Page 30

PQC_for_Dummies

was acquired by Security Innovation in 2009. Security Innovation released the NTRUEncrypt patents into the public domain in March 2017. The initial parameters have been shown to be insecure; the current, presumably secure, parameters require public-key sizes of about 1.5 kB to 2.0 kB (for 256-bit classical security). The ciphertext has the same length as the public key. Recent improvements to NTRUEncrypt are based on the Ring-LWE problem [56]. Closely related to NTRUEncrypt is the signature scheme NTRUSign. The original version of NTRUSign was broken, but improved versions exist that prevent the known attacks. Further lattice-based signature schemes are, e.g., BLISS [27], GLP [34], and TESLA [2]. However, the security of lattice-based schemes against quantum-computer attacks is not yet well understood. Therefore, there are often no specific parameter recommendations for post-quantum security for these signature schemes. These schemes are quite young and their security is still under investigation (e.g., [15]). Besides public-key encryption and signature schemes, there are key-exchange protocols that make use of the LWE problem. A prominent example is the protocol NewHope [3], which has been experimentally adopted by Google [12]. Unlike the classical Diffie-Hellman (DH) protocol, NewHope is not symmetric and needs two rounds for key agreement; it is instead based on public-key encryption, using a new key for each key exchange. Like the DH protocol, NewHope does not include authentication, which must be achieved by other means. The rationale behind this design decision is to achieve long-term security of sensitive data at low cost. Breaking today's long-term public keys in the future, e.g., by using a quantum computer, does not break the privacy of the communication if a secure ephemeral key-exchange protocol is used.
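The two-round, encryption-based structure described above, and the later point that such an exchange is combined with a separate authentication mechanism, can be made concrete with a small worked example. The code below is added here and is not from this report, from NewHope, or from Google's experiment: NewHope itself works over Ring-LWE with a reconciliation step, whereas this example uses a plain Regev-style LWE encryption scheme with constructed toy parameters (Q, N, M) that are chosen only so that decryption is always correct and are far too small for real security. The initiator sends a fresh ephemeral public key (round 1); the responder encrypts a random secret under it and sends the ciphertexts back (round 2); both derive the session key from the transcript and the secret, and the ephemeral secret key is discarded. The `authenticate` function is a constructed stand-in for the classical signature that a real deployment would layer on top (an HMAC with a shared long-term key, so that the example runs with the standard library alone); all function names are this example's own.

```python
"""Toy two-round key exchange from LWE public-key encryption (added example, not NewHope)."""
import hashlib
import hmac
import secrets

# Constructed toy parameters: chosen only so that decryption is always correct
# (|r^T e| <= M < Q/4); far too small to offer any real security.
Q = 4093   # modulus
N = 32     # dimension of the secret
M = 64     # number of LWE samples in a public key
HALF_Q = Q // 2

def _uniform(length):
    return [secrets.randbelow(Q) for _ in range(length)]

def _small(length):
    # error entries in {-1, 0, 1}
    return [secrets.randbelow(3) - 1 for _ in range(length)]

def lwe_keygen():
    """Public key (A, b = A*s + e mod Q) and secret key s."""
    s = _uniform(N)
    A = [_uniform(N) for _ in range(M)]
    b = [(sum(a * x for a, x in zip(row, s)) + e) % Q for row, e in zip(A, _small(M))]
    return (A, b), s

def lwe_encrypt_bit(pk, bit):
    """Regev-style encryption of one bit with a fresh random r in {0,1}^M."""
    A, b = pk
    r = [secrets.randbelow(2) for _ in range(M)]
    u = [sum(r[j] * A[j][i] for j in range(M)) % Q for i in range(N)]
    v = (sum(rj * bj for rj, bj in zip(r, b)) + bit * HALF_Q) % Q
    return u, v

def lwe_decrypt_bit(sk, ct):
    """v - <u, s> = r^T e + bit*HALF_Q (mod Q); round to the nearer of 0 and HALF_Q."""
    u, v = ct
    d = (v - sum(ui * si for ui, si in zip(u, sk))) % Q
    return 1 if abs(d - HALF_Q) < min(d, Q - d) else 0

def bytes_to_bits(data):
    return [(byte >> i) & 1 for byte in data for i in range(8)]

def bits_to_bytes(bits):
    return bytes(sum(bits[k + i] << i for i in range(8)) for k in range(0, len(bits), 8))

def transcript_bytes(pk, cts):
    """Serialise the two messages (public key, ciphertexts) so both sides hash the same bytes."""
    A, b = pk
    ints = [x for row in A for x in row] + b + [x for u, v in cts for x in (*u, v)]
    return b",".join(str(x).encode() for x in ints)

def derive_key(pk, cts, secret):
    """Session key bound to the transcript and to the encrypted secret."""
    return hashlib.sha256(transcript_bytes(pk, cts) + b"|" + secret).digest()

def responder_round2(pk):
    """Round 2: choose a random secret and encrypt it bit by bit under the ephemeral public key."""
    secret = secrets.token_bytes(16)
    cts = [lwe_encrypt_bit(pk, bit) for bit in bytes_to_bits(secret)]
    return cts, derive_key(pk, cts, secret)

def initiator_finish(sk, pk, cts):
    """Initiator decrypts the secret with its ephemeral secret key and derives the same key."""
    secret = bits_to_bytes([lwe_decrypt_bit(sk, ct) for ct in cts])
    return derive_key(pk, cts, secret)

def authenticate(long_term_key, pk, cts):
    """Constructed stand-in for a classical signature over the transcript: HMAC under a
    long-term key. A real deployment would sign with a long-term signing key and the
    peer would verify with the matching public key."""
    return hmac.new(long_term_key, transcript_bytes(pk, cts), hashlib.sha256).digest()

def run_exchange(long_term_key):
    """Full flow: round 1 (pk), round 2 (ciphertexts + authentication tag), key derivation."""
    pk, sk = lwe_keygen()                       # round 1: fresh ephemeral key pair; pk is sent
    cts, key_responder = responder_round2(pk)   # round 2: ciphertexts are sent back
    tag = authenticate(long_term_key, pk, cts)  # responder authenticates the transcript
    ok = hmac.compare_digest(tag, authenticate(long_term_key, pk, cts))  # initiator checks it
    key_initiator = initiator_finish(sk, pk, cts)
    del sk                                      # ephemeral secret is discarded after use
    return key_initiator, key_responder, ok

if __name__ == "__main__":
    k_i, k_r, verified = run_exchange(b"constructed-long-term-key")
    print(k_i.hex(), k_i == k_r, verified)
```

Note that the long-term key enters only the authentication tag, never the key derivation: a party that later obtains it can forge future transcripts but learns nothing about a past session key, which depends on an ephemeral secret key that no longer exists.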
By switching to post-quantum ephemeral key exchange now, a future attacker does not learn the encryption keys even if he breaks the long-term authentication keys. Therefore, combining a post-quantum ephemeral key exchange with a classical authentication scheme provides a cost-efficient, long-term secure authenticated key exchange for the interim period until all cryptographic primitives have been transitioned to post-quantum secure schemes.

Hash-based Cryptography

The approach of hash-based cryptography is conceptually different from code-based and lattice-based cryptography.

