). Intuitively: g grows no faster 1) Signature Strength: Signature schemes can also be clas- • sified according to whether they are susceptible to various than f. f = Θ(g) means f = O(g) and g = O(f). Intuitively: types of forgery. [5] introduced three notions of forgeability; • Universal, Selective and Existential. Informally, the notions are f and g grow at the same rate. as follows. A signature scheme is Universally forgeable if the Turing machines were the invention of Alan Turing. They adversary can sign any message with a signature that appears are theoretical models which simulate computation. The head genuine. If the adversary can do this for a particular message of the machine moves over a tape which is split into squares. that they select, then the scheme is Selectively forgeable. What state the machine is in together with what it scans from Existential forgeability applies where the adversary can forge the square are listed in a finite table which dictates what it does a signature for at least one message; but they have no control next ([12]). Deterministic Turing machines move from one over the content of the message itself. state to another deterministically; i.e. given the situation there Similar to the notions for encryption schemes, above, there is a single well-defined path to take. For a non-deterministic are different types of attack scenario to be considered. Under Turing machine, there may be move than one route to follow a Known-message attack, the adversary has access to a set ([13]). of messages and their signatures. Under a Chosen-message Solving a problem in polynomial time means that the attack, she is allowed to choose a list of messages which will amount of time taken to solve it is not greater than a poly- be signed and returned to her. nomial in the size of the input to the algorithm. I.e. for a c The strongest types of signature schemes will not allow size of input n, the time t(n) = O(n ), for some constant c even Existential forgery under the most severe attack; Chosen- ([14]). We can now introduce the two classes, P and NP, as message. This feature is called Existential Unforgeability follows ([11, 15–16]). If a deterministic Turing machine can under Chosen Message Attack, and is commonly abbreviated solve the problem in polynomial time, then that problem is in as either ‘EU-CMA’, or ‘EUF-CMA’. the class P . If a non-deterministic Turing machine can solve the problem in polynomial time, then that problem is in the B. Security Level class NP. One measure of the strength of a cipher is to conjecture NP contains the whole of P , but it is not known whether how many operations an attacker would need to perform in P and NP are co-extensive. Many people believe that P 6= order to break it. If they would need to perform 2n operations NP; if that is correct then there are problems which cannot in order to break the cipher, by brute force, the cipher is said be solved in deterministic polynomial time. Such problems to have a security level of n-bits. For a symmetric cipher such would be good candidates for using as a basis in cryptographic as AES, this is the size of the key. I.e. AES-128 offers 128- systems. bit security, meaning an attacker would need to perform 2128 We should note two things. First, the lack of a proof that operations to break it. a problem is NP-hard does not show that it is not. However, There is a quantum algorithm ([6]) which reduces the time it should engender caution about assuming that it is. Second, of a brute force attack on such keys which means that the post- that the complexity of a problem may be such that even though Key or Output Classical Post-Quantum Algorithm Type Size (bits) Security (bits) Security (bits) RSA-1024 Public Key 1024 80 0 RSA-2048 Public Key 2048 112 0 ECC-256 Public Key 256 128 0 ECC-384 Public Key 384 256 0 AES-128 Symmetric 128 128 64 AES-256 Symmetric 256 256 128 SHA-256 Hash 256 128 85 SHA-512 Hash 512 256 170 TABLE I CLASSICAL AND POST-QUANTUM SECURITY LEVELS

it is soluble in deterministic time, it would take an unfeasible fixed size output ([19]). It is called ‘one-way’ since it has amount of time. What is feasible will change as technology the following properties. improves. Pre-image Resistance: It is computationally very hard to • A proof of security might be based solely on the hardness find, for a given hash value x, a value a such that H(a)= of the task involved in breaking a cryptographic scheme. If x. such a proof exists, the scheme is said to be secure in the Second pre-image Resistance: It is computationally very • standard model. hard to find, for a given data input a a separate input, b, A weaker notion is to invoke an idealisation and prove such that H(a)= H(b). the scheme is secure based on that idealisation. Where the Collision Resistance: It is computationally very hard to • idealisation involved is a black box random oracle, the scheme find different a and b, such that H(a)= H(b). is said to be secure in the Random Oracle Model. This is Cryptographic hashes have many uses. The first we shall introduced by [15]. The working assumption is that where a look at, due to Lamport ([20]), is to enable digital signatures. scheme is provably secure in the random oracle model (ROM), The purpose of a is to allow a recipient of then the scheme where the random oracle is replaced by a hash a message to verify two things. First, that the message does function, is also secure. The authors point out that this is not a indeed come from the stated sender, and second that it has not proof that the hash-based scheme is secure, but rather that the been tampered with en route. ‘protocol is secure to the extent that h instantiates a random Lamport’s Signature Scheme involves the sender creating oracle’ [15, 14]. a pair of private and public keys. The private key is used The driving thought is that proof of security in the ROM to produce the signature for the message. Lamport’s scheme acts as a guide—or heuristic—for the scheme being secure in operates bit-by-bit; the secret key is two separate lists of reality. There is some dispute about whether this methodology th random bits. If the n bit of the message (Mn) is 0, then is sound ([16]). Loosely, one can concoct a scheme which th the n bit of the signature (Sn) is taken from the first list; if is provably secure in the ROM, but demonstrably insecure. Mn is 1, then the second list is used. However, following [17], it seems that used with appropriate The recipient uses the same hash function on the signature caution, the paradigm does provide some assurance regarding to check against the public key, which is also made up of the security of a scheme. two lists, and is the hash value of the secret key. Taking the [18] introduces the idea of the quantum random oracle Mn, the receiver works out the hash value of Sn. If Mn is 0, model (QROM). In this case the oracle is allowed to be this hash value is compared against the first list of the public in a quantum superposition when it is queried. In that case signature; if Mn is 1, then against the second list. If all the measuring the input to find out what it is will alter the hashed bits match against the public key, then the signature is state itself. The assumptions on which proofs of security in valid. Since the hash was produced with a key which is private the ROM rely may well break when faced with this added to the sender, the sender has also been verified. complication. Being secure in the ROM and being secure in There are two main disadvantages of Lamport’s scheme. the QROM are therefore distinct. The first is that the keys are relatively big; to encrypt in 256-bit In so far as the ROM methodology does provide a good blocks, one needs a 256-bit key. More importantly, to remain heuristic for a security proof for a scheme, we should prefer secure, each key can only be used once. If the same key is ones that are secure in the QROM. used more than once, and this is known, then an eavesdropper II. LITERATURE REVIEW can start to produce their own forged signatures which appear This section outlines the core principles behind some of the genuine. The main drawback to Lamport’s scheme is that it key quantum-robust encryption methods. is single-use. To overcome this, a sender would need to use a different key pair for every message. To do this with a brute A. Hash-Based list would be costly; which is why Merkle ([21]) introduced A cryptographic hash function, H, is a one-way function the idea of a hash tree, also known as a Merkle Tree. There which takes a variable size of input data and produces a are many variants ([22]), but the key notion is to induce a data structure which is hierarchical and uses a hash function alter the message and then tweak the signature appropriately to generate its nodes. This is the second usage of hashes; this ([25]). is an outline of how the process works ([23]): 1) Signatures without a State: For the systems presented so far, the signer must keep track of which leaves have been used; The sender generates all the public and private keys that • that is: the systems are stateful. This has some drawbacks. For they need, using the Lamport scheme. instance, if a system is restored from back-up, the counter will They then construct a Merkle Tree with one public key • be reset; but the signatures are in the wild. Re-transmission at each node. The tree can be identified by the hash value will involve re-use of one or more private keys. Goldreich at its root. This root hash value is the public key for the introduced the idea of a stateless system for signing ([26]). The whole system of private/public key pairs in play. central notion is to make the number of available private/public The sender picks a private key to sign the message. • key pairs so large that it is statistical very unlikely that the (Which one will be discussed below.) same pair would ever be used twice. Within certain parameters, The sender creates a Merkle Proof. This proof shows • this risk can be managed. However, the signature size suffers. that the corresponding public key is in the Merkle Tree SPHINCS ([27]) is a highly optimised system to reduce identified by the hash value at its root. the signature size, whilst maintaining a stateless hash-based The sender sends the message, the signature, the Lamport • approach. It enhances an earlier few-time signature scheme public key which corresponds to the private key, and the (FTS), HORS (Hash to Obtain Random Subset; [28]), to create Merkle Proof. HORST (HORS with Trees). SPHINCS is introduced with The receiver first uses the Merkle Proof to check that the • rigorous security credentials, which they note are lacking in public key provided is in the Merkle Tree identified by the cases of other post-quantum hopefuls ([27, 2]). the hash value at its root. 2) Zero-Knowledge Based: Schemes based on zero- With that assurance they can verify the signature using • knowledge are arguably hash-based, for reasons that will the public key provided. become clearer below. The challenge driving zero-knowledge It is essential that the same private/public key pair is not used schemes is to convince someone that you know something, twice. One way to ensure this is the case is to use the key pairs such as a passphrase, without letting them know the thing in sequence and keep track of where we are in the sequence; itself. That is: the only piece of knowledge that they gain is it is stateful. The main innovation here is the Merkle Tree whether you do indeed know the item in question, and nothing and associated Merkle Proof. Since the Merkle Tree can be else. Hence ‘zero-knowledge’. The notion was introduced in identified by the hash value at its root, it can act as the public [29]. [30] and [31] develop and explain the notion. A useful key of the entire system of private/public key pairs. It is much introduction can be found in [32]. Systems based on zero- shorter than using the list of the individual public keys. The knowledge proofs are not necessarily quantum-resistant; but security of this system relies solely on the security of the hash they can be. function that is used ([22]). This makes it a single point of A sigma protocol provides a methodology for such an vulnerability. But in fact this is also an advantage; given the exchange. Suppose Alice wants to prove to Bob that she knows design of the meta-structure it is relatively straightforward to some secret, without letting Bob know what that secret is. change the hash function as and when it is compromised. Following [33], in outline, the protocol proceeds as follows: What if we wanted to use a Lamport-style scheme, but Alice sends a commitment to Bob. • instead of signing bit-by-bit, sign variable chunks, say, of 4 Bob chooses a challenge at random, concerning the • bits at a time? Since there are 16 different combinations of 4 commitment and sends it to Alice. bits, we would need 16 separate lists of random numbers. This From the challenge, Alice computes a response and • led Winternitz to propose what is now called a Winternitz-type returns it to Bob. one-time Signature Scheme (WOTS+) [24]. The central idea Based on the response, Bob either accepts or rejects • is to start with a single list of random numbers as the seed Alice’s original claim. list. Then we generate the next list by using the hash function Where this is implemented as four algorithms; Commit, Chal- on the elements of that list; this is repeated iteratively until lenge, Respond, Check, the flow can be seen in Table II (from we have as many lists as needed. This means we only need to [17]). store the seed list; the others can be calculated. Sigma protocols have three important properties: Soundness Winternitz’s proposal for the public key is that we take - if Alice tries to cheat Bob, Bob will find out; Completeness- the final secret key and apply the hash function once more. if Alice is telling the truth, then Bob will be convinced; and This means that someone trying to verify a message against a Zero-knowledge - Bob does not learn anything else, other than signature can apply the hash function iteratively, as many times the binary fact of whether Alice’s original claim is true or false. as appropriate (i.e. to check an item against list four, apply To prove the zero-knowledge of a protocol, [29] proposes the hash function the remaining 15 times) and then compare the following method. Suppose there is an algorithm Simulator against the equivalent in the public key. The proposal also (Simon), which starts with no special knowledge whatsoever. includes a checksum, which is signed along with the message. Suppose further that Simon is able to trick Bob into believing The nature of the checksum is such that an attacker cannot a statement is true, whilst producing a pattern of steps which Alice Bob co, st = Commit(secret, public) With the above notions in place, we can introduce Picnic, co −−−−−−−→ which is a Microsoft-led project (Picnic project), described in c = Challenge() [37]. The central motif is to take a system of zero-knowledge c ←−−−−−−− proofs for statements about boolean circuits ([38]). The set of r = Respond(st, c) r inputs to a circuit is the secret key. The precise configuration −−−−−−→ Check(co, c, r) of the circuit is hard to invert; i.e. it constitutes a trapdoor TABLE II function. The output of the circuit makes up the public key. OUTLINE SIGMA PROTOCOL At the heart, is a zero-knowledge proof system for boolean circuits, ZKBoo, as put forward in [39]. This is optimised to produce ZKB++. The Unruh transformation is applied to ZKB++, creating a non-interactive zero-knowledge scheme cannot be distinguished from that produced by Alice. This which is provably secure in the QROM ([37, 2]). The authors appears to contradict Soundness. However, the conditions employ the LowMC ([40]) for the hash function. under which we can construct Simon’s responses are idealised. The resulting signature scheme is dubbed Picnic. To be more precise, they involve being able to rewind the steps taken in the protocol. That is, Simon can adjust his B. Code-Based response to the challenge, after having seen what the challenge Around the same time that Lamport was producing his will be. This could not happen in practice, between a real scheme for digital signatures, McEliece was applying the Alice and Bob. The core idea, then, is that if for every theory of error-correcting codes in telecommunications to the possible Verifier (Bob), we can show the existence, under these same purpose. The McEliece scheme was published over 40 idealised circumstances, of a Simulator (Simon), then there is years ago in [3]. It has withstood many years of no knowledge to be transferred and hence the protocol is zero- and the original remains secure and quantum-resistant. knowledge. 1) Goppa-McEliece: The McEliece scheme is an asym- Sigma protocols are not automatically zero-knowledge; they metric public/private key system based on a type of error- are in fact honest-verifier zero-knowledge. This is a weaker correcting codes, known as Goppa codes after [41]. The public condition that applies when the Verifier (Bob) is acting hon- key is a generator matrix of a Goppa code, which is carefully estly. However, a sigma protocol can be turned into a zero- chosen to be indistinguishable from a random matrix. Because knowledge scheme by making it non-interactive. The idea of a of the nature of the key, it is very large. To introduce the non-interactive zero-knowledge proof was introduced in [34]. scheme, we need to introduce some relevant concepts, taken The driving thought here is that the Alice and Bob may not from [42] and [43]. . A binary linear code C of dimension k and be available concurrently to execute the protocol. There is a • well-known transformation called the Fiat-Shamir transform length n ≥ k is a k-dimensional subspace of the vector from [35] which takes an interactive scheme a makes it non- space {0, 1}n. A codeword is a vector in C. Goppa Code. A Goppa code is a particular type of linear interactive. Briefly put, instead of Bob generating a challenge, • Alice chooses a hash function (H) and creates the challenge code, defined in [41]. Hamming Weight. The weight of a codeword is the herself, as outlined in Table III (also from [17]). • number of its co-ordinates that are non-zero. Alice Bob Generator Matrix. The rows of the Generator Matrix co, st = Commit(secret, public) • c = H(public, co) form a basis of a linear code C. It is a k × n matrix k n k r = Respond(st, c) G ∈ {0, 1} × , such that C = {xG|x ∈ {0, 1} }. co, r −−−−−−−−→ The mapping x 7→ xG takes a k-bit word to an n-bit c = H(public, co) codeword. Check(co, c, r) Permutation Matrix. A permutation matrix is binary, in TABLE III • FIAT-SHAMIR TRANSFORMED SIGMA PROTOCOL that it contains only ones and zeros. Each row/column pair contains only zeros, apart from a single position which is a 1. Before introducing the scheme, we briefly explain the There are three parameters for a McEliece system, which import of Unruh’s transform ([36]). In the context of zero- are shared amongst its users, n, k and t. n is the length of the knowledge proofs, the input of a classical random oracle Goppa codes; k is the dimension of the Goppa codes and t is well-defined [36, 758]. This allows for the ‘rewinding’ is the number of errors for introduction (by the sender) and involved in the idealised thought experiment to produce a sim- correction (by the recipient). To generate the keys (following ulator. This assumption does not hold in the quantum random [44]): oracle model (QROM). Unruh works within the QROM and Choose C: a random [n, k, 2t + 1]-linear code over F , • 2 provides a transform parallel to the Fiat-Shamir transform but with efficient decoding algorithm D which can correct for quantum states where the input to the oracle may be in up to t errors. superposition. Compute G: a k × n generator matrix for C. • Generate S: a random k × k binary non-singular matrix. C. Multivariate Quadratic Polynomials • Generate P : a random n × n permutation matrix. • The basis of the multivariate public key cryptosystem is The public key is (G′,t), where G′ = SGP . • the multivariate quadratic polynomial (MQ) problem. The The private key is (G,S,P,D). • public key is a system of quadratic polynomials of the form For plaintext m ∈ {0, 1}k, Alice takes Bob’s public key (following [54] and [55]): n (G′,t) and picks a random vector e ∈ {0, 1} of weight t, and computes the ciphertext: pi(x1,...,xn)= αi + X βij xj + X γijk xj xk 1 j n 1 j k n ≤ ≤ ≤ ≤ ≤ c = mG′ + e for 1 ≤ i ≤ m and the coefficients αi,βij ,γijk ∈ F, where F is a small finite field. Then the public key can be written Receiving the ciphertext c ∈ {0, 1}n, Bob consults his private key (G,S,P,D), and calculates: P(x) = (p1(x1,...,xn),...,pm(x1,...,xn))

or simply P for short. The private key, denoted P′, is a map 1 1 cP − = (mS)G + eP − n m P′ : F → F Bob notes that (mS)G is a valid codeword for the linear code, This is the map in the centre of the scheme. To disguise this 1 and eP − has a Hamming weight of t, so using the decoding central map, it is combined with two other maps, which are algorithm D, he reaches the interim step: invertible S : Fm → Fm and T : Fn → Fn. The private key is (S, P′,T ). The public key is the composite map P = S◦P′◦T . 1 Figure 2 from [55] shows a useful way of visualising the make- c′ = D(cP − )= mS up of this trapdoor system. and from there recovers the message Input x 1 m = c′S−

As noted in [44], McEliece’s original scheme uses irre- ducible binary Goppa codes. [45] presented an efficient algo-  x = (x1,...,xn) rithm for decoding these, known as the Patterson algorithm. To use this algorithm we need the polynomial which is used ED Private: S for generating the Goppa code. We can then finesse the private key as (G,S,P,g(X)), where g(X) is the Goppa polynomial  for the chosen code. x′ [46] proposes a very similar system to McEliece. The Public: Private: P′ McEliece and Niederreiter schemes were shown to be equiv- P = (p1,...,pn) alent in [47]. It is the derivative system that was used to  construct a digital signature scheme in [48]. Whilst it does y′ have short signatures, [22] criticises it for still having very large keys. The Niederreiter scheme is also the basis of the Private: T McBits implementation of [49].  BC 2) Quasicyclic Codes and MDPC: [50] proposed a restric- Output y o tion to the use of block-circulant matrices for the generator Fig. 2. MQ-Trapdoor matrix. A circulant matrix is one where each row is rotated right from the previous row ([42]). With this restriction in In order to encrypt plaintext x ∈ Fn, generate the ciphertext place, only the first row is necessary to identify the matrix y = P(x); y ∈ Fm. In order that the decryption produces a involved. Hence the public keys can be substantially smaller unique output, this relation needs to be injective, hence it needs than those in the traditional McEliece system. Furthermore, to be the case that m ≥ n ([56]). To decrypt a ciphertext y ∈ m 1 m 1 [51] proved that this does not alter the security proof in its F , first compute y′ = T − (y) ∈ F , then x′ = P′− (y′) ∈ n 1 n essentials. However, [52] introduced an algebraic technique F , and finally x = S− (x′) ∈ F . that shows that some instances of this compact-key approach A signature scheme requires that the mapping is surjective, can be broken in negligible time. so that any document can be signed. Hence in this case, m ≤ n A separate attempt to reduce the size of the keys was ([56]). The signing process reverses the steps for encryption. put forward by [53]. The proposal here is to use Moderate Take a message, m. First we compute a hash value using a Density Parity Check Codes (MDPC). This could provide for secure hash function H(·): h = H(m) ∈ Fm. We then use 1 m more efficient key-exchange ([42]), with smaller keys than the the inverted maps in sequence: y′ = T − (h) ∈ F ; x′ = 1 n 1 n original McEliece system. P′− (y′) ∈ F to reach the signature s = S− (x′) ∈ F . To check whether a message m has a valid signature s, we point lattice as the points of intersection of those lines. This generate the hash value of the message h = H(m) ∈ Fm. paper follows the same path and begin by considering the Then we use the public key to compute h′ = P(s). As long lines. However, we shall follow the cryptographic literature, as h and h′ match, then the signature is authentic. and from here on, by ‘lattice’ we shall mean ‘point lattice’. 1) The MQ-Problem: The security of this type of system The cryptographic exposition here draws mainly on [70], [71] depends on how hard the MQ-problem is. Namely the dif- and [72]. ficulty, given P, of discovering its components S ◦P′ ◦ T . Alternatively, for each quadratic in P, being the series

pi = (x1,...,xn) for 1 ≤ i ≤ m, solve the system

p1(¯x)= p2(¯x)= pm(¯x)=0 R This problem is, in general, hard ([57, 194]). Q 2) Oil and Vinegar: The Unbalanced Oil and Vinegar b1 (UOV) scheme is presented in [58], which built on the original P Oil and Vinegar scheme of [59], after the latter was broken in [60] Let F be a finite field and o and v integers. Define O b2 n = o + v, V = {1,...,v} and O = {v + 1,...,n}. x1,...,xv, and xv+1,...,xn are the vinegar and oil variables, respectively. Then the private key P′ is made up of quadratics of the form: Fig. 3. A Point Lattice pi = αi′ + X βij′ xi′ + X X γijk′ xi′ xj′ + X X δijk′ xj′ xk′ Figure 3 shows a lattice in two dimensions, from [69, 32, ff] j V O j V k O j V k V ∈ ∪ ∈ ∈ ∈ ∈ (using an adapted [73]). The parallelogram OPQR acts as a template, and determines the shape of the overall lattice, which where 1 ≤ i ≤ o, and the coefficients (αi′ ,βij′ ,γijk′ ,δijk′ ) are randomly chosen from F. extends in both dimensions to infinity. Equivalently, the lattice −−→ −−→ b To produce the public key only one map T is used: P = is generated by the two vectors OP and OQ, labelled 1 and b P′ ◦ T . The private key is then (P′,T ). 2 in the diagram. This is a basis of the lattice, which can be 3) Other Schemes: These include: written in this case as B = {b1, b2}. For this introduction, we Rainbow Rainbow was introduced in [61], and can be restrict our attention to integer lattices; i.e. all the co-ordinates • considered a nested version of UOV. It results in a very are integers. Then we can generalise to n-dimensional lattices fast signature scheme ([56, 32]). (compare [69, 523, ff]): (HFE) [62] introduces HFE. The B b b • = { 1,..., n} original was broken, and extended in [63] to HFEv-, with the implementation QUARTZ. These modifiers indicate The lattice L is then the sum of the integers with these vectors: the two-fold aim to take some equations from the public n B Z b key (HFE-) and add further vinegar variables (HFEv). L = L( )= X( · i) Gui. Gui is another HFEv- scheme from [64]. This can i=1 • get down to 120-bit signatures, providing 80-bit security The basis of a lattice is not unique. In this example, as well as −−→ −−→ −−→ −−→ ([56, 33]. {OP, OQ}, the same lattice could be described by {OP, OR} Multivariate Quadratic Digital Signature Scheme −−→ −−→ • or {OQ, OR}. (MQDSS). MQDSS from [7] has a security proof that 1) The Shortest Vector Problem: There are several mathe- depends only on the hardness of the MQ-problem. Two matical problems for lattices which are considered hard. The other MQ-based signature schemes include PFLASH first is the Shortest Vector Problem (SVP). The minimum ([65]) and Tame Transfer Signatures (TTS) ([66]). distance (λ1) in a lattice is the shortest nonzero vector: SimpleMatrix. Lastly, there is an encryption scheme, as • v opposed to signature scheme, proposed by [67], called λ1(L) = min k k v 0 SimpleMatrix. ∈L\{ } where k·k is the Euclidean distance. The challenge of SVP D. Lattice-Based comes in several varieties. The Search version is to find a Point lattices are mathematical structures from Minkowski’s shortest nonzero vector in a lattice L, given a basis B of that geometry of numbers ([68]). In this context, they are of interest lattice, such that kvk = λ1(L). The related Decision version since some lattice problems are provably hard. [69] introduces (GapSVP) is given a basis, B, of lattice L, and a real d> 0, a lattice as a system of parallel lines, and subsequently a discover whether λ1(L) ≤ d or λ1(L) > d. There are also versions of these problems which introduce the vector b of the samples is uniquely close to one vector. The an approximation factor (γ ≥ 1) to allow less precise answers Decision version of LWE is to tell the difference between a to the question. Given a basis, B, of lattice L, and a real d> 0, set of responses (A, b) and a set (A, b′), where b disguises discover whether λ1(L) ≤ d or λ1(L) >γ · d. a secret, but b′ is simply uniformly random. This has been There are proofs that SVP is NP-hard (e.g. [11, 83 ff]). shown to be at least as hard as the Search-LWE problem. However, Peikert points out that most crypto-systems rely on 4) LWE Cryptosystem: Here we follow [75] to describe a the approximations such as GapSVPγ, which are not proven cryptosystem based on LWE. The security parameter is n; the to be hard. They may still be hard enough, since solutions LWE dimension. Three other parameters are the number of to these approximation problems appear to require 2Ω(n) time samples m, the modulus q and a distribution χ over Z. s Zn ([71]). The private key is the secret ∈ q which is chosen 2) Short Integer Solution: The seminal work [74] intro- uniformly at random. The public key is the set of samples duced the problem of the Short Integer Solution (SIS). This as laid out in the previous section. We choose m vectors a a Zn is then proven to link to the GapSVP problem just outlined. 1,... m at random from q . We also choose error factors The problem involves n-dimensional integer vectors, modulo e1,... em, from Zq according to the distribution χ. Then Zn a q: q . Starting with a set of these vectors, that are uniformly the public key is the list for 1 ≤ i ≤ m of ( i,bi) where random, a1,..., am, the aim is to find a set of nontrivial bi = hai, si + ei. z1,...,zm where zi ∈ {−1, 0, 1}, such that: To encrypt a bit, choose a random subset S from the list of m samples (ai,bi) which make up the public key. If the bit is 0, a 0 Zn the encryption is: X i · zi = ∈ q a i=1 (X i, X bi). i S i S The vectors a1,..., am can be combined into a matrix A ∈ ∈ ∈ Zn m q × , and the problem can be restated in terms of the lattice If the bit is 1, the encryption is which it generates: a q (X i, ⌊ ⌋ + X bi) m 2 L⊥(A)= {z ∈ Z : Az = 0} i S i S ∈ ∈ The SIS problem then is to find a suitably short vector in where ⌊x⌋ is a rounding function, denoting the largest integer a A. One notable contribution of [74] is as follows. Consider a which is not greater than x. To decrypt a pair ( ,b), first calculate a s . If that value is closer to 0 than to q short vector; meaning its distance is less than a parameter β, b − h , i ⌊ 2 ⌋ which itself is very much less than the modulus q. Suppose modulo q, then the decryption is 0. Otherwise the decryption you have a reliable method for finding such a nonzero vector is 1. 5) Further Developments: Lattices have proven an ex- z ∈ L⊥(A). Ajtai proves that in that case, you also have a reliable method for solving GapSVP . Therefore, SIS has tremely fertile area for cryptography. [70] provides a detailed β√n survey of the progress up to three years ago. This is a non- been shown to be hard on the assumption that GapSVPγ is itself hard. exhaustive list which demonstrates the how diverse the field 3) (LWE): Learning With Errors was is. [76] presents a signature scheme that relies on SIS. A introduced in [75]. The main parameters are the dimension ( ), collision-resistant hash-function based on SIS is in [77]. For n 2 the modulus (q) and an error distribution (χ). n and q are as n-dimension LWE, the public key is n bits and the ciphertext for SIS; χ is usually a Gaussian distribution. Associated with is n bits; that is to encipher a plaintext of a single bit. Despite the distribution there is also the width of the error sample, this, [78] presents a protocol, Frodo, based on which is much less than q and the rate, α which is the width LWE. divided by q. Ring Learning With Errors (RLWE) was introduced in [79] In the Search version of the problem, start with a secret RLWE is a special case of LWE for polynomial rings over s ∈ Zn. The set-up is that an attacker will be given as finite fields. The main advantage over LWE is that RLWE has q Z many samples as they wish for (m). The ith sample consists smaller keys. RLWE works over a ring R, degree n, over .A n modulus q ∈ N defines a quotient ring. Based on RLWE, [80] of ai, being a vector chosen uniformly at random from Z . q introduced the key exchange mechanism NewHope. The key Then bi = hs, aii + ei mod q, where ei is drawn from the distribution χ exchange system BCNS ([81]) is also based on RLWE. There are also signature schemes, such as GLYPH put forward by As for SIS, the series ai can be listed as a matrix, and the bi [82]. and ei as vectors b and e respectively. Then, where t denotes the transform operation, then we have: Nth degree Truncated Polynomial Ring (NTRU) [83] was the first cryptosystem to use polynomial rings, in the system bt = stA + et (mod q) labelled NTRU ([70, 14]). The public is approxi- mately the same size as for RLWE, but with a smaller private Also following the case for SIS, this can be expressed in terms key. There were initial concerns about the lack of a security of a lattice. The Search problem then becomes for proof. However, subsequent advances have shown that it can A Ats s Zn Zm L( )= { : ∈ q } + q be made secure, based on the hardness of RLWE ([84]). There is a signature scheme, NSS, which is based on NTRU in elliptic curves are a special type of elliptic curve, where the [85]. There is also a signature scheme called Bimodal Lattice ring of the endomorphisms is not commutative. Signature Scheme (BLISS) described in [86]. [92] has further built on this work to provide a set of algorithms with a faster implementation. Recent work in [93] E. Isogeny-Based has improved further on that. An elliptic curve is an equation of the form (drawing on [69], [87] and [19]) III. METHODOLOGY A competition is underway to find suitable post quantum E : y2 = x3 + Ax + B ciphers for the future, run by NIST. This chapter begins with Loosely, an isogeny is a structure-preserving map from one an introduction to this selection process. We then cover liboqs, curve to another. More formally, a morphism is a rational map a useful tool for testing PQC, which is supported by the Open between two curves, which is defined for every point. Take Quantum Safe project. Some of the tests we run are on the TLS E1 and E2 as elliptic curves defined over a field k. Then an 1.3 protocol. We briefly sketch the transactions involved in that isogeny φ : E1 → E2 is a surjective (onto) morphism that protocol. The chapter ends with a specification of the hardware creates a group homomorphism from E1(k¯) to E2(k¯). Where and software which are used to run the tests themselves. an isogeny exists, the curves involved are said to be isogenous. NIST has played a leading role in evaluating PQC The underlying mathematical problem here is given two ([94][95]), and the candidates for digital signatures must be curves, how does one construct an isogeny between them? provably EUF-CMA up to 264 queries. For public key and key Using elliptic curves, a Diffie-Hellman type key exchange can exchange, there are two types. Where key re-use is allowed be set up as follows. they must be IND-CCA2, up to 264 queries. Where there is First, select q, a large integer which is either prime or a no key re-use, IND-CPA is sufficient. As we have seen, both power of 2. This is applied as a modulus to both sides of AES with larger keys, and SHA with larger hash (e.g. 256 the general equation for an elliptic curve. It is an important bits) are both quantum-resistant. Therefore NIST set the target measure of the encryption for elliptic curve cryptography; security levels for the candidates in terms of AES and SHA, similar in that regard to the key length of other systems. as outline in table IV. This also explains why the focus is on key exchange rather than general encryption; the search is for 2 3 y mod q = (x + ax + b) mod q a candidate for exchanging a key of (for instance) AES which Then select the parameters a and b; with those in place, there is is long enough to be quantum-resistant. now a set of points which makes up the elliptic curve: Eq(a,b). Security Level Equivalent The order of a point on an elliptic curve is the lowest positive 1 Key search on AES-128 integer n, such that nG = O, where O is the zero point of the 2 Collision search on SHA256 3 Key search on AES-192 elliptic curve. To complete the public information, we select 4 Collision search on SHA384 a point G from Eq(a,b), whose order is very large. 5 Key search on AES-256 With these in place, the key exchange between Alice and TABLE IV Bob proceeds like this: NIST SECURITY LEVELS

Alice selects a private na where na

Underlying Variant Protocol In liboqs? LWE Crystals-Dilithium  those which currently have a representation in liboqs. These Lattice RLWE qTESLA  restrictions overlook many subtleties, but nevertheless yield NTRU Falcon × insight. Stateless SPHINCS+  Hash-based Zero-Knowledge Picnic  With respect to speed, the candidates fall into three divi- LUOV × sions, with lattice-based solutions being the front-runners. In UOV Rainbow  Multivariate the first division are Saber, Kyber and NewHope. Saber has HFEv- GeMSS × Pure MQ MQDSS  both a reasonable keysize and is performing its operations sub-millisecond. The second division is made up of Frodo, TABLE VI NIST ROUND 2: SIGNATURE BY TYPE NTRU and code-based BIKE. Finally, SIKE is in a division of its own; whilst having a reasonable keysize, it is taking over 3 full seconds for encapsulating or decapsulating. These divisions are compared in figures 4, 5 and 6. JeOS) since it appears to be the best maintained of the 1) Comparison with Other Work: Table IX shows the Linux-based systems for the ARMv8 available. 64 bit results from three other papers to measure the key exchange for IV. RESULTS post quantum algorithms. The listed speed is the speed of an In this paper we present our results and compare them, encapsulation followed by a decapsulation. The table presents where possible, with other benchmarks from the literature. the best attempt to provide like-for-like comparison between First we look at the key exchange mechanisms. That is the various works. The main point is that the benchmarking is followed by the results for the signature schemes. We then conducted under differing assumptions. This means that com- look at the TLS handshake which combines both exchange parisons between the results need to be made with very great mechanisms and signatures. Finally, we offer some considera- care. A brief outline of the works illustrates the differences. tions which aim to help with choosing a reliable cryptographic Seo et al [116] implements a highly optimised version algorithm. of SIKE, written in assembly for the aarch64 instruction set, and tested on an ARMv8 (A53) running 64-bit code at A. Key Exchange Mechanisms 1.536 GHz. For SIKEp610 (NIST level 3), the reported clock To gain an appreciation for the different systems, we chart cycles (crudely) equate to 303ms. An et al [114] measures the the public and private key sizes in table VIII. These are performance of the protocols then available in liboqs: Frodo, gleaned from the second round submissions for: Crystals- BCNS, NewHope, MSrln, Kyber, NTRU, McBits, IQC and Kyber ([105]), FrodoKEM ([106]), SABER ([107]), NewHope SIDH. The tests are on an Intel i7-5500 at 2.4 GHz, two ([108]), NTRU ([109]), BIKE ([110]) and SIKE ([111]). cores, with 16GB RAM. For Kyber and Frodo they use non- In order that the numbers are not overwhelming, we restrict standard parameter sets for which the post quantum security the view in several ways. First, we choose the parameter set level is unclear. This is probably due to the work coming which has been provided for achieving level three security, before alterations for round two of the NIST competition. which is equivalent to breaking AES-256, or alternatively 128 The NTRU and SIDH parameter sets are not specified, so the bits of quantum security. Second, where IND-CPA and IND- quantum security is unclear. CCA versions are specified, we restrict the view to IND- Malina et al [115] tests six key exchange mechanism; CCA. Third, we pick the first BIKE model as representative NewHope, NTRU, BCNS, Frodo, McBits and SIDH. To do of that family of three implementations. Lastly, we only list this they tweaked liboqs to run in 32-bits, and then ran tests CLIENT SERVER Key Exchange Generate Key ClientHello −−−−−−−−−−−−−−−−−−−−−−−−→ Generate Key Generate Secret ServerHello ←−−−−−−−−−−−−−−−−−−−−−−−− Generate Secret Server Parameters

EncryptedExtensions ←−−−−−−−−−−−−−−−−−−−−−−−− Authentication

Certificate ←−−−−−−−−−−−−−−−−−−−−−−−− Sign Certificate CertificateVerify ←−−−−−−−−−−−−−−−−−−−−−−−− Finished ←−−−−−−−−−−−−−−−−−−−−−−−− Verify and Authenticate Finished −−−−−−−−−−−−−−−−−−−−−−−−→ Application Communication

Application Data ←−−−−−−−−−−−−−−−−−−−−−−−→ Application Data TABLE VII TLS1.3 PROTOCOL OUTLINE

Underlying Variant: Protocol Parameter Set Private Public LWE: Saber SABER-KEM 2,304 992 LWE: Crystals-Kyber Kyber-768 2,400 1,184 Lattice LWE: FrodoKEM FrodoKEM-976 31,296 15,632 RLWE: NewHope NewHope1024 3,680 1,824 NTRU: NTRU ntruhps4096821 1,592 1,230 Code-Based MDPC: BIKE BIKE-1-CCA 6,592 6,205 Isogeny Supersingular: SIKE SIKEp610 524 462 TABLE VIII KEY EXCHANGE SUBMITTED PUBLIC AND PRIVATE KEY LENGTH (BYTES)

0.65 Keygen Saber 0.76 0.84 Encaps Decaps Kyber 0.89 1.08 768 1.32

NewHope 1.04 1.53 1024-CCA 1.84 0 0.5 1 1.5 Time (ms)

Fig. 4. KEM Meantimes: Top Performing Algorithms at Level 3 NTRU-HPS 119 8.84 4096-821 24

Frodo 46.7 Keygen 62.2 976-SHAKE 61.8 Encaps Decaps Frodo 84 87.7 976-AES 87.6

BIKE 24.5 30.3 1-L3 127 0 20 40 60 80 100 120 Time (ms)

Fig. 5. KEM Meantimes: 2nd Division Algorithms at Level 3

Keygen Encaps 1,790 Decaps SIKE-p610 3,300 3,320 0 500 1,000 1,500 2,000 2,500 3,000 Time (ms)

Fig. 6. KEM Meantimes: 3rd Division Algorithm at Level 3

Cipher Bench Security Level Constrained? Speed (ms) Saber [112] —  18.84 Saber [113] 185  98.60 Saber This Work 185  1.60 Kyber [114] — × 0.38 Kyber [113] 164  93.39 Kyber This Work 164  2.40 NewHope [114] 233 × 0.23 NewHope [115] 206  2.36 NewHope [113] 233  159.61 NewHope This Work 233  3.38 NTRU [114] — × 2.06 NTRU [115] 128  12.88 NTRU [113] 128  94.69 NTRU This Work 128  32.82 Frodo [114] — × 9.38 Frodo [115] 130  702.12 Frodo This Work 150  175.30 SIKE [116] 192  303.00 SIKE [113] 192  279,866.01 SIKE This Work 192  6,620.41 TABLE IX COMPARISON WITH OTHER KEM WORK on (a) an Android 6 device with Qualcomm Snapdragon 801 (4 involved, compared with ‘simple’ whose security proof is cores) at 2.5 GHz with 2 GB RAM, and (b) a Raspberry Pi 2, heuristic in the sense of being proved in the ROM. For a given running Raspbian Strech Lite, on an ARMv7 at 1.2 GHz, with NIST level, there are therefore 12 different sets of parameters. 1 GB RAM. Karmakar et al [112] Implements an optimised We take SHA256 to be representative. Saber on an ARM Cortex-M4, with an assumed clock of c) Rainbow: The ‘compressed’ version can take the 168 MHz.Kannwischer et all [113] from July 2019 presents private signature down to 64 bytes (512 bits). a benchmarking framework pqm4. They consistently benched 1) Comparison with Other Work: Table XI shows a com- 10 key encapsulation and 5 signature schemes on a 32-bit parison between the benchmarks from [113] and the results ARM Cortex-M4 running at 24 MHz, with 196kB of RAM. presented here. The speed is the total speed of a sign/verify Frodo-976 takes too much resource to run in this environment. pair. There are several other related works which are not suitable a) [127]: Shows that an optimised SPHINCS-256 can for inclusion in Table IX, since they are even more disparate run on an ARM Cortex M3 running at 32 MHz with 16kB than those included. We describe them briefly to show why. RAM. This is a signature scheme, and no numbers are [117] looks at MQ-based systems on a ATxMega128a1 comparable to those presented here. • microprocessor, running at 32 MHz, with 8kB RAM and b) [113]: is explained in § IV-A1, above. With respect 128kB storage. to signatures, Rainbow and MQDSS outstrip the available [118] compares the speed of a RLWE cipher against resource. • classical ciphers, when used for the key exchange during C. TLS 1.3 Handshake TLS handshakes. Benchmarks are from an ARM Cortex- A7 running at 700 MHz with 1 GB of RAM and storage In our tests, varying the signature algorithm made no of over 1 GB. They class the classical security level at difference to the size of the handshake (2041B read, 391B 128 bit. written), nor to the (wall-clock) speed of the handshake (mean [119] uses the ABSOLUT ([120]) tool to test Frodo time of 0.05s). This may be because the two PQC signature • and NewHope on simulated (a) Raspberry Pi 2, with algorithms available, Dilithium and qTESLA, are both lattice- Broadcom BCM2836 at 900 MHz quad-core 32-bit ARM based. One area for further work is to examine this area Cortex-A7 processor with 1 GB RAM, and (b) Raspberry in more detail, when further algorithms are available. The Pi 3, with Broadcom BCM2837 at 1.2 GHz quad-core 64- importance of the security of the signature algorithm should bit ARM Cortex-A53, also with 1 GB RAM. The focus not be underestimated; it ensures the authentication of the on power consumption, and the numbers provided do not counterparty. provide for a comparison with the current work. Table XII shows how the size and speed of the TLS 1.3 The recent [121] provides extensive observations on the handshake varies with the key exchange. This shows that, as • integration of post-quantum algorithms into TLS and we expect from the results above, that Saber, Crystal and SSH. NewHope are light and fast; BIKE, Frodo and NTRU are comparable. While the handshake for SIKE is the smallest B. Signatures of all, it takes orders of magnitude longer. For the different signature schemes, we chart the public 1) Comparison with Other Work: Table XIII shows two and private key sizes together with the signature size, in table other attempts from the literature to measure post quantum X. These are taken from the second round submissions for: key exchange in TLS handshakes. The same caveats apply as Dilithium ([122]), qTESLA ([123]), MQDSS ([124]), Rainbow for the comparisons in Table IX above. ([125]) and SPHINCS+ ([126]). As for key exchanges, we a) [81]: implements a RLWE ciphersuite in OpenSSL restrict the view to those parameter sets which aim for security (v1.0.1f) and benchmarks interactions with an Apache web- at NIST level 3, and only list those which currently have a server. The parameters they choose aim for 128-bit security, representation in liboqs. which matches the rationale chosen here. They provide results Tables 7, 8, 9 and 10 show how they line up against for retrieving a 1 byte payload, which is comparable with each other. There are some items which should be taken into completing a TLS handshake. One difference is that they account with these comparisons. code with TLS 1.2, which is less efficient that TLS 1.3. The a) qTESLA: There is a version of qTESLA which is largest difference is that their devices are not constrained: the provably secure, but it is not yet implemented in liboqs and ‘client’ machine is based on an Intel i5 with 4 cores running has not been tested here. at 2.7 GHz; the ‘server’ machine is an Intel Duo with 2 cores b) SPHINCS+: SPHINCS+ presents three sets of param- running at 2.33 GHz. eters of various sorts. First, since it is hash-based it needs b) [78]: benchmarks connections to a TLS-protected a hash function. There are three options: Haraka, SHA256 webserver for Frodo, BCNS, NewHope and NTRU. These and SHAKE256. Second, they produce a set of parameters were run on a Google Cloud VM (n1-standard-4), with 4 optimized for small signatures (‘s’ for small) and for fast virtual CPUs at 2.6 GHz, with 15GB of RAM. The clients processing (‘f’ for fast). They also produce a ‘robust’ ver- were similarly specified (n1-standard-32). The parameters sion whose security proof relies on the security of the hash were aimed at 128 bits of security. Some testing was also Underlying Parameter Set Private Public Signature Lattice (LWE) Dilithium IV 96 1,760 3,366 Lattice (RLWE) qTESLA-III 2,368 3,104 2,848 MQDSS-31-64 24 64 43,728 MQ Rainbow-IIIc 511.4 kB 710.6 kB 156 Rainbow-IIIc-cyclic 511.4 kB 206.7 kB 156 SPHINCS+-192s 96 48 17,064 Hash-based SPHINCS+-192f 96 48 35,664 TABLE X SIGNATURE SCHEMES:KEY AND SIGNATURE LENGTHS (BYTES)

DILITHIUM 1.84 Keypair 6.76 4 Sign 2.14 Verify

qTESLA 14.5 III (speed) 5.38 1.25

qTESLA 25.1 III (size) 10.8 1.24 0 5 10 15 20 25 Time (ms)

Fig. 7. Signature Meantimes: Lattice-based at Level 3

Keypair MQDSS 6.17 161 Sign 31-64 120 Verify

1,930 Rainbow 17.1 IIIc-Classic 18.3

Rainbow 2,190 IIIc-Cyclic 17.1 55 0 50 100 150 ··· 1,900 2,000 2,100 Time (ms)

Fig. 8. Signature Meantimes: MQ-based at Level 3

Keypair SPHINCS+ 28.4 Sign SHA256-192f-simple 785 39.7 Verify

SPHINCS+ 53.8 1,480 SHA256-192f-robust 80.2 0 20 40 60 80 ··· 800 1,000 1,200 1,400 Time (ms)

Fig. 9. Signature Meantimes: SPHINCS+ ‘f’ at Level 3 Keypair SPHINCS+ 918 21,200 Sign SHA256-192s-simple 15.8 Verify

1,760 SPHINCS+ 38,700 SHA256-192s-robust 32.1 0 0.5 1 1.5 2 ··· 20 25 30 35 Time (ms) ×103

Fig. 10. Signature Meantimes: SPHINCS+ SHA256 ‘s’ at Level 3

Cipher Bench Speed (ms) [113] 485.10 Venerability. How venerable is the underlying mathemat- Dilithium IV • This Work 0.01 ical problem? The more cryptanalysis it has survived the [113] 354.06 qTESLA-III better. This Work 2.70 NP-hard. Is there a proof of the hardness of the under- f-sim [113] 30,116.29 • f-sim This Work 824,908.31 lying problem? f-rob [113] 57,169.86 Problem-Reduction. Is there a proof of the reduction of f-rob This Work 1,558,082.26 • SPHINCS+-SHA256-192 the scheme to the underlying problem? s-sim [113] 793,925.00 QROM-secure. Is there a proof of security in the QROM? s-sim This Work 21,187,279.39 • s-rob [113] 1,433,837.19 The existence of a proof in the QROM does not entail s-rob This Work 38,682,673.41 reduction to the hard problem; but it is widely taken to TABLE XI act as a good heuristic. COMPARISON WITH OTHER SIGNATURE WORK ROM-secure. Is there a proof of security in the ROM? • The existence of such a proof does not entail security against a classical adversary, but it is taken to be a good done on a BeagleBone Black, with an AM335x ARM Cortex- heuristic. ([122, 6] conjectures that whilst the theoretical A8 running at 1 GHz. The BeagleBone was not running a TLS details differ, security in the ROM and security in the client, and there is no available comparison on that front with QROM will converge to indicate the same level of this work. security in practice.) D. Choosing an Algorithm Finally, it is worth bearing in mind that even schemes which are proven to reduce to provably NP-hard problems might Which algorithm is best? There is no single good answer turn out to be tractable, if it turns out that P is NP. to this question; it will depend on a number of factors. Table XIV summarises the current answers to these five The purpose of the encryption is an important consideration. questions, for the algorithms investigated. Suppose the target is to verify a system update for an IoT device. Then the signing will be done by the system issuing E. Summary the update; assume this is not itself IoT. In that case the SPHINCS+ suite might be a viable choice. The IoT device In terms of KEM performance, SABER is the clear winner, only needs to verify the signature, which we have shown it executing its basic operations in under a millisecond; the can do sub-second (at level 3). That may well be fast enough TLS handshake in under 90ms. At the other end, SIKE’s for relatively infrequent system updates. On the other hand, performance makes it an unlikely choice; the empty TLS SIKE (SIKE-p610) would be inappropriate for involvement in handshake taking over 8s. It is true that there is at least the key exchanges of TLS since the encapsulation followed by one finely-tuned version written in assembly which performs decapsulation would add over six seconds to the handshake. better. However, such fine-tuning is very expensive in terms So whether an algorithm is ‘fast enough’ will depend on the of initial production and ongoing maintenance. It would also use to which it is being put. Similar considerations will apply make the implementation platform-dependent. to the public/private keysize. We have introduced a set of five notions—Venerability, These factors, as well as the number of bits of security NP-hardness, Problem Reduction, ROM-security and QROM required, need to be considered. But it is important to note security—which should be considered when trying to pin that all these fall by the wayside if the system is broken. The down how certain we are that a particular algorithm is secure chief issue when choosing an algorithm is not mathematical, or not. Whilst lattices are proving a fertile area for crypto- but epistemological: how certain are we that the system is graphic systems, it is interesting to note that the systems (to secure? We explore this by breaking it down into a series of date) do not reduce to the NP-hard SVP. The factors also show questions. SIKE in a bad light; it is only five years old, and not proven Handshake (Bytes) Speed Protocol Parameter Set Read Write Total (ms) Crystals-Kyber Kyber-768 3,897 1,543 5,440 89.82 FrodoKEM FrodoKEM-976 18,553 15,991 34,544 295.81 Saber SABER-KEM 3,897 1,351 5,248 87.69 NewHope NewHope1024 5,017 2,183 7,200 88.12 NTRU ntruhps4096821 4,039 1,589 5,628 241.34 BIKE BIKE-1-CCA 7,773 5,323 13,096 199.66 SIKE SIKEp610 3,295 821 4,116 8,580.58 TABLE XII TLS HANDSHAKE PROFILES BY KEM

Cipher Bench Security Level Constrained? Handshake (Bytes) Speed (ms) NewHope [78] 206 × 5,514 13.10 RLWE [81] 82 × 10,479 54.00 NewHope This Work 233  7,200 88.12 NTRU [78] 128 × 3,691 19.90 NTRU This Work 128  5,628 241.34 Frodo [78] 130 × 24,228 20.70 Frodo This Work 150  34,554 295.81 TABLE XIII COMPARISON WITH OTHER TLS WORK

Scheme Underlying Venerability (yrs) NP-hard Problem-Reduction ROM-secure QROM-secure Saber Lattice: LWE 14a i ×i q q Kyber Lattice: LWE 14a i ×i r r Frodo Lattice: LWE 14a i ×i s s NewHope Lattice: RLWE 9b j ×j t t NTRU Lattice: NTRU 23c k ×k u u BIKE Code: MDPC 41d l n n ×n SIKE Supersingular 5e × v v ×v Dilithium Lattice: LWE 14a i ×i w w qTESLA Lattice: RLWE 9b j ×j x x MQDSS MQ 31f m o o ×o Rainbow MQ: UOV 20g m ×p ×y ×y SPHINCS+ Hash: Haraka 4h — — — — SPHINCS+ Hash: SHA256 18h — — — — SPHINCS+ Hash: SHAKE256 7h — — — — TABLE XIV CONSIDERATIONS FOR CERTAINTY ABOUT SECURITY

Notes:

a 2005 [75] is a revision of the original. [70, 14]. b 2010 [79]. l [132] c 1996 [74]. m [133] d 1978 [3] ([53]). n [110, 60-1] e 2014 [91]. o [134] f 1988 [128]. p [125, 43] g 1999 [58]. q [107, 12-3] h SPHINCS+ is no more secure than the hash it uses ([22, 41]). Haraka dates from r [105, 19-20] 2015 [129]; SHA256 from 2001 ([130]); SHAKE256 from 2012 (see [131]). The s [106, 31-5] notions of NP-hardness, or security in ROM do not apply directly to hashes. t [108, 28-29] i SVP and variants have been proved NP-hard [11]. However, the systems rely on u [109, 30] approximations which have not [70], hence no Problem Reduction. v [111, 41-2] j RLWE is NP-hard [70]; however, as for (i), the systems rely on approximation w [122, 5-6] problems which have not. x [123, 47-8] k The NTRU problem is not reducible to a lattice problem [70, 14]. However, RLWE y [125, 43] is at least as hard as NTRU and if RLWE is hard, then NTRU can be made secure NP-hard. It might yet prove to be secure, but it is unlikely to problems in lattices is of concern. BIKE rests on a sounder be the system of choice for constrained devices. theoretical foundation. For signature schemes the pattern is There is a trade-off between the speed of the system similar; Dilithium is light and fast. MQDSS is slower, and and uncertainty about the security of the cipher system. For has longer signatures, but better theoretical pedigree. signature schemes, MQDSS presents us with good balance. It has survived through over 30 years of cryptanalysis, and REFERENCES stands on the strongest theoretical basis of all the ciphers we [1] P. W. Shor, “Polynomial-Time Algorithms for Prime have examined. In that light the 250ms operating times are Factorization and Discrete Logarithms on a Quantum Computer,” SIAM Journal on Computing, vol. 26, reasonable. no. 5, pp. 1484–1509, aug 2003. [Online]. Available: Cryptography is a blend of theory and practice, and post- http://arxiv.org/abs/quant-ph/9508027http://dx.doi.org/10.1137/S0097539795293172 in particular is a very fast-paced area. [2] W. Buchanan and A. Woodward, “Will quantum computers be the end of public key encryption?” Journal of Cyber Security Technology, We have shown that many of the contenders for standardisation vol. 1, no. 1, pp. 1–22, 2017. are suitable in practice for single-board ARMv8 constrained [3] R. J. McEliece, “A Public-Key Cryptosystem Based On Algebraic devices. Coding Theory,” 1978. [4] M. Bellare, A. Desai, D. Pointcheval, and P. Rogaway, “Relations among notions of security for public-key encryption schemes,” in V. CONCLUSION Lecture Notes in Computer Science (including subseries Lecture Notes This paper explores how well post-quantum cryptography in Artificial Intelligence and Lecture Notes in Bioinformatics), 1998. [5] S. Goldwasser, S. Micali, and R. L. Rivest, “A Digital Signature performs on constrained devices. It contributes to this area Scheme Secure Against Adaptive Chosen-Message Attacks,” SIAM by providing benchmarks for popular single-board low-power Journal on Computing, 2005. computers, the Raspberry Pi. We cannot rely on symmetric [6] L. K. Grover, “A fast quantum mechanical algorithm for database search,” in Proceedings of the twenty-eighth annual ACM symposium ciphers to exchange cipher keys. RSA is popular at least in part on Theory of computing - STOC ’96, 1996. because it is (relatively) easy to understand the mathematics [7] M. S. Chen, A. H¨ulsing, J. Rijneveld, S. Samardjiska, and P. Schwabe, behind it. The quantum-resistant alternatives are not so forgiv- “From 5-pass MQ-based identification to MQ-based signatures,” in ing. Hash-based systems have built-in future-proofing. Code- Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 2016. based systems are venerable and tried-and-tested. MQDSS is [8] G. Yuval, “How to swindle rabin,” Cryptologia, 1979. a variant of multivariate quadratic polynomial ciper schemes [9] G. Brassard, P. Høyer, and A. Tapp, “Quantum cryptanalysis of hash which is provably reducible to the underlying NP-hard math- and claw-free functions,” ACM SIGACT News, 2004. [10] V. Mavroeidis, K. Vishi, M. D., and A. Jøsang, “The Impact of ematical problem. Minkowski’s lattices are a fecund area, but on Present Cryptography,” International Journal the resulting systems do not reduce to the NP-hardness of the of Advanced Computer Science and Applications, 2018. underlying problems. Supersingular isogeny is yet to stand the [11] D. Micciancio and S. Goldwasser, Complexity of Lattice Problems: A Cryptographic Perspective. Kluwer, 2002. test of time. [12] A. M. Turing, “Intelligent Machinery, A Heretical Theory*,” SABER is the clear winner for the KEM with operations un- Philosophia Mathematica, 2012. der a millisecond and TLS handshake in under 90ms. SIKE’s [13] Wikipedia, “Turing Machine,” 2019. [Online]. Available: https://en.wikipedia.org/wiki/Turing{ }machine performance with the TLS handshake takes over 8s. For a [14] ——, “Time Complexity,” 2019. [Online]. Available: signature scheme, MQDSS gives a good balance of theoretical https://en.wikipedia.org/wiki/Time{ }complexity basis and reasonable run time. The issue of which ciphersuite [15] M. Bellare and P. Rogaway, “Random Oracles are Practical :A Paradigm for Designing Efficient Protocols,” in Proc. 1st ACM Conf. to trust is epistemological rather than purely mathematical. Comput. Commun. Secur., 1993. Lattice-based systems are the fastest of many contenders that [16] N. Koblitz and A. J. Menezes, “The random oracle model: a twenty- have been shown practicable on constrained devices. year retrospective,” Designs, Codes, and Cryptography, 2015. [17] Anonymous, “What is the Fiat-Shamir Until [113] (published late July 2019), it seemed that ours transform?” 2015. [Online]. Available: was the first study to bring together the performance of the http://bristolcrypto.blogspot.com/2015/08/52-things-number-47-what-is-fiat-shamir.html front-running PQC algorithms on a constrained device for [18] D. Boneh, O.¨ Dagdelen, M. Fischlin, A. Lehmann, C. Schaffner, and M. Zhandry, “Random oracles in a quantum world,” in Lecture Notes comparison. As we have seen above, several papers run some in Computer Science (including subseries Lecture Notes in Artificial benchmarks on the ARM architecture, but the specifications Intelligence and Lecture Notes in Bioinformatics), 2011. of the hardware involved, and the controls on the tests, are [19] W. Stallings, Cryptography and Network Security, 7th ed. Harlow: Pearson, 2017. disparate. [20] L. Lamport, “Constructing Digital Signatures from a One-Way Func- The leading question has been answered in this paper tion,” SRI International Computer Science Laboratory, 1979. by providing benchmarks on a constrained device for the [21] R. C. Merkle, “A certified digital signature,” in Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial front-running algorithms in the NIST standardisation exercise Intelligence and Lecture Notes in Bioinformatics), 1990. which is currently in progress. On the theoretical front, the [22] D. Butin, “Hash-based signatures: State of play,” IEEE Security and Literature Review includes basic introductions to the five Privacy, 2017. [23] M. Green, “Hash-based Signatures: An il- main areas of PQC, distinguished by their separate areas of lustrated Primer,” 2018. [Online]. Available: mathematics. The investigations together allow us to draw https://blog.cryptographyengineering.com/2018/04/07/hash-based-signatures-an-illustrated-primer/ several conclusions. Lattice-based systems are light and fast, [24] A. H¨ulsing, “W-OTS+ - Shorter signatures for hash-based signature schemes,” in Lecture Notes in Computer Science (including subseries with SABER standing out as the fastest KEM. The lack of Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinfor- proof of a reduction of the systems to the underlying hard matics), 2013. [25] M. Green, “Winternitz Checksum,” 2018. [Online]. Available: [50] P. Gaborit, “Shorter keys for code based cryptography,” in Proceedings https://blog.cryptographyengineering.com/winternitz-checksum/ of the 2005 International Workshop on Coding and Cryptography [26] O. Goldreich, “Two remarks concerning the Goldwasser-Micali-Rivest (WCC 2005), 2005. signature scheme,” in Lecture Notes in Computer Science (including [51] N. Sendrier, “On the Use of Structured Codes in Code Based Cryptog- subseries Lecture Notes in Artificial Intelligence and Lecture Notes in raphy,” in Coding Theory and Cryptography III, S. Nikova, B. Preneel, Bioinformatics), 1987. and L. Storme, Eds., 2009, pp. 59–68. [27] D. J. Bernstein, D. Hopwood, A. H¨ulsing, T. Lange, R. Niederhagen, [52] J. C. Faug`ere, A. Otmani, L. Perret, and J. P. Tillich, “Algebraic L. Papachristodoulou, M. Schneider, P. Schwabe, and Z. Wilcox- cryptanalysis of McEliece variants with compact keys,” in Lecture O’hearn, “SPHINCS: Practical stateless hash-based signatures,” in Notes in Computer Science (including subseries Lecture Notes in Lecture Notes in Computer Science (including subseries Lecture Notes Artificial Intelligence and Lecture Notes in Bioinformatics), 2010. in Artificial Intelligence and Lecture Notes in Bioinformatics), 2015. [53] R. Misoczki, J. P. Tillich, N. Sendrier, and P. S. Barreto, “MDPC- [28] L. Reyzin and N. Reyzin, “Better than BiBa: Short one-time signatures McEliece: New McEliece variants from Moderate Density Parity-Check with fast signing and verifying,” in Lecture Notes in Computer Science codes,” in IEEE International Symposium on Information Theory - (including subseries Lecture Notes in Artificial Intelligence and Lecture Proceedings, 2013. Notes in Bioinformatics), vol. 2384. Springer Verlag, 2002, pp. 144– [54] C. Wolf, “Multivariate Quadratic Polynomials in 153. Public Key Cryptography,” DIAMANT/EIDMA Sym- [29] S. Goldwasser, S. Micali, and C. Rackoff, “The knowledge complexity posium, Tech. Rep., 2005. [Online]. Available: of interactive proof-systems,” in Proceedings of the seventeenth annual https://www.win.tue.nl/diamant/symposium05/abstracts/wolf.pdf ACM symposium on Theory of computing - STOC ’85, 1985. [55] ——, “Introduction to Multivariate Quadratic Public Key Systems and [30] O. Goldreich, S. Micali, and A. Wigderson, “Proofs that yield nothing their Applications,” in Proceedings of YACC, 2006. but their validity or all languages in NP have zero-knowledge proof [56] J. Ding and A. Petzoldt, “Current State of Multivariate Cryptography,” systems,” Journal of the ACM, 1991. 2017. [31] O. Goldreich, “A Short Tutorial of Zero-Knowledge,” The Weizmann [57] J. Ding and B.-Y. Yang, “Multivariate Public Key Cryptography,” in Institute of Science, Tech. Rep., 2010. [Online]. Available: Post-Quantum Cryptography, 2009. http://www.wisdom.weizmann.ac.il/{∼}oded/PS/zk-tut10.ps [32] D. Bernhard, “Zero Knowledge Proofs in Theory and Practice,” [58] A. Kipnis, J. Patarin, and L. Goubin, “Unbalanced Oil and Vinegar PhD Thesis, University of Bristol, 2014. [Online]. Available: Signature Schemes,” 1999. http://people.cs.bris.ac.uk/{∼}bernhard/thesis.pdf [59] J. Patarin, “The Oil and Vinegar Signature Scheme,” Dagstuhl Work- [33] Anonymous, “What do correctness, soundness and zero-knowledge shop on Cryptography, Tech. Rep., 1997. mean in the context of a Sigma protocol?” 2015. [Online]. Available: [60] A. Kipnis and A. Shamir, “Cryptanalysis of the oil and vinegar http://bristolcrypto.blogspot.com/2015/08/52-things-number-46-what-do-correctness.htmlsignature scheme,” in Lecture Notes in Computer Science (including [34] M. Blum, P. Feldman, and S. Micali, “Non-interactive zero-knowledge subseries Lecture Notes in Artificial Intelligence and Lecture Notes in and its applications,” in Proceedings of the twentieth annual ACM Bioinformatics), 1998. symposium on Theory of computing - STOC ’88, 1988. [61] J. Ding and D. Schmidt, “Rainbow, a New Multivariable Polynomial [35] A. Fiat and A. Shamir, “How to prove yourself: Practical solutions to Signature Scheme,” 2005. identification and signature problems,” in Lecture Notes in Computer [62] J. Patarin, “Hidden fields equations (HFE) and isomorphisms of Science (including subseries Lecture Notes in Artificial Intelligence and polynomials (IP): Two new families of asymmetric algorithms,” in Lecture Notes in Bioinformatics), 1987. Lecture Notes in Computer Science (including subseries Lecture Notes [36] D. Unruh, “Non-interactive zero-knowledge proofs in the quantum in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. random oracle model,” in EUROCRYPT’15, 2014, pp. 1–26. 1070. Springer Verlag, 1996, pp. 33–48. [37] M. Chase, D. Derler, S. Goldfeder, C. Orlandi, S. Ramacher, [63] J. Patarin, N. Courtois, and L. Goubin, “QUARTZ, 128-Bit Long C. Rechberger, D. Slamanig, and G. Zaverucha, “Post-Quantum Zero- Digital Signatures,” 2001. Knowledge and Signatures from Symmetric-Key Primitives,” 2017. [64] A. Petzoldt, M. S. Chen, B. Y. Yang, C. Tao, and J. Ding, “Design [38] ——, “The Picnic Digital Signature Algorithm: NIST First PQC principles for HFEV-based multivariate signature schemes,” in Lecture Standardization Conference,” Aarhus University, Graz University of Notes in Computer Science (including subseries Lecture Notes in Technology, Microsoft, Princeton University,, Tech. Rep., 2018. Artificial Intelligence and Lecture Notes in Bioinformatics), 2015. [39] I. Giacomelli and C. Orlandi, “ZKBoo: Faster Zero-Knowledge for [65] J. Ding, V. Dubois, B. Y. Yang, O. C. H. Chen, and C. M. Cheng, Boolean Circuits,” Usenix Security, 2016. “Could SFLASH be repaired?” in Lecture Notes in Computer Science [40] M. R. Albrecht, C. Rechberger, T. Schneider, T. Tiessen, and (including subseries Lecture Notes in Artificial Intelligence and Lecture M. Zohner, “Ciphers for MPC and FHE,” in Lecture Notes in Computer Notes in Bioinformatics), 2008. Science (including subseries Lecture Notes in Artificial Intelligence and [66] B.-Y. Yang and J.-M. Chen, “Building Secure Tame-like Multivariate Lecture Notes in Bioinformatics), 2015. Public-Key : The New TTS,” 2010. [41] V. Goppa, “A New Class of Linear Correcting Codes,” Problems of [67] C. Tao, A. Diene, S. Tang, and J. Ding, “Simple matrix scheme InformationTransition, vol. 6, no. 3, pp. 207–212, 1970. for encryption,” in Lecture Notes in Computer Science (including [42] N. Sendrier, “Code-Based Cryptography: State of the Art and Perspec- subseries Lecture Notes in Artificial Intelligence and Lecture Notes tives,” IEEE Security and Privacy, 2017. in Bioinformatics), 2013. [43] Wikipedia, “Linear Code,” pp. 1–17, 2007. [Online]. Available: [68] H. Minkowski, Geometric der Zahlen. Leipzig: Tuebner, 1910. https://en.wikipedia.org/wiki/Linear code { } [69] G. H. Hardy and E. M. Wright, An Introduction to the Theory of [44] S. Siim and V. S. May, “Study of McEliece cryptosystem,” pp. 1–19, Numbers, 6th ed. Oxford: OUP, 2008. 2015. [70] C. Peikert, “A decade of lattice cryptography,” Foundations and Trends [45] N. J. Patterson, “The Algebraic Decoding of Goppa Codes,” IEEE in Theoretical Computer Science, vol. 10, no. 4, pp. 283–424, 2016. Transactions on Information Theory, 1975. [46] H. Niederreiter, “Knapsack-type cryptosystems and algebraic coding [71] ——, “Lattice-Based Cryptography Lecture at QCrypt theory.” Probl. Control Inf. Theory, 1986. 2016,” QCrypt, Tech. Rep., 2016. [Online]. Available: [47] Y. X. Li, R. H. Deng, and X. M. Wang, “On the Equivalence https://www.youtube.com/watch?v=FVFw{ }qb1ZkY of McEliece’s and Niederreiter’s Public-Key Cryptosystems,” IEEE [72] ——, “Lattices in Cryptography,” 2015. Transactions on Information Theory, 1994. [73] B. Tourloupis, “Example: Drawing lattice [48] N. T. Courtois, M. Finiasz, and N. Sendrier, “How to Achieve a points and vectors,” 2012. [Online]. Available: McEliece-Based Digital Signature Scheme,” HAL-Inria, Tech. Rep., http://www.texample.net/tikz/examples/lattice-points/ 2001. [Online]. Available: https://hal.inria.fr/inria-00072511 [74] M. Ajtai, “Generating Hard Instances of Lattice Problems,” Stoc, 1996. [49] D. J. Bernstein, T. Chou, and P. Schwabe, “McBits: Fast constant- [75] O. Regev, “On lattices, learning with errors, random linear codes, and time code-based cryptography,” in Lecture Notes in Computer Science cryptography,” Journal of the ACM, 2009. (including subseries Lecture Notes in Artificial Intelligence and Lecture [76] C. Gentry, C. Peikert, and V. Vaikuntanathan, “Trapdoors for hard Notes in Bioinformatics), 2013. lattices and new cryptographic constructions,” 2008. [77] V. Lyubashevsky, D. Micciancio, C. Peikert, and A. Rosen, “SWIFFT: [100] D. J. Lilja, Measuring Computer Performance: A practitioner’s guide. A modest proposal for FFT hashing,” in Lecture Notes in Computer Cambridge University Press, 2000. Science (including subseries Lecture Notes in Artificial Intelligence and [101] E. Rescorla, “The Transport Layer Security (TLS) Protocol Version Lecture Notes in Bioinformatics), 2008. 1.3,” Tech. Rep., 2018. [78] J. Bos, C. Costello, L. Ducas, I. Mironov, M. Naehrig, V. Nikolaenko, [102] N. Sullivan, “A Detailed Look at RFC 8446,” 2018. [Online]. A. Raghunathan, and D. Stebila, “Frodo: Take off the ring! Practical, Available: https://new.blog.cloudflare.com/rfc-8446-aka-tls-1-3/ QuantumSecure Key Exchange from LWE,” CCS’16, 2016. [103] A. Brodie, “Overview of TLS v1.3,” [79] V. Lyubashevsky, C. Peikert, and O. Regev, “On ideal lattices and OWASP, Tech. Rep., 2018. [Online]. Available: learning with errors over rings,” in Lecture Notes in Computer Science https://www.owasp.org/images/9/91/OWASPLondon20180125{ }TLSv1.3{ }Andy{ }Brodie.pdf (including subseries Lecture Notes in Artificial Intelligence and Lecture [104] T. Buehler, “Design and Verification of the TLS 1.3 Handshake Notes in Bioinformatics), 2010. State Machine in LibreSSL,” BSDCan, Tech. Rep., 2019. [Online]. [80] E. Alkim, L. Ducas, T. P¨oppelmann, and P. Schwabe, “Post-quantum Available: https://www.bsdcan.org/2019/schedule/events/1088.en.html key exchange-a new hope *,” Proceedings of the 25th USENIX Security [105] R. Avanzi, J. Bos, L. Ducas, E. Kiltz, T. Lepoint, V. Lyubashevsky, Symposium, 2016. J. Schanck, P. Schwabe, G. Seiler, and S. Damien, “CRYSTALS- [81] J. W. Bos, C. Costello, M. Naehrig, and D. Stebila, “Post-quantum Kyber,” Tech. Rep., 2019. key exchange for the TLS protocol from the ring learning with errors [106] E. Alkim, J. W. Bos, L. Ducas, P. Longa, I. Mironov, M. Naehrig, problem,” in Proceedings - IEEE Symposium on Security and Privacy, V. Nikolaenko, C. Peikert, A. Raghunathan, and D. Stebila, 2015. “FrodoKEM: Learning with Errors Key Encapsulation Algorithm Spec- [82] A. Chopra, “GLYPH: A New Instantiation of the GLP Digital Signature ifications and Supporting Documentation,” Tech. Rep., 2019. Scheme,” 2017. [107] J.-P. D’Anvers, A. Karmakar, S. S. Roy, and F. Vercauteren, “SABER: [83] J. Hoffstein, J. Pipher, and J. H. Silverman, “NTRU: A ring-based Mod-LWR based KEM (Round 2 Submission),” Tech. Rep., 2019. public key cryptosystem,” 1998. [108] T. Poppelmann, E. Alkim, R. Avanzi, J. Bos, L. Ducas, A. de la [84] D. Stehl´e and R. Steinfeld, “Making NTRU as secure as worst-case Piedra, P. Schwabe, D. Stebila, M. R. Albrecht, E. Orsini, problems over ideal lattices,” in Lecture Notes in Computer Science V. Osheter, K. G. Paterson, G. Peer, and N. P. Smart, (including subseries Lecture Notes in Artificial Intelligence and Lecture “NewHope Specification,” Tech. Rep., 2019. [Online]. Available: Notes in Bioinformatics), 2011. https://newhopecrypto.org/data/NewHope{ }2019{ }07{ }10.pdf [85] J. Hoffstein, J. Pipher, and J. H. Silverman, “NSS: An NTRU Lattice- [109] C. Chen, O. Danba, J. Hoffstein, A. Hulsing, J. Rijneveld, J. M. Based Signature Scheme,” 2001. Schanck, P. Schwabe, W. Whyte, and Z. Zhang, “NTRU Round 2,” [86] L. Ducas, A. Durmus, T. Lepoint, and V. Lyubashevsky, “Lattice Tech. Rep., 2019. Signatures and Bimodal Gaussians,” ENS, Paris, Tech. Rep., 2013. [110] N. Aragon, P. S. L. M. Barreto, S. Bettaieb, L. Bidoux, O. Blazy, [Online]. Available: https://eprint.iacr.org/2013/383.pdf J.-C. Deneuville, P. Gaborit, S. Gueron, T. Guneysu, C. A. Melchor, R. Misoczki, E. Persichetti, N. Sendrier, J.-P. Tillich, V. Vasseur, and [87] A. Sutherland, “Elliptic Curves: Lecture 5,” G. Zemor, “BIKE: Bit Flipping Key Encapsulation,” Tech. Rep., 2019. MIT, Tech. Rep., 2015. [Online]. Available: https://math.mit.edu/classes/18.783/2015/LectureNotes5.pdf [111] D. Jao, R. Azarderakhsh, M. Campagna, C. Costello, L. D. Feo, B. Hess, A. Jalali, B. Koziel, B. LaMacchia, M. Naehrig, G. Pereira, [88] A. Stolbunov, “Constructing public-key cryptographic schemes based V. Soukharev, and D. Urbanik, “Supersingular Isogeny Key Encapsu- on class group action on a set of isogenous elliptic curves,” Advances lation,” Tech. Rep., 2019. in Mathematics of Communications, 2010. [112] A. Karmakar, J. M. B. Mera, S. S. Roy, and I. Verbauwhede, “Saber [89] A. Childs, D. Jao, and V. Soukharev, “Constructing elliptic curve on ARM: CCA-secure module lattice-based key encapsulation on Journal of Mathematical isogenies in quantum subexponential time,” ARM,” IACR Transactions on Cryptographic Hardware and Embedded Cryptology, 2014. Systems, no. 3, pp. 243–266, 2018. [90] D. Jao and L. De Feo, “Towards quantum-resistant cryptosystems from [113] M. J. Kannwischer, J. Rijneveld, P. Schwabe, and K. Stoffelen, “pqm4: supersingular elliptic curve isogenies,” Lecture Notes in Computer Testing and Benchmarking NIST PQC on ARM Cortex-M4,” Tech. Science, vol. 7071, pp. 19–34, 2011. Rep., 2019. [91] L. De Feo, D. Jao, and J. Plˆut, “Towards quantum-resistant cryp- [114] H. An, J. Lee, and K. Kim, “Performance Evaluation of liboqs in Open tosystems from supersingular elliptic curve isogenies,” Journal of Quantum Safe Project ( Part I ),” pp. 1–7, 2018. Mathematical Cryptology, 2014. [115] L. Malina, L. Popelova, P. Dzurenda, J. Hajny, and Z. Martinasek, “On [92] C. Costello, P. Longa, and M. Naehrig, “Efficient algorithms for Feasibility of Post-Quantum Cryptography on Small Devices,” IFAC- supersingular isogeny Diffie-Hellman,” in Lecture Notes in Computer PapersOnLine, vol. 51, no. 6, pp. 462–467, jan 2018. Science (including subseries Lecture Notes in Artificial Intelligence and [116] H. Seo, A. Jalali, and R. Azarderakhsh, “Optimized SIKE Round 2 on Lecture Notes in Bioinformatics), vol. 9814. Springer Verlag, 2016, 64-bit ARM,” Tech. Rep., 2019. pp. 572–601. [117] P. Czypek, S. Heyse, and E. Thomae, “Efficient implementations of [93] A. Faz-Hernandez, J. Lopez, E. Ochoa-Jimenez, and F. Rodriguez- MQPKS on constrained devices,” in Lecture Notes in Computer Science Henriquez, “A Faster Software Implementation of the Supersingular (including subseries Lecture Notes in Artificial Intelligence and Lecture Isogeny Diffie-Hellman Key Exchange Protocol,” IEEE Transactions Notes in Bioinformatics), 2012. on Computers, 2018. [118] R. Johansson and T. Strahl, “Post-quantum Secure [94] D. Moody, “Post-Quantum Cryptography: NIST’s Plan for the Future,” Communication on a Low Performance IoT Plat- Tech. Rep., 2016. form,” Ph.D. dissertation, Lund, 2016. [Online]. Available: [95] NIST, “Post-Quantum Cryptography: Round https://lup.lub.lu.se/student-papers/search/publication/8878692 2 Submissions,” 2019. [Online]. Available: [119] J. Suomalainen, A. Kotelba, J. Kreku, and S. Lehtonen, “Evaluating https://csrc.nist.gov/projects/post-quantum-cryptography/round-2-submissions the Efficiency of Physical and Cryptographic Security Solutions for [96] ——, “Round 1 Submissions,” 2017. [Online]. Available: Quantum Immune IoT,” Cryptography, 2018. https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions[120] J. Vatjus-Anttila, J. Kreku, J. Korpi, S. Khan, J. Saastamoinen, and [97] ——, “PQC Standardization Process: Second Round K. Tiensyrj¨a, “Early-phase performance exploration of embedded sys- Candidate Announcement,” 2019. [Online]. Available: tems with ABSOLUT framework,” Journal of Systems Architecture, https://csrc.nist.gov/news/2019/pqc-standardization-process-2nd-round-candidates2013. [98] D. Moody, “Round 2 of the NIST PQC [121] E. Crockett, C. Paquin, and D. Stebila, “Prototyping post-quantum ’Competition’,” NIST, Tech. Rep., 2019. [Online]. Available: and hybrid key exchange and authentication in TLS and SSH,” 2019. https://csrc.nist.gov/CSRC/media/Presentations/Round-2-of-the-NIST-PQC-Competition-What-was-NIST/image[Online]. Available: https://eprint.iacr.org/2019/858s-media/pqcrypto-may2019-moody.pdf.pdf [99] D. Stebila and M. Mosca, “Post-Quantum Key Exchange for the [122] L. Ducas, L. Ducas, E. Kiltz, T. Lepoint, V. Lyubashevsky, P. Schwabe, Internet and the Open Quantum Safe Project,” Lecture Notes in G. Seiler, and S. Damien, “CRYSTALS-Dilithium,” Tech. Rep., 2019. Computer Science (including subseries Lecture Notes in Artificial [123] N. Bindel, S. Akleylek, E. Alkim, P. S. L. M. Barreto, J. Buchmann, Intelligence and Lecture Notes in Bioinformatics), pp. 14–37, 2017. E. Eaton, G. Gutoski, J. Kramer, P. Longa, H. Polat, J. E. Ricardini, [Online]. Available: https://eprint.iacr.org/2016/1017.pdf and G. Zanon, “qTESLA 2nd Round Submission,” Tech. Rep., 2019. [124] M.-S. Chen, A. Hulsing, J. Rijneveld, S. Samardjiska, and P. Schwabe, “MQDSS 2nd Round Submission,” Tech. Rep., 2019. [125] M.-S. Chen, J. Ding, A. Petzoldt, D. Schmidt, and B.-Y. Yang, “Rainbow: Round 2 Submission,” Tech. Rep., 2019. [126] J.-P. Aumasson, D. J. Bernstein, C. Dobraunig, M. Eichlseder, S. Fluhrer, S.-L. Gazdag, A. Hulsing, P. Kampanakis, S. Kolbl, T. Lange, M. M. Lauridsen, F. Mendel, R. Niederhagen, C. Rechberger, J. Rijneveld, and P. Schwabe, “SPHINCS+,” Tech. Rep., 2019. [127] A. H¨ulsing, J. Rijneveld, and P. Schwabe, “ARMed SPHINCS comput- ing a 41KB signature in 16KB of RAM,” in Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 2016. [128] T. Matsumoto and H. Imai, “Public quadratic polynomial-tuples for efficient signature-verification and message-encryption,” in Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 1988. [129] S. K¨olbl, M. M. Lauridsen, F. Mendel, and C. Rechberger, “Haraka v2 Efficient Short-Input Hashing for Post-Quantum Applications,” IACR Transactions on Symmetric Cryptology, 2017. [130] NIST, “FIPS 180-2: Announcing the Secure Hash Standard,” FIPS, 2002. [131] ——, “Secure Hash Standard (SHS) (FIPS PUB 180-4),” Federal Information Processing Standards Publication, 2015. [132] E. R. Berlekamp, R. J. McEliece, and H. C. A. van Tilborg, “On the Inherent Intractability of Certain Coding Problems,” IEEE Transactions on Information Theory, 1978. [133] M. R. Garey and D. S. Johnson, “A Guide to the Theory of NP- Completeness,” 1979. [134] M. S. Chen, A. H¨ulsing, J. Rijneveld, S. Samardjiska, and P. Schwabe, “From 5-pass MQ-based identification to MQ-based signatures,” in Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 2016.