Post-quantum cryptography
Post-quantum cryptography (sometimes referred to as quantum-proof, quantum-safe or quantum-resistant) refers to cryptographic algorithms (usually public-key algorithms) that are thought to be secure against an attack by a quantum computer. As of 2018, this is not true for the most popular public-key algorithms, which can be efficiently broken by a sufficiently strong hypothetical quantum computer. The problem with currently popular algorithms is that their security relies on one of three hard mathematical problems: the integer factorization problem, the discrete logarithm problem or the elliptic-curve discrete logarithm problem. All of these problems can be easily solved on a sufficiently powerful quantum computer running Shor's algorithm.^{[1]}^{[2]} Even though current, publicly known, experimental quantum computers lack the processing power to break any real cryptographic algorithm,^{[3]} many cryptographers are designing new algorithms to prepare for a time when quantum computing becomes a threat. This work has gained greater attention from academics and industry through the PQCrypto conference series since 2006 and more recently through several workshops on Quantum Safe Cryptography hosted by the European Telecommunications Standards Institute (ETSI) and the Institute for Quantum Computing.^{[4]}^{[5]}^{[6]}
In contrast to the threat quantum computing poses to current public-key algorithms, most current symmetric cryptographic algorithms and hash functions are considered to be relatively secure against attacks by quantum computers.^{[2]}^{[7]} While the quantum Grover's algorithm does speed up attacks against symmetric ciphers, doubling the key size can effectively block these attacks.^{[8]} Thus post-quantum symmetric cryptography does not need to differ significantly from current symmetric cryptography. See the section on the symmetric-key approach below.
Algorithms
Currently, post-quantum cryptography research is mostly focused on six different approaches:^{[2]}^{[5]}
Lattice-based cryptography
This approach includes cryptographic systems such as learning with errors, ring learning with errors (ring-LWE),^{[9]}^{[10]}^{[11]} the ring learning with errors key exchange and the ring learning with errors signature, the older NTRU or GGH encryption schemes, and the newer NTRU signature and BLISS signatures.^{[12]} Some of these schemes, like NTRU encryption, have been studied for many years without anyone finding a feasible attack. Others, like the ring-LWE algorithms, have proofs that their security reduces to a worst-case problem.^{[13]} The Post Quantum Cryptography Study Group sponsored by the European Commission suggested that the Stehlé–Steinfeld variant of NTRU be studied for standardization rather than the NTRU algorithm.^{[14]}^{[15]} At that time, NTRU was still patented.
Multivariate cryptography
This includes cryptographic systems such as the Rainbow (Unbalanced Oil and Vinegar) scheme which is based on the difficulty of solving systems of multivariate equations. Various attempts to build secure multivariate equation encryption schemes have failed. However, multivariate signature schemes like Rainbow could provide the basis for a quantum secure digital signature.^{[16]} There is a patent on the Rainbow Signature Scheme.
Hash-based cryptography
This includes cryptographic systems such as Lamport signatures and the Merkle signature scheme and the newer XMSS^{[17]} and SPHINCS^{[18]} schemes. Hash-based digital signatures were invented in the late 1970s by Ralph Merkle and have been studied ever since as an interesting alternative to number-theoretic digital signatures like RSA and DSA. Their primary drawback is that for any hash-based public key, there is a limit on the number of signatures that can be signed using the corresponding set of private keys. This fact had reduced interest in these signatures until interest was revived due to the desire for cryptography that was resistant to attack by quantum computers. There appear to be no patents on the Merkle signature scheme and there exist many non-patented hash functions that could be used with these schemes. The stateful hash-based signature scheme XMSS is described in RFC 8391.^{[19]} Note that all the above schemes are one-time or bounded-time signatures. Moni Naor and Moti Yung invented UOWHF hashing in 1989 and designed a signature based on hashing (the Naor–Yung scheme)^{[20]} which can be unlimited-time in use (the first such signature that does not require trapdoor properties).
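The Lamport and Merkle constructions just described, as an added worked example written for this article (it is not code from XMSS, SPHINCS or any library): a Lamport one-time signature under a 4-leaf Merkle tree, built only from SHA-256, with the signer state that enforces the bounded number of signatures the paragraph mentions. The tree height, the hash function and the counter-based state are choices assumed for the demonstration.

```python
import hashlib
import os

# Illustrative code for this article, not a production scheme. A 4-leaf tree
# means this public key can sign at most 4 messages; larger trees (and XMSS /
# SPHINCS) raise the bound but the bound itself never goes away.
LEAVES = 4


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def msg_bits(msg: bytes):
    """The 256 bits of H(msg); each bit selects one preimage to reveal."""
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_keygen():
    # private key: 256 pairs of random 32-byte preimages; public key: their hashes
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(H(x0), H(x1)) for x0, x1 in sk]
    return sk, pk


def lamport_sign(sk, msg: bytes):
    # reveal, for each bit of H(msg), the preimage chosen by that bit
    return [sk[i][b] for i, b in enumerate(msg_bits(msg))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    # security rests only on the one-wayness of H, as the text states
    return all(H(sig[i]) == pk[i][b] for i, b in enumerate(msg_bits(msg)))


def pk_digest(pk) -> bytes:
    # one hash commits to the whole 16 KB Lamport public key (a tree leaf)
    return H(b"".join(h0 + h1 for h0, h1 in pk))


class MerkleSigner:
    """Stateful signer: next_index records which one-time keys are spent."""

    def __init__(self):
        self.ots = [lamport_keygen() for _ in range(LEAVES)]
        self.layers = [[pk_digest(pk) for _, pk in self.ots]]
        while len(self.layers[-1]) > 1:
            prev = self.layers[-1]
            self.layers.append([H(prev[i] + prev[i + 1]) for i in range(0, len(prev), 2)])
        self.root = self.layers[-1][0]  # the 32-byte long-term public key
        self.next_index = 0

    def sign(self, msg: bytes):
        if self.next_index >= LEAVES:
            # signing again would reuse a Lamport key and reveal further preimages;
            # a stateful scheme must refuse rather than carry on
            raise RuntimeError("all one-time keys spent")
        idx = self.next_index
        self.next_index += 1
        sk, pk = self.ots[idx]
        auth, i = [], idx
        for layer in self.layers[:-1]:  # sibling at each level = authentication path
            auth.append(layer[i ^ 1])
            i //= 2
        return idx, lamport_sign(sk, msg), pk, auth


def merkle_verify(root: bytes, msg: bytes, signature) -> bool:
    idx, ots_sig, pk, auth = signature
    if not lamport_verify(pk, msg, ots_sig):
        return False
    node, i = pk_digest(pk), idx
    for sibling in auth:  # recompute the path from the leaf up to the root
        node = H(sibling + node) if i & 1 else H(node + sibling)
        i //= 2
    return node == root


def signature_size(signature) -> int:
    """Bytes on the wire: revealed preimages + Lamport public key + auth path."""
    _, ots_sig, pk, auth = signature
    return sum(len(x) for x in ots_sig) + sum(len(a) + len(b) for a, b in pk) + 32 * len(auth)


def demo():
    signer = MerkleSigner()
    ok = [merkle_verify(signer.root, m, signer.sign(m)) for m in (b"m0", b"m1", b"m2", b"m3")]
    try:
        signer.sign(b"one too many")
        exhausted = False
    except RuntimeError:
        exhausted = True
    return ok, exhausted
```

The 24 KB signature this toy produces is why the schemes in the comparison table below spend so much effort on compressing the one-time public key and the path.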
Code-based cryptography
This includes cryptographic systems which rely on error-correcting codes, such as the McEliece and Niederreiter encryption algorithms and the related Courtois, Finiasz and Sendrier signature scheme. The original McEliece signature using random Goppa codes has withstood scrutiny for over 30 years. However, many variants of the McEliece scheme, which seek to introduce more structure into the code used in order to reduce the size of the keys, have been shown to be insecure.^{[21]} The Post Quantum Cryptography Study Group sponsored by the European Commission has recommended the McEliece public key encryption system as a candidate for long-term protection against attacks by quantum computers.^{[14]}
Supersingular elliptic curve isogeny cryptography
This cryptographic system relies on the properties of supersingular elliptic curves and supersingular isogeny graphs to create a Diffie–Hellman replacement with forward secrecy.^{[22]} It uses the well-studied mathematics of supersingular elliptic curves to create a Diffie–Hellman-like key exchange that can serve as a straightforward quantum-computing-resistant replacement for the Diffie–Hellman and elliptic curve Diffie–Hellman key exchange methods that are in widespread use today. Because it works much like existing Diffie–Hellman implementations, it offers forward secrecy, which is viewed as important both to prevent mass surveillance by governments and to protect against the compromise of long-term keys through failures.^{[23]} In 2012, researchers Sun, Tian and Wang of the Chinese State Key Lab for Integrated Service Networks and Xidian University extended the work of De Feo, Jao, and Plut to create quantum-secure digital signatures based on supersingular elliptic curve isogenies.^{[24]} There are no patents covering this cryptographic system.
Symmetric-key quantum resistance
Provided one uses sufficiently large key sizes, symmetric-key cryptographic systems like AES and SNOW 3G are already resistant to attack by a quantum computer.^{[25]} Further, key management systems and protocols that use symmetric-key cryptography instead of public-key cryptography, like Kerberos and the 3GPP Mobile Network Authentication Structure, are also inherently secure against attack by a quantum computer. Given its widespread deployment in the world already, some researchers recommend expanded use of Kerberos-like symmetric key management as an efficient and effective way to get post-quantum cryptography today.^{[26]}
Security reductions
In cryptography research, it is desirable to prove the equivalence of a cryptographic algorithm and a known hard mathematical problem. These proofs are often called "security reductions", and are used to demonstrate the difficulty of cracking the encryption algorithm. In other words, the security of a given cryptographic algorithm is reduced to the security of a known hard problem. Researchers are actively looking for security reductions in the prospects for post-quantum cryptography. Current results are given here:
Lattice-based cryptography – Ring-LWE signature
In some versions of Ring-LWE there is a security reduction to the shortest-vector problem (SVP) in a lattice as a lower bound on the security. The SVP is known to be NP-hard.^{[27]} Specific ring-LWE systems that have provable security reductions include a variant of Lyubashevsky's ring-LWE signatures defined in a paper by Güneysu, Lyubashevsky, and Pöppelmann.^{[10]} The GLYPH signature scheme is a variant of the Güneysu, Lyubashevsky, and Pöppelmann (GLP) signature which takes into account research results that have come after the publication of the GLP signature in 2012. Another Ring-LWE signature is Ring-TESLA.^{[28]}
Lattice-based cryptography – NTRU, BLISS
The security of the NTRU encryption scheme and the BLISS^{[12]} signature is believed to be related to, but not provably reducible to, the closest vector problem (CVP) in a lattice. The CVP is known to be NP-hard. The Post Quantum Cryptography Study Group sponsored by the European Commission suggested that the Stehlé–Steinfeld variant of NTRU, which does have a security reduction, be studied for long-term use instead of the original NTRU algorithm.^{[14]}
Multivariate cryptography – Rainbow
The Rainbow Multivariate Equation Signature Scheme is a member of a class of multivariate quadratic equation cryptosystems called "Unbalanced Oil and Vinegar Cryptosystems" (UOV Cryptosystems). Bulygin, Petzoldt and Buchmann have shown a reduction of generic multivariate quadratic UOV systems to the NP-hard Multivariate Quadratic Equation Solving problem.^{[29]}
Hash-based cryptography – Merkle signature scheme
In 2005, Luis Garcia proved that there was a security reduction of Merkle Hash Tree signatures to the security of the underlying hash function. Garcia showed in his paper that if computationally one-way hash functions exist then the Merkle Hash Tree signature is provably secure.^{[30]}
Therefore, if one used a hash function with a provable reduction of security to a known hard problem, one would have a provable security reduction of the Merkle tree signature to that known hard problem.^{[31]}
The Post Quantum Cryptography Study Group sponsored by the European Commission has recommended use of the Merkle signature scheme for long-term security protection against quantum computers.^{[14]}
Code-based cryptography – McEliece
The McEliece encryption system has a security reduction to the syndrome decoding problem (SDP). The SDP is known to be NP-hard.^{[32]} The Post Quantum Cryptography Study Group sponsored by the European Commission has recommended the use of this cryptography for long-term protection against attack by a quantum computer.^{[14]}
Code-based cryptography – RLCE
In 2016, Wang proposed a random linear code encryption scheme, RLCE,^{[33]} which is based on McEliece schemes. An RLCE scheme can be constructed using any linear code, such as a Reed–Solomon code, by inserting random columns in the underlying linear code generator matrix.
Supersingular elliptic curve isogeny cryptography
Security is related to the problem of constructing an isogeny between two supersingular curves with the same number of points. The most recent investigation of the difficulty of this problem, by Delfs and Galbraith, indicates that this problem is as hard as the inventors of the key exchange suggest that it is.^{[34]} There is no security reduction to a known NP-hard problem.
Comparison
One common characteristic of many post-quantum cryptography algorithms is that they require larger key sizes than commonly used "pre-quantum" public key algorithms. There are often trade-offs to be made in key size, computational efficiency and ciphertext or signature size. The table below lists some values for different schemes at a 128-bit post-quantum security level. An empty Signature cell means the scheme is an encryption or key-exchange scheme, or that no value was given.

| Algorithm | Type | Public key | Private key | Signature |
|---|---|---|---|---|
| NTRU Encrypt^{[35]} | Lattice | 6130 B | 6743 B | |
| Streamlined NTRU Prime | Lattice | 1232 B | | |
| Rainbow^{[36]} | Multivariate | 124 KB | 95 KB | |
| SPHINCS^{[18]} | Hash signature | 1 KB | 1 KB | 41 KB |
| SPHINCS+^{[37]} | Hash signature | 32 B | 64 B | 8 KB |
| BLISS-II | Lattice | 7 KB | 2 KB | 5 KB |
| GLP-variant GLYPH signature^{[10]}^{[38]} | Ring-LWE | 2 KB | 0.4 KB | 1.8 KB |
| New Hope^{[39]} | Ring-LWE | 2 KB | 2 KB | |
| Goppa-based McEliece^{[14]} | Code-based | 1 MB | 11.5 KB | |
| Random linear code based encryption^{[40]} | RLCE | 115 KB | 3 KB | |
| Quasi-cyclic MDPC-based McEliece^{[41]} | Code-based | 1232 B | 2464 B | |
| SIDH^{[42]} | Isogeny | 751 B | 48 B | |
| SIDH (compressed keys)^{[43]} | Isogeny | 564 B | 48 B | |
| 3072-bit Discrete Log | not PQC | 384 B | 32 B | 96 B |
| 256-bit Elliptic Curve | not PQC | 32 B | 32 B | 65 B |

A practical consideration on a choice among post-quantum cryptographic algorithms is the effort required to send public keys over the internet. From this point of view, the Ring-LWE, NTRU, and SIDH algorithms provide key sizes conveniently under 1 KB, hash-signature public keys come in under 5 KB, and MDPC-based McEliece takes about 1 KB. On the other hand, Rainbow schemes require about 125 KB and Goppa-based McEliece requires a nearly 1 MB key.
Lattice-based cryptography – LWE key exchange and Ring-LWE key exchange
The fundamental idea of using LWE and Ring-LWE for key exchange was proposed and filed at the University of Cincinnati in 2011 by Jintai Ding. The basic idea comes from the associativity of matrix multiplications, and the errors are used to provide the security. The paper^{[44]} appeared in 2012 after a provisional patent application was filed in 2012.
In 2014, Peikert^{[45]} presented a key transport scheme following the same basic idea as Ding's, where the new idea of sending an additional 1-bit signal for rounding in Ding's construction is also utilized. For somewhat greater than 128 bits of security, Singh presents a set of parameters which have 6956-bit public keys for Peikert's scheme.^{[46]} The corresponding private key would be roughly 14,000 bits.
In 2015, an authenticated key exchange with provable forward security following the same basic idea as Ding's was presented at Eurocrypt 2015,^{[47]} which is an extension of the HMQV^{[48]} construction from Crypto 2005. The parameters for different security levels from 80 bits to 350 bits, along with the corresponding key sizes, are provided in the paper.^{[47]}
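As an added illustration of the key exchange idea described above (toy code written for this article, not Ding's, Peikert's or any library's implementation): a Ring-LWE exchange in Z_Q[x]/(x^N + 1) in which both parties reach a·s_A·s_B plus small even error terms, and Ding's 1-bit signal with its robust extractor reconciles the two values into the same key bits. N = 16, B = 2 and the modulus Q = 12289 are assumed toy parameters with no security; a real instance uses N = 512 or 1024 and derives a full-length key.

```python
import random

# Toy parameters, assumed for this demonstration only (no security whatsoever).
N = 16               # ring dimension; real schemes use 512 or 1024
Q = 12289            # odd modulus, as Ding's extractor requires
B = 2                # error coefficients are drawn uniformly from [-B, B]
HALF = (Q - 1) // 2


def center(v):
    """Representative of v mod Q in [-(Q-1)/2, (Q-1)/2]."""
    v %= Q
    return v - Q if v > HALF else v


def poly_mul(a, b):
    """Product in Z_Q[x]/(x^N + 1): x^N wraps around as -1 (negacyclic)."""
    res = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k = i + j
            if k < N:
                res[k] = (res[k] + ai * bj) % Q
            else:
                res[k - N] = (res[k - N] - ai * bj) % Q
    return res


def poly_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]


def small_poly(rng):
    return [rng.randint(-B, B) for _ in range(N)]


def signal(v):
    """Ding's hint bit: 0 if the centered value lies in [-Q//4, Q//4], else 1."""
    return 0 if -(Q // 4) <= center(v) <= Q // 4 else 1


def mod2(v, w):
    """Robust extractor: when w = 1, shift by (Q-1)/2 so the value sits away from the
    +/-Q/2 wraparound, then take the parity of the centered representative."""
    return center(v + w * HALF) % 2


def keygen(a, rng):
    """Public value p = a*s + 2e; the factor 2 makes the error vanish under mod2."""
    s, e = small_poly(rng), small_poly(rng)
    return s, poly_add(poly_mul(a, s), [(2 * x) % Q for x in e])


def respond(a, p_a, rng):
    """Bob: k_B = p_A*s_B + 2e'_B; publish p_B and the signal bits w, keep mod2(k_B, w)."""
    s_b, p_b = keygen(a, rng)
    k_b = poly_add(poly_mul(p_a, s_b), [(2 * x) % Q for x in small_poly(rng)])
    w = [signal(v) for v in k_b]
    return p_b, w, [mod2(v, wi) for v, wi in zip(k_b, w)]


def finish(p_b, w, s_a, rng):
    """Alice: k_A = p_B*s_A + 2e'_A differs from k_B by 2(e_B s_A - e_A s_B + e'_A - e'_B),
    a small even amount, so Bob's signal steers both sides to the same parity bits."""
    k_a = poly_add(poly_mul(p_b, s_a), [(2 * x) % Q for x in small_poly(rng)])
    return [mod2(v, wi) for v, wi in zip(k_a, w)]


def run_exchange(seed=1):
    rng = random.Random(seed)   # seeded for reproducibility; use a CSPRNG in practice
    a = [rng.randrange(Q) for _ in range(N)]   # public, uniformly random ring element
    s_a, p_a = keygen(a, rng)                  # fresh per session: this is what gives forward secrecy
    p_b, w, key_b = respond(a, p_a, rng)
    key_a = finish(p_b, w, s_a, rng)
    return key_a, key_b
```

With these parameters every coefficient difference stays far below Q/4, which is the condition under which the extractor is guaranteed to agree; without the signal, values that straddle the wraparound at ±Q/2 would disagree in parity.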
Lattice-based cryptography – NTRU encryption
For 128 bits of security in NTRU, Hirschhorn, Hoffstein, Howgrave-Graham and Whyte recommend using a public key represented as a degree 613 polynomial with coefficients . This results in a public key of 6130 bits. The corresponding private key would be 6743 bits.^{[35]}
Multivariate cryptography – Rainbow signature
For 128 bits of security and the smallest signature size in a Rainbow multivariate quadratic equation signature scheme, Petzoldt, Bulygin and Buchmann recommend using equations in with a public key size of just over 991,000 bits, a private key of just over 740,000 bits and digital signatures which are 424 bits in length.^{[36]}
Hash-based cryptography – Merkle signature scheme
In order to get 128 bits of security for hash-based signatures to sign 1 million messages using the fractal Merkle tree method of Naor, Shenhav and Wool, the public and private key sizes are roughly 36,000 bits in length.^{[49]}
Code-based cryptography – McEliece
For 128 bits of security in a McEliece scheme, the European Commission's Post Quantum Cryptography Study Group recommends using a binary Goppa code of length at least and dimension at least , and capable of correcting errors. With these parameters the public key for the McEliece system will be a systematic generator matrix whose non-identity part takes bits. The corresponding private key, which consists of the code support with elements from and a generator polynomial of with coefficients from , will be 92,027 bits in length.^{[14]}
The group is also investigating the use of quasi-cyclic MDPC codes of length at least and dimension at least , and capable of correcting errors. With these parameters the public key for the McEliece system will be the first row of a systematic generator matrix whose non-identity part takes bits. The private key, a quasi-cyclic parity-check matrix with nonzero entries on a column (or twice as many on a row), takes no more than bits when represented as the coordinates of the nonzero entries on the first row.
Barreto et al. recommend using a binary Goppa code of length at least and dimension at least , and capable of correcting errors. With these parameters the public key for the McEliece system will be a systematic generator matrix whose non-identity part takes bits.^{[50]} The corresponding private key, which consists of the code support with elements from and a generator polynomial of with coefficients from , will be 40,476 bits in length.
Supersingular elliptic curve isogeny cryptography
For 128 bits of security in the supersingular isogeny Diffie–Hellman (SIDH) method, De Feo, Jao and Plut recommend using a supersingular curve modulo a 768-bit prime. If one uses elliptic curve point compression the public key will need to be no more than 8×768 or 6144 bits in length.^{[51]} A March 2016 paper by authors Azarderakhsh, Jao, Kalach, Koziel, and Leonardi showed how to cut the number of bits transmitted in half, which was further improved by authors Costello, Jao, Longa, Naehrig, Renes and Urbanik, resulting in a compressed-key version of the SIDH protocol with public keys only 2640 bits in size.^{[43]} This makes the number of bits transmitted roughly equivalent to the non-quantum-secure RSA and Diffie–Hellman at the same classical security level.^{[52]}
Symmetric-key-based cryptography
As a general rule, for 128 bits of security in a symmetric-key-based system, one can safely use key sizes of 256 bits. The best quantum attack against generic symmetric-key systems is an application of Grover's algorithm, which requires work proportional to the square root of the size of the key space. To transmit an encrypted key to a device that possesses the symmetric key necessary to decrypt that key requires roughly 256 bits as well. It is clear that symmetric-key systems offer the smallest key sizes for post-quantum cryptography.
Forward secrecy
A public-key system demonstrates a property referred to as perfect forward secrecy when it generates random public keys per session for the purposes of key agreement. This means that the compromise of one message cannot lead to the compromise of others, and also that there is not a single secret value which can lead to the compromise of multiple messages. Security experts recommend using cryptographic algorithms that support forward secrecy over those that do not.^{[53]} The reason for this is that forward secrecy can protect against the compromise of long-term private keys associated with public/private key pairs. This is viewed as a means of preventing mass surveillance by intelligence agencies.
Both the Ring-LWE key exchange and the supersingular isogeny Diffie–Hellman (SIDH) key exchange can support forward secrecy in one exchange with the other party. Both Ring-LWE and SIDH can also be used without forward secrecy by creating a variant of the classic ElGamal encryption variant of Diffie–Hellman.
The other algorithms in this article, such as NTRU, do not support forward secrecy as is.
Any authenticated public key encryption system can be used to build a key exchange with forward secrecy.^{[54]}
Open Quantum Safe project
The Open Quantum Safe^{[55]}^{[56]} (OQS) project was started in late 2016 and has the goal of developing and prototyping quantum-resistant cryptography. It aims to integrate current post-quantum schemes in one library: liboqs.^{[57]} liboqs is an open-source C library for quantum-resistant cryptographic algorithms. liboqs initially focuses on key exchange algorithms. liboqs provides a common API suitable for post-quantum key exchange algorithms, and will collect together various implementations. liboqs will also include a test harness and benchmarking routines to compare the performance of post-quantum implementations. Furthermore, OQS also provides integration of liboqs into OpenSSL.^{[58]}
As of April 2017, the following key exchange algorithms are supported:^{[55]}
| Algorithm | Type |
|---|---|
| BCNS15^{[59]} | Ring learning with errors key exchange |
| NewHope^{[60]}^{[39]} | Ring learning with errors key exchange |
| Frodo^{[61]} | Learning with errors |
| NTRU^{[62]} | Lattice-based cryptography |
| SIDH^{[63]}^{[64]} | Supersingular isogeny key exchange |
| McBits^{[65]} | Error-correcting codes |
Implementation
One of the main challenges in post-quantum cryptography is considered to be the implementation of potentially quantum-safe algorithms into existing systems. Tests have been done, for example by Microsoft Research, which implemented PICNIC in a PKI using hardware security modules.^{[66]} Test implementations for Google's NewHope algorithm have also been done by HSM vendors.
See also
 Ideal lattice cryptography (ring learning with errors is one example of ideal lattice cryptography)
 Post-Quantum Cryptography Standardization by NIST
 Quantum cryptography, for cryptography based on quantum mechanics; likely to be implemented in quantum computers.
References
 [1] Peter W. Shor (1997). "Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer". SIAM Journal on Computing. 26 (5): 1484–1509. arXiv:quant-ph/9508027. doi:10.1137/S0097539795293172.
 [2] Daniel J. Bernstein (2009). "Introduction to post-quantum cryptography" (PDF). (Introductory chapter to the book "Post-quantum Cryptography").
 [3] "New qubit control bodes well for future of quantum computing". phys.org.
 [4] "Cryptographers Take On Quantum Computers". IEEE Spectrum. 2009-01-01.
 [5] "Q&A With Post-Quantum Computing Cryptography Researcher Jintai Ding". IEEE Spectrum. 2008-11-01.
 [6] "ETSI Quantum Safe Cryptography Workshop". ETSI. October 2014. Retrieved 24 February 2015.
 [7] Daniel J. Bernstein (2009-05-17). "Cost analysis of hash collisions: Will quantum computers make SHARCS obsolete?" (PDF).
 [8] Daniel J. Bernstein (2010-03-03). "Grover vs. McEliece" (PDF).
 [9] Peikert, Chris (2014). "Lattice Cryptography for the Internet". IACR. Archived from the original (PDF) on 31 January 2014. Retrieved 10 May 2014.
 [10] Güneysu, Tim; Lyubashevsky, Vadim; Pöppelmann, Thomas (2012). "Practical Lattice-Based Cryptography: A Signature Scheme for Embedded Systems" (PDF). INRIA. Retrieved 12 May 2014.
 [11] Zhang, Jiang (2014). "Authenticated Key Exchange from Ideal Lattices". iacr.org. IACR. Archived from the original (PDF) on 17 August 2014. Retrieved 7 September 2014.
 [12] Ducas, Léo; Durmus, Alain; Lepoint, Tancrède; Lyubashevsky, Vadim (2013). "Lattice Signatures and Bimodal Gaussians". Retrieved 2015-04-18.
 [13] Lyubashevsky, Vadim; Peikert; Regev (2013). "On Ideal Lattices and Learning with Errors Over Rings". IACR. Archived from the original (PDF) on 22 July 2013. Retrieved 14 May 2013.
 [14] Augot, Daniel (7 September 2015). "Initial recommendations of long-term secure post-quantum systems" (PDF). PQCRYPTO. Retrieved 13 September 2015.
 [15] Stehlé, Damien; Steinfeld, Ron (2013-01-01). "Making NTRUEncrypt and NTRUSign as Secure as Standard Worst-Case Problems over Ideal Lattices".
 [16] Ding, Jintai; Schmidt (7 June 2005). Ioannidis, John, ed. Rainbow, a New Multivariable Polynomial Signature Scheme. Third International Conference, ACNS 2005, New York, NY, USA, June 7–10, 2005. Proceedings. Lecture Notes in Computer Science. 3531. pp. 64–175. doi:10.1007/11496137_12. ISBN 978-3-540-26223-7.
 [17] Buchmann, Johannes; Dahmen, Erik; Hülsing, Andreas (2011). "XMSS – A Practical Forward Secure Signature Scheme Based on Minimal Security Assumptions". Lecture Notes in Computer Science. 7071 (Post-Quantum Cryptography. PQCrypto 2011): 117–129. CiteSeerX 10.1.1.400.6086. doi:10.1007/978-3-642-25405-5_8. ISSN 0302-9743.
 [18] Bernstein, Daniel J.; Hopwood, Daira; Hülsing, Andreas; Lange, Tanja; Niederhagen, Ruben; Papachristodoulou, Louiza; Schneider, Michael; Schwabe, Peter; Wilcox-O'Hearn, Zooko (2015). Oswald, Elisabeth; Fischlin, Marc, eds. SPHINCS: practical stateless hash-based signatures. Lecture Notes in Computer Science. 9056. Springer Berlin Heidelberg. pp. 368–397. CiteSeerX 10.1.1.690.6403. doi:10.1007/978-3-662-46800-5_15. ISBN 978-3-662-46799-2.
 [19] "RFC 8391 – XMSS: eXtended Merkle Signature Scheme". tools.ietf.org.
 [20] Moni Naor, Moti Yung: Universal One-Way Hash Functions and their Cryptographic Applications. STOC 1989: 33–43.
 [21] Overbeck, Raphael; Sendrier (2009). Bernstein, Daniel, ed. Code-based cryptography. Post-Quantum Cryptography. pp. 95–145. doi:10.1007/978-3-540-88702-7_4. ISBN 978-3-540-88701-0.
 [22] De Feo, Luca; Jao; Plut (2011). "Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies" (PDF). PQCrypto 2011. Retrieved 14 May 2014.
 [23] Higgins, Peter (2013). "Pushing for Perfect Forward Secrecy, an Important Web Privacy Protection". Electronic Frontier Foundation. Retrieved 15 May 2014.
 [24] Sun, Xi; Tian; Wang (19–21 Sep 2012). Toward Quantum-Resistant Strong Designated Verifier Signature from Isogenies. Intelligent Networking and Collaborative Systems (INCoS), 2012 4th International Conference on. pp. 292–296. doi:10.1109/iNCoS.2012.70. ISBN 978-1-4673-2281-2.
 [25] Perlner, Ray; Cooper (2009). "Quantum Resistant Public Key Cryptography: A Survey". NIST. Retrieved 23 Apr 2015.
 [26] Campagna, Matt; Hardjono; Pintsov; Romansky; Yu (2013). "Kerberos Revisited: Quantum-Safe Authentication" (PDF). ETSI.
 [27] Lyubashevsky, Vadim; Peikert; Regev (25 June 2013). "On Ideal Lattices and Learning with Errors Over Rings" (PDF). Springer. Retrieved 19 June 2014.
 [28] Akleylek, Sedat; Bindel, Nina; Buchmann, Johannes; Krämer, Juliane; Marson, Giorgia Azzurra (2016). "An Efficient Lattice-Based Signature Scheme with Provably Secure Instantiation".
 [29] Bulygin, Stanislav; Petzoldt; Buchmann (2010). Towards Provable Security of the Unbalanced Oil and Vinegar Signature Scheme under Direct Attacks. Progress in Cryptology – INDOCRYPT 2010. Lecture Notes in Computer Science. 6498. pp. 17–32. CiteSeerX 10.1.1.294.3105. doi:10.1007/978-3-642-17401-8_3. ISBN 978-3-642-17400-1.
 [30] Pereira, Geovandro; Puodzius, Cassius; Barreto, Paulo (2016). "Shorter hash-based signatures". Journal of Systems and Software. 116: 95–100. doi:10.1016/j.jss.2015.07.007.
 [31] Garcia, Luis. "On the security and the efficiency of the Merkle signature scheme" (PDF). Cryptology ePrint Archive. IACR. Retrieved 19 June 2013.
 [32] Blaum, Mario; Farrell; Tilborg (31 May 2002). Information, Coding and Mathematics. Springer. ISBN 978-1-4757-3585-7.
 [33] Wang, Yongge (2016). "Quantum resistant random linear code based public key encryption scheme RLCE". Proceedings of Information Theory (ISIT). IEEE ISIT: 2519–2523. arXiv:1512.08454.
 [34] Delfs, Christina; Galbraith (2013). "Computing isogenies between supersingular elliptic curves over F_p". arXiv:1310.7789 [math.NT].
 [35] Hirschhorn, P.; Hoffstein; Howgrave-Graham; Whyte. "Choosing NTRUEncrypt Parameters in Light of Combined Lattice Reduction and MITM Approaches" (PDF). NTRU. Retrieved 12 May 2014.
 [36] Petzoldt, Albrecht; Bulygin; Buchmann (2010). "Selecting Parameters for the Rainbow Signature Scheme – Extended Version". Archived from the original (PDF) on 11 Aug 2010. Retrieved 12 May 2014.
 [37] "SPHINCS+: Submission to the NIST post-quantum project" (PDF).
 [38] Chopra, Arjun (2017). "GLYPH: A New Instantiation of the GLP Digital Signature Scheme".
 [39] Alkim, Erdem; Ducas, Léo; Pöppelmann, Thomas; Schwabe, Peter (2015). "Post-quantum key exchange – a new hope" (PDF). Cryptology ePrint Archive, Report 2015/1092. Retrieved 1 September 2017.
 [40] Wang, Yongge (2017). "Revised Quantum Resistant Public Key Encryption Scheme RLCE and IND-CCA2 Security for McEliece Schemes".
 [41] Misoczki, R.; Tillich, J. P.; Sendrier, N.; Barreto, P. S. L. M. (2013). MDPC-McEliece: New McEliece variants from Moderate Density Parity-Check codes. 2013 IEEE International Symposium on Information Theory. pp. 2069–2073. CiteSeerX 10.1.1.259.9109. doi:10.1109/ISIT.2013.6620590. ISBN 978-1-4799-0446-4.
 [42] Costello, Craig; Longa, Patrick; Naehrig, Michael (2016). "Efficient algorithms for supersingular isogeny Diffie-Hellman" (PDF). Advances in Cryptology.
 [43] Costello, Craig; Jao; Longa; Naehrig; Renes; Urbanik. "Efficient Compression of SIDH public keys". Retrieved 8 October 2016.
 [44] Ding, Jintai; Xie, Xiang; Lin, Xiaodong (2012-01-01). "A Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Problem".
 [45] Peikert, Chris (2014-01-01). "Lattice Cryptography for the Internet".
 [46] Singh, Vikram (2015). "A Practical Key Exchange for the Internet using Lattice Cryptography". Retrieved 2015-04-18.
 [47] Zhang, Jiang; Zhang, Zhenfeng; Ding, Jintai; Snook, Michael; Dagdelen, Özgür (2015-04-26). Oswald, Elisabeth; Fischlin, Marc, eds. Authenticated Key Exchange from Ideal Lattices. Lecture Notes in Computer Science. Springer Berlin Heidelberg. pp. 719–751. CiteSeerX 10.1.1.649.1864. doi:10.1007/978-3-662-46803-6_24. ISBN 978-3-662-46802-9.
 [48] Krawczyk, Hugo (2005-08-14). "HMQV: A High-Performance Secure Diffie-Hellman Protocol". In Shoup, Victor. Advances in Cryptology – CRYPTO 2005. Lecture Notes in Computer Science. 3621. Springer Berlin Heidelberg. pp. 546–566. doi:10.1007/11535218_33. ISBN 978-3-540-28114-6.
 [49] Naor, Dalit; Shenhav; Wool (2006). "One-Time Signatures Revisited: Practical Fast Signatures Using Fractal Merkle Tree Traversal" (PDF). IEEE. Retrieved 13 May 2014.
 [50] Barreto, Paulo S. L. M.; Biasi, Felipe Piazza; Dahab, Ricardo; López-Hernández, Julio César; Morais, Eduardo M. de; Oliveira, Ana D. Salina de; Pereira, Geovandro C. C. F.; Ricardini, Jefferson E. (2014). Koç, Çetin Kaya, ed. A Panorama of Post-quantum Cryptography. Springer International Publishing. pp. 387–439. doi:10.1007/978-3-319-10683-0_16. ISBN 978-3-319-10682-3.
 [51] De Feo, Luca; Jao; Plut (2011). "Towards Quantum-Resistant Cryptosystems From Supersingular Elliptic Curve Isogenies". Archived from the original (PDF) on October 2011. Retrieved 12 May 2014.
 [52] "Cryptology ePrint Archive: Report 2016/229". eprint.iacr.org. Retrieved 2016-03-02.
 [53] Ristic, Ivan (2013-06-25). "Deploying Forward Secrecy". SSL Labs. Retrieved 14 June 2014.
 [54] "Does NTRU provide Perfect Forward Secrecy?". crypto.stackexchange.com.
 [55] "Open Quantum Safe". openquantumsafe.org.
 [56] Stebila, Douglas; Mosca, Michele. "Post-Quantum Key Exchange for the Internet and the Open Quantum Safe Project". Cryptology ePrint Archive, Report 2016/1017, 2016. Retrieved 9 April 2017.
 [57] "liboqs: C library for quantum-resistant cryptographic algorithms". 26 November 2017 – via GitHub.
 [58] "openssl: Fork of OpenSSL that includes quantum-resistant algorithms and ciphersuites based on liboqs". 9 November 2017 – via GitHub.
 [59] Stebila, Douglas (26 Mar 2018). "liboqs nist-branch algorithm datasheet: kem_newhopenist". GitHub. Retrieved 27 September 2018.
 [60] "Lattice Cryptography Library". Microsoft Research. 19 Apr 2016. Retrieved 27 September 2018.
 [61] Bos, Joppe; Costello, Craig; Ducas, Léo; Mironov, Ilya; Naehrig, Michael; Nikolaenko, Valeria; Raghunathan, Ananth; Stebila, Douglas (2016-01-01). "Frodo: Take off the ring! Practical, Quantum-Secure Key Exchange from LWE".
 [62] "NTRUOpenSourceProject/NTRUEncrypt". GitHub. Retrieved 2017-04-10.
 [63] "SIDH Library – Microsoft Research". Microsoft Research. Retrieved 2017-04-10.
 [64] Feo, Luca De; Jao, David; Plût, Jérôme (2011-01-01). "Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies". Archived from the original on 2014-05-03.
 [65] Bernstein, Daniel J.; Chou, Tung; Schwabe, Peter (2015-01-01). "McBits: fast constant-time code-based cryptography".
 [66] "Microsoft/Picnic" (PDF). GitHub. Retrieved 2018-06-27.
Further reading
 Post-Quantum Cryptography. Springer. 2008. p. 245. ISBN 978-3-540-88701-0.
 Isogenies in a Quantum World
 On Ideal Lattices and Learning With Errors Over Rings
 Kerberos Revisited: Quantum-Safe Authentication
 The Picnic signature scheme
External links
 PQCrypto, the post-quantum cryptography conference
 ETSI Quantum Secure Standards Effort
 NIST's Post-Quantum Crypto Project
 PQCrypto Usage & Deployment