PQC

Question 1

Advantages QC

Answer 1

• Optimization of logistics
• Simulation of molecules
• Search in unsorted lists
• Factorization, and discrete logarithm

Question 2

Quantum algorithms: Grover’s Algorithms

Answer 2

• Grover’s algorithm weakens security of all symmetric encryption schemes (AES, SHA-256, …)
  -> Search in unsorted list
  -> Square root speedup for brute-force attacks
  -> Easy solution: Double the key size or use larger hashes

Question 3

PQC families

Answer 3

• Code-based
• Lattice-based
• Hash-based
• Multivariate
• Isogeny-based

Question 4

Code-based Cryptography

Answer 4

• Large public keys, small ciphertexts, good performance
• Prone to decoding errors
• based on hardness of decoding a linear code
  -> linear code is an error-correcting code for which any linear combination of codewords is also a codeword

Question 5

Lattice-based Cryptography

Answer 5

• Well studied problem
• Hard instances of lattice problems
• Can be further adapted

Question 6

Multivariate Cryptography

Answer 6

• Very small signature sizes, large private keys
• In contrast to “easy” linear equations, multivariate equations are known to be NP-complete

Question 7

Hash-based Cryptography

Answer 7

• Only works for signature schemes
• provably secure (given secure hash functions)
• One-way functions are a necessary assumption for cryptography
• State management can be an issue
• Stateless schemes have large signatures
• Computing pre-images of a cryptographic hash function remains hard also for quantum computers (use pre-image as private key, hash-value as public key)

Question 8

Isogeny-based Cryptography (Dis-)advantages

Answer 8

• fairly new
• computational effort
• recent breaks
  -+ complicated math
  + very short keys
  + DH-like schemes
  + Development like ECC?

Question 9

Quantum algorithms: Shor’s Algorithm

Answer 9

• Breaks all asymmetric encryption and digital signatures like RSA, (EC)DH, (EC)DSA, …
  -> Solves integer factorization and discrete logarithm problem
  -> Speedup to polynomial time on quantum computers
  -> There are no easy solutions, we need QC-resistant cryptographic schemes

Question 10

Comparison: Encryption: Keys

Answer 10

• Classic: ++
• Code: –
• Lattice: +
• Isogeny: ++

Question 11

Comparison: Encryption: Ciphertexts

Answer 11

• Classic: ++
• Code: +
• Lattice: -
• Isogeny: ++

Question 12

Comparison: Encryption: Performance

Answer 12

• Classic: o
• Code: +
• Lattice: ++
• Isogeny: –

Question 13

Comparison: Encryption: Candidates

Answer 13

• Classic: ECDH, RSA
• Code: Classic McEliece, HQC, BIKE
• Lattice: Kyber, FrodoKEM
• Isogeny: SIKE (broken)

Question 14

Comparison: Signature: Key

Answer 14

• Classic: ++
• Lattice: +
• Hash: ++
• Multivariate: –

Question 15

Comparison: Signature: Signature

Answer 15

• Classic: ++
• Lattice: +
• Hash: –
• Multivariate: ++

Question 16

Comparison: Signature: Performance

Answer 16

• Classic: +
• Lattice: -
• Hash: –
• Multivariate: +

Question 17

Comparison: Signature: Candidates

Answer 17

• Classic: ECDSA, RSA
• Lattice: Dilithium, FALCON
• Hash: SPHINCS, XMSS
• Multivariate: Rainbow (broken), GeMSS