Post-Quantum Cryptography Daniel J. Bernstein · Johannes Buchmann Erik Dahmen Editors

Post-Quantum Cryptography

ABC Editors Daniel J. Bernstein Johannes Buchmann Department of Computer Science Erik Dahmen University of Illinois, Chicago Technische Universität Darmstadt 851 S. Morgan St. Department of Computer Science Chicago IL 60607-7053 Hochschulstr. 10 USA 64289 Darmstadt [email protected] Germany [email protected] [email protected]

ISBN: 978-3-540-88701-0 e-ISBN: 978-3-540-88702-7

Library of Congress Control Number: 2008937466

Mathematics Subject Classification Numbers (2000): 94A60

c 2009 Springer-Verlag Berlin Heidelberg This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilm or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer. Violations are liable to prosecution under the German Copyright Law.

The use of general descriptive names, registered names, trademarks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.

Cover design: WMX Design GmbH, Heidelberg

Printed on acid-free paper springer.com Preface

The first International Workshop on Post-Quantum Cryptography took place at the Katholieke Universiteit Leuven in 2006. Scientists from all over the world gave talks on the state of the art of quantum computers and on cryp- tographic schemes that may be able to resist attacks by quantum computers. The speakers and the audience agreed that post-quantum cryptography is a fascinating research challenge and that, if large quantum computers are built, post-quantum cryptography will be critical for the future of the Internet. So, during one of the coffee breaks, we decided to edit a book on this subject. Springer-Verlag promptly agreed to publish such a volume. We approached leading scientists in the respective fields and received favorable answers from all of them. We are now very happy to present this book. We hope that it serves as an introduction to the field, as an overview of the state of the art, and as an encouragement for many more scientists to join us in investigating post-quantum cryptography. We would like to thank the contributors to this volume for their smooth collaboration. We would also like to thank Springer-Verlag, and in particular Ruth Allewelt and Martin Peters, for their support. The first editor would like to additionally thank Tanja Lange for many illuminating discussions regarding post-quantum cryptography and for initiating the Post-Quantum Cryptogra- phy workshop series in the first place.

Chicago and Darmstadt, Daniel J. Bernstein December 2008 Johannes A. Buchmann Erik Dahmen Contents

Introduction to post-quantum cryptography Daniel J. Bernstein ...... 1 1 Is cryptography dead? ...... 1 2 A taste of post-quantum cryptography ...... 6 3 Challenges in post-quantum cryptography ...... 11 4 Comparison to quantum cryptography ...... 13 Quantum computing Sean Hallgren, Ulrich Vollmer ...... 15 1 Classical cryptography and quantum computing ...... 15 2 The computational model ...... 19 3 ThequantumFouriertransform ...... 22 4 Thehiddensubgroupproblem ...... 25 5 Searchalgorithms...... 29 6 Outlook...... 31 References...... 32 Hash-based Digital Signature Schemes Johannes Buchmann, Erik Dahmen, Michael Szydlo ...... 35 1 Hashbasedone-timesignatureschemes ...... 36 2 Merkle’streeauthenticationscheme ...... 40 3 One-timekey-pairgenerationusinganPRNG...... 44 4 Authentication path computation ...... 46 5 Treechaining...... 69 6 Distributedsignaturegeneration ...... 73 7 SecurityoftheMerkleSignatureScheme...... 81 References...... 91 Code-based cryptography Raphael Overbeck, Nicolas Sendrier ...... 95 1 Introduction...... 95 2 Cryptosystems...... 96 VIII Contents

3 The security of computing syndromes as one-way function ...... 106 4 Codesandstructures ...... 116 5 Practicalaspects...... 127 6 Annex...... 137 References...... 141 Lattice-based Cryptography Daniele Micciancio, Oded Regev ...... 147 1 Introduction...... 147 2 Preliminaries ...... 152 3 Finding Short Vectors in Random q-ary Lattices ...... 154 4 HashFunctions ...... 157 5 PublicKeyEncryptionSchemes...... 165 6 DigitalSignatureSchemes...... 180 7 Other Cryptographic Primitives ...... 185 8 OpenQuestions...... 186 References...... 187 Multivariate Public Key Cryptography Jintai Ding, Bo-Yin Yang ...... 193 1 Introduction...... 193 2 TheBasicsofMultivariatePKCs...... 194 3 ExamplesofMultivariatePKCs...... 198 4 BasicConstructionsandVariations...... 202 5 Standard Attacks ...... 215 6 TheFuture...... 229 References...... 234

Index ...... 243 List of Contributors

Daniel J. Bernstein Raphael Overbeck University of Illinois at Chicago EPFL, I&C, LASEC [email protected] [email protected]

Johannes Buchmann Oded Regev Technische Universität Darmstadt Tel-Aviv University [email protected]. tu-darmstadt.de Nicolas Sendrier Erik Dahmen INRIA Rocquencourt Technische Universität Darmstadt [email protected] [email protected]. tu-darmstadt.de Michael Szydlo Akamai Technologies Jintai Ding [email protected] University of Cincinnati [email protected] Ulrich Vollmer Sean Hallgren Berlin, Germany The Pennsylvania State University [email protected]

Daniele Micciancio Bo-Yin Yang University of California, San Diego Academia Sinica [email protected] [email protected]