ABSTRACT
Public key cryptography is widely used to secure transactions over the Internet. However, advances in quantum computers threaten to undermine the security assumptions upon which currently used public key cryptographic algorithms are based. In this paper, we provide a survey of some of the public key cryptographic algorithms that have been developed that, while not currently in widespread use, are believed to be resistant to quantum computing based attacks and discuss some of the issues that protocol designers may need to consider if there is a need to deploy these algorithms at some point in the future.
- M. Ajtai. The shortest vector problem in L<sub>2</sub> is NP-hard for randomized reductions (extended abstract). In Proceedings of the Thirtieth Annual ACM Symposium on the Theory of Computing, pages 10--19, 1998. Google ScholarDigital Library
- M. Ajtai and C. Dwork. A public-key cryptosystem with worst-case/average-case equivalence. In STOC '97: Proceedings of the twenty-ninth annual ACM symposium on Theory of computing, pages 284--293, 1997. Google ScholarDigital Library
- E. Barker, W. Barker, W. Burr, W. Polk, and M. Smid. Recommendation for key management -- part 1: General. NIST special publication 800-57, National Institute of Standards and Technology, Mar. 2007.Google Scholar
- C. Bennett, E. Bernstein, G. Brassard, and U. Vazirani. Strengths and weaknesses of quantum computation. Special Issue on Quantum Computation of the Siam Journal of Computing, Oct. 1997. Google ScholarDigital Library
- D. Boneh and M. Franklin. Identity-based encryption from the Weil pairing. SIAM J. of Computing, 32(3):586--615, 2003. Google ScholarDigital Library
- D. Boneh, B. Lynn, and H. Shacham. Short signatures from the Weil pairing. In Advances in Cryptology -- ASIACRYPT 2001, 7th International Conference on the Theory and Application of Cryptology and Information Security, pages 514--532, 2001. Google ScholarDigital Library
- J. Buchmann, C. Coronado, M. Döring, D. Engelbert, C. Ludwig, R. Overbeck, A. Schmidt, U. Vollmer, and R.-P. Weinmann. Post-quantum signatures. Cryptology ePrint Archive, Report 2004/297, 2004.Google Scholar
- J. L. Carter and M. N. Wegman. Universal classes of hash functions (extended abstract). In STOC '77: Proceedings of the ninth annual ACM symposium on Theory of computing, pages 106--112, 1977. Google ScholarDigital Library
- B. Chor and R. L. Rivest. A knapsack type public key cryptosystem based on arithmetic in finite fields. IEEE Transactions on Information Theory, 34(5):901--909, Sept. 1988.Google ScholarDigital Library
- S. Cook. The importance of the P versus NP question. Journal of the ACM, 50(1):27--29, 2003. Google ScholarDigital Library
- N. Courtois, M. Finiasz, and N. Sendrier. How to achieve a McEliece-based digital signature scheme. In Advances in Cryptology -- ASIACRYPT 2001, 7th International Conference on the Theory and Application of Cryptology and Information Security, pages 157--174, 2001. Google ScholarDigital Library
- N. T. Courtois, L. Goubin, and J. Patarin. SFLASH<sup>v3</sup>, a fast asymmetric signature scheme. Cryptology ePrint Archive, Report 2003/211, 2003.Google Scholar
- D. Deutsch and R. Jozsa. Rapid solution of problems by quantum computation. Proc Roy Soc Lond A, 439:553--558, Oct. 1992.Google ScholarCross Ref
- W. Diffie and M. E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, IT-22(6):644--654, Nov. 1976.Google ScholarDigital Library
- V. Dubois, P.-A. Fouque, A. Shamir, and J. Stern. Practical cryptanalysis of SFLASH. In Advances in Cryptology -- CRYPTO 2007, 27th Annual International Cryptology Conference, pages 1--12, 2007. Google ScholarDigital Library
- R. Feynman. Simulating physics with computers. International Journal of Theoretical Physics, 21(6&7):467--488, 1982.Google ScholarCross Ref
- FIPS 186-2. Digital Signature Standard (DSS). National Institute of Standards and Technology, Jan. 2000.Google Scholar
- N. Gama and P. Q. Nguyen. New chosen-ciphertext attacks on NTRU. In Public Key Cryptography -- PKC 2007, 10th International Conference on Practice and Theory in Public-Key Cryptography, pages 89--106, 2007. Google ScholarDigital Library
- T. E. Gamal. A public key cryptosystem and a signature scheme based on discrete logarithms. In Advances in Cryptology, Proceedings of CRYPTO '84, pages 10--18, 1984. Google ScholarDigital Library
- L. C. C. García. On the security and the efficiency of the Merkle signature scheme. Cryptology ePrint Archive, Report 2005/192, 2005.Google Scholar
- C. Gentry. Key recovery and message attacks on NTRU-composite. In Advances in Cryptology -- EUROCRYPT 2001, International Conference on the Theory and Application of Cryptographic Techniques, pages 182--194, 2001. Google ScholarDigital Library
- C. Gentry, J. Jonsson, J. Stern, and M. Szydlo. Cryptanalysis of the NTRU signature scheme (NSS) from Eurocrypt 2001. In Advances in Cryptology -- ASIACRYPT 2001, 7th International Conference on the Theory and Application of Cryptology and Information Security, pages 1--20, 2001. Google ScholarDigital Library
- O. Goldreich, S. Goldwasser, and S. Halevi. Public-key cryptosystems from lattice reduction problems. In Advances in Cryptology -- CRYPTO '97, 17th Annual International Cryptology Conference, pages 112--131, 1997. Google ScholarDigital Library
- L. K. Grover. A fast quantum mechanical algorithm for database search. In STOC '96: Proceedings of the twenty-eighth annual ACM symposium on Theory of computing, pages 212--219, 1996. Google ScholarDigital Library
- J. Hoffstein, N. Howgrave-Graham, J. Pipher, J. H. Silverman, and W. Whyte. NTRUSign: Digital signatures using the NTRU lattice. In Topics in Cryptology -- CT-RSA 2003, The Cryptographers' Track at the RSA Conference 2003, pages 122--140, 2003. Google ScholarDigital Library
- J. Hoffstein, N. Howgrave-Graham, J. Pipher, J. H. Silverman, and W. Whyte. NTRUEncrypt and NTRUSign: efficient public key algorithms for a post-quantum world. In PQCrypto 2006: International Workshop on Post-Quantum Cryptography, pages 141--158, May 2006.Google Scholar
- J. Hoffstein, J. Pipher, and J. H. Silverman. NTRU: A ring-based public key cryptosystem. In Algorithmic Number Theory (ANTS-III): Proceedings of the Third International Symposium on Algorithmic Number Theory, pages 267--288, June 1998. Google ScholarDigital Library
- J. Hoffstein, J. Pipher, and J. H. Silverman. NSS: An NTRU lattice-based signature scheme. In Advances in Cryptology -- EUROCRYPT 2001, International Conference on the Theory and Application of Cryptographic Techniques, pages 211--228, 2001. Google ScholarDigital Library
- N. Howgrave-Graham. A hybrid lattice-reduction and meet-in-the-middle attack against NTRU. In Advances in Cryptology -- CRYPTO 2007, 27th Annual International Cryptology Conference, pages 150--169, 2007. Google ScholarDigital Library
- N. Howgrave-Graham, J. H. Silverman, A. Singer, and W. Whyte. NAEP: Provable security in the presence of decryption failures.Google Scholar
- É. Jaulmes and A. Joux. A chosen-ciphertext attack against NTRU. In Advances in Cryptology -- CRYPTO 2000, 20th Annual International Cryptology Conference, pages 20--35, 2000. Google ScholarDigital Library
- N. Koblitz. Elliptic curve cryptosystems. Mathematics of Computation, 48(177):203--209, 1987.Google ScholarCross Ref
- L. Lamport. Constructing digital signatures from a one-way function. Technical Report CSL-98, SRI International, Oct. 1979.Google Scholar
- R. J. McEliece. A public-key cryptosystem based on algebraic coding theory. Deep Space Network Progress Report 42--44, Jet Propulsion Laboratory, California Institute of Technology, pages 114--116, 1978.Google Scholar
- R. C. Merkle. Security, Authentication, and Public Key Systems. PhD thesis, Stanford University, June 1979. Google ScholarDigital Library
- R. C. Merkle. A certified digital signature. In Advances in Cryptology -- CRYPTO '89, 9th Annual International Cryptology Conference, pages 218--238, 1989. Google ScholarDigital Library
- R. C. Merkle and M. E. Hellman. Hiding information and signatures in trapdoor knapsacks. IEEE Transactions on Information Theory, 24(5):525--530, Sept. 1978.Google ScholarDigital Library
- T. Meskanen and A. Renvall. A wrap error attack against NTRUEncrypt. Discrete Applied Mathematics, 154(2):382--391, Feb. 2006.Google ScholarDigital Library
- D. Micciancio. Improving lattice based cryptosystems using the Hermite normal form. In Cryptography and Lattices Conference --- CaLC 2001, pages 126--145, Mar. 2001. Google ScholarDigital Library
- V. S. Miller. Use of elliptic curves in cryptography. In Advances in Cryptology -- CRYPTO '85, pages 417--426, 1986. Google ScholarDigital Library
- M. Myers, R. Ankney, A. Malpani, S. Galperin, and C. Adams. X.509 Internet Public Key Infrastructure Online Certificate Status Protocol -- OCSP. RFC 2560 (Proposed Standard), June 1999. Google ScholarDigital Library
- P. Q. Nguyen. A note on the security of NTRUsign. Cryptology ePrint Archive, Report 2006/387, 2006.Google Scholar
- NTRU Announces Signature Algorithm, NTRUSign, viewed November 12, 2008, (http://www.ntru.com/cryptolab/intro_ntrusign.htm).Google Scholar
- M. O. Rabin. Digitalized signatures and public-key functions as intractable as factorization. Technical Report MIT/LCS/TR-212, MIT Laboratory for Computer Science, Jan. 1979. Google ScholarDigital Library
- O. Regev. New lattice-based cryptographic constructions. Journal of the ACM, 51(6):899--942, Nov. 2004. Google ScholarDigital Library
- R. L. Rivest, A. Shamir, and L. M. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120--126, Feb. 1978. Google ScholarDigital Library
- S. Robinson. Emerging insights on limitations of quantum computing shape quest for fast algorithms. SIAM News, 36(1), January/February 2003.Google Scholar
- C.-P. Schnorr and H. H. Hörner. Attacking the Chor-Rivest cryptosystem by improved lattice reduction. In Advances in Cryptology -- EUROCRYPT '95, International Conference on the Theory and Application of Cryptographic Techniques, pages 1--12, 1995. Google ScholarDigital Library
- A. Shamir. A polynomial time algorithm for breaking the basic Merkle-Hellman cryptosystem. In Advances in Cryptology: Proceedings of CRYPTO '82, pages 279--288, 1982.Google Scholar
- C. Shannon. Communication theory of secrecy systems. Bell System Technical Journal, 28(4):656--715, 1949.Google ScholarCross Ref
- P. W. Shor. Algorithms for quantum computation: Discrete logarithms and factoring. In Proceedings of the 35th Symposium on Foundations of Computer Science, pages 124--134, 1994. Google ScholarDigital Library
- P. van Emde Boas. Another NP-complete problem and the complexity of computing short vectors in a lattice. Technical Report 81-04, University of Amsterdam, Department of Mathematics, Netherlands, 1981.Google Scholar
- G. S. Vernam. US patent #1,310,719: Secret signaling system, July 1919.Google Scholar
- W. Whyte. NTRUSign and P1363.1, Apr. 2006. http://grouper.ieee.org/groups/1363/WorkingGroup/presentations/P1363.1-2006-04.ppt.Google Scholar
- H. C. Williams. A modification of the RSA public-key encryption procedure. IEEE Transactions on Information Theory, IT-26(6):726--729, Nov. 1980.Google ScholarDigital Library
Index Terms
- Quantum resistant public key cryptography: a survey
Recommendations
Signcryption from randomness recoverable public key encryption
We propose a new generic construction for signcryption and show that it is secure under the security models which are comparable to the security against adaptive chosen ciphertext attacks for public key encryption and the existential unforgeability ...
Public‐key encryption indistinguishable under plaintext‐checkable attacks
Indistinguishability under chosen‐ciphertext attack (IND‐CCA) is now considered the de facto security notion for public‐key encryption. However, this sometimes offers a stronger security guarantee than what is needed. In this study, the authors consider a ...
Selective opening security of practical public‐key encryption schemes
The authors show that two well‐known and widely employed public‐key encryption schemes – RSA optimal asymmetric encryption padding (RSA‐OAEP) and Diffie–Hellman integrated encryption scheme (DHIES), instantiated with a one‐time pad, – are secure under (...
Comments