Review Article

Post-quantum cryptography

Nature volume 549, pages 188–194 (14 September 2017)

Abstract

Cryptography is essential for the security of online communication, cars and implanted medical devices. However, many commonly used cryptosystems will be completely broken once large quantum computers exist. Post-quantum cryptography is cryptography under the assumption that the attacker has a large quantum computer; post-quantum cryptosystems strive to remain secure even in this scenario. This relatively young research area has seen some successes in identifying mathematical operations for which quantum algorithms offer little advantage in speed, and then building cryptographic systems around those. The central challenge in post-quantum cryptography is to meet demands for cryptographic usability and flexibility without sacrificing confidence.



Acknowledgements

We thank A. Hülsing and B.-Y. Yang for their comments. Author list is in alphabetical order; see https://www.ams.org/profession/leaders/culture/CultureStatement04.pdf. This work was supported by the European Commission under Contract ICT-645622 PQCRYPTO; by the Netherlands Organisation for Scientific Research (NWO) under grant 639.073.005; and by the US National Science Foundation under grant 1314919. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation (or other funding agencies).

Author information

Affiliations

  1. Department of Computer Science, University of Illinois at Chicago, Chicago, Illinois 60607-7045, USA

    • Daniel J. Bernstein
  2. Department of Mathematics and Computer Science, Technische Universiteit Eindhoven, 5612 AZ Eindhoven, The Netherlands

    • Tanja Lange


Contributions

D.J.B. and T.L. jointly inventoried the space of cryptographic systems, selected specific systems and quantum algorithms to cover, decided on the organization, and wrote text. No new experiments were performed.

Competing interests

The authors declare no competing financial interests.

Corresponding author

Correspondence to Tanja Lange.


About this article

DOI: https://doi.org/10.1038/nature23461