And “CRYSTALS-DILITHIUM” is, obviously, a Star Trek reference. :)
Not sure what browser you use, but in most you can select what you wanna search for, click "Search on $searchEngine for $term" and there you go! For PQC, I get the Wikipedia link with "PQC can refer to: Post-quantum cryptography" in the description as the 3rd result on Google.
Not sure what classifies as "fair amount", but for me it took about 1-2 seconds to find the Wikipedia link ;)
DJB is an author on the SPHINCS+ team; glad to see that his work will be part of the standard.
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&c...
It would not surprise me if OpenSSH only chooses to add SPHINCS+ and refuses the others.
These are meant as a gentle introduction to the ideas and intuitions behind the schemes. The book is recent but some of that stuff (hash-based signatures) I started writing back in 2015 and is available on my blog: https://cryptologie.net/article/306/one-time-signatures/
At the time the schemes had not yet been chosen, fortunately I picked the right ones :) don't have to rewrite that chapter (yet).
> In addition, NIST has engaged with third parties that own various patents directed to cryptography, and NIST acknowledges cooperation of ISARA, Philippe Gaborit, Carlos Aguilar Melchor, the laboratory XLIM, the French National Center for Scientific Research (CNRS), the University of Limoges, and Dr. Jintai Ding. NIST and these third parties are finalizing agreements such that the patents owned by the third parties will not be asserted against implementers (or end-users) of a standard for the selected cryptographic algorithm.
and
> NIST expects to execute the various agreements prior to publishing the standard. If the agreements are not executed by the end of 2022, NIST may consider selecting NTRU instead of KYBER. NTRU was proposed in 1996, and U.S. patents were dedicated to the public in 2007.
It's really unfortunate that the licensing terms weren't announced at the same time: Depending on how they're written the result may still be unattractive to use, and since they've already announced the selection NIST probably just lost some amount of negotiating leverage.
(As the obvious negotiation would be "agree to these terms we find reasonable, or we just select NTRU prime")
It would probably be interesting to look up who of these people also has patents outside of the USA. If there really is someone being particularly stubborn, one might reasonably expect them to enforce the non-US patent variant outside of the USA.
It is especially interesting that neither NTRU nor NTRU Prime (a different proposal) is advancing to the 4th round. Wouldn't you want to encourage more analysis for your (implied) runner-up?
> Overall assessment. One important feature of NTRU is that because it has been around for longer, its IP situation is more clearly understood. The original designers put their patents into the public domain [113], in addition to most of them having expired.
> As noted by the submitters, NTRU may not be the fastest or smallest among the lattice KEM finalists, and for most applications and use cases, the performance would not be a problem. Nonetheless, as NIST has selected KYBER for standardization, NTRU will therefore not be considered for standardization in the fourth round.
https://nvlpubs.nist.gov/nistpubs/ir/2022/NIST.IR.8413.pdf
"NTRU is obviously legal and perfectly suitable, but we're not picking it." I find this to be a baffling position given the as-yet-unsolved patent issues with KYBER.
Press release: https://techxplore.com/news/2022-07-nist-quantum-resistant-c...
What is your prediction for when classical public key encryption using elliptic curve cryptography becomes practically vulnerable to quantum computers, such that we would need these PQC algorithms?
10 years out? 20 years out? 50 years out? 100 years out?
There's a lot of investment currently in the quantum computer space (+ a lot of hype and scams). Yet this is still all very early research and far away from any practical use. The challenges to really build a QC that can break cryptography are enormous - and it is absolutely a possibility that they're too big to overcome.
https://www.forbes.com/sites/arthurherman/2021/06/07/q-day-i...
There are some other examples of people factoring special-form composites that are particularly easy to factor on quantum computers, but those are basically stunts with no impact.
To threaten RSA, quantum computers need to increase the number of qubits by 6 orders of magnitude and improve the error correction by at least 2 orders of magnitude. Check out this blog post for an illustration of where we are at: https://sam-jaques.appspot.com/quantum_landscape
There is a table of transition algorithms on the second or third page, depending on your screen size. [1]
[1] https://apps.nsa.gov/iaarchive/programs/iad-initiatives/cnsa...
The community prediction is 22% by 2032 which seems way too high IMO. I predict 5% due to advances in automated algorithm search and 0% due to quantum computers in that time frame.
https://arxiv.org/pdf/2009.05045v1.pdf
See Figure 11. Optimistically 15 years. Pessimistically 35 years. But anything can happen.
Given that (varied) expert opinion on quantum computing being able to break current public key cryptography seems to mostly fall in the 10-20 year range, there is some, at least mild, urgency to start using PQC for the most sensitive data relatively soon.
Bitcoin uses ECDSA to validate whether coins were spent by the owner of an address.
https://en.bitcoin.it/wiki/Elliptic_Curve_Digital_Signature_...
This tells me that Algorand is one of the more serious blockchain projects out there with top cryptographers as evidenced by Falcon.
Any predictions on these time scales are pretty much pointless.
> Both BIKE and HQC are based on structured codes, and either would be suitable as a general-purpose KEM that is not based on lattices
What's up with this caveat? Why would the standard require algorithms not based on lattices assuming there is confidence in the lattice based approach?
Is this a security concern, or is there some performance (ops/sec or size) related trade-off?
Consider the graph in the Classic McEliece marketing materials, showing the exponent in the attack costs for lattice-based crypto:
https://classic.mceliece.org/comparison.html
Because of communication cost considerations the lattice candidates use problems small enough that another substantial improvement in attacks could leave them vulnerable (no shock that they use small problems: if you're really not communication cost constrained use McEliece and don't worry about it).
If you do use lattice key agreement, be sure to use it in a hybrid configuration (combined with ECC like ed25519 or Curve448) to avoid the (small but hard to assess) risk that your security upgrade could actually be a security downgrade.
See also SHA-3 vs SHA-256
Perhaps NIST knows something we don't ; ^ )
[1] - https://twitter.com/CJTjhai/status/1544398903591796736
At a very high level, all of the three rely on an n x n matrix at a certain point. The "structured lattice" schemes (Kyber/Saber) make structural assumptions about this matrix, say that each row is a cyclic shift of the previous row. This turns an O(n^2) object into an O(n) object, giving many performance improvements. The downside is that the additional structure can plausibly be used for attacks (but the best attacks ignore the structure, so this is a "potential issue", not a current issue).
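An added illustration of the point made in that comment (this is example code written for this page, not code from any of the NIST submissions): a matrix whose rows are cyclic shifts of one row is stored as n numbers instead of n^2, and multiplying it by a vector is the same thing as multiplying two polynomials modulo x^n - 1. Kyber actually works in Z_q[x]/(x^n + 1) with q = 3329, where each row is the cyclic shift with the wrapped coefficient negated; the `negacyclic` flag covers that case. The polynomial sizes and coefficients here are constructed and kept small; the time saving (the NTT) is not shown, only the storage saving.

```python
"""Structured ("circulant") lattice matrices vs. their O(n^2) expansion.

Added example: shows that the n x n matrix used by structured-lattice schemes
is determined by its first row, and that matrix-vector multiplication with it
equals polynomial multiplication in Z_q[x]/(x^n - 1) (cyclic) or
Z_q[x]/(x^n + 1) (negacyclic, the ring Kyber uses).  Schoolbook time is still
O(n^2) here; the NTT that makes it O(n log n) is out of scope.
"""

Q = 3329  # Kyber's modulus


def structured_matrix(a, negacyclic=False, q=Q):
    """Expand the O(n) description `a` (the first row, as a polynomial) to n x n.

    M[i][j] = a[(i - j) mod n]; in the negacyclic case the coefficients that
    wrapped around (j > i) are negated, which is reduction modulo x^n + 1.
    """
    n = len(a)
    rows = []
    for i in range(n):
        row = []
        for j in range(n):
            v = a[(i - j) % n]
            if negacyclic and j > i:
                v = -v
            row.append(v % q)
        rows.append(row)
    return rows


def matvec(m, s, q=Q):
    """Plain matrix-vector product over Z_q: what an unstructured scheme pays for."""
    return [sum(mij * sj for mij, sj in zip(row, s)) % q for row in m]


def ring_mul(a, s, negacyclic=False, q=Q):
    """a(x) * s(x) reduced modulo x^n - 1 (or x^n + 1), using only the n coefficients of a."""
    n = len(a)
    c = [0] * n
    for i, ai in enumerate(a):
        for j, sj in enumerate(s):
            k = i + j
            term = ai * sj
            if k >= n:            # x^n wraps to +1 (cyclic) or -1 (negacyclic)
                k -= n
                if negacyclic:
                    term = -term
            c[k] = (c[k] + term) % q
    return c


def demo(n=8, negacyclic=False):
    """Check both views agree; return (coefficients stored, matrix entries stored)."""
    # Constructed sample polynomials with coefficients in [0, q).
    a = [(7 * i * i + 3) % Q for i in range(n)]
    s = [(11 * i + 5) % Q for i in range(n)]
    m = structured_matrix(a, negacyclic)
    assert matvec(m, s) == ring_mul(a, s, negacyclic)
    return len(a), sum(len(row) for row in m)


if __name__ == "__main__":
    for flag in (False, True):
        stored, expanded = demo(8, flag)
        print("negacyclic" if flag else "cyclic", "->", stored, "coefficients describe", expanded, "entries")
```

Run as a script it prints the storage ratio for n = 8; the assertions inside `demo` are the actual check that the row-shifted matrix and the ring product compute the same thing.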
Edit: lol, actually it looks like you guys borrowed some of my code for that. (Which is totally fine and part of the point of open source!)
If you assume the PQC KEM doesn't interact with classical ECDH, you might want to get some kind of PQC KEM rolled out as quickly as you can, in a dual construction with ECDH; the worst that happens is, your new KEM isn't quantum-safe (or anything-safe), but your ECDH holds up. But that's (if you believe in quantum attacks on crypto) still better than no PQC KEM at all.
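The dual construction described in the two comments above (lattice KEM alongside ECDH, so that a broken KEM leaves you with the ECDH security you already had), as an added example that is not from the original thread: a pure-Python X25519 following RFC 7748, and a combiner that feeds both shared secrets plus the public transcript into HKDF-SHA256. The KEM side is represented by constructed byte strings standing in for what a real KEM's encaps/decaps would return (no Kyber implementation is included), and the combiner label and the exact transcript binding are this example's own choices; the general shape, concatenating both secrets into one KDF input, is the same idea the comments describe.

```python
"""Hybrid key agreement: X25519 shared secret combined with a PQ KEM shared secret.

Added example.  X25519 is implemented per RFC 7748; the PQ KEM is *not*
implemented, its outputs are constructed placeholders.  The combiner is
illustrative: concatenating both secrets means an attacker must know both.
"""
import hashlib
import hmac

P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def _clamp(k: bytes) -> int:
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5; returns the shared u-coordinate."""
    k = _clamp(scalar)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 extract-then-expand with HMAC-SHA256."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hybrid_key(ss_ecdh: bytes, ss_pq: bytes, ct_pq: bytes, pk_a: bytes, pk_b: bytes) -> bytes:
    """Combine both shared secrets; bind the KEM ciphertext and ECDH public keys as context.

    The label is this example's own, not a standard's.  Because both secrets sit
    in the IKM, learning ss_pq alone (a broken KEM) does not yield the key.
    """
    return hkdf_sha256(ss_ecdh + ss_pq, b"", b"hybrid-x25519-pqkem-example" + pk_a + pk_b + ct_pq)


def run_exchange():
    """Alice and Bob agree a hybrid key; also return what a KEM-breaking attacker gets."""
    a_sk = hashlib.sha256(b"alice test seed").digest()   # constructed, not a real key
    b_sk = hashlib.sha256(b"bob test seed").digest()     # constructed, not a real key
    a_pk, b_pk = x25519(a_sk, BASEPOINT), x25519(b_sk, BASEPOINT)
    ct_pq = b"\x42" * 64   # placeholder for the KEM ciphertext Alice would send
    ss_pq = b"\x11" * 32   # placeholder for the KEM shared secret both sides derive
    k_alice = hybrid_key(x25519(a_sk, b_pk), ss_pq, ct_pq, a_pk, b_pk)
    k_bob = hybrid_key(x25519(b_sk, a_pk), ss_pq, ct_pq, a_pk, b_pk)
    # Worst case from the comment: the KEM is worthless and ss_pq is known to the
    # attacker.  Without the ECDH secret they can only guess it (zeros here).
    k_attacker = hybrid_key(b"\x00" * 32, ss_pq, ct_pq, a_pk, b_pk)
    return k_alice, k_bob, k_attacker


def dh_commutes(seed1: bytes, seed2: bytes) -> bool:
    """Sanity check of the ladder: k1*(k2*G) == k2*(k1*G) and is not the zero point."""
    k1, k2 = hashlib.sha256(seed1).digest(), hashlib.sha256(seed2).digest()
    shared = x25519(k1, x25519(k2, BASEPOINT))
    return shared == x25519(k2, x25519(k1, BASEPOINT)) and shared != bytes(32)


if __name__ == "__main__":
    ka, kb, kx = run_exchange()
    print("alice == bob:", ka == kb, " attacker with only ss_pq matches:", kx == ka)
```

The asymmetric case matters too: if X25519 were the one to fall (a working quantum computer), `ss_ecdh` becomes attacker-known and the key then rests on `ss_pq` alone, which is the whole point of carrying both.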
Good news is that we are likely more than 10 years away from QCs being useful enough to do this.
There's a linked PDF paper with more detail.
He also alleges that NIST have been moving the goal posts to favor Kyber, and they've been duplicitous in their narrative.
He favors NTRU, which IIRC isn't his.
https://mark-schultz.github.io/nist-standard-out/
It's the same base scheme as Saber/Kyber, although as Saber/Kyber are over algebraically structured lattices they are significantly more efficient.